Since usernames are only unique to the instance they’re created on, what’s to stop someone from creating a copycat username in order to impersonate another user?
Mastodon has a sort of lightweight verification which just signifies that you are to some degree in control of the URLs linked to in your profile. So for example, if you have your own domain or something that people associate with you, then you can use that in your profile to show that it’s you. Of course, that depends on that domain meaning something to the end user, and the end user being savvy enough to, for example, know that someone could get the .com version of your .net domain, etc. etc.
We’re installing a new app on a secure network. The vendor has requested we allow access to gstatic.com. That seems overly broad to me and unsafe. Thoughts?
Gstatic.com is a domain owned by Google that serves as a content delivery service that caches all unchanging files in a server near the user to reduce load times. It is used to load content from Google’s Content Delivery Network (CDN) and store static data like JS libraries, stylesheets, and images. Gstatic.com also verifies connectivity to the internet for Chrome browser and Android devices. Google hosts its static content on a specific server called Gstatic to reduce bandwidth usage and deliver the content faster. Gstatic.com also allows users to embed Google Maps images on their web pages without requiring JavaScript. Gstatic.com is not a virus, but security software may display pop-ups about it.
With all the current discussion about the threat that Instagram Threads has on the Fediverse and that article about how Google Embrace Extend Extinguished XMPP, I was left very confused, since that was the first time I’ve heard that Gchat supported XMPP or what XMPP actually is, and I’ve had my personal Gmail since beta (no,...
I was quite involved in XMPP, not from the very start, but quite early. At first its biggest strength was 'transports' – gateways to other, proprietary, instant messengers. Having a Jabber (that is what it was called there) account allowed one to talk to ICQ and AIM users. This is what pulled first users and allowed the network to grow. The protocol being open and network being federated appealed to various nerds, for whom it became the IM network of choice. Especially when they could use it to talk to friends and family on other networks.
I wrote a Jabber transport for the most popular instant messaging platform in my country. It became a 'must have' component of any Jabber/XMPP server here. And some major local commercial internet services would start their own XMPP services – finally they had some means to compete with the monopolist. For me it was my '5 minutes of pride' – my little piece of open source software would be used by thousands of users, though most unaware of that. I have also written a Python library and a text client for XMPP.
Then Google joined and Facebook started considering it. It seemed like XMPP would become 'the SMTP of instant messaging' – the real standard which will end closed proprietary communicators. But things didn't go well. Google would often ignore the agreed protocol, change it a bit, while still declaring full support. XMPP development would slow down, as everybody wanted the protocol to be agreed with Google, but Google just made some small improvements on their side without sharing details or participating in building XMPP specifications.
Federation with Google would become more and more unreliable. Sometimes it would work, sometimes not. Google Talk, GMail Chat, Hangouts seemed to be the same thing and not the same thing at the same time; it was a mess. Then Google pulled the plug. Then every smaller commercial provider did the same – there was no point in keeping the service when more than half of the contacts disappeared.
I felt betrayed by Google (it really felt like a 'non-evil' corporation back then). But that was not what killed XMPP for me.
I would have fewer and fewer people to talk to via XMPP, not just because of Google. Other networks my Jabber server was linked to became more and more irrelevant (anybody using ICQ, AIM or GG now?). Nerds that used XMPP left it because of losing contacts in other networks, or just moved on to Discord (yeah… nobody seems to notice it is proprietary too). I would still use XMPP for family communication, but there was the spam…
Oh… the spam. I would get over a hundred messages (or contact requests), mostly in Russian, offering me bitcoins or cracked software. They would come from many different accounts and domains. Often from 'legitimate' XMPP servers. And there were no means to reliably block it. The XMPP protocol had no proper means to handle illegitimate traffic. XMPP servers and clients had little spam-fighting measures. The spam made XMPP unusable for me, so I shut down my server too. I guess that could also be a major reason for some commercial services to de-federate. I think USENET was killed by spam and no effective moderation too back in the day.
Then my wife convinced me to bring it back. XMPP is again and still my primary communication platform for family chat. A private server with four accounts. Practically blocked from outside. We use it because it has proven to be the most reliable thing and independent from the big corporations. Even Signal was inferior to that (no proper desktop/web clients, sometimes messages would be delayed even by hours, then it even stopped being convenient when they dropped SMS support).
Let me preface by saying, I would love to hear counter points and am fully open to the fact that I could be wrong and totally out of touch. I just want to have some dialogue around something that’s been bothering me in the fediverse....
