Jonkman Microblog
Conversation

Notices

  1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Saturday, 03-Dec-2022 17:25:49 EST
    https://k.lapy.link/notes/98bji8qbby

    #Misskey security update. Someone created "instances" which trigger a denial of service in Misskey and possibly #Mastodon. From what I hear, #Pleroma is not vulnerable. #GNUsocial is likely also vulnerable.

    We can expect a lot more of these kinds of things now that the #Fediverse is getting attention.
    In conversation Saturday, 03-Dec-2022 17:25:49 EST from nu.federati.net

    Attachments

    1. UPDATE TO 12.119.*2* / lapy 🥝 (@lapy)
      from Misskey.lapy 🥝
      🚨 **UPDATE MISSKEY IMMEDIATELY** The Joinmisskey API just updated its vulnerable versions list so as not to list servers which are using older versions known to have security flaws. If your server is using a version lower than those below, please update Misskey IMMEDIATELY because [a new security flaw has been found](https://github.com/misskey-dev/misskey/pull/9247), known as 'forkbomb', `(*.)activitypub-troll .cf`, `(*.)misskey-forkbomb .cf`, `*.repl.co` and so on.
        • misskey-dev/misskey `< 12.119.1`
        • mei23/misskey `< 10.102.606-m544`
        • mei23/misskey-v11 `< 11.37.1-20221202185541`
        • FoundKeyGang/FoundKey `< v13.0.0-preview3`
    1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Saturday, 03-Dec-2022 17:32:07 EST
      in reply to
      https://borg.social/notes/98bcoo2t1n Here's another thread about it. And one of the earliest reports I saw is here. https://freespeechextremist.com/objects/6478dde7-53c6-470f-b264-dc973b5b7855
      In conversation Saturday, 03-Dec-2022 17:32:07 EST from nu.federati.net

      Attachments

      1. @Dwarf (@dwarf)
        from The Borg collective
        @ruud@mastodon.world I'm running Misskey so I was targeted. The domains I've seen in the attack are: `*.activitypub-troll.cf`, `*.misskey-forkbomb.cf`, `*.repl.co`

        RE: To all Mastodon-admins: seems like there's an attack on all instances by troll accounts. Servers get slow because of it. They use thousands of subdomains of activitypub-troll.cf. My 'pull' queues skyrocketed. I now blocked the domain activitypub-troll.cf and all is back to normal. Please check if you're hit too.
      1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Sunday, 04-Dec-2022 11:22:39 EST
        in reply to
        Tagging this thread with #Fediverse #Security ... whoever made the script obviously read some protocol docs and some source code. With just a little #JavaScript, they were able to knock some #Misskey and #Mastodon instances to their knees.

        This isn't the first, and it won't be the last. Remember when someone posted a humongous image and locked up any #GNUSocial instance that tried to download the image? Remember when someone's instance was replaced by some sort of cryptocurrency site and PuSHes from your site to theirs would crash your site because of their site's response? (I'll bet I still have that domain blocked at the firewall.)

        We have to stop being naive about the intentions of those in the current migration. The overwhelming majority will have benign, if not good, intentions. But a select few will have bad intentions. Among those intentions is to colonize the Fediverse with #Twitter's culture, to come here and impose that culture of anger and disrespect upon the inhabitants here ... which already happened once with the first wave of people joining #Mastodon instances, except it was Twitter and #Tumblr at that time.
        In conversation Sunday, 04-Dec-2022 11:22:39 EST from nu.federati.net
        1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Sunday, 04-Dec-2022 11:24:29 EST
          in reply to
          Incidentally, @lxo was the first to clearly describe this behavior as "colonization". Previously, we'd seen it and decried it, but lacked the modern pejorative to describe it properly.
          In conversation Sunday, 04-Dec-2022 11:24:29 EST from nu.federati.net
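The admins quoted above dealt with the flood by blocking the attacking domains, which used thousands of subdomains. The following is an added example, not code from this thread or from Misskey, showing a defender-side federation blocklist check that matches wildcard entries on DNS label boundaries (so a look-alike host such as `notactivitypub-troll.cf` is not caught by a naive substring match) and tallies a constructed sample of inbound origins per matching entry; the pattern list, `SAMPLE_ORIGINS` and the function names are assumptions for illustration.

```javascript
// Added example (not the thread's or Misskey's code): defender-side blocklist
// check for federation origins, using the domains reported in the thread.
// Wildcard entries match the apex domain and every subdomain, on label
// boundaries, so substring look-alikes are never blocked by accident.
const BLOCKED_PATTERNS = [
  '*.activitypub-troll.cf',
  '*.misskey-forkbomb.cf',
  '*.repl.co',
];

// Normalise a hostname: trim, lower-case, strip any port and a trailing dot.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// "*.base" matches "base" itself or any "<labels>.base"; plain patterns match exactly.
function matchesPattern(host, pattern) {
  const h = normalizeHost(host);
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2).toLowerCase();
    return h === base || h.endsWith('.' + base);
  }
  return h === pattern.toLowerCase();
}

function isBlocked(host, patterns = BLOCKED_PATTERNS) {
  return patterns.some((p) => matchesPattern(host, p));
}

// Tally inbound origins (e.g. from a queue dump) by the blocklist entry that
// matched, so an admin can see which entry is absorbing the load.
function triageOrigins(hosts, patterns = BLOCKED_PATTERNS) {
  const blockedByPattern = {};
  let allowed = 0;
  for (const host of hosts) {
    const hit = patterns.find((p) => matchesPattern(host, p));
    if (hit) blockedByPattern[hit] = (blockedByPattern[hit] || 0) + 1;
    else allowed += 1;
  }
  return { blockedByPattern, allowed };
}

// Constructed sample of inbound origins, not a real capture.
const SAMPLE_ORIGINS = [
  'a1b2.activitypub-troll.cf', 'zz99.activitypub-troll.cf',
  'x.misskey-forkbomb.cf', 'some-project.repl.co',
  'notactivitypub-troll.cf', 'mastodon.world', 'borg.social',
];
```

Note that `*.repl.co` covers an entire hosting provider, so a blocklist copied from the thread also blocks legitimate projects hosted there.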
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.