Because it is transparently obvious that it’s going to happen.
If you’re sending your users’ private statuses to an ActivityPub server, and just hoping that it’s going to choose to keep them private according to certain parameters even though that’s not what the spec says it needs to do, then you’re fucking up. The fact that we know that particular instances of particular software are exposing them is a nice demonstration of the harm, a confirmation that you’re fucking up when you’re doing that, but it’s not really needed. It is the absolutely predictable result of some basic principles of security which, as a security researcher, you should absolutely be aware of.
I’ve repeatedly explained this. You’ve repeatedly explained your position. We’ve both had our say. You seem addicted to the concept of “winning” the conversation and wanting to just go back and forth. In that case I would really encourage you to state your position again, and I can state mine again, and we can both have fun doing that for a while. Want to? It sounds like a productive use of both of our time. It’s fun, too.
Edit: Actually, I didn’t even realize you are on fedia.io when I was typing this. You can test for yourself whether mbin does this, too, by coordinating with @Irelephant@lemm.ee. Follow his user, then have him post one of those private statuses, then fetch his user profile via fedia.io from an incognito window and see whether the private statuses show up. I have no idea whether they will, but if I had to guess, I would say it’s better than even odds.
You could’ve saved yourself a lot of typing there by just admitting to claiming things you actually didn’t know.