
I found a way to escape their shell (so you can run whatever you want) if you're not verified; it involves multiple steps to achieve this. I mailed them twice at their membership address, but as of today no reaction. I also asked in their IRC.

Just a question to HN: should I wait more, try again? Or should I simply publish the vulnerabilities somewhere? If yes, where? It's the first time I've found a vulnerability on my own, so I'm not sure how to deal with that.


You shall wait. It's a volunteer powered system and while the ops are silent and terse in their mails, they're nice people.

Their plate is already quite full and they operate a whole universe of services, so cut them some slack.

It's not an ordinary service which is exposed to the internet trying to turn a profit. They run SDF, two Mastodon instances, a mail server, a Git server, and are trying to salvage/keep alive a living computer museum (SDF Vintage Systems), etc. etc.


I get that it's a volunteer system, but having donated for 2 years to help support their Lemmy instance, it's frustrating that it's been down for 2 weeks without much of an update, just a hint that "there's a good chance" it will come back. To me that seems like a lack of transparency, not terseness. How much disk space is it using? Maybe others in the community could help? How can they if they don't respond to emails? It was a nice thing while it lasted, but for federated social media, that kind of downtime hurts communities the most.

Their notification says they're out of disk for Lemmy. For my part, I sent them $50 for more.

I agree with you that the social downtime is bad. People just won't use the service.


I tried signing up to their Mastodon three times and just never received the email accepting me. It's a shame because I wanted to be part of their community.

Unless things have changed recently (last year or so), the SDF Mastodon servers are really slow and terrible at federating. They even had an incident where the servers failed, everyone lost their posts and had to start over again. Downtime was terrible.

SDF welcomed everyone openly during the initial Mastodon waves, so it was all very Eternal September.

If you're joining to make a spare account to participate with SDF people, awesome! But if you want it as your identity for all of Fedi, I think that would be a bad experience. I ended up getting my own MastoHost account for a while and it was a vastly better experience, until I burned out on Fedi.

SDF is a super fun place to experiment with Gopher though. I absolutely recommend getting your own Gopherhole on SDF. It's like the old Geocities days but in ASCII. (And make sure you grab Lagrange as your GUI Gopher / Gemini client. I liked Phetch as my terminal Gopher client.)


The performance hit was due to database work they were doing on the instance. Now it's a lot faster. The latest announcement reads as follows:

    We've completed our first phase of database clean up, thank you for your patience.  The impact on performance was heavy, but it was a necessary step.  All active users and their posts, profile, connections and media will be migrated to the new servers.  Once that has been completed, any remaining data will stay online for further migration and clean up.  Our instance is nearly 10 years old of constant daily operation, but we ran into a migration wall which held us back on 4.1.x.  Now that it is deprecated, we will do our best to jump to the latest version rather than migrate through.  Your support and patience has been greatly appreciated.

Which one? There are two instances, one for members, and one for everyone.

I didn't know there were two, so probably the one for everyone. Maybe I should join and try the other one.

Don't publish. You already notified them, your shell escape isn't a big deal, publishing it will only be a pain for the volunteers running the service.

> your shell escape isn't a big deal

You can't have it both ways: if it's not a big deal, then he can publish it.

If you say "Don't publish", then you acknowledge that it's a big deal.

I say to GP: "Congrats on finding a shell escape, it's always a big deal. But don't publish it... Yet".

Give them a chance to fix it. But if they don't even answer the emails, even just saying: "thx we're busy we can't fix right now but will do", then at some point you just publish.

It doesn't take long to answer an email saying "thanks, we'll fix it eventually".


"We'll fix it eventually" is not good enough. If a human can find a flaw, then a bot can find the same flaw, and the bots are always watching and always testing. If someone can't commit to immediate security response when running a public-facing internet service then they should not be running that service, because the rest of the internet will not forgive them when their machine gets popped and becomes everyone else's problem.

If they can't commit to a hard timeline of less than a few days, then publish. What happens next is not your fault - it was inevitable anyway.

Edit for clarity: This is just in general, not specifically SDF or small orgs or large orgs. The internet does not care about the difference. The internet just does not care period. Nobody is going to give anyone else any breaks, and especially not a botnet.


Definitely wait at least a few months if you've not already. There are legal risks with these kinds of things and some orgs move slowly.

I did it too, but TBH as I used small tools such as tcc, jimsh, eforth+muxleq, sacc, smu, catpoint+pointtools, compilers from https://t3x.org... I didn't care a lot about the rest; I'm pretty happy with my current account.

You can do a lot with S9 Scheme and the Unix API/syscalls it supports.


Can you share more detail on the exploit itself? Does the shell escape give you access to programs that require a paid account, or does the shell escape give you root access?

When escaping, you can invoke custom commands and binaries. If a tool is not available, just place it there (mail it to yourself, use zmodem, ...) and chmod it. But you have a disk quota of 20 MB, so you're limited as an unverified account.

But the whole thing is: if you can escape as a non-verified user, then you can mass-automate it to do DDoS etc...


