Here's some speculation on how things seem to have happened:
A malicious instance created custom emojis (which are just fancy inline markdown images) with an XSS payload
DM'd some high profile admins using the custom emojis
UPDATE: These may have been on public comments and not DMs.
Used the same emoji XSS exploit (?) to inject JS redirecting to lemonparty and whatever else to the sidebar, using the admin permissions gained above
No idea if the devs are working on it or not but there seems to be a patch for the exploit floating around. Also proper CSPs could've prevented this relatively easily. It's just an overall mess, and feels like this is just the tip of the iceberg.
Bonus:
Their 2FA implementation is the bare minimum necessary (ironically, uses too new algorithms so apps like Authy apparently don't work. Also it doesn't ask you to verify the code after enabling and just assumes it worked fine. Of course no recovery key support exists)
All GET requests to the API put the JWT on a query string parameter, because of course.
Nothing OAuth-like exists. Anything you log in takes your username and password (& 2FA token) and gets an irrevocable JWT back.
With the Reddit migration a bunch of inexperienced admins opened up smaller instances using the "recommended" Ansible installer or other 3rd party scripts. AFAIK none of them do any kind of SSH hardening or other basic Linux server security prep.
These may have been on public comments and not DMs.
Looks like this is correct. The GitHub issue has a link to a live payload, which seems to be pretty simple. The alt text for the emoji is just injected into the page so you could have an emoji with text like
From what it looks like, the payload did a couple of things: it sent multiple requests with all of the cookies and then made another request if the ID navAdmin was present in the page.
Also proper CSPs could've prevented this relatively easily.
Oh and the fact that the app could just run away with all the cookies from JavaScript is amazing too. The fact that the cookies are all set from JS and as such there could be no HttpOnly setting on the cookies exacerbated the problem as well.
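An added example (not Lemmy's code, and not posted by anyone in this thread) of the rendering defect the two comments above describe: the "unsafe" renderer drops the emoji's alt text straight into the markup, the hardened one escapes every attribute and rejects non-http(s) image URLs. The emoji records and the hostile alt text are constructed for the demo.

```javascript
// Added example, not code from Lemmy or lemmy-ui. The emoji objects below are
// constructed sample data; the field names (url, alt) are an assumption.

// Escape the five characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The vulnerable shape described in the thread: attacker-controlled alt text is
// interpolated raw, so a quote in it closes the attribute and whatever follows
// is parsed as markup.
function renderEmojiUnsafe(emoji) {
  return `<img class="emoji" src="${emoji.url}" alt="${emoji.alt}" title="${emoji.alt}">`;
}

// Hardened renderer: every value is escaped and only http(s) image URLs are
// accepted, so the emoji record can never contribute a second tag or a
// javascript: source.
function renderEmojiSafe(emoji) {
  let url;
  try {
    url = new URL(emoji.url);
  } catch {
    return "";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "";
  const alt = escapeHtml(emoji.alt);
  return `<img class="emoji" src="${escapeHtml(url.href)}" alt="${alt}" title="${alt}">`;
}

// Check used to compare the two renderers: does the output contain any opening
// tag other than the single <img ...> we intended to emit?
function hasUnexpectedTag(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 1 || !tags[0].startsWith("<img ");
}

// Constructed samples: a benign emoji and one whose alt text breaks out of the
// attribute and smuggles in extra markup.
const benign = { url: "https://example.invalid/emoji/smile.png", alt: "smile" };
const hostile = { url: "https://example.invalid/emoji/x.png", alt: '"><b>injected</b><img alt="' };

console.log("unsafe, hostile alt:", hasUnexpectedTag(renderEmojiUnsafe(hostile))); // true
console.log("safe,   hostile alt:", hasUnexpectedTag(renderEmojiSafe(hostile)));   // false
```

Escaping at the point of interpolation is the fix; a CSP that forbids inline script is the second layer the thread mentions, and it only limits what injected markup can do rather than preventing the injection.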
Yikes, I mean I can understand having a simplified auth system that has some holes when you’re in alpha, but not implementing even exp? That’s kind of crazy! Even for a dev instance, use it but set your settings to generate tokens with 50 year lifespans or something on your dev box. Problem solved.
Just a heads up, it's a particular instance lemmy.world and not the entirety of lemmy itself. There's a discussion regarding it going on lemmy.ml: https://lemmy.ml/post/1895271
One of the largest instances. Possibly, the largest instance according to a post on their website that I now can't access.
Not directly related but: Beehaw is the third largest, which is interesting as it started from a group of core users who were disgruntled with some of the... culture... of the early days of Tildes, and after they launched an LGBTQ+ Tildes discord server to talk more privately.
According to fediverse observer, lemmy.world is the largest Lemmy instance by number of users, and there are several other Lemmy instances that are larger than Beehaw. However, there's some question about how many of those are "bot" signups. https://fediverse.observer/list
I don't think there's many bots to be honest, at least I haven't seen any obviously apparent bots posting stuff on Lemmy with a few exceptions of deliberate bot usage for community purposes. From my experience Beehaw is just very... quiet, overly so compared to other instances.
You're right that obvious bots haven't been posting stuff on Lemmy/Kbin. However, Lemmy devs acknowledge that bot account creation is a problem: https://github.com/LemmyNet/lemmy/issues/2355
Over the past month especially, lemmy/kbin admins have used a variety of ways of dealing with bot account creation, e.g. captchas, emails, and human review: https://lemmy.world/post/293545
So it's almost certain that there are bot accounts on fediverse servers, which will skew their "registered user" numbers to favor servers with open signups like lemmy.world and disfavor servers with human-review signups like beehaw. Daily Active Users is a better metric until the bots start posting: https://lemmy.fediverse.observer/dailystats
(but fediverse observer apparently doesn't break it down by server, which was the question above.)
Which was a great loss for everyone, because most of what they brought to Tildes was positive and valued by all.
Eh. Gaywallet I still like, admire, and miss the presence of here. But the other two former Tildes users turned Beehaw admins were banned here for very good reasons, and I personally don't miss them at all. Alyaza was genuinely one of the most aggressive, antagonistic, unpleasant, and mean spirited users on this site. I'm pretty sure she still holds the record for the most removed comments, is responsible for the most locked topics, and chased more users off this site than anyone in Tildes history due to her inability to give anyone the benefit of the doubt, and her uncanny ability to escalate any minor disagreement into full blown arguments. And IMO a major reason Tildes is a much more pleasant and friendly place now is because she was finally kicked out for good.
I joined beehaw because it seemed similar to here…limited topics, invite only, etc. I started reading their moderation post and it came across very hypocritical because they said they remove anything dehumanizing but specifically allow celebration of the demise of and hate speech about bigots/those who attack LGBTQIA’s. Now that I understand a bit of the history I can better understand their hypocrisy
That's pretty much what the main disagreement came down to. Alyaza and others basically felt the moderation here didn't go far enough in some respects (since we occasionally allow some controversial topics to be discussed), and too far in other respects (not allowing them to attack others who they deemed as enemies, which they often based on snap judgements, and uncharitable interpretations of other user's comments).
Yes, I read that too. It seems to me that a policy like that would just allow hate to be amplified, just in another direction. Sites that deplatform hate and malice of all kinds are the best. Choosing which hate to arbitrarily allow will eventually create a toxic space.
Wow, that's very interesting to me, a recent sign up. Would be good to see a timeline history of the trials and tribulations of getting Tildes to where it is now. With much humour of course!
Wow that's wild.
I see you've never had the misfortune of knowing someone like this in real life. I had a good friend that was like this who I genuinely cared about, but between mental health issues and a personality disorder, she inevitably found ways to alienate anyone she got close to. I had to cut off our relationship for the sake of my own mental health.
She had an amazing ability to interpret the most benign conversations and experiences as being an act of aggression against her. The smallest comment that I wouldn't think twice about would end up being something she'd interpret as malicious and she would be convinced that the giver of the comment was a horrible "bully" or hated her or the like.
It was a wild ride, and since the time I've known her I've been extra cautious about the people I choose to become close to.
Yeah I have never really met anyone like that. I have seen some people like this online but I never had the chance to interact with them. Tbh the person who kept everyone from themselves was me. There was a time (like a 3 year period) where I didn't have any friend just because I thought everyone hated me. It took a long time to recover and I'm hoping your friend is doing better now.
That's clever tbh. Didn't know there was this much drama here before I came here. Does this site have an official Discord btw or was it just the unofficial one?
On some level I think it's the side-channel thing. Creating a tildes discord or minecraft or any other server that enables a different mode of communication automatically creates those side channels. The identity isn't shared, it falls into an us vs them mentality. Not that they weren't going to split anyway, but inviting the fragmentation is something to be avoided.
We did talk about setting up a Tildes mastodon node that shared its identity with the user accounts here. Maybe we should revisit that sometime. It might turn into a better outlet for the fluff and casual chit chat than groups.
We had a Valheim server for quite a while and I don't remember any of us ever discussing meta issues within Tildes. Everyone on that server was a joy. Nobody flocked to it to cause drama or, absurdly, diss other users.
I think this was an issue only with those particular individuals...
Wow. And I was recommending Beehaw as one of the few good Lemmy instances, though I did side-eye their "be nice" rule a little (your tone couldn't even be a little bit aggressive, from what I saw in practice).
Shows how little one can know about the history of things.
This seems like an unnecessarily uncharitable reading of how things went down. I wasn’t involved in any of it at the time, but I don’t think that you can reduce the interpersonal interactions that led to the creation of Beehaw down to paranoia and toxicity. Either way, having more social platforms controlled by their users rather than corporations is a good thing, so let a hundred flowers bloom I say.
From the blog post:
While we agree that beliefs and emotional responses can get in the way of important work, the kind of rationalist that we take qualms with is someone who doesn’t understand that their own beliefs or emotions are clouding their judgement.
Honestly this is a take that I agree with. I actually quite like the rationalist community and believe they tend to be criticized with unnecessary harshness, but this criticism in particular resonates with my experience to such a degree that I feel glad that people are pointing it out.
To be clear, as someone who has only been on Tildes for a few weeks, I have not come across any indication from posts here that this community has people who lack self-awareness in the manner she describes-- I am only saying that I have seen it in other communities and those other communities seem to do it under the guise of "rationalism."
When I was younger, I found myself in possession of many of the thoughts they discuss because I was also taught them through the lens of a colonial oppressive system.
I'm very interested to know what the opinions were that were presented on Tildes that could be argued to be "colonialist." Having not been here that long, I'm really pretty clueless as to what sort of discussions those may have been.
That's not what I get from that policy post at all (even if that seems to be how they actually handle things). Where in there does it say what exactly they are refusing to "sanitize"?
I'm not sure if you mean that as criticism, but it seemed like a reasonable decision to me.
In fact, Beehaw looks like a very nice place, and I wouldn't hold past actions of some of its members against it.
People change and learn all the time, sometimes fast. And the context is totally different.
Not really as criticism, more of a "This explains a lot." because I felt the decision ultimately came down to wishing to vet the users much like Tildes does. The fact that they were former tildes moderators now makes a lot more sense.
Beehaw is one of the better lemmy instances, and I'm thankful for their presence on the greater fediverse.
The fact that they were former tildes moderators now makes a lot more sense.
I would call them former active/power users instead of former Tildes moderators since there’s no official Tildes moderation system. Just a few users who have the ability to edit the title or tags of a post. I don’t think anyone but Deimos has the ability to remove content and ban users.
I see. My guess is that beehaw would be even more heavily moderated than Tildes, but only users can really know.
I'm not a technical person, but I was surprised to learn it was a federated website; that didn't feel like a good fit.
Same here, but to be fair from my experience on the fediverse, the posts, opinions and communities that seem to have the most traction on the large instances (such as .world, /ml/ and kbin*) are generally left of center, supportive of queer/feminist/POC viewpoints/issues, and moderated well enough to prevent bigoted views/topics from thriving. I know there are some problematic communities, users, and instances out there, but they seemed to be a very tiny minority.
Aside from the problematic views of some of lemmy's developers, the culture for the most part feels very welcoming and inclusive, which is why it still surprised me when beehaw ended up defederating from many of the big instances.
You gotta remember that beehaw exists in large part because some users thought Tildes moderation was not strict enough. So their standards are probably more stringent than most.
In a perfect world, sure, but the sheer size of servers like lemmy.world and the scale of their expansion over the past weeks has resulted in severe issues with moderation. Even if the overall site culture is fine, harassment and hate can still slip through the cracks. That’s why Beehaw defederated from those big instances until they’re able to get a handle on their moderation. It’s not uncommon for servers on Mastodon to do the same thing with mastodon.social, since it’s too big to always be moderated properly.
I also believe that they have additional admins and mods so perhaps one person doesn't hold too much power. Regardless, to each their own and the users who are happy here can continue to be happy here and the users who are happy there can be happy there. It's a big world and a big internet, we don't all have to play in the same sandbox.
The Lemmy.world defederation was largely due to spam (and some trolling too) from that instance more than any other. .ml is still federated with them, as is kbin, which has open signups unlike .ml even.
They're not a malicious bunch of people over there (disclaimer: I was involved in the Discord group that led to Beehaw's creation), I'd argue that their goals of creating a safe and friendly space include deciding that, when they conflict, it's better to prioritize the safety and feeling of the marginalized over the feelings of those who are not, in context.
I'm not saying it's necessarily the best universal approach, but that was largely the core of the problem we saw with the Tildes culture at the time. Acting as if a discussion on eugenics that gives space for people to act as if it's a good thing is exhausting when, whether due to race, neurodivergence, queer status, or otherwise, you've had to argue against that before, including arguing for one's own right to keep existing and not have others like you subject to eugenics style culling, to use the example of the linked post from Gaywallet.
She was definitely very confrontational, but I'm still on team "Alyaza's core points were right, despite her aggressive presentation", and she certainly is much more mellow over at Beehaw, from what I've seen so far.
It was a disagreement on the level of moderation - some people wanted, well, more stringent moderation. For the most part, if you're polite, and the opinion isn't absurd, you can express most opinions on tildes, and for a group of people, "most opinions" included ones that they felt were unacceptable to exist on the site.
Nothing really has changed on tildes. If you've been reading it today without issue, you've come across those opinions in polite form, and you aren't the type to be sensitized against it evidently. In the end, I don't think there's a right or wrong answer, they wanted more moderation, and besides the... uh, weird discord, they left and made their own site with their own moderation policies, which is a perfectly fine solution.
All of the pandemic-related dysfunction in the way people used Tildes and other social sites was coming to a boil at that point. Everyone was spending far too much time online. Without in-person contact, I think many of us forgot how to gauge and respond sensibly to the emotional content of text interactions.
That being said, as one of the members of the LGBTQ+ community, and a former sysadmin, I could see merit in most of the positions taken in that thread. I'm glad to be a member of both Tildes and Beehaw - the garden wall isn't too high in either case, just enough that people are less likely to try and talk past or outshout each other when feelings are running hot.
Afaik, not always. There was a hotly debated thread a long time ago where a particular user defended eugenics. Somehow, and I really don't remember how, the topic came up again a number of times in different threads and people essentially went: "This really shouldn't even be a conversation, and the offending comments should be deleted without a discussion." Which is a valid take, especially because one of the conversation members was disabled and felt pretty personally attacked by it all.
I'd like to say that Tildes overall feels like a trans friendly place, as it should be.
Looks like the thread Psi is referring to does mention some users feeling like trans issues weren't being handled the way they would have liked.
I made my comment because "indications of transphobia" is also the fastest way to get banned on reddit too. The moderation here seems to be generally more relaxed than some subreddits.
The code of conduct only says:
In general, as long as you treat others with basic civility and try to contribute in good faith, you will be welcome on Tildes.
Like I said I'm new here and don't want to make anyone feel unwelcome, but if someone brings up "trans people in sports" should they be instantly banned? Honestly even "eugenics" is a broad term and can relate to whether a mother chooses to carry a child with severe disabilities.
I really feel like I am stirring the pot a bit here and don't mean to, so I think I've spoken my piece with this comment and won't continue to reply unless it seems really necessary.
Honestly even "eugenics" is a broad term and can relate to whether a mother chooses to carry a child with severe disabilities.
It does and doesn't. That's more an abortion type conversation, which riles up similar folks.
Eugenics as a whole? Is a massively disproven approach to science that had more opinionated racial issues than we know what to do with. It just doesn't warrant discussion anymore beyond it becoming a disgusting horrible footnote.
It does and doesn't. That's more an abortion type conversation, which riles up similar folks.
Just a more general point I want to make about controversial topics is that I've found that often people disagree on definitions, at which point from the start you're already asking for disaster. In this case the community has to answer the question "what is eugenics," and the chances of finding agreement on the definition alone is so slim that it's inevitable the discussion will devolve.
I find that the same dynamic happens when there's any conversation that involves the word "racism." The left and the right define the term differently so obviously they will not see eye to eye. Another more specific example I've found more recently is that the word "Zionism" often means something different to people who identify as Zionist than to people who identify as anti-Zionist. It more or less guarantees they'll talk over each other and not make any progress.
That was exactly the issue we were having. A large majority of the users here saw nothing wrong while a tiny group was going around using “Malice” all the time and claiming Tildes was a toxic website.
Apparently they were experiencing Tildes at a level unknown to the rest of us and eventually they left because they couldn’t understand why we didn’t see it. I still don’t. I’ve never seen a single thing here that I’d label malicious…usually Deimos deletes those few comments and bans those users post haste.
It's the joy of having 'facts' being distorted.
Traditionally if you entered a conversation about a controversial topic, you at least came from a place of understanding the topic to a degree that you could understand. I.e. Racism = People being treated differently because of certain characteristics. Now? It's all over the shop.
The whole "My truth" thing is uniquely offensive to intellectual debate for this reason. It means every single person's opinions become distorted and unreflective of society at large.
Just fyi, there’s no mod team here. Only the site admin (Deimos) has the ability to perform normal mod actions outside of editing the title or tags of a post.
Just fyi, there’s no mod team here. Only the site admin (Deimos) has the ability to perform normal mod actions outside of editing the title or tags of a post.
According to which definition? Wikipedia says, it's "a set of beliefs and practices that aim to improve the genetic quality of a human population". I don't understand how an individual's choice to...
even "eugenics" is a broad term and can relate to whether a mother chooses to carry a child with severe disabilities.
That being said, I think it should still be possible to discuss topics like this as long as there is no brigading and everyone can agree to accept scientific consensus as fact. You can't ban topics from public discourse (without oppression), you can only force people to discuss them in fringe echo chambers, and that's how you breed radical movements like QAnon.
Okay since two people replied to me about this I will try and respond. I should explicitly state I'm not trying to advocate for eugenics, but that nuance exists even in these topics.
Given the Wikipedia definition you mentioned, while ultimately the personal choice of a mother to not birth a child with disabilities does not need to necessarily reflect beliefs that they are doing so to "improve the genetic quality of the human population", if these abortions occur on a population level the result is the same as if eugenic policies are embraced. Iceland for example has fewer people with Down syndrome, supposedly due to women terminating pregnancies.
Eugenics is horrible and unscientific but it's not illegal as far as I'm aware, if in the future you can detect something like autism in utero, that many believe is not even a disability, and a mother chooses to abort, does she have a right to? I think most people would say yes since it's still her bodily autonomy, and it would seem odd that it's okay to abort "neurotypical" fetuses but not "divergent" ones, but clearly the question of whether it is ethical to do so or whether expectant mothers should be given full information regarding their pregnancy has some room for discussion, and I would consider that "discussing eugenics". Same could be said for things like congenital deafness and blindness.
Anyway none of this has anything to do with lemmy being hacked so if you want to discuss it further maybe we could do it somewhere else.
Careful, that whole debacle started when people like me suggested there might be nuance. For even suggesting that I was basically being called out as a Nazi who wanted to gas people. You know, nuance…
I’m surprised because this topic basically resurfaced in that thread recently about new genetic screening techniques and…nobody really got that upset. I say good riddance to those users that freaked out over it. They were so sensitive and were clearly terminally online.
I was the person taking the brunt of the flame in that original thread (arguing exactly the same position that Lucid just outlined). I deleted the original comments from my profile because I didn't care to dwell on a (one-way) flame war, otherwise I'd be happy to share.
I left Tildes completely after that thread (up until the Reddit debacle) since Deimos nuked everything instead of just banning or removing the unhinged vitriol from the discord brigade. As a testament to the userbase here, I got a few PMs along the lines of "those guys are unhinged; sorry that happened and don't take it personally", but the chilling effect that crew was having soured the site for me. Frankly, I'm disappointed those clowns were allowed to stay on here as long as they were, but glad to see them gone.
I haven’t been here very long, but I did see some strange opinions on minority voices here a while back. Although that seems to have gotten significantly better recently
I haven’t been here very long, but I did see some strange opinions on minority voices here a while back. Although that seems to have gotten significantly better recently
It's individual servers due to a global vulnerability, this seems to be the right issue, the attacker cannot compromise all Lemmy (Federation helps in cases like this after all) but can compromise any instance they want until patched.
The short answer is that archive.is blocks Cloudflare's DNS, or other privacy focused DNS resolvers that don't send location information to archive.is's servers. This has been happening on and off for years, and it appears to only have restarted recently.
The answer that archive.is gives, 1.1.1.7, is just invalid. (It's in the IP block Cloudflare uses for the 1.1.1.1 DNS server, and has no relation to archive.is.)
cc: @boxer_dogs_dance and @kfwyre since you were experiencing the same issues with archive.is, and the above seems to explain the reason for it. Thanks for sharing that, Aeledfyr.
Some other people mentioned having issues with archive.is recently too: https://tildes.net/~news/17gl/proud_boys_fined_over_1_million_for_destroying_property_of_a_black_church#comment-95y6 No idea...
Looks like Spez finally fully snapped and went full nuclear then. Joke aside, I don't think it means anything other than the hacker memeing on recent events.
According to the Beehaw (which they've taken down as a precaution) discord it was known you could inject javascript into titles as recently as version 0.18.1, and from other sources appears to be a longstanding issue that some areas of the platform were not sanitizing inputs properly.
Jesus, something that simple?? Mastodon has a similar issue with arbitrary file creation. These federated social media platforms need to solve these issues quickly before user confidence plummets and they just move back to the mainstream platforms.
Yeah it is a bit of a mess and frankly makes me regret signing up to an instance a little. Ironically, it seems I somewhat predicted what happened just earlier this week:
At this point, I am honestly not sure about using Lemmy instances until some form of security audit has been done. To be fair to the community, things that are found are quickly fixed, but they seem to be mostly found after the fact. Something I also should have looked into further before trying it out. But given all the coverage of Lemmy I made the assumption (shouldn't have done that) that at least the base architecture of it all was solid, given the number of instances people do spin up and that are popular.
Conspiracy theory: who do you think is behind this?
It's a bit like the old antivirus conundrum. No one needed an antivirus until someone wrote a virus, but did someone write a virus to profit from antivirus?
I don't think it's anything that insidious, it's not like anyone is making money from this hack from what I know, and there isn't an opportunity to sell a solution. It's more likely someone just did this for the lulz, given the attention that's being given to Lemmy at the moment.
It's more likely someone just did this for the lulz, given the attention that's being given to Lemmy at the moment.
No idea if it would make sense to share the domain but the endpoint they exfiltrated the login tokens to had a direct reference to the Ukraine war, and one of the first things they did with their access was to rename the instance to "Israel" and change federation to be allowlist-only with threads.net (along with putting up redirects to lemonparty & telling people the site was taken down "by Reddit"). There may or may not have been some racist slurs as well, can't be bothered to look through the chat logs.
One of the greatest things and worst things about FOSS, the code is available and anyone can review it. Awesome for patches. Awesome for finding exploits, testing privately and then attempting live.
Also, it matters on so many things, from correct configuration of a webserver, the stacks used, and the main one, which is regular maintenance and patch work for whenever a CVE or bug is found. That stuff needs to be implemented lickety-split to stop stuff like this happening.
All the big main corps have the same issues, the difference is the closed source nature makes it slightly more difficult to work out the hack.
I hope they get it patched before Lemmy looks like a joke.
Does anyone else have trouble logging into Beehaw? I came home from work today and tried to log in multiple times on multiple browsers with no success. Even tried signing up with a new name but it just will not let me in LOL!
I cannot even message anyone over there as I am not on discord.
Any suggestions?
Not sure if you're still having this issue, but one of the things they had to do to secure things invalidated session tokens (or something similar). I know I had to delete my cookies/site data before I could log back in.
I don’t understand Lemmy or “federated” websites. Is security built in or are you hoping that the instance creator had done their due diligence? Using that system frightens me.
Can anyone give a short description on how to use lemmy?
I tried subbing to lemmy.world, and there's a note that posts won't start popping into your feed until you're subscribed, so I waited a bit.
Seems like my Frontpage is filled with a legion of small, very very niche sub forums. I've been dropping in, blocking like 20 forums in a pass, and giving up.
The sheer amount of Canada-specific sub forums is astonishing. Like, I get it, it started as Canadian-centric content, and I think it's great that they have a place that's not polluted by US-dominated discussion. But is there a way to just filter all that in one setting, rather than curating constantly like whack-a-mole?
Edit - Never mind, I'm an idiot. I thought the gateway into lemmys was lemmy.ca (first link I found a while ago), and you signed up to federated lemmys through that general UI. Went to https://lemmy.world and this is what I wanted. Mystery solved
So Lemmy is a little bit like Reddit in format at least. By default, it puts you on the equivalent of r/all. If you want a more curated feed, go to the Communities page (it's on the top right usually) and subscribe to some communities that interest you. You can technically subscribe to communities on your home instance and on instances that your home instance is federated with, but for now the easiest thing is probably to just subscribe to stuff that you see in that communities page that you like and not worry about federation. Once you've subbed to some communities that you like, go back to your main feed and change the view to "Subscribed" instead of "Local" or "All". You may have to go into your account settings to make that your default feed view, I can't remember for sure.
Some recent issues and PRs:
XSS with emojis
Current XSS Issue thread
Improper JWT issue
Looks like this is correct. The GitHub issue has a link to a live payload, which seems to be pretty simple. The alt text for the emoji is just injected into the page so you could have an emoji with text like
and it'd essentially render the HTML as
From what it looks like the payload did a couple things: sent multiple requests with all of the cookies and then made another request if the ID navAdmin was present in the page.
Oh and the fact that the app could just run away with all the cookies from JavaScript is amazing too. The fact that the cookies are all set from JS and as such there could be no HttpOnly setting on the cookies exacerbated the problem as well.
Yikes, I mean I can understand having a simplified auth system that has some holes when you’re in alpha, but not implementing even exp? That’s kind of crazy! Even for a dev instance, use it but set your settings to generate tokens with 50 year lifespans or something on your dev box. Problem solved.
Just a heads up, it's a particular instance lemmy.world and not the entirety of lemmy itself.
There's a discussion regarding it going on lemmy.ml: https://lemmy.ml/post/1895271
Edit: lemmy.blahaj.zone also appears to have been hijacked.
Edit 2: A lemmy vulnerability that was exploited on a few servers. More info by @jherazob below.
Thanks. I corrected it
How big and/or important is that instance?
One of the largest instances. Possibly, the largest instance according to a post on their website that I now can't access.
Not directly related but: Beehaw is the third largest, which is interesting as it started from a group of core users who were disgruntled with some of the... culture... of the early days of Tildes, and after they launched an LGBTQ+ Tildes discord server to talk more privately.
Beehaw appears to be down as well.
Per their discord, one of the admins took it offline as a preemptive move until there's more info on what has led to these hacks.
That's a good move. I was just on there and suddenly got kicked off and wondered what happened.
Thanks for the update.
According to fediverse observer, lemmy.world is the largest Lemmy instance by number of users, and there are several other Lemmy instances that are larger than Beehaw. However, there's some question about how many of those are "bot" signups.
https://fediverse.observer/list
I don't think there's many bots to be honest, at least I haven't seen any obviously apparent bots posting stuff on Lemmy with a few exceptions of deliberate bot usage for community purposes. From my experience Beehaw is just very... quiet, overly so compared to other instances.
You're right that obvious bots haven't been posting stuff on Lemmy/Kbin. However, Lemmy devs acknowledge that bot account creation is a problem:
https://github.com/LemmyNet/lemmy/issues/2355
People who track user count (i.e. with "friendly" bots) can see suspicious patterns in account creation:
https://botsin.space/@threadcount/110581723322900741
Over the past month especially, lemmy/kbin admins have used a variety of ways of dealing with bot account creation, e.g. captchas, emails, and human review:
https://lemmy.world/post/293545
So it's almost certain that there are bot accounts on fediverse servers, which will skew their "registered user" numbers to favor servers with open signups like lemmy.world and disfavor servers with human-review signups like beehaw. Daily Active Users is a better metric until the bots start posting:
https://lemmy.fediverse.observer/dailystats
(but fediverse observer apparently doesn't break it down by server, which was the question above.)
Killer username, btw.
What culture was this? Tildes seems to be a pretty friendly place, was it not in its earlier days?
Eh. Gaywallet I still like, admire, and miss the presence of here. But the other two former Tildes users turned Beehaw admins were banned here for very good reasons, and I personally don't miss them at all. Alyaza was genuinely one of the most aggressive, antagonistic, unpleasant, and mean spirited users on this site. I'm pretty sure she still holds the record for the most removed comments, is responsible for the most locked topics, and chased more users off this site than anyone in Tildes history due to her inability to give anyone the benefit of the doubt, and her uncanny ability to escalate any minor disagreement into full blown arguments. And IMO a major reason Tildes is a much more pleasant and friendly place now is because she was finally kicked out for good.
I joined beehaw because it seemed similar to here…limited topics, invite only, etc. I started reading their moderation post and it came across very hypocritical because they said they remove anything dehumanizing but specifically allow celebration of the demise of and hate speech about bigots/those who attack LGBTQIA’s. Now that I understand a bit of the history I can better understand their hypocrisy
That's pretty much what the main disagreement came down to. Alyaza and others basically felt the moderation here didn't go far enough in some respects (since we occasionally allow some controversial topics to be discussed), and too far in other respects (not allowing them to attack others who they deemed as enemies, which they often based on snap judgements, and uncharitable interpretations of other users' comments).
Yes, I read that too. It seems to me that a policy like that would just allow hate to be amplified, just in another direction. Sites that deplatform hate and malice of all kinds are the best. Choosing which hate to arbitrarily allow will eventually create a toxic space.
Wow, that's very interesting to me, a recent sign up. Would be good to see a timeline history of the trials and tribulations of getting Tildes to where it is now. With much humour of course!
Wow that's wild. So is this another reason why tildes is an invitation type site?
I see you've never had the misfortune of knowing someone like this in real life. I had a good friend that was like this who I genuinely cared about, but between mental health issues and a personality disorder, she inevitably found ways to alienate anyone she got close to. I had to cut off our relationship for the sake of my own mental health.
She had an amazing ability to interpret the most benign conversations and experiences as being an act of aggression against her. The smallest comment that I wouldn't think twice about would end up being something she'd interpret as malicious and she would be convinced that the giver of the comment was a horrible "bully" or hated her or the like.
It was a wild ride, and since the time I've known her I've been extra cautious about the people I choose to become close to.
Yeah I have never really met anyone like that. I have seen some people like this online but I never had the chance to interact with them. Tbh the person who kept everyone from themselves was me. There was a time (like a 3 year period) where I didn't have any friend just because I thought everyone hated me. It took a long time to recover and I'm hoping your friend is doing better now.
One of the major benefits of being invite only is it helps prevent ban avoidance, yes.
That's clever tbh. Didn't know there was this much drama here before I came here. Does this site have an official Discord btw or was it just the unofficial one?
No, it was an unofficial one.
On some level I think it's the side-channel thing. Creating a tildes discord or minecraft or any other server that enables a different mode of communication automatically creates those side channels. The identity isn't shared, it falls into an us vs them mentality. Not that they weren't going to split anyway, but inviting the fragmentation is something to be avoided.
We did talk about setting up a Tildes mastodon node that shared its identity with the user accounts here. Maybe we should revisit that sometime. It might turn into a better outlet for the fluff and casual chit chat than groups.
We had a Valheim server for quite a while and I don't remember any of us ever discussing meta issues within Tildes. Everyone on that server was a joy. Nobody flocked to it to cause drama or, absurdly, diss other users.
I think this was an issue only with those particular individuals...
I remember these people, how can anyone miss them?
Wow. And I was recommending Beehaw as one of the few good Lemmy instances, though I did side-eye their "be nice" rule a little (your tone couldn't even be a little bit aggressive, from what I saw in practice).
Shows how little one can know about the history of things.
You're right, and I still will! I was just surprised at the history of how Beehaw got to be(e).
This seems like an unnecessarily uncharitable reading of how things went down. I wasn’t involved in any of it at the time, but I don’t think that you can reduce the interpersonal interactions that led to the creation of Beehaw down to paranoia and toxicity. Either way, having more social platforms controlled by their users rather than corporations is a good thing, so let a hundred flowers bloom I say.
They also claim in one of their blog posts about their history that people here are ignorant bigots and we cause a lot of harm to the world.
From the blog post:
Honestly this is a take that I agree with. I actually quite like the rationalist community and believe they tend to be criticized with unnecessary harshness, but this criticism in particular resonates with my experience to such a degree that I feel glad that people are pointing it out.
To be clear, as someone who has only been on Tildes for a few weeks, I have not come across any indication from posts here that this community has people who lack self-awareness in the manner she describes; I am only saying that I have seen it in other communities and those other communities seem to do it under the guise of "rationalism."
I'm very interested to know what the opinions were that were presented on Tildes that could be argued to be "colonialist." Having not been here that long, I'm really pretty clueless as to what sort of discussions those may have been.
That's not what I get from that policy post at all (even if that seems to be how they actually handle things). Where in there does it say what exactly they are refusing to "sanitize"?
Hmm, maybe I misinterpreted it through uncharitable eyes. I will reread it and reflect on it some more, and remove that part of my post.
Let me know if I was wrong.
Now it makes sense why they ended up defederating from lemmy.world.
I'm not sure if you mean that as criticism, but it seemed like a reasonable decision to me.
In fact, Beehaw looks like a very nice place, and I wouldn't hold past actions of some of its members against it.
People change and learn all the time, sometimes fast. And the context is totally different.
I'm glad beehaw exists.
Not really as criticism, more of a "This explains a lot." because I felt the decision ultimately came down to wishing to vet the users much like Tildes does. The fact that they were former tildes moderators now makes a lot more sense.
Beehaw is one of the better lemmy instances, and I'm thankful for their presence on the greater fediverse.
I would call them former active/power users instead of former Tildes moderators since there’s no official Tildes moderation system. Just a few users who have the ability to edit the title or tags of a post. I don’t think anyone but Deimos has the ability to remove content and ban users.
I see. My guess is that beehaw would be even more heavily moderated than Tildes, but only users can really know.
I'm not a technical person, but I was surprised to learn it was a federated website, that didn't feel like a good fit.
Same here, but to be fair from my experience on the fediverse, the posts, opinions and communities that seem to have the most traction on the large instances (such as .world, .ml and kbin*) are generally left of center, supportive of queer/feminist/POC viewpoints/issues, and moderated well enough to prevent bigoted views/topics from thriving. I know there are some problematic communities, users, and instances out there, but they seemed to be a very tiny minority.
Aside from the problematic views of some of lemmy's developers, the culture for the most part feels very welcoming and inclusive, which is why it still surprised me when beehaw ended up defederating from many of the big instances.
You gotta remember that beehaw exists in large part because some users thought Tildes moderation was not strict enough. So their standards are probably more stringent than most.
In a perfect world, sure, but the sheer size of servers like lemmy.world and the scale of their expansion over the past weeks has resulted in severe issues with moderation. Even if the overall site culture is fine, harassment and hate can still slip through the cracks. That’s why Beehaw defederated from those big instances until they’re able to get a handle on their moderation. It’s not uncommon for servers on Mastodon to do the same thing with mastodon.social, since it’s too big to always be moderated properly.
I also believe that they have additional admins and mods so perhaps one person doesn't hold too much power. Regardless, to each their own, and the users who are happy here can continue to be happy, and the users who are happy there can be happy there. It's a big world and a big internet, we don't all have to play in the same sandbox.
The Lemmy.world defederation was largely due to spam (and some trolling too) from that instance more than any other. .ml is still federated with them, as is kbin, which has open signups unlike .ml even.
They're not a malicious bunch of people over there (disclaimer: I was involved in the Discord group that led to Beehaw's creation), I'd argue that their goals of creating a safe and friendly space include deciding that, when they conflict, it's better to prioritize the safety and feeling of the marginalized over the feelings of those who are not, in context.
I'm not saying it's necessarily the best universal approach, but that was largely the core of the problem we saw with the Tildes culture at the time. Acting as if a discussion on eugenics that gives space for people to act as if it's a good thing is exhausting when, whether due to race, neurodivergence, queer status, or otherwise, you've had to argue against that before, including arguing for one's own right to keep existing and not have others like you subject to eugenics-style culling, to use the example of the linked post from Gaywallet.
She was definitely very confrontational, but I'm still on team "alayaza's core points were right, despite her aggressive presentation", and she certainly is much more mellow over at Beehaw, from what I've seen so far.
It was a disagreement on the level of moderation - some people wanted, well, more stringent moderation. For the most part, if you're polite, and the opinion isn't absurd, you can express most opinions on tildes, and for a group of people, "most opinions" included ones that they felt were unacceptable to exist on the site.
Nothing really has changed on tildes. If you've been reading it today without issue, you've come across those opinions in polite form, and you aren't the type to be sensitized against it evidently. In the end, I don't think there's a right or wrong answer, they wanted more moderation, and besides the... uh, weird discord, they left and made their own site with their own moderation policies, which is a perfectly fine solution.
What are these obliquely referred to opinions?
Here's probably the quintessential thread on this topic: Repeatedly finding myself upset with the conversations on Tildes.
All of the pandemic-related dysfunction in the way people used Tildes and other social sites was coming to a boil at that point. Everyone was spending far too much time online. Without in-person contact, I think many of us forgot how to gauge and respond sensibly to the emotional content of text interactions.
That being said, as one of the members of the LGBTQ+ community, and a former sysadmin, I could see merit in most of the positions taken in that thread. I'm glad to be a member of both Tildes and Beehaw - the garden wall isn't too high in either case, just enough that people are less likely to try and talk past or outshout each other when feelings are running hot.
Wow, it's been two years since that thread, time sure flies. Deimos hit the nail on the head with that comment.
I'm new here and I apologize if I'm completely wrong but I am going to guess it's to do with transgender topics.
Afaik, not always. There was a hotly debated thread a long time ago where a particular user defended eugenics. Somehow, and I really don't remember how, the topic came up again a number of times in different threads and people essentially went: "This really shouldn't even be a conversation, and the offending comments should be deleted without a discussion." Which is a valid take, especially because one of the conversation members was disabled and felt pretty personally attacked by it all.
I'd like to say that Tildes overall feels like a trans friendly place, as it should be.
Looks like the thread Psi is referring to does mention some users feeling like trans issues weren't being handled the way they would have liked.
I made my comment because "indications of transphobia" is also the fastest way to get banned on reddit too. The moderation here seems to be generally more relaxed than some subreddits.
The code of conduct only says:
In general, as long as you treat others with basic civility and try to contribute in good faith, you will be welcome on Tildes.
Like I said I'm new here and don't want to make anyone feel unwelcome, but if someone brings up "trans people in sports" should they be instantly banned? Honestly even "eugenics" is a broad term and can relate to whether a mother chooses to carry a child with severe disabilities.
I really feel like I am stirring the pot a bit here and don't mean to, so I think I've spoken my piece with this comment and won't continue to reply unless it seems really necessary.
It does and doesn't. That's more an abortion type conversation, which riles up similar folks.
Eugenics as a whole? Is a massively disproven approach to science that had more opinionated racial issues than we know what to do with. It just doesn't warrant discussion anymore beyond it becoming a disgusting horrible footnote.
Just a more general point I want to make about controversial topics is that I've found that often people disagree on definitions, at which point from the start you're already asking for disaster. In this case the community has to answer the question "what is eugenics," and the chance of finding agreement on the definition alone is so slim that it's inevitable the discussion will devolve.
I find that the same dynamic happens when there's any conversation that involves the word "racism." The left and the right define the term differently so obviously they will not see eye to eye. Another more specific example I've found more recently is that the word "Zionism" often means something different to people who identify as Zionist than to people who identify as anti-Zionist. It more or less guarantees they'll talk over each other and not make any progress.
That was exactly the issue we were having. A large majority of the users here saw nothing wrong while a tiny group was going around using “Malice” all the time and claiming Tildes was a toxic website.
Apparently they were experiencing Tildes at a level unknown to the rest of us and eventually they left because they couldn’t understand why we didn’t see it. I still don’t. I’ve never seen a single thing here that I’d label malicious…usually Deimos deletes those few comments and bans those users post haste.
It's the joy of having 'facts' being distorted.
Traditionally if you entered a conversation about a controversial topic, you at least came from a place of understanding the topic to a degree that you could understand. I.e. Racism = People being treated differently because of certain characteristics. Now? It's all over the shop.
The whole "My truth" thing is uniquely offensive to intellectual debate for this reason. It means every single person's opinions become distorted and unreflective of society at large.
Just fyi, there’s no mod team here. Only the site admin (Deimos) has the ability to perform normal mod actions outside of editing the title or tags of a post.
According to which definition? Wikipedia says, it's "a set of beliefs and practices that aim to improve the genetic quality of a human population". I don't understand how an individual's choice to abort a pregnancy falls under that definition.
That being said, I think it should still be possible to discuss topics like this as long as there is no brigading and everyone can agree to accept scientific consensus as fact. You can't ban topics from public discourse (without oppression), you can only force people to discuss them in fringe echo chambers, and that's how you breed radical movements like QAnon.
Okay since two people replied to me about this I will try and respond. I should explicitly state I'm not trying to advocate for eugenics, but that nuance exists even in these topics.
Given the Wikipedia definition you mentioned, while ultimately the personal choice of a mother to not birth a child with disabilities does not need to necessarily reflect beliefs that they are doing so to "improve the genetic quality of the human population", if these abortions occur on a population level the result is the same as if eugenic policies are embraced. Iceland for example has fewer people with Down syndrome, supposedly due to women terminating pregnancies.
Eugenics is horrible and unscientific but it's not illegal as far as I'm aware, if in the future you can detect something like autism in utero, that many believe is not even a disability, and a mother chooses to abort, does she have a right to? I think most people would say yes since it's still her bodily autonomy, and it would seem odd that it's okay to abort "neurotypical" fetuses but not "divergent" ones, but clearly the question of whether it is ethical to do so or whether expectant mothers should be given full information regarding their pregnancy has some room for discussion, and I would consider that "discussing eugenics". Same could be said for things like congenital deafness and blindness.
Anyway none of this has anything to do with lemmy being hacked so if you want to discuss it further maybe we could do it somewhere else.
Careful, that whole debacle started when people like me suggested there might be nuance. For even suggesting that I was basically being called out as a Nazi who wanted to gas people. You know, nuance…
I’m surprised because this topic basically resurfaced in that thread recently about new genetic screening techniques and…nobody really got that upset. I say good riddance to those users that freaked out over it. They were so sensitive and were clearly terminally online.
I was the person taking the brunt of the flame in that original thread (arguing exactly the same position that Lucid just outlined). I deleted the original comments from my profile because I didn't care to dwell on a (one-way) flame war, otherwise I'd be happy to share.
I left Tildes completely after that thread (up until the Reddit debacle) since Deimos nuked everything instead of just banning or removing the unhinged vitriol from the discord brigade. As a testament to the userbase here, I got a few PMs along the lines of "those guys are unhinged; sorry that happened and don't take it personally", but the chilling effect that crew was having soured the site for me. Frankly, I'm disappointed those clowns were allowed to stay on here as long as they were, but glad to see them gone.
I haven’t been here very long, but I did see some strange opinions on minority voices here a while back. Although that seems to have gotten significantly better recently.
More users to drown out the smaller echoes, maybe.
One of the largest ones AFAIK.
It's individual servers due to a global vulnerability. This seems to be the right issue: the attacker cannot compromise all of Lemmy (federation helps in cases like this, after all) but can compromise any instance they want until it is patched.
The hacker's defacement message was interesting:
https://archive.is/wbQ2f
The link there won’t load for me. Could be my VPN, but is anyone else having issues?
The short answer is that archive.is blocks Cloudflare's DNS, or other privacy-focused DNS resolvers that don't send location information to archive.is's servers. This has been happening on and off for years, and it appears to only have restarted recently.
A good article summarizing the issue (from 2019)
Other discussions:
https://news.ycombinator.com/item?id=36397710
https://old.reddit.com/r/DataHoarder/comments/13g4htv/cloudflare_dns_blocking_archiveis/jjyfvst/
Edit, an example of what archive.is is actually doing to block Cloudflare's DNS:
The answer that archive.is gives, 1.1.1.7, is just invalid. (It's in the IP block Cloudflare uses for the 1.1.1.1 DNS server, and has no relation to archive.is.)
cc: @boxer_dogs_dance and @kfwyre since you were experiencing the same issues with archive.is, and the above seems to explain the reason for it. Thanks for sharing that, Aeledfyr.
Some other people mentioned having issues with archive.is recently too:
https://tildes.net/~news/17gl/proud_boys_fined_over_1_million_for_destroying_property_of_a_black_church#comment-95y6
No idea what is actually causing it, but it sounds like it has something to do with iCloud Private Relay.
Ah, sounds about right. Thanks for the response.
Looks like Spez finally fully snapped and went full nuclear then. Joke aside, I don't think it means anything other than the hacker memeing on recent events.
According to the Beehaw Discord (Beehaw itself has been taken down as a precaution), it was known you could inject JavaScript into titles as recently as version 0.18.1, and from other sources it appears to be a longstanding issue that some areas of the platform were not sanitizing inputs properly.
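An added example, not Lemmy's code or anything from that Discord, showing the defect pattern the comment above describes (a post title concatenated into markup without output encoding) next to the escaped rendering that prevents it, plus a small regression check a defender can run over rendered fragments. The sample title, the function names and the CSP value are constructed for illustration; the page does not give Lemmy's actual template code or policy.

```javascript
// Added example (not Lemmy's code): an unsanitized title becoming stored XSS,
// and the output-encoding that prevents it. Pure functions, so it runs in Node.

// Constructed sample: a post title as a hostile user might submit it.
const SAMPLE_TITLE = 'Weekly thread <script>alert("constructed sample")</script>';

// HTML-escape the five characters that can change parsing context inside an
// element body or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw title is concatenated into markup. Whatever the
// user typed becomes part of the DOM once this string is assigned to innerHTML
// or emitted by a template that does not escape.
function renderTitleUnsafe(title) {
  return `<h2 class="post-title">${title}</h2>`;
}

// Hardened pattern: encode on output so the title is displayed as text only.
function renderTitleSafe(title) {
  return `<h2 class="post-title">${escapeHtml(title)}</h2>`;
}

// Defender-side regression check: does a rendered fragment contain active
// content (a script element or an inline event-handler attribute)? Useful in
// template tests; it is not a substitute for escaping.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// A Content-Security-Policy that would have blunted this class of bug even
// with the template defect present: inline scripts are refused unless they
// carry the per-response nonce. Assumed value with a placeholder nonce.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' 'nonce-<per-request-nonce>'; " +
  "object-src 'none'; base-uri 'self'";

// Render the constructed sample both ways and report what the check finds.
function demo(title = SAMPLE_TITLE) {
  const unsafe = renderTitleUnsafe(title);
  const safe = renderTitleSafe(title);
  return {
    unsafe,
    safe,
    unsafeHasActiveContent: containsActiveContent(unsafe), // true for the sample
    safeHasActiveContent: containsActiveContent(safe),     // false for the sample
    csp: EXAMPLE_CSP,
  };
}
```

The point of `demo()` is that the same input produces markup with a live script element under the unsafe renderer and inert text under the safe one; escaping at output time, applied consistently to every field that reaches the page (titles, alt text, sidebar content), is what closes the "not sanitizing inputs properly" gap, and the CSP is the backstop for the places the escaping misses.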
Jesus, something that simple?? Mastodon has a similar issue with arbitrary file creation. These federated social media platforms need to solve these issues quickly before user confidence plummets and they just move back to the mainstream platforms.
Yeah it is a bit of a mess and frankly makes me regret signing up to an instance a little. Ironically, it seems I somewhat predicted what happened just earlier this week:
At this point, I am honestly not sure about using Lemmy instances until some form of security audit has been done. To be fair to the community, things that are found are quickly fixed, but they seem to be mostly found after the fact. Something I also should have looked into further before trying it out. But given all the coverage of Lemmy I made the assumption (shouldn't have done that) that at least the base architecture of it all was solid, given the number of instances people do spin up and that are popular.
Conspiracy theory: who do you think is behind this?
It's a bit like the old antivirus conundrum. No one needed an antivirus until someone wrote a virus, but did someone write a virus to profit from antivirus?
I don’t think it's anything that insidious. It's not like anyone is making money from this hack from what I know, and there isn’t an opportunity to sell a solution. It's more likely someone just did this for the lulz, given the attention that's being given to Lemmy at the moment.
No idea if it would make sense to share the domain, but the endpoint they exfiltrated the login tokens to had a direct reference to the Ukraine war, and one of the first things they did with their access was to rename the instance to "Israel" and change federation to be allowlist-only with threads.net (along with putting up redirects to lemonparty and telling people the site was taken down "by Reddit"). There may or may not have been some racist slurs as well; can't be bothered to look through the chat logs.
This makes me think even more that it was a bored script kiddie and not a nation-state.
Ah… Now it starts to seem more sussy.. Thanks!
One of the greatest things and worst things about FOSS, the code is available and anyone can review it. Awesome for patches. Awesome for finding exploits, testing privately and then attempting live.
Also, it depends on so many things, from correct configuration of a webserver to the stacks used, and the main one, which is regular maintenance and patch work for whenever a CVE or bug is found. That stuff needs to be implemented quickly, lickety-split, to stop stuff like this happening.
All the big main corps have the same issues, the difference is the closed source nature makes it slightly more difficult to work out the hack.
I hope they get it patched before Lemmy looks like a joke.
It looks like lemmy.world is down. Other instances are still up.
Does anyone else have trouble logging into Beehaw? I came home from work today and tried to log in multiple times on multiple browsers with no success. Even tried signing up with a new name but it just will not let me in LOL!
I cannot even message anyone over there as I am not on discord.
Any suggestions?
Not sure if you're still having this issue, but one of the things they had to do to secure things invalidated session tokens (or something similar). I know I had to delete my cookies/site data before I could log back in.
Yes - I had to delete cookies/cache and everything worked well afterwards!
Thank you!
Did they do a password leak too? Or they just took over it?
I don’t understand Lemmy or “federated” websites. Is security built in or are you hoping that the instance creator had done their due diligence? Using that system frightens me.
Can anyone give a short description on how to use lemmy?
I tried subbing to lemmy.world, and there's a note that posts won't start popping into your feed until you're subscribed, so I waited a bit.
Seems like my Frontpage is filled with a legion of small, very very niche sub forums. I've been dropping in, blocking like 20 forums in a pass, and giving up.
The sheer number of Canada-specific sub forums is astonishing. Like, I get it, it started as Canadian-centric content, and I think it's great that they have a place that's not polluted by US-dominated discussion. But is there a way to just filter all that in one setting, rather than curating constantly like whack-a-mole?
Edit - Never mind, I'm an idiot. I thought the gateway into lemmys was lemmy.ca (first link I found a while ago), and you signed up to federated lemmys through that general UI. Went to https://lemmy.world and this is what I wanted. Mystery solved.
So Lemmy is a little bit like Reddit in format at least. By default, it puts you on the equivalent of r/all. If you want a more curated feed, go to the Communities page (it's on the top right usually) and subscribe to some communities that interest you. You can technically subscribe to communities on your home instance and on instances that your home instance is federated with, but for now the easiest thing is probably to just subscribe to stuff that you see in that communities page that you like and not worry about federation. Once you've subbed to some communities that you like, go back to your main feed and change the view to "Subscribed" instead of "Local" or "All". You may have to go into your account settings to make that your default feed view, I can't remember for sure.
Glad it’s back up. :) I didn’t even notice it was down though. Haha.