📑 Daan Berg

🇳🇱 Krimpen aan de Lek, The Netherlands
📺 Presentation Scheduler UK & Ireland: MTV, Nickelodeon, Comedy Central
📻 WOS 87.6 FM Mon-Fri 14:00-16:00
🌐 Speaks Dutch & English
🌎 Website: https://daanberg.net/
🐦 Bad bird site: https://twitter.com/straalpaal
📸 Instagram: https://www.instagram.com/daanbrg
⚠️ Disclaimer: https://en.disclaimer.fyi/
this website for understanding Linux commands you paste in is so good https://explainshell.com/explain?cmd=nmap+-vvv+-sS+-p+1-65535+--max-retries%3D1+-oN+TARGET.txt+IP

Need to be more secure? Don't worry, secureish.com has you covered!

New #blog: Tightening #security control over #mastodon public #api endpoints

The concern in fediblock around @cloy's #fedisearch plans earlier in the week prompted me to put my #infosec hat on and look into ways to make it harder for external #scrapers to hit Mastodon's API feeds.

This post suggests a possible solution for concerned instance admins as well as details of some #crawlers I spotted.

https://www.bentasker.co.uk/posts/blog/security/restricting-unauthenticated-access-to-mastodons-public-feeds.html


"Mastodon: A Social Media Platform Dominated By Pedophiles & Childporn"

The #disinformation in this article is quite well done: The article gives itself an #investigative veneer, there are many links, alleged evidence and screenshots. Everything seems somehow conclusive - if you read too fast....

1/3

https://www.secjuice.com/mastodon-child-porn-pedophiles/

#Mastodon #Pedophiles #Secjuice


A71 downsides:
- My A71 is 4G only, no 5G.
- Having to wait for apps to load for a second or two when launching them. Doesn't feel snappy.
- Samsung's Android modifications are a bit hacky and bloated sometimes.
- Android 13 is the last major release for this device.

A71 upsides:
- Fewer opportunities for scratches vs. the aluminum camera bump on the Pixel 7 Pro.
- Still gets security updates for a while.
- Battery life is quite good.
- Happy with the screen & camera.

What should I do?

- Buy the Pixel 7 Pro: 66.7%
- Buy the regular Pixel 7: 0%
- Stick to my A71 (for now): 33.3%

I've been wanting to buy a #GooglePixel 7 Pro all day today.

But after watching and reading through countless reviews, I think I might stick with my current daily driver: a Samsung Galaxy A71 from late 2019.

Help me decide!

In The #Netherlands, #teletext is still a big tradition. Public broadcaster NOS upkeeps the service for three national television stations with news, sports, weather, travel, program information, and subtitles for every show.

This, and a cute 'Merry Christmas' graphic every year!

https://twtr.plus/users/nos/statuses/1606715771631112196

#broadcast #television #npo


This post from Tumblr's Ghostonly is the best social media advice I've ever read:

How to have a good internet experience in 8 easy steps

https://www.tumblr.com/ghostonly/667966959023996928/how-to-have-a-good-internet-experience-in-8-easy


A user on the cybercrime forum Breached is selling what they claim is info scraped via Twitter APIs from 400 million Twitter profiles, including email, name, account name, follower count and in many cases phone number. This was first brought to my attention by Alon Gal at Hudson Rock. https://www.linkedin.com/in/alon-gal-utb/

The seller told me they scraped the data using the same set of weaknesses in Birdsite APIs that allowed the scraping (and publishing) early this year of profile data on 5.4M Twitter users.

https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/

They said they scraped the data via an exploit that was patched earlier this year, in the login API, and specifically the part of it that checks for duplicate accounts.

That, according to the seller, leaked the Twitter user ID, which was then converted via another Twitter API into a username. They also said that same iterative process worked for user telephone numbers.

The vulnerability that was reportedly used to scrape the previously dumped 5.4M twitter user data set was reported to Hacker One on Jan. 1, 2022.

https://hackerone.com/reports/1439026

The seller released 1,000 new records as a teaser, and is trying to get Twitter to buy the data for an undisclosed amount.

They also pasted a number of "celebrity" accounts directly into the sales thread. Curiously, this record set does not have the phone number associated w/ my Twitter account. But it was in the 5.4M scrape that got released on the same forum last month. However, I removed the burner phone number from my profile around the time the seller said they scraped this data (beginning of 2022).

The data in both the teaser and the 1,000 user file includes follower counts for each user, and a spot check on about a half dozen of them shows follower numbers consistent with what Archive.org and Sociable says about follower accounts at the beginning of Jan 2022/end of December.

They are selling it through the escrow service set up by the administrators of the forum, which is what you'd expect to see in a real offering for this volume of data.