A small tool to view real-world ActivityPub objects as JSON! Enter a URL or username from Mastodon or a similar service below, and we'll send a request with the right Accept header to the server to view the underlying object.
{
"@context": [
"https://www.w3.org/ns/activitystreams",
{
"ostatus": "http://ostatus.org#",
"atomUri": "ostatus:atomUri",
"inReplyToAtomUri": "ostatus:inReplyToAtomUri",
"conversation": "ostatus:conversation",
"sensitive": "as:sensitive",
"toot": "http://joinmastodon.org/ns#",
"votersCount": "toot:votersCount",
"litepub": "http://litepub.social/ns#",
"directMessage": "litepub:directMessage",
"Hashtag": "as:Hashtag"
}
],
"id": "https://infosec.exchange/users/realn2s/statuses/111603524880422572",
"type": "Note",
"summary": null,
"inReplyTo": null,
"published": "2023-12-18T21:24:04Z",
"url": "https://infosec.exchange/@realn2s/111603524880422572",
"attributedTo": "https://infosec.exchange/users/realn2s",
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"cc": [
"https://infosec.exchange/users/realn2s/followers"
],
"sensitive": false,
"atomUri": "https://infosec.exchange/users/realn2s/statuses/111603524880422572",
"inReplyToAtomUri": null,
"conversation": "tag:infosec.exchange,2023-12-18:objectId=118774018:objectType=Conversation",
"content": "<p>I'm not sure if I get something wrong, but I think <a href=\"https://infosec.exchange/tags/Microsoft\" class=\"mention hashtag\" rel=\"tag\">#<span>Microsoft</span></a> <a href=\"https://infosec.exchange/tags/EntraID\" class=\"mention hashtag\" rel=\"tag\">#<span>EntraID</span></a> <a href=\"https://infosec.exchange/tags/Password\" class=\"mention hashtag\" rel=\"tag\">#<span>Password</span></a> Protection is complete rubbish. E.g. when ban weak passwords with the ominous 5 points rule the results seem to be completely arbitrary.</p><p>Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.</p><p>This leads to:<br />Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!</p><p>Not sure if this applies only to German dictionary words.</p><p>It gets even worse. Reading the documentation, I found \"Characters not allowed: Unicode characters\" WTF </p><p>Coming back to the weird point system. A banned password is not really banned, it gives you \"only\" 1 point (and you need five).</p><p>This leads to the question how many points do none-banned words give?</p><p>If you think it can't get worse, you're wrong! It looks like each character of a none-banned word gives one point. Meaning \"password1234\" is an accepted password. (1 point for password and 4 for each digit)</p><p>Or a real-life example: The <a href=\"https://infosec.exchange/tags/SolarWInds\" class=\"mention hashtag\" rel=\"tag\">#<span>SolarWInds</span></a> <a href=\"https://infosec.exchange/tags/SupplyChain\" class=\"mention hashtag\" rel=\"tag\">#<span>SupplyChain</span></a> attach which affected Microsoft, US government agency and countless other organizations worldwide, was cause by a weak FTP server password.<br />Namely \"solarwinds123\", which would be accepted by <a href=\"https://infosec.exchange/tags/EntraID\" class=\"mention hashtag\" rel=\"tag\">#<span>EntraID</span></a> <a href=\"https://infosec.exchange/tags/Password\" class=\"mention hashtag\" rel=\"tag\">#<span>Password</span></a> Protection (1 point each for \"solar\" and \"wind\", 3 points for the numbers. If \"solarwinds\" would be on the custom banned list, \"solarwind1234\" would have been enough.</p><p>And you can't do anything against it.</p><p>I actually hope that the documentation is somewhat wrong and that \"123\" is not 3 points but just 1 point, as they are consecutive numbers. But this would make it only marginal better (2023</p><p><a href=\"https://infosec.exchange/tags/Cybersecurity\" class=\"mention hashtag\" rel=\"tag\">#<span>Cybersecurity</span></a> <a href=\"https://infosec.exchange/tags/Fail\" class=\"mention hashtag\" rel=\"tag\">#<span>Fail</span></a> <a href=\"https://infosec.exchange/tags/SecurityFail\" class=\"mention hashtag\" rel=\"tag\">#<span>SecurityFail</span></a></p>",
"contentMap": {
