TruckBC

@TruckBC@lemmy.ca


TruckBC, (edited)
  • option 1: Defederate from Lemmit.Online
TruckBC, (edited)
  • option 3: Ban @bot from lemmy.ca
TruckBC, (edited)
  • option 2: leave it up to users to block @bot
TruckBC,

We’ll share this post with other instance admins once there’s a bit more discussion, and maybe seeing this will get the ball rolling for other instances to have similar discussions.

TruckBC,

@bot, it posts links to Reddit posts in corresponding communities on lemmit.online. 99% of its posts get no engagement.

Unless you’re browsing all instances sorted by new, you would never notice its activity.

TruckBC,

I’ve contacted them to see if they would be willing to transfer it to us. Figured I’d have better luck as a Lemmy admin than just someone random. The domain name is under $20 a year so it’s a non-issue.

TruckBC,

Let’s see what the current owner of matrix.ca says.

TruckBC,

Clearing cache & data should also allow you to re-authenticate.

TruckBC,

Currently it seems to be a vulnerability with custom emojis only, which this instance never had, so currently we shouldn’t be affected. However this is a developing situation and we will continue to monitor.

TruckBC,

I can’t remember exactly but @Shadow is the one that takes care of those things, I think he’s got it set up to backup every 8 hours? I’m taking a rapid crash course in sysadmin but I’m not really ready to start poking at production server stuff yet.

TruckBC,

Thanks!

TruckBC,

We have updated to a patched version.

TruckBC,

Power of the open source community.

In my opinion the “drama” was a critical part of immediately drawing attention to the vulnerability and bringing it to the attention of most instance admins very quickly.

A few things have been added to my to-do list that I’ve learned from this.

  • We need more backend manpower for coverage.
  • Major instances, and probably all instances, should partner with another instance that’s in an opposite time zone for emergency response. Ideally, partnered admins and backend admins would have no more than 8 hours difference between each one for 24 hour reliable coverage. Partnered admins should in my opinion have each other’s phone numbers and have it set to bypass do not disturb.
  • We need to make sure users know how to contact admins off Lemmy for emergencies, as well as ensure that admins are tagged when a situation like this develops. (To my knowledge no lemmy.ca admin was tagged when this started to unfold.)
  • There’s more thoughts but I can’t remember them on 5 hours of sleep 😴

Any additional suggestions are welcome!

TruckBC,

No, but that’s a great idea. Thank you.

TruckBC,

At this point I’m monitoring inter-instance communications channels non-stop even though I should be in bed. I will be temporarily removing admins that have not responded to my inquiry to confirm if they have 2FA turned on, as initial access appears to have been gained due to lack of 2FA.

If there’s anything additional we can do, we will.

TruckBC,

We have yet to confirm if a vulnerability exists in the sidebars that can be set by community mods.

TruckBC,

I’m copying all links into a brand new incognito mode window for now.

TruckBC,

There’s no minimum complexity but I’ve enforced 2FA for all admins. One admin that did not respond has been temporarily removed precautionarily.

TruckBC,

No. Unfortunately. This is not a confirmed vector of attack at this point but we are monitoring.

TruckBC,

At this point it doesn’t seem like community sidebars have the vulnerability. We are fairly confident that they have identified the vulnerability and that lemmy.ca is safe as long as our admin accounts are properly locked down, which we have confirmed.

TruckBC,

We can put it in place as an internal policy. I’m 99% confident all admins on Lemmy.ca are using complex password generators that are hopefully not LastPass, with their history of being hacked 😅

Edit: yeah I’m tired. It’s like 3 hours post bed time. I’m supposed to be at work in just over 5 hours.

TruckBC,

While I respect their decision, I believe that’s an over-reaction at this point and we will not be doing that, yet.

TruckBC,

I just successfully set up 2FA for an account on another instance that doesn’t have a verified email without any issues, so there’s no need to have done email verification to use 2FA.

TruckBC,

We believe they have resolved it but we will remain defederated overnight.
