#indieweb 2017-02-05

2017-02-05 UTC
KevinMarks, MylesBraithwaite and davidmead joined the channel
#
@kevinmarks @RoguePOTUSStaff you can start here: https://github.com/indieweb/blank-gh-site (twitter.com/_/status/828047294012416001)
CherryPuffs, [kevinmarks] and [jgarber] joined the channel
#
[jgarber] aaronpk Pinned posts on tag listing pages is a really nice addition. :+1::skin-tone-2:
#
aaronpk thanks!
#
aaronpk say, that gives me an idea for tomorrow's #100days project... translating slack emoji names to emoji chars in IRC
#
[jgarber] Looks like you may be able to get a full list through Slack’s API tester: https://api.slack.com/methods/emoji.list
#
aaronpk well i can only translate them if they correspond to actual unicode emoji, so i'll do the mapping that direction
#
[jgarber] That’s a heck of a list: http://unicode.org/emoji/charts/full-emoji-list.html
#
aaronpk i hope someone has already created a mapping
#
[jgarber] _maaaaaaaybe_…? https://github.com/jollygoodcode/emoji-keywords
#
[jgarber] …but maybe not…
nitot joined the channel
#
sknebel aaronpk: https://api.slack.com/docs/message-formatting#emoji says they use the mapping from https://github.com/iamcal/emoji-data
#
aaronpk oh right! I forgot about that repo
davidmead and rickygee joined the channel
#
KevinMarks Also, slack allows custom emoji
#
[kevinmarks] :indiewebcat: for example
#
KevinMarks Not sure if there is an API for those
leg joined the channel
#
aaronpk there is, but i don't have a good answer as to how that should appear in IRC
#
aaronpk i could show the image in the web logs at least
sebsel and leg joined the channel
#
@edrex Trying a free Known microblog, set to cross-post everything to Facebook and Twitter via Bridgy #indieweb @lehudginshttps://edrex.withknown.com/2017/trying-a-free-known-microblog-set-to-cross-post-everything-to (twitter.com/_/status/828078012541370371)
mlncn, nitot and gko joined the channel
#
KartikPrabhu what is text first design?
#
Loqi Text-first design refers to the practice of designing information so that it is usable/actionable in its most basic plaintext form https://indieweb.org/text_first_design
sl007, tantek, j12t, wolftune, nitot, KevinMarks, miklb and friedcell joined the channel
#
@TechLifeWeb And, because it's late, I forgot the #indieweb hastag on my first post. #fail (twitter.com/_/status/828140063573864450)
#
Loqi [indieweb] "Eric, You'll get used to it all pretty quickly. Feel free to use my site to ping against if you want to test things out" by Chris Aldrich on 2017-02-05 http://stream.boffosocko.com/2017/eric-youll-get-used-to-it-all-pretty-quickly-feel
Pierre-O and tantek joined the channel
#
Loqi [indienews] New post: "Added IndieAuth and Micropub to my reader" https://unicyclic.com/mal/2017-02-05-Added_IndieAuth_and_Micropub_to_my_reader
tantek, rickygee, KevinMarks and jeremycherfas joined the channel
#
jeremycherfas Morning
#
Loqi good morning!
acegiak, jeremycherfas and [acegiak_net] joined the channel
#
[acegiak_net] !tell GWG should I send you a PR for these mf2_s fixes? https://github.com/acegiak/mf2_s/commit/ccc4787e49043be902f76fb8e582a45dc1a86b1c
#
Loqi Ok, I'll tell them that when I see them next
benbandro, catsup and benband33 joined the channel
#
@jbjohansson @aaronpk I'm unfollowing you on @jbjohansson and refollowing you on @JavaScriptJJ if you are interested in #JavaScript / #indieweb (twitter.com/_/status/828197521772027905)
rickygee, jeremycherfas and Kopfstein joined the channel
#
Zegnat Hmm, I need to find a way to own my YouTube history. Any ideas?
#
Zegnat Google’s own watch history misses the one important data point: when I watched it. Why?!
