Post APkhbBz7CCRF6nnwTA by lamp@mastodong.lol
(DIR) Post #APk00MCnw6f643OfQW by lamp@mastodong.lol
2022-11-18T21:41:25Z
0 likes, 0 repeats
@dfeldman i do worry about this. as long as servers accept new peers without any challenge then someone determined to harass could keep sending from new dummy instances. the free TLDs could be blocked, but lots of other people's domains on afraid.org could be abused. and of course there are cheap domains they could buy. i feel like a single person could fuck up the fediverse if they wanted to.
(DIR) Post #APkCebEmfMBHibHJZo by deavid@techhub.social
2022-11-18T23:43:33Z
0 likes, 0 repeats
@lamp @dfeldman fully agree here. What about those sites for dynamic IPs? Free subdomains ready to be exploited. And there's a long list of domains that can be used. Also, hacked servers. I think Mastodon needs a way to authenticate/prove servers.
(DIR) Post #APkbpz3cwRghdOaKEC by lapingvino@esperanto.masto.host
2022-11-18T23:29:17Z
0 likes, 0 repeats
@lamp @dfeldman It is possible, but it's not free or cheap. The only way it would be cheap is from a single instance, which would mean a simple cutoff for that instance until they get their shit together. You can even go into whitelisting mode if things get really bad. The big difference with the fediverse is that you don't have to play with the same rules to participate. You might get a part of the network down, but the rest will adapt. Any attacker is fighting a losing battle.
(DIR) Post #APkbpzc0sbC3M2fmpE by lamp@mastodong.lol
2022-11-19T04:45:46Z
0 likes, 0 repeats
@lapingvino @dfeldman you could get domain names for under a dollar. 75 cents to send blackmail to a user might be worth it to someone 🤷 well their ip addresses could be blocked, but they could easily change, whether it's a dynamic isp or something like free oracle cloud. so yes besides admins playing a whack-a-mole war if this happens, the ultimate security would be whitelist mode. but this will drastically change the fediverse/mastodon network as we know it.
(DIR) Post #APkhbBCu5RsEhHFRK4 by deavid@techhub.social
2022-11-19T00:08:50Z
0 likes, 0 repeats
@lamp @dfeldman Oh, I forgot. What about DDoS and rate-limiting? What if a group decides to start querying the APIs like crazy? If the servers are suffering already with regular load, what happens if they need to deal with lots of requests that seem legitimate but are just an elaborate DoS attack?
(DIR) Post #APkhbBz7CCRF6nnwTA by lamp@mastodong.lol
2022-11-19T05:50:23Z
0 likes, 0 repeats
@deavid @dfeldman there's that too; individual servers don't have the defense that a massive platform like twitter has. well there's ways to protect on different layers but as for the application layer... i think i heard mastodon has rate limits but whatever can mimic legit traffic will have to get through. also peers need to have enough quota for all the proxying they need to do for their users.
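The two controls the thread keeps circling back to are an allowlist ("whitelist mode", mentioned by lapingvino and lamp above) or blocklist on the sending instance's domain, and per-peer rate limiting (deavid's and lamp's posts above). The following is an added illustration, not Mastodon's code or anything from the posters: a small admission-control class that an inbound federation handler could consult. Domain matching covers subdomains, so blocking a base domain also covers free subdomains under it, and the rate limit is a token bucket keyed by sending domain, so one peer sending many individually valid-looking requests gets throttled while other peers are unaffected. The domain names and limits are constructed sample values, and `ManualClock` exists only to make the simulation deterministic.

```python
"""Per-peer admission control for inbound federation requests (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass
class _Bucket:
    tokens: float   # tokens currently available to this peer
    last: float     # clock reading at the last refill


class ManualClock:
    """Deterministic clock for simulations; production code would use time.monotonic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def domain_matches(domain: str, listed: str) -> bool:
    """True if `domain` equals `listed` or is a subdomain of it."""
    domain = domain.lower().rstrip(".")
    listed = listed.lower().rstrip(".")
    return domain == listed or domain.endswith("." + listed)


class PeerAdmission:
    def __init__(self, mode: str = "blocklist", allowed: Iterable[str] = (),
                 blocked: Iterable[str] = (), capacity: float = 60.0,
                 refill_per_sec: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if mode not in ("blocklist", "allowlist"):
            raise ValueError("mode must be 'blocklist' or 'allowlist'")
        self.mode = mode
        self.allowed = tuple(allowed)
        self.blocked = tuple(blocked)
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def domain_permitted(self, domain: str) -> bool:
        """Blocklist always wins; in allowlist mode unlisted peers are refused."""
        if any(domain_matches(domain, b) for b in self.blocked):
            return False
        if self.mode == "allowlist":
            return any(domain_matches(domain, a) for a in self.allowed)
        return True

    def admit(self, domain: str, cost: float = 1.0) -> Tuple[bool, str]:
        """Decide one inbound request from `domain`; returns (admitted, reason)."""
        domain = domain.lower().rstrip(".")
        if not self.domain_permitted(domain):
            return (False, "domain-policy")
        now = self.clock()
        bucket = self._buckets.get(domain)
        if bucket is None:
            bucket = _Bucket(tokens=self.capacity, last=now)
            self._buckets[domain] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill)
        bucket.last = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return (True, "ok")
        return (False, "rate-limited")


def flood_summary(policy: PeerAdmission, domain: str, n: int) -> Dict[str, int]:
    """Send n back-to-back requests from one peer and count the outcomes."""
    counts: Dict[str, int] = {}
    for _ in range(n):
        _, reason = policy.admit(domain)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    clock = ManualClock()
    policy = PeerAdmission(blocked=["badpeer.invalid"], capacity=5,
                           refill_per_sec=1.0, clock=clock)
    print(flood_summary(policy, "flood.example.invalid", 8))
    print(policy.admit("sub.badpeer.invalid"))
```

With the sample settings a burst from one peer is cut off after the bucket empties and recovers at one request per second, while a subdomain of a blocked base domain is refused before any bucket is consulted. In allowlist mode the same class refuses every peer not explicitly listed, which is the "whitelist mode" trade-off the thread describes: it ends the whack-a-mole but also ends open federation.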
(DIR) Post #APki2Y90um5dedTnMW by lamp@mastodong.lol
2022-11-19T05:55:26Z
0 likes, 0 repeats
@deavid @dfeldman i guess that's why mastodon doesn't allow unauthenticated access to external content, it just redirects you directly to the original url. but i don't know about the other software. any that proxies external content for anyone without caching could be used for a ddos :P
(DIR) Post #APmEhIIW827o4SMBsm by dfeldman@hachyderm.io
2022-11-18T21:04:59Z
0 likes, 0 repeats
Mastodon is very, very vulnerable to spam - a lot like email before SPIF/DKIM/spam filters. I hope the community is able to fix this before the spammers figure out how to exploit it.
(DIR) Post #APmEhIikYV6nNod8ls by dirkcgrunwald@infosec.exchange
2022-11-19T20:40:14Z
0 likes, 0 repeats
@dfeldman Looks like it's happening at the retail level already. https://twitter.com/Rainmaker1973/status/1594066681013624832?s=20&t=gY7TlMpRuUNTLOQzCFvfaA
(DIR) Post #APmEhJ55DSyOV54ya8 by dfeldman@hachyderm.io
2022-11-18T21:05:54Z
0 likes, 0 repeats
* SPF
(DIR) Post #APmEhJ6V8C6iZTk6nA by lamp@mastodong.lol
2022-11-19T23:36:03Z
0 likes, 0 repeats
@dirkcgrunwald @dfeldman Ummm... it's a twitter bridge, it literally is them on twitter...
(DIR) Post #APmEhKHAm0EoCrk944 by dfeldman@hachyderm.io
2022-11-18T21:06:34Z
0 likes, 0 repeats
You could trivially make lots of fake servers with lots of fake accounts and absolutely dominate the network
(DIR) Post #APmEhL5VkqVIizILWi by dfeldman@hachyderm.io
2022-11-18T21:06:41Z
0 likes, 0 repeats
Please don’t do this
(DIR) Post #APmEhM2iCjrJgazcno by dfeldman@hachyderm.io
2022-11-18T21:09:44Z
0 likes, 0 repeats
Like, I could make a fake server with a fake Justin Bieber that claims to have 100 billion followers and be verified. Instance admins would defederate me, but I could just move.
(DIR) Post #APmEhMsT6JG8H7CxTU by dfeldman@hachyderm.io
2022-11-18T21:12:34Z
0 likes, 0 repeats
Add in some AI text generation and I could make something that really really feels like a real instance but isn’t
(DIR) Post #APmHhfronX8p24k2ds by tob@hachyderm.io
2022-11-20T00:09:39Z
0 likes, 0 repeats
@lamp @dirkcgrunwald @dfeldman more people not understanding that mastodon is not a twitter clone.