this post was submitted on 15 Apr 2024
39 points (85.5% liked)

Lemmy.world Support

3248 readers
1 users here now

Lemmy.world Support

Welcome to the official Lemmy.world Support community! Post your issues or questions about Lemmy.world here.

This community is for issues related to the Lemmy World instance only. For Lemmy software requests or bug reports, please go to the Lemmy github page.

This community is subject to the rules defined here for lemmy.world.

To open a support ticket Static Badge


You can also DM https://lemmy.world/u/lwreport or email [email protected] (PGP Supported) if you need to reach our directly to the admin team.


Follow us for server news 🐘

Outages πŸ”₯

https://status.lemmy.world



founded 2 years ago
MODERATORS
 

I often use a commercial VPN service, which I suspect is not rare among Lemmy users. Most of the time, I'm able to post to lemmy.world, but on occasion I am not. The default web UI provides zero feedback, just a spinning submit button forever, but if I look in the browser dev tools, I can see it's being blocked.

I understand that some limitations are necessary to prevent spam and other abuse, however this is a very blunt instrument. The fact that I have a 10 month old account with consistent activity should outweigh any IP address reputation issues.

Perhaps the VPN limitations could be narrowed in scope to cover only account creation and posts from young accounts.

all 34 comments
sorted by: hot top controversial new old
[–] 5h17h34d 9 points 8 months ago (1 children)

I've always wondered why Google makes me jump though hoops when I'm tunneled through my VPN. I'm logged in to Google for chrissakes, that should be all the difference in both of these situations.

[–] [email protected] 5 points 8 months ago (1 children)

There's some very good reasons:

  • VPN traffic could be masking an attack on the account
  • By using a VPN, they lose a degree of certainty that it's you, they can't use the IP address as a factor to establish the probability it's actually you
  • Differentiating you as a person, from other people with the same source address, perhaps who are behaving poorly, or who've implemented robots to do things Google doesn't like.

I fully believe VPNs should be a fundamental right on the internet, nobody should have to identify themselves by IP address to use the internet. But from an account security perspective alone there's a good reason to be extra super duper sure of somebody before allowing them to log in

[–] 5h17h34d 4 points 8 months ago (2 children)

But, I'm LOGGED IN. To Google. Bad actors on the same VPN ip address are not logged in as me (I hope).

[–] [email protected] 3 points 8 months ago

Say that to the victim of cookie stealing attack

[–] [email protected] 2 points 8 months ago

Somebody might have stolen your login cookies, and is impersonating you. If the IP that your traffic originates from changes rapidly that could be an indicator.

[–] Rooki 4 points 8 months ago (2 children)

Hello @[email protected] ,

we understand your frustration, but lemmy doesnt give us any alternative to that, as we cant block posts/comments from younger accounts easily.

The issues with the UI, that it doesnt give any real feedback is, sadly an issue with the LemmyUI, but it will be probably improved in the future.

We are looking into better alternatives to that, but until then we sadly have to stay on our current path.
We will be of course announcing if we found an alternative to that.

[–] Zak 2 points 8 months ago

Thanks for the explanation. It seems I should be proposing improvements to the Lemmy software since the software doesn't currently support the policy I'm suggesting.

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago) (1 children)

"As we cant block posts/comments from younger accounts easily."

OP " scope to cover only account creation and posts from young accounts."

Wait... so yall automatically do this to all new accounts even if they're legitimate? Just because they're new ?

So basically, that means non of their posts or comments show anywhere, they just think everyone can see their stuff, but have no idea they're stuff is blocked bc their account is new ?

Kinda like reddit you can't post if you have zero or enough karma right ?

Do y'all let them know that even ? Or is the goal here to keep them in the dark about it ?

Or are you talking about just the ability for individual users to use the regular block feature against new accounts if they want to block them ?

[–] Rooki 6 points 8 months ago (3 children)

We activated that rule after the acute CSAM attacks, and many used vpns, and after we did this the CSAM posts dropped.

Everybody in vpn is blocked to post comments or create posts. Not depending on account age.

We are NOT a dark web service where everyone needs to be under tor, vpn, proxy, and back again. We are an public service.

Please, imagine you are a instance hoster, you have either to choose csam ( and legal issues ) or users cant use VPNs.

[–] Zak 4 points 8 months ago (1 children)

We are NOT a dark web service where everyone needs to be under tor, vpn, proxy, and back again.

ISPs in some parts of the world spy on users to, for example sell their browsing habits to advertisers and data brokers. That's a good motivation for some people to browse via VPN by default, not to enable it only when accessing specific sites.

[–] Rooki 1 points 8 months ago (1 children)

Most people dont understand that vpn providers can and will do that too ( even paid ones ) track you, log you and sell that. So yeah both sides track you.

[–] Zak 1 points 8 months ago (1 children)

That's definitely a concern. I selected my provider (Mullvad) because I know someone who worked there, and I have fairly high confidence they don't do that.

[–] Rooki 3 points 8 months ago (1 children)

Instance admins chose to block vpns simply because of mullvad and then increased liability, because if there is comming a malicious actor through mulvad and they dont have any logs all liability goes to the instance admin, and then gets questions "Why didnt you just blocked vpns?" etc. etc.

