What is Hackers' Pub?

y'all should follow @GraphicMattMatt Elliott if you care about Toronto

My favorite conservative pastime is when they accidentally describe utopia while trying to scare people about socialism

이게무슨

すべてのスギ・ヒノキを燃やし尽くさなければならない

鼻づまりがひどい

ぬー…

French civil engineer Charles Joseph Minard was born #OTD in 1781. He was known for his contributions to information graphics, including his famous map of the losses suffered by Napoleon during the 1812 Russian campaign.

Writing about Minard's map, Edward Tufte said “It may well be the best statistical graphic ever drawn.”

Image: Charles Minard / Public domain

아이덴티티커피랩의 맛난 디카페인 원두, 콜롬비아 나리뇨 엘 타블론 핑크 버번. 최근 접한 디카페인 중에서는 과일과 같은 산미가 잘 표현되어서 즐겨 마시고 있어요. 아쉽게도 지금은 품절이네요..

hooray! a title slide! I'll be talking at #MonkiGras next week about how we fucked everything up and will be questioning whether anything is retrievable at all. Should be good!

🤣🫠 #monkigras

One of my main #web gripes: HTML forms can only use GET and POST methods.

If <form> also supported PUT and DELETE, you could easily map CRUD to HTTP methods and that would feel so much cleaner than splitting functionality for the same types over a bunch of different paths.

[즐겨찾기랑 부스트를 부탁드리는 툿]
vgen에서 아티스트 등록을 하고 싶은데 좋아요(즐겨찾기/커모지 리액션 등) 100개랑 멘션 5개가 필요하다고 해요
연합우주에서만 활동해서 이계정에 올려요 감사합니다!!
부탁해요 연합우주
https://vgen.co/eugeneart

#VGenCode

今天該開冷氣了吧！

Content Classification System Post Mortem

The IFTAS CCS project was a pilot project to provide CSAM detection and reporting for Mastodon servers. The bulk of the project ran for 26 weeks, and while we cannot afford to maintain the service any longer, the findings below can inform future projects. All numbers are rounded for readability.

Pilot Activity

CCS received posts from eight services with roughly 450,000 hosted user accounts, 30,000 active monthly.

Our participants represented a range of service sizes from <10 to >100,000 accounts, and a range of registration options (open registration, open subject to approval, invitation only).

During the pilot period, CCS received 3.9 million posts via webhook, or 23,000 per day. These posts represent messages that were authored by or interacted with by the participating services’ active users, leading to media being stored on the host service.

Just under 40% (1.55 million) of all posts received included one or more media attachments to classify, leading to 1.86 million media files to hash and match. Posts with no media were discarded by the service.

Of the 1.86 million files, small numbers were either unsupported formats (~2,000) or no longer available when CCS attempted to retrieve the media for classification (~1,600). An additional ~3,100 media files failed to download.

In total, of the 1.86 million media files sent to IFTAS for classification, 99.665% were hashed and matched.

The hash matcher flags media for human review if it finds a match, or a near match, and after review IFTAS filed 53 reports related to 80 media files with NCMEC. This works out to 4.29 matches per 100,000 media files. An additional number of media files that matched were beyond our human review expertise to adequately classify, and therefore we elected to not report these files.

All of the matched media and subsequent reports were of real human victims, none were fictional, drawn, or AI generated. We did not receive matches for “lolicon”.

We elected to match against a broad array of databases to ascertain their effectiveness, and we found that databases maintained by child hotline NGOs (e.g. NCMEC, Arachnid) were far more effective than databases available from commercial service providers. We saw a handful of false positives, and the vast majority of them came from commercial providers. If we had continued, we would have narrowed down the databases in use.

All matched media generated a notification to the affected service provider, and IFTAS performed any necessary media retention for law enforcement.

Context

4.29 matches per 100,000 may not sound like a large number. However, to be clear, this is a higher number than many services would expect to see, and it includes a broad range of media, from “barely legal” minors posted publicly, to intimate imagery shared without consent, to the very, very worst media imaginable. In some cases, it was apparent that users were creating accounts on host services to transact or pre-sale media before moving to an encrypted platform, under the belief that Mastodon would not be able to detect the activity.

There are 1.6 billion posts on the ActivityPub network today, and if our numbers hold true, this means there are currently many tens of thousands of copies of known CSAM on the network, likely significantly more as our service adopters by definition do not include providers that are not inclined to mitigate this issue, and criminals looking for anonymous accounts are likely to target less-moderated services.

