Posts: 3 · Comments: 280 · Joined: 2 yr. ago

  • You can actually buy tinted tape to dim them without completely blacking them out. So you can take your clock from “bright enough to keep your entire bedroom lit” to “just bright enough to read in the dark.”

    Found out while watching Technology Connections. Bright blue monochromatic LEDs are one of his biggest pet peeves, and he mentioned the tinted tape off-hand in one of his videos.

  • Hell, the entire Flat Earth thing started as a joke. Just a bunch of people going “wouldn’t it be funny if we started memeing about the earth being flat?” And now here we are a few years later, with flat earthers launching rockets into space and subsequently disregarding the results that they get.

  • Same. Companies like Nintendo have repeatedly proven that they have zero interest in preserving their old games. In fact, they often do the exact opposite, and work to stop people from preserving their own (legally owned) game libraries. But Nintendo also has zero interest in re-releasing those older games. So the only way you’re able to realistically play them is via piracy, since the actual company that owns the rights won’t release them for sale on a legal platform.

  • Just wanted to note that some things may be broken due to the invalid JWTs?

    I started getting “Not logged in” errors shortly after the JWT reset. I assume because the app was still using the old (now invalid) JWTs. I tried clearing my cache, so the app would request a new (valid) JWT. I’m still getting the error on my lemmy.world accounts.

    Next, I decided to try deleting the accounts from my app entirely. But when I try to disable the Push Notifications option prior to deleting, the app freezes on an infinite loading screen.

    It may not be a huge issue since the Push Notifications are probably using the old JWTs. But wanted to point it out, since others may be dealing with the same thing.

  • Tokens are signed with a secret string, which basically tells the server that it is legitimate. They could change that secret, and the server would immediately distrust any tokens signed with the old secret. This would be a pretty nuclear option though, because it would require every single user to log back in.

    You’re not the first person to say that the expiration time is a year, which is hilariously long if true. A shorter expiration time is more secure (because it specifically limits attacks like this to a specific timeframe) but it also increases server load by requiring token requests more often. For instance, if the expiry was set at 5 minutes, you’d have requests every 5 minutes but an attacker would only have control of an account for a maximum of five minutes. Maybe it was done to help save on server load, since this is all basically run by a few people as a hobby.

  • Yup. Changing your password or 2FA wouldn’t help here, because they’re not actually logging into your account. Rather, they’re simply telling the server that they’re already logged in, using your auth token as proof. You know that little “Keep me logged in” checkbox that everyone clicks when they log in? That stores an auth token on your browser, which is tied to your account.

    The next time the browser starts a session on the site, it sends that auth token instead of going through the regular login process. And since the site knows that auth token belongs to your account, it logs you in automatically without needing to go through the regular login process.

    So basically, they’re stealing a cookie from your browser, with your name on it. Then they’re able to tell the server that they’re you, by presenting that cookie as proof.

    Proper procedure should be to deauthorize any auth tokens when you change your password. But even big sites get lazy about this sometimes, so it may not be the default. If this is the case for Lemmy, even changing your password won’t help because it doesn’t automatically deauth that token.
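The mechanics the two comments above describe (tokens signed with a server secret, an expiry, and deauthorizing tokens when the password changes) as an added Python example; this is not Lemmy's code. It mints and verifies HS256 JWTs and rejects a token when the server secret is rotated, when it has expired, or when a per-user token version (bumped on password change) no longer matches. Secret values, the user name and the timestamps are constructed.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, user: str, version: int, ttl: int, now: int) -> str:
    """Mint an HS256 JWT with an expiry and the user's current token version."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": user, "ver": version, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, versions: dict, now: int) -> tuple:
    """Return (ok, reason); 'versions' maps user -> token version valid right now."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare so the signature check does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"       # e.g. signed under a rotated-out secret
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"      # never honour alg=none or a key-type switch
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("ver") != versions.get(claims.get("sub")):
        return False, "revoked"             # issued before the user's password change
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: one 5-minute token checked under four conditions."""
    now = 1_700_000_000                      # constructed timestamp
    old_secret, new_secret = b"old-server-secret", b"rotated-server-secret"
    tok = issue_token(old_secret, "alice", 1, 300, now)
    return {
        "valid": verify_token(old_secret, tok, {"alice": 1}, now)[1],
        "after_rotation": verify_token(new_secret, tok, {"alice": 1}, now)[1],
        "after_5min": verify_token(old_secret, tok, {"alice": 1}, now + 301)[1],
        "after_pw_change": verify_token(old_secret, tok, {"alice": 2}, now)[1],
    }
```

Rotating the secret logs everyone out at once; bumping one user's version is the targeted "log out of all devices" that a password change should trigger.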

  • Seems like there’s an active cookie-scraping attack going on. Lots of compromised accounts are going around different instances posting links with drive-by JavaScript. The JS tries to grab your current login token, which would give hackers access to your current login session.

    They don’t need your password because they’re just grabbing that cookie that your browser gets when you check the “Keep me logged in” checkbox on login. That’s what allows you to verify your account across multiple sessions, and it allows them to do the exact same thing. They can simply send that authorized token, and “log in” as you. This would (likely) work across instances, because if they grab your cookie then it will give them access to whatever instance your account is logged in on.

    So Lemmy.world will likely need to be completely defederated (to stop any compromised accounts from posting on other instances) and your specific instance will likely need to deauthorize all current login tokens (which will forcibly log everyone on your instance out) to stop any local accounts that got hit.

  • You seem to be correct. Some sort of drive-by login token scraper. Changing your password won’t help, because they still have an authorized copy of your login token. And I don’t think Lemmy has any sort of “Log out of all devices” button (which deauthorizes all of the account’s login tokens), so there’s not much that a compromised account holder can do to stop it once the hacker has that token.

    It’s the same thing that got Linus Tech Tips a few weeks back. Their entire YouTube account got hacked and turned into a fake “buy into our crypto and Elon Musk will give you a bunch of money” scam a few weeks back. And Linus quickly discovered that changing their passwords didn’t help, because the hackers were able to simply continue using the token they already had.

    This was likely going on for a while, and only recently got activated because they finally snagged an admin account. Shit like this can lurk for a long time, simply waiting for the right target to stumble into it. They don’t really care about the individual accounts, except for helping spread the hack farther. But once they grabbed that admin account, they had what they wanted.

  • I’d actually argue that it’s easier to get good names simply because each instance can have its own username pool. For instance, my username could also be used on other instances by other people. Me creating this account doesn’t stop someone from creating the same name elsewhere.

  • Honestly, this was helped simply by subbing to a lot of different communities. Each day is a fresh feed. It’s not up to Reddit’s “every single refresh is a brand new front page” level, but it’s enough to be able to scroll for an hour or two each day.

  • Real talk though, it’s because your brain can’t tell the difference between dream movements and real life movements. Basically, it’s to prevent you from actually punching whatever you’re lying next to. Your brain has a few methods to stop this, but the last resort is simply that your brain stops you from making any fast/forceful movements in dreams. Because the alternative is that you’d potentially punch your partner lying in bed next to you.

  • The downside is ease of use. Not everyone wants to set up a Mastodon feed or a Lemmy feed. Lots of users only want one specific type of post.

    For instance, I hate the Twitter-style microblog. I choose to use Lemmy because I specifically want to exclude Mastodon posts from my feed.

    There’s also the issue with app development. Apps for Lemmy have undergone a lot of development in the past few weeks. Apps for kbin are basically non-existent. This is an issue that could be solved with time and the right developer(s), but as it currently stands a mobile user will be better off using kbin in their browser. So if someone is looking for a more seamless transition from Reddit, the natural move is to Lemmy.

  • Lemmy doesn’t currently work with Mastodon, and I don’t think there are any plans to change that. So the two platforms, while both federated, aren’t truly compatible.

    Kbin (kbin.social) is a sort of in-between service. You can follow both Lemmy communities and Mastodon accounts. It has two different halves, with a feed for Lemmy and a Microblog feed for Mastodon posts.

  • Primarily a mobile user, which I’m assuming most migrants are. I like it so far, but have some minor complaints about the available apps. I was so used to Apollo, and a lot of the apps like wefwef and Mlem are frustratingly close but not quite there yet. Mlem is missing some things like being able to zoom images, make image posts (correct me if I’m wrong, but Mlem doesn’t appear to be able to post anything except links), automatically fetch inbox messages, or view comment replies in threads. Wefwef seems more like Apollo so far, but it has its own quirks since it’s entirely web-based.

    That’s something that I expect to improve with time though, as the apps are all still under development. So here’s hoping that things improve.

  • There’s a reason second-year students are called sophomores. It’s a compound with the same roots as “sophisticated” and “moron”. It literally means “learned idiot”. It’s referring to the students who have a year of schooling under their belt, and think that they understand everything about the world. It’s basically referring to the Dunning-Kruger Effect, where people who know very little about something are the most likely to overestimate their knowledge on the topic.