zlacker

[return to "So this guy is now S3. All of S3"]
1. Cianti+u2[view] [source] 2023-05-04 19:04:23
>>aendru+(OP)
Solution is also on the works like use /.well-known/, so this is more like funny, rather than a big problem.

Key to trick was to have bucket named "xrpc" and store a file there: https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHa...

There is also another funny thing in the image, the user posting about is sending one from "retr0-id.translate.goog", which is odd. Somehow he has got https://retr0-id.translate.goog/xrpc/com.atproto.identity.re... to redirect to his page, and gotten that handle as well.

◧◩
2. chrism+F7[view] [source] 2023-05-04 19:27:14
>>Cianti+u2
Eh, it’s worse than just funny; it’s concerning, because they should have known about and easily avoided this kind of vulnerability, it’s standard stuff you have to think about. So what else have they missed?
◧◩◪
3. stevek+c8[view] [source] 2023-05-04 19:30:09
>>chrism+F7
This is a private beta. Nobody is suggesting that any of this be used for anything serious just yet. Development happens out in the open, you can go find out what else they've missed by doing the work, or by waiting until others you trust have done so.

I myself have had an account for like a month now, but only started really using it a week ago, because that calculus changed for me, personally.

Like, it's not even possible to truly delete posts at the moment. This all needs to be treated as a playground until things mature.

This isn't even the first "scandal" related to this feature already!!!! There is another hole in what currently exists that allowed someone to temporarily impersonate a Japanese magazine a few weeks back.

◧◩◪◨
4. YtvwlD+a9[view] [source] 2023-05-04 19:33:38
>>stevek+c8
Okay, yes, but this indicates that they didn't read the ActivityPub before developing their own new shiny protocol.
◧◩◪◨⬒
5. linuxd+Bo1[view] [source] 2023-05-05 06:08:35
>>YtvwlD+a9
Paul has lots of experience designing protocols. He designed SSB. ActivityPub does a lot of things wrong from first principals.

The whole point was to start from scratch.

◧◩◪◨⬒⬓
6. marius+0r1[view] [source] 2023-05-05 06:32:11
>>linuxd+Bo1
> ActivityPub does a lot of things wrong from first principals

I'd be curious to learn about those.

◧◩◪◨⬒⬓⬔
7. capabl+8j2[view] [source] 2023-05-05 13:56:56
>>marius+0r1
There is a lot more information here: https://twitter.com/bluesky/status/1511811083954102273?lang=...

From my own understanding, the biggest useful differences for me personally is: account portability, domains as usernames and content-addressable from the ground up.

- Account portability - Useful if/when you want to move between servers

- Domains as usernames - Ties into the same value as account portability. I've owned my own domain for decades, it never changes and probably won't, until years after I die

- Content-addressable - Caching and syncing becomes so much easier, which is a huge issue Mastodon currently suffers from.

[go to top]