If IFTAS found it happening so brazenly on the first servers we happened to look at, no doubt this activity is still occurring on servers that have no such protections. Mastodon is – at its simplest – a form of free, anonymous web hosting. The direct messaging feature precludes moderators and administrators from being aware of illegal content (it will never be reported by potential customers), and only a hash and match system is able to find these media and flag them.

Not only does inadvertently hosting CSAM revictimise the children involved, it also serves as an attack vector for the service to be targeted by law enforcement. We are aware of several instances of CSAM being uploaded for the express purpose of causing moderator trauma or an immediate report to law enforcement, leading to a significant amount of legal issues. This is essentially a form of swatting; simply upload CSAM, report it to the authorities, sit back and watch the server get taken down and possible criminal charges for the administrator.

Responsible Shutdown

We ensured that all webhooks were disabled by the host services, and once all review and reporting was completed, we hard-deleted all remaining data on the service, excepting the metadata and media required to be held for one year for possible law enforcement action. The AWS environment was then dismantled, deleted, and removed from service.

All associated staff and consultants were removed from the relevant IT services, and IFTAS retains no data nor metadata from any of the activity other than the bare minimum required by law pertaining to the encrypted media stored for law enforcement.

Some observed services that were clearly unmoderated and/or willing to host this content to the degree that federating with them would generate legal concerns were added to the IFTAS DNI denylist.

Next Steps

Moderation Workflow

We hope that Mastodon, Pixelfed, Lemmy and other platform developers will quickly implement safeguards within moderation dashboards to minimise moderator trauma.

Content moderators commonly experience trauma similar to those suffered by first responders. Even though the development team may have never reviewed traumatic content, the app or service will at some point deliver this traumatic content to users of the moderation workflow. When presenting reported content to a service provider or moderator:

• Always show the report classification clearly, so the moderator is aware of the type of content they are about to review,
• Blur all media until the moderator hovers to view greyscale version (re-blur when hover not detected or mouseleave event),
• Greyscale all media until the moderator clicks to toggle full colour (allow toggle state back to greyscale),
• Mute all audio until the moderator requests audio, and
• Allow the moderator to reclassify the report.

CSAM Detection

If you are a service provider, lobby your web host or CDN provider to perform this service for you, and ask them if they have resources you can use.

Cloudflare offers a free service worldwide, if you are a Cloudflare customer, consider enabling this option.

If you are a web host that hosts a large number of Fediverse providers, consider adding this safeguard at the network level.

Free Support from Tech Coalition

Tech Coalition has a program aimed at small and medium services called “Pathways“, and they are very interested to hear from Mastodon and other Fediverse service providers. While this does not offer detection, it does offer background, guidance, and access to experts. Sign up to explore these options, and to demonstrate a good faith effort to address this issue. The more providers they hear from, the more likely we are to get better options.

Ongoing Work

We are aware of noteworthy efforts to continue this work. @thisismissem is working on a prototype implementation of HMA, and Roost is exploring an open source solution for small and medium size services.

Consider following and monitoring https://mastodon.iftas.org/@sw_isac to receive alerts when services are confirmed to be sources of this content.

A range of services and resources that can help mitigate this issue are available on our CSAM Primer page in the IFTAS Connect Library. We will continue to research and share resources that can help mitigate this issue for service providers. Please let us know if you are aware of additional resources we can add to this guide.

IFTAS intends to continue its relationships with INHOPE, NCMEC, Project Arachnid, Internet Watch Foundation and other organisations to advocate for the Fediverse, and to ensure these entities understand the network and have someone to talk to if they have questions.

To everyone who participated, asked to participate, or supported this project, thank you! We are extremely sad to have to end this project, but we have safeguarded the underlying codebase and – should the opportunity arise – we will restart with this or another resource to provide this service to any who need.

2077あれmacで動くんだ…

코드 리뷰 요정, CodeRabbit이 나타났다 🐰 https://tech.inflab.com/20250303-introduce-coderabbit/

코드래빗에 저렇게 프롬프트를 넣을 수 있는거구나.....

한국의 Clojure 생태계를 책임지는 슈퍼루키 트친도 영입하고 있는 중인데, 이 계정도 추천해야겠다. 아니, 근데.. 클로져리안 모아놓은 인스턴스도 있었네????

RE: https://clj.social/@planet/114235006087329444

燃え残った全てを燃やし尽くす必要がある

Content Classification System Post Mortem

The IFTAS CCS project was a pilot project to provide CSAM detection and reporting for Mastodon servers. The bulk of the project ran for 26 weeks, and while we cannot afford to maintain the service any longer, the findings below can inform future projects. All numbers are rounded for readability.

Pilot Activity

CCS received posts from eight services with roughly 450,000 hosted user accounts, 30,000 active monthly.

