this post was submitted on 10 Jul 2023
246 points (100.0% liked)

Beehaw Support

Hi Beeple!

Here's a vague version of events:

  • 11PM EST: Lemmy.world got hacked

  • 12:20AM EST: Blahaj.zone got hacked

  • 12:25AM EST: I shut down the server

  • 12:30AM EST: I make announcements to tell people about this

  • 12:45AM EST: I have an idea of what the problem is but there is no fix

  • 2:20AM EST: I go to sleep

  • 8:50AM EST: The server is booted back up, steps are applied to mitigate issues (Rotating JWTs, Clearing DB of the source of vulnerability, deleting custom emoji), UI is updated with the fix, CSP and other security options are applied

  • 11:40AM EST: We start testing things to make sure they are working. And well, now here we are.

If you have issues logging in or using an app:

  1. Log out if you somehow are still logged in

  2. Clear all cache, site data, etc.

  3. Hard refresh Beehaw using CTRL+F5

  4. Log back in.

If you still have issues, write to us at [email protected]

To be clear: We have not been hacked as far as we know, we were completely unaffected. This was done preemptively.

Oh yeah, in case you haven't, this is a good opportunity and reminder to follow us on Mastodon as the communication line was still up despite Beehaw being down: https://hachyderm.io/@beehaw

top 50 comments
[–] [email protected] 44 points 1 year ago

Huge props for being one of the few major instances to preemptively shut down!

[–] [email protected] 29 points 1 year ago

shutting down the server early was best. the nature of open source software is what allows these incidents to be mitigated as quickly as they are. thanks a lot to you guys, and to all of the team at Lemmy who worked to resolve this.

heroes <3

[–] [email protected] 16 points 1 year ago

Glad it's back up. I went outside. It was hot af and boring.

[–] [email protected] 13 points 1 year ago

Thank you for shutting down rather than "wait and see"! It was the right choice.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

huge Ws, excellent work

also, thanks for the Mastodon link, i wasn't sure where to check on beehaw status during the outage

[–] [email protected] 12 points 1 year ago

This is why I am on Beehaw. The Admins really care about the Instance and the content on it.

That's why I want to bring attention to the fact that you can support them. https://opencollective.com/beehaw

I am not an Admin, Mod or anything else. I just really like Beehaw and support them. And you should too.

[–] [email protected] 12 points 1 year ago (2 children)

The shutdown is a good call given the circumstances.

An idea of less-radical preventive action is placing the instance in read-only mode, either as a Lemmy feature, or through reverse proxy settings (eg reply 503 for any POST/PUT/DELETE request). But that'd require some development and/or preparation.

Doing that on the reverse proxy side would block any user-submitted content and more (logins, searches, ...). This would hopefully be efficient at blocking many attack vectors, while still keeping the instance partially online, even if that's a degraded mode.

[–] [email protected] 8 points 1 year ago

Note that if this were a Lemmy feature, if we had been infected, an admin could've gotten hacked and as a result, disabled that feature. I'm not really sure what can be done to make Beehaw foolproof. That said, the UI has since been hardened by CSP headers so this type of attack should no longer be possible.

[–] [email protected] 6 points 1 year ago

Would read-only mode help with XSS exploits though, like this particular one? Since the "damage was already done" by the time anybody noticed, wouldn't putting the site in read-only mode still have kept serving up the XSS payload? It'd stop "infected" people from making any state mutations on Lemmy, but eg. data exfiltration would still happen

[–] [email protected] 8 points 1 year ago (1 children)

12:30AM EST: I make announcements to tell people about this

I think it'd be beneficial to have more backup lines of communication for announcements than just Mastodon.

[–] [email protected] 14 points 1 year ago (2 children)

We have Discord and Matrix channels as well. Do you have anything to suggest?

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

Something like status-page is always nice. I haven't used it but it looks like https://cachethq.io/ could be a decent fit as well.