The cycle of social tech becoming mainstream and conversational norms being dragged down to a least common denominator predates modern social media. The earliest example I can think of is Usenet (newsgroups):
During the 1980s and early 1990s, Usenet and the Internet were generally the domain of dedicated computer professionals and hobbyists; new users joined slowly, in small numbers, and observed and learned the social conventions of online interaction without having much of an impact on the experienced users. The only exception to this was September of every year, when large numbers of first-year college students gained access to the Internet and Usenet through their universities. These large groups of new users who had not yet learned online etiquette created a nuisance for the experienced users, who came to dread September every year. Once ISPs like AOL made Internet access widely available for home users, a continuous influx of new users began, which continued through to 2015 according to Jason Koebler, making it feel like it is always "September" to the more experienced users.
It's the same cycle. Social tech starts off being used by a smaller number of technically inclined people. Communities are smaller and normalized civility is more commonplace. Peer pressure holds people to those norms. Once a social tech balloons from mainstream interest, the norms (or zeitgeist if you prefer) shift toward the incoming population because they outnumber the early population and exert more peer pressure. The new norms become a compromise between the norms of the incoming mob and what the community moderators are willing/able to enforce.
It's tempting to put labels on an incoming demographic and use it in a derogatory way, but removing the label from the equation doesn't change the source of unhappiness; the memory of what once was and the knowledge that it can't last when cultural dilution sets in.
(no, I'm not providing any solutions to the problem, this is just rambling that might provide more insightful people with a starting point)
They’re defederating smaller entities because the network got consumed by corpos. And abuse, but lots of that comes from big services and they don’t defed those.
It’s tempting to believe the email issue really is some conspiracy to keep the little guy down, but it really is just that a new domain, with low volume, is a strong signal for abuse. That is true with or without trouble from Gmail, Yahoo, etc. If you wrote a machine learning algorithm to find spam, your ML would come to the same conclusion. There’s no obvious solution to that.
Fediverse instances aren’t just providers, they’re communities.
Just like email list serves. Should a listserv block gmail subscriptions? I would again argue not.
This is in essence what FB/Meta is doing, all the time, except it’s not individual spam, it’s an algorithmically backed manipulation mechanism using its users as tools ^.^
Presumably people using Threads want that. Or they’ll tolerate it.
Presumably people using Threads want that. Or they’ll tolerate it.
They will do it to us, not just Threads users.
Fediverse instances aren’t just providers, they’re communities.
Just like email list serves. Should a listserv block gmail subscriptions? I would again argue not.
It’s more like email lists blocking people from other email lists. If there is a massive email list that has continually and specifically coordinated to destroy or consume other email lists and spent massive resources learning specifically how to do this via social manipulation, yes, I would think blocking people from that email list is a very good idea ^.^
It’s tempting to believe the email issue really is some conspiracy to keep the little guy down, but it really is just that a new domain, with low volume, is a strong signal for abuse
Perhaps if it wasn’t already corporate agglomerated, this wouldn’t be so true. But fediverse isn’t email, we have easier indicators for abuse because most content is public and we can guesstimate how much of an instance is “real” users ^.^
Do what, specifically? How will they affect what your instance shows you?
It’s more like email lists blocking people from other email lists. If there is a massive email list that has continually and specifically coordinated to destroy or consume other email lists and spent massive resources learning specifically how to do this via social manipulation, yes, I would think blocking people from that email list is a very good idea ^.^
Should a listserv block people who are subscribed to another listserv then?
Perhaps if it wasn’t already corporate agglomerated, this wouldn’t be so true. But fediverse isn’t email, we have easier indicators for abuse because most content is public and we can guesstimate how much of an instance is “real” users ^.^
An email is a message from a user at a domain. A fediverse post is a message from a user at a domain.
Content is public, but to a big email provider, it’s not much more data. Gmail filters based on identical-looking messages from an “unestablished” domain. If you came up with a way to filter spam on the fediverse, it would likely look very similar.
If Mastodon/Lemmy/whatever picks up critical mass, I can guarantee you there will be a shit ton of spam, misinformation, disinformation, and scammy nonsense coming from a long tail of instances. Much of the garbage will, thanks to large language models, look pretty human, too. The only real roadblock to it will be defederation from “unestablished” instances and even that will be unreliable at best.
There really isn’t a good solution to it, at least one that isn’t invasive in ways we won’t like.
Defederating means not interacting with the crowd Meta brings in. I have a bunch of other reasons but that's my main one. And before you suggest blocking, you can't possibly expect me to block all 10M of their users and the domain block is bugged. I know because I tried.
Besides, this place doesn't look like much of a barren wasteland since we're interacting with a bunch of people right now. I don't mind interacting with only weirdo nerds if they're nicer people. Quantity doesn't mean quality after all.
For the people who want to interact with Threads because of family and friends, they should just make an account there. Just don't let Meta destroy this small part of the internet.
