this post was submitted on 04 Mar 2024
740 points (97.9% liked)

Technology

59999 readers
2374 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Socsa@sh.itjust.works 7 points 9 months ago* (last edited 9 months ago) (1 children)

Lemmy in general is filled with potential security and privacy holes. The threat surface is just too massive.

Not to mention it has a bunch of vulnerabilities in terms of just basic forum functionality. A rogue instance can very easily just hijack all sorts of federated content and force it into a certain state as desired. Especially if that content is old. There is not really any mechanism for tracking source authority for federated updates, and there are definitely already signs that this is getting exploited to promote certain content and fuck with vote totals IMO.

None of this really matters at this point because Lemmy is insignificant, but it kind of places a limit on how much Lemmy can be scaled before it just becomes even more of a cringe propaganda wasteland than it already is.

[–] SorteKanin@feddit.dk 4 points 9 months ago* (last edited 9 months ago) (1 children)

A rogue instance can very easily just hijack all sorts of federated content and force it into a certain state as desired.

I'm really not sure what you mean by this, can you elaborate?

There is not really any mechanism for tracking source authority for federated updates, and there are definitely already signs that this is getting exploited to promote certain content and fuck with vote totals IMO.

I'm not sure what you mean by "not any mechanism for tracking source authority". Admins on their own instance are in control of what happens to the content and they'll know if another site edits content or whatever as that is sent as requests in ActivityPub.

What are the signs you're referring to?

[–] Turun@feddit.de 2 points 9 months ago (1 children)

Are updates authenticated? Or can I send an update to lemmy.world from 123.123.123.123 (which is not the IP address of feddit.de) that you have edited your comment to say "I don't like pizza"?

If updates are not authenticated this really could be a big problem.

[–] SorteKanin@feddit.dk 3 points 9 months ago* (last edited 9 months ago)

You cannot do that, no. Edits are authenticated in the sense that the request must come from the instance of the user.

Your admin could in principle send such a request for you. But then you're talking about a malicious admin and then all bets are off. Obviously admins are in full control of everything on their own instance, including being able to edit their own users stuff. Not that any reasonable admin would do that.