77 comments

[ 5.1 ms ] story [ 169 ms ] thread
just throwing out there that ActivityPub has been given Recommendation status at the W3C (what is a recommendation? https://www.w3.org/standards/)

ATProto is a NIH reinvention of the wheel by a "public benefit LLC" of unclear ownership* that has demonstrated time and again its unwillingness to take a seat at the table within a group like the W3C or the IETF in protocol development.

What is ActivityPub, you may ask? https://en.wikipedia.org/wiki/ActivityPub

* EDIT: I completely missed there was Bluesky $8M seed round in July, lol. It's now a public benefit C Corp whatever that means.

https://techcrunch.com/2023/07/05/bluesky-announces-its-8m-s...

"Public benefit" is simply a marketing term when applied to a private for-profit corporation. It operates like any other company, with an extra line in its mission statement that it will operate for the public good. What does that mean? Nothing. Who enforces it? No one.
[flagged]
a belated congrats on the fundraising round.
Is this really the best way for you to represent your company?
I think it's going to be the people leading the next social media company that will make it succeed.

From what I've seen on HN & Twitter from the Bluesky team, it does not inspire any confidence that they would be any better than what we have today.

maybe @dang should get some YC funding to start something inspired by HN...?

not really how i would post on articles about my work
Bruv. Snark is not cool here and you're in the big-chair. Get good.
Jeremie and Bryan, at least, have interacted (and at least Jeremie has drafted multiple RFCs) with the IETF.

Current mailing list items specific to bluesky

https://mailarchive.ietf.org/arch/search/?q=bluesky&qdr=y

(comment deleted)
ActivityPub is fine as long as you're okay with a specific server owning your account and all your data. Many people just want that not to be the case.
(comment deleted)
I can’t be the only one who finds a lot of these new federated social networks to be a bit fishy… the whole idea is really great but bluesky & now metas “threads” are really only pseudo-federated. They both claim the future option to choose your instance but by default you start out on their centralized instance. This feels like a predatory tactic to be able to control the average user who doesn’t care about the value of decentralized networks.
I have a bluesky account but I am not active..yet - are a lot of people active? I need some people from HN to follow...anyone?
(comment deleted)
If you send me an invite, I pinky promise I will post something interesting and we can have a HN clique of at least 2. =D Email: {HNusername}@live.com
Not OP, but I have an extra - I emailed it to you.
Thank you kind soul! Unfortunately, I found out that mailbox is full. Thanks microsoft...

If you happen to see this, please check my profile for a working email!

Of course, I messaged you at your profile email address.
I'm not there I'd take an invite
I've got a few extra, happy to send you one. What's the easiest way?
would be helpful if you can send me one : punitsethi AT gmail DOT com
I'm somewhat active on Bluesky. Managed to find a couple of people to follow and talk about video games. It's kinda nice.

(I have 3 invite codes available if people are still desperate for them)

Invite would be great if you still have one going; me at willboyce dot com, thanks.
Been there a few weeks, approx 600 followers. What’s your handle?
Most of the people in Norway I followed on Twitter did a mass exodus over there a month ago, and it seems to have gained critical mass in my circle, at least.

With Mastodon only a few people tried, and when it didn't get much traction they stopped posting there quickly.

There doesn't seem to be any response to this from the Blue Sky team so far.

I can't help but think that Jack doesn't believe in Blue Sky that much. From what I can find, he doesn't seem to participate or even have an account. Meanwhile, at least Elon and Mark both post regularly on their social media sites.

Jack moved on to Nostr.
While I’m guessing this is a joke, it would also be the most Jack thing ever if true.
It's not a joke.
He deleted his bluesky account sometime today
What’s the reason though, any idea?
He's been very vocal about disliking the average bluesky user. IIRC he's said they aren't accepting enough, there's more details somewehere on his nostr account.
This is because he talked about his admiration for RFK Jr. and got pushback.
these are pretty boring. we've been playing with them for months now. there was no response because people have beat the hell out of this particular horse already

if you consider it an exploit you should probably consider, say, github issues markdown to be exploitable

the tl;dr is the server shouldn't trust the client and the client shouldn't trust the server to supply accurate link cards or link metadata.

right now it's not a huge deal because there's only one instance and it is invite-only. consider it demo grade software.

> all media uploads live forever and are publicly retrievable even if you mark the associated post for deletion

I have no idea what this is referring to

hmmm, maybe i misunderstood. edited out
We used to retain post history, but that’s been removed with repo v3. We prioritized taking media down ages ago. If anything like that is still happening, it’d be CDN cache and I’d have to pester the backend team to make sure it’s being cleared in delete reliably
Is video happening soon? As someone mostly going viral 8n twitter with videoes, it's the one thing missing from completing my move. Still use bsky a lot to discuss, but to share my videoes embedded in Twitter gives much more traction than a YT link on bsky.
We know about these. We have mitigations planned. We don’t think they’re cause for huge alarm.