Pierre-O, leg, hs0ucy and jeremycherfas joined the channel
#
jaduncan[m] Zegnat: if you're fetching it often enough you can just pick up the video names and you know the time slot in any case.
#
jaduncan[m] It depends how granular you want it to be, but the difference between the old and new responses provides you with a rough time.
mlncn joined the channel
#
Zegnat I am currently just doubting if it actually even includes everything
jeremycherfas and Pierre-O joined the channel
#
jaduncan[m] The other way to include everything would be to have a userscript that added each video you watch to a special favourites list, and an import script that then removed them.
mlncn and jeremycherfas_ joined the channel
#
Zegnat Yeah, I was thinking of just rolling up a WebExtension to keep track. Probably a lot easier than trying to scrape the youtube history page. But it will not be able to catch stuff I watch outside the browser.
friedcell and jeremycherfas_ joined the channel
#
Zegnat acegiak, you were doing YouTube logging, right? What are you using?
#
Zegnat !tell acegiak you were doing YouTube logging, right? What are you using?
#
Loqi Ok, I'll tell them that when I see them next
#
aaronpk good morning!
#
Loqi guten morgen
#
jaduncan[m] Good morning [from] Vietnam!
mlncn joined the channel
#
sknebel https://news.ycombinator.com/item?id=13570227 Another answer for "why you should have your own domain"?
#
GWG Good morning
#
Loqi GWG: [acegiak_net] left you a message 5 hours, 5 minutes ago: should I send you a PR for these mf2_s fixes? https://github.com/acegiak/mf2_s/commit/ccc4787e49043be902f76fb8e582a45dc1a86b1c
#
sknebel good morning everybody!
#
GWG I've always wanted to say this....
#
GWG Good morning Vietnam!
Pierre-O, friedcell and EHLOVader joined the channel
#
sebsel sknebel the underlying problem seems to be not having ones own editor too :)
wolftune joined the channel
#
jaduncan[m] GWG: Morning. ;)
EHLOVader joined the channel
#
Zegnat sebsel, I for one could do with a full-time editor around the place
#
@TechLifeWeb Added the WaybackMachine plugin (https://github.com/mapkyca/KnownWaybackMachine) to my Known site. Cool. #indieweb (twitter.com/_/status/828281368924782593)
#
sknebel sebsel: more that you share your reputation with other users on the platform (which admittedly also could be good)
#
sebsel yeah that's right! the good/bad content discussion is not really indieweb relevant, but having bad content of other on the same domain as your (good?) content is a good reason for indieweb / your own domain
KevinMarks joined the channel
#
KevinMarks https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/
#
KevinMarks "wordpress pingback attack"
#
aaronpk "Google was able to block it, because each querying machine broadcast a user agent that contained the words "WordPress pingback," which Google engineers promptly blocked."
mlncn, acegiak and begriffs joined the channel
#
bear I worry about that style of attack being aimed at webmention
#
GWG acegiak, I made the change
#
aaronpk the good(?) news is that they first tried a bunch of other unrelated attacks. pingback was not their first attempt.
#
bear sure, but the distributed nature of webmention and the fact that most folks using it run on tiny servers means that any attack, even partially successful, is going to hurt a *lot* of people
#
bear so I worry
#
GWG bear, my concern is that the first time it happens, someone will say that they are going to remove support as a recommendation
#
GWG That is the Pingbacks argument I get the most. Just turn it off
#
bear nods
#
GWG No one says that about email, despite it being spammy and much less secure
#
aaronpk the problem with pingback is there is very little value added
#
aaronpk when having it on
#
aaronpk so turning it off means you don't lose much
#
GWG aaronpk, that is why I want to ensure people see value in Webmention
#
GWG The specification doesn't necessarily emphasize that
#
GWG Specifications aren't cheerleaders
#
bear one of the many things on my todo list: create a list of attacks to try against webmention and show how it either already prevents them or how they can be mitigated
#
jaduncan[m] Bear: I would imagine that the defender would promptly filter on the webmention headers. It would however maybe be good to ratelimit webmentions on the plugins etc. If something that isn't on a whitelist is (or appears to be) sending 5 webmentions a second, it's probably good to cut that out on the respondent end. Maybe even to just require the user to authorise continued mention display.
