  • 4 Posts
  • 326 Comments
Joined 1 year ago
Cake day: June 2nd, 2023
  • First, don’t stress over it. Most instances are not strict on only federating with guaranteed instances. Most do not auto-sync with Fediseer at all, and the ones that do are more likely to only be syncing censures (when other instances are reporting the instance as problematic).

    To get guaranteed on Fediseer, you need another instance to guarantee you. If you start your instance, hang out in the spam defense chat, and are generally sensible with your instance, then you’ll find someone willing to do it no problem. Guarantees are not a huge risk to an instance since they can also be revoked at any time. If someone guarantees you then you start being a dick, they can just remove your guarantee. So it’s not a big decision, people will be happy to guarantee someone who seems reasonable.

  • Technically it is still there. However, when a user is banned, you can also choose to remove their content. You could choose not to, but then what’s the point in automatically banning a spam account if you have to go and remove the spam posts yourself?

    If you choose to remove them all, and you accidentally hit a real user, you’ll remove all their posts and comments. Lemmy doesn’t provide an easy way to restore the content. And although there are automated solutions, you come to the next problem of knowing which posts to restore. Many posts were removed by mods of communities, many were removed by the user themselves. You don’t want to restore those items, instead you need to remember which you removed and restore only those ones - this is different functionality to Lemmy’s option to remove all their content.

    This actually exists in some form, there is an AutoMod that keeps a log of removed content for banned users and allows a restore of that content. So it’s a solved problem, just would need a similar solution to be built for a ban list.

    One thing you’ll learn quickly is that Lemmy is version 0 for a reason.


  • This makes me think that we should maintain a community curated blocklist in, for example, a Git repository.

    There would be a few problems I can think of with this approach. The first one is who controls it? Whoever that is, you haven’t solved the issue because now, instead of only the instance with the user being able to federate the ban, only the maintainer of the git repo can update the ban list.

    If you have many people able to update the repo, then the issue becomes a question of how do you trust all these people to never, ever, ever get it wrong? If you ban a user and opt to remove all their content (which you should, with spam), then if you are automating this you end up with the issue of if anyone screws up then how do you get someone’s account unbanned on all those instances? How do you get all their content restored, which is a separate thing, and Lemmy currently provides no good way to do this? How do you ensure there are no malicious people with control of the repo but also have enough instances involved to make it worthwhile?

    There is a chat room where instance admins share details of spam accounts, and it’s about the best we have for Lemmy at the moment (it works quite well, really, because everyone can be instantly notified but also make their own decisions about who to ban or if something is spam or allowed on their instance - because it’s pretty common that things are not black and white).

    I would honestly have expected something like this to already exist. I think it’s partly the purpose of Fediseer, but I’m not completely sure.

    Fediseer has a similar purpose but it’s a little different. So far we have been talking about spam accounts set up on various instances, and the time it takes for those mods and admins to remove the spam. But what happens if instead of someone setting up a spam account on an existing instance, they instead create their own instance purely for spamming other instances?

    Fediseer provides a web of trust. An instance receives a guarantee from another instance. That instance then guarantees another instance. It creates a web of trust starting from some known good instances. Then if you wish you can choose to have your lemmy instance only federate with instances that have been guaranteed by another instance. Spam instances can’t guarantee each other, because they need an instance that is already part of the web to guarantee them, and instances won’t do that because they risk their own place in the web if they falsely guarantee another instance (say, if one instance keeps guaranteeing new instances that turn out to be spam, they will quickly lose their own guarantee).

    Fediseer actually goes further than this, allowing instances to endorse or censure other instances and you can set up your instance to only federate with instances that haven’t been censured or defederate from instances that others have censured for specific reasons (e.g. “hate speech”, “racism”, etc).

    It’s quite a cool tool but doesn’t help the original discussion issue of spam accounts being set up on legitimate instances.
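    As an added illustration of the guarantee chain and censure filter described in this comment (this is not Fediseer’s code; the instance names, edges and censure reasons are constructed), a small model showing that a spam pair guaranteeing each other never enters the web, that a single bad guarantee pulls the whole chain in, and that revoking the upstream guarantee drops the chain again:

```python
# Toy model of a Fediseer-style guarantee web. Added example, not Fediseer's
# own code; all instance names and edges below are constructed.
from collections import deque

# Constructed guarantee graph: guarantor -> set of instances it guarantees.
# "root.example" stands in for a known-good seed instance.
GUARANTEES = {
    "root.example": {"alpha.example", "beta.example"},
    "alpha.example": {"gamma.example"},
    # Two spam instances guaranteeing each other, with no edge from the web.
    "spam1.example": {"spam2.example"},
    "spam2.example": {"spam1.example"},
}
ROOTS = {"root.example"}


def guaranteed_set(guarantees, roots):
    """Instances reachable from the trusted seeds via guarantee edges (BFS)."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        guarantor = queue.popleft()
        for inst in guarantees.get(guarantor, ()):
            if inst not in seen:
                seen.add(inst)
                queue.append(inst)
    return seen


def with_guarantee(guarantees, guarantor, guaranteed, present=True):
    """Return a copy of the graph with one guarantee added (or revoked)."""
    new = {k: set(v) for k, v in guarantees.items()}
    edges = new.setdefault(guarantor, set())
    if present:
        edges.add(guaranteed)
    else:
        edges.discard(guaranteed)
    return new


def federation_allowlist(guarantees, roots, censures, blocked_reasons):
    """Guaranteed instances, minus any censured for a reason this admin acts on."""
    return {
        inst for inst in guaranteed_set(guarantees, roots)
        if not (censures.get(inst, set()) & blocked_reasons)
    }
```

Calling `with_guarantee(GUARANTEES, "gamma.example", "spam1.example")` pulls both spam instances into the web, and revoking alpha’s guarantee of gamma afterwards removes gamma and everything downstream of it in one step.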


  • It’s pretty random outside the Russian misinformation sites (which I haven’t seen in a while, but they probably got better at hiding).

    It’s hard to give you a link because mods or admins remove the posts or ban the accounts pretty quick most of the time. But there is a new spam account at least every day (I can think of at least two today. Edit: 4). They come in waves so sometimes there are a whole bunch.

    That’s probably another thing you need to know. I’m on Lemmy.nz, you’re on sh.it.works. If some new spam account signs up on Lemmy.world and posts to lemm.ee, then if it’s removed by an admin on your instance it is only removed for people on your instance. Everyone else still sees it, as your instance is not hosting either the community or the user so it can’t federate out anything to deal with it. The lemm.ee instance could remove the post or comment with the spam in a way that federates out to other instances, but can’t ban the user except for on their instance. Only the Lemmy.world instance can ban the user in a way that federates out to other instances. This is something you’ll get a better understanding of over time.

    Lemmy.world has a lot of help so they don’t have issues, but often the spam will come from obscure instances while the admin is asleep and there is no backup, so every other instance has to remove the spam for their own instance. Then you have to work out how to mitigate that for your own instance when you are asleep. Most admins are pretty understanding that this is a hobby and don’t expect everyone to be immediately available, but if you have open registrations then you are likely to be targeted more and need a better plan.


  • I will add that if you have open registrations you will be a target for spam and trolls, and if you don’t take quick action then some other instances are likely to defederate from your instance.

    This depends on the instance, some will have a low tolerance and defederate pretty quickly, some instances will defederate temporarily until the spammers or trolls move to a different instance, and some won’t care. But you likely won’t know it’s happened unless you notice you aren’t getting content from that instance anymore.

    One other thing is that if you’re going to run an instance and aren’t already on Matrix, make an account. It’s how instance admins tend to keep in contact with each other.


  • I can see both angles of this. Especially since the original disclosure didn’t have the full detail of how it could be exploited to access company systems, and they (the writeup author) never disclosed that update.

    You can see how a large company (Zendesk) could miss this in the multitude of people trying to claim bug bounties. I fully believe that had they understood the issue they should have fixed it, since it’s within their power and basically a service to their clients. But I can understand how the limited detail in the original disclosure demonstrated a much lower level risk than the end exploit that was never reported.



  • They aren’t trying to actually send from that email, they are trying to create an Apple ID that lets them log in using that email effectively as a username. And Slack will add people to the internal Slack if the email is a company email address.

    To open that account, they need to prove to Apple they own the account. They sign up with Apple and say their email address is [email protected], then Apple sends them a code to verify it’s their email.

    They can’t actually receive the verification email, because it’s not their email. That’s where the exploit comes in. It’s very important that this email address is the one that forwards emails to Zendesk. The verification email from Apple goes to Zendesk, then they use the exploit to see the history of the Zendesk ticket, which includes the verification code.



  • Dave@lemmy.nz (OP) to Selfhosted@lemmy.world · Thoughts on HumHub? · 1 month ago

    For the wiki option, perhaps the wiki is just where the posts are made then you share the link in a chat app or something. Then the reactions could be in the chat app?

    Or for the HumHub or Zusam options, maybe you could add the reactions/gifycat integration. The platforms seem like they would work well with them if someone would just contribute that functionality.


  • Dave@lemmy.nz (OP) to Selfhosted@lemmy.world · Thoughts on HumHub? · 1 month ago

    See, I don’t believe this. It’s possible the project would die, but so often have popular projects lost their maintainers, and new people step in. They fork it, or have a peaceful transition of ownership, but the project carries on.

    With Zusam, I don’t think it’s got that much of a following yet. I haven’t heard of anyone on a self-hosted forum actually using it. Plus current development is slow (last release almost a year ago), so I do think it would die if the dev abandoned it.

    Yeah, that was an interesting avenue; I suspect the user client experience will be where that fails for me. It can’t require any technical expertise.

    I’m thinking that most of the non-technical people would be reading only, so it might be ok.

    At this point I’m thinking of setting up a HumHub, a wiki (maybe Dokuwiki), and Zusam, and getting some of my most interested people in as a trial and see which one they prefer.

    None of these options have emoji reactions or gifycat integration, though.


  • Dave@lemmy.nz (OP) to Selfhosted@lemmy.world · Thoughts on HumHub? · 1 month ago

    I think largely we are aligned on what we are looking for in a platform. The private blog idea is interesting. I normally consider blogs as public, are there private blog platforms?

    So much of PhotoPrism is built on free libraries; the project uses something like 120 OSS libraries. How much of their income do you think they contribute to those projects whose work they’re taking advantage of?

    I don’t see it like that. OSS is people releasing their work allowing it to be used commercially without limitation (other , it’s what they wanted when they picked the licence, or they would have picked a different one.

    Actually, I don’t have any issue with anyone charging for their software, either; it’s just that I won’t use it, and I don’t trust quasi-free projects. That’s just from experience. Most end badly, either by being bought out and going totally commercial, or just slow enshittification for the non-paying customers.

    On the other hand, projects die when the maintainers lose interest. I would like a platform that I know is going to stick around. That’s a difficult ask though, if it’s a company like HumHub, it’s very possible if the company goes under it will just die. On the other hand, something like Zusam, if the maintainer loses interest it will likely also die. It would be nice to have some confidence in the longevity of the platform before diving full steam onto it. But I guess at this point, finding something that works is hard enough, without worrying about that!

    I do have reservations about HumHub, but it’s the first platform I’ve seen that even comes close to being a familiar feel for users. I’m considering the other idea of using Dokuwiki as well, which I guess comes in as being more similar to your blogging idea.


  • Dave@lemmy.nz (OP) to Selfhosted@lemmy.world · Thoughts on HumHub? · 1 month ago

    Ah, I don’t have that many extensions in Mediawiki so I have probably had a smoother experience than you.

    Thanks for describing your wiki setup. Being able to look back at all your events in a sort of giant scrapbook must be awesome. I’m not quite sure it will do the job I’m looking for, but I really like the idea so I think I’ll have a deeper play.

    Having non-technical users doesn’t mean it won’t work for us, because I’m sure they can read even if they can’t edit, and that’s mostly what they would be doing with any solution. Looks like there’s also an Android app.