• Candelestine@lemmy.ca · 91 up · 1 year ago

    Yea, I switched to this alt. It appears to be one of the assistant admins' accounts. Seems like an old-fashioned anon prank to me; they're mainly just trying to make stuff offensive and redirect people to lemonparty.

    So, y’know, old school.

    I don’t know if any data is actually in danger, but I doubt it. I don’t see why assistant admins would need access to it.

    • hawkwind@lemmy.management · 52 up, 3 down · 1 year ago

      All the bean memes are in danger! On a serious note, old-skool or not, it’s a huge loss of trust in something the community-at-large is excited to see replace reddit.

        • Candelestine@lemmy.ca · 69 up, 1 down · 1 year ago

        Par for the course. This system will never be immune to things like that. That’s part of what happens when you decentralize your power. Instead of a single target that can be made highly secure, you have a distributed array of targets.

        People should certainly be engaging on here with full awareness of the reality of the Fediverse, not expecting reddit 2.0. We never will be able to offer exactly what they did. We’ll be naturally worse in some areas and naturally better in others.

          • Philolurker@lemm.ee · 21 up · 1 year ago

          This is why I’m glad I made redundant accounts on multiple instances. When there are problems on lemmy.world, I can just hop on over to another. That’s never been an option with Reddit.

          Now if there was only a way to export or sync user settings like subscriptions, it would be perfect.

            • hemmes@lemmy.one · 6 up · 1 year ago

              Is there a way to link posts in the context of the reader’s instance? Like with !c community links?

              • codus@leby.dev · 5 up · 1 year ago

                It’s not great but if you copy the URL into your instance’s search, you can get to the post that way.

                • hemmes@lemmy.one · 3 up · 1 year ago

                  Yeah that’s what I’ve been doing. There was this great bot that was autocorrecting community links and I was hoping this was possible for post-links on Lemmy instances.

      • Menachem@midwest.social · 26 up · 1 year ago

        idk, I'm surprised it took this long. There's a huge variety of admin teams with varying degrees of security awareness, and it's been over a month since the first big influx of users started. It'll happen again too, and probably not before too long.

        • hawkwind@lemmy.management · 11 up · 1 year ago

          True that. If you look at posts on lemmy.world though, it’s clear their users (which is like 50% of Lemmy) have zero clue they’re defederated ATM, and probably many that don’t know it’s compromised.

          • Hexadecimalkink@lemmy.ml · 4 up, 4 down · 1 year ago

            Federation and decentralization are not Web 2.0 concepts. Just like people who first learned what a tweet and a follow were and all the other concepts of those social media platforms, they’ll learn the new paradigm. Or they won’t and we’ll stick to 2.0 platforms.

        • codus@leby.dev · 5 up · 1 year ago

          If there is a vulnerability in the software, it’s entirely possible for a single attack to take everyone down. All the instances are known and easily discovered.

      • Cyyy@lemmy.ml · 10 up, 1 down · 1 year ago

        I did switch from reddit to lemmy.world because I expected it to be a safe alternative that would at least pay a lot of attention to security. So yes, the trust in security is broken a lot with this, especially since it happened so soon after so many people joined. I already think about maybe making my own instance to keep my account safe in the future.

    • CMahaff@lemmy.ml · 33 up, 2 down · edited · 1 year ago

      My concern is that configuring the site to automatically redirect users sounds like they have pretty large control over the site - the kind of control that I would assume is usually limited to users with root access on the server.

      Obviously hope nothing of value is lost and that there is a proper off-site backup of the content.

      Edit: See Max-P’s comment, it looks like the site redirection was accomplished in a way that IMO suggests they do NOT have full control over the site. We’ll obviously have to wait for the full debrief from the admins.

      • thanks_shakey_snake@lemmy.ca · 4 up · 1 year ago

        Yeah the “redirect somewhere else” attack definitely doesn’t necessarily require any particular control of the site. Usually it’s noticing that you can trick some text into being run as Javascript, instead of interpreted as text… And then you just stick in a cheeky little <notarealscript>window.location = "https://www.badsite.horse"</notarealscript> into that spot.

        Then every time that comment, username, (in this case apparently) custom emoji, etc. gets loaded, whoops, the code runs and off you go!

        So no control of the site is required at all.
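
The injection described in the comment above, shown from the defender's side as an added example (not code from the thread or from Lemmy itself): a renderer that splices a custom emoji's user-supplied name straight into markup, the escaped version that keeps that text as text, and an audit check over stored emoji definitions. The emoji record shape and the sample data are constructed for this example.

```javascript
// Added example, not Lemmy's code. Assumed record shape (constructed):
// { shortcode, imageUrl, altText } where altText is set by whoever defines
// the custom emoji, i.e. untrusted input from the renderer's point of view.

// Escape the characters that let text change the markup around it.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable picker entry: the emoji name is concatenated raw, so a name
// containing a script element is executed by every browser that loads it.
function renderEmojiUnsafe(emoji) {
  return '<span class="emoji-name">' + emoji.altText + "</span>";
}

// Hardened picker entry: every user-controlled field is escaped before it
// reaches the markup, and the image URL must be https so no scheme tricks
// ride along in the src attribute.
function renderEmojiSafe(emoji) {
  const url = /^https:\/\//i.test(emoji.imageUrl) ? emoji.imageUrl : "";
  return '<img src="' + escapeHtml(url) + '" alt="' + escapeHtml(emoji.altText) +
    '"><span class="emoji-name">' + escapeHtml(emoji.altText) + "</span>";
}

// Audit helper for admins: flag stored emoji whose name carries markup
// characters or whose image URL is not https. Run it over the emoji table
// after an incident to find entries that should never have been accepted.
function findSuspiciousEmoji(emojis) {
  return emojis.filter(
    (e) => /[<>"'&]/.test(e.altText) || !/^https:\/\//i.test(e.imageUrl)
  );
}

// Constructed sample data: one benign emoji and one whose name is the kind
// of redirect script the comment above describes.
const SAMPLE_EMOJI = [
  { shortcode: "bean", imageUrl: "https://example.invalid/bean.png", altText: "bean" },
  { shortcode: "evil", imageUrl: "https://example.invalid/x.png",
    altText: '<script>window.location = "https://www.badsite.horse"</script>' },
];
```

Pasting `renderEmojiSafe(SAMPLE_EMOJI[1])` into a page shows the script as literal text; the unsafe renderer would have executed it.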

      • JackbyDev@programming.dev · 5 up, 1 down · 1 year ago

        If it was just DNS that doesn’t mean too much. If it was just DNS it seems to be back up. It’s like changing the number in a phone book.

    • Vilian@lemmy.ca · 6 up, 1 down · 1 year ago

      Probably even the top admin doesn't; it's gonna be encrypted, so even they don't know your password (except if they changed the code to store it in .txt), but always use different passwords on the internet.

      • Muddybulldog@mylemmy.win · 3 up · 1 year ago

        Nothing is encrypted except a user’s password. If you have access to the database you can replace that with a known password hash.