The fediverse has a bullying problem
-
“Doesn’t scale because the containers are set up wrong” is different from “unmaintainable code” though. What of the code was bad? I’ve looked at a bunch of fedi projects and Pixelfed didn’t strike me as either particularly good or particularly bad.
As for the last, I don’t have any examples
?
I mean, that is sort of what I expected. Mastodon doesn’t publicize Wordpress. Lemmy doesn’t publicize mbin. They all, mostly, mention a little bit of the context that they can interoperate with other federated services, but it doesn’t strike me as weird or malicious that someone would write a project and then promote that project. That sounds normal.
Actually, both Mastodon and Lemmy chose to implement sort of their own versions of ActivityPub, and that actually does strike me as selfish behavior. It means that mostly they are their own independent platforms that run “on top of” ActivityPub instead of enabling full interoperation with the other stuff. Doing it that way was hard to avoid, because the design of ActivityPub to me isn’t great, but this situation is actually a perfect example of that: Mastodon implemented a new feature in a way that would break (in a really jarring privacy-violating-to-some-extent way) until everyone else copied their implementation exactly. I’m not aware of Pixelfed doing anything like that. Mastodon and Lemmy can both get away with presenting themselves as “the fediverse” and forcing everyone else into copying one implementation or the other if they want things to actually work, and they both show very little interest in making it easy. If you want to pick out sins of various fedi projects to start to point out that are disrespecting the other projects in the space, something like that is where I would start.
Everyone I ever talked to told me "well yes we have to implement our own version of ActivityPub because AP is under-defined". In most cases it is defined what AP does, but not how. Therefore individual programers go in and figure out on their own how a certain thing they are building for their platform should be structured in AP.
Now, every project could simply go "I will copy the way Pixelfed implements it". But why should PF have that priviledge?
-
Back when I was younger and naïve, I would Nicolas Cage OP.
I'm now more mature and open minded, and I can say I wholesomely agree with @[email protected] statement ITT.
Technologists have very little patience for people that are technologically illiterate. And whe you're fighting to liberate people against corporations that send hitlists against you, patience runs faster.
My hope is that people like OP can empathize that while yes, public technologies can be harmful and downright hostile, they can take their time to comprehend concepts technologist took their time to write down and document for.If you want private conversations with peers, it must be encrypted, it must be forward secret, and it must be authenticatable.
XMPP, SimpleXchat, & Signal are the only three that fit these specifications.
I have the first two (check my bio
), the latter I do not trust.the latter I do not trust.
Am I reading the article wrong? Is it not a good thing that they refused to comply with the hostile anti-encryption law?
-
the latter I do not trust.
Am I reading the article wrong? Is it not a good thing that they refused to comply with the hostile anti-encryption law?
They refused to operate ON a country with a hostile anti encryption law as a threat.
Signal could have mocked the France government for being authoritarian fascist censorious anti-mathematics pieces of turd, but leave USERS stuck in France with the danger of the government’s bs law.
A metaphor for ease of comprehension: Signal threatens a farmer for hunting chicken down, by ceasing all freeing-chicken-from-the-farm operations.
Not killing the farmer, but leaving the chicken without the tools to liberate themselves.Yes, I read Animal Farm.
-
That is still not the point the commenter and the original blog author were making.
What we can take away from this episode is that Pixelfed implemented the fix in a way that suggests they would not handle a 0 day exploit with a "reql" vulnerability well. And having followed dansup's projects for a while that doesnt surprise me, because he clearly prefers to work "chaoticly" than in a structured, regulated way.
The "taking the heat" is something completely seprrate and boils down to stupid people on the internet needing to be angry at someone.
I'm not sure you can make that conclusion. This isn't a real vulnerability, and this isn't a surprise to anybody who knows how the AP protocol works. Dansup didn't reveal anything that was previously unknown, the blog author just has an axe to grind. It's unfair to assume that an actual 0 day vulnerability would have been treated the same way.
-
So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as "private") in a format that other servers could easily wind up erroneously showing them to random people. That's not ideal.
Probably the clearest explanation of the root of the problem is this:
Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).
Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers—like in the public timeline, or a user's reblogs.
That is super relevant for "private" posts by Mastodon. They fall into the same category as how you've been voting on Lemmy posts and comments: This stuff seems private, because it's being hidden in your UI, but it's actually being broadcasted out to random untrusted servers behind the scenes, and some server software is going to expose it. It's simply going to happen. You need to be aware of that. Even if it's not shown in your UI, it is available.
Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on his blog about how his partner has been posting sensitive information as "private," and Pixelfed was exposing it, and how it's a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in his (IMO incorrect) opinion, the way Dansup had done it was wrong.
I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like he's planning on telling his partner that it's still okay to be posting her private stuff on Mastodon, marked "private," now that Pixelfed and only Pixelfed has fixed the issue. I think that's a huge mistake for reasons that should be obvious. It sounds like he's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer his partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.
That's not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this guy does. What I want to talk about is this type of comments on Lemmy, when this situation got posted here under the title "Pixelfed leaks private posts from other Fediverse instances":
Non-malicious servers aren’t supposed to do what Pixelfed did.
Pixelfed got caught with its pants down
rtfm and do NOT give a rest to bad behaving software
dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires
i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy
periodic reminder to not touch dansup software and to move away from pixelfed and loops
dansup is not competent and quite problematic and it’s not even over
developers with less funding (even 0) contributed way more to fedi, they’re just less vocal
dansup is all bark no bite, stop falling for it
dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs
I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They're also consistently upset, among other reasons, that he's getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.
This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who's doing something. Usually someone who's giving away their time to do something for everyone else. Then there's some giant outcry that they are "problematic" or awful on purpose in some way. With Dansup at least, every time I've looked at it, it's mostly been trumped-up nonsense. The worst it ever is, in actuality, is "he got mad and posted an angry status HOW DARE HE." Usually it is based more or less on nothing.
When I see this, the pattern is almost always the same. People take some high-profile person, and some kind of grain-of-truth accusation that they did something bad, that really boils down to "they had a bad day one day" or something, if that, and they run with it all the way through the end zone and halfway to the next town over.
Dansup isn't just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He's the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don't tell me any details about the protocol or why he didn't he broke it for everyone) (and don't tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it'll be hard for people to upgrade anyway so it doesn't count)
And so on.
Some particular moderator isn't just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:
a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.
a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.
And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.
It's weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say "actually it's not that simple", to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I'm completely wrong and incompetent for thinking otherwise and all the references I've been digging up and sending to try to illustrate the point are just more proof that I'm horrible?
Guys: Chill out.
I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is "problematic" or "toxic" or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.
I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that's causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it's based on is just weird petty bullying nonsense.
Just take it it with a grain of salt, too, if you see it, is also what I'm saying. Whether it comes from me or whoever. A lot of times, the issue doesn't look like such a huge deal once you strip away the histrionics and the assumption that everyone's being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.
So, I was probably (one of) the first to post that “Pixelfed leaks private posts” thing on here? I first wrote a long reply to this, but it sort if got away from me. The short version would be,
A) sure, the fediverse has a bullying problem in the sense that people do, and that that is usually exacerbated in any online comment field. People are awful, and that includes me, you, Dansup, and anybody reading this. We're also usually pretty brilliant when nobody's looking.
B) despite what I write above, I don't take bullying lightly. I am really uncomfortable with how you use the generally phrased headline to address this specific case. You're not writing about the fediverse as such, you're casting Dansup as a victim.
C) Dan's up, Dan's down, Dan's a victim, Dan's throwing a fit online and then deleting the tweets. As you cite in OP, some people attribute all sorts of unrelated evil to him. Most of all, my impression is Dansup has as a hard time separating from his role as main developer on Pixelfed, Loops, etc, as online commenters has separating his work from (perceived) personal faults.
