thor, (edited)
@thor@berserker.town avatar

I hate developers...

https://github.com/mastodon/mastodon/issues/29269

People are trying to get the Mastodon team to change the defaults due to the current spam attack.

The developers:

ent,
@ent@noauthority.social avatar

@thor
I hate shitty developers that don't set sensible defaults. So, most of them, but thankfully not all. I'll give a slight pass to those who try to set good defaults but get overridden by execs or similar.

thor,
@thor@berserker.town avatar

@ent Some teenager is said to be behind this spam attack. They figured out that all you have to do is target umpteen poorly configured small Mastodon instances. You can't block it because it's coming from everywhere.

ent,
@ent@noauthority.social avatar

@thor
Yep. And said spammer was clever enough to start using images, which there is no good way to filter out. One of the alternate fedi implementations hasn't really had issues because they have a user reputation system.

Another option I'd propose is allowing users to filter out image spam using an image similarity hash. Upload samples and select how exact a match other images are on posts in your feed, and that would at least get rid of the current wave.
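The image similarity filter proposed in the post above can be sketched as follows. This is an added example, not part of the thread and not Mastodon code: it uses a difference hash (dHash) over grayscale pixel grids, compares it to uploaded samples by Hamming distance, and shows an exact SHA-256 digest for contrast. The function names, the threshold of 6 bits and the test images are assumptions constructed for illustration.

```python
import hashlib

def shrink(pixels, out_w, out_h):
    """Box-average a 2D grayscale grid (rows of 0-255 ints) to out_w x out_h."""
    h, w = len(pixels), len(pixels[0])
    out = []
    for oy in range(out_h):
        ys = range(oy * h // out_h, (oy + 1) * h // out_h)
        row = []
        for ox in range(out_w):
            xs = range(ox * w // out_w, (ox + 1) * w // out_w)
            row.append(sum(pixels[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
        out.append(row)
    return out

def dhash(pixels, size=8):
    """Difference hash: one bit per adjacent pair in a (size+1) x size thumbnail."""
    bits = 0
    for row in shrink(pixels, size + 1, size):
        for left, right in zip(row, row[1:]):
            bits = (bits << 1) | (left > right)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def matches_sample(pixels, sample_hashes, max_distance):
    """True if the image is within max_distance bits of any uploaded sample."""
    h = dhash(pixels)
    return any(hamming(h, s) <= max_distance for s in sample_hashes)

def sha256_of(pixels):
    """Exact (cryptographic) digest, for contrast with the similarity hash."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()

# Constructed 72x64 test images, not real spam samples.
SAMPLE = [[((x // 8) * 37 + (y // 8) * 91) % 256 for x in range(72)] for y in range(64)]
ONE_PIXEL = [row[:] for row in SAMPLE]
ONE_PIXEL[10][10] ^= 0xFF  # flip a single pixel
BRIGHTER = [[min(255, v + 10) for v in row] for row in SAMPLE]
UNRELATED = [[255 - 3 * x for x in range(72)] for _ in range(64)]

if __name__ == "__main__":
    known = [dhash(SAMPLE)]  # hashes of the user's uploaded samples
    for name, img in [("one_pixel", ONE_PIXEL), ("brighter", BRIGHTER), ("unrelated", UNRELATED)]:
        print(name, hamming(dhash(img), known[0]), matches_sample(img, known, 6),
              sha256_of(img) == sha256_of(SAMPLE))
```

The `max_distance` argument is the "how exact a match" setting: a lower value means fewer false positives but misses more heavily altered copies.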

thor,
@thor@berserker.town avatar

@ent Plenty of solutions exist. The issue isn't the technology. It's politics. Your influence on what the Mastodon team does is limited.

ent,
@ent@noauthority.social avatar

@thor
Oh, I know

thor,
@thor@berserker.town avatar

@ent I'd say that maybe FOSS projects should be more democratic, except you got it for free, so you have no rights. Yes, you can fork a project, but there are 9343498534985 forks of Mastodon, many of which have good patches, but it's the original project that has the power to propagate them.

realman543,
@realman543@annihilation.social avatar

@ent @thor It won't work long term, because even one pixel change and the hash is different.

AI would be the best way to handle image spam but it's very costly on resources right now. Maybe in the future.

thor,
@thor@berserker.town avatar

@realman543 @ent Well, nothing lasts in the long term, if you think about it.

realman543,
@realman543@annihilation.social avatar

@thor @ent True, but it’s such a bad answer to the problem. Literally anything would be better including some kind of user enabled “filter images from” feature.

I have fucked with image hash niggers in the past to simply make a point.

thor,
@thor@berserker.town avatar

@realman543 @ent And you're out.

Zergling_man,

@thor @ent People should configure things, configuration files should be easy, blah blah.
And people should probably stop installing mastodon :^)
In the meantime, it's a great way to build a list of unmoderated instances that are worth defederating from.

thor,
@thor@berserker.town avatar

@Zergling_man @ent Except when I was new to running an instance, I did the very same thing.

thor,
@thor@berserker.town avatar

@Zergling_man @ent You need to guide people a bit. Everyone can't know everything.

ent,
@ent@noauthority.social avatar

@Zergling_man
I'm all for configurability, but I'm very much against crappy defaults when a majority of those with technical knowledge agree a particular config tends to be better, e.g. enabling captchas for account signup.
@thor

thor,
@thor@berserker.town avatar

@ent @Zergling_man Any default setting is crappy to someone. I'm not sure your argument makes sense here. Are you against having default settings overall or...?

thor,
@thor@berserker.town avatar

@ent @Zergling_man When you look at it, writing software is a "default setting". The developer decided that it would work that way.

Zergling_man,

@thor @ent Good software is good defaulting. Which is to say, anticipating what the least destructive configuration would be if someone is too lazy to fiddle with it.
The flipside of this is that configuration is a user's duty; if you're going to use a tool, you should understand how it works and use it properly. Complaining to the devs that they defaulted badly is fine, but you should also fix your config when you discover the problem, and find it has a solution.
In this case that fix is making use of the defederation function, because regardless of some spambot, people have always been free to misconfigure their instances, or abuse them, or whatever.
I think it would be handy if remote deactivate still accepts messages from admins to admins though, so they can clean it up later. (Of course, that, too, must be an option, because it is often the case that the admin is the cause of the defed.)

thor,
@thor@berserker.town avatar

@Zergling_man @ent If you're a developer, you should make the user understand how to apply the tool. Documentation is also a thing, you know.

Zergling_man,

@thor @ent AFAIK mastodon does have some sort of quick-start guide, I don't know if it mentions closing registrations.

thor,
@thor@berserker.town avatar

@Zergling_man @ent This was most DEFINITELY NOT in the documentation when I set up my server.

thor,
@thor@berserker.town avatar

@Zergling_man @ent When I set mine up, there was zero mention of consequences.

thor,
@thor@berserker.town avatar

There is also this discussion about the spam attack:

https://github.com/mastodon/mastodon/discussions/29267

This is barely registering on the Mastodon GitHub and nobody is taking it seriously.

saxnot,
@saxnot@chaos.social avatar

@thor CAPTCHA?

tbh I haven't noticed the spam attack yet but I guess that just applauds to the quality of the chaos.social admins to keep things in order

thor,
@thor@berserker.town avatar

@saxnot The problem is not that I have not enabled these security measures.

The problem is all the instances that haven't. They're spamming the rest of us.

thor,
@thor@berserker.town avatar

@saxnot Some teenager wrote a spam bot that is basically unstoppable because it targets Mastodon instances with zero security measures enabled.

saxnot,
@saxnot@chaos.social avatar

@thor I've read "teenager" multiple times now and since to my knowledge the person or group responsible is not known it feels pretty condescending. It's like calling people one does not like "thug".

Why should it matter if it's a bored retiree or some teen preparing a science fair? Why should teens be more bored or criminal or more spammy in regards to social network attacks than others?
Let's just call it a spam wave or spammers or whatever.

saxnot,
@saxnot@chaos.social avatar

@thor Plus, belittling the enemies one is fighting against makes oneself look bad too. "Look how weak the USSR is! They are so weak! We fought head to head for decades, nearly equal in strength!" Doesn't really paint a good picture.

"A teenager hacked the distributed social media"
Doesn't make the distributed social media appear very strong when "it's just a teenager" suffices to break it.

Regardless, no matter who it is, it shows a relevant design/security flaw worth countering.

thor,
@thor@berserker.town avatar

@saxnot Teenagers can cause mischief sometimes. I fucked around with the computers in the lab at my school as a teenager. The admin fixed it by banning me from the lab.

thor,
@thor@berserker.town avatar

@saxnot As a teenage nerd, my thinking was that maybe he shouldn't leave the computers so vulnerable to attack. But he was a hacker himself. He's the guy who taught me about Linux. He didn't want to lock everything down.

thor,
@thor@berserker.town avatar

@saxnot The guy set up an old computer in the lab and handed me a Slackware Linux CD and said "Get to it. You're exempt from the curriculum."

thor,
@thor@berserker.town avatar

@saxnot Nerds are often very clever, but they're not good at talking to people. He was about the age I am now, perhaps a bit older.

saxnot,
@saxnot@chaos.social avatar

@thor I'm aware of that.
A patch can prevent similar attacks like this, but why not have captcha for both open and closed registrations which admins can't toggle off via the web settings?
Because I imagine quite a few admins want their registration to be open no matter the default and then spam bots find their way back in again.
To combat automated account creation there needs to be more than having a toggle off only for new installations, and many want to have it open anyway.

thor,
@thor@berserker.town avatar

@saxnot There is a contingent of users who are trying to discourage captchas because they don't work for blind people. HCAPTCHA — the system you can enable in Mastodon currently — supports audio captchas. But some people are saying the audio option there is broken. Complicated.
