The major takeaway for me is apparently users of the fediverse are so well behaved that this has apparently never come up before. Not sure if it’s a lack of popularity or that people who use the fediverse are more intelligent but if this is the first time they are facing this kind of attack they are pretty lucky.
Most of the time exploits like these are used to send out phishing links. The average fediverse user is tech savvy enough to not fall for a phishing link, so the usual scammers who would have done this already didn't bother.
@spaceghostmiid Quite frankly, these days good phishing becomes too hard for even security researchers to differentiate.
Sure, they don't fall for the average thrown-together stuff, but there are quite a lot of phishing sites and emails out there these days which you can't differentiate anymore.
Yeah, yet another way it mimics the early web. It's not like systems in the 90s and early 2000s were secure by any means.
@orbatos Yeah, but computers were slow back then. It's much easier to do now with blazing fast computers.
@Drazil100 Sure, the point was that the community was better citizens (on average) and like you suggested the same was true for the fediverse... initially. After all, unlike the closed-off and often hidden 3rd party alternatives, Mastodon has been both inclusive from the start and hostile to Nazi bar formation.
What we need is the second phase, interest in continuing open interchange while building up security. This is not an easy step, and in some ways it is already failing with many small instances forming a ridiculous hatred of larger instances.
"Now the problem in this case is over..."
In the industry, we call this "foreshadowing".
Out of all the things on Brodie's channel, a Japanese schoolkids war was not what I expected.
"You can tell it's Japanese because of this thing."
You can't really tell because of that.
Don't forget, weebs exist.
Don't forget I'm a weeb.
@BrodieRobertson You translating kuroneko without prompt and pause gives it away 🐈⬛
I self-host Mastodon and have been worried about this kind of bullshit happening since day one. Not so much because of the spam itself, but because eventually this is going to go the way of e-mail where self-hosting is basically impossible without jumping through a lot of hoops.
As for "the Fediverse attacking Threads", that's literally why Google and Facebook dropped XMPP support.
Also let's appreciate that Kuroneko (black cat) is also the logo for one of Japan's shipping companies (Yamato Transport).
No, it's not why XMPP support was dropped, not even close. It has everything to do with building walled gardens. Google was the one who both extended XMPP and proposed federation, then watched Microsoft, Facebook and Apple just pick out three parts they liked and run. Google later dropped it because of the same internal BS that causes most projects to get killed at Google, not spam.
Like email though the web will evolve. We can only have nice things until it gets popular enough for people to attack it. Then something new takes its place.
If Google monopolizes it.
"Their old group imploded due to infighting"
Yeah, kids.
"Script kiddy" LOL Indeed. A throwback to the good old days.
Hi, thanks for showing my post at 10:57! Please continue making videos like these! Have a wonderful day!
thank you for your incredible work Erik!
people, go donate to his instance's maintenance
Some new spam protection features have been announced for vanilla Mastodon. Open registrations will be off by default, and even if enabled they will automatically turn back off after a week of admin inactivity.
There's also image-based blocklists being implemented on some forks, based on blurhashes.
typical mastodon activity
I've settled on an Akkoma instance that's not popular at all, that is ruled by a friend of mine. As he almost rage quit during the attack, I assume the instance was affected. I have no idea though, I didn't see a single post. I guess the filters were working.
I run a single user instance.
Spam is not out of the ordinary; bad faith report spam, link spam and DM spam are more common than people think. This was an order of magnitude broader, as usually it's not an indiscriminate network-wide firehose.
The solution is really simple: close open signups and utilize invite codes. You end up with a healthier social graph that way too.
Closed signups kind of go against some instances' philosophies. I think requiring multifactor authentication for signups (valid email plus setting up OTP, maybe additional PKI stuff) would be a better option for open instances. That, and maybe adding captchas like they've suggested. Or maybe also a cooldown for posts, maybe new accounts can't post for 24 hours, or maybe some kind of automated analysis on new accounts that can detect potential spam, etc.
Personally I've seen none of this spam stuff, partially due to the fact that the admin of the instance I'm on is fairly good and active, and, as well as this, I barely ever check the global stuff, only see stuff from people I follow.
I haven't gotten spam either, despite being on multiple instances (including Japanese ones).
What a dumpster fire! As a person who is not far away from the age of these script kids, school can be incredibly boring, and the desire of doing something completely deplorable is huge, but even I would not be ready to do something this stupid.
Fun fact: Mumei means Nameless (just like Nanashi)
Oh hi!
They're like a palindrome actually.
nanashi, read 名無し or nameless, is the reverse reading of mumei, read 無名 or no name.