D) let's imagine those projects were fully open sourced and developed by the community already. Would we be in the same situation here? Again, resorting to ad hominem bullying in online discussion is unacceptable, but I do question that Dansup is an unequivocable victim. Nor is he an evil mastermind who has engineered this situation to garner pity. He just seems to be extremely hard working, with a generous pinch of need for control of his projects.
-
This kind of indirect bullying is kind of unavoidable online (until we get that perfect education to civility that may happen in 2000 years if we still exist). Maybe one solution is to have strong rules and moderation about personal attacks. But then it's the moderators that will get bullied for censorship and end up crucified on the power tripping bastard community.
Maybe one solution is to have strong rules and moderation about personal attacks. But then it’s the moderators that will get bullied for censorship and end up crucified on the power tripping bastard community.
When people try to call out power tripping against valid moderation, they get called out on [email protected]
-
So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as "private") in a format that other servers could easily wind up erroneously showing them to random people. That's not ideal.
Probably the clearest explanation of the root of the problem is this:
Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).
Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers—like in the public timeline, or a user's reblogs.
That is super relevant for "private" posts by Mastodon. They fall into the same category as how you've been voting on Lemmy posts and comments: This stuff seems private, because it's being hidden in your UI, but it's actually being broadcasted out to random untrusted servers behind the scenes, and some server software is going to expose it. It's simply going to happen. You need to be aware of that. Even if it's not shown in your UI, it is available.
Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on his blog about how his partner has been posting sensitive information as "private," and Pixelfed was exposing it, and how it's a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in his (IMO incorrect) opinion, the way Dansup had done it was wrong.
I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like he's planning on telling his partner that it's still okay to be posting her private stuff on Mastodon, marked "private," now that Pixelfed and only Pixelfed has fixed the issue. I think that's a huge mistake for reasons that should be obvious. It sounds like he's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer his partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.
That's not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this guy does. What I want to talk about is this type of comments on Lemmy, when this situation got posted here under the title "Pixelfed leaks private posts from other Fediverse instances":
Non-malicious servers aren’t supposed to do what Pixelfed did.
Pixelfed got caught with its pants down
rtfm and do NOT give a rest to bad behaving software
dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires
i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy
periodic reminder to not touch dansup software and to move away from pixelfed and loops
dansup is not competent and quite problematic and it’s not even over
developers with less funding (even 0) contributed way more to fedi, they’re just less vocal
dansup is all bark no bite, stop falling for it
dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs
I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They're also consistently upset, among other reasons, that he's getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.
This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who's doing something. Usually someone who's giving away their time to do something for everyone else. Then there's some giant outcry that they are "problematic" or awful on purpose in some way. With Dansup at least, every time I've looked at it, it's mostly been trumped-up nonsense. The worst it ever is, in actuality, is "he got mad and posted an angry status HOW DARE HE." Usually it is based more or less on nothing.
When I see this, the pattern is almost always the same. People take some high-profile person, and some kind of grain-of-truth accusation that they did something bad, that really boils down to "they had a bad day one day" or something, if that, and they run with it all the way through the end zone and halfway to the next town over.
Dansup isn't just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He's the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don't tell me any details about the protocol or why he didn't he broke it for everyone) (and don't tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it'll be hard for people to upgrade anyway so it doesn't count)
And so on.
Some particular moderator isn't just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:
a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.
a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.
And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.
It's weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say "actually it's not that simple", to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I'm completely wrong and incompetent for thinking otherwise and all the references I've been digging up and sending to try to illustrate the point are just more proof that I'm horrible?
Guys: Chill out.
I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is "problematic" or "toxic" or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.
I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that's causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it's based on is just weird petty bullying nonsense.
Just take it it with a grain of salt, too, if you see it, is also what I'm saying. Whether it comes from me or whoever. A lot of times, the issue doesn't look like such a huge deal once you strip away the histrionics and the assumption that everyone's being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.
Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have?
First time on the internet? This happens everywhere, more so when you're anonymous or pseudonymous, but whenever you're behind a screen and everyone on the other side is just a username being controlled by an idiot or a troll.
