@prologic@twtxt.net Try hitting this URL:
https://twtxt.net/external?nick=nosuchuser&uri=https://foo.com
Change nosuchuser to any phrase at all.
If you hit https://twtxt.net/external?nick=nosuchuser , you’re given an error. If you hit that URL above with the uri parameter, you get a legitimate-looking page. I think that is a bug.
@prologic@twtxt.net Hitting that URL returns a bunch of HTML even though there is no user named lovetocode999 on my pod. I think it should 404, and maybe with a delay, to discourage whatever this abuse is. Basically this can be used to DDoS a pod by forcing it to generate a bunch of HTML just by doing a bogus GET like this.
@stigatle@yarn.stigatle.no I used the following hack to keep my VPS from running out of space: watch -n 60 rm -rf /tmp/yarn-avatar-*, run in tmux so it keeps running.
@stigatle@yarn.stigatle.no / @abucci@anthony.buc.ci My current working theory is that there is an asshole out there that has a feed that both your pods are fetching with a multi-GB avatar URL advertised in their feed’s preamble (metadata). I’d love for you both to review this PR, and once merged, re-roll your pods and dump your respective caches and share with me using https://gist.mills.io/
@prologic@twtxt.net There are a lot of logs being generated by yarnd, which is something I haven’t seen before too:
Jul 25 14:32:42 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:42 (162.211.155.2) "GET /twt/ubhq33a HTTP/1.1" 404 29 643.251µs
Jul 25 14:32:43 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:43 (162.211.155.2) "GET /twt/112073211746755451 HTTP/1.1" 400 12 505.333µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (111.119.213.103) "GET /twt/whau6pa HTTP/1.1" 200 37360 35.173255ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112343305123858004 HTTP/1.1" 400 12 455.069µs
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (168.199.225.19) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fwww.palapa.pl%2Fbaners.php%3Flink%3Dhttps%3A%2F%2Fwww.dwnewstoday.com HTTP/1.1" 200 36167 19.582077ms
Jul 25 14:32:44 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:44 (162.211.155.2) "GET /twt/112503061785024494 HTTP/1.1" 400 12 619.152µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/111863876118553837 HTTP/1.1" 400 12 817.678µs
Jul 25 14:32:46 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:46 (162.211.155.2) "GET /twt/112749994821704400 HTTP/1.1" 400 12 540.616µs
Jul 25 14:32:47 buc yarnd[1911318]: [yarnd] 2024/07/25 14:32:47 (103.204.109.150) "GET /external?nick=lovetocode999&uri=http%3A%2F%2Fampurify.com%2Fbbs%2Fboard.php%3Fbo_table%3Dfree%26wr_id%3D113858 HTTP/1.1" 200 36187 15.95329ms
I’ve seen that nick=lovetocode999 a bunch.
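Added example (not part of the original posts and not yarnd code): a small Python check for the pattern in the log excerpt above, where one nick is requested through /external with unrelated uri values from different client addresses. The sample lines, nicks and hosts are constructed, and the limit of one uri host per nick is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Request part of a yarnd access-log line, in the format shown in the excerpt:
# (client-ip) "METHOD target HTTP/x" status bytes duration
LINE_RE = re.compile(
    r'\((?P<ip>[0-9A-Fa-f.:]+)\) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) '
)

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE = [
    '[yarnd] 2024/07/25 14:32:42 (192.0.2.10) "GET /twt/abcdefg HTTP/1.1" 404 29 0.64ms',
    '[yarnd] 2024/07/25 14:32:44 (192.0.2.11) "GET /external?nick=bogusnick'
    '&uri=http%3A%2F%2Fspam-one.example%2Fr.php%3Flink%3Dhttps%3A%2F%2Fnews.example'
    ' HTTP/1.1" 200 36167 19.5ms',
    '[yarnd] 2024/07/25 14:32:47 (198.51.100.7) "GET /external?nick=bogusnick'
    '&uri=http%3A%2F%2Fspam-two.example%2Fboard.php%3Fid%3D1 HTTP/1.1" 200 36187 15.9ms',
    '[yarnd] 2024/07/25 14:33:01 (203.0.113.5) "GET /external?nick=realfeed'
    '&uri=https%3A%2F%2Ffeeds.example%2Ftwtxt.txt HTTP/1.1" 200 1200 2.1ms',
]


def summarize_external(lines):
    """Per-nick totals for /external requests that were answered with 200."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "clients": set(), "hosts": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["target"])
        if url.path != "/external":
            continue
        query = parse_qs(url.query)  # also percent-decodes the values
        entry = stats[query.get("nick", [""])[0]]
        entry["hits"] += 1
        entry["bytes"] += int(m["size"])
        entry["clients"].add(m["ip"])
        entry["hosts"].add(urlsplit(query.get("uri", [""])[0]).hostname or "")
    return stats


def suspicious_nicks(stats, max_hosts=1):
    """Assumption: a genuine external feed nick maps to one feed host."""
    return sorted(n for n, s in stats.items() if len(s["hosts"]) > max_hosts)


if __name__ == "__main__":
    for nick in suspicious_nicks(summarize_external(SAMPLE)):
        print("review /external traffic for nick:", nick)
```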
watch -n 60 rm -rf /tmp/yarn-avatar-* in a tmux because all of a sudden, without warning, yarnd started throwing hundreds of gigabytes of files with names like yarn-avatar-62582554 into /tmp, which filled up the entire disk and started crashing other services.
@prologic@twtxt.net Inspect? What’s sift? What would you like to know about the files?
@prologic@twtxt.net 10 Gbytes has accumulated since I made that last post. It’s coming in at a rate of 55 Mbits/second!
@prologic@twtxt.net I think there’s more to it than that. I’ve updated, yet hundreds of gigabytes of junk is still accumulating.
@prologic@twtxt.net I’m still getting this crap:
abucci@buc:~/yarnd/yarn$ ls -lh /tmp/yarnd-avatar-*
-rw------- 1 abucci abucci 863M Jul 25 14:19 /tmp/yarnd-avatar-1594499680
-rw------- 1 abucci abucci 7.8G Jul 25 14:19 /tmp/yarnd-avatar-2144295337
-rw------- 1 abucci abucci 9.8G Jul 25 14:19 /tmp/yarnd-avatar-2334738193
-rw------- 1 abucci abucci 10G Jul 25 14:14 /tmp/yarnd-avatar-2494107777
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-2619243454
-rw------- 1 abucci abucci 11G Jul 25 14:04 /tmp/yarnd-avatar-2922187513
-rw------- 1 abucci abucci 7.5G Jul 25 14:14 /tmp/yarnd-avatar-349775570
-rw------- 1 abucci abucci 10G Jul 25 14:09 /tmp/yarnd-avatar-3640724243
-rw------- 1 abucci abucci 901M Jul 25 14:19 /tmp/yarnd-avatar-3921595598
-rw------- 1 abucci abucci 9.5G Jul 25 13:59 /tmp/yarnd-avatar-609094539
-rw------- 1 abucci abucci 9.3G Jul 25 14:04 /tmp/yarnd-avatar-755173392
-rw------- 1 abucci abucci 7.9G Jul 25 14:09 /tmp/yarnd-avatar-984061000
Something like 100 Gbytes of this junk has accumulated since I updated and re-started the server. I’m now running the latest version of yarnd, so the update did not fix the problem. Something else is going wrong.
How are temporary files growing to 10 Gbytes in size? The name of the file is “yarn-avatar”, but why would avatars be so large?
@prologic@twtxt.net Alright, running yarnd 0.15.1 now. I stopped my hack so we’ll see if the VPS gets clogged with junk
abucci@buc:~/yarnd/yarn$ make preflight
Checking Go version ... [ ERR ]
Go 1.16+ is required, found go1.22.5
FATAL: preflight failed
make: *** [Makefile:33: preflight] Error 1
@prologic@twtxt.net Aha, got it. Thanks for looking into it. I’m updating now and we’ll see if that stops it.
@stigatle@yarn.stigatle.no Works now! 🥳
@prologic@twtxt.net Sure, but why would this start happening all of a sudden today? Nothing like this has happened before. Is this a known bug?
@prologic@twtxt.net 0.15.1, looks like.
@bender@twtxt.net I hope so too. I’ve never seen anything like this before. Whatever it is, it’s strange.
@prologic@twtxt.net This is weird, but today, out of nowhere, yarnd filled up the disk on the VPS where I run it. It’s never done anything like this before and I have no idea why it would start. But it threw almost 700 Gbytes of data into /tmp in files like this:
164 files. Some are empty, some are 7 or even 10 Gbyte.
Any idea what would cause that? And why now, after running yarnd for so long with nothing like this happening?
@lyse@lyse.isobeef.org I bet it was! These kinds of sunset shots (with colorful delicious clouds in motion… etc) have always been candy to my eyes. And I know for a fact that the real thing usually looks ten folds better than in pictures (at least in the ones I used to take). Thank you for sharing these!
(I don’t really trust Android, though, and I suspect that apps can still install background services that are always active. Pure speculation and paranoid on my part, but still.)
Which is fair, but I would say the GrapheneOS devs in particular are also quite paranoid about this stuff and go to great pains to make sure this stuff can be controlled by the user.
@prologic@twtxt.net Yeah that is probably what was happening. I wish that go build could embed the values that go install does.
@abucci@anthony.buc.ci i love this talk
@movq@www.uninformativ.de This outage did affect me, though not much, via the university where my wife teaches and where I teach sometimes. They actually sent out an alert in their emergency alert system (the one they use to alert people of extreme weather events and bomb threats, mostly), telling people that all IT systems were down.
A friend of mine elsewhere pointed out that they pushed this change on a Friday, which of course no software developer with any experience would ever, ever, ever do. I have to assume there’s some toxic management at CrowdStrike, but who knows. Even more reasons to sympathize with the poor folks who are probably going to be working nights and weekends to clean up this mess.
@prologic@twtxt.net One of these days I’ll turn off registrations
@movq@www.uninformativ.de Somewhere or another, I think in a William Byrd talk, I heard it suggested that the best ideas in computer science should fit on an index card (ah yes it’s this one: https://paperswelove.org/2017/video/will-byrd-most-beautiful-program/ ). He was referring to the basic principles of LISP/the lambda calculus, which have sometimes been called the Maxwell’s equations of computer programming (by Alan Kay). Simple, short, elegant, but very densely packed with meaning—generations of people have spent their whole careers unpacking what those simple rules can do.
Much of modern software feels like the polar opposite of that. Not only can you not write it on an index card, you never will be able to because people who write software don’t seem to aspire to try. I wish more people thought this way though!
@New_scientist@feeds.twtxt.net It’s insane that a single botched software update can have worldwide impact. We’ve messed up badly.
@prologic@twtxt.net LOL Thanks to you, even I started using signal.
@movq@www.uninformativ.de TBH I don’t like Matrix… It feels a bit messy, my conversations and servers I join tend to get mangled, some stuff tend to have some sub-stuff… etc. I don’t hate it though, because I know I may have been using it wrong.
But hey, have you ever tried Databag ? Your family might get a better user experience with this one.
@movq@www.uninformativ.de Don’t give up.
What about Signal? I’ve had great success with this, friends, family, neighbors. They get it. It works. I don’t have to worry about it too much.
@xuu@txt.sour.is I have a theory as to why your pod was misbehaving too. I think because of the way you were building it docker build without any --build-arg VERSION= or --build-arg COMMIT= there was no version information in the built binary and bundled assets. Therefore cache busting would not work as expected. When introducing htmx and hyperscript to create a UI/UX SPA-like experience, this is when things fell apart a bit for you. I think….
@hecanjog@hecanjog.com Enjoy it while it lasts… it’s been hot as hell in here in the last couple of days.
@johanbove@johanbove.info Did they produce a new season or you’re just catching up with the old ones? It has been ages since the last time I’ve watched any of it.
@prologic@twtxt.net hey testing a rebuild of yarnd
Hello @hoorydrotrult@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ✨ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome!
@prologic@twtxt.net Well ain’t that grand? I’ll get it updated.
By the way, @xuu@txt.sour.is, it looks like you’re running an old, buggy version of yarnd, that duplicates twts in the feed on edit.
@prologic@twtxt.net Hmm, yeah, hmm, I’m not sure. It all appears very subjective to me. Is 2k lines of code a lot or not?
I mean, I’m all for reducing complexity. I just have a hard time defining it and arguing about it. What I call “too complex”, others might think of as “just fine”.
@abucci@anthony.buc.ci Oh hey!
Hello @safeenakhan@anthony.buc.ci, welcome to Buccipod, a Yarn.social Pod! To get started you may want to check out the pod’s Discover feed to find users to follow and interact with. To follow new users, use the ✨ Follow button on their profile page or use the Follow form and enter a Twtxt URL. You may also find other feeds of interest via Feeds. Welcome!
@prologic@twtxt.net I don’t know if there is/will be a Crowdsec bouncer to handle something like that.
@eldersnake@we.loveprivacy.club how many browsers are out there, that use a unique “engine”? There seems to be quite a few: https://en.m.wikipedia.org/wiki/Comparison_of_browser_engines. Sure, another one won’t hurt. Would I use it? Probably not.
@eldersnake@we.loveprivacy.club That’s actually awesome! Happy seeing the pace at which it’s starting to pick up momentum as far as getting more eyes on the project, especially after the “Ladybird Browser Initiative” announcement, that surely got a lot more people talking.
@Prologic@twtxt.net No, haven’t had the need to. We’re sticking to trusted and true over latest and sleekest in this project. Perhaps next year.
@mckinley@twtxt.net I must admit I was tempted to use EndeavourOS for an install on a HTPC (N97 mini PC) when it arrives to quickly get up and running, but then again I haven’t done a fresh install of Arch in quite a while so it sounds like things have simplified even more since then. Hmm…
@prx@si3t.ch A banger!
@bender@twtxt.net YES! They’ll be sucking on a 1000GB Lollipop per request! I bet their VPS providers will be happy! VERY happy!