Bluesky posts have a rich text system, which means links in posts are similar to anchor tags. It’s not a markup; it’s a way to annotate slices of a string with facets such as links or bold or etc. This means you can linkify any text, thus the first concern raised. We intend to create an interstitial warning if the linkified text doesn’t show the domain clearly.

The posts also have an embed system for images, links, and other posts. We currently naively accept the link cards as published, and we need to stop doing that and fetch the link cards on read instead.

(comment deleted)
As someone who's been following development and the situation in general, I just thought I'd pop in to say "I second this" - which normally wouldn't be a very useful reply, but I think people are (rightfully) skeptical of first-party claims when it comes to the significance of security issues.
Paul, take a break and let your superiors answer for their design decisions.
afaik, Paul designed the rich text system.
And he works for people who run a centralized social network who pushed it into production.
And if they drop by, they could also address the poor handling of security reports as described in the fine article. Because if the only way to get a reply about security issues is to get it to the front page of HN, that's a sign to me that the security team, if there is one, is deeply underwater.
not to mention they hold onto your keys for you!
It's definitely a case for huge alarm.

Maybe not the vulns. But the interaction with a security researcher. Like this part: "Bluesky has responded to only one of these reports, one time, 4 days after submission, saying "We appreciate the report, and we'll be taking a closer look at the issue.". They did not follow up on that report and they have not responded to any of my other reports."

It shows all signs of a company without a working security process.

If a website accepts (safely sanitized) HTML input, and I report that it's a security issue that I'm allowed to post:

  <a href="https://evil.com/">good.com</a>
, how much of a response am I owed?

"Yes, thank you, we're aware" seems more than adequate to me. Engaging a full-blown vulnerability disclosure process for something like this seems like a waste of time for everyone involved.

I'm one of the engineers at Bluesky that handles incoming security reports. We of course do take reported security issues very seriously. We have worked positively with a number of researchers.

The initial email in this case was received on a Friday afternoon, reviewed briefly for severity, and then acknowledged on the following Tuesday. There was a reply from another engineer on Wednesday to a reply by the reporter.

But we certainly could have followed-up better, and we could have been more clear. We're a very small team and the severity was deemed low, but even so we'll try to do better in the future for similar cases.

We do want to handle these kinds of reports better than most companies do. Creating a safe and secure system for users (which include our own families and friends) is something the team very genuinely cares deeply about.

I'm the reporter of these (and other) issues and the author of the vuln repository this article links to.

While I appreciate your response, the accuracy of the timeline your provided (Wednesday's email was about documentation), and your comment that "[w]e do want to handle these kinds of reports better", I can't help but point out that even today, Bluesky still hasn't reached out to me about the specifics of these (and other...) vulnerabilities. Bryan Newbold did email me a week after this disclosure to answer a few questions, but it didn't address the vulnerabilities at all; I like Bryan -- the few discussions we've had have been positive -- but he isn't the person that should have emailed me.

Sidenode, https://bsky.app/profile/jacob.gold/post/3k7frqmvhft2b sure did seem personal. The timing suggests that it was made solely to mock the situation. (To be clear, I like and respect @retr0.id a lot; I've bounced some of my ideas off of him and he's the "second security researcher" I referred to in the vuln respository.)

This whole thing has put an extremely bad taste in my mouth.

I think it's better to just not allow custom text for links. It's the behavior people are accustomed to from years of using various social media platforms.
> fetch the link cards on read instead.

do you mean, hitting a site every time someone loads a post?

that's going to lead to some obvious issues with hammering sites

These aren't really "exploits" in the traditional sense, it's just misrepresenting a link card.
Agreed. You can do this on Slack, mostly.
I was rickrolled on Slack last year. Not cool..
If an exploit is used in a forest, and no one's around to hear it....
The biggest Bluesky exploit is not mentioned in the article, which is they hold your private keys.
Regarding the downvote. Am I wrong?
You've made your point; you don't need to keep posting the same thing. If the whole point of Bluesky is to be decentralized, should they have first released a centralized beta version? IMO no, but they had reasons that make sense. It looks like they are still planning to decentralize in good faith.
I understand what you're saying here.
Please take into account that Bluesky is still young and run by a small team which is moving fast. Ignoring a few reports that they consider non-critical is not a strong negative signal, especially not during a time of rapid growth and while they're in beta and invite-only. They just cracked the million users and are probably navigating through a lot of chaos on a daily basis. Those of us who've been in similar situations know that this is normal.