Two factor authentication won’t help here. You have to build your app with the assumption that any attacker has a valid login and credentials and therefore restrict them to only information they have permission to see.

File uploads are encrypted in transit from the client to the server but not encrypted on the server.

Usually when people talk about e2e encrypted messaging they mean that everything is encrypted. That includes images and text content. The server should not be able to read any contents of any message sent through it.

Again this is a design choice I don’t want gifs.

Why? Sending memes is a core part of any social media experience.

There are filetype checks on line 350 of the app.

Line 350 in both files doesn’t seem to contain any filetype checks. I assume you mean file.content_type. That may not be accurate to the actual file uploaded; it can be spoofed.

Yes deleting is atomic.

        # Delete the associated message if it exists
        if chat_file.message_id:
            msg = db.get(Message, chat_file.message_id)
            if msg:
                db.delete(msg)
        ---> Here
        # Delete file from disk
        file_path = os.path.join(CHAT_FILES_DIR, file_uuid)
        if os.path.exists(file_path):
            os.remove(file_path)

If the application crashes/closes at the indicated point, then you will delete the message from the database but still have the image on the server. If this is an image served from /img/whatever, it would have no checks beyond a login check.

to the extent Tor is secure

Tor doesn’t automatically secure your app. If your social media instance has 1000 users on it, and one user gets compromised, then the other 999 users shouldn’t have any interactions outside of that user leaked.

web crypto can be utilized for group and 1-1s for an additional layer of encryption

Are file uploads encrypted?

How would you ever discover a filename?

Maybe you have a data leak. Maybe they send the filename in plaintext somewhere. Maybe they take advantage of the fact that UUIDs might be deterministic. But if I may flip the question… Why does an inaccessible post even need to return 403 anyway? It just functions as a big footgun that may cause any other exploits to behave worse.

Even if you have the correct link, if those two conditions arnt satisfied you will not be able to view.

But you can determine its existence or not through the status code.

This was a design choice to have consistency in filetypes. What’s the downside? All browsers will support displaying a jpg.

Gifs will lose any animation, pngs will lose quality. Also, as far as I can tell, there’s nothing stopping a malicious user uploading a non-image file.

Which part are you talking about?

There are two steps to making a post: Upload and store the image and add the post to the database. There’s also similar steps to deleting a post: Removing the image upload and removing the post from the database. Are both these operations atomic?

Everything except the login page, registration link will behind these two checks see (def login) where the @loginrequired logic is defined for each of the app routes.

It’s not that hard for a sufficiently motivated adversary to get an account on a sufficiently large instance. You need to ensure that one user account being compromised doesn’t result in information leakage from unrelated accounts.

This discussion stems from issues I found in just one function. You’re making a product which requires a very high level of security. You need to understand how to write secure code, and your LLM won’t be able to do it for you.

I don’t want to discourage you from programming in general, but making a very secure social media site is a rather complex undertaking for someone new to programming.

1. You list “Activist/journalist secure communication” as a use case. Not all countries have freedom of press.

2. Looks like you name images based on a random uuid, so that should protect against filename attacks. But if you do have a filename you can tell whether the image has been an image or not.

Also, looks like all uploads are converted to jpg, regardless as to whether the original image was a jpg (or even an image) or not. Don’t do that.

3. Can you point to where in code this invariant is enforced?

I watched a streamer play it. It seemed more about laughing at nonsense the AI came up with rather than genuine attempts at realistic conversation.

We had been chatting about these Gen AI survey findings and wondered out loud how it would be a good use of Gen AI if [eu5] asked you about your experiences with other specific 4X/Grand Strategy titles and dynamically generated a short tailored guide and tutorial for the new mechanics based on your existing knowledge

This is a terrible use for genAI. There’s like 4 major 4X games out there that payers have likely played, and it shouldn’t take that long to curate a tutorial for each. And you really don’t want the bullshitting machine telling your player about mechanics.

The GenAI hype is so bad that even an article saying that over 80% of people hate it has to squeak in some shilling.

Why not?

You say you’re not the sharpest tool in the shed, but I think gamedev is a good way to learn a variety of skills. And doing it as a hobby takes a lot of pressure off and allows you to take things at your own pace.

