Kir @dober@infosec.exchange

Securing Docker Containers https://0x00sec.org/t/securing-docker-containers/16913

Socialhome v0.10.0 released

Just over a year ago we released v0.9.0 with the intention of not releasing another (non-patch) release before #ActivityPub support is at a state of at least alpha level usability. I (Jason, author) must admit, this took longer than I excepted. Partial reason for this was huge changes that happened in my life - a divorce and switch from employee to entrepreneur. There were times were I hadn't looked at any of the code for a month and spent hours just catching up where things were.

There was also a huge amount of refactoring needed to make #Socialhome, which was designed for the #Diaspora protocol, happy with two protocols. While ActivityPub covers the same use cases (in a much more flexible way), it is fundamentally different in how profile and content identity is handled. Most of this refactoring happened in the federation library, which has to job of worrying about all this protocol stuff leaving the Socialhome changes mostly dealing with data storage.

This is easily the biggest single push that has been made for this project. It has also meant that not many features or UI changes have landed during the last year. I think however expanding the reach of Socialhome users from approx 25K monthly active users to around 500K monthly active users is probably worth it.

Simultaneously is released v0.18 of the federation library which handles all the actual protocol level logic.

A total of 460 commits (of which 170 to the federation library) went into this release by four authors, changing 392 files (33096 insertions, 7410 deletions).

Other highlights

Tag streams (followed tags) was added.
Scope of incoming integration for the Diaspora protocol Social-Relay can be set by the server admin.
Users now have a "followers" page similar to their "following" page to see who they are followed by. This is only available to the user themselves.
#Python 3.6 is now the lowest supported version.
Rewritten contacts page with more visually pleasing boxes instead of a table from the nineties.

Plus various smaller changes and fixes, see the full changelog here.

What's next?

Now that ActivityPub support has been shipped, it's time to make it more robust and compatible with other platforms. This will take time and happen gradually. Please do report all the bugs you may find in our chat or in the issue tracker.

There will also be more focus on the UI side of things and adding more features now that all the time doesn't have to be spent on the federation layer. @{https://diaspodon.fr/users/AugierLe42e} has already spent some time rewriting the publisher in #VueJS and various UI design rewrite/change proposals have been submitted from the community (one, two).

Docker

This release is also the first one that has Docker images published. #Docker will be the suggested installation method from now on. Any manual installation guides will be accepted but will not be maintained in the official docs.

Due to the Docker image being new, feedback is very welcome from Docker enthusiasts. Let us know how it worked for you and what needs better solutions or documentation.

What is Socialhome?

Socialhome is best described as a #federated personal profile with social networking functionality. Users can create rich content using #Markdown. All content can be pinned to the user profile and all content will federate to contacts in the federated social web. Federation happens using the ActivityPub and Diaspora protocols.

Please check the official site for more information about features. Naturally, the official site is a Socialhome profile itself.

Official site: https://socialhome.network.

Contribute

Want to work on a #Django and VueJS powered social network server? Join in the fun! We have easy to follow development environment setup documentation and a friendly chat room for questions.

Documentation
Chat room info

#changelog #news #socialnetwork #fediverse #selfhosting

A flaw in Sudo - CVE-2019-14287

The #vulnerability affects all sudo versions prior to the latest released version 1.8.28, which has been released today, just a few hours ago.

Just by specifying user ID "-1" or "4294967295" in the command instead of the root.

sudo -u#-1 id

More info on The Hacker News

Horribly? Don't panic!

This does not affect you if:

Your users are not allowed to sudo
Your users are allowed to sudo to root
Your users are only allowed to sudo as non-root to non-potentially-damaging software (say "id" instead of something like "rm" or "bash")

Do update nevertheless, but don't interpret this vulnerability to be anything more than it is.

#cybersec, #linux, #donotpanic

We have now a PeerTube account, maintained by @bjoern. For now we will concentrate on conference videos. http://conf.tube/accounts/nextcloud/ #PeerTube #Nextcloud

Why big ISPs aren’t happy about Google’s plans for encrypted DNS.
DNS over HTTPS will make it harder for ISPs to monitor or modify DNS queries.
#DoH #DNS #ISP
https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new-chrome-feature-will-stop-them-from-spying-on-you/

I would appreciate recommendations for VPS provider. Just for small projects for now.

"Help us keep DigitalOcean secure

To get full access to DO, we need to verify your identity. You will need to provide a government-issued ID, a phone number and a selfie."

What the fuck is this bullshit.

Federation

Socialhome federates using the #ActivityPub and #Diaspora protocols. This allows content to #federate not only to other #Socialhome servers, but also with servers from over 40 different platforms with millions of users across the #Fediverse.

​

RT @IanColdwater@twitter.com

Metasploit RCE. No, not a module. RCE in Metasploit itself.

Go patch if you haven’t already.

https://blog.doyensec.com/2019/04/24/rubyzip-bug.html

🐦🔗: https://twitter.com/IanColdwater/status/1121541855441752071

#APT34 / #OilRig / #HelixKitten hacking tools and victim data leaked. https://dobergroup.org.ua/content/1547031/oilrig-apt34-hacking-tools-and-victim-data-l/

So far, this post from Black Hills has been helpful: https://www.blackhillsinfosec.com/build-c2-infrastructure-digital-ocean-part-1/