#
jaduncan[m] At least that way the DoS is on webmentions rather than tying up every resource on the server and DoSing the whole site.
#
bear jaduncan[m] yep - that's the attack vector that worries me the most - inbound webmention processing as a DOS
#
bear I need to get my nginx config cleaned up so I can post how I use it to rate limit my dynmaic endpoints
#
GWG bear, that is post worthy when you do
#
GWG If you can make it generic enough
#
bear yea
#
GWG I run Nginx for example
#
bear sadly today, instead of fun coding, I am working on terraform and packer configurations for work
#
GWG I have rate limits on my XMLRPC endpoint, but not Webmentions yet
#
jaduncan[m] bear: Yes. I was idly wondering about getting around bans via spoofing. There's also an issue of spam when webmentions scale, which probably means extra calls out to a spam detection service. The other thing I've idly wondered about since reading the text is just proof of work from the sender; it means you would at least cut out the ability to do viable attacks without a botnet.
#
GWG bear, I am sitting here waiting for them to finish working on my car
#
GWG I'd rather be coding
#
jaduncan[m] Absent that, you're getting the server to write the webmention comment to the page, probably call Akismet or similar, and then carry on. That's a lot of cost for the server when compared to the cost of the attack.
wolftune joined the channel
#
bear that type of spam handling I think is already covered by the vouch handling
#
bear (which is to say that you could have as part of your vouch handling a callout to akismet or the like)
#
jaduncan[m] Ah, OK. I've only just started looking, sorry. Does this mean that the attacker can currently also use webmentions against many servers to take down the main vouch server?
#
aaronpk what is vouch?
#
Loqi The Vouch protocol is an anti-spam extension to Webmention. Webmention with Vouch depends on understanding Webmention https://indieweb.org/Vouch
#
jaduncan[m] (not trying to be a dick here, just running though possible attacks)
#
aaronpk read up on that first :)
#
bear yea, read the vouch article - a lot of what your talking about is covered
#
jaduncan[m] Just popping over.
#
jaduncan[m] Sorry. :)
snarfed joined the channel
#
bear no need to apologize
#
bear part of the learning process is asking questions
#
bear and part of the learning process for other members of the community is learning where FAQs are answered
#
bear a big part of IndieWeb is the guiding principle that things are implemented when they are needed - so while thought experiments are encouraged and useful, they are secondary to experience
#
sknebel the pingback attack referenced in the article is the other direction, isn't it? using verification traffic?
#
jaduncan[m] Eh heh. I salute your effective creation of a proof of work for the spammer.
#
KevinMarks Yes, it is. They sent the ping backs to lots of wp sites so that they would fetch from the server to check for the link
leg joined the channel
#
jaduncan[m] bear: Vouch does indeed seem quite good. So for DoS prevention you could just have a strictness percentage on the servers that activated Vouch partially based on ratelimiting in suspicious situations before stopping and just logging/creating a rule to temp ban webmentions for increasing timeouts. Maybe even based on server load.
#
bear yes, the benefit with webmention+vouch is that the normal attack surface mitigations can be used
#
bear right now the issue is how to communicate that to a group of people who do not want to be ops :)
KevinMarks and [dgold] joined the channel
#
[dgold] anyone get known running with nginx?
#
[dgold] i've installed all the dependencies, I've put the installer in place, I've chown'd and chmod'd it all - I get bubkes.
#
bear there is talk of nginx for known on this page https://indieweb.org/known#Setup_Known_on_nginx
#
jaduncan[m] Is this something you're planning to work on in any particular plugin or CMS? I'm looking at how much I can harden Known at the moment, since I want to use it for a blog whilst I'm cycling Africa and won't be able to sysadmin from moment to moment (the best of of a few OKish options, given that I'm heavily suspicious of WP security).