"en": "<p>I'm not sure if I get something wrong, but I think <a href=\"https://infosec.exchange/tags/Microsoft\" class=\"mention hashtag\" rel=\"tag\">#<span>Microsoft</span></a> <a href=\"https://infosec.exchange/tags/EntraID\" class=\"mention hashtag\" rel=\"tag\">#<span>EntraID</span></a> <a href=\"https://infosec.exchange/tags/Password\" class=\"mention hashtag\" rel=\"tag\">#<span>Password</span></a> Protection is complete rubbish. E.g. when ban weak passwords with the ominous 5 points rule the results seem to be completely arbitrary.</p><p>Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.</p><p>This leads to:<br />Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!</p><p>Not sure if this applies only to German dictionary words.</p><p>It gets even worse. Reading the documentation, I found \"Characters not allowed: Unicode characters\" WTF </p><p>Coming back to the weird point system. A banned password is not really banned, it gives you \"only\" 1 point (and you need five).</p><p>This leads to the question how many points do none-banned words give?</p><p>If you think it can't get worse, you're wrong! It looks like each character of a none-banned word gives one point. Meaning \"password1234\" is an accepted password. (1 point for password and 4 for each digit)</p><p>Or a real-life example: The <a href=\"https://infosec.exchange/tags/SolarWInds\" class=\"mention hashtag\" rel=\"tag\">#<span>SolarWInds</span></a> <a href=\"https://infosec.exchange/tags/SupplyChain\" class=\"mention hashtag\" rel=\"tag\">#<span>SupplyChain</span></a> attach which affected Microsoft, US government agency and countless other organizations worldwide, was cause by a weak FTP server password.<br />Namely \"solarwinds123\", which would be accepted by <a href=\"https://infosec.exchange/tags/EntraID\" class=\"mention hashtag\" rel=\"tag\">#<span>EntraID</span></a> <a href=\"https://infosec.exchange/tags/Password\" class=\"mention hashtag\" rel=\"tag\">#<span>Password</span></a> Protection (1 point each for \"solar\" and \"wind\", 3 points for the numbers. If \"solarwinds\" would be on the custom banned list, \"solarwind1234\" would have been enough.</p><p>And you can't do anything against it.</p><p>I actually hope that the documentation is somewhat wrong and that \"123\" is not 3 points but just 1 point, as they are consecutive numbers. But this would make it only marginal better (2023</p><p><a href=\"https://infosec.exchange/tags/Cybersecurity\" class=\"mention hashtag\" rel=\"tag\">#<span>Cybersecurity</span></a> <a href=\"https://infosec.exchange/tags/Fail\" class=\"mention hashtag\" rel=\"tag\">#<span>Fail</span></a> <a href=\"https://infosec.exchange/tags/SecurityFail\" class=\"mention hashtag\" rel=\"tag\">#<span>SecurityFail</span></a></p>"
},
"updated": "2024-05-08T08:27:08Z",
"attachment": [],
"tag": [
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/entraid",
"name": "#entraid"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/microsoft",
"name": "#microsoft"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/password",
"name": "#password"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/cybersecurity",
"name": "#cybersecurity"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/fail",
"name": "#fail"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/securityfail",
"name": "#securityfail"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/solarwinds",
"name": "#solarwinds"
},
{
"type": "Hashtag",
"href": "https://infosec.exchange/tags/supplychain",
"name": "#supplychain"
}
],
"replies": {
"id": "https://infosec.exchange/users/realn2s/statuses/111603524880422572/replies",
"type": "Collection",
"first": {
"type": "CollectionPage",
"next": "https://infosec.exchange/users/realn2s/statuses/111603524880422572/replies?min_id=111603611961864032&page=true",
"partOf": "https://infosec.exchange/users/realn2s/statuses/111603524880422572/replies",
"items": [
"https://infosec.exchange/users/realn2s/statuses/111603611961864032"
]
}
},
"likes": {
"id": "https://infosec.exchange/users/realn2s/statuses/111603524880422572/likes",
"type": "Collection",
"totalItems": 3
},
"shares": {
"id": "https://infosec.exchange/users/realn2s/statuses/111603524880422572/shares",
"type": "Collection",
"totalItems": 1
}
}