You take a photo of a document (e.g. a passport or driving licence)
It is checked digitally to confirm it is genuine
You take a photo or video of yourself which is matched to the one on the document

In this case it would be the British government that already has my passport and driver license photos stored digitally so this would just be to validate a digital login as a real person.
I started using complex fiber supplements (as in whole dried ground foods with multiple sources and types of fiber) about a month ago, honestly life changing, cannot recommend enough.
No, but how could it? Let’s say Feddit.dk receives a Like from mastodon.social. Then Feddit.dk would have to tell the other instances that mastodon.social sent that Like. But how can Feddit.dk prove that the Like actually did come from mastodon.social, i.e. it is not just a fabricated Like that Feddit.dk made up and hid by pretending it came from mastodon.social. That’s not easy.
This is in fact how Feddit.dk knows that the Like came from mastodon.social at first. The problem is that the signature is an HTTP Signature which is only associated with the HTTP request that mastodon.social makes to Feddit.dk. It is not on the Like object itself. Thus that signature can’t be transferred to the Like object if Feddit.dk wanted to share it further.
There’s not such a thing as a “Lemmy style” upvote. It’s all Like objects under the hood shared via the ActivityPub protocol. But ActivityPub has no mechanism for sharing an activity further than the original receiver (i.e. forwarding from A to B to C and so on). It’s really only made for direct sharing from A to B.
Additionally, if an object is addressed to the Public special collection, a server MAY deliver that object to all known sharedInbox endpoints on the network.
This requires implementing sharedInbox support, but I believe this should permit federating any content of choice to any server.
That would still be directly from one server to another server. I.e. from A to B and from A to C. But forwarding is a different matter, i.e. A sends something to B which sends it further to C. There’s complications with signatures and verification in that case and it’s less clear how to handle that.
Unfortunately it is not that easy. It’s not Mastodon that places the signature like that, it is the ActivityPub protocol. Lemmy, Mastodon and all other ActivityPub instances do it this way. You’d need to extend or change the protocol to somehow fix this. That is not easy and not something that will be done overnight.
Of fucking course they did it that way. If I were to hack something together u could also just quote the entire request signature and all and forward it.
But surely the receiving server could validate that signature by verifying the existence of the received activity (by asking the origin server for the object referenced and validating the signature).
If like objects are distributed in URL form, this is already how it works. The extra load wouldn’t be fun, for sure, but the lack of an embedded signature makes it very easy to falsify anything on the Fediverse.
Lemmy doesn’t do it currently. It blindly trusts communities to not lie to people. I just found out about this myself.
In theory the JSON body could include all the necessary information to validate a signature and the signature itself. Then, a simple HEAD request could validate the contents without having to re-download everything, and users’ public keys could be cached to minimise HTTP requests necessary.
If you have a signature you can also sign the contents, so you wouldn’t need to download the content. But AFAIK ActivityPub has no mechanism for including signatures in objects as it is right now. There’s only HTTP signatures, which aren’t on the object itself.
The like is an activity. Any activity has an actor. Every actor has a public key. If the activity is sent with a cryptographic signature (like LD signatures, which Mastodon does implement) then any one can verify that the activity is legit.
I seriously doubt Lemmy currently does any validation whatsoever. There were communities using this blatant security issue for non-malicious purposes (see endlesstalk.org/c/[email protected], which re-wrote posts from people (which is only possible if the posts weren’t validated, or at least re-fetched from their origins)).
There is a way to re-share and validate remote activities, either through LD signatures (ew, JSON-LD processing :vomit:) (which only Mastodon and Misskey implement) or the newfangled FEP-8b32 Object Integrity Proofs (which nobody relevant on the microblogging space implements).
There were communities using this blatant security issue for non-malicious purposes (see endlesstalk.org/c/[email protected], which re-wrote posts from people (which is only possible if the posts weren’t validated, or at least re-fetched from their origins)).
The reason this is possible is because of the way Lemmy federates activities.
