Post APkL0yM8BxUPQItUXY by primalmotion@antisocial.ly
 (DIR) Post #APkH92PIc8xsUHxyAi by vortex_egg@hackers.town
       2022-11-19T00:35:00Z
       
       1 likes, 0 repeats
       
       Does anyone know anything about this? "An Elasticsearch server is currently scraping posts and public account information on Mastodon users. So far, information of over 150,000 Mastodon has been scraped and the process is ongoing. But what’s worse, the server is exposing the logged records to public access without any security authentication. This means that anyone with knowledge of exploring the Shodan search engine can access the information without the need for login credentials. It is worth noting that the exposed server belongs to a third party and is not affiliated with any of the official Mastodon servers." https://www.hackread.com/leaky-server-mastodon-users-data/
       
 (DIR) Post #APkH930AP4SIKdDPdY by primalmotion@antisocial.ly
       2022-11-19T00:54:07Z
       
       0 likes, 0 repeats
       
       @vortex_egg I'm not sure what's the problem. These are public data anyway. Or am I missing something?
       
 (DIR) Post #APkIjlyil5I2CgcBgu by masstransitkrow@federation.ninetiesmysteri.es
       2022-11-19T01:11:58.354365Z
       
       0 likes, 0 repeats
       
       @vortex_egg Yes. RT: https://federation.ninetiesmysteri.es/notice/APkIfoxOY8BIB28Nbk
       
 (DIR) Post #APkKqCtLo99FJtIaZs by max@smeap.com
       2022-11-19T01:26:40Z
       
       0 likes, 0 repeats
       
       @eldaking @primalmotion @vortex_egg My favorite current analogy: Restaurants are public spaces, but that doesn’t mean every conversation inside one is public data
       
 (DIR) Post #APkKqDaFEfSXSvMqR6 by primalmotion@antisocial.ly
       2022-11-19T01:35:30Z
       
       0 likes, 0 repeats
       
       @max @eldaking @vortex_egg yeah sure. But realistically, it's public. I mean this is the Internet. The laws of your country may be completely different from the ones in another country. If you yell in the restaurant and say shit, you gonna get kicked out. Private conversation or not. I am not expecting anything I post publicly here to be private. I think relying on laws, social rules or old social constructs on the Internet is a lost battle...
       
 (DIR) Post #APkL0yM8BxUPQItUXY by primalmotion@antisocial.ly
       2022-11-19T01:37:29Z
       
       0 likes, 0 repeats
       
       @max @eldaking @vortex_egg Especially since this is the fediverse. It is meant for instances to scrape data from the inbox/outbox of another one. So what are we gonna do? Sign EULA, forbid clients?
       
 (DIR) Post #APkLP5TxLf3GTV3LnM by max@smeap.com
       2022-11-19T01:41:48Z
       
       0 likes, 0 repeats
       
       @primalmotion @eldaking @vortex_egg We’re a social species. All we have are social norms! Just because technology makes it super easy to be rude doesn’t make it any less rude! (Nor does it make it a “lost battle” to fight for social norms.) In the real world if you try to eavesdrop on the wrong conversation you are liable to get punched. We don’t have remote punching technology (yet), but we can continue to shun bad actors in our communities and call them out for rudeness.
       
 (DIR) Post #APkLpzNa9937MktoR6 by primalmotion@antisocial.ly
       2022-11-19T01:46:41Z
       
       0 likes, 0 repeats
       
       @max @eldaking @vortex_egg Oh I'm not arguing that what this server does is right and polite. But it is getting public timelines. It's not hacking on DM or anything else. We should be careful about getting undignified by basic use of a public API, because the solution may be worse than the illness. As for the social species, depends... look at my handle :)
       
 (DIR) Post #APkMKCockuaHj0xM7k by primalmotion@antisocial.ly
       2022-11-19T01:52:09Z
       
       0 likes, 0 repeats
       
       @eldaking @max @vortex_egg We don't even know the purpose. They may be building a global account search engine? Doing research? Or, yeah, being a bad actor. But I am personally not offended by the simple fact of scraping public data. It is more important to educate people on the consequences of a public post, rather than limiting its use IMHO.
       
 (DIR) Post #APkMhV7KsNYF9Coglc by max@smeap.com
       2022-11-19T01:56:21Z
       
       0 likes, 0 repeats
       
       @primalmotion @eldaking @vortex_egg “Research” is forbidden by several instances’ code of conduct. Also “unsecured Elasticsearch” doesn’t need an intent behind it to be seen as a bad actor. Plenty of instances have secured Elasticsearch. It’s a part of the Mastodon install process. If someone is too lazy to secure an Elasticsearch cluster they shouldn’t be scraping any part of ActivityPub, “public” or not.
       
 (DIR) Post #APkMmzhwZKr9TCYj20 by primalmotion@antisocial.ly
       2022-11-19T01:57:22Z
       
       0 likes, 0 repeats
       
       @max @eldaking @vortex_egg ok I missed the "unsecure" part. That sucks ass hard.
       
 (DIR) Post #APkNBW6HmlU8srdd0C by primalmotion@antisocial.ly
       2022-11-19T02:01:48Z
       
       0 likes, 0 repeats
       
       @max @eldaking @vortex_egg but I still think that being de facto offended by someone scraping public data can be a dangerous path for the entire Fediverse. This is a more profound and complex issue.
       
 (DIR) Post #APkNeM6S2C12H9T0Uq by max@smeap.com
       2022-11-19T02:06:59Z
       
       0 likes, 0 repeats
       
       @primalmotion @eldaking @vortex_egg There’s robots.txt and #nobot. A lot of instances feel no problem with normal fediverse federation, but disagree with bots/scrapers on principle. It’s a “losing” battle, tilting at windmills sometimes even, but a battle worth fighting because it says a lot about who we are and what we value. People and conversations and community over machines. Expectation of some considerate privacy versus all laundry is dirty forever. I don’t mind a worthy lost cause.
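       The two opt-out mechanisms named in the post above, robots.txt (per instance) and the #nobot hashtag in a bio (per account), are what a well-behaved indexer checks before touching a profile. The following is an added example, not code from any poster or from Mastodon; the host names, the robots.txt bodies, the profile records and the user-agent string are all constructed for it, and it fetches nothing from the network. It uses the standard library's urllib.robotparser and assumes, as Mastodon does, that a hashtag in a bio is rendered as `#<span>nobot</span>` inside a link.

```python
"""Opt-out checks a well-behaved fediverse indexer should apply.

Two conventions from the thread: a per-instance robots.txt and the per-account
#nobot hashtag in a profile bio. Every input below is constructed for the
example; nothing is fetched from the network.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

CRAWLER_UA = "ExampleIndexBot"  # hypothetical crawler user-agent

# Constructed robots.txt bodies, keyed by instance host. A real crawler would
# fetch https://<host>/robots.txt once per host and cache it.
ROBOTS_BY_HOST = {
    "instance.example": "User-agent: *\nDisallow: /api/\nDisallow: /users/\n",
    "closed.example": "User-agent: *\nDisallow: /\n",
}

# Constructed account records shaped like a Mastodon REST API account object
# (only the fields used here). Mastodon renders a hashtag in the bio as
# '#<span>nobot</span>' inside an <a> tag, so alice's note mimics that.
PROFILES = [
    {"url": "https://instance.example/@alice",
     "note": '<p>Hiking and cats. <a href="https://instance.example/tags/nobot" '
             'class="mention hashtag" rel="tag">#<span>nobot</span></a></p>'},
    {"url": "https://instance.example/@bob",
     "note": "<p>Sysadmin. Ask me about Postgres.</p>"},
    {"url": "https://closed.example/@carol",
     "note": "<p>Artist.</p>"},
    {"url": "https://unknown.example/@dave",
     "note": "<p>I run #nobots (plural, not the opt-out tag).</p>"},
]

# '#nobot' as a whole token, case-insensitive; '#nobots' must not match.
NOBOT_RE = re.compile(r"(?<![\w#])#nobot\b", re.IGNORECASE)


def has_nobot(note_html: str) -> bool:
    """True if the bio carries the #nobot opt-out tag."""
    # Remove tags with no replacement so '#<span>nobot</span>' stays contiguous.
    text = re.sub(r"<[^>]+>", "", note_html)
    return NOBOT_RE.search(text) is not None


def load_robots(robots_txt: str) -> RobotFileParser:
    """Parse a robots.txt body into a RobotFileParser (no network access)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def may_index(profile: Dict[str, str], robots: Dict[str, RobotFileParser],
              user_agent: str = CRAWLER_UA) -> Tuple[bool, str]:
    """Decide whether one profile may be indexed and say why."""
    url = profile["url"]
    rp = robots.get(urlparse(url).netloc)
    # No robots.txt known for the host: treat as no instance-level opt-out.
    if rp is not None and not rp.can_fetch(user_agent, url):
        return False, "robots.txt disallows"
    if has_nobot(profile.get("note", "")):
        return False, "#nobot in bio"
    return True, "allowed"


def audit_profiles(profiles: List[Dict[str, str]],
                   robots_by_host: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Apply both opt-outs to every profile; returns (url, allowed, reason)."""
    robots = {host: load_robots(body) for host, body in robots_by_host.items()}
    return [(p["url"],) + may_index(p, robots) for p in profiles]


if __name__ == "__main__":
    for url, allowed, reason in audit_profiles(PROFILES, ROBOTS_BY_HOST):
        print(f"{'INDEX' if allowed else 'SKIP ':5} {url}  ({reason})")
```

       The instance-level rule is checked first because it is the operator's decision and covers accounts that never set #nobot; a missing robots.txt is treated as no opt-out, which is the usual crawler convention, so a per-account tag still has to be honoured on such hosts.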
       
 (DIR) Post #APkOt0u3EnFKp5DiYC by yuki2501@hackers.town
       2022-11-19T02:20:48Z
       
       0 likes, 0 repeats
       
       @primalmotion @vortex_egg If you download thousands of users' profile pictures and backgrounds, I fear what someone could DO with them. Impersonating people on different servers for phishing? Gathering intel and selling it to the highest bidder? Scraping potential bad investments for insurance companies? Tip off the FBI and CIA about "persons of interest"? Despite the "public availability" of profiles, the fediverse has the important assumption that the people reading your profile are, in fact, people, and not third party agents working for governments or corporate interests. Compiling and uploading this data to an unknown server should be seen as a breach of the social contract, and the people responsible should be banned from here. It's exactly the same case as installing cameras with facial recognition on the street. Sure, you're outside and if you're doing nothing wrong then you have nothing to fear, right? But do you really want your face to be in a database freely available and downloadable? Fuck that shit.
       
 (DIR) Post #APkPfC2r7C71HNJQTQ by Polychrome@poly.cybre.city
       2022-11-19T02:29:33.270080Z
       
       0 likes, 0 repeats
       
       @yuki2501 @primalmotion @vortex_egg I won't say their behavior isn't terrible but anything you post here should be considered public. It's why you don't see me posting my face on this thing.
       
 (DIR) Post #APkQVdZtzdEXjImDpo by primalmotion@antisocial.ly
       2022-11-19T02:39:03Z
       
       0 likes, 0 repeats
       
       @yuki2501 @vortex_egg but this is public. Don't get me wrong. I'm a huge partisan of privacy. I self host everything, including my mastodon instance because I trust nothing online. But just saying I'm offended, or what I post publicly could be used against me because someone scrapes my public data is just being disconnected from what is Internet at its core. No law will save you on the Internet and assumptions are the worst enemy of security.
       
 (DIR) Post #APkQVevCzts3tfkkgS by primalmotion@antisocial.ly
       2022-11-19T02:39:03Z
       
       0 likes, 0 repeats
       
       @yuki2501 @vortex_egg And the camera analogy is wrong IMO. It passively steals information. On a public timeline I provide information explicitly for others to consume.
       
 (DIR) Post #APkTwWL3JiyCxSLEfY by yuki2501@hackers.town
       2022-11-19T02:40:55Z
       
       0 likes, 0 repeats
       
       @Polychrome @primalmotion @vortex_egg I know. I don't fear the occasional spy looking at what I write. But this is large-scale scraping and red flags immediately arise. It's our duty to make this a safe place for everyone.
       
 (DIR) Post #APkTwWwd411mpzvFEu by Polychrome@poly.cybre.city
       2022-11-19T03:17:30.025800Z
       
       0 likes, 0 repeats
       
       @yuki2501 @primalmotion @vortex_egg I'd love that but fedi is really not designed for it. It's like posting on Usenet - for better or worse everything is in the open. People have been talking about this issue for over 15 years during fedi's development and ongoing evolution but it being public is core to how the network operates. If you want secrecy and safety then you'll have to start something new that works in a very different manner than what we've got here.
       
 (DIR) Post #APkfBTLpnzodX42VZw by StryderNotavi@aus.social
       2022-11-19T05:23:25Z
       
       0 likes, 0 repeats
       
       @primalmotion @eldaking @max @vortex_egg We can and should do both. Given how prevalent scraping is people should be aware of it and consider that when they post. But that really doesn't give someone a pass for scraping data from an instance that *specifically prohibits doing exactly that*. It doesn't suddenly become ok just because there isn't a technical control that prevents them from doing that.
       
 (DIR) Post #APliNmnNpceYKjRrDE by pee_zombie@schelling.pt
       2022-11-19T17:34:02Z
       
       0 likes, 0 repeats
       
       @Polychrome absolutely second this; I can understand why people are uncomfortable with scraping, but really, fedi is public-by-default and you cannot reasonably have any expectation of privacy on this network. It's just unrealistic to ignore the existence of adversarial actors; if your threat model doesn't include "people who won't behave the way I want them to", then, well, expect to be disappointed I guess
       
 (DIR) Post #APliRfCW0hMNwB3Jho by pee_zombie@schelling.pt
       2022-11-19T17:34:44Z
       
       0 likes, 0 repeats
       
       @Polychrome the solution to this, insofar as one is even desirable (which i'm not sure is true) is to collaborate on evolving the ActivityPub protocol to support content encryption
       
 (DIR) Post #APll2WKq8Snj40eHmS by Polychrome@poly.cybre.city
       2022-11-19T18:03:47.650608Z
       
       0 likes, 0 repeats
       
       @pee_zombie that's been one of my personal dreams but it's probably not going to happen. If Matrix can't pull it off, I don't know how AP will. :meowShrug: