eekrano

joined 1 year ago
[–] eekrano 12 points 4 months ago (2 children)

CrowdStroke

[–] eekrano 3 points 1 year ago (3 children)

Some people have reported being able to add TOTP from mobile. Most people that reported on desktop have the same issue. It's a lemmy thing, not just the instance. Lemmy needs to have you validate your TOTP before committing it to your account so you don't get locked out for turning it on but not being able to actually add it.

26 points, submitted 1 year ago by eekrano to c/coolguides
[–] eekrano 2 points 1 year ago (1 children)

@[email protected], you are tasked with securing your network; please list all websites that should be blocked by default.

[–] eekrano 2 points 1 year ago

Thanks for the insight, that's good to know. What do you do if you need to move from one organization to another? (It seems to be only allowed to move from personal vault to organization, not org -> personal or org -> org.)

[–] eekrano 1 points 1 year ago (1 children)

Same here. I added it to Keepass, then opened a private browser and tried to log in and it wouldn't take it. So one of 2 things:

  1. Most sites have you enter a code to validate that you have it right before applying the changes to your account - I did not get this in Lemmy
  2. They simply don't validate that you have 2FA set up correctly by asking you for a code prior to actually enabling it on your account, and the login with 2FA is broken.

I went ahead and removed 2FA so I wasn't locked out of my account if I get logged out somehow until this is fixed.

16 points, submitted 1 year ago* (last edited 1 year ago) by eekrano to c/selfhosted
Hi all, I recently set up VW and imported my Keepass DB. All the folders went to "Collections" (200+ top-level folders, multiple levels beneath that for some folders, about 1500 entries total), and handing out permissions to users seemed like a horrible manual experience.

Looking into this, it seems like Bitwarden has had open tickets for 5+ years for:

  • Inherited ACLs
  • Shared folders

5 years is long enough to make me think they're never coming or Bitwarden doesn't really care about these features enough to ever implement them. Of course, if they don't implement them, VW won't either as they mimic BW.

The best workaround I found was to move everything multiple people should have access to into its own vault and add users as managers to that vault. But you can't move items from one vault to another, only from a personal to a company vault. Argh.

I see so much love for this app and I WANT to love it, but these (IMO) make it almost unusable for multiple users.

So how are you all handling what seems to be a serious usability issue? I want to like VW/BW, but it seems like it's missing basic functionality that every other password manager has, and even more worrying is that BW doesn't seem to care about implementing it.

Please let me know how you're getting around these issues in a sane way that can be easily managed in the future, or if you're all just "dealing with it" or what. Thank you.

[–] eekrano 1 points 1 year ago (2 children)

Catch the error and dump the response body to see what you're getting. Might just be that the server is overloaded and not responding with the expected JSON. The full body should give you more clues.

[–] eekrano 3 points 1 year ago

I'm going to read about GitHub being down (with a link to this repo) on Monday, aren't I?

[–] eekrano 3 points 1 year ago

I haven't spun up an instance, so I don't have a good idea what the DB looks like, but are IP addresses captured on either account signup and/or vote casting?

It isn't a silver bullet, but it's prohibitively more expensive to spin up instances to cast votes for bot users versus running through a script on a single machine. If you've got an IP you might be able to pinpoint bot activity and the accounts associated with it (until they get smarter, at least).

[–] eekrano 1 points 1 year ago

Yes, captcha is the default minimum that should be implemented.

Also reasonable is to log account creation with IP and timestamp, which allows retroactively removing offenders if patterns occur, or [more easily] determining if 500 accounts signed up within 5 minutes from a single IP.

Kind of a pain, but fairly efficient: require a phone number with text verification to enable an account.

Yes, I know there are ways around each of these, but it makes it much harder to spin up many accounts through rudimentary means.
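As an added example (not code from this thread or from Lemmy), here is the per-IP signup-burst check the comment above describes, run over a constructed account-creation log: it slides a time window per source IP and flags any IP that creates `threshold` or more accounts inside `window_seconds`. The log line format, the IPs and the default threshold of 4 signups in 5 minutes are assumptions; the real threshold from the comment (500 in 5 minutes) is just a different parameter.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real data): "<ISO timestamp> signup <ip> <username>".
# Lines are assumed to be in chronological order, as an append-only log would be.
SAMPLE_LOG = """\
2023-06-20T10:00:00Z signup 203.0.113.7 alice
2023-06-20T10:00:05Z signup 203.0.113.7 bob01
2023-06-20T10:00:09Z signup 198.51.100.4 carol
2023-06-20T10:00:12Z signup 203.0.113.7 bob02
2023-06-20T10:00:20Z signup 203.0.113.7 bob03
2023-06-20T10:07:00Z signup 203.0.113.7 bob04
2023-06-20T10:07:30Z signup 198.51.100.4 dave
"""


def parse_line(line):
    """Return (timestamp, ip, username) for one signup log line."""
    ts, event, ip, user = line.split()
    if event != "signup":
        raise ValueError(f"unexpected event type: {event}")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user


def find_signup_bursts(log_text, threshold=4, window_seconds=300):
    """Flag IPs with >= threshold signups inside any window_seconds span.

    Returns {ip: (count, window_start_iso)} describing the densest window
    seen for each flagged IP; IPs that never cross the threshold are absent.
    """
    recent = defaultdict(deque)  # ip -> signup timestamps still inside the window
    worst = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, _user = parse_line(raw)
        q = recent[ip]
        q.append(when)
        # Evict signups older than the window relative to the newest one.
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and len(q) > worst.get(ip, (0, None))[0]:
            worst[ip] = (len(q), q[0].isoformat())
    return worst
```

Running `find_signup_bursts(SAMPLE_LOG)` flags only 203.0.113.7, whose fifth signup at 10:07:00 falls outside the 5-minute window and so does not extend the burst.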

[–] eekrano 2 points 1 year ago

Comment / post ratio is useless as well for this though.

  1. Create a server
  2. Create 10,000 bot accounts
  3. Have 85% of bot accounts create a random post
  4. Have 40% of them post a comment on the main-level posts

Looks like a pretty busy, totally real server by the aforementioned metric.


cross-posted from: https://lemmy.world/post/212576

As we've seen in the past week, a large number of users don't care why subreddits are blacked out; they just want their timeline back to normal.

It's understandable: most users just want something to "work" when they want to use it and don't give any thought to what that means. We've already seen mods be replaced, deleted histories come back to life, whatever it takes for Reddit to make it seem "normal" so they don't lose users. Heck, even some of those who have left Reddit may be tempted to go back and read / comment on things they see there, because Reddit obviously isn't going to die overnight. So how do we continue the fight in the current environment Reddit has put us in while still getting a message across to the users?

My thought is the following, and I'm putting it here because I think recent migrants are/were more than semi-casual redditors, and it's clear we've got some development talent out there. I'm a developer as well, but I'm looking for:

  1. Thoughts on the approach I'm suggesting
  2. Thoughts on implementation / usage
  3. Overall feelings regarding this in general

The idea

Make browser plugin(s) and / or a website that [knowingly to the user] intercept comment post requests for reddit and store the post content elsewhere. In its place, all that is submitted to reddit is a link to a website (where people can click to view the user's intended comment text) along with a blurb about "reddit owning your comment data".

The browser plugin can also find these comments within posts and automatically query and get the raw text and replace it within a reddit page to make viewing these posts easier for everyone.

The idea being that the more users install the extension to easily read these posts, the more users obfuscate their posts so that other users also need the extension to more easily read comments on reddit.

Not only does this protect user data from being owned by Reddit, it makes it so Google searches will not find content on reddit.

Example post before and after:

(Unencrypted, or viewed with the browser extension installed)

(The posted content stored in reddit)

There's my idea. A few thoughts / notes:

  • Is this possible? I haven't checked out manifest V3 or made a browser extension in a long time, but with what RES already does I assume this would be doable.
  • Is it worth it? Will enough people want to read comments stored in this manner to "join the fight"? Who knows
  • Should it store the comment data elsewhere, or just store encrypted text in the reddit comment itself?

Anyway. I know we've got a lot of ex-redditors here, a lot of very talented developers, and a fight still going on that deserves a next step from the users.

Open to any and all thoughts from. This is just a musing on a potential next step - I haven't decided if I'm going to start developing anything yet.
