`yarn` after the latest upgrade. Like a good 60 seconds.
```
Jul 25 16:01:17 buc yarnd[1921547]: time="2024-07-25T16:01:17Z" level=error msg="https://yarn.stigatle.no/user/stigatle/twtxt.txt: client.Do fail: Get \"https://yarn.stigatle.no/user/stigatle/twtxt.txt\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)" error="Get \"https://yarn.stigatle.no/user/stigatle/twtxt.txt\": dial tcp 185.97.32.18:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"
```
I no longer see twts from @stigatle at all.
```
./tools/dump_cache.sh: line 8: bat: command not found
No Token Provided
```
I don't have `bat` on my VPS and there is no package for installing it. Is `cat` a reasonable alternate?
https://twtxt.net/external?nick=nosuchuser&uri=https://foo.com

Change `nosuchuser` to any phrase at all. If you hit https://twtxt.net/external?nick=nosuchuser, you're given an error. If you hit that URL above with the `uri` parameter, you get a legitimate-looking page. I think that is a bug.
`lovetocode999` on my pod. I think it should 404, and maybe with a delay, to discourage whatever this abuse is. Basically this can be used to DDoS a pod by forcing it to generate a bunch of HTML just by doing a bogus GET like this.

```
"GET /external?nick=lovetocode999&uri=https://vuf.minagricultura.gov.co/Lists/Informacin%20Servicios%20Web/DispForm.aspx?ID=8375144 HTTP/1.1" 200 35861 17.077914ms
```

always to `nick=lovetocode999`, but with different `uri`s. What are these calls?
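One way to spot the pattern described above in the journal is to aggregate `/external` hits by nick and count distinct `uri` values and client IPs. This is an added example, not yarnd's own code: the sample lines (documentation-range IPs, example.com URIs), the `ScanExternal` and `Flag` functions and the local-nick set are all constructed for illustration.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample in the journal format quoted in the thread (documentation-range IPs, example.com URIs).
const sampleLog = `Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (192.0.2.10) "GET /external?nick=nosuchuser&uri=http%3A%2F%2Fa.example.com%2Fx HTTP/1.1" 200 36167 19.582077ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (192.0.2.11) "GET /twt/ubhq33a HTTP/1.1" 404 29 643.251µs
Jul 25 14:32:45 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:45 (192.0.2.12) "GET /external?nick=nosuchuser&uri=http%3A%2F%2Fb.example.com%2Fy HTTP/1.1" 200 36187 15.95329ms
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (192.0.2.13) "GET /external?nick=nosuchuser&uri=http%3A%2F%2Fc.example.com%2Fz HTTP/1.1" 200 36150 18.1ms
Jul 25 14:32:47 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:47 (192.0.2.14) "GET /external?nick=abucci&uri=https%3A%2F%2Fexample.org%2Ftwtxt.txt HTTP/1.1" 200 36000 16.0ms`
// Access lines carry: (client IP) "GET /path?query HTTP/1.x" status bytes duration
var accessRe = regexp.MustCompile(`\((\d+\.\d+\.\d+\.\d+)\) "GET (\S+) HTTP/1\.[01]" \d{3} `)
type ExternalStats struct {
	Requests      int
	URIs, Sources map[string]bool // distinct uri= values and client IPs seen for this nick
}
// ScanExternal aggregates /external requests whose nick is not a local pod user (the thread argues those should 404).
func ScanExternal(journal string, localNicks map[string]bool) map[string]*ExternalStats {
	stats := map[string]*ExternalStats{}
	for _, line := range strings.Split(journal, "\n") {
		m := accessRe.FindStringSubmatch(line)
		if m == nil {
			continue // level=error/warning lines and other non-access output
		}
		u, err := url.Parse(m[2])
		if err != nil || u.Path != "/external" {
			continue
		}
		nick, uri := u.Query().Get("nick"), u.Query().Get("uri")
		if nick == "" || localNicks[nick] {
			continue
		}
		if stats[nick] == nil {
			stats[nick] = &ExternalStats{URIs: map[string]bool{}, Sources: map[string]bool{}}
		}
		stats[nick].Requests++
		stats[nick].URIs[uri], stats[nick].Sources[m[1]] = true, true
	}
	return stats
}
// Flag keeps the nicks matching the pattern in the thread: an unknown nick hit repeatedly, from several client IPs, with several different uri values.
func Flag(stats map[string]*ExternalStats, minReq, minURIs, minSrc int) map[string]*ExternalStats {
	flagged := map[string]*ExternalStats{}
	for nick, s := range stats {
		if s.Requests >= minReq && len(s.URIs) >= minURIs && len(s.Sources) >= minSrc {
			flagged[nick] = s
		}
	}
	return flagged
}
```

Feed it `journalctl -u yarnd` output and the pod's real user list; the thresholds are a starting point to tune against normal traffic.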
`watch -n 60 rm -rf /tmp/yarn-avatar-*`, run in `tmux` so it keeps running.
`yarnd`, which is something I haven't seen before too:

```
Jul 25 14:32:42 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:42 (162.211.155.2) "GET /twt/ubhq33a HTTP/1.1" 404 29 643.251µs
Jul 25 14:32:43 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:43 (162.211.155.2) "GET /twt/112073211746755451 HTTP/1.1" 400 12 505.333µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (111.119.213.103) "GET /twt/whau6pa HTTP/1.1" 200 37360 35.173255ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112343305123858004 HTTP/1.1" 400 12 455.069µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (168.199.225.19) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fwww.palapa.pl%2Fbaners.php%3Flink%3Dhttps%3A%2F%2Fwww.dwnewstoday.com HTTP/1.1" 200 36167 19.582077ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112503061785024494 HTTP/1.1" 400 12 619.152µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/111863876118553837 HTTP/1.1" 400 12 817.678µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/112749994821704400 HTTP/1.1" 400 12 540.616µs
Jul 25 14:32:47 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:47 (103.204.109.150) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fampurify.com%2Fbbs%2Fboard.php%3Fbo_table%3Dfree%26wr_id%3D113858 HTTP/1.1" 200 36187 15.95329ms
```

I've seen that `nick=lovetocode999` a bunch.
`sift`? What would you like to know about the files?
```
abucci@buc:~/yarnd/yarn$ ls -lh /tmp/yarnd-avatar-*
-rw------- 1 abucci abucci 863M Jul 25 14:19 /tmp/yarnd-avatar-1594499680
-rw------- 1 abucci abucci 7.8G Jul 25 14:19 /tmp/yarnd-avatar-2144295337
-rw------- 1 abucci abucci 9.8G Jul 25 14:19 /tmp/yarnd-avatar-2334738193
-rw------- 1 abucci abucci  10G Jul 25 14:14 /tmp/yarnd-avatar-2494107777
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-2619243454
-rw------- 1 abucci abucci  11G Jul 25 14:04 /tmp/yarnd-avatar-2922187513
-rw------- 1 abucci abucci 7.5G Jul 25 14:14 /tmp/yarnd-avatar-349775570
-rw------- 1 abucci abucci  10G Jul 25 14:09 /tmp/yarnd-avatar-3640724243
-rw------- 1 abucci abucci 901M Jul 25 14:19 /tmp/yarnd-avatar-3921595598
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-609094539
-rw------- 1 abucci abucci 9.3G Jul 25 14:04 /tmp/yarnd-avatar-755173392
-rw------- 1 abucci abucci 7.9G Jul 25 14:09 /tmp/yarnd-avatar-984061000
```
Something like 100 Gbytes of this junk has accumulated since I updated and re-started the server. I'm now running the latest version of `yarnd`, so the update did not fix the problem. Something else is going wrong. How are temporary files growing to 10 Gbytes in size? The name of the file is "yarn-avatar", but why would avatars be so large?
`yarnd` 0.15.1 now. I stopped my hack so we'll see if the VPS gets clogged with junk.
```
abucci@buc:~/yarnd/yarn$ make preflight
Checking Go version ... [ ERR ]
Go 1.16+ is required, found go1.22.5
FATAL: preflight failed
make: *** [Makefile:33: preflight] Error 1
```
`watch -n 60 rm -rf /tmp/yarn-avatar-*` in a `tmux` because all of a sudden, without warning, `yarnd` started throwing hundreds of gigabytes of files with names like `yarn-avatar-62582554` into `/tmp`, which filled up the entire disk and started crashing other services.
```
abucci@buc:/tmp$ du -sh /tmp/yarnd-avatar-*
564M /tmp/yarnd-avatar-3024946878
7.2G /tmp/yarnd-avatar-3122347915
11G  /tmp/yarnd-avatar-3533381443
445M /tmp/yarnd-avatar-441914658
```
I'm going to have to shut down my server soon. This looks like some kind of DDoS. Whether intentional or not it's filling up the disk at an unsustainable rate.
```
Jul 25 01:37:39 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:39 (149.71.56.69) "GET /external?nick=lovetocode999&uri=https://pagez.co.uk/services/your-own-100-fully-owned-online-vi>
Jul 25 01:37:39 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:39 (162.211.155.2) "GET /twt/112135496802692324 HTTP/1.1" 400 12 826.65µs
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (51.222.253.14) "GET /conv/muttriq HTTP/1.1" 200 36881 20.448309ms
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (162.211.155.2) "GET /twt/112730114943543514 HTTP/1.1" 400 12 663.493µs
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (27.75.213.253) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Falfarah.jo%2FHome%2FChangeCulture%3FlangCode%3Den>
Jul 25 01:37:40 buc.ci yarnd[829]: time="2024-07-25T01:37:40Z" level=error msg="http://bynet.com.br/log_envio.asp?cod=335&email=%21%2AEMAIL%2A%21&url=https%3A%2F%2Fwww.almanacar.c>
Jul 25 01:37:40 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:40 (162.211.155.2) "GET /twt/111674756400660911 HTTP/1.1" 400 12 545.106µs
Jul 25 01:37:40 buc.ci yarnd[829]: time="2024-07-25T01:37:40Z" level=warning msg="feed FetchFeedRequest: @<lovetocode999 http://alfarah.jo/Home/ChangeCulture?langCode=en&returnUrl>
Jul 25 01:37:41 buc.ci yarnd[829]: [yarnd] 2024/07/25 01:37:41 (162.211.155.2) "GET /twt/112507964696096567 HTTP/1.1" 400 12 838.946µs
```
Something really weird is going on?
```
abucci@buc:~$ du -sh /tmp/yarnd-avatar-3*
1.8G /tmp/yarnd-avatar-3122347915
2.4G /tmp/yarnd-avatar-3533381443
```
What is this?
`yarnd` filled up the disk on the VPS where I run it. It's never done anything like this before and I have no idea why it would start. But it threw almost 700 Gbytes of data into `/tmp` in files like this:

```
yarnd-avatar-1087570772 yarnd-avatar-1599127133 yarnd-avatar-2042956376 yarnd-avatar-2562946212 yarnd-avatar-3274766535 yarnd-avatar-3931929859 yarnd-avatar-553201529
yarnd-avatar-1089125452 yarnd-avatar-1606826819 yarnd-avatar-2089122560 yarnd-avatar-2611944556 yarnd-avatar-3310922372 yarnd-avatar-3938996661 yarnd-avatar-556240195
yarnd-avatar-1101228867 yarnd-avatar-1618755765 yarnd-avatar-2104107259 yarnd-avatar-2641384948 yarnd-avatar-3326285269 yarnd-avatar-3939402047 yarnd-avatar-559344463
yarnd-avatar-1112165824 yarnd-avatar-1650827505 yarnd-avatar-2142824779 yarnd-avatar-2680659340 yarnd-avatar-3340682113 yarnd-avatar-3998621883 yarnd-avatar-570292705
yarnd-avatar-1119886894 yarnd-avatar-1656673647 yarnd-avatar-2160786463 yarnd-avatar-271923479 yarnd-avatar-3374584613 yarnd-avatar-4005102536 yarnd-avatar-595490106
yarnd-avatar-1131417623 yarnd-avatar-1685698239 yarnd-avatar-2165405940 yarnd-avatar-2793562275 yarnd-avatar-3380606954 yarnd-avatar-4016872095 yarnd-avatar-679251850
yarnd-avatar-1160959085 yarnd-avatar-1746759128 yarnd-avatar-2171489899 yarnd-avatar-2842068287 yarnd-avatar-3416352997 yarnd-avatar-4110048378 yarnd-avatar-679950970
yarnd-avatar-1231649265 yarnd-avatar-1752278279 yarnd-avatar-2251317422 yarnd-avatar-2843868670 yarnd-avatar-3468636088 yarnd-avatar-4116552474 yarnd-avatar-737874628
```
164 files. Some are empty, some are 7 or even 10 Gbyte.
Any idea what would cause that? And why now, after running `yarnd` for so long with nothing like this happening?
A friend of mine elsewhere pointed out that they pushed this change on a Friday, which of course no software developer with any experience would ever, ever, ever do. I have to assume there's some toxic management at CrowdStrike, but who knows. Even more reasons to sympathize with the poor folks who are probably going to be working nights and weekends to clean up this mess.
Much of modern software feels like the polar opposite of that. Not only can you not write it on an index card, you never will be able to because people who write software don't seem to aspire to try. I wish more people thought this way though!
> GoToSocial stores statuses, accounts, etc, in a database. This can be either SQLite or Postgres.
`snac` is simpler. Some JSON files and that's it. I can read them with `jq` and `less`. I can use `tar` to back them up. I can hand edit them in a text editor.
Yes, I am running `snac` on the same VPS where I run my yarn pod. I heard of it from @stigatle, so blame him.

`snac` is written in C and is one simple executable, uses very little resources on the server, and stores everything in JSON files (no databases or other integrations; easy to save and migrate your data). It's definitely like yarn in that respect. I haven't been around yarn much lately. Part of that is that I've been very busy at work and home and only have a limited time to spend goofing off on a social network. Part of it is that I'm finding `snac` very useful: I've connected with friends I'd previously lost touch with, I've found useful work-related information, I've found colleagues to follow, and even found interesting conferences to attend. There's a lot more going on over there. I guess if I had to put it simply, I'd say I have limited time to play and there are more kids in the ActivityPub sandbox than this one. That's not a ding on yarn--I like yarn and twtxt--I'm just time constrained.
https://www.nature.com/articles/s41598-021-81531-x
`s/twitter\.com/nitter.net/`

-- Elon Musk
https://aeon.co/essays/elon-musk-puts-his-case-for-a-multi-planet-civilisation
iotop
Varied information diet + No change in attitudes when information diet is forced to be different = no echo chamber.
Listen to the podcast episode here
Not a surprise I guess.
> more than 90% of all AWS service API endpoints do not support IPv6
Sounds like AWS is instituting an IPv4 tax soon.
1. It's criminal: Copilot was only possible because of massive theft of other peoples' work (no compensation or even acknowledgement to any of the developers whose code was used to create Copilot)
2. It's positioned to put software developers out of work or so fully de-skill them that they no longer know how to code anything but prompts (after which come corporate-justified salary and benefits decreases)
Don't use it. No one should ever use it. You're destroying your own future as a software developer by leaning on and supporting these things.
🤦
WHY are these big companies treated as though they are the be all and end all of infosec? These are rookie mistakes they're making, *at scale*.
> Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option.
Like, never ever put your multi-factor tokens into a single cloud storage location! The whole point of this being "multi" factor is that there is a separate, independent physical factor involved in the authentication process. If the authenticator app on your phone puts the tokens in the cloud, then it reduces the security that comes from having a second factor. This is basic stuff.
Of course, never ever use Google Authenticator. All it does is generate TOTP and HOTP codes, which you can do with any OTP app, preferably an open source one that's been vetted.
> The USENET management committee has reconvened and there are green shoots of growth in the original, pre-World Wide Web social network.
`ls` thing regularly. I even do it after I've already `ls`ed the directory but have run some other command afterwards. I tend to think of it like the LOOK command in text adventures.
#birthday
F-Droid tends to focus on open source applications that can be built in a reproducible way, which limits the inventory (though of course tends to mean the apps are safer and don't spy on you). There are non-free apps in there as well but they come with warnings so you're informed about what you might be sacrificing by using them.
That said if you have a favorite app you get through Google Play, there's a decent chance it won't be in F-Droid. Many "big corporate" apps aren't, and vendor-specific apps tend not to be either. But for most of the major functions you might want, like email clients, calendar apps, weather apps, etc etc, there are very good substitutes now in F-Droid. You're definitely making a trade-off though.
What I did was go through the apps I had installed on my last phone, found as many substitutes in F-Droid as I could, started using those instead to see how they worked, and bit by bit replaced as much as I could from Google Play with a comparable app from F-Droid. I still have a few apps (mostly vendor-specific things that don't have substitutes) that come from Google Play but I'm aiming to be rid of those before I need to replace this phone.
I haven't tried a Linux-based smartphone OS in a long time so I don't have any idea how bad/good it might be. I figure when I finally break down and get a new phone I'll experiment on my current phone.
There are lots of options. Bit by bit I divest from anything that's distributed from Google Play. With my latest phone I found and downloaded APKs so that I could have the app without all the Google crap woven through it. By the time I need to replace this one I'll be fully free of Google Play. Most of my apps come from F-Droid now. You can have a perfectly functional phone/pocket computer unless you're addicted to installing dozens of corporate apps.