#dev 2021-03-30

2021-03-30 UTC
[tw2113_Slack_] joined the channel
[fluffy]
I have a bunch of custom animated error pages with music. https://beesbuzz.biz/music/experiments/2314-error-pages
[fluffy]
you need to click the little play button in the corner to hear the music though (thanks, advertisers)
[fluffy]
oh oops that becomes a 400 now
[fluffy]
I forget how to manually trigger a 500 now that I’ve fixed the URL parser to be more robust 😛
superkuh, [tantek] and alex_ joined the channel
[tantek]
snarfed, this quote is for you (and everything about security on silos vs "indieweb")
[tantek]
"In the aftermath of the compromise, Popov said that PHP maintainers have concluded that their standalone Git infrastructure is an unnecessary security risk. As a result, they will discontinue the git.php.net server and make GitHub the official source for PHP repositories. Going forward, all PHP source code changes will be made directly to GitHub rather than to git.php.net."
[tantek]
if the PHP folks can't secure their own git server, then I seriously doubt individual folks can
[snarfed] joined the channel
[snarfed]
tantek++ yuuup
Loqi
tantek has 19 karma in this channel over the last year (78 in all channels)
[tantek]
I feel this is something we should capture on /git
aaronpk
Yeah big yikes
[snarfed]
obviously not the state of affairs we want! or that we should settle for.
[tantek]
but it is the current state of (git) affairs, and we should acknowledge that
[snarfed]
but it’s ok to accept that computer security these days is hopelessly complicated, and attackers often very advanced, and in many instances self hosting things is harder to secure than thoughtfully using silos as infrastructure where appropriate
aaronpk
do keep in mind that someone's own git repo is unlikely to be as big a target as PHP
[tantek]
snarfed indeed, you've made similar points in the past and I figured would appreciate this datapoint of confirmation
[snarfed]
true, somewhat. but attacks are very automated and widely applied
[tantek]
aaronpk, I see it the other way, because PHP uses/used git, any exploits that were developed for that could also be re-used on someone's personal git repo
[snarfed]
they could, but aaronpk’s point is that they likely wouldn’t, since a small personal repo isn’t a very interesting or valuable target
[tantek]
the person using an attack tool is not the same as the person developing it for a high value target
[tantek]
this is why there are such things as "script kiddies", they use attack scripts, not develop them
[snarfed]
oh i was definitely talking about the attack user, not the developer
[snarfed]
yes i’m very well aware. they’re who i meant. both by interesting/valuable and by automated
[tantek]
point being, once a high value target has incentivized a dev to create a tool, others will use it in random places purely for mischief
[snarfed]
semi-random, yes. and also widely, sometimes for the same, more often now for profit. domain hijacking for SEO, etc
[tantek]
e.g. for as trivial a reason as having a short twitter handle 😛
[snarfed]
i’m agreeing with both of you 😁 aaronpk historically, you nowadays
[snarfed]
oh yeah that’s relatively more targeted
[tantek]
aaronpk is a target due to /spoa, let's not kid ourselves ;)
[snarfed]
bulk wordpress compromises for spam, SEO, etc purposes are the canonical automated example
aaronpk
I'm not saying I'm not!
aaronpk
but also I doubt this is a problem with git itself
aaronpk
more likely it's something unrelated that got them access to the server
[tantek]
I mean imagine the mischief possible if someone gained control of webmention.io
aaronpk
(Hopefully the damage is limited to just mischief)
[tantek]
or brid.gy for that matter
[jgmac1106] joined the channel
[jgmac1106]
I should capture the thousands of malicious WP pings I get a day. Only increased when I started doing cybersecurity training.
Loqi
totally
[jgmac1106]
I actually took my app down since my last st schools not using it to refactor (then I priced the data storage increase and hid in corner quivering)
[jgmac1106]
Last school year* Started December time, just a constant barrage of JavaScript injection automated attacks
[jgmac1106]
Same bill is in seven states.... I can either gamble with no data breach shield or stop providing low cost service to schools.
Zenyattus, treora_, nsh, [chrisaldrich], jjuran, [Rose], jeremych_, [jgmac1106], [KevinMarks], Zegnat, deathrow1, [mapkyca], [schmarty], [grantcodes], alex11, [scojjac], [Murray], shoesNsocks, KartikPrabhu, Seirdy, [calumryan] and [tantek] joined the channel
[jgmac1106]
• people see this from Glitch: ~glitch-hello-website is a simple static website and reboot of our existing ~hello-webpage starter
[jgmac1106]
• ~glitch-hello-eleventy is a generated static site using Eleventy, a static site generator that’s great for building a blog or simple CMS
[jgmac1106]
• ~glitch-hello-react is a generated static site using React.js
[jgmac1106]
I wonder if we could fork and add some building blocks
sebsel
hm, the damage of someone gaining access to webmention.io is one... someone gaining access to Quill is another
sebsel
I doubt anyone sanitizes their own Micropub endpoint, since, yea, you use it to put HTML and files on your server
sebsel
(I actually have a second `media-plus` scope, so Quill is not allowed to upload .php files, but still)
[tw2113_Slack_] joined the channel
[tantek]
another great post by [Jeremy_Keith] about building for the web, standards etc.: https://adactio.com/journal/17987
Loqi
[Jeremy Keith] The principle of most availability
[scojjac] and [aciccarello] joined the channel
GWG
sebsel: I do. But I write a plugin that can be used on many people's sites. I have to check, but I think I strip JS from content.
jacky
this didn't seem like a vuln of Git but of a home made solution
jacky
if anything, it just seemed like it lacked enough community review to prevent things like this
jacky
kinda sad that they decided to just jump ship to GitHub tho
[tantek]
yes sad, but also interesting as a community deciding what was the more sustainable option for them
[tantek]
admintax is a real thing even for such a well-established community as PHP
[tantek]
jamietanna[m] did you try checking BarryF's site with IndieWebify.me to see if it identified any errors related to the problems you're seeing with it not showing up in your reader?
leo60228, Kaja_, AkyRhO_, sknebel_, deltab_, globbot, nertzy__ and [Jeff_Hawkins] joined the channel