Jerry on PieFed

@ Jerry @feddit.online

Posts
25
Comments
133
Joined
1 yr. ago

Just a techie guy running feddit.online to allow people to communicate, make friends and acquaintances. Odd coming from a happy introvert, right? (https://jerry.hear-me.blog/about)

I also own these publicly available applications:
Mastodon: https://hear-me.social/
Alternative Mastodon UI: https://phanpy.hear-me.social/
Peertube: https://my-sunshine.video/
Friendica: https://my-place.social/
Matrix: https://element.secure-channel.net/
XMPP/Jabber: https://between-us.online/
Bluesky PDS: https://blue-ocean.social/ (jerry.blue-ocean.social)
Mobilizon (Facebook Events Alt): https://my-group.events/
and more...

  • @rimu@piefed.social But the logins from Voyager are returning 400 (Bad Request), although the username and password are correct, and to me, the request looks good.

    I posted what is coming into the server. The only anomaly I saw was that the session cookie referrer seemed odd. Can you look at the request I posted? Do you see any reason it would be seen as a bad request?

    The odd thing is that while I get an error 95% of the time trying to log into Voyager, twice it did let me log in. I don't know what was different about those 2 times.

    Nothing gets logged to syslog, any nginx logs, pyfedi.log, or journalctl.

  • Nope. I posted below what is coming into the server. The only thing I can think of is that the referrer is coming in as https://localhost/inbox which might explain the 400 error (Bad Request). Does your nginx configuration drop incoming cookies for the login endpoint?

  • Help me here. I'm not an expert. Here is the request going into the server. The error code is 400 (Bad Request)

    @x..@x..
    18:24:10.580462 IP 127.0.0.1.49126 > 127.0.0.1.5000: Flags [P.], seq 5107:5771, ack 1755, win 8143, options [nop,nop,TS val 1081650450 ecr 1081650382], length 664
    E....3@.@...............kz.....n...........
    @x..@x..POST /api/alpha/user/login HTTP/1.1
    X-Forwarded-For: 162.120.199.186, 172.70.111.121
    X-Forwarded-Proto: https
    Host: feddit.online
    Content-Length: 56
    accept-language: en-US,en;q=0.5
    content-type: application/json
    accept-encoding: gzip, br
    cf-ray: 9c85ae25b9720f65-EWR
    user-agent: Dalvik/2.1.0 (Linux; U; Android 16; Pixel 10 Pro XL Build/BP4A.260105.004.E1)
    cdn-loop: cloudflare; loops=1
    cf-connecting-ip: 162.120.199.186
    cf-ipcountry: US
    cf-visitor: {"scheme":"https"}
    cookie: session=eyJSZWZlcmVyIjoiaHR0cHM6Ly9sb2NhbGhvc3QvaW5ib3giLCJfZnJlc2giOmZhbHNlfQ.aYJgEQ.nMo4SDt0iKOrzFvSItQuquLp4qo

    {"password":"<hidden>","username":"testuser"}
    18:24:10.584409 IP 127.0.0.1.49120 > 127.0.0.1.5000: Flags [P.], seq 8671:10383, ack 2866, win 22123, options [nop,nop,TS val 1081650454 ecr 1081650338], length 1712
    E.....@.@.CB.............BO.+Ngj..Vk.......

    The session string is: eyJSZWZlcmVyIjoiaHR0cHM6Ly9sb2NhbGhvc3QvaW5ib3giLCJfZnJlc2giOmZhbHNlfQ
    This decodes to a referrer of: https://localhost/inbox

    I wonder if this is the issue. Will Piefed accept a session claiming to be from localhost? Will it see this as a potential attack or misconfiguration? Should I reconfigure nginx to drop incoming cookies for the login endpoint?

    I'm grasping at straws.
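
    Decoding the cookie from the capture above, as an added example that is not PieFed's code. It assumes the cookie is a Flask session cookie signed with itsdangerous (the three dot-separated segments and the Flask-Login `_fresh` key in the payload point that way): the first segment is URL-safe base64 JSON (zlib-compressed and prefixed with a dot when large), the second is the issue timestamp, and the third is an HMAC that only the server's SECRET_KEY can check. The decoder reads the first two and leaves the signature unverified.

```python
"""Read the payload and timestamp of a Flask/itsdangerous session cookie.

Added example, not PieFed's own code. The payload is signed, not encrypted,
so anyone holding the cookie can read it; only the signature (third segment)
requires the server's SECRET_KEY, and this decoder does not verify it.
"""
import base64
import json
import zlib
from datetime import datetime, timezone

# Cookie value exactly as it appears in the tcpdump capture above.
CAPTURED_COOKIE = (
    "eyJSZWZlcmVyIjoiaHR0cHM6Ly9sb2NhbGhvc3QvaW5ib3giLCJfZnJlc2giOmZhbHNlfQ"
    ".aYJgEQ.nMo4SDt0iKOrzFvSItQuquLp4qo"
)


def _b64decode(segment: str) -> bytes:
    """itsdangerous strips '=' padding from URL-safe base64; restore it first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_session_cookie(cookie: str) -> dict:
    """Return payload, issue time and (unverified) signature of a session cookie."""
    payload_b64, ts_b64, signature = cookie.rsplit(".", 2)

    # itsdangerous marks a zlib-compressed payload with a leading '.'
    compressed = payload_b64.startswith(".")
    if compressed:
        payload_b64 = payload_b64[1:]
    raw = _b64decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)

    # The timestamp segment is the big-endian bytes of a Unix time, base64-encoded.
    issued_at = int.from_bytes(_b64decode(ts_b64), "big")
    return {
        "payload": json.loads(raw),
        "issued_at": issued_at,
        "issued_utc": datetime.fromtimestamp(issued_at, tz=timezone.utc),
        "signature": signature,  # not verified: needs the server's SECRET_KEY
    }


if __name__ == "__main__":
    decoded = decode_session_cookie(CAPTURED_COOKIE)
    print("payload  :", decoded["payload"])
    print("issued   :", decoded["issued_utc"].isoformat())
    print("signature:", decoded["signature"], "(unverified)")
```

    Two caveats for the debugging in this thread: because the payload is readable, nothing secret belongs in a Flask session, only references to server-side state; and Flask's default session interface reacts to a cookie whose signature does not match (for example one minted under a different SECRET_KEY) by starting an empty session, not by returning an error, so a stale or foreign cookie on its own would not be expected to explain a 400.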

  • Very odd thing. Sometimes I am able to log in via Voyager. Mostly not.

    At one point I put a space after the user name, and then it logged me in. Once I didn't, and it logged me in. But it isn't consistent. The server is complaining that there's a problem in the request format. I don't see anything different that allowed the login those 2 times.

  • The Cloudflare WAF log shows that it allowed the login request to go through. I'll have to look more this evening.

  • I have to look again because it was a while ago, but I do block some user agent strings, but if I'm blocking Voyager this way, I really screwed up.

    Another possibility is that Cloudflare is presenting a managed challenge during sign up.

  • This is helpful. Thanks.

    Can you share the curl command? Seems like something worth keeping in my notes and will help me in looking more closely at the firewall rules.

  • I used to be able to log in via Voyager. I don't know what changed. I get a message that Voyager doesn't support signups via Piefed. Is this what you see?

    I'll have to look at this tonight. Maybe it's a firewall issue? Rimu, @rimu@piefed.social, any suggestions on where to start?

  • I knew someone was going to bring this up. So read this:

    https://medium.com/@ovenplayer/does-proton-really-support-trump-a-deeper-analysis-and-surprising-findings-aed4fee4305e

    Small piece from the article:

    Under Yen’s leadership, Proton donates a sizeable amount of cash, and the benefactors are easy to find since non-profits must disclose donations. In total, I’ve identified over 30 organizations that received grants from Proton, and you can find a partial list here. Interestingly, they also made a few donations not publicized on that page (one was to a Hong Kong democracy org, which might explain why it was hidden).

    Findings:

      • Not a single organization has ties to Republicans or conservatives.
      • Many of them are known to be liberal, for example, Access Now and Fight for the Future in the US.
      • There were at least 10 that also received funding from Soros’ Open Society Foundations.

    In my research, I discovered that under Andy’s leadership, Proton has a giving pattern similar to George Soros, one of the Democratic Party’s mega-donors.

    Also, look who's getting the next round of financing from Proton: https://proton.me/blog/2025-lifetime-account-charity-fundraiser

    He's not a tankie. He's very liberal. There's no evidence he ever supported Republicans, let alone Trump.

  • Always getting better, by leaps and bounds. Thank you, devs, for all the hard work and great ideas!

  • I get a gateway error. I'm in the U.S.

  • Another reason to use a VPN

  • This is definitely the best protection. If the provider drops you, you move your domain to another provider. But, as far as I know, while almost all email providers will host your personal domain, none that I know of will do it on the free plans. But your email is your identity. You should be willing to pay for it, especially if you host it on a provider that otherwise won't make any money on you.

    There are a couple of downsides. If you forget, or are unable, to renew your domain, you lose it and your emails. Make sure another family member or friend can pay the renewal for you if, for some reason, you cannot.

    While your own domain makes it far less likely that your email will be canceled (because you can move it), abuse of your domain can result in your losing your domain name and your email, especially before it has earned a reputation.

    Which brings up another IMPORTANT point. If you use your own domain name, then you must set up your DNS records to protect your domain from spoofers and spammers so it doesn't get blacklisted or, worse, doesn't cause cancellation of your domain name. Scammers and spammers WILL try to send email using your domain name. You need to tell email clients to toss these rogue emails and give them the means to determine spoofing and unauthorized use. Read this: https://www.valimail.com/blog/dmarc-dkim-spf-explained/

    Also, be aware that SpamAssassin considers .com, .net, and .org TLDs to be far safer than .world, .online, .blog, and most others. Using one of these newer TLDs results in a higher spam score, and your email is more likely to end up in the spam folder if it reaches the magic score of 5. A new age TLD can add as much as 1 point to the spam calculation depending on the email provider receiving your email.

    So your own domain name is safer but costs money and requires more work.
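
    The SPF and DMARC records the comment above says a personal domain must publish can be sanity-checked before they go live. The following is an added example, not code from PieFed or from the linked article; the record strings in it are constructed for illustration, and on a real domain you would read the live values with `dig TXT example.com` and `dig TXT _dmarc.example.com`. It flags the settings that leave a domain open to spoofing (`+all`, a missing `all` term, `p=none`, no reporting address) and the 10-lookup limit that makes receivers give up on an over-long SPF record.

```python
"""Offline checker for the SPF and DMARC TXT records of a personal mail domain.

Added example, not part of PieFed or of the article the comment links to.
Records are passed in as strings so it runs without DNS access.
"""

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows per record.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _term_name(term: str) -> str:
    """'include:_spf.x' -> 'include', 'a/24' -> 'a', 'redirect=_spf.x' -> 'redirect'."""
    term = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term.lower()


def check_spf(txt: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it looks sound."""
    findings = []
    if not txt.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell your mail servers from a spoofer's"]
    terms = txt.split()[1:]

    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup-causing terms; receivers stop after 10 (permerror)")

    all_terms = [t for t in terms if _term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of a fail")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # RFC default qualifier is '+'
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the Internet to send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
        # '-all' (fail) and '~all' (softfail) are the settings you actually want.
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[str]:
    """Return findings for the _dmarc TXT record; an empty list means it looks sound."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown or missing policy p={policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports of spoofing attempts")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    # Constructed records: one sound pair and one weak pair.
    for record in ("v=spf1 include:_spf.mail-host.example -all", "v=spf1 +all"):
        print(record, "->", check_spf(record) or "ok")
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "v=DMARC1; p=none"):
        print(record, "->", check_dmarc(record) or "ok")
```

    DKIM is deliberately left out: its record is a public key, and the useful check there is that the selector your provider signs with actually resolves, which needs a live lookup rather than string inspection.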

  • https://hear-me.social/ is one possibility. It has the added benefit of a 12,000-character posting size as well, especially nice if the 500-character limit at .social was frustrating.

  • I asked Gemini Pro whether the thorn character messes an LLM up. If anyone is interested, here's the answer. The short answer is it makes it harder for humans to read the text, but LLMs are not bothered by it. So, those who are using the thorn character for "th" believing that it breaks AI are not achieving anything and are just being annoying.

    Gemini Pro's response: (Note that as I write this in PieFed, the thorn character is being converted to "th" and so you will have to convert it back in your brain.)

    The belief that using the character "þ" (Thorn) "messes with" LLM training has gained some traction in privacy-focused and "anti-AI" circles. Here is a breakdown of the technical reality behind that claim.

    1. The Theory: Disrupting Tokenization

    Large Language Models don't read words; they read tokens (numerical representations of character clusters).

    Common Tokens: In standard English, the word "the" is one of the most common tokens. It is highly optimized, and the model "understands" it perfectly.

    The "Thorn" Hack: If you replace "the" with "þe," you force the model's tokenizer to handle a rare character. Because þ is uncommon in English training data, the tokenizer might break "þe" into two separate, rare tokens (the byte for þ and the letter "e"). Proponents believe this makes the text "invisible" or "garbage" to the model, preventing it from learning from the content or correctly categorizing it.

    2. Does it actually work? (Mostly No)

    While the idea is clever, it is generally ineffective against modern, high-scale LLMs for several reasons:

    Multilingual Training: Most modern models are trained on massive multilingual datasets. Icelandic uses þ as a standard letter. Therefore, the models already have þ in their vocabulary and have seen it millions of times.

    Byte-Level Tokenization: Modern tokenizers (using Byte Pair Encoding or BPE) are designed to handle any Unicode character by falling back to its raw bytes. They don't "break" when they see an unfamiliar symbol; they just process it as a less-common sequence.

    Contextual Mapping: LLMs are excellent at pattern recognition. If a model sees a sentence like "þe cat sat on þe mat," it can easily infer from the context that "þe" serves the exact same linguistic function as "the."

    3. The "Glitch Token" Phenomenon

    There is a grain of truth to the "glitching" idea. In the past, certain rare characters or specific strings (often called "glitch tokens") were included in a model's vocabulary but appeared so rarely in the training data that their "embedding" (the model's understanding of them) was never properly trained.

    When a model encounters a true glitch token, it can sometimes "hallucinate" or produce nonsensical output. However, þ is a standard UTF-8 character and is too common globally to act as a true glitch token for most general-purpose models.

    Summary

    Using þ is more of a digital protest or a linguistic "speed bump" than a functional way to break an AI. It might make your text harder for a simple keyword-search bot to find, but for a modern LLM, it’s just a slightly "noisy" version of English that we can still read and understand quite easily.

  • Today I Learned @lemmy.world

    TIL that in 1820 some 20,000 pigs roamed NYC to clean up the streets

    www.nypl.org/blog/2024/07/17/views-digital-collection-milestones-nycs-trash-revolution

  • startpage.com blocking VPN?

  • I deleted what I wrote before. If it federated, ignore it.

    Your browser is trying to find startpage.com on your local machine instead of the Internet.

    While on the VPN, open a command window and ping startpage.com. Does it return localhost or the real IP address? If it returns the real IP address, then the problem is related to the browser. Try another browser to see if it's Vivaldi-related.

    If it returns localhost then maybe it's a setting in protonVPN?

    This is strange. Just try to find clues.

  • startpage.com blocking VPN?

  • I'd ask for a refund.

  • Today I Learned (TIL) @lemmy.ca

    TIL the guillotine was named after a man who neither invented it nor believed in the death penalty

  • Today I Learned @lemmy.world

    TIL the Guillotine was named after a man who neither invented it nor believed in the death penalty

  • Cybersecurity @sh.itjust.works

    AI hacking. Downloading images can allow your computer to be hijacked

  • Cybersecurity @sh.itjust.works

    My Pixel 10 warned me 8 times in 30-minutes that there was a rogue connection made. Deeply concerning

  • Facepalm @lemmy.world

    Hackers got Clorox passwords by simply asking for them?

  • Facepalm @lemmy.wtf

    Chicago Sun-Times Ripped For AI Summer Reading List - Comic Sands

    www.comicsands.com/sun-times-ai-list

  • Facepalm @lemmy.world

    Chicago Sun-Times Ripped For AI Summer Reading List - Comic Sands

    www.comicsands.com/sun-times-ai-list

  • Privacy @lemmy.world

    Big win for States, and you, for stopping corporations who violate state privacy laws

  • Fediverse @lemmy.world

    Short video that show what Friendica can do

  • Selfhosted @lemmy.world

    mysql or postgresql? Which is better for an Internet-facing application

  • Community Promo @lemmy.ca

    Antisocial Media

  • memes @lemmy.world

    The elf in the swamp

  • Technology @lemmy.world

    Digital Ocean's long outage on 28-Nov-2024 caused by a Network Solutions blunder they [NS] didn't know how to fix

  • memes @lemmy.world

    Schrödinger's Supermarket

  • memes @lemmy.world

    It could be worse

  • memes @lemmy.world

    This Building Looks Like It Was Designed In Microsoft Word

  • memes @lemmy.world

    Different perspectives on dogs

  • memes @lemmy.world

    Depends what you base it on

  • memes @lemmy.world

    Schrödinger's Code