[–] [email protected] 3 points 1 year ago (7 children)

Just something Google-friendly.

[–] [email protected] 4 points 1 year ago (1 children)
[–] [email protected] 3 points 1 year ago (1 children)

I'll be blunt and say that unless you were already in-the-know, Beehaw pretty much ceased to exist when the server was shut down. Not the best result amidst a hacking scare.

[–] [email protected] 9 points 1 year ago (11 children)

Much preferable to the announcement of "Beehaw was hacked and lost your user credentials". Security trumps convenience.

[–] [email protected] 8 points 1 year ago

morning thought: I've definitely joined the right instance. (also the start from the assumption of good faith guidelines linked to in Gaywallet's recent post)

[–] [email protected] 7 points 1 year ago

Awesome response, and a great succinct postmortem. Thanks for doing what you do!

[–] [email protected] 6 points 1 year ago

Good work.

Have a non custom beer 🍻

[–] [email protected] 5 points 1 year ago (1 children)

Content-Security-Policy will really help save your ~~bacon~~ beans and protect against XSS. Hopefully the Lemmy devs can apply a super strict policy to help. IMHO it's a must for any site with user generated content.

[–] [email protected] 3 points 1 year ago

This is what this PR has done as I understand it: https://github.com/LemmyNet/lemmy-ui/pull/1907

[–] [email protected] 5 points 1 year ago

Amazing job! This is not easy to go, given that you're working with an immature product and a changing landscape.

[–] [email protected] 5 points 1 year ago

Awesome work sidestepping the hack.

[–] [email protected] 4 points 1 year ago

Thank you for all you do, from what I was hearing I was in no way expecting you to have the site back up within 12 hours. Many kudos.

[–] [email protected] 3 points 1 year ago (2 children)

Agree with everyone else. Thanks for shutting it down.

I'll most likely do it anyway, but do you think password changes are necessary at this point?

[–] [email protected] 4 points 1 year ago (2 children)

To add onto what @Lionir said, you'll never be wrong to change your password, even if much like in this case it isn't warranted. For future reference, my recommendation is "if you have to ask, rotate your password." Finding out later you didn't have to is so much better than finding out later you should have.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

I disagree - rotating passwords comes at a cost especially for people who don't use a good password manager (and that is basically everyone). It's security theatre and generally creates distrust between people offering security advice and the people who (hopefully) are listening.

There are times when it should be done, but don't do it without a reason.

[–] [email protected] 3 points 1 year ago (2 children)

I don't think this is necessary.

We had no messages on our database that had the vulnerability though some were federated from blahaj in the aftermath. The JWT, which is your session token, was changed as well so it seems very unlikely to me that this needs to be changed. There's no reason to believe the attack could've given access to passwords.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

I don’t think this is necessary.

I'd add that it's basically useless. From what I've seen, resetting your password doesn't even invalidate previously issued JWT tokens, which would be the only reason to do it. But of course, you've already reset them all and so has lemmy.world.

[–] [email protected] 3 points 1 year ago

A password reset probably should invalidate all previous JWT tokens.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (8 children)

We had no messages on our database that had the vulnerability

This is interesting. I actually commented about the use of emojis/emotes a couple days ago on a post on [email protected] made by a federated user from lemmy.one, that has since been removed (😕), but I still have the bookmarked comment in which I copied the raw embed for the remote emote image in the federated comment I was responding to.

Do I understand it correctly that the latest fixes to stop the code injection will still allow remote image embedding, so something like an "emote picker extension to embed animated GIFs from a remote server and/or remote instance's emoji list" would still be doable and wouldn't pose any risk?

Or would such picker still have to include measures to prevent offering embeds with potential exploits?

[–] [email protected] 3 points 1 year ago

Your work is greatly appreciated! Also happy to know that you got some sleep, very important for the process ☺

[–] [email protected] 3 points 1 year ago

Welcome Back 🤗
