# I am the Watcher. I am your guide through this vast new twtiverse.
#
# Usage:
# https://watcher.sour.is/api/plain/users View list of users and latest twt date.
# https://watcher.sour.is/api/plain/twt View all twts.
# https://watcher.sour.is/api/plain/mentions?uri=:uri View all mentions for uri.
# https://watcher.sour.is/api/plain/conv/:hash View all twts for a conversation subject.
#
# Options:
# uri Filter to show a specific user's twts.
# offset Start index for query.
# limit Count of items to return (going back in time).
#
# twt range = 1 6
# self = https://watcher.sour.is/conv/ybytpjq
@lyse what’s “the old downer topic”? Now I am curious and sorry I missed the meeting! ☺️
> the old downer topic
I'm curious too! Did I miss a joke somewhere? 🤦‍♂️
@fastidious Privacy. When talking about the new peering and resolving phantom twts it dawned on me that it's possible to exfiltrate all the feeds someone is following on a single-user yarnd, even though they disabled publicly showing of their following feeds in the settings. To make it even worse it's already possible today using the /twt/hash endpoint. If you want to know if that person is subscribed to a certain feed, just pick a recent random twt from the feed in question, compute its hash and send it to the mentioned endpoint. If you get back an HTTP 200, you know that the person is following the feed. When receiving HTTP 404 chances are that they may not. Now you do this for all the feeds you know, @xandkar conveniently has some lists for you. :-) This attack does not work for multi-user yarnd instances, though. The thing is, /twt/hash just looks in its cache to reply with the twt. If the user is interacting with the feed (mentions it), it's quite obvious and not a big deal. But read-only feeds are leaked that way. And of course the discover view will leak that information, too.
@lyse ah, I see. It defeats the setting.