When you on instance A post, comment or upvote something in a community on instance B, your instance sends the activity to instance B, regardless of the instance of who you’re replying to or upvoting. It is sent to the community, and the community then shares it out to all other instances. AFAIK, Lemmy does nothing to verify that received content from a community actually comes from the original instance. See here for one of the main Lemmy devs commenting on this.
Is this secure or reasonable? I’m honestly not sure but it doesn’t feel great. Signatures on objects could fix this I think.
Instead of sending the entire object embedded in the activity the secure way would be to only send the URI instead. This is permitted by JSON-LD.
In the receiving side, if the object is untrusted (i.e. if it isn’t signed or if it’s from a separate authority from the parent object containing it) it should be thrown away and the id should be fetched from the remote instance directly (same as it would happen if it was a URI instead of an inline object). This is completely an oversight on Lemmy’s implementation and not a protocol problem.
Yeah, that is a shortcoming of the protocol. But it’s necessary in order to be secure until things improve (and given this is AP, that’s gonna be a while. People seem to love bikeshedding in circles instead of doing actual work)
and given this is AP, that’s gonna be a while. People seem to love bikeshedding in circles instead of doing actual work
Out of curiosity, what do you mean by this? Any examples? I’ve not followed the development of AP very much at all honestly so I don’t know the history.
this issue is a blocker for mastodon not supporting filtering remote posts by words (which would’ve helped with many spam attacks, which the pleroma family supported just fine for a WHILE via MRF, and more recently misskey has added support for)
if you go to socialhub you’ll find MANY threads of reasonable ideas that are in json-ld representation bikeshed hell as people unnecessarily debate over which exact json-ld representation of the same exact data is the most correctest. the most infuriating recent ones i have seen is the emoji reaction fep discussion and FEP-fb2a: Actor metadata both of which does this bullshit ON FEATURES ACTIVELY FEDERATING RIGHT NOW, where changing it would BREAK BACKWARDS COMPATIBILITY
I recently started looking at socialhub actually. I have even participated in that emoji reaction thread you linked, but I only joined the site recently.
Honestly, I’m a bit confused by the site. There’s kind of a lack of direction in a sense? Everyone is trying to extend the protocol in various different ways and it seems difficult to achieve alignment and agreement. I guess that is to be expected in a decentralized system but still.
you’ll find MANY threads of reasonable ideas that are in json-ld representation bikeshed hell as people unnecessarily debate over which exact json-ld representation of the same exact data is the most correctest
What’s the alternative though? I mean nobody has the authority to put their foot down and decide. I agree that the debates go on for way too long, but how else do we find alignment? Then again, the long discussions definitely exhibit a kind of selection bias - only the people who are pedantic enough to keep discussing will do so. Everyone else naturally just gets tired of the whole thing and leaves.
It’s weird but it almost feels like the fediverse needs a benevolent dictator to kind of get an overview and set a clearer direction, when it comes to the standards.
this bullshit ON FEATURES ACTIVELY FEDERATING RIGHT NOW, where changing it would BREAK BACKWARDS COMPATIBILITY
But these features were totally non-standard extensions right? You can’t expect such things to continue being compatible as the actual standard evolves. It would also be a neat way to strong-arm the standard - just implement an extension in the way that you want it to work and now the standard has to keep your version compatible. That wouldn’t be good. Just because there exists a non-standard implementation does not mean it should be able to dictate how stuff should be done.
But these features were totally non-standard extensions right?
that’s the thing, everything in activitypub is a non-standard extension. hashtags are an extension. post visibility the way it’s commonly done is an extension (more like a convention in that it doesn’t introduce anything new, but still not written down anywhere official), the concept of an un-locked account is a convention (and the marker that marks an account as locked is an extension). pinned posts, marking images as sensitive, they’re all extensions
(surprisingly, this is the second time i’m writing this exact thing today)
It’s weird but it almost feels like the fediverse needs a benevolent dictator to kind of get an overview and set a clearer direction, when it comes to the standards.
this has historically been mastodon. and they have put themselves in such a place that anything they do not approve of gets seen as a “nonstandard extension” and anything they approve of gets seen as a part of the standard. see the above reply.
edit: additionally, emoji reactions are federated by the SECOND MOST POPULAR free/open AP software and has implementations in at least 5 other software families (not just forks of one software, entire software families). if they cannot determine a de-facto standard but mastodon can, is AP really an open standard?
