this post was submitted on 06 Jun 2024
1 points (100.0% liked)

The Agora

1601 readers
1 users here now

In the spirit of the Ancient Greek Agora, we invite you to join our vibrant community - a contemporary meeting place for the exchange of ideas, inspired by the practices of old. Just as the Agora served as the heart of public life in Ancient Athens, our platform is designed to be the epicenter of meaningful discussion and thought-provoking dialogue.

Here, you are encouraged to speak your mind, share your insights, and engage in stimulating discussions. This is your opportunity to shape and influence our collective journey, just like the free citizens of Athens who gathered at the Agora to make significant decisions that impacted their society.

You're not alone in your quest for knowledge and understanding. In this community, you'll find support from like-minded individuals who, like you, are eager to explore new perspectives, challenge their preconceptions, and grow intellectually.

Remember, every voice matters and your contribution can make a difference. We believe that through open dialogue, mutual respect, and a shared commitment to discovery, we can foster a community that embodies the democratic spirit of the Agora in our modern world.

Community guidelines
New posts should begin with one of the following:

Only moderators may create a [Vote] post.

Voting History & Results

founded 1 year ago
MODERATORS
 

Because someone, eventually, is going to make this post anyway, we might as well get it over with. I know someone posted something a week ago, but I feel something a little more neutral would be useful.

There's a lot of talk on lemmy.world right now about lemmy.ml at an instance level (edit: see here: https://sh.itjust.works/post/20400058). A lot of it is very similar to the discussions we've had here before- accusations of ideologically-based censorship, promotion of authoritarian left propaganda, 'tankie-ism', etc. The subject of the admin's, and Lemmy dev's, political beliefs is back up as a discussion point. The word defederation is getting thrown around, and some of our beloved sh.it.heads are part of the conversation.

What do people think about lemmy.ml? Is there evidence that the instance is managed in such a way that it creates problems for Lemmy users, and/or users of sh.itjust.works specifically? Are they problems that extend to the entire instance or primary user base, or are the examples referenced generally limited to specific communities/moderators/users? Are people here, in short, interested in putting federation to lemmy.ml to a vote?

To our admin team and moderators: What are your experiences with lemmy.ml? Have you run into any specific problems with their userbase, or challenges related to our being federated with them?

Full disclosure: I have very little personal stake in this. I don't really engage with posts about international events, I don't share my political beliefs (such as they are) online beyond "Don't be a shitbag, help your fellow human out when you can", and have not run into any of the concerns brought up personally. But I'm also not the kind of user who would butt against this stuff often in the first place.

What I will say is that I have not personally witnessed activites like brigading or promotion of really nasty shit from lemmy.ml. I cannot say this about other instances we defederated from before. But again, this may just be a product of how I use Lemmy, and does not account for the experiences of others.

This is just an opportunity for those who do have strong opinions on this topic to say their piece and, more importantly, share their evidence.

If nothing else, given similar conversations a year ago, this will be an interesting account of what sh.itjust.works looks like today (happy belated cake day everybody!)

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 0 points 5 months ago (1 children)

You raise some interesting points, and I don't think they should be dismissed out of hand. I have some questions though (some of them are re: your other comments here):

[...] some evidence that they are running their own modified version of the code which seems to give them special tools to do things like instant mass bans and selective federation of content.

Could you speak to this in a little more detail? Does what you are seeing inherently require functionality beyond what Lemmy's public release offers natively, or is beyond the scope of something like an automod tool? Asked honestly, I am not an IT professional.

[...] if .ml were to be treated as a state espionage actor [...] it would be trivial for them to collect identifying information via federation and to promote malicious or compromised websites by modifying their feeds, or even the feeds of individual users.

This is obviously a very serious accusation, but let's put that aside for a moment.

My (limited) understanding is that as a function of using the ActivityPub protocol, it is already trivial to collect identifying information on users of federated services. What makes lemmy.ml unique in this regard - couldn't a bad actor do this just as easily by other means? Simply it's comparative size to other instances/services that can be leveraged for this purpose? Aren't there lower profile means of accomplishing this same thing?

I don't know enough about how federation works from a technical perspective to speak to feed manipulation when viewing a 'rogue actor' instance from a place like sh.itjust.works, but welcome comments/clarifying questions on this point from smarter people than myself. Want to know more, just don't know what to ask.

[โ€“] [email protected] 0 points 5 months ago* (last edited 5 months ago)

Federation exposes potentially quite a bit of user telemetry data through a few different vectors. For example, simply loading a thumbnail from another instance exposes a user's IP to that host instance. The exact ability for a third instance to tie a specific web request or usage pattern to a specific user is unclear, but is not a large leap. I am working through some specific exploit ideas on a test server I run, but I don't have a ton of time these days, and it's difficult to model some of these vectors without real traffic. I can say that so far, if a user interacts with a post soon after making the content request, it's pretty easy to grab their IP, especially on low traffic content. So if I can see that a user interacts with a niche community (because votes are federated for some strange reason), I can target them that way. I should also be able to set a cookie via the content request, as well as do all the typical browser fingerprinting tricks. Once that association happens, it becomes trivial to serve malicious content to an individual user. This is a very serious threat vector specifically because it's easy to hide what you are doing from the rest of the world, so it requires vigilance by the target to uncover. If it is done rarely it would be all but impossible to spot.

The broader point is that there is clear motive and plausible opportunity here. From a cyber security perspective, that's enough to take preventative and protective measures.