1. Which mods/admins were being Power Tripping Bastards?

Snoopy

  2. What sanction did they impose (e.g. community ban, instance ban, removed comment)?

Community ban

  3. Provide a screenshot of the relevant modlog entry (don’t de-obfuscate mod names).

  4. Provide a screenshot and explanation of the cause of the sanction (e.g. the post/ comment that was removed, or got you banned).

I woke up to suddenly being banned with a DM that was misgendering me. It appears the real reason I was banned was due to the fact that I was critical of Piefed’s recent actions.

Snoopy has no evidence that “I personally released the exploits into the wild”. It was actually @yogthos@lemmy.ml who did the deed. I’m not technical enough to pull it off, nor do I want to.

  5. Explain why you think it’s unfair and how you would like the situation to be remedied.

Hopefully unbanned and unblocked.

  • Diva (she/her)@lemmy.ml · +35 / -7 · 2 days ago

    PTB, the misgendering is gross too.

    regardless of how shitty the piefed crew has been behaving lately, releasing the security vulnerability as yogthos did was an asshole move and is something i disavow.

    • A Wild Mimic appears!@lemmy.dbzer0.com · +32 / -2 · 2 days ago

      Since all yogthos did was use an LLM to find the vulnerability, and anyone can do that without any prior knowledge, today there’s not much speaking for limited disclosure in open source software for anything that can be found with automated checks (and I’d argue that a quick check for security issues should be done proactively). This has changed quickly, but it is de facto the new standard.

      • Diva (she/her)@lemmy.ml · +22 / -5 · edited · 2 days ago

        i’m showing my age being unaware then! piefed getting unexpected downtime due to an llm-identified vulnerability has been a bit of an ironic twist after there was just that fearmongering post from rimu about db0 ‘moderating with llm’

        • A Wild Mimic appears!@lemmy.dbzer0.com · +18 · 2 days ago

          Nothing to do with age, this was a very rapid change in the last months - LLMs are pretty good at finding security issues and can even write the exploit for you, and you don’t even have to know how to code. That’s awesome tho! It leads to much more secure open source code we all can depend on.

          Rimu is losing it. I switched to piefed so I don’t support the Tankies, but now I am actually considering switching back because even with their views, Lemmy development is attracting much less drama.

          • davel@lemmy.ml · +16 / -7 · 2 days ago

            I switched to piefed so I don’t support the Tankies

            1. Using Lemmy is scarcely tankie support. In fact every Lemmy user represents a financial cost to running a Lemmy instance.
            2. Even if it were tankie support, why would you care? Tankies currently have approximately zero influence in imperial core states. In terms of political triage, they should be the least of your worries.

            • A Wild Mimic appears!@lemmy.dbzer0.com · +10 / -2 · 2 days ago

              Oh, I still financially support dbzer0 to make sure it stays alive. It’s not much, but it should cover what I use. I use this account on mobile, and Piefed on Desktop.

              I do care because the finances of Lemmy development and lemmy.ml are intertwined. Since it’s all a big pot, supporting one means supporting the other.

              Russia apologia is pathetic (same with Israel or the US for that matter), and the disinformation campaigns sweeping over Europe fanning the flames of fascism are the work of authoritarians both left and right. Nazis and Tankies are 2 sides of the same coin for me, and I never would be caught dead supporting a Nazi.

        • TechLich@lemmy.world · +11 · edited · 2 days ago

          Public disclosure is good, but responsible disclosure usually involves informing the dev first, giving them a period of time to push out a patch and then publicly disclosing for the community to learn from.

          Also good to report it to mitre and give it a CVE number.

          • alapakala@quokk.au · +11 · edited · 1 day ago

            but responsible disclosure usually involves informing the dev first, giving them a period of time to push out a patch and then publicly disclosing for the community to learn from.

            This assumes the vendor acts in good faith, which, as we have seen in the past few days, has not been the case. Public disclosure was the appropriate course here, so it allows forks like Pievolution & PyLova the awareness to also take action on their derivative vulnerabilities.

            Also good to report it to mitre and give it a CVE number.

            I believe @yogthos@lemmy.ml purposely did not, to exemplify that amateurs now have access to tools they should not, and WILL forgo proper standardized communication channels to disclose issues like these in the future. Unless you believe Mitre & CVE reporting will be taught in grade schools, this threat model is pretty realistic of what we should now come to expect. Not everyone is privileged enough to afford security courses, and standardized education.

            • TechLich@lemmy.world · +4 / -1 · 22 hours ago

              This, assumes the vendor acts in good faith

              Responsible disclosure does not assume the vendor acts in good faith. Usually the disclosure period is around 90 days before the vulnerability is released, fixed or not (although this is negotiable with a good faith vendor).

              Forks etc. could have been informed privately first too if possible.

              amateurs now have access to tools they should not, and WILL forgo proper standardized communication channels to disclose issues

              This is not a good argument. Undisclosed zero days in the wild have always been part of the threat model. Amateurs with LLMs or not, a large percentage of vulnerabilities are not disclosed responsibly and are only fixed after damage has been done. Putting people and their personal information at risk because you want to make a point about the dangers of zero days (which everyone is already aware of) is woefully unethical.

              Not everyone is privileged enough to afford security courses, and standardized education.

              That doesn’t mean we should abandon these things. The vendor can report the CVE too. Or anyone else with an interest in it. It doesn’t have to be the untrained amateur grey hat asking Claude for vulns. A malicious threat actor exploiting a system doesn’t report it either. The community benefits from skilled people handling things properly. Pretending that it doesn’t because most people don’t have those skills is silly.

              • alapakala@quokk.au · +1 / -1 · edited · 13 hours ago

                Responsible disclosure does not assume the vendor acts in good faith.

                You’ve never been sued then.

                Putting people and their personal information at risk because you want to make a point about the dangers of zero days (which everyone is already aware of) is woefully unethical.
                Undisclosed zero days in the wild have always been part of the threat model.
                a large percentage of vulnerabilities are not disclosed responsibly and are only fixed after damage has been done.
                This is not a good argument.

                Hopefully I don’t need to demonstrate how this also isn’t an argument that doesn’t hold itself.

                The community benefits from skilled people handling things properly.
                A [skilled] malicious threat actor exploiting a system doesn’t report it either.

                And unskilled people now have access to skilled tools that don’t handle things properly…. It’s not an argument that people’s personal information is already at risk. It’s an argument that the tools people now have access to do not properly handle things. Maybe teach the people that developed claude mythos how to Mitre & CVE responsibly ╮(︶▽︶)╭

            • ☆ Yσɠƚԋσʂ ☆@lemmy.ml · +6 · 1 day ago

              As far as I know, piefed doesn’t even have a CVE process for submitting vulnerabilities. And I’d like to note that the two vulnerabilities I disclosed only affect the server admin in the sense that they allow the attacker to post content to the server and snoop around on available endpoints, but they don’t expose any user information.

              • TechLich@lemmy.world · +2 / -1 · 21 hours ago

                They don’t need to have one.

                You can report it here: https://cveform.mitre.org/

                Use the CNA-LR since I don’t think they have a CNA.

                You were probably trying to do the right thing disclosing, just know that there is a better process for it (even if you think the devs are asshats, it’s good to do it like that for the community who aren’t).

                Even if it only affects admins, that includes admins of forks etc.

                I’m sure there’s probably more vulnerabilities to find.