[–] Zak 0 points 8 months ago (1 children)

I think this is a misunderstanding of the legal situation at least for the US and EU. Platform immunity and safe harbor provisions are pretty strong in those jurisdictions, and the fact that the trail goes cold with the IP address (because it's a non-logging VPN) does not shift liability back to the platform operator.

[–] Rooki 2 points 8 months ago (1 children)

But then still the questions comes up "Why didnt you blocked vpns? or TOR?" we will be not the main liability holder, but we will be accountable for those accidents.

[–] Zak 0 points 8 months ago (1 children)

An investigator asking a question is not liability, and I don't believe any of the safe harbor or platform immunity laws in the EU or USA condition their protections on denying service to users from IP addresses belonging to providers that don't provide a certain level of assistance to law enforcement. I'm nearly certain you can't get in any kind of legal trouble for not blocking privacy-protecting services like Mullvad.

That's separate from the operational concern: you don't want people to post CSAM. I don't want people to post CSAM. Nearly everyone else doesn't want people to post CSAM, and most of us are willing to accept some level of inconvenience so that you can prevent or limit it. That said, once Lemmy offers more fine-grained tools, I hope lemmy.world will adopt a more fine-grained policy.

[–] Rooki 2 points 8 months ago

We still want to be on the safe side as we all arent lawyers ( and we dont have much money for it ).

And in the end we will see where mod tools go on lemmy.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

Aren't there alternatives that could be as effective especially when stacked together? dbzer0 requires users to fill out an application with the following

  • Please include the following wordsΒ β€œI agree to follow the golden rules” in your application.
  • Tell us the name of your favorite anarchist, pirate, or open source advocate.
  • Mention one public event or news story that happened in the last month.

and have a verified email address before it's processed.

I think the instance owner has also been developing something to prevent CSAM attacks.

I get Lemmy.world is massive and verifying accounts might be a struggle but I feel like the initial hurdle for new users might be worth it. Even if they are forced to wait a bit.

[–] Rooki 3 points 8 months ago

We get a little bit more registrations in an hour than db0 has in a day, thats the reason why we dont do manual registrations.

Yes he does, and we are using it already, but its just his one is for after incident cleanup ( ALREADY BAD ) and the vpn is to stop/reduce that even happen.

But thanks for your suggestions, we sadly cant apply them fully.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

Nah dude, I'm not advocating to be havin to deal with they csam bullshit.

It's the main thing we have zero tolerance for on our instance HC.

It's the primary reason we were not federating in the first place.

So no I don't expect anyone to put themselves legally at risk for a hobby that doesn't pay your bills just so I can post my poop and fart questions on shitty ask hilariouschaos lol

But I'm gunna level with you though.

I don't trust the intentions of most instance admins.

There's this veil of secrecy and sneakiness there that I just don't appreciate.

It's not a way that myself and our server admin operate.

We're always straight up and 100% transparent as fuck no matter what till the end. We have no issue telling our users what's going on and how stuff works if they have questions or if there's any changes. I'm not saying that to talk shit on you. I'm saying it's what I don't see from some other instances.

And I get that you have to protect yourself that is true yes of course.

I'm just trying to explain why I asked you that question in the first place.

I'm not going to tell you how to run your shit, cuz I wouldn't like it if you told me that LOL haha but there's a huge benefit to being unapologetically brutally honest and straightforward and up front.

I don't know I just feel like there's some hidden agenda something just doesn't sit well with me with some other instance admins. So I'm very skeptical and wonder what they're up to.

It's just really fucking weird anyway I hope y'all figure out your stuff.

Thanks for responding

[–] Rooki 4 points 8 months ago (1 children)

Its the curso of a big instance, we announce stuff gets shit on, doesnt announce it gets shit on, makes a vote gets shit on, makes a friendly survey gets shit on.

We are still trying to announce most of the stuff we do but, some things would have been announcement back and forth because we activated and deactivated one of our harder rules.

[–] [email protected] 2 points 8 months ago

Yea, sounds like a rock and hard place for sure. Don't let it bother you anymore so much. There's only so much you can do, and you can't please everyone.

I feel like lemmy can kinda become a bit of a whole you get sucked into at times.

Happens to me sometimes. Take a break and step away for a little breather when that happens.

I know it's hard to do trust me. I'm addicted to technology so I'll be the first to tell you ha ha

But yea don't stress yourself out. It'll be alright

[–] CrayonRosary 1 points 8 months ago

The worst part about this issue is, once you hit submit and get the infinite spinner, the text box for the post or comment is locked, and you can't even copy/paste the text in order to try again after turning off the VPN, and you can't cancel the submission to unlock it.

[–] [email protected] -1 points 8 months ago (2 children)

The fact that I have a 10 month old account with consistent activity should outweigh any IP address reputation issues.

I dont even know where to begin unpacking this flagrantly ridiculous sentence, but I’ll just say this is the same energy as the β€œdevs are lazy” entitlement when popular video games suddenly acquire a cheater problem

[–] Zak 5 points 8 months ago

Proposing changes like this is how open source projects work.

Account age and reputation metrics are a pretty good way to limit abuse because the supply of established accounts is limited, making them difficult to replace when they get banned.

[–] elbarto777 2 points 8 months ago

Lol nice trolling attempt!

For anyone else reading, I'm a dev, and I didn't get any "devs lazy" vibe from the OP.

It's a sensible request, not a ridiculous one.