Yea I see what you mean. How do we solve this though? I mean let’s say you were to redesign the protocol from scratch. Do you just need to include all these things into the protocol from the start? That’s a lot of features and considerations to make. An extensible protocol might be for the best? But it does bring a lot of complexity… I’m really not sure.
this has historically been mastodon. and they have put themselves in such a place that anything they do not approve of gets seen as a “nonstandard extension” and anything they see gets seen as a part of the standard. see the above reply.
Yea this is problematic, especially because this pulls AP into a more microblogging-oriented direction, at the expense or at least disregard of all other use cases. I would not call this a benevolent dictator - that’s just a regular dictator.
(surprisingly, this is the second time i’m writing this exact thing today)
Yeah lol, I can’t help but laugh every time I see the mod’s replies in this thread. I don’t understand shit about his train of thought, I don’t know if he is in denial or was surprised most people didn’t end up aligning with his bias and is in damage control replying nonsense.
I apologize if this thread was misunderstood. Perhaps I was not clear that this was meant for improvements, it is not a vote on removal. Should that vote ever happen, the post would be clear about that.
All of my questions were only seeking to gain more information about people’s feelings. I apologize if it came off as a promise to enact anything in particular or an endorsement of any particular stance on the bot.
Yes, you’ve been very clear from the start that you do not want to remove the bot. However, the feedback you’ve consistently received is that it provides no benefit, is misleading, reductive, and the best improvement you could make would be to remove it. You don’t seem willing or able to respond to that.
Correct, I am unable to supersede admin decisions as a mod. I am here collecting feedback on improvements. Again, I am looking for feedback on improvements, as the decision to remove the bot is not in my control.
I feel as though the admin team and mods have never truly developed a product for market as they seem incredibly desperate to cling to whatever this bot is to become.
In any case, that thread just points to further team discombobulation and a poor handling of user wants and desires.
We’re not developing anything for market and had no role in creating or implementing the bot. Also we have full time jobs, are volunteering our time, and had to convene to review the pros and cons. If you think you can run things more smoothly, you are welcome to join the team and contribute time and energy to the effort. Don’t expect users to show any gratitude though.
Remove MBFC? Yes, that’s part of the discussion and the point of this post. The struggle seems to be over the API, but I’d love to have suggestions to bring to the rest of the team. As I have said multiple times, it is not my decision to remove the bot, I’m simply here for suggestions that the rest of the team would be open to.
It’s a team decision and I am the newest mod on the team. The main developer of the bot is an admin, who ultimately would be the one to implement any changes.
Who fact-checks the fact-checkers? Fact-checking is an essential tool in fighting the waves of fake news polluting the public discourse. But if that fact-checking is partisan, then it only acerbates the problem of people divided on the basics of a shared reality.
This is why a consortium of fact-checking institutions have joined together to form the International Fact-Checking Network (IFCN), and laid out a code of principles. You can find a list of signatories as well as vetted organizations on their website.
MBFC is not a signatory to the IFCN code of principles. As a partisan organization, it violates the standards that journalists have recognized as essential to restoring trust in the veracity of the news. I’ve spoken with @Rooki about this issue, and his response has been that he will continue to use his tool despite its flaws until something better materializes because the API is free and easy to use. This is like searching for a lost wallet far from where you lost it because the light from the nearby street lamp is better. He is motivated to disregard the harm he is doing to !politics, because he doesn’t want to pay for the work of actual fact-checkers, and has little regard for the many voices who have spoken out against it in his community.
By giving MBFC another platform to increase its exposure, you are repeating his mistake. Partisan fact-checking sites are worse than no fact-checking at all. Just like how the proliferation of fake news undermines the authority of journalism, the growing popularity of a fact-checking site by a political hack like Dave M. Van Zandt undermines the authority of non-partisan fact-checking institutions in the public consciousness.