-
Some people have privacy expectations that are not realistic in an unencrypted, federated, heterogeneous environment run by hobbyist volunteers in their spare time.
It you have something private and sensitive to share with a small audience, make a group chat on Signal. Don't invite any reporters.
This is exactly why ActivityPub makes for such a mediocre replacement for the big social media apps. You have to let go of any assumptions that at least some of your data remains exclusive to the ad algorithm and accept that everything you post or look at or scroll past is being recorded by malicious servers. Which, in turn, kind of makes it a failure, as replacing traditional social media is exactly what it's supposed to do.
The Fediverse also lacks tooling to filter out the idiots and assholes. That kind of moderation is a lot easier when you have a centralised database and moderation staff on board, but the network of tiny servers with each their own moderation capabilities will promote the worst behaviour as much as the best behaviour.
But really, the worst part is the UX for apps. Fediverse apps suck at setting expectations. Of course Lemmy publishes when you've upvoted what posts, that's essential for how the protocol works, but what other Reddit clone has a public voting history? Same with anyone using any form of the word "private" or even "unlisted", as those only apply in a perfect world where servers have no bugs and where there are no malicious servers.
-
Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have?
First time on the internet? This happens everywhere, more so when you're anonymous or pseudonymous, but whenever you're behind a screen and everyone on the other side is just a username being controlled by an idiot or a troll.
Agreed. Reddit and Twitter were bad for bullying, doxxing, or just general nastiness, I’m not saying that it doesn’t happen on Mastodon, or the Fediverse in general, but it’s nothing like as bad.
-
It sounds like she's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer her partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.
I agreed with you at first because from your description it sounded like she was saying security through obscurity was a good thing. But that’s not the case.
What she’s saying in the blog post is that this a 0-day and should be handled according to the best practices for 0-day disclosure.
You have to decide if you want to
- publish the findings before the fix -> more people will know and exploit the vulnerability but users might be aware and may or may not be able to mitigate sharing even more
- publish the findings after the fix -> the opposite
I don’t pretend to know enough to judge which option is the best. But I can’t fault the blog author for pointing out that Dansup didn’t follow best practices.
I don't think dansup was in the wrong here. Yes, it's a security issue I suppose, but the problem lies within the underlying protocol. Any server you interact with can ignore any privacy markers you add to posts, you're just not supposed to do that.
Whether this is a 0day depends on what you expect out of the Fediverse. If you treat it like a medium where every user or server has the potential to be hostile, like you probably should, this is a mere validation logic bug. If you treat it like the social media many of its servers are trying to be, it's a gross violation of your basic privacy expectations.
-
Agreed. Reddit and Twitter were bad for bullying, doxxing, or just general nastiness, I’m not saying that it doesn’t happen on Mastodon, or the Fediverse in general, but it’s nothing like as bad.
If you build it, they will come
-
This guy is being reasonable, get the pitchforks!
This guy also being a perpetrator of bullying because he didn't like moderation decisions makes this post a bit ironic though
-
Agreed. Reddit and Twitter were bad for bullying, doxxing, or just general nastiness, I’m not saying that it doesn’t happen on Mastodon, or the Fediverse in general, but it’s nothing like as bad.
If Mastodon/Fedi was at the scale those platforms are we would see more harassment, absolutely. It remains to be proven but I think federation enables a lot more eyes on content which implies harassing material can be removed more quickly.
Federation/decentralization solves a lot of problems over centralized social media, but ultimatley you can't engineer human nature.
-
So check it out: Mastodon decided to implement follower-only posts for their users. All good. They did it in a way where they were still broadcasting those posts (described as "private") in a format that other servers could easily wind up erroneously showing them to random people. That's not ideal.
Probably the clearest explanation of the root of the problem is this:
Something you may not know about Mastodon's privacy settings is that they are recommendations, not demands. This means that it is up to each individual server whether or not it chooses to enforce them. For example, you may mark your post with unlisted, which indicates that servers shouldn't display the post on their global timelines, but servers which don't implement the unlisted privacy setting still can (and do).
