Conversation

Notices

1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:33 JST Kevin Beaumont

   Okay, this made me laugh.

   • patter (patterfloof@meow.social)'s status on Friday, 23-Feb-2024 18:43:18 JST patter

     in reply to

     @GossiTheDog silly question, but if mods haven't logged in for a week, how are those servers going to be upgraded to the version with this feature?

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:19 JST Kevin Beaumont

     in reply to

     Mastodon change incoming in next release, if no mod logs into a server for a week open registrations will close. Will probably take a few weeks but should solve the current spam issue largely. https://github.com/mastodon/mastodon/pull/29318

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:20 JST Kevin Beaumont

     in reply to

     • Ivory by Tapbots :emoji_wink:

     Good news everybody, the Fediverse spammer is back! @ivory client filtering it all out for me.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:21 JST Kevin Beaumont

     in reply to

     Mastodon change coming where new servers have open registration disabled by default: https://github.com/mastodon/mastodon/pull/29280

     Mastodon team have been all over behind the scenes btw.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:22 JST Kevin Beaumont

     in reply to

     Also, yes, it was a beef over access to a Discord.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:23 JST Kevin Beaumont

     in reply to

     If anybody wants an update on the Fediverse spam issue - the groups did a ceasefire 5 hours ago (3PM JST).

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:24 JST Kevin Beaumont

     in reply to

     If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.

     I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers. The show went on for an hour of me just saying ‘yo the net sucks’.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:26 JST Kevin Beaumont

     in reply to

     An update on the Fediverse spam issue:

     - It’s not just Mastodon.

     - Most of the targets receiving the spam use Misskey, and are in Japan.

     - Most Mastodon users aren’t being targeted, so aren’t seeing it.

     - It is a dispute between two people over a social issue, after asking them about it.

     - It is fully automated.

     - The spam continues to be sent and probably won’t stop any time soon, these guys need to star in a BL drama and make up.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:27 JST Kevin Beaumont

     in reply to

     For context on the spam problem, hundreds of Mastodon servers are chucking out thousands of spam messages.

     One example instance: https://opensimsocial.com/public/local

     It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code. (And yes, they’re really just trolling a Discord server, lolol).

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:28 JST Kevin Beaumont

     in reply to

     Mastodon has been in deep decline for months (eg active user numbers have halved), but now the metrics are turning around due to one Japanese Discord spammer 🤣

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:29 JST Kevin Beaumont

     in reply to

     Another knock on impact from the spam run - the pictures of spam in the posts are chewing up disk space if file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).

     Also a bunch of instances have gone to failing in federation admin page, presumably because smaller instance admins got annoyed and switched them off.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:30 JST Kevin Beaumont

     in reply to

     Now, it does become a bigger problem if the current spammers publish their source code and more join in.

     There’s absolutely no effective controls to stop it - here is the Wild West still - so the elephant is the room is anybody can flip the table at present.

     The good news is much of the anti spam and anti phish technologies over the years (Real time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:31 JST Kevin Beaumont

     in reply to

     There is a bunch of technical issues it highlights, which is that Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.

     IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.

     Ideally Mastodon would add easy install third party plugins (a la Wordpress etc) so people could develop optional plugins for anti-spam and anti-malware.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 18:43:32 JST Kevin Beaumont

     in reply to

     The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.

     They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.

     To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.

   • Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 18:43:48 JST Aral Balkan

     in reply to

     • patter

     @patterfloof @GossiTheDog That is a very good question.

   • Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 21:59:10 JST Aral Balkan

     in reply to

     • patter

     @GossiTheDog @patterfloof Mastodon, however, could still very easily stop accepting traffic from Mastodon servers that are X versions behind. This would be good for the health of the network in general. And when/if those servers upgraded, it could start accepting traffic from them again.

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 21:59:11 JST Kevin Beaumont

     in reply to

     • Aral Balkan
     • patter

     @patterfloof @aral no, it doesn’t do that and won’t. Half the Fediverse isn’t Mastodon, server blocking is not the way forward.

   • patter (patterfloof@meow.social)'s status on Friday, 23-Feb-2024 21:59:12 JST patter

     in reply to

     • Aral Balkan

     @aral @GossiTheDog I guess there could be version numbers in the protocol & newer servers block feeds that aren't the right version

     but this is me, a programmer spitballing without info

   • Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 22:09:56 JST Aral Balkan

     in reply to

     • patter

     @GossiTheDog @patterfloof Not my circus, not my monkeys. Sadly, I don’t have time in the day enough to contribute to every codebase on the planet. But I’ll keep the idea in mind as a possible feature that we could implement in Small Web apps to ensure we don’t run into the same problem. (Small Web apps auto update anyway but it’ll be a good check to have in case someone has disabled that for their server.)

   • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-Feb-2024 22:09:57 JST Kevin Beaumont

     in reply to

     • Aral Balkan
     • patter

     @aral @patterfloof submit the code on GitHub if it’s very easy 😅

     Personally I’m not in favour as federated networks shouldn’t be about gatekeeping over vulnerabilities. Fix the vulns at the receiving end. If you’re malicious, you can just send a newer version number.