Our methodology incorporates findings from credible fact-checkers who are affiliated with the International Fact-Checking Network (IFCN). Only fact checks from the last five years are considered, and any corrected fact checks do not negatively impact the source’s rating.
Just like every good lie has a little bit of truth in it, MBFC wouldn’t be able to spin its bullshit as well without usurping the credibility of real fact-checking organizations.
You seemed to care passionately about IFCN fact-checkers doing the fact-checking. It turns out that MBFC agrees with you. Your (feigned) concern has been completely addressed in just the way you’d hoped. A person making that argument in good faith might say, “Oh! Maybe this is a better resource than I thought it was,” or maybe, “I should probably apologize to Rooki for harassing them about something I appear to have just made up.” Instead you just spin it into some other nebulous bullshit and move the goal posts. If you’re not careful, people might begin to suspect that you’re starting with the conclusion and working backwards.
Sorry, no mea culpa. Let me elaborate. Van Zandt claims to value IFCN fact-checkers in his ratings, then he uses that laundered credibility to gatekeep minority and politically inconvenient voices. Here’s a recent example brought to my attention.
It should be noted that despite no non-partisan fact checkers being listed on MBFC’s site as raising concerns about The Cradle’s credibility, Van Zandt has arbitrarily placed it in the “Factual Reporting: Mixed” and “Credibility: Medium” categories. The concerns he posits about The Cradle’s “lack of transparency, poor sourcing,” and one-sidedness clearly apply to the weird right-wing guy who makes these opaque decisions about journalistic value.
If IFCN fact-checkers have issues with sources he’d like to denigrate, he’s happy to list them even if they’ve since been resolved. But they don’t make up the central criteria for his ‘methodology’ as he’d like you to believe. Meanwhile he’s free to make unreferenced claims about the credibility of others that uncareful readers take completely at face value.
All the concerns I have about The Cradle’s credibility have been developed in spite of MBFC, which is the opposite of what you want if your goal is accountability and media literacy. And thanks to their reliance on this charlatan, LW!news have recently punted what I think is a valuable report.
If you think being an unrepentant liar is good for your cred, fill your boots, I guess.
It should be noted that despite no non-partisan fact checkers being listed on MBFC’s site as raising concerns about The Cradle’s credibility, Van Zandt has arbitrarily placed it in the “Factual Reporting: Mixed” and “Credibility: Medium” categories. The concerns he posits about The Cradle’s “lack of transparency, poor sourcing,” and one-sidedness clearly apply to the weird right-wing guy who makes these opaque decisions about journalistic value.
'I don’t understand how it works so it’s stupid!'
The Cradle is a rag that’s been banned by Wikipedia for publishing conspiracy theories and for (gasp!) poor sourcing.
If you had read their methodology, you’d know that MBFC wasn’t being arbitrary as lack of transparency and the impact are clearly defined:
A source is considered to lack transparency if it fails to provide an ‘About’ page or a clear description of its mission. Transparency is further compromised if the ownership of the source is not openly disclosed, including the identification of the parent company and key individuals involved. Additionally, the absence of information about major donors, funding sources, or general revenue generation methods contributes to this lack of transparency. It is essential for the source to at least disclose the country, state, or city of operation and the name of the person responsible (such as the editor). While providing a physical address is not mandatory, meeting some of these transparency criteria is important. Inadequate transparency typically results in the source’s factual reporting rating being reduced by one or two levels, depending on the extent of the shortfall.
Credibility Levels:
High Credibility: A score of 6 or above.
Medium Credibility: A score between 3-5 points. Sources lacking an ‘About’ page or ownership information are automatically rated as Medium Credibility.
Low Credibility: A score of 0-2 points. Sources rated as Questionable, Conspiracy, or Pseudoscience are automatically classified as Low Credibility.
The Cradle lacks transparency as they do not disclose ownership. The domain is registered in the United States.
Who could’ve seen that rating coming?
Methodical is the opposite of arbitrary. The reason it seems arbitrary to you is that you don’t understand it. As a bare minimum to be critical of MBFC you should understand how it works, understand their methodology, and probably have read their Wikipedia page. Bonus points for seeing what high quality research says about them (spoiler alert: it says you’re wrong). You’re demanding that people take very seriously your misinterpretations and assumptions about something you don’t understand. How is that a reasonable request?