Servers don't necessarily disregard Mastodon's privacy settings for malicious reasons. Mastodon's privacy settings aren't a part of the original OStatus protocol, and servers which don't run a recent version of the Mastodon software simply aren't configured to recognize them. This means that unlisted, private, or even direct posts may end up in places you didn't expect on one of these servers—like in the public timeline, or a user's reblogs.
That is super relevant for "private" posts by Mastodon. They fall into the same category as how you've been voting on Lemmy posts and comments: This stuff seems private, because it's being hidden in your UI, but it's actually being broadcasted out to random untrusted servers behind the scenes, and some server software is going to expose it. It's simply going to happen. You need to be aware of that. Even if it's not shown in your UI, it is available.
Anyway, Pixelfed had a bug in its handling of those types of posts, which meant that in some circumstances it would show them to everyone. Somebody wrote on his blog about how his partner has been posting sensitive information as "private," and Pixelfed was exposing it, and how it's a massive problem. For some reason, Dansup (Pixelfed author) taking it seriously and fixing the problem and pushing out a new version within a few days only made this person more upset, because in his (IMO incorrect) opinion, the way Dansup had done it was wrong.
I think the blog-writer is just mistaken about some of the technical issues involved. It sounds like he's planning on telling his partner that it's still okay to be posting her private stuff on Mastodon, marked "private," now that Pixelfed and only Pixelfed has fixed the issue. I think that's a huge mistake for reasons that should be obvious. It sounds like he's very upset that Dansup made it explicit that he was fixing this issue, thinking that even exposing it in commit comments (which as we know get way more readership than blog posts) would mean people knew about it, and the less people that knew about it, the safer his partner's information would be since she is continuing to do this apparently. You will not be surprised to discover that I think that type of thinking is also a mistake.
That's not even what I want to talk about, though. I have done security-related work professionally before, so maybe I look at this stuff from a different perspective than this guy does. What I want to talk about is this type of comments on Lemmy, when this situation got posted here under the title "Pixelfed leaks private posts from other Fediverse instances":
Non-malicious servers aren’t supposed to do what Pixelfed did.
Pixelfed got caught with its pants down
rtfm and do NOT give a rest to bad behaving software
dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires
i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy
periodic reminder to not touch dansup software and to move away from pixelfed and loops
dansup is not competent and quite problematic and it’s not even over
developers with less funding (even 0) contributed way more to fedi, they’re just less vocal
dansup is all bark no bite, stop falling for it
dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs
I sort of started out in the ensuing conversation just explaining the issues involved, because they are subtle, but there are people who are still sending me messages a day later insisting that Dansup is a big piece of shit and he broke the internet on purpose. They're also consistently upset, among other reasons, that he's getting paid because people like the stuff he made and gave away, and chose to back his Kickstarter. Very upset. I keep hearing about it.
This is not the first time, or even the first time with Dansup. From time to time, I see this with some kind of person on the Fediverse who's doing something. Usually someone who's giving away their time to do something for everyone else. Then there's some giant outcry that they are "problematic" or awful on purpose in some way. With Dansup at least, every time I've looked at it, it's mostly been trumped-up nonsense. The worst it ever is, in actuality, is "he got mad and posted an angry status HOW DARE HE." Usually it is based more or less on nothing.
When I see this, the pattern is almost always the same. People take some high-profile person, and some kind of grain-of-truth accusation that they did something bad, that really boils down to "they had a bad day one day" or something, if that, and they run with it all the way through the end zone and halfway to the next town over.
Dansup isn't just a person making free software, who sometimes posts angry unreasonable statuses or gets embroiled in drama for some reason because he is human and has human emotions. He's the worst. He is toxic and unhinged. He is keeping his Loops code secret and breaking his promises. He makes money. He broke privacy for everyone (no don't tell me any details about the protocol or why he didn't he broke it for everyone) (and don't tell me he fixed it in a few days and pushed out a new version that just makes it worse because he put it in the notes and it'll be hard for people to upgrade anyway so it doesn't count)
And so on.