Lana joined the channel
#
bear jaduncan[m] I probably won't as I don't use any CMS - my site is static with a dynamic part just for webmentions
#
bear I do plan on working on some general guidelines, just nothing specific to a CMS
#
[dgold] bear Yeah, I've been following eliot's tutorial - that's gotten me to a blank screeen
#
bear [dgold] sorry then :/ you may want to ask in the known irc channel
#
aaronpk or the #known slack channel!
#
aaronpk (same thing)
#
[dgold] heads off to there
dgold and rickygee joined the channel
#
@svensonsan Dieses Indieweb Zeugs, dass die gefavten Tweets und Replys als Kommentare in Blog holte, das ist kaputt. Keine Ahnung wieso. (twitter.com/_/status/828327653853773829)
sneanias, leg, rickygee, nitot, batisteo and leg1 joined the channel
#
@TerminalPixel Day 34 of #100DaysOfCode: ? Added emojicode conversion to my #indieweb #chatbot ? So slack emoji should work better now ? (twitter.com/_/status/828338424000180224)
EHLOVader, friedcell and mlncn joined the channel
#
@_dgoldsmith and this is a known #indieweb micropub status update; using @aaronpk's https://quill.p3k.io #web #indieweb (https://headcrash.ascraeus.org/2017/and-this-is-a-known-indieweb-micropub-status-update-using) (twitter.com/_/status/828345469013282816)
#
KevinMarks Indieweb zeugs? Is that trains?
#
aaronpk i thought it was "stuff" or "thing"
#
sknebel "stuff"
#
sknebel (or thing)
#
aaronpk i thought it was usually used in conjunction with an adjective to turn it into a noun
#
aaronpk reads https://en.wiktionary.org/wiki/Zeug and remembers it's usually used in the context of "machine" or "gear"
#
sknebel it also works as a standalone noun for something not precisely specified, slightly negative
friedcell joined the channel
#
sknebel in the tweet, "dieses indieweb zeugs" = "this indieweb stuff"
#
sknebel KevinMarks: trains would be "Züge" (or Zug singular)
#
@TechLifeWeb #indieweb what is the best way to favorite a Tweet in Known? http://stream.techlifeweb.com/2017/indieweb-what-is-the-best-wet-to-favorite-a-tweet (twitter.com/_/status/828351363658559489)
#
KevinMarks Ah, I saw zeug as zueg.
#
KevinMarks My German is very rusty.
funwhilelost, KevinMarks, snarfed, rickygee, wolftune, friedcell, [aaronpk] and [kevinmarks] joined the channel
#
@100daysindieweb Day 47: Translating Slack :emoji: to Unicode #100DaysOfIndieWeb: https://aaronparecki.com/2017/02/05/8/day-47-slack-emoji (twitter.com/_/status/828386278722859012)
#
[aaronpk] woohoo
#
[aaronpk] ?
#
[aaronpk] ?
strugee joined the channel
#
sebsel o no. I wrote a small post, too big for twitter, but I wanted to share it there, so I cut it in pieces and made it a 'tweetstorm'
#
sebsel but now some bot has retweeted the middle part.
#
sebsel how do I solve that in indieweb terms :/
#
sebsel I guess I just leave it, it's a bot anyway
#
sebsel hm, or I could add the other tweets as syndications as well? let's see what Bridgy does with that
#
sebsel it worked!
#
sebsel bridgy++
#
Loqi bridgy has 47 karma in this channel (53 overall)
#
sebsel also: it did not count my own replies as replies to my post. nice
#
aaronpk interesting, so you treated all the tweets as syndications of your original post?
#
sebsel yeah, it's just a list now
#
sebsel https://seblog.nl/2017/02/05/3/inzichten-op-de-late-avond < that's the post. My indie-action buttons look weird now, but it worked.
#
Loqi [Sebastiaan Andeweg] Inzichten op de late avond: het probleem is niet dat ik niet op Facebook zit. Het probleem is dat jullie er allemaal wel op zitten, en dat normaal vinden. En, min of meer door Tegenlicht van vanavond: zwart-wit denken los je niet op met grijstinten....
#
sebsel whoa.
#
sebsel ah, because its a note.