• LilDumpy@lemmy.world
    ↑87 · 1 year ago

    Someone is really out to get lemmy.world lately.

    I feel like with every update there is at least one attack.

    • Candelestine@lemmy.ca
      ↑51 · 1 year ago

      We’re having fun and trying to build a positive space. And we have real potential to succeed in growing large. Can you think of a single faster way to attract trolling on the internet?

      It’s a lot more likely than someone like spez taking a break from plundering his company to piss off a modest number of internet randos in some internet corner somewhere, which would barely be a drop in the bucket of his problem anyway.

      The overall effect of this is so small, it almost has to be someone(s) with too much time on their hands. If they had any kind of real power, they wouldn’t be wasting their time on these chump change attacks.

      • sab@kbin.social
        ↑34 ↓1 · edited · 1 year ago

        Honestly, decentralized social media are probably bad news for the current state of the art of disinformation campaigns. The bullshit that has been thriving on Facebook and Twitter is not only a chorus of bigoted aunts and uncles, but (perhaps more importantly) a coordinated attack from state sponsored troll farms seeking, among other things, to destabilise Western democracies.

        The fediverse is, by design, less vulnerable to these attacks. Your trolls can generate activity around your disinformation content all they want: if nobody I follow boosts it, it’s not going to show up in my Mastodon feed. And you can feel free to recreate r/conservative or whatever in the fediverse, but if it becomes a cesspool like on Reddit you’ll be stuck with your trolls talking to each other on a defederated instance with no-one listening. Disinformation strategies currently employed successfully on centralized social media platforms are likely to fail here, causing a problem for bad actors.

        It is probably paranoid to think there’s any geopolitical actor behind the current attack, but I fully expect the fediverse to come under attack from Russian troll farms as soon as they realize they’re no longer reaching out to people on Twitter, Reddit or Facebook.

        • Hot Saucerman@lemmy.ml
          ↑17 · edited · 1 year ago

          a coordinated attack from state sponsored troll farms seeking, among other things, to destabilise Western democracies

          If you don’t think state sponsored troll farms exist in the “West,” I’ve got a bridge to sell you.


          From 2011: US government working on Persona Management “sock puppet” software to flood forums with pro-US talking points

          https://www.theguardian.com/technology/2011/mar/17/us-spy-operation-social-networks


          From 2013: US ally Israel pays Israeli college students to defend Israeli government online

          https://www.usatoday.com/story/news/world/2013/08/14/israel-students-social-media/2651715/


          From 2014: Reddit lists Eglin Air Force base as the most “Reddit Addicted City”

          https://old.reddit.com/r/Blackout2015/comments/4ylml3/reddit_has_removed_their_blog_post_identifying/


          From 2014: Research done at Eglin Air Force Base in 2014 about influence of opinions through “a decentralized potential field-based influence algorithm is developed in this work to ensure that all individuals’ states achieve consensus asymptotically to a desired convex hull spanned by the stationary leaders’ states, while maintaining consistent influence between individuals (i.e., network connectivity).”

          https://arxiv.org/pdf/1402.5644.pdf


          From 2018: Facebook works with Cambridge Analytica to undermine US elections

          https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html


          Can we stop acting like we’re the fucking good guys in this? It’s absolutely fair that there are Russian troll-farms pushing disinformation, but to act like there are only Russian troll farms and they only exist to destabilize western democracies is a fucking joke.

          Last I checked, there are plenty of US conservatives and rich people who want to dismantle democracy and these people own fucking news organizations, we don’t even need to go to Russian troll farms for that horseshit. It’s fucking home-grown. (I mean Musk and Murdoch weren’t even born in America and these two dipshits control some of the biggest names in US media I can think of, and both of these motherfuckers hate democracy. Reddit’s Steve Huffman literally looks up to Musk. Facebook is MAGA central because of Mark Zuckerberg.)

          So let’s stop acting like the phone call isn’t coming from inside the house. When the state-actors show up, it’s gonna be all of them not just some of them.

          • sab@kbin.social
            ↑5 ↓1 · 1 year ago

            You’ll notice I only mentioned Russia once, and not even in the paragraph you cited. The Russian troll farms are without doubt the most famous, and they have backed candidates like Farage, Trump and Le Pen with uncanny success. But it would be incredibly naive to think other actors are not involved with similar strategies, which is why I kept my post general. Steve Bannon has his ties to Russia, but he’s American as apple pie.

          • nekat_emanresu@lemmy.ml
            ↑3 · edited · 1 year ago

            You listed a few interesting things and seemed to miss an important one.

            I might be a bit wrong in what I’m about to say, but the basics are right. Meta released a ChatGPT-like LLM’s source code and had their weights leaked. Their model is named LLaMA.

            People have been messing around with LLaMA-inspired LLMs on their personal computers thanks to Meta for months now.

            Bad actor LLM bots are now a hobbyist level task. The fediverse is showing signs of not significantly caring or trying. Imo, Lemmy instances aren’t ready for this.

            https://ai.meta.com/blog/large-language-model-llama-meta-ai/

          • Serinus@lemmy.ml
            ↑2 ↓4 · 1 year ago

            The US government as a whole, comparatively, are the good guys in this. The US government is pretty cautious and tends to shy away from spreading propaganda to its own people.

            There are a lot of caveats there, absolutely. I’ll get into some of those. But let’s not pretend the US government is on par with the Russian or Chinese governments when it comes to social media propaganda.

            The GOP being in bed with the Russians and collaboratively pushing narratives is not being done on behalf of the government. And I doubt whatever is happening at Eglin is targeting Americans.

            • Hot Saucerman@lemmy.ml
              ↑3 · edited · 1 year ago

              And I doubt whatever is happening at Eglin is targeting Americans.

              I don’t think “not targeting their own citizens” is quite the flex you think it is when it comes to pushing disinformation and misinformation.

      • MeetInPotatoes@lemmy.ml
        ↑9 ↓4 · 1 year ago

        Maybe it was their refusal to take a stance on Meta and Threads? The admins of .ml said it took them 2 minutes to decide to preemptively defederate. .World on the other hand came to an anti-corporate platform and publicly took a position that they would wait and see about federation with Meta.

        It’s like saying “power to the people and viva revolution but we are also remaining open to licking boot depending on the circumstances.”

        • Candelestine@lemmy.ca
          ↑10 ↓3 · 1 year ago

          I do not believe that the Fediverse is an exclusively anti-corporate platform. Its nature is open to all, even corporations, at a technical level.

          Granted, many anti-corporate people came here, but that doesn’t make this a fundamentally anti-corporate place. Just their specific communities.

          I also doubt many serious Fediverse types are that petty and childish. That’s generally a trait of more short-sighted people. Not a lot of native trolls here, we came here in many cases to escape that behavior.

          Is it so strange to think some assholes might just chase us down and bring it to us? What would you do if you were a hate-fueled asshole that wanted to watch the world burn? I’d find nice things and fuck them up, personally. That would be both fun and potentially effective.

          • MeetInPotatoes@lemmy.ml
            ↑6 ↓3 · 1 year ago

            The FOSS alternative to the big corporate controlled social media corps that swallow up smaller social media alternatives is not anti-corporate? Ok.

            • Hot Saucerman@lemmy.ml
              ↑11 · edited · 1 year ago

              Linux runs on something like 90% of corporate servers. Amazon’s AWS runs its own version of Linux and is the largest cloud provider in existence.

              This means, by and large, the labor done on a volunteer basis by random internet nerds to create Linux and all its tools has unintentionally been the largest transfer of wealth created by labor from the working class to the corporate class in fucking history.

              FOSS means anyone can use it for any reason. Including organizations you reasonably fucking hate using it for reasons you fucking hate.

              It’s literally why in the last few years you had maintainers of open source projects sabotaging their own projects when learning what it is being used for, or trying to make “new rules” that don’t allow certain organizations to use their code (pro-tip, if they can access your code, they can use it).

              Only now is the FOSS community waking up to the fact that corporations are using their open ideals to profit off of their labor very handsomely.

              If there’s one thing that capitalism is excellent at, it’s taking valid critiques of capitalism, and then repackaging those critiques and selling them back to the very public that is critiquing them. There’s a reason Meta has already jumped in on ActivityPub, because it’s a new market to exploit.

              The early internet was nothing but counterculture and lack of corporations. Corporations showed up because it was a new market to exploit and they used their largess to dominate the conversation. It happened before, it will happen again.

              • MeetInPotatoes@lemmy.ml
                ↑2 · 1 year ago

                Fully agree with all of that. The difference I see with ActivityPub is that we can say they can use it all they want but we won’t be connecting with them or interacting with their users at all.

                And they honestly probably won’t care, but it makes it clear where the rest of us stand and communicates to current Fediverse users a commitment to stay as free as possible from corporate influence. I felt like there was no room for milquetoast answers to that question.

        • Kabe@lemmy.world
          ↑7 ↓4 · edited · 1 year ago

          The whole point of lemmy.world is that it’s a general, welcome-to-all instance.

          If you want server admins who take overtly political stances and actions on behalf of their users, you have instances like lemmy.ml to choose from.

          • MeetInPotatoes@lemmy.ml
            ↑11 ↓5 · 1 year ago

            I literally left Lemmy.world and stopped recurring donations to switch to Lemmy.ml

            But you’re muddying the waters with a disingenuous argument. They can be open to all individual users without being open to connection with possibly the worst actor in the social media space.

            You’re also mischaracterizing staying free of giant corporate influence as “taking overtly political actions blah blah on behalf of its users” and starting to sound 100% like a corporate shill with absolutely dogshit arguments that only a moron wouldn’t see through.

            Who is worse, Meta or the people who want nothing to do with Meta?

            The answer to that is extremely easy.

            Protecting their users from bad actors is exactly what server admins should be doing as good admins. That’s not political, and go lick boot somewhere else.

            • Kabe@lemmy.world
              ↑4 ↓1 · edited · 1 year ago

              Sounds like you made the right choice for yourself.
              I wish you the best.

              • MeetInPotatoes@lemmy.ml
                ↑8 ↓1 · 1 year ago

                Thank you and you too. I apologize that I didn’t make my point more civilly. I’m an old-ass techie that has seen enshittification ruin just about every new frontier and being noncommittal about keeping them out while we have a chance is, to me, a surefire recipe to have big capital ruin this little experiment in freedom. I think that you just have to study Meta’s history to assure yourself that their intentions are always self-serving and never in the public interest. My incivility is purely because of how strongly I loathe them, not you. Take care.

              • MeetInPotatoes@lemmy.ml
                ↑6 ↓2 · 1 year ago

                I genuinely am. Part of why I hate Meta, Reddit, and Twitter is how callously they treat their users. The reason that I have very little patience for people that stick up for them is that I don’t like bullies or the enabling of bullies. Go take a look at the app permissions required to use Threads and tell me that any “nice” person would think it’s ok to harvest that much data. We are livestock to them.

        • nefonous@lemmy.world
          ↑2 · 1 year ago

          They explained the situation very well, and it’s not exactly as you described it.

          Threads is outside the fediverse now, so there is literally nothing to defederate.

          And they already basically admitted that in case of threads federating, they would defederate.

          It was one of the few instances (if not the only one) to put down exactly what practical problems federating would cause instead of simply taking an ethical stance or regurgitating the usual nonsense EEE argument.

          But people wanted an immediate, strong and ethical stance (which is also understandable), so they didn’t like the wait and they didn’t care about an objective analysis of pros and cons.

          • MeetInPotatoes@lemmy.ml
            ↑2 · 1 year ago

            Yeah, to quote the Joker here “it’s about sending a message.” Doesn’t matter about the technical reality, it just would’ve determined the wording. “If they try to federate with us, we won’t have any of it.”

            I didn’t see them say that though, saw a Mastodon post and an admin thread on .world that specifically said they would wait and see.

            • nefonous@lemmy.world
              ↑2 · 1 year ago

              Yeah, but the admin clarified in some replies that the moderation problems and possibility of receiving ads are already enough to choose to defederate. They didn’t give the absolute certainty but basically made their intentions clear.

              But I agree with you, most people wanted to get a clear message against it and not just a “if that happens we will very likely defederate”.

              I still think both approaches are fine, it’s good to decide by ethics and it’s good to wait and decide by rationality too. No wrong choices, it’s just a matter of preference

        • Anony Moose@lemmy.ca
          ↑10 · 1 year ago

          White hat attackers do not take down infrastructure, that is by definition a black hat act. White hat attackers would merely discover exploits and report them to owners.

  • indigomirage@lemmy.ca
    ↑69 · edited · 1 year ago

    This is a shame. Hosting a high visibility server is no joke, and I don’t envy the admins and the very difficult work they do. It’s simultaneously an argument for and against decentralization. For - a single instance can get knocked out without taking out the whole fediverse. Against - it seems as though high visibility communities are potentially fairly easy to target and take down.

    I think that decentralization wins out here in the end, but it does feel like there may be a need for some sort of fallback mechanism to be in place at an instance/community level. I suspect this might evolve somehow over time. It would require some way to expand trust between instances and or portability of communities (which could be fraught with user trust/data integrity issues).

    If things don’t evolve it could grow into a whack-a-mole game for bad actors, or there might need to be more investment into server infrastructure (which could work against decentralization if only because of economies of scale).

    Or maybe there’s no issue after all? I’m just imagining potential implications of a scaling fediverse - it’s fascinating and exciting stuff!

    Thoughts?

    • db0@lemmy.dbzer0.com
      ↑21 · 1 year ago

      This is the primary reason why I’m ok for my instance to not grow massively. We got 10K people and we have pretty good traffic, without overloading us or making too much of a target. We still get new users since we allow registrations, but the application requirements retain the quality.

      • 6db@lemmy.ml
        ↑5 · edited · 1 year ago

        I’m realizing that I signed up for a probably-at-risk instance (lemmy.ml). I’m quite left but not necessarily an anarchist so it would seem applying to lemmy.dbzer0.com wouldn’t be a good move. (But I did enjoy reading your application requirements!) Recs on other small but reliable instances?

      • indigomirage@lemmy.ca
        ↑2 · 1 year ago

        Absolutely makes sense. If lemmy is going to have any truly large communities though, investment in infrastructure/ops as well as function/moderation will be absolutely needed. (It’s an ‘if’, of course)

        Time will tell how the community will want to lead it.

    • Chozo@kbin.social
      ↑15 ↓1 · edited · 1 year ago

      a single instance can get knocked out without taking out the whole fediverse

      Honestly, it may as well have in this case. LemmyWorld is the de facto “hub” for basically the entire Threadiverse right now. All the major communities are seeing the most activity through LemmyWorld. While I’m subscribed to a lot of communities from other instances, sometimes duplicates of ones found on LemmyWorld, losing LemmyWorld would still mean losing a huge chunk of the content that I’m trying to see.

      I really do wish that more specialized instances would sprout up and that some of these communities could cluster together across multiple pockets of the Threadiverse. I feel like this makes it less likely to lose huge chunks of content, and also makes fewer large targets for somebody to want to attack in the first place.

    • Anony Moose@lemmy.ca
      ↑13 · edited · 1 year ago

      You don’t need to necessarily centralize to defend against DDoS or similar attacks. You can add things like Cloudflare for DDoS mitigations, CDN and maybe something like Kubernetes for horizontal scaling of servers (spin up more servers to handle extended load) transparently behind the scenes. This can also get you the benefits of low geographical latency, so a load-balancer fetches you data from the closest replica of a database geographically, etc.

      Of course, all this adds up in terms of cost, but I think this might be worth it for the largest instances. I suppose that can still be considered centralization.

      If we wanted to encourage many small instances instead, perhaps there could be a transparent load-balancer layer for the fediverse that instances could sign up for, that is managed by a devops group. Alternatively, lemmy could have built-in load-balancing, caching, etc. as part of its codebase that instance operators can set up with their own accounts at Cloudflare, etc.

      • indigomirage@lemmy.ca
        ↑5 · 1 year ago

        Agreed. Ultimately, that’s the point. There are solutions (with ongoing vigilance required) but it comes with an ongoing cost, be it server infrastructure or human resources.

        I think the federated load balancer might be interesting but I expect there are many pitfalls that need to be considered and addressed wrt security, trust and integrity of data.

        Anyway, it’s amazing to see this all grow and evolve.

      • A1kmm@lemmy.amxl.com
        ↑3 · 1 year ago

        Yeah everyone using Cloudflare is definitely centralisation, but maybe a kind of centralisation that allows for easier switching to something else if Cloudflare gets too crazy.

        DDoS is a war of attrition - and the best way to win a war of attrition is to make it cost much more than $1 to make you spend $1, and to be able to outspend the attackers (e.g. the whole community bands together to support the victims against the attacker). I think the best response depends on who is attacking.

        Network level DDoS is likely using stolen bandwidth - but the person directing the attack is probably paying someone for the use of it (i.e. they didn’t compromise the equipment themselves, someone else builds botnets and rents them out). If you can identify what traffic is part of a DDoS, you can track down where it is coming from, and alert the owner of the network where it is coming from, which hurts the person providing the services to the attacker quite a lot. If I have a reputation of: if you attack me for someone else, I’ll cost you a significant part of your business that will take you months to build back up, then you are not going to offer that service cheaply, or even at all.

        Application level DDoS usually relies on amplification of cost - I do something relatively inexpensive (like send a packet opening a connection), and it makes you do something really expensive involving databases, disk IO etc…; a good mitigation is to redesign the API to flip that on its head, so you do something expensive, and I do something relatively cheaper for you. There is an open issue about using Hashcash to do just that at: https://github.com/LemmyNet/lemmy/issues/3204 - the downside is that it forces users (even on mobile devices) to use more compute / power for every request to Lemmy, but I think there is a balance that can be struck there where it isn’t too bad for users, but makes that type of attack infeasible.
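
The cost-flipping idea in the comment above, as an added Python example that is not part of the thread or of Lemmy's code base: a hashcash-style gate where the client spends about 2^bits hashes per request and the server checks it with one HMAC and one SHA-256. The `PowGate` class, the challenge layout and the 16-bit default are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, bits: int) -> int:
    """Client side: brute-force a counter, about 2**bits hashes on average."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


class PowGate:
    """Server side (hypothetical): issue signed challenges, verify cheaply."""

    def __init__(self, bits=16, max_age=120):
        self.secret = os.urandom(32)  # per-process key, never sent to clients
        self.bits = bits              # work factor demanded from the client
        self.max_age = max_age        # seconds a challenge stays valid
        self.spent = {}               # challenge -> expiry, blocks replays

    def _tag(self, body: str) -> str:
        return hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, client_id: str, now=None) -> str:
        """Challenge = client id, timestamp, random nonce, HMAC over all three."""
        ts = int(time.time() if now is None else now)
        body = f"{client_id}:{ts}:{os.urandom(8).hex()}"
        return f"{body}:{self._tag(body)}"

    def verify(self, challenge: str, counter: int, client_id: str, now=None) -> bool:
        now = int(time.time() if now is None else now)
        # Spent challenges that have expired no longer need to be remembered.
        self.spent = {c: exp for c, exp in self.spent.items() if exp >= now}
        parts = challenge.rsplit(":", 3)  # client id may itself contain ':'
        if len(parts) != 4:
            return False
        cid, ts, nonce, tag = parts
        expected = self._tag(f"{cid}:{ts}:{nonce}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False  # not issued by this server, or modified in transit
        if cid != client_id or not 0 <= now - int(ts) <= self.max_age:
            return False  # bound to another client, or expired
        if challenge in self.spent:
            return False  # one solution pays for one request only
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) < self.bits:
            return False  # the claimed work was not done
        self.spent[challenge] = int(ts) + self.max_age
        return True


if __name__ == "__main__":
    gate = PowGate(bits=16)
    ch = gate.issue("203.0.113.7")  # constructed client address
    start = time.perf_counter()
    answer = solve(ch, gate.bits)
    print(f"client solved in {time.perf_counter() - start:.3f}s")
    print("server accepts:", gate.verify(ch, answer, "203.0.113.7"))
```

Each extra bit doubles the client's expected work while the server's check stays constant, which is the balance between mobile users and attackers that the comment refers to.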

    • bastion@lemmy.fmhy.ml
      ↑7 · edited · 1 year ago

      I think this might be interesting:

      • permit separate, low-traffic, highly rate-limited, auth-only servers. They would be strictly rate-limited and only accept connections from whitelisted partner servers, because they only handle auth.
      • any partner server can authenticate a user and handle content for the server/auth-server pair, but only does so under certain conditions (determined by the partner - all the time, when ping api call > n seconds, or manually, for example)
      • user@lemmy.world can’t log in, so the client tries the list of partnered servers. user succeeds at lemmy.partner.net.
      • user@lemmy.world@partner.net says… ‘…something’ and all other servers accept it as being from user@lemmy.world
      • lemmy.world recovers, and claims all of the @lemmy.world@partner.net posts. Partners then forget the extra stuff they’ve been hosting.
      • Calcipher@lemmy.ml
        ↑5 · edited · 1 year ago

        The problem with these types of redundancy schemes is that it simply takes an Internet backbone hiccough (or AWS fuck up) to cause there to be multiple primaries (i.e. lemmy.world is online still, but some portion of the internet can’t see it, so a replica promotes itself to primary, people use both, how do you reconcile it).

        This is not even beginning to talk about the nightmare scenarios possible if someone hacks a replica.

        Edit: Still, this is a good thought and similar to how some actual software packages do things.

        • bastion@lemmy.fmhy.ml
          ↑3 · 1 year ago

          A lot of those issues of ‘multiple primaries’ can be resolved with intelligent data types and actions. That is, if we have a notion of how the data is organized, a lot of decisions can be made a priori. Ones that can’t can be read-only during a split.

          Comment groups are mergeable sets. Any unique comment is a valid comment.

          For any individual comment, any tombstone causes a comment to be unseeable (and ideally be deleted). Any edits are latest-wins.

          A lot can be sorted out that way - enough to be usable. Some databases even support that on a db level.
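
The merge rules described above (comments as a mergeable set, tombstones that always hide, latest-wins edits), as an added Python example that is not part of the thread: two replicas that diverged during a split converge to the same state whichever way they are merged. The `Comment` fields, the server names and the sample data are constructed for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Comment:
    comment_id: str        # globally unique, assigned when the comment is created
    author: str
    body: str
    edited_at: int         # timestamp of the last edit
    origin: str            # server that accepted the last edit (tie-breaker)
    deleted: bool = False  # tombstone


def merge_comment(a: Comment, b: Comment) -> Comment:
    """Latest edit wins; a tombstone on either side is sticky."""
    # The tuple key makes ties deterministic, so both servers pick the same winner.
    winner = max(a, b, key=lambda c: (c.edited_at, c.origin, c.body))
    return replace(winner, deleted=a.deleted or b.deleted)


def merge_threads(left: dict, right: dict) -> dict:
    """Set union keyed by comment id: any unique comment is a valid comment."""
    merged = dict(left)
    for cid, comment in right.items():
        merged[cid] = merge_comment(merged[cid], comment) if cid in merged else comment
    return merged


def visible(thread: dict) -> list:
    """Comments a reader may see: everything without a tombstone."""
    return [c for _, c in sorted(thread.items()) if not c.deleted]


# Constructed sample: state of one thread on two servers after a network split.
WORLD = {
    "c1": Comment("c1", "alice", "first", 100, "lemmy.world"),
    "c2": Comment("c2", "bob", "typo", 110, "lemmy.world"),
    # Edited on the primary after the partner had already removed it.
    "c3": Comment("c3", "carol", "edited spam", 150, "lemmy.world"),
}
PARTNER = {
    "c2": Comment("c2", "bob", "fixed typo", 130, "partner.net"),
    "c3": Comment("c3", "carol", "spam?", 120, "lemmy.world", deleted=True),
    "c4": Comment("c4", "dave", "posted during outage", 140, "partner.net"),
}

if __name__ == "__main__":
    merged = merge_threads(WORLD, PARTNER)
    for c in visible(merged):
        print(c.comment_id, c.author, repr(c.body))
    print("same result in either order:", merged == merge_threads(PARTNER, WORLD))
```

Latest-wins depends on comparable timestamps across servers, so clock skew between the primary and a partner decides which edit survives.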

    • vd1n@lemmy.ml
      ↑1 ↓1 · edited · 1 year ago

      Can’t post to op… But… Somebody’s just scared.

    • Overzeetop@lemmy.world
      ↑6 · 1 year ago

      Big target. Either that or the butt wipe that was denied his Reddit username and started creating random long named communities.

      I just sort of assumed we’d all get accounts in 2-3 instances so if one goes down we can still participate elsewhere.

  • LilDumpy@lemmy.world
    ↑8 · 1 year ago

    Someone is really out to get lemmy.world lately.

    I feel like with every update there is at least one attack.

  • RxBrad@lemmy.world
    ↑8 ↓4 · edited · 1 year ago

    No doubt Threads-related…

    Quite a few people on here really go off-the-rails when it comes to .world not coming out and outright blocking it before it’s a thing. (while also forgetting it affects Mastodon, and not-so-much Lemmy)

        • Lemdee@lemmy.world
          English · ↑2 · 1 year ago

          Idk, must be resolved because I’m on the mobile browser for lemmy.world and it’s fine 🤷

    • LilDumpy@lemmy.world
      ↑3 · 1 year ago

      Ya. I’m still logged in through the Liftoff app and able to post. Idk why my first comment on this post was duplicated though.

    • czech@kbin.social
      ↑11 · edited · 1 year ago

      I knew which user this was immediately after reading the comment. Check out their post history, all they do is shit on the fediverse. Why are you here if it’s so terrible? Hmmm…

    • DaniAlexander@kbin.social
      ↑3 · 1 year ago

      Wow. Yeah, I regret reading your history as suggested by @czech. I’m really sorry for whatever is making you such a miserable person. It must be awful. I sincerely hope things get better for you.

    • MeetInPotatoes@lemmy.ml
      ↑4 ↓1 · 1 year ago

      Just once, when I saw a post here linking to a Reddit post with all the backlash from ending awards.

      I wanted to tell them all to abandon the sinking shithole of a ship that is Reddit and come to the Fediverse. Wasn’t worth making an account over though, they’ll figure it out.