Oddbean new post about | logout
James | 1 years ago (raw) | root | parent | reply | flag 
 @86242b72 
They still think it's nothing.

"We know about these. We have mitigations planned. We don’t think they’re cause for huge alarm."

https://news.ycombinator.com/item?id=37517842
Jason Parker (he/they) | 1 years ago (raw) | root | parent | reply | flag 
 @73b17510 Jake Gold @ Bluesky commented there about my first email to them.

He is accurate on the timing (received Friday, acknowledged Tuesday, separate discussion about documentation Wednesday), but he's being very misleading when he talks about the severity.  More specifically, my email had nothing whatsoever to do with the vulnerability I disclosed a few days ago -- my email was about a trivially abused DDoS that was fixed after being reported a month later -- see: https://github.com/bluesky-social/atproto/pull/1313
Jason Parker (he/they) | 1 years ago (raw) | root | parent | reply | flag 
 @73b17510 I'll also say as an aside that the test posts I made to demonstrate that particular flaw are still there.

It takes 43 seconds for one user to load that one post.  I don't even want to know what that's doing to various backend systems and how it scales with more views.

https://cdn.fosstodon.org/media_attachments/files/111/072/894/597/608/838/original/2ab5f91548bb08bc.png