Some particular moderator isn't just a person who sometimes makes poor moderation decisions and then doubles down on them. No, he is:
a racist and a zionist and will do whatever he can to delete pro-Palestinian posts, or posts that criticize Israel.
a vile, racist, zionist piece of shit, and anyone who defends or supports him is sitting at the table with him and accepts those labels for themselves.
And so on. The exact same pattern happened with a different lemmy.world mod who was extensively harassed for months for various made-up bullshit, all the way up until the time where he (related or not) decided to stop modding altogether.
It's weird. Why are people so vindictive and personal, and why do they double down so enthusiastically about taking it to this personal place where this person involved is being bad on purpose and needs to be attacked for being horrible, instead of just being a normal person with a variety of normal human failings as we all have? Why are people so un-amenable to someone trying to say "actually it's not that simple", to the point that a day later my inbox is still getting peppered with insistences that Dansup is the worst on this private-posts issue, and I'm completely wrong and incompetent for thinking otherwise and all the references I've been digging up and sending to try to illustrate the point are just more proof that I'm horrible?
Guys: Chill out.
I would just recommend, if you are one of these people that likes to double down on all this stuff and get all amped-up about how some particular fediverse person is "problematic" or "toxic" or various other vague insinuations, or you feel the need to bring up all kinds of past drama any time anything at all happens with the person, that you not.
I am probably guilty of this sometimes. I definitely like to give people hell sometimes, if in my opinion they are doing something that's causing a problem. But the extent to which the fediverse seems to like to do this stuff just seems really extreme to me, and a lot of times what it's based on is just weird petty bullying nonsense.
Just take it it with a grain of salt, too, if you see it, is also what I'm saying. Whether it comes from me or whoever. A lot of times, the issue doesn't look like such a huge deal once you strip away the histrionics and the assumption that everyone's being malicious on purpose. Doubly so if the emotion and the innuendo is running way ahead of what the actual facts are.
People get so weird about Dansup.
-
Honestly? I live in a small town, and face to face isn't much better. People are incredibly bigoted, and might be polite to your face but incredibly judgemental and small minded, especially to anyone perceived as different. Empathy is a skill that needs to be practised, like meditation. And many people lack it both online and off.
But people are polite to your face. On the internet there's no face, so that goes away.
I think part of that comes from empathy, though obviously part also comes from fear of confrontation and habit. It all adds up to offline interactions being far less hostile than on the Internet because they're not face-to-face.
This is also known as Internet Fuckwad Theory.
-
I'm not sure you can make that conclusion. This isn't a real vulnerability, and this isn't a surprise to anybody who knows how the AP protocol works. Dansup didn't reveal anything that was previously unknown, the blog author just has an axe to grind. It's unfair to assume that an actual 0 day vulnerability would have been treated the same way.
Correct. And as I tangentially mentioned, even if you do think this needs to be kept secret, then the blog author would still be wrong, because this blog post is doing is doing way more “harm” by publicizing the issue than any amount of commit notes ever could.
But yes, trying to keep this secret like a 0-day is completely the backwards model for how to handle it.
-
But people are polite to your face. On the internet there's no face, so that goes away.
I think part of that comes from empathy, though obviously part also comes from fear of confrontation and habit. It all adds up to offline interactions being far less hostile than on the Internet because they're not face-to-face.
This is also known as Internet Fuckwad Theory.
Mostly I agree but I disagree in this way:
Face to face, especially in a small community, some people take it upon themselves to establish what they see as the right and proper rules for the community. Everyone must have a grassy lawn cut to exactly three inches is kind of the least terrible end of this.
“Queer people are a danger to our children”, “Everyone must be in a straight, monogamous relationship, that produces children who aren’t autistic or disabled in any way,” etc. and, because it’s in person, they have much more power to ruin lives.
We see some of that behavior in online communities but people generally have much more ability to “vote with their feet” or even abstain online.
