[seblon]

I found a way to escape their shell (so you can run whatever you want), if you're not verified, it involves multiple steps to archive this. I mailed them 2x to their membership address, but since today no reaction. I asked also in their IRC.

Just a question to HN: should I wait more, try again? Or should I simply publish the vulnerabilities somewhere? If yes, where? It's my first time that I found a vulnerability at my own, not sure how to deal with that.

[bayindirh]

You shall wait. It's a volunteer powered system and while the ops are silent and terse in their mails, they're nice people.

Their plate is already quite full and they operate a whole universe of services, so cut them some slack.

It's not an ordinary service which is exposed to internet trying to turn a profit. They run SDF, two Mastodon instances, a mail server, a Git server, trying to salvage/keep alive living computer museum (SDF Vintage Systems), etc. etc.

[bezier-curve]

I get that it's a volunteer system, but having donated for 2 years to help support their Lemmy instance, it's frustrating it's been down for 2 weeks without much of an update, just a hint "there's a good chance" it will come back. To me that seems lacking of transparency, not terse. How much disk space is it using? Maybe others in the community could help? How can they if they don't respond to emails? It was a nice thing while it lasted, but for federated social media, that kind of downtime hurts communities the most.

[beej71]

Their notification says they're out of disk for Lemmy. For my part, I sent them $50 for more.

I agree with you that the social downtime is bad. People just won't use the service.

[dwedge]

I tried signing up to their mastodon three times and just never received the email accepting me. It's a shame because I wanted to be part of their community

[SyneRyder]

Unless things have changed recently (last year or so), the SDF Mastodon servers are really slow and terrible at federating. They even had an incident where the servers failed, everyone lost their posts and had to start over again. Downtime was terrible.

SDF welcomed everyone openly during the initial Mastodon waves, so it was all very Eternal September.

If you're joining to make a spare account to participate with SDF people, awesome! But if you want it as your identity for all of Fedi, I think that would be a bad experience. I ended up getting my own MastoHost account for a while and it was a vastly better experience, until I burned out on Fedi.

SDF is a super fun place to experiment with Gopher though. I absolutely recommend getting your own Gopherhole on SDF. It's like the old Geocities days but in ASCII. (And make sure you grab Lagrange as your GUI Gopher / Gemini client. I liked Phetch as my terminal Gopher client.)

[bayindirh]

The performance hit was due to database work they were doing on the instance. Now it's a lot faster. The latest announcement reads as follows:

    We've completed our first phase of database clean up, thank you for your patience.  The impact on performance was heavy, but it was a necessary step.  All active users and their posts, profile, connections and media will be migrated to the new servers.  Once that has been completed, any remaining data will stay online for further migration and clean up.  Our instance is nearly 10 years old of constant daily operation, but we ran into a migration wall which held us back on 4.1.x.  Now that it is deprecated, we will do our best to jump to the latest version rather than migrate through.  Your support and patience has been greatly appreciated.

[bayindirh]

Which one? There are two instances, one for members, and one for everyone.

[dwedge]

I didn't know there were two, so probably the one for everyone. Maybe I should join and try the other one

[zorked]

Don't publish. You already notified them, your shell escape isn't a big deal, publishing it will only be a pain for the volunteers running the service.

[TacticalCoder]

> your shell escape isn't a big deal

You can't have it both ways: if it's not a big deal, then he can publish it.

If you say "Don't publish", then you acknowledge that it's a big deal.

I say to GP: "Congrats for finding a shell escape, it's always a big deal. But don't publish it... Yet".

Give them a chance to fix it. But it they don't even answer to the emails, even just saying: "thx we're busy we can't fix right now but will do", then at some point you just publish.

It doesn't take long to answer an email saying "thanks, we'll fix it eventually".

[Suzuran]

"We'll fix it eventually" is not good enough. If a human can find a flaw, then a bot can find the same flaw, and the bots are always watching and always testing. If someone can't commit to immediate security response when running a public-facing internet service then they should not be running that service, because the rest of the internet will not forgive them when their machine gets popped and becomes everyone else's problem.

If they can't commit to a hard timeline of less than a few days, then publish. What happens next is not your fault - it was inevitable anyway.

Edit for clarity: This is just in general, not specifically SDF or small orgs or large orgs. The internet does not care about the difference. The internet just does not care period. Nobody is going to give anyone else any breaks, and especially not a botnet.

[nabogh]

Definitely wait at least a few months if you've not already. There are legal risks with these kinds of things and some orgs move slowly.

[anthk]

I did it too but TBH as I used small tools such as tcc, jimsh, eforth+muxleq, sacc, smu, catpoint+pointtools, compilers from https://t3x.org... I didn't care a lot on the rest, I'm pretty happy with my current account.

You can do a lot with S9 Scheme and the Unix API/syscalls it supports.

[glitchc]

Can you share more detail on the exploit itself? Does the shell escape give you access to programs that require a paid account, or does the shell escape give you root access?

[seblon]

When escaping, you can invoke custom commands and binaries. If a tool is not available, just place them (mail yourself there, use zmodem, ...), via chmod. But you have a disk quota of 20mb, so you're limited as unverified account.

But the whole thing is: if you can escape as non verified user, than you can mass automate it to do ddos etc...

[pratyahava]

maybe try to fix it for them as soon as you have the root access?

[seblon]

Shell escape != Unix account escape :-)

[pratyahava]

oops, sorry, so it is not as bad as i imagined :) is it just a way to have an unlimited account for free?

[justsomehnguy]

Just leave a note in root's motd.

[aboardRat4]

I think you should create some visible but harmless nuisance using this shell escape, so that it's likely to get noticed, but doesn't damage anyone's valuable data.

Perhaps just run "bash -c 'stress --cpu 64 ; echo fix your shell escape'"l " or something like that.

[yashasolutions]

Creating a nuisance is not a good way to go about it.

Some security practices sometimes feels like someone stabbing you just to prove you could be stabbed. Then they point at the wound and say: "See? You should be more careful."

Yes, the risk is real, but creating harm to demonstrate it isnt the same as protecting people.

[bayindirh]

Well, ruining everyone's day on that particular host is not a nice way to "bring this to attention".

If I ever experienced something like that, I'd be banning the person (or limiting their resources drastically) for 60 to 90 days to bring the impact of this matter to their attention.

Anything affecting users on a system is not harmless.