Had a quick skim and found this little guy:

# ---------- Protected media route ----------
@app.route('/img/<path:name>')
@login_required
def media(name):
    db = SessionLocal()
    try:
        me = current_user(db)
        # Find the post with this image
        post = db.query(Post).filter_by(image_path=name).first()
        if post:
            # Check visibility
            can_view = post.user_id == me.id or db.query(UserVisibility).filter_by(
                owner_id=post.user_id, viewer_id=me.id
            ).first() is not None
            if not can_view:
                abort(403)
        return send_from_directory(UPLOAD_DIR, os.path.basename(name))
    finally:
        db.close()

I’ve not read through everything, but there are some security concerns that jump out to me from just this function. Hopefully you can enlighten me on them.

Firstly, what is stopping a logged in user from accessing any image that, for whatever reason, doesn’t have an associated post for it?

Secondly, the return codes for “the image doesn’t exist” (404) and “the image exists but you can’t access it” (403) look to be different. This means that a logged in user can check whether a given filename (e.g. “epstien_and_trump_cuddling.jpg”) has been uploaded or not by any user.

Both of these look to be pretty bad security issues, especially for a project touting its ability to protect from nationstates. Am I missing something?

The move to storing everything in /usr/bin rather than /bin etc? I think it actually makes things more compatible, since if you’re a program looking for something you don’t need to care whether the specific distro decided it should go in /usr/bin or /bin.

Is it clickbait titles that don’t want to say what the article is about?

(It’s deceitful probabilities in lootbox drop rates, for anyone wondering)

Yeah, that’s the same vibe I got…

I get that sometimes it’s not possible to return luggage for a number of reasons. But why sell it rather than donating it to charity?

I used to work as a software dev before mass layoffs got me. Our work was technical enough that most of us used Linux to the point that finding a Windows user to test things was a real problem.

There’s tons of backup solutions out there. Why should selfhosters buy a proprietary one?

Most applications that are Electron either only support Windows or also want to support Android, iOS and Web. I assume there is some toolkit out there that supports everything, but honestly HTML5 is more well known and tested.

For the swap space, yes that’s for when you run out of RAM. 48GiB is plenty of RAM, so you should be fine without it. I have 32GiB of RAM on my system and have been running without swap for ages without issue.

Hardening guides like that are mostly designed for things like web servers which are connected to the public internet and need higher scrutiny. The default configuration for distros like Mint should be secure enough for the average user.

However, don’t feel invincible and run random code from random sites. Both Windows and Linux can’t protect you against malicious code you run yourself.

Having organised partitions is the kind of thing that people obsessed with organisation do. For most people, the default partitioning scheme is fine. However, as always, remember to keep backups of important data.

For installing software, Mint has a Software Centre (which is distinct from the Snap Store). I’d recommend installing software using that for the average user.

In Mint, there are three main types of packages:

• Debian/APT packages, which are provided by Mint (well, technically by the Debian distro and they trickle down to Mint, but technicalities). Not all software is available from Mint’s repos and they may be out of date.
• Flatpak packages, which are provided either by developers themselves or dedicated fans. They are usually more up to date and have a degree of sandboxing.
• Snap packages, which are controlled by a company named Canonical. As of late, Canonical has been a bit “ehhhh”, so there’s pushback against Snap. Mint has it disabled and has their reasoning explained here: https://linuxmint-user-guide.readthedocs.io/en/latest/snap.html

Mint’s software centre is able to install both Debian and Flatpak packages. I’d recommend using it where possible since it allows automatic upgrades and easier installation/uninstallation.

Who is this “we”?

There is no need to be diplomatic against those that exploit and harm the livelihoods of the people in this community.

“It’s just horror, bro” with the same kind of energy as “it’s just a prank, bro”.

I’ve not played the game, but “person riding another person in horse gear” is absolutely a fetish thing, intentional or otherwise.

I think it absolutely would fall afoul of kiddie porn laws. Honestly, I think any depiction of a child in proximity to nudity probably would count.

Just have replaceable Li-ion batteries.

“We don’t need a red crayon, we need another yellow one instead. Can you change?”

It’s easy to get fame as a programmer: Just make a popular open source project and you’ll be surrounded by people angry at you for not doing enough upaid work on it.

It’s open source. If 32 bit support is important enough, people can fork and maintain it.