~eb

Recent activity

Re: Ethical repository evaluation of SourceHut 1 year, 3 months ago

From Elliot Bräck to ~sircmpwn/sr.ht-discuss

On 1/25/20 6:20 PM, Drew DeVault wrote:
 > I have considered options like this, but the reality is that supporting
 > a large subset of the world's population is extremely difficult and time
 > consuming. It can take months of wading through regulatory problems for
 > *each* new country you want to accept payments from. I simply don't have
 > the time for it.
If you want to, you could take a third option and allow you to fund 
other people's accounts with your credit card. Then I could receive 
cash/local bank transfers/cryptocurrency/whatever and pay for them with 
my card.

Re: Ethical repository evaluation of SourceHut 1 year, 3 months ago

From Elliot Bräck to ~sircmpwn/sr.ht-discuss

(It seems like I'm not getting the e-mail from the mailing list, just 
from the issue tracker - do I need to set it up somewhere?)

 > No, but I might temporary ban certain exit nodes, or identify other
 > patterns from the attackers. I can't go into more detail here, security
 > by obscurity is a necessary tactic for dealing with this kind of abuse.
 >
 > I don't rely on monitoring to defend from SQLi, I am quite confident
 > that SourceHut is safe from it regardless. However, SQLi attempts are an
 > easy way to identify bad actors on the network. Again, not going to go
 > into much more detail here.
Well, if that's the case then that's the case. I must say that it's not 
a robust approach however, and it arguably isn't strictly required for 
the functioning of the service. Goodhart's law: whatever characteristic

Re: Ethical repository evaluation of SourceHut 1 year, 3 months ago

From Elliot Bräck to ~sircmpwn/sr.ht-discuss

A+1: You could log IP addresses in a masked format. This is also 
required by the GDPR, I think. I have never given my active, informed 
consent to having my IP stored. (Not doing this could potentially put 
you on the hook for a €20M fine, or require you to break requirements C2 
and C3)

The following protocol should be good enough, while not putting odious 
requirements:
1) Each week, generate a random salt with ID = year + week number
2) Hash the IP with the salt (possibly with a difficult hash that takes 
~1ms/evaluation or whatever)
3) Store salt ID and the first 12 bits of hash.

Then, whenever you want to ban an IP, you can still do this. Add the
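The three-step masking protocol from the message above, worked through as an added example; this is not code from the thread, from Elliot, or from SourceHut. Assumptions beyond the message: PBKDF2-HMAC-SHA256 stands in for the "difficult hash" (with 2,000 iterations as a constructed default to tune toward ~1 ms per evaluation), the salt ID is the ISO year and week number, the `IpMasker` class and its method names are invented here, and the addresses used are from documentation ranges.

```python
import datetime
import hashlib
import ipaddress
import os
from typing import Dict, Optional, Tuple

BUCKET_BITS = 12            # keep only the first 12 bits of the hash (4096 buckets)
SALT_BYTES = 16
DEFAULT_ITERATIONS = 2_000  # constructed default; tune so one mask() costs ~1 ms


def salt_id_for(day: datetime.date) -> str:
    """Salt identifier = ISO year + ISO week number, e.g. '2020-W04' (step 1)."""
    iso_year, iso_week, _ = day.isocalendar()
    return f"{iso_year}-W{iso_week:02d}"


class IpMasker:
    """One random salt per week; IPs are reduced to (salt_id, 12-bit bucket)."""

    def __init__(self, salts: Optional[Dict[str, bytes]] = None,
                 iterations: int = DEFAULT_ITERATIONS):
        # salts maps salt_id -> salt bytes. In a real deployment the salts live
        # in storage and are deleted once their retention period ends; passing
        # them in here only makes the example deterministic.
        self._salts: Dict[str, bytes] = dict(salts or {})
        self._iterations = iterations

    def salt_for(self, salt_id: str) -> bytes:
        """Return the week's salt, generating a fresh random one on first use."""
        if salt_id not in self._salts:
            self._salts[salt_id] = os.urandom(SALT_BYTES)
        return self._salts[salt_id]

    def forget_salt(self, salt_id: str) -> None:
        """Discard a week's salt: its records can then no longer be linked to IPs."""
        self._salts.pop(salt_id, None)

    def _bucket(self, ip: str, salt: bytes) -> int:
        # Canonical packed form so "::ffff:1.2.3.4" and "1.2.3.4" do not differ
        # by spelling; works for IPv4 and IPv6 alike.
        packed = ipaddress.ip_address(ip).packed
        # Step 2: slow salted hash so the mapping cannot be rebuilt cheaply.
        digest = hashlib.pbkdf2_hmac("sha256", packed, salt, self._iterations)
        # Step 3: the first 12 bits = top two bytes (big-endian) minus the low 4 bits.
        return int.from_bytes(digest[:2], "big") >> (16 - BUCKET_BITS)

    def mask(self, ip: str, day: Optional[datetime.date] = None) -> Tuple[str, int]:
        """What gets stored instead of the IP: (salt_id, 12-bit bucket)."""
        day = day or datetime.date.today()
        salt_id = salt_id_for(day)
        return salt_id, self._bucket(ip, self.salt_for(salt_id))

    def matches(self, ip: str, record: Tuple[str, int]) -> Optional[bool]:
        """Does `ip` fall into the bucket of a stored record (e.g. a ban entry)?

        Returns None when the record's salt has already been discarded.
        """
        salt_id, bucket = record
        if salt_id not in self._salts:
            return None
        return self._bucket(ip, self._salts[salt_id]) == bucket


if __name__ == "__main__":
    # Constructed sample: a log line's address is stored masked, then checked.
    masker = IpMasker()
    week = datetime.date(2020, 1, 25)
    stored = masker.mask("198.51.100.7", week)
    print("stored record:", stored)
    print("same address matches:", masker.matches("198.51.100.7", stored))
    print("other address matches:", masker.matches("203.0.113.9", stored))
    masker.forget_salt(stored[0])
    print("after salt deletion:", masker.matches("198.51.100.7", stored))
```

Two properties of the 12-bit truncation are worth keeping in mind when acting on a stored record: with 4096 buckets, about one in 4096 unrelated addresses shares a bucket with any given record, so a block keyed on a bucket can hit bystanders; and the IPv4 space is small enough to enumerate, so the slow hash only raises the cost of rebuilding the mapping while a salt is retained. Deleting the week's salt (`forget_salt`, after which `matches` returns `None`) is what makes older records unlinkable.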