Thanks, this was a very informative comment. I assume none of the IFCN signatories have a free API? Just asking since you seem pretty well versed on this
More than half of these occurred in a community you moderate. Do you approve of this use of the term ‘spamming’ to silence criticism?
Exposing a free API for anyone to use is not typical trade practice for respectable fact-checking operations. You may be able to get free access as a non-profit organization, and that may be worth pursuing. On the other hand, there’s a fundamental problem in the disconnect between the goals of real fact-checking websites and the kind of bot you are trying to create.
Thanks, that tip about being a non-profit is a good suggestion. Do you have any specific fact checkers in mind?
In terms of the comments, they look like they are off-topic. There are support communities within Lemmy.world that would be more appropriate places to post concerns. Or even other communities focused on things like Lemmy drama and similar topics like that. But copy/pasting the same comment on multiple threads? Doesn’t matter what you’re saying, we’ll delete it as spam. Done it many times myself, even if I didn’t delete your comments in particular.
This is not a case of copy/pasting the same comment in multiple threads. Please look closer at the comments and the reports. One comment is repeated once, but that is due to it being topical to MBFC’s take on the BBC, and both articles were from the BBC.
Also, I’m alarmed you consider contextualization of MBFC in comments that reply to the Bot as ‘off-topic.’ The Bot created the topic of MBFC’s credibility by linking to it as an authoritative source. If a comment about the credibility of the BBC in reply to an article published by the BBC is on-topic, then a comment about the credibility of MBFC as a reply to a review published by MBFC is also on-topic.
A lot of the suppositions are done with impossible to happen stuff, like the sun literally disappearing, or collapsing into a blackhole with no added mass (a sun mass blackhole would be stable, but I don’t know how one could be created).
If it disappeared, then we’d still even feel gravity for those 8 mins, as the effect of gravity propagated at the speed of light. If it somehow magically became a black hole, we’d still orbit it the same even after 8 mins, but losing all the heat would eventually kill us.
The expected explosion wouldn’t be what makes the earth uninhabitable either. The sun increases in luminosity by ~1% every 100 million years, and it’s estimated that between 700 million and 1.5 billion years the surface of the planet will be too hot for liquid water. An astronomer also says photosynthesis would be impossible in 500-600 million years.
When someone doesn’t understand a process and asks “can’t you just do XYZ?” Usually management. “Just” is actually a 2 week project and tons of hours and troubleshooting.
I’m currently in a software development project which was handed over to a different department with little software development expertise, and fucking hell, I hear this so often.
Can’t you just run the tests against a database like normal? Why do you need to automate the setup of this database? (I do not know what “normal” means, they did not elaborate.)
Can’t you just switch over all the code to go directly against the database rather than also supporting in-memory. And then five minutes later: Can’t you just hook up the database connection where we need it and use in-memory for the rest?
Like, I’m trying to appreciate the critical questions, because hey, maybe there is something I’m missing. But always this “just”, and them being dissatisfied when you tell them it doesn’t make sense or would be more work, that’s what kills me.
If you paywall publication and peer-review, you suppress a huge amount of science that doesn’t have the kinds of checks that corporate sponsorship and review introduce. This means studies of things like the dangers of CFCs, smoking, microplastics, thalidomide, and countless other things that’ll kill you will never see the light of day.
Honestly it’s crap like this, and the constant need to write grants, worry about funding, and crank out papers like there’s no tomorrow is why I ended up just going into industry instead.
Don’t get me wrong, I love science and scientific advancement, but the current system of publishing is super broken. What if you’re a civilian researcher who doesn’t have access to the big name journals? Well then be prepared to pony up $50/article.
It’s been a while since I used a Kindle but AFAIK it’s still this - using Calibre + the deDRM plugin. I don’t know if linking directly to stuff here is OK so just do an internet search for github noDRM deDRM_tools and you should find the plugin you need for Calibre.