7:00 looks like the owl finally decided to make history 💀
I'm on both Mastodon and Lemmy and did not really see any of the spam itself. I saw people talking about it, but I didn't see the spam in question except in screenshots.
Most of it was focused on the Japanese instances
It also mostly shows the problem of abandoned servers.
My server was one of the first hit. We solved it in literally 5 minutes; we have the timestamps to prove it. Because we dealt with it so fast, we don't even appear in lists of instances to refederate with after the problem was solved, since we weren't on the bad lists to begin with.
Many servers are uncared for, taking days to get solved, or not solved at all.
I guess I'm an old fart and only do YouTube. I've tried Mastodon, Twitter, Facebook.
They're all too much of an echo chamber for my taste
you could say Nekochamber about the Misskey one
This is why I moved to classic webforums. They actually have meaningful discussions.
@SmileyBMM made webforums great again!
Mastodon is just like forums in the old days, only with federation you can participate in others, that's not insular at all. Each instance being a community is not like Twitter at all, and it's not a closed system like Facebook.
@orbatos except instances constantly block each other over childish reasons and there is no easy way for them to be searched like forums.
I use Mastodon, and saw maybe 1 or 2 spam posts in the discovery feed. Other than that, I only saw people talking about spam, rather than actual spam.
3:15 incredible instance names
😭😭😭
😭😭😭😭😭😭😭
They're really quite cute and funny... 😭😭😭
I'm in favor of signup queues, like if you are a legit new user it could take a week for your request to be processed... I think that's fine, such that if you want 1000 accounts you will have to wait a week for most of them and if an admin spots you it's over.
As they say, one account per day keeps the admin away. Yeah, it takes time, but you can run it in parallel on many instances and many IP/email combinations. Also signup queues kill user retention, because once the queue is over the user has already forgotten about the platform. If you don't get the user's attention immediately they have a very high chance of never coming back.
@nezu_cc If it's that easy to lose users, you didn't really have users.
If you run a decentralized system, at least you would implement some basic protection mechanisms, right?
Think about Captchas, PoW, reputation systems and IP/region blocks.
Bruh, how hard is it to use Cloudflare's DNS proxy lol
@bruwyvn Not very, but there is more to add than only a Cloudflare proxy.
@bruwyvn It would be foolish to rely on a proprietary corporate solution.
Some of these do exist on Mastodon but a lot of servers disable them.
Still an interesting story without having experienced it
Just stop using social media guys even if it’s federated twitter it’s still BS
Mastodon has released an update today which includes setting all servers to be closed to new registrations by default.
Honestly I saw the aftermath, I didn't see it happen though.
2:25 Lol! 😂
I have no idea why I'm seeing this video
Gods of the GNU/Linux realm Torvalds & Stallman were mercy upon you peasant and show you da way of true freedom. Now go and say to every stranger you'll meet, what have you seen.
@darukutsu Amen break
@burein_itabombou trchhh baboubmm trcch bamboumm trcch babboum bababoum trcchh
The updates the servers are putting out will handle a lot of things, but there also needs to be tooling for admins to handle compromised instances. Having gone through and blocked 100+ instances during the spam, it's untenable to manage that. There needs to be a subscription process or something to block and unblock, ideally one that's recursive so lists of lists can be created.
Would help with not just spam, but "undesirable content" instances as well.
Would be amazing to be able to mirror the big instance blocks.
I haven't experienced any spam issues on Mastodon. Of course I've seen people talk about it, but didn't see any of these spam posts. I assume that my instance admin was quicker to react than many others.
We get these false flag events on IRC (yes, it's still around; yes, people still use it, though not nearly as active as it used to be) ALL THE TIME. Thankfully they're relatively easy to deal with over there, given IRC is a text-only platform.
See, this is why we can't have nice things! I love Mastodon but the spam is accumulating.
Common FyraLabs W
Very true
I did script stuff when I was a kid back in the mid 90s.
I got zero spam but lots of people talking about it. Being on a small but active Mastodon server definitely helps with stuff like this ^^
A lot of it was targeted at the Japanese servers
Hi Brodie,
I do this using DMs as it is distribution. I send bot messages encrypted to random fediverse users, each one using its own MFA and sending to my self-hosted instance as a feed of encrypted data.
Yeah, I'm a Mastodon user and saw no spam. The only thing I saw about this issue except for this video were 2 messages from my instance's admins that they are looking into it.
It was mainly targeting the Japanese instances.
@BrodieRobertson Right! My instance is German.
Nooo Moomers, you can't do that!
Being a skiddie in Japan surely is busy work.
hi it is cappy
Q: have you completely gotten over #wayland?