I had Instagram for five minutes before they started trying to share my account with acquaintances who didn’t know I was queer. (Which is a crime as far as I’m concerned but not relevant.) I immediately closed my account. Imagine that had been a neighborhood I’d just moved into. It might not even be possible for me to move before I faced months of the real life consequences of being forcibly outed by a neighbor.
There’s a veneer of politeness in meat space. Sometimes there’s more than a veneer to it. But often not.
-
Everyone I ever talked to told me "well yes we have to implement our own version of ActivityPub because AP is under-defined". In most cases it is defined what AP does, but not how. Therefore individual programers go in and figure out on their own how a certain thing they are building for their platform should be structured in AP.
Now, every project could simply go "I will copy the way Pixelfed implements it". But why should PF have that priviledge?
Agreed. It’s not completely their fault. But also, they’ve run further than they needed to with the “I’m in charge of what protocol I’m going to speak to other instances running my own software” than they needed to. Case in point, this exact issue with “private” posts. A lot of things had to be fleshed out more so than they are in the AP spec. This feature needed to be handled more carefully than that.
-
So, I was probably (one of) the first to post that “Pixelfed leaks private posts” thing on here? I first wrote a long reply to this, but it sort if got away from me. The short version would be,
A) sure, the fediverse has a bullying problem in the sense that people do, and that that is usually exacerbated in any online comment field. People are awful, and that includes me, you, Dansup, and anybody reading this. We're also usually pretty brilliant when nobody's looking.
B) despite what I write above, I don't take bullying lightly. I am really uncomfortable with how you use the generally phrased headline to address this specific case. You're not writing about the fediverse as such, you're casting Dansup as a victim.
C) Dan's up, Dan's down, Dan's a victim, Dan's throwing a fit online and then deleting the tweets. As you cite in OP, some people attribute all sorts of unrelated evil to him. Most of all, my impression is Dansup has as a hard time separating from his role as main developer on Pixelfed, Loops, etc, as online commenters has separating his work from (perceived) personal faults.
D) let's imagine those projects were fully open sourced and developed by the community already. Would we be in the same situation here? Again, resorting to ad hominem bullying in online discussion is unacceptable, but I do question that Dansup is an unequivocable victim. Nor is he an evil mastermind who has engineered this situation to garner pity. He just seems to be extremely hard working, with a generous pinch of need for control of his projects.
you’re casting Dansup as a victim
Correct. The original blog post wasn’t really all that bullying, I just thought it was mistaken about the security issues involved. The subsequent comments (“incompetent” “toxic” “quite problematic” “funding funding funding” and so on) were what I would describe as bullying. And, it fits a pattern where people take some issue (often one like this where he didn’t even theoretically do anything wrong) and use it as a jumping-off point to start the personal attacks.
Dan’s up, Dan’s down, Dan’s a victim, Dan’s throwing a fit online and then deleting the tweets. As you cite in OP, some people attribute all sorts of unrelated evil to him. Most of all, my impression is Dansup has as a hard time separating from his role as main developer on Pixelfed, Loops, etc, as online commenters has separating his work from (perceived) personal faults.
What?
Why should he separate from his role as main developer? This makes no sense. “Sure those people got personally insulting with Dan for no reason at all, but you have to remember, he’s the main developer of these projects and he won’t separate from them. So it’s complicated.” What?
-
Just a random thought, if there is a need for privacy wouldn't it be possible to create public / private encryption key for users so messages can be encrypted and exchanged.
This way what would be public is that there's an exchange but nobody would be able to know what was said. It would make it at least message content private.
To make it a step further could exchange between servers also use it to encrypt which users exchange private message. I am thinking it could make it fully private then. Only sender and receiver servers could know which users were private messaging.
You actually could do this kind of thing with AP. It’s designed to give a key pair to every user to use for signing all their activities, so so the some careful redesign, you might be able to do something like have the browser authenticating the user’s identity in a way that the server isn’t able to do, or even messages being sent encrypted in a way that the server can’t read.
In practice, the server keeps the user’s private keys, and moving away from that model would be difficult. But you could in theory redesign it away from that.
