terribleplan

joined 1 year ago
[–] [email protected] 2 points 11 months ago

I think it would need to be a mechanism similar to how user moves are handled where the old thing sticks around forever but has a field that says "the new one is over here" and then the new one has a field that says "yes, I am the same as that old one". At least I think that's how e.g. mastodon handles moves of users (just the person/actor, not any of their content. AFAIK nothing in the fediverse can do something like this with anything other than a person/actor at the moment)

[–] [email protected] 1 points 11 months ago (3 children)

The problem is the thing has already been federated. Changing the ID in the db will appear to the rest of the fediverse as new things, not as those same things.

[–] [email protected] 1 points 11 months ago

Snappymail is simple and awesome if you want better webmail than roundcube, I switched and didn't look back. I am also a big fan of native apps, I'm using thunderbird on my PCs and Fair Email on Android, both of which I am quite happy with.

[–] [email protected] 4 points 11 months ago

Laptops/desktops: no real naming scheme, they use non-static DHCP leases anyway.

Physical servers: NATO phonetic alphabet. If I run out of letters something has gone terribly ~~wrong~~ right.

VMs: I don't have many of these left, but they are named according to their function and then a digit in case I need more, e.g. docker1, k3s1. This does mean that I have some potential oddities like a k3s cluster with foxtrot, alpha, and k3s1 as members, but IMO that's fine and lets me easily tell if something is physical or virtual. I am considering including the physical machine name in the VM name for new things as I no longer have things set up such that machines can migrate... though I haven't made a new VM in some time.

Network equipment: Named according to location and function, e.g. rack-router, rack-10g, rack-back-1g, rack-ap, upstairs-10g, upstairs-ap. If something moves or is repurposed it is likely getting reconfigured so renaming at that point makes sense.

[–] [email protected] 2 points 11 months ago

Quoted because those were the first paragraphs from Wikipedia, just sucked to try to credit properly on mobile.

[–] [email protected] 5 points 11 months ago (2 children)

Identified by their distinctively grotesque costumes, Gwar's core thematic and visual concept revolves around an elaborate science fiction-themed mythology which portrays the band members as barbaric interplanetary warriors, a narrative which serves as the basis for all of the band's albums, live shows and media. With over-the-top violent, sexual, and scatological humor typically incorporating social and political satire, Gwar has attracted both acclaim and controversy for its music and stage shows, the latter of which notoriously showcase enactments of graphic violence that result in the audience being sprayed with fake blood, urine, and semen. Such stagecraft regularly leads Gwar to be labeled a "shock rock" band by the media.

Tiny Desk Concerts is a video series of live concerts hosted by NPR Music at the desk of All Songs Considered host Bob Boilen in Washington, D.C.

Magic.

[–] [email protected] 3 points 11 months ago

I switched to Forgejo just by swapping out the image. So far gitea hasn't been malicious with its trademarks now being owned by a private company, but I feel better using software that is more closely tied to a nonprofit. I see no reason to switch back.

[–] [email protected] 1 points 11 months ago (1 children)

Pretty sure it needs to be https://$user:[email protected]/username/repo.git#branch.

[–] [email protected] 9 points 11 months ago (2 children)

  1. You host it yourself
  2. You can get a cool domain name
  3. It's pretty low maintenance

[–] [email protected] 1 points 11 months ago

I have owned and otherwise dealt with a few different Startech 4-post open racks and have been very happy with them. I currently use one of their 25U racks for my lab, but am running out of space...

[–] [email protected] 12 points 11 months ago (3 children)

I started on Gitlab, which was a monster to run. I moved to Gitea, until the developers started doing some questionable things. Now I'm on Forgejo (a fork of Gitea).

[–] [email protected] 0 points 11 months ago

Yeah, all I know is that I am definitely seeing images loaded in from domains other than that of my instance as I load/scroll pages, which I want to be loaded via my instance for privacy reasons.

 

A checkpoint? From Mk. VI? And they mention the fediverse? (Well, Mastodon at least). It must be Christmas.

 

I tried what another user reported and it worked. I submitted a github issue as the security email seems to be unmonitored based on me trying to contact it (regarding a different issue) for over a week now.

Be careful about links you click in Lemmy, I guess.

cross-posted from: https://sh.itjust.works/post/774797

What is XSS?

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

Impact

One-click Lemmy account compromise by social engineering users to click your post's URL.

Reproduction

Lemmy does not properly sanitize URIs on posts, leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client.

To recreate, simply create a new post with the URL field set to: javascript:alert(1)//

Patching

Adding filtering to block javascript: and data: URIs seems like the easiest approach.
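
As an added example (not part of the original post and not Lemmy's code), the code below compares the prefix blocklist suggested above with a scheme allowlist built on the WHATWG `URL` parser. The function names and sample inputs are constructed for illustration.

```javascript
// Added example, not Lemmy's code. Function names and samples are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Prefix blocklist, as the post suggests: rejects only exact lowercase prefixes.
function blocklistAccepts(input) {
  return !(input.startsWith("javascript:") || input.startsWith("data:"));
}

// Allowlist: parse first, then accept only absolute http(s) URLs.
// The WHATWG parser trims surrounding whitespace and lowercases the scheme,
// so the check runs on the same value a browser would act on.
function safePostUrl(input) {
  if (typeof input !== "string") return null;
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return null; // relative or unparseable input is rejected
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs for a post's URL field.
const SAMPLES = [
  "https://example.com/post/1",
  "javascript:alert(1)//",   // value from the post
  "JavaScript:alert(1)//",   // same scheme, different case
  "  javascript:alert(1)//", // leading whitespace
  "data:text/html,hello",
  "/relative/path",
];

// Run both checks over each sample so the difference is visible side by side.
function compare(samples) {
  return samples.map((input) => ({
    input,
    blocklist: blocklistAccepts(input),
    allowlist: safePostUrl(input),
  }));
}

console.table(compare(SAMPLES));
```

The allowlist rejects every non-http(s) scheme, including ones a blocklist author did not think of, which is why it is the more robust form of the filter; the same check belongs wherever the stored URL is rendered into an `href`.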

1
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 

Lemmy is vulnerable to javascript: links, see this post for more details.

 

Crank up "Crab Rave" and put your claws in the air, but with guns in them.

 

Can't sleep, time to rewatch this video and others like it.

 

Escape! With Art!

 

I was a bit distracted with the whole LRRMans thing, have some highlights.

 

Apparently someone on lemmy.ca feels the need to make clickbait out of a very short wikipedia article. And they didn't even answer their clickbait in the post body. smh.

For added fun archive.org seemingly breaks the Lemmy UI, indicating that the community lives @web.archive.org for some reason.

Created: 9th century

"This is the most exciting piece of excrement I've ever seen ... In its own way, it's as irreplaceable as the Crown Jewels"

 

The operator of the plant is confident it is safe, some say there are other risks that make not releasing the wastewater worse, most opposition is limited to saying there hasn't been enough study, one scientist in particular says it is unsafe. We'll see what ends up happening later this month.

“a lack of adequate and accurate scientific data supporting Japan’s assertion of safety”.

“The risk of another earthquake or a typhoon causing a leak of a tank is higher, and they’re running out of space.”

“The concept of dilution as the solution to pollution has demonstrably been shown to be false, [...] [t]he very chemistry of dilution is undercut by the biology of the ocean.”

“I think it is important to evaluate the long-term environmental impact of these radionuclides,”

“We have confirmed that the tritium concentrations in the bodies of marine organisms reach equilibrium after a certain period of time and do not exceed the concentrations in the living environment,” [...] The tritium concentrations then decrease over time once the organism is returned to untreated seawater.

The IAEA [...] is expected to release a final report on the site and the plan for the wastewater release later in June.

1
How to use Lemmy (lemmy.nrd.li)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
 

Lemmy 101

A (hopefully not as complicated as the others) introduction to Lemmy

How do I sign up?

Notice: Spam campaigns targeting Lemmy providers are already happening, so we are currently requiring manual approval. Please cut me some slack, I need to sleep occasionally.

  1. If you are viewing this post then that likely means you are on a Lemmy instance already. This post was originally hosted on https://lemmy.nrd.li, a community welcoming anyone who is nerdy about something.
  2. Click Sign Up in the top-right-most corner.
  3. Fill out and submit the information.
  4. Done!

You have just signed up to Lemmy. Congratulations, welcome to the club. At this point, you should click the name of the provider you're on (at the top-left-most part of the registration page) and bookmark it to your browser. This is where you will be browsing Lemmy from now on. Now you will need to wait for the admin (me) to approve your account, this will likely take less than 24 hours, and usually closer to an hour or two.

So, what about them federation business I've heard so much about?

Beyond a few basic quirks, you don't need to care about it yet. That's for Lemmy 102, eventually.

  • Your account is bound to the provider you signed up to. You will only be able to log into it from that place, and that place alone. This is why I recommend bookmarking it.
  • Your provider is not omnipotent, and occasionally needs to be taught about communities and content, especially if it is a new or small one. Read on below on how to do that.
  • You are not limited to content hosted on your own provider. This is the hardest part to grasp so just roll with it even if you don't know what I mean by that yet.

So, how do I find communities/subreddits/sublemmies/PEOPLE TO TALK TO

  1. Go to https://lemmyverse.net/communities
  2. Click the home icon at the top-right-most part of the website, and enter in the provider you signed up with.
    • It should auto-complete and light up green.
  3. Browse the list and click on the names of the ones you find interesting
  4. Click the Subscribe button on the sidebar to add them to your homepage.

It can't be this easy, right?

For 90% of cases, it really is this easy. It's the last 10% that's gonna bring you trouble.

Lemmy just had a big bang of activity and every single admin and developer is running around with their hair on fire, so there will be quirks you will encounter in day to day usage.

For example:

I clicked subscribe but nothing happened

Click it again. If it says Subscription Pending it means you're subscribed.

Lemmyverse says there are posts but it's a ghost town in here when I open it

This means your provider just learned about the existence of that community. If you subscribe to it, it will fetch future posts and make it not a ghost town to the people after you. It will not fetch past posts because technical reasons.

I get 404: couldnt_find_community when I click on a community

Oh boy, here we go. This is the most complicated thing you will need to do.

This means your provider does not know about the existence of that community. If you want to subscribe there, you'll have to first teach your provider about it.

  1. On the Lemmyverse website, each community has an additional part under their name that starts with an exclamation mark and [[email protected]](/c/[email protected]). Click it to copy it.
  2. Go to your provider's home page.
  3. Click the little magnifying glass at the top-right-most corner.
  4. On the search bar, paste this identifier you just copied.
  5. Search for it.
  6. Ignore it when it says there are no results found. That's a lie.
  7. If it doesn't show up within 10-20 seconds, search for it again.
  8. It should show up by now.

Going through this is tiring, yes. But after doing it once, your provider will, in most cases, remember it for anybody else in the future.

I clicked on a link and it logged me out so now I can't reply/upvote/subscribe

  1. Remain calm.
  2. Copy the URL of the page you are in right now.
    • If you're on the home page of a community, that exclamation mark identifier will be at the sidebar just below its name. You can take that and use the instructions in the previous section.
  3. Go to your provider's home page.
  4. Click the little magnifying glass at the top-right-most corner.
  5. On the search bar, paste the URL you just copied.
  6. That post/comment/community should pop up in the search results.

Ok, I got the post but the comment I want to reply to is not there

  1. Yeah, this is getting pretty absurd I know. Growing pains and all
  2. On the comment, there will be this rainbow colored star badge somewhere next to the author's name. Right click it and select Copy Link
  3. Proceed with the above instructions using that link.

I clicked a link and everything is different and I can't find any of these buttons you are talking about

Scroll to the very top of the page. Is the strip at the top of the page a dark blue/purple-y color or white/black?

If it's purple-y, you stumbled your way onto kbin instead of Lemmy. That's a different thing.

If it isn't... I got no clue, sorry.

I want a mobile app

All of them are under-baked and have missing features at the present. But if you really want to, you can try Jerboa for Android, and Mlem for iOS.

You will need to adapt parts of this guide to how the apps work (in particular, where the search box is).

Any more quirks I need to keep in mind?

  • In your settings there is a box for preferred languages. DON'T TOUCH IT
    • I am serious. You will lose access to half the content in the entire network in one fell swoop. Nobody tags languages correctly.
  • Occasionally submit buttons will start loading infinitely. This may or may not mean whatever you were trying to submit may or may not have happened. Nobody knows. If it keeps spinning for more than 10-20 seconds, just go back to where you tried to post/comment and pray it worked.
  • Hot and Active sorts are broken. Use something like New Comments or one of the Top sorts instead.
  • Sometimes posts will change under you. If you're writing a long reply, double check to make sure the post you're replying to hasn't switched out to something unrelated.
    • This is (I believe) the result of a stupid decision that is fixed by the newest yet unreleased version of Lemmy.
    • That same fix will also disable other live update behavior, which causes many more issues than it solves.

Any more non-quirks I need to keep in mind?

  • Some providers disable downvotes, some do not.
  • Some providers disable community creation, some do not.
  • Expect providers to go down and up and slow down and speed up and run out of money and start begging for donations as more and more people join in and start posting.
  • Expect inter-provider drama, which may result in providers cutting each other off.
    • This is also known as "defederating". Which is both a blessing and a curse.
  • There is no way to transfer your account between providers.
  • You should not need to create accounts on more than one provider unless there is a specific reason to do so (e.g. if your account is on a provider that's defederated from a large one)
  • This entire document is a massive oversimplification

All of this applies as of June 20, 2023. Hopefully the future is brighter.

Help!

If you have an account you can post in the comments and I will be notified, and will do my best to help however I can.

Credits

This is a slightly modified version of this wonderful document by @[email protected]

 

The USCSB does some great animations. Their new intro is radical as well, right up until they use a Red Tailed Hawk's call instead of an actual Bald Eagle's.

 

On today's episode of Tap Tap 100...