Don't worry I'm just charging up for my final attack
Mastodon has a fatal SJW censorship problem.
Many of the users on my instance are getting hammered by spam. It hasn't hit me personally, but there's lots of posts complaining about it, so I guess that's second-hand spam, lol.
How about you're only able to make an account with a supported hardware key? That would tie accounts to actual hardware while respecting privacy, and botting would become prohibitively expensive.
I heard that most of them are kids, that means that a few of them are adults. If you're an adult wasting your time with a raid orchestrated by a bunch of dumb kids... what the hell are you doing with your life?
I haven't seen any of this. I guess because my server and those it's connected to are mostly sane people? I'm on the official Canadian server...
Didn't get any spam, or I haven't felt it.
How to be pathetic online 101
I really want to see some kind of federated authentication and SSO. I have no idea what that looks like, but I feel like I saw posts about it.
You want a government run digital identity system that makes anonymity on the Internet impossible and makes everything traceable to your home address.
I like the freedom of the fediverse. But aren't these types of things just inevitable in that sort of system? Along with all the CP, nazis, feminists, and transgenders. All sorts of things some people don't like. (I express no opinion here, I just made a list of things some people don't like.)
Hard to solve, because this is free software, so if people want to have old software, or easy-to-abuse instances, they're able to.
One suggestion is auto filtering servers that are too out of date
Well, I'm a self-proclaimed script kiddie who legally isn't even a child anymore and only makes harmless scripts like almost every programmer does to make repetitive things easier.
Can relate
A script kiddie is someone who can't write scripts
@thewhitefalcon8539
Well, I'm not great at scripting either.
Oh god, anyone surprised once the influencers and such attention hogs found out about it.
4:10 This is backwards. No one on small instances cares if Threads gets blasted with spam. We were never interested in their "infinite growth" mindset and it's bad for the fediverse whenever someone mindlessly parrots it.
The part about open-signup fedi instances spamming other instances is the real story.
I know most people don't care at all, that's sort of the problem
9:03 no they aren't. Children are similar to adults. Most are good people. These kids are bad people.
Good people yeah, dumb also yeah
Source: I was a kid in the past
You should've blurred out their links/omitted their names... You're giving them free advertisement.
If you join the malware discord that's a you problem
Hacker wars! LOL
I don't care, I'm using Cartelion
Mastodon is just a variation of email and it will learn all the same lessons email did.
free posts
The fettyverse lmao
Why social media if dedicated blogs, e-mail and IRCs do a better job?
Better how, exactly? IRC specifically is a protocol in dire need of an update. There's actually a proposal, but people ignored it for Matrix.
All of these serve very different functions and are useful in their own right, but don't replace social media.
@excidium666 What needs an update? IRC is fine how it is. Encryption and digital signatures maybe?
@BrodieRobertson I am being honest, I really REALLY don't see the point of social media. I'm subscribed here just because it might help you in some way, but I got your video from RSS; your videos could be in a blog and that would be fine. The comment section is usually pretty meaningless, as 99.99999% of the time it's just people shitposting, and rarely would someone care about a random guy's opinion anyway. E-mails are also a fine option to communicate, and I don't see a point in XMPP and Matrix for messaging when they have the same problems as e-mails do; they just have more convenient clients. Especially Matrix: the amount of problems that I had with that thing, from managing the server to actually using it, I got so many problems that I just prefer e-mails with RSA encryption.
@autistadolinux5336 You are the 1% of 1% exception then, and that's ok, but it's not how other people see things.
Use Mastodon if you're into anime, furries and FOSS, but it's useless for everything else, especially politics.
Lol
X user not impacted 💫
X-bros? How do we keep winning. First with Xorg, then with X
@quadrupledamage Both falling apart as we speak right now. Another win for Mir users.
I feel sorry for the kids in this, they're just having a bit of fun
That's good bait
Is it as good as deez nuts? @BrodieRobertson
Don't really see the point of Mastodon today when we have Farcaster.
Wut?
I can't keep up with this stuff
Who cares about Farcaster
@StarlordStavanger Yeah, it's just a crappy blockchain social media thing.
What is farcaster?
I don't get the point of many open and decentralized social media services. Something like PeerTube might be nice, and messengers are *very* important, but why do we need open-source Twitter or Instagram? These platforms were designed to be addicting for profit and I don't see the point in using them anyway.
Because people desire the experience of those platforms so you need to offer a sane alternative
People like communicating with others. Humans are social animals.
Basically so people can live in echo chambers and have confirmation bias.
Basically, all social media is used for now.
@jort93z I'd rather my main method of social interaction not be designed around Skinner box principles.
@jort93z Have you ever heard about going outside, lad?