Our participants represented a range of service sizes from <10 to >100,000 accounts, and a range of registration options (open registration, open subject to approval, invitation only).

During the pilot period, CCS received 3.9 million posts via webhook, or 23,000 per day. These posts represent messages that were authored by or interacted with by the participating services’ active users, leading to media being stored on the host service.

Just under 40% (1.55 million) of all posts received included one or more media attachments to classify, leading to 1.86 million media files to hash and match. Posts with no media were discarded by the service.

Of the 1.86 million files, small numbers were either unsupported formats (~2,000) or no longer available when CCS attempted to retrieve the media for classification (~1,600). An additional ~3,100 media files failed to download.

In total, of the 1.86 million media files sent to IFTAS for classification, 99.665% were hashed and matched.

The hash matcher flags media for human review if it finds a match, or a near match, and after review IFTAS filed 53 reports related to 80 media files with NCMEC. This works out to 4.29 matches per 100,000 media files. An additional number of media files that matched were beyond our human review expertise to adequately classify, and therefore we elected to not report these files.

All of the matched media and subsequent reports were of real human victims, none were fictional, drawn, or AI generated. We did not receive matches for “lolicon”.

We elected to match against a broad array of databases to ascertain their effectiveness, and we found that databases maintained by child hotline NGOs (e.g. NCMEC, Arachnid) were far more effective than databases available from commercial service providers. We saw a handful of false positives, and the vast majority of them came from commercial providers. If we had continued, we would have narrowed down the databases in use.

All matched media generated a notification to the affected service provider, and IFTAS performed any necessary media retention for law enforcement.

Context

4.29 matches per 100,000 may not sound like a large number. However, to be clear, this is a higher number than many services would expect to see, and it includes a broad range of media, from “barely legal” minors posted publicly, to intimate imagery shared without consent, to the very, very worst media imaginable. In some cases, it was apparent that users were creating accounts on host services to transact or pre-sale media before moving to an encrypted platform, under the belief that Mastodon would not be able to detect the activity.

There are 1.6 billion posts on the ActivityPub network today, and if our numbers hold true, this means there are currently many tens of thousands of copies of known CSAM on the network, likely significantly more as our service adopters by definition do not include providers that are not inclined to mitigate this issue, and criminals looking for anonymous accounts are likely to target less-moderated services.

If IFTAS found it happening so brazenly on the first servers we happened to look at, no doubt this activity is still occurring on servers that have no such protections. Mastodon is – at its simplest – a form of free, anonymous web hosting. The direct messaging feature precludes moderators and administrators from being aware of illegal content (it will never be reported by potential customers), and only a hash and match system is able to find these media and flag them.

Not only does inadvertently hosting CSAM revictimise the children involved, it also serves as an attack vector for the service to be targeted by law enforcement. We are aware of several instances of CSAM being uploaded for the express purpose of causing moderator trauma or an immediate report to law enforcement, leading to a significant amount of legal issues. This is essentially a form of swatting; simply upload CSAM, report it to the authorities, sit back and watch the server get taken down and possible criminal charges for the administrator.

Responsible Shutdown

We ensured that all webhooks were disabled by the host services, and once all review and reporting was completed, we hard-deleted all remaining data on the service, excepting the metadata and media required to be held for one year for possible law enforcement action. The AWS environment was then dismantled, deleted, and removed from service.

All associated staff and consultants were removed from the relevant IT services, and IFTAS retains no data nor metadata from any of the activity other than the bare minimum required by law pertaining to the encrypted media stored for law enforcement.

Some observed services that were clearly unmoderated and/or willing to host this content to the degree that federating with them would generate legal concerns were added to the IFTAS DNI denylist.

Next Steps

Moderation Workflow

We hope that Mastodon, Pixelfed, Lemmy and other platform developers will quickly implement safeguards within moderation dashboards to minimise moderator trauma.

Content moderators commonly experience trauma similar to those suffered by first responders. Even though the development team may have never reviewed traumatic content, the app or service will at some point deliver this traumatic content to users of the moderation workflow. When presenting reported content to a service provider or moderator:

• Always show the report classification clearly, so the moderator is aware of the type of content they are about to review,
• Blur all media until the moderator hovers to view greyscale version (re-blur when hover not detected or mouseleave event),
• Greyscale all media until the moderator clicks to toggle full colour (allow toggle state back to greyscale),
• Mute all audio until the moderator requests audio, and
• Allow the moderator to reclassify the report.

CSAM Detection

If you are a service provider, lobby your web host or CDN provider to perform this service for you, and ask them if they have resources you can use.

