
  • Not all web traffic, just the images to check.

    Ah, yeah, my bad this was a lack of clarity on my part; I meant all image traffic.

  • A lot of precedent exists for not complying.

    Would you mind citing a case? I'm curious.

  • It comes down to the individual company on whether or not to fight requests for user information.

    Wouldn't this simply be obstruction of justice?

  • I just have trust issues, you don’t need to mind my crazy ramblings.

    Concerns about privacy and anonymity are perfectly valid. Ideally, I would want my involvement in a venture like this to be completely anonymous, but there are practical limitations (generally limited by how much added complexity/added risk one wants to put up with).

  • I’m saying if you paid for a service to host your instance remotely. The domain, the site pages, the database, everything. Then, everything on the domain would be tied to your person and the service providers have a certain power over your instance aside from just turning off your domain.

    Ah, okay, I was under the assumption that the domain was purchased through a separate, independent provider, rather than through the same provider as that of the VPS.

  • they might allow subpoenas from various companies who request the info.

    "Allow" is an interesting choice of words. A subpoena is legally binding (depending on the jurisdiction). One could circumvent this by purchasing a domain anonymously, but I'm not currently aware of a reputable domain provider that allows anonymous purchasing of domains.

    Addendum (2024-11-11T23:38Z):

    I just found Njalla which seems to allow anonymous purchasing of domains, but idk how reputable they are.

  • Also, most hosts have WhoIs and ICANN registrations for Domains, but you still need a domain regardless.

    I'm not sure exactly what you are referring to. I don't exactly follow how the VPS provider would have any privileged insight into one's domain registration.

  • Same way things get leaked by Equifax, Twitch, US Bank, etc. You’re most responsible with your information by not having unnecessary accounts or transactions.

    This would be low down on my concern for threat levels. At any rate, the only way to get around this would be to either host it on one's own hardware on one's own network, or to somehow anonymously purchase a VPS (I am currently unaware of a trustworthy VPS that allows anonymous hosting. I have heard of BitLaunch, but I don't know how trustworthy it is — do they have the ability to intercept control of the DO Droplet?).

    Addendum (2024-11-11T23:40Z):

    I just found Njalla which seems to allow anonymous purchasing of VPSs, but idk how reputable they are.

  • [...] I do wonder if he counts it as advertising for his business [...]

    Out of curiosity, what's the business?

  • That is a cool feature, but that would mean that all of the web traffic would get returned to my local network (assuming that the server is set up on a remote VPS), which I really don't want to have happen. There is also the added downtime potential caused by the added point of failure of the GPU being hosted in a much more volatile environment (ie not, for example, a tier 3 data center).

  • If some new spam account signs up on Lemmy.world and posts to lemm.ee, then if it's removed by an admin on your instance it is only removed for people on your instance. Everyone else still sees it as your instance is not hosting either the community or the user so it can't federate out anything to deal with it. The lemm.ee instance could remove the post or comment with the spam in a way that federates out to other instances, but can't ban the user except for on their instance. Only the Lemmy.world instance can ban the user in a way that federates out to other instances.

    This makes me think that we should maintain a community curated blocklist in, for example, a Git repository. It could be a list of usernames, and/or a list of instances that are known to be spam that gets updated as new accounts and instances are discovered. Then any instance owner can simply pull the most current version of the blocklist (this could even be done automatically). Once the originating instance blocks the malicious account, they can be removed from the list. This also gives those who have been blocked a centralized method to appeal the block (eg open an issue to create an appeal).

    I would honestly have expected something like this to already exist. I think it's partly the purpose of Fediseer, but I'm not completely sure.

  • [Using a hosting service] makes you a more difficult target for attacks but also involves your information getting out into the world in direct connection to your instance.

    I'm not sure I understand how one's data would be leaked by the hoster.

  • I asked about database preferences over in Self-Hosting once and they basically all said "don't choose a database ever."

    I'm not sure I follow what you mean; Lemmy uses PostgreSQL.

  • How much server hosting experience do you have?

    I've never hosted a public facing social media service. I have a few years experience hosting a number of my own personal services, but they aren't at the scale of a public facing Lemmy instance.

  • The spam is not from bots, it's people being paid to spam.

    Do you know any specific/official organizations that do this, and/or examples where it's occurred on Lemmy?

  • I would just turn off media uploads entirely.

    Do you mean also disabling thumbnails? IIUC, pict-rs handles all thumbnail generation [1]. The reason I point this out is that simply disabling image uploads won't itself stop the generation of thumbnails [2]. There's also the question of storing/caching images that come from federated servers.

    ::: spoiler References

    1. Lemmy Documentation. Accessed: 2024-11-11T01:59Z. https://join-lemmy.org/docs/administration/administration.html.
      • "9. Administration". §"Lemmy Components". §"Pict-rs".

        Pict-rs is a service which does image processing. It handles user-uploaded images as well as downloading thumbnails for external images.

    2. "I just developed and deployed the first real-time protection for lemmy against CSAM!". @db0@lemmy.dbzer0.com. Published: 2023-09-20T01:38:09-07:00. Accessed: 2024-11-11T02:16Z. https://lemmy.dbzer0.com/post/4500908.
      • ¶1

        [...] if the content is a link to an external site, lemmy still caches the thumbnail and stores it in the local pict-rs [...].

    :::

  • One thing to note, I wasn’t able to get it running on a VPS because it requires some sort of GPU.

    This is good to know. I know that you can get a VPS with a GPU, but they're usually rather pricey. I wonder if there's one where the GPUs are shared, and you only get billed by how much the GPU is used. So if there is an image upload, the GPU would kick on to check it, you get billed for that GPU time, then it turns off and waits for the next image upload.

  • If your instance freely hosts whatever without any oversight, word will spread and all of a sudden you’re hosting all sorts of bad stuff. It’s not technically illegal if you don’t know about it, but I personally don’t want anything to do with that.

    Yeah, this is my primary concern. I'm hoping that there are established best practices for handling the majority of this sort of unwanted content.