Defederating means not interacting with the crowd Meta brings in. I have a bunch of other reasons but that's my main one. And before you suggest blocking, you can't possibly expect me to block all 10M of their users and the domain block is bugged. I know because I tried.
Your point here is that blocking all of meta's instance is too hard because instance blocking is buggy.
Besides, this place doesn't look like much of a barren wasteland since we're interacting with a bunch of people right now. I don't mind interacting with only weirdo nerds if they're nicer people. Quantity doesn't mean quality after all.
This is just refuting my characterization of this place as barren.
For the people who want to interact with Threads because of family and friends, they should just make an account there. Just don't let Meta destroy this small part of the internet.
This is saying nothing other than "Meta will destroy the fediverse", again, without articulating how that would be possible.
A lot of people dislike it for the privacy nightmare that it is and feel the threat of an EEE attack. This will also probably not be the last time that a big corporation will insert itself in the Fediverse....
In the grand scheme, though, no one uses either mastodon or lemmy. I’m sure, to the devs and people who joined before 2021, that a couple million users seems like an enormous victory (and it is), but relative to a half billion twitters, the 1.5 billion instagrammers, or even the 5+M that signed up for Threads on the first day, it’s nothing.
Those Threads users aren’t part of Lemmy or Mastodon, they’re part of Threads. They don’t have to know what Lemmy or Mastodon are, even as they benefit from content created there. Once Threads is big enough, they either DOS non-corporate instances with mountains of data, disable those instances with protocol-breaking customizations, or just ignore them because all the biggest communities and content are hosted at Threads.
When mozilla & google started working together, Firefox was the majority browser and chrome a ridiculous upstart trying to squeeze into a domain dominated by IE and FF. The fediverse does not have mozilla’s power in that analogy. I mean, fediverse may survive after that, but the commercial players will absolutely siphon off anyone who cares more about the user experience and content than about privacy on a public forum, which probably means the user base of July 2022, not July 2023.
I keep asking but haven’t gotten an answer, why must instances that block meta also block those that federate with META? Wouldn’t blocking META be enough, as you wouldn’t see their posts, nor users, nor comments in any way after blocking the domain?
Meta can introduce their signature rage farming to the Fediverse. They don’t need to control Mastodon. All they have to do is introduce it in their app. Show every Threads user algorithmically filtered content from the Fediverse precisely tailored for maximum rage. When the rage inducing content came from Mastodon, the enraged...
Good points. I’m sure there are other potential solutions to reduce the fear of EEE taking place here. I don’t really think EEE would work, since instances are supposed to be small and operate horizontally, it is kind of impossible to kill Lemmy as long as we understand that we need to spread out a little bit (otherwise huge instances being defederated hugely impacts the user experience)
One thing though, Mastodon does allow for blocking domains. I just tried it over Mastodon.online and also through the fedilabs app, both are working. Kbin also has that feature, wish they implemented it to Lemmy so that we can empower users to customize their experience without needing to self host.
Which, by the way, is also a great way to verify certain people. If a Lemmy account is registered on a server with a domain that is owned by a large broadcast company for example, it’s easy to check whether the user of that account is who that person claims to be.
The municipality of Amsterdam set up their own Mastodon server registered to amsterdam.nl, so it’s clear their Mastodon posts are genuinely from the municipality without any external verification schedule. If the mayor would want to post herself, she could simply get an account on that server and everybody knows it’s genuinely her.
But it’s still pretty amazing to me: it’s like using Twitter or Instagram to read and reply to Reddit!
It’s probably amazing because everybody is used to social media platforms blocking access to and from other platforms. The point of these commercial platforms is to reel in as many users as possible and keep them in the ecosystem. No export possibilities, no federation or standard protocol.
It’s like a large company inventing e-mail and not allowing people to e-mail to an e-mail address registered to another domain. Nobody would think that’s logical, but most have grown accustomed to commercial social media locking every account in.
No problem! You can find admins and users talking a lot about this by searching for the #p92 and #fedipact hashtags, lots of instances are preemptively defederating from Meta domains, although the software hasn’t implemented federation yet
As the title says, I’m ready to fire up a Lemmy server of my own. I have a suitable VPS running Debian 11. I think I can probably make short work of it once I get past this one difficult point. What should I call my Lemmy server? With catchy names out there like “Lemmy.World” and “sh.itjust.works”, I really want to...
Supposing that they, y’know, try to keep their setups secure anyway. With how much you see about breaches of different sites, it’s hard to imagine individuals and smaller groups being able to keep their stuff secure....
The vast majority of self hosted users would not be able to respond effectively to a coordinated or sophisticated attack. You might block off large swaths of domains, blocking big IP blocks, etc; but unless you are serving a very small number of users (White lists vs black lists) you’ll be fighting an uphill battle if someone decides to start going after your instance.