Maybe try to fix it for them as soon as you have root access?

Shell escape != Unix account escape :-)

Oops, sorry, so it is not as bad as I imagined :) Is it just a way to have an unlimited account for free?

Just leave a note in root's motd.

I think you should create some visible but harmless nuisance using this shell escape, so that it's likely to get noticed, but doesn't damage anyone's valuable data.

Perhaps just run "bash -c 'stress --cpu 64 ; echo fix your shell escape'" or something like that.


Creating a nuisance is not a good way to go about it.

Some security practices sometimes feel like someone stabbing you just to prove you could be stabbed. Then they point at the wound and say: "See? You should be more careful."

Yes, the risk is real, but creating harm to demonstrate it isn't the same as protecting people.


Well, ruining everyone's day on that particular host is not a nice way to "bring this to attention".

If I ever experienced something like that, I'd be banning the person (or limiting their resources drastically) for 60 to 90 days to bring the impact of this matter to their attention.

Anything affecting users on a system is not harmless.


Yeah, software protection was very naive in the beginning. Fun fact: I owned a Windows 3.11 for Workgroups UPGRADE disc collection; it was clearly explained and also enforced by the setup installer. So, no previously installed Win 3.0 == upgrade installer will fail. The fix: just create an empty text file named win.com anywhere; the installer simply scans the WHOLE disk for this existing filename. Next fun fact: in reality, the Upgrade contained the full installation, not only a delta. Man, software was so simple in those days....


I have a childhood memory of my dad buying a shrink-wrapped copy of the Windows 3.1 Upgrade that was supposed to allow any installation of "3.0 or earlier" to become Win 3.1. It turned out when we actually tried it, it only accepted 3.x though. [1]

I think he ended up pirating a 3.x install from a friend and running the upgrade on top of that; felt pretty morally clear given what the box had advertised.

[1]: e.g. https://www.ebay.com/itm/376080245422


Love the eBay link. Where has that been sitting for the last 30 years?


Right?? Even if it's potentially a re-shrink, just the box period still existing in that condition is notable, especially for such a "plain" design; it's not like the full-colour Windows 95 ones for which there are probably thousands of unopened copies sitting in collectors' vaults.


http://loncar.de/en/

Minimalistic Style :-)


Last year, I wrote a small monad mini-framework for myself, focusing only on the Result type itself. I planned to publish it, but I think today is a good day. Here we go: https://codeberg.org/Arakis/Result


My thoughts:

- Allow enter/leave Driver mode even while sound is playing

- Hide the "tab to minimize" after several seconds

- Allow customizing the pattern. Now it's a hard-coded Perlin noise animation; before it was a blank white/black screen without texture.

- Cannot enter an email address to unlock the private beta while sound is active (chars get deleted while typing).

- Loses focus rapidly on a multi-monitor setup, even when not touching the browser. It seems it's sensitive to focus/unfocus events, not sure what the exact cause is. PS: Regular fullscreen videos from, for example, YouTube never lose fullscreen with my browser.

- Fullscreen does not fill the whole screen; there's a black border left and right. It seems you're animating a square, not the full landscape rectangle.

- The jump from gain 1 to gain 2 is quite big, so I have to reduce the volume on the system sound, which is quite annoying, since it's then for all browser tabs / even the whole system, depending on mixer settings.

And several more bugs, I do not remember them all.

One important question that comes to mind all the time: Is this project vibe coded? Don't get me wrong, I also started vibe coding my projects, but it seems there's a little mess in the code (without looking into the obfuscated code).


This is awesome feedback, thank you. Some of this I have been trying to dial in, and I just pushed an update to almost everything you mentioned:

Fixes Deployed:

Ghost Typing: You were spot on. I was defining the modal inside the main render loop. Moved it out, so the input is stable now.

Audio Focus: Removed the visibilitychange listener. It should now persist on multi-monitor setups without cutting out.

Texture Toggle: Added a specific button to toggle between "Neural Grain" (noise) and "Pure Light" (solid strobe) so you can customize the pattern.

Volume Taper: Switched the gain slider to logarithmic scaling so the jump from 0-10% isn't deafening.

UI Clutter: The "Tap to Minimize" overlay now fades out automatically after 3 seconds.

On Vibe Coding... guilty as charged.

This project evolved rapidly from a hacky passion project to help myself focus, into an attempt to build something worth sharing with others. I built the initial engine to prioritize the DSP/audio math, and the React architecture definitely suffered.

Would love to know if the multi-monitor issue is resolved on your end now.


This problem is not limited to Latin America or physics alone - it also affects regions such as Africa. For example, many students at universities in Senegal do not find employment after graduating. Some drop out earlier once they realize their prospects are slim, while others try their luck in Western countries.


But 400..700 ms latency is quite high, so this is maybe also a sign that there is a problem.


The question is, what can we do? I always try to search for books, internet articles or even YouTube music published before 2022, but I cannot stay with old history stuff forever.



Where did they get the data from, are there any universal data catalogues?


One that I know of is https://timetree.org/