Cloudflare offers a free service worldwide, if you are a Cloudflare customer, consider enabling this option.

If you are a web host that hosts a large number of Fediverse providers, consider adding this safeguard at the network level.

Free Support from Tech Coalition

Tech Coalition has a program aimed at small and medium services called “Pathways“, and they are very interested to hear from Mastodon and other Fediverse service providers. While this does not offer detection, it does offer background, guidance, and access to experts. Sign up to explore these options, and to demonstrate a good faith effort to address this issue. The more providers they hear from, the more likely we are to get better options.

Ongoing Work

We are aware of noteworthy efforts to continue this work. @thisismissem is working on a prototype implementation of HMA, and Roost is exploring an open source solution for small and medium size services.

Consider following and monitoring https://mastodon.iftas.org/@sw_isac to receive alerts when services are confirmed to be sources of this content.

A range of services and resources that can help mitigate this issue are available on our CSAM Primer page in the IFTAS Connect Library. We will continue to research and share resources that can help mitigate this issue for service providers. Please let us know if you are aware of additional resources we can add to this guide.

IFTAS intends to continue its relationships with INHOPE, NCMEC, Project Arachnid, Internet Watch Foundation and other organisations to advocate for the Fediverse, and to ensure these entities understand the network and have someone to talk to if they have questions.

To everyone who participated, asked to participate, or supported this project, thank you! We are extremely sad to have to end this project, but we have safeguarded the underlying codebase and – should the opportunity arise – we will restart with this or another resource to provide this service to any who need.

Blasting Past WebP - An analysis of the NSO BLASTPASS iMessage exploit

Link: https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html
Discussion: https://news.ycombinator.com/item?id=43493056

요즘 성숙해지려는 개인이슈가 있어서 그럼.

단독 尹 선고 늦어지자 피로 누적된 경찰... 숙박비만 13억 원 입력 2025.03.27 19:30 1월 초과근무 시간 기동대 1인 113시간 평일 기준 20~30개 지방청 기동대 상경 탄핵 이후 집회 계속… 尹 선고만 기다려 초과근무 수당 제한 없앴지만 '피로감' 우려 www.hankookilbo.com/News/Read/A2...

[단독] 尹 선고 늦어지자 피로 누적된 경찰... 숙박...

I'm kinda surprised the Ghost dashboard doesn't give you very basic stats about what content is being read/looked at / basic inbound traffic.

That seems more important than newsletter stuff?

Then again I often find myself at odds with creator stuff, so maybe I don't understand the platform well enough.

cc @johnonolanJohn O'Nolan

くろでん吸いたい定期

They Might Be Giants Flood EPK Promo (1990) [video]

Link: https://www.youtube.com/watch?v=C-tQSFQ-ESY
Discussion: https://news.ycombinator.com/item?id=43490173

Two queries for you, fedi friends #askfedi

1) Do any of those "erase your data from the #Internet" tools the YouTube creators are always advertising actually help? I feel like the spam texts are getting oddly specific, and also I have talked my fair share of shit about the Cheeto-in-Charge online which is seeming more dangerous by the day

2) Also, I unfortunately used my real last name when I jumped on Mastodon. Is there any way to change screen name? I know I looked awhile back and the answer seemed to be no but thought I'd ask again 🙏

Thanks friends!
#advice #privacy

악 닌다까먹었어

비상행동 이번주 토요일 17시 동십자각입니다 ※※※토요일 오후 5시※※※ www.bisang1203.net

와 버추얼 카드 시스템 넘 좋아서… 패밀리 블친끼리 모집해봐야지

I've been accepted as a speaker at @LASLinux Appp Summit (LAS) to talk about GNOME Circle. I was excited to travel to Albania and have my talk there but the Linux App Summit hasn't been answering any of my emails! Since I'm from Iran, I really need an Invitation Letter to be able to get my visa (e-visa) since Albania does not give visas to Iranians so easily, and it needs lots of paperwork (and also no embassy in Iran). I emailed LAS on 11th March...

#Albania #Linux #LinuxAppSummit #LAS #Gnome #Visa #GnomeCircle

지옥~~~~ x.com/GomtaengIya/...

!!!

I have no idea what young emelia was on about, but I think I like the sentiment?

(just found this going through the stuff in my ghost blog drafts after I imported from medium)

I am just having the kind of morning that makes me want to crawl up into a tiny ball and then drop a bomb which propels me up to reach a higher platform

한국의 Clojure 생태계를 책임지는 슈퍼루키 트친도 영입하고 있는 중인데, 이 계정도 추천해야겠다. 아니, 근데.. 클로져리안 모아놓은 인스턴스도 있었네????