I tried one called Lemmur that I downloaded off F-Droid, however, it can not find this instance (lemmy.world). I want one that’s open-source, and preferably from F-Droid (because screw Google). Which one do you guys use?
Honestly, using wefwef.app as a web app is hard to beat right now. It works very smoothly, and I finally understand why all the iOS users mourn the loss of Apollo so hard. Granted, using an iOS-esque interface on an Android device is a bit odd, but the gestures and the layout are just chef’s kiss.
The biggest issue with it is that it’s getting hammered on the primary domain, so I’ll probably move to self-host it sooner than later.
I like it! Main issue for me is that there is not enough content on my hobbies, and “all” content is mostly filled with reddit-this and lemmy-that (or now threads) stuff, which is annoying because I don’t want to talk more about the platform than actually using it. But I hope this will change with some time.
I use only the browser, UX and UI is pretty straightforward, but subscribing to communities of other instances is really weird. I need to copy the “handle” (i.e. !lemmy_support), and add it manually to my instance domain (i.e. lemmy.world/c/[email protected]), and then I subscribe to it. I don’t know if there are other ways (besides finding new communities via “all”).
I’m not into the technicals of lemmy or the fediverse, but I guess this is not easily solvable, as an instance doesn’t know that I am the user of another instance.
The primary incentive that comes to mind is improved availability. Often, instances can become slow, so I use another. By hosting a local instance I could always have a smooth experience....
If you host your own instance you are your own admin. That gives you personal control over content and settings. However, you need to pay for a domain name and you need a 24/7 server so there’s some expense involved. Then there’s maintenance like software updates and user needs if you take them on.
I think most admins take on an instance simply to contribute in building the Fediverse and create something to take some pride in. You get some clout in the community for doing that.
I know this is not a feature officially on lemmy as of now (at least the github github.com/LemmyNet/lemmy/issues/2397?ref=privacy… the issue is still open)...
Yep, it would give much more control to the user, also it’s a feature already present in mastodon (called block domain over there) so it’s not a foreign idea to the fediverse.
As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your...
I wouldn’t say don’t post personal information at all. But rather don’t post information that you’re not comfortable with everyone knowing, while being identified and never being able to delete it.
IMO it’s best to assume that if you post enough online, someone dedicated enough will be able to identify you, especially people who already know you in real life. It’s difficult to post without revealing small details about yourself that can be combined to piece together who you are. Eg, you might never say where you work, but your city, field, an offhand comment about a coworker, a mention of a conference, and such might let someone narrow it down. Similarly, you might never mention what city you’re in, but it might be narrowed down from mentions of things like traffic, weather, events near you, remarks of things being close by, etc. And that’s not even getting into devious things like trying to trick someone into clicking a link to a domain you control so that you can get their IP.
I’m of the opinion you should generally act as if you’re talking to people face to face with a name tag saying your full name and address. I think that approach also just plain makes the internet a better place. Anonymity seems to make a lot of people more comfortable being aggressive assholes.
I say “generally” because there are plenty of valid reasons to want to post things that you’d never say if identified. But in that case, you should strongly consider using an absolutely minimal throwaway account, while being extremely careful with details. And even then, you should at least consider that you might still get identified. In particular, I think a lot of users of throwaways only consider strangers not being able to identify them. Sometimes that’s all you care about, but your family, friends, and coworkers are going to have a lot easier time identifying you.
What's to prevent someone from hijacking my username?
Is gstatic.com safe to whitelist on a secure network?
ELI5: Why are Lemmy users freaking out over threads?
Title
How many people here have actually used XMPP?
Rant: I hate the term “normie”. (kbin.social)
Why Defederating from Facebook/Meta is So Important (ploum.net)
I strongly encourage instance admins to defederate from Facebook/Threads/Meta....
Meta will kill small instances! Please read.
I just read this point in a comment and wanted to bring it to the spotlight....
What should we do about Threads?
Meta can rage farm Mastodon without controlling it
Does it matter which Lemmy I'm in?
I’m in Lemmy.world, but I’ve seen there are others. Do I have to switch in between them (if so, how?) or is it fine the way I have it?...
Is this true? (i.imgur.com)
Found it on Twitter.
Ready to take the plunge and spin up a Lemmy server but I'm already stuck trying to come up with a domain name.
How do self-hosters or smaller sites handle security?
Best Lemmy client for Android?
Reddit Refugees on Lemmy, how are you guys liking lemmy so far?
What are the incentives for hosting a Lemmy instance?
It Still Hurts 😢 (lemmy.world)
Is there any way for a user to block an instance?
YSK: Keeping your accounts/online identity safe in the age of the fediverse/federated networks