Admiral Patrick

I’m surprisingly level-headed for being a walking knot of anxiety.

Ask me anything.

I also develop Tesseract UI for Lemmy/Sublinks

Avatar by @SatyrSack@feddit.org

  • 1 Post
  • 19 Comments
Joined 2 years ago
Cake day: June 6th, 2023



  • It’s been a long-running thing for blogspam to appear here. Usually admins will step in at some point and squash the accounts, but any time I see anything.blogspot.com as a post URL, I look at the account history and see if that’s all they’re posting. 9.9 times out of 10, that’s all they’re posting, and I ban them with content removal. Same for other sites that pop up out of nowhere that get spread from a brand new account.

    I have no idea what the objective is (SEO, ad views, etc), but it’s been a thing as long as I’ve been on Lemmy.

    Thanks for the list: some of those I had yet to ban.



  • If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.

    Tesseract dev here.

    For what it’s worth, I went back through and checked my DMs from “Nicole” and they’re all uploads directly to the home instance the DM came from (e.g. they went through pict-rs, and only the instance admins would be able to see the client IPs in their access logs). So, this doesn’t seem like a de-anonymization attack, though all it would take is “Nicole” to start hosting the images somewhere they control to achieve that effect.

    Safety Precautions Available in Tesseract

    Use Tesseract’s Image Proxy

    It has the ability to proxy images (separately / better than the Lemmy built-in method) both local and remote (e.g. to outside image hosts). The hosted instance (tesseract.dubvee.org) has that enabled but each user must enable it in settings (Settings -> Media -> Proxy Images).

    For Tesseract installs run by other instances, it would need the server-side component enabled by the instance admins before the user setting will show up to be enabled by the user.

    If you see the “Proxy Images” options in Settings -> Media, then the admins have enabled the server-side component. If not, you’ll need to ask the admins to configure/enable media proxying. If you’re self-hosting it, then it may not provide any additional privacy unless you’re running it in a cloud server or somewhere other than where you’re accessing it.

    Disable Inline Images

    It also has the option to disable inline images (Settings -> Post and Comments -> Inline Images). I’ve confirmed this also works for DMs. With inline images disabled, instead of the image, the alt text, if available, will be linked to the image. If no alt text, then the image URL will be a clickable link. In either case, clicking the image link will load it in a modal on-demand.

    Coming Soon (Released Just Now in 1.4.32)

    After reading this post, as a precaution, I’m going to push out a hotfix (hopefully this evening) that will disable inline images in DMs by default. If someone you trust DMs you, you can just click on the image link to view it in a modal (like any other link preview).

    Testing this feature now and should have it released this evening. Works like email clients when you disable inline images; a button/switch will appear at the top if it detects there are images / media embedded which will allow you to show the images; defaults to off.

    Tesseract DM view with inline images disabled by default

    Tesseract DM view with inline images enabled per-message
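
The behaviour described in the comment above (inline images replaced by a link labelled with the alt text, or with the URL when there is no alt text, plus a per-message switch that defaults to off) can be sketched as follows. This is an added example, not Tesseract's code and not part of the original comment; `deinlineImages`, `prepareDm` and the sample DM are hypothetical names and constructed data.

```javascript
// Added example: hypothetical helpers, not Tesseract's actual implementation.
// Markdown image: ![alt](url "optional title")
const IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// Fenced blocks and inline code spans are left untouched.
const CODE = /(`{3}[\s\S]*?`{3}|`[^`\n]*`)/g;

function deinlineImages(markdown) {
  const hosts = new Set();
  let imageCount = 0;
  const text = markdown
    .split(CODE) // capture group => odd indexes are code segments
    .map((part, i) => {
      if (i % 2 === 1) return part;
      return part.replace(IMAGE, (_match, alt, url) => {
        imageCount += 1;
        try {
          hosts.add(new URL(url).hostname); // host that would see the client IP
        } catch {
          // relative or malformed URL: nothing to record
        }
        // Alt text becomes the link label; fall back to the URL itself.
        const label = (alt.trim() || url).replace(/[\[\]]/g, "\\$&");
        return `[${label}](${url})`;
      });
    })
    .join("");
  return { text, imageCount, hosts: [...hosts] };
}

// Per-message switch, off by default, shown only when media was detected.
function prepareDm(markdown, showImages = false) {
  const result = deinlineImages(markdown);
  return {
    body: showImages ? markdown : result.text,
    showToggle: result.imageCount > 0,
    hosts: result.hosts,
  };
}

// Constructed sample DM (not real traffic).
const SAMPLE_DM = [
  "Hi! ![selfie](https://img.example.net/a.png) ![](https://tracker.example.org/p.gif?u=42)",
  "Literal syntax: `![x](https://code.example/x.png)`",
].join("\n");

console.log(prepareDm(SAMPLE_DM));
```

The `hosts` list shows which servers would have received a request, and therefore the reader's IP address, had the images been rendered inline.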






  • And what’s the problem with that?

    Laws don’t currently make a concession for federated social media. If the law in an instance’s jurisdiction says that users on a platform must be of a certain age, then for practical/enforcement purposes it makes no difference if they’re local or federated.

    FWIW, I also ban people under age 18 on my instance (local and federated). Obviously I can’t know everyone’s age, but if someone offers it and I become aware, and it’s below the minimum age set in our policy, then they’re banned until they’re of age - simple as that.

    I’m in the US, so 13 is the minimum age by law for most services (COPPA), and there’s various grumblings to increase the age specifically for social media, so I’m playing it safe with 18 which is the age you’re legally considered an adult.

    Considering some of the stuff that gets posted here (legitimately and via bad actors), then my legal liabilities are less as I’m going out of my way to only serve adults on the platform. Mind you, I’m running this as a hobby / volunteer and do not have a team of lawyers on hand.



  • Right.

    It sounds like what you’re proposing is very similar to Slashdot’s system (though I believe it’s on a submission-by-submission basis). So maybe instead of tagging users directly with labels, we were to tag their content. Then the rest of your proposal could apply by simply aggregating those scores and displaying them in the profiles.

    Not that I see this ever happening, though. I’m just joining you in your thought experiment.


  • I’m with you in theory, but there’s some things that aren’t particularly easy to solve in the fediverse:

    Ignoring the difficulty of implementation details (how do you ensure each user only gets to increment a value one time? Who defines the labels? Is it an arbitrary set, and if so, how can servers filter for offensive labels? How do you prevent bad actor servers from assigning their own, fake scores?), I wonder whether this would be a net benefit or net negative.

    There’s also the fact that it’s incredibly easy to spin up sockpuppet accounts across instances. In addition to the challenges you’ve put forth, there would also need to be some mechanism to prevent malicious labels being applied by bot swarms.

    Trolls can (and do) do the same, and then there’s that tinfoil hatter who creates and deletes an account per post. Even if those accounts are labeled, they’re in and out before a score could ever be tabulated/applied.

    Additionally, “troll” gets thrown around a LOT here regardless of the poster’s intent. Going against the grain in one community might get you labeled as a troll there even though they’re being sincere in their viewpoint.






  • Good question!

    Mine’s a small instance and runs on my existing infrastructure, so my only real cost (aside from a crazy amount of unpaid time and stress) is the domain name which is about $20/year.

    If I moved it to dedicated infrastructure, I’ve estimated it would cost me about $65/mo for just the backend, UI, and database services (to maintain the same level of performance, anyway. Could probably host it for less and take a performance hit). Object storage for pict-rs would probably be around $10/mo since I force it to use webp and have a 512 KB limit for user uploads.

    Those numbers may be a little high, but they’re based on my existing VPS provider which has amazing SLAs and uptime.


  • Been a while, but as far as I can recall, SJW and LW are the two largest instances and the decision was due to limitations with Lemmy’s moderation tools and wanting to provide a safe space for their userbase (the latter being their primary mission). BH doesn’t have a huge admin/mod team, so they chose to limit federation with some of the larger instances. I also think I remember reading that federation was never really Beehaw’s goal and is more a side effect of the platform (Lemmy) they chose to run for their project.

    May be a bit fuzzy on the details, but I believe that’s the gist of it.


  • I’m not sure if there’s a solution here, but I’d like to urge people to avoid lemmy.ml hosted communities in favor of communities on more reasonable instances.

    Did that months ago; defederated completely when they turned into Lemmygrad-lite. At first I missed some more active FOSS communities, but since then, others on different instances have become more active. programming.dev has a lot of communities that overlap with some of the bigger FOSS ones on .ml so maybe check out what they’ve got.

    If there’s a community that only exists there, be the change you want to see: create it somewhere else, nurture it, and give it time to grow. You’re not the only one making this complaint about .ml, and you probably won’t be the last.

    Related: I genuinely feel that ml being the official or at least de-facto flagship instance is turning people away.

    Edit: Oh yeah. Didn’t recognize your username at first, but I was looking at the modlog the other day from my LW account, and saw a bunch of individual community bans from Dessalines and wondered what was up. Figured it was something exactly like this, and it was. Thanks for sharing.