RE: https://clj.social/@planet/114235006087329444

[第四十六話]サチ録～サチの黙示録～ - 茶んた | 少年ジャンプ＋

https://shonenjumpplus.com/episode/17106567264478576086#episode-comment

I'm proud to announce the project I've been working on for the last two years - Xee: a modern implementation of XPath and XSLT in Rust.

I know XML isn't hip anymore but this is a programming language implementation in Rust, according to extensive specifications!

https://blog.startifact.com/posts/xee/

#RustLang #xml @thisweekinrust

🤔 Why Choose to Use the BSDs in 2025
—@stefanoStefano Marinelli

｢ Yes, Linux, Docker, and Kubernetes are better than closed source solutions. But when everyone uses the same tools, freedom dies. We use them because "everyone does" rather than because they're the best tool for our specific needs ｣

https://it-notes.dragas.net/2025/03/23/osday-2025-why-choose-bsd-in-2025/

#bsd #freebsd #netbsd #openbsd #opensource

The young are going off tea, says The Times. According to a study of 6,000 Britons under 35, coffee is now the preferred hot drink, with 37% naming it their go-to, followed by hot chocolate with 31%. Down in a measly third, with 25%, was the “beloved cuppa”.

Using JS in ClojureScript Projects

https://martinklepsch.org//posts/embracing-js-files-in-clojurescript

The pull toward JavaScript has never been stronger. While ClojureScript remains an extremely expressive language, the JavaScript ecosystem continues to explode with tools like v0, Subframe & Paper generating entire UI trees and even full...

#clojure #clj #cljs !clojure@lemmy.ml @clojureClojure programming language discussion

I think people are getting confused about why Signal isn't appropriate for national secrets. It's secure isn’t it?

If we listen to the folks who designed it, it is designed with an intent to protect journalists, activists, and regular people. It does that by making it difficult enough that a much more equiped adversary would find it to expensive (literally in money, or in other resources) to obtain the contents of the chat.

It was -not- designed to contain the conversation of a world super power’s most powerful decision makers. That is a conversation many nations around the world would be willing to devote essentially unlimited resources to attack.

Likewise, it contains features and user interface elements geared toward normal people having normal, but perhaps private, conversations. It does not contain mechanisms a channel designed for top secret, high level communications might- for instance verifying things like hardware tokens/smart cards issued by a trusted root, with coupled biometrics also verified by a trusted collective root. It does not obscure communications patterns or network paths. It doesn’t incorporate dedicated networks with trusted and verified nodes. It doesn't, as far as I know, contain a feature for a user to silently report a compromise or duress.

The hub-bub about the use of Signal is pretty much an example of the tool "failing" in a way that is due to it's unsuitability for the government/military comms but entirely suitable for its more individual, civilian-focused purpose. A tool fit for their use case should have not allowed participants that were not centrally cleared as authentic and authorized for the compartmented information within, and an entire universe of controls would have existed around it to reduce the risk of side channels and leakage.

Signal is not at fault here, and the ultimate authorities of the US DoD, US Central Intelligence Agency, and the US National Security Agency should know better.

This is a failure of understanding and fragrant disregard for TTPs/SOPs that should disqualify these people from holding those roles. They clearly don't know what they are doing, and they don't care.

あけおめ

昨日のMisskeyの活動は

ノート: 12410(+65)
フォロー: 123(+1)
フォロワー: 123(+1)

でした。

#misshaialert

🤔 Why Choose to Use the BSDs in 2025
—@stefanoStefano Marinelli

｢ Yes, Linux, Docker, and Kubernetes are better than closed source solutions. But when everyone uses the same tools, freedom dies. We use them because "everyone does" rather than because they're the best tool for our specific needs ｣

https://it-notes.dragas.net/2025/03/23/osday-2025-why-choose-bsd-in-2025/

#bsd #freebsd #netbsd #openbsd #opensource

Casual #NixOS Meetup in Vienna! Join an informal NixOS meetup to chat about all things #Nix & NixOS!

📅 April 7, 2025 | 🕕 18:00 | 📍 GT_, Augasse 2-6, 1090 Wien
https://discourse.nixos.org/t/community-calendar/18589/195

今日16000歩も歩いてる。勾配を歩いたのでかなり足が疲れている

@mkj @AvitusNew Phone Houthis 👊🇺🇸🔥 @stefanoStefano Marinelli I’m sure there are other variations, but this is the one from Scott Hanselman (Microsoft); applies just as well to Signal and E2EE, and whether one of your endpoints is who you think it is, or compromised.