WARNING: Lemmy Self-Hosters, There Have Been CSAM Attacks taking place against !lemmyshitpost@lemmy.world

cross-posted from: jamie.moe/post/113630

There have been users spamming CSAM content in !lemmyshitpost causing it to federate to other instances. If your instance is subscribed to this community, you should take action to rectify it immediately. I recommend performing a hard delete via command line on the server.

I deleted every image from the past 24 hours personally, using the following command: sudo find /srv/lemmy/example.com/volumes/pictrs/files -type f -ctime -1 -exec shred {} \;

Note: Your local jurisdiction may impose a duty to report or other obligations. Check with these, but always prioritize ensuring that the content does not continue to be served.

Update

Apparently the Lemmy Shitpost community is shut down as of now.

HybridSarcasm,

Locking the thread. Information relevant to self-hosters has already been shared. Too many reports of off-topic comments to leave this open.

slug,

i’d love for a good tech journalist to look into how and why this is happening and do a full write-up on it. come on ars, verge, vice

owiseedoubleyou,

How desperate to destroy Lemmy must you be to spam CSAM on communities and potentially get innocent people into trouble?

heyoni,

Maybe you’re a dev on the Reddit team and own a lot of shares for what you know is about to go public?

Catasaur,

Self hoster here, im nuking all of pictrs. People are sick. Luckily I did not see anything, however I was subscribed to the community.

  • Did a shred on my entire pictrs volume (all images ever):

sudo find /srv/lemmy/example.com/volumes/pictrs -type f -exec shred {} \;

  • Removed the pictrs config in lemmy.hjson
  • removed pictrs container from docker compose

Anything else I should do to protect my instance, besides shutting down completely?
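A scripted form of the purge described in the original post and in the steps above, added here as an example (it is not code from the thread, nor from the Lemmy or pict-rs projects): it lists and counts the files under a pict-rs volume whose status changed within the last N days, so the scope can be reviewed on a dry run, and then overwrites and unlinks each match with shred -u. The volume path is an assumed placeholder; adjust it to your deployment.

```shell
#!/bin/sh
# Added example, not from the thread. Purge recently changed files from a
# pict-rs volume. PICTRS_DIR below is an assumed placeholder path.
PICTRS_DIR="${PICTRS_DIR:-/srv/lemmy/example.com/volumes/pictrs/files}"

# Print the path of every regular file whose inode status changed less than
# $2 days ago (same -ctime test as the command in the original post).
recent_files() {
    dir="$1"
    days="${2:-1}"
    find "$dir" -type f -ctime "-$days" -print
}

# Dry run: how many files the purge would touch.
count_recent_files() {
    recent_files "$1" "$2" | wc -l | tr -d ' '
}

# Overwrite each matching file and unlink it. Plain shred leaves the
# overwritten file in place, so pict-rs would keep serving garbage under
# the same URL; -u removes it. Falls back to rm -f where shred is absent.
# Prints the number of files removed.
shred_recent_files() {
    dir="$1"
    days="${2:-1}"
    before=$(count_recent_files "$dir" "$days")
    find "$dir" -type f -ctime "-$days" -exec sh -c '
        for f; do
            if command -v shred >/dev/null 2>&1; then
                shred -u -- "$f"
            else
                rm -f -- "$f"
            fi
        done' sh {} +
    after=$(count_recent_files "$dir" "$days")
    echo $((before - after))
}

# Interactive use: review the count first, then run with RUN_PURGE=1.
if [ "${RUN_PURGE:-0}" = "1" ]; then
    echo "files changed in the last ${DAYS:-1} day(s): $(count_recent_files "$PICTRS_DIR" "${DAYS:-1}")"
    echo "removed: $(shred_recent_files "$PICTRS_DIR" "${DAYS:-1}")"
fi
```

Two caveats a self-hoster should keep in mind: shred's overwrite is only meaningful on filesystems that rewrite data in place (journaled, copy-on-write and snapshotting filesystems may retain old blocks, as shred's own documentation notes), so the removal is what stops the content being served, not a guarantee of erasure; and the count is printed before and after so the run leaves a simple record of how many objects were purged.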

possiblylinux127,

Couldn’t this be stopped with automatic filtering of bad content? There are open source tools and libraries that do this already

scrubbles,

That’s what we’re pushing the lemmy devs to do. Honestly even if they want to use proprietary tools for this instance I’m okay, I’ll happily go register an Azure account and plop an API key into the UI so it can start scanning. Lemmy should have the guardrails to prevent this from ever hitting our servers.

In the meantime, services like cloudflare will handle the recognizing and blocking access to images like that, but the problem still comes down to the federation of images. Most small hosters do not want the risk of hosting images from the whole of the internet, and it sounds like there is code in the works to disable that. Larger hosters who allow open registrations can do what they please and host what they please, but for us individual hosters we really need tools to block this.

possiblylinux127,

Proprietary software isn't necessary, there are plenty of projects that detect CSAM

scrubbles,

I’m saying when it comes to this I don’t care if it is or isn’t proprietary, frankly I’d be down if we used multiple ones. I’m all for my morals but when it comes to CSAM as long as it works. That’s the most important, and yes I’d probably use multiples

krolden,

That’s it, I’m defederating from lemmy.world. the admins let their users make death threats against users of other instances on top of this.

krebstar,

What is CSAM?

maxprime,
Clbull,

Child sexual abuse material, a.k.a. child pornography.

xtremeownage,

Yup. Nope.

Pictrs is just completely disabled now. Rather be safe than sorry.

stark,

Is disabling Pictrs as simple as stopping the Docker container?

xtremeownage,

Yup.

I went a step further, and commented out the pictrs related configuration from the lemmy.hjson too.

neutron,

Does that disable image saving and processing for one’s instance?

xtremeownage, (edited)

Yup.

So far, mostly everything appears to work still. But, trying to upload an image, just throws an error.

SyntaxError: Unexpected token ‘R’, “Request er”… is not valid JSON

I don’t see a way to actually “gracefully” disable it, but, this works.

Edit- don’t just stop pictrs.

Lemmy gets very pissy… and breaks.

Clbull,

Is this why I couldn’t upload a meme to the Lemmy World servers earlier today?

Fuck…

pastthepixels,

Yeah… Just wow. I disabled pictrs and deleted all its images, which also means all my community images/uploaded images are gone, and it’s more of a hassle to see other people’s images, but in the end I think it’s worth it.

Through caching every image pictrs was also taking up a massive amount of space on my Pi, which I also use for Nextcloud. So that’s another plus!

xtremeownage,

Note, apparently, lemmy will get pretty pissy if pictrs isn’t working… and the “primary” lemmy GUI will straight-up stop working.

Although, old.lemmyonline.com will still work.

And- I am with you. My pictrs storage, has ended up taking up quite a bit of room.

rar,

There has to be a more elegant way of dealing with this in the future, like de-coupling between Lemmy-account hosting (which effectively means ActivityPub-fediverse account) and Lemmy-communities hosting.

idle,

I went ahead and just deleted my entire pictrs cache and will definitely disable caching other servers images when it becomes available.

sparky,

Anyone know if this work is tracked anywhere? I’m suddenly really suspicious of continuing to run my own instance.

hitagi,

github.com/LemmyNet/lemmy/pull/3897

It does say “thumbnails” but as far as I know, Lemmy (or pictrs) makes a copy of the full image too. I don’t know if this PR includes full images.

idle,
ugjka,

blocked lemmyshitpost some time ago because it is trash anyway

DeltaTangoLima,

To be clear, if no one on a given instance subs to that particular /c, the content won’t federate to said instance, correct?

Jamie,

At this point, the community is clean. So unless more is posted, then you should be good. If someone searched for the community and caused a preview to load while the content was active though, then it could be an issue.

DeltaTangoLima,

Cool. Thanks. I cleaned up anything from the past 2 days, to be safe, and blocked that community.

A10,

Is it possible to prune pictrs by community name?

Jamie,

Not really. You could technically locate the images and determine precisely which ones they are from their filenames, but that means you actually have to view the images long enough to pull the URL. I had no desire to view them for even a moment, and just universally removed them.

As mentioned in my edit above though, ensure you are in compliance with local regulations when dealing with the material in case you have to do any preservation for law enforcement or something.

A10,

There is a purge community option available for admins but that did nothing.

Jamie,

From what I was informed, purging a post doesn’t remove the associated cached data. So I didn’t take any chances.

Oneobi,

Likely scum moves from reddit patriots to destroy or weaken the fediverse.

I remember when Murdoch hired that Israeli tech company in Haifa to find weaknesses in TV smart cards and then leaked it to destroy their market by flooding counterfeit smart cards.

They are getting desperate along with those DDOS attacks.

AstroTechie,

Could be, but more likely it’s just the result of having self hosted services, you have individuals exposing their own small servers to the wilderness of internet.

These trolls also try constantly to post their crap to mainstream social media but they have it more difficult there. My guess is that they noticed lemmy is getting a big traction and has very poor media content control. Easy target.

Moderating media content is a difficult task and for sure centralized social media have better filters and actual humans in place to review content. Sadly, only big tech companies can pay for such infrastructure to moderate media content.

I don’t see an easy way for federated servers to cope with this.

maxprime,

Yeah exactly. This is the main reason I decided not to attempt to self host a Lemmy instance. No way am I going to let anyone outside of my control have the ability to place a file of their choosing on my hardware. Big nope for me.

ExLisper,

What’s CSAM?

Akasazh,

Child sexual abuse material

Rearsays,

Likely Spez’s personal jailbait collection
