cross-posted from: https://jamie.moe/post/113630
There have been users spamming CSAM content in !lemmyshitpost@lemmy.world causing it to federate to other instances. If your instance is subscribed to this community, you should take action to rectify it immediately. I recommend performing a hard delete via command line on the server.
I deleted every image from the past 24 hours personally, using the following command:
sudo find /srv/lemmy/example.com/volumes/pictrs/files -type f -ctime -1 -exec shred {} \;
Note: Your local jurisdiction may impose a duty to report or other obligations. Check with these, but always prioritize ensuring that the content does not continue to be served.
Update
Apparently the Lemmy Shitpost community is shut down as of now.
Could someone please ELI5 that script. I’m all for keeping things clean, but old enough to remember the days of console based trolling.
sudoAs root
find /srv/lemmy/example.com/volumes/pictrs/filesFind files in
/srv/lemmy...that:-type fAre plain files (not directories, symlinks, etc; includes images)
-ctime -1And were created within an amount of time (probably last day, haven’t used this flag in a while)
-exec rm {} \\;For each matching file found execute
rmon it (delete it).I don’t think rm is gonna cut it if you have that shit on disk
Locking the thread. Information relevant to self-hosters has already been shared. Too many reports of off-topic comments to leave this open.
That’s it, I’m defederating from lemmy.world. the admins let their users make death threats against users of other instances on top of this.
i’d love for a good tech journalist to look into how and why this is happening and do a full write-up on it. come on ars, verge, vice
How desperate to destroy Lemmy must you be to spam CSAM on communities and potentially get innocent people into trouble?
Maybe you’re a dev on the Reddit team and own a lot of shares for what you know is about to go public?
Self hoster here, im nuking all of pictrs. People are sick. Luckily I did not see anything, however I was subscribed to the community.
- Did a shred on my entire pictrs volume (all images ever):
sudo find /srv/lemmy/example.com/volumes/pictrs -type f -exec shred {} \;-
Removed the pictrs config in lemmy.hjson
-
removed pictrs container from docker compose
Anything else I should to protect my instance, besides shutting down completely?
I was looking into self hosting. What can I do to avoid dealing with this? Can I not cache images? Would I get in legal trouble for being federated with an instance being spammed?
Refer to this comment chain from this same thread https://poptalk.scrubbles.tech/comment/577589
Someone else here mentioned not running "pictrs” at all
Couldn’t this be stopped with automatic filtering of bad content? There are open source tools and libraries that do this already
That’s what we’re pushing the lemmy devs to do. Honestly even if they want to use proprietary tools for this instance I’m okay, I’ll happily go register an Azure account and plop an API key into the UI so it can start scanning. Lemmy should have the guardrails to prevent this from ever hitting our servers.
In the meantime, services like cloudflare will handle the recognizing and blocking access to images like that, but the problem still comes down to the federation of images. Most small hosters do not want the risk of hosting images from the whole of the internet, and it sounds like there is code in the works to disable that. Larger hosters who allow open registrations can do what they please and host what they please, but for us individual hosters we really need tools to block this.
Proprietary software isnt necessary there are plenty of project that detect scam
I’m saying when it comes to this I don’t care if it is or isn’t proprietary, frankly I’d be down if we used multiple ones. I’m all for my morals but when it comes to CSAM as long as it works. That’s the most important, and yes I’d probably use multiples
As far as I know, images should not be federating to federated instances, right? Image proxying is supposed to be added to pictrs version 0.5.0 but it is still in alpha.
I get it. Thumbnails are cached. Thanks.
Not just the thumbnail. The full image is cached. There’s a PR request to disable thumbnail caching but not the full image.
Yeah you are right. It’s here: https://ani.social/pictrs/image/78d05797-5b02-4c5a-bd86-132f0f41856c.webp
Thanks.
Likely scum moves from reddit patriots to destroy or weaken the fediverse.
I remember when Murdoch hired that Israeli tech company in Haifa to find weaknesses is TV smart cards and then leaked it to destroy their market by flooding counterfit smart cards.
They are getting desperate along with those DDOS attacks.
Could be, but more likely it’s just the result of having self hosted services, you have individuals exposing their own small servers to the wilderness of internet.
These trols also try constantly to post their crap to mainstream social media but they have it more difficult there. My guess is that they noticed lemmy is getting a big traction and has very poor media content control. Easy target.
Moderating media content is a difficult task and for sure centralized social media have better filters and actual humans in place to review content. Sadly, only big tech companies can pay for such infrastructure to moderate media content.
I don’t see an easy way for federated servers to cope with this.
Yeah exactly. This is the main reason I decided not to attempt to self host a Lemmy instance. No way am I going to let anyone outside of my control have the ability to place a file of their choosing on my hardware. Big nope for me.
Is it possible to prune pictrs by community name?
Not really. You could technically locate the images and determine precisely which ones they are from their filenames, but that means you actually have to view the images long enough to pull the URL. I had no desire to view them for even a moment, and just universally removed them.
As mentioned in my edit above though, ensure you are in compliance with local regulations when dealing with the material in case you have to do any preservation for law enforcement or something.
There is a purge community option available for admins but that did nothing.
From what I was informed, purging a post doesn’t remove the associated cached data. So I didn’t take any chances.
What is CSAM?
Child sexual abuse material, a.k.a. child pornography.
I’m not subscribed to that community, but I guess I’m glad Pictrs doesn’t work for me, since I am using the Yunohost version of Lemmy. The creators of the Yunohost package couldn’t get it to work. I haven’t really missed it honestly.
Can you run lemmy without pictrs? What behavior is different?
It just means that you can’t upload pictures, including banners or avatars. However, when I want to create an image post, I just make the post on Pixelfed and then mention the Lemmy community I want to post to at the bottom of the post body. Supposedly there’s a way to reference a remote image for a banner or an avatar, but I haven’t figured that out yet.
So, from memory there has been:
- This recent attack
- Regular DDOS attacks
- Frequent attempts to spam community creation
- That one time the instance got hacked and set to redirect to shock sites
Am I missing anything?
This seems like more than just a few trolls. Maybe someone really doesn’t want to see user-owned social media take off.
I see where you’re going with this, but no, people really are just absolutely horrible. The fact is that with other social media they’re just already very set up in managing this so we never see it. Lemmy wants to be open, this is the flipside of that openness.
It’s generally easy to crap on what’s ‘bad’ about big players, while underestimating or undervaluing what they are doing right for product market fit.
A company like Meta puts hundreds of people in foreign nations through PTSD causing hell in order to moderate and keep clean their own networks.
While I hope that’s not the solution that a community driven effort ends up with, it shows the breadth of the problems that can crop up with the product as it grows.
I think the community will overcome these issues and grow beyond it, but jerks trying to ruin things for everyone will always exist, and will always need to be protected against.
To say nothing for the far worse sorts behind the production and more typical distribution of such material, whom Lemmy will also likely eventually need to deal with more and more as the platform grows.
It’s going to take time, and I wouldn’t be surprised if the only way a federated social network eventually can exist is within onion routing or something, as at a certain point the difference in resources to protect against content litigation between a Meta and someone hosting a Lemmy server is impossible to equalize, and the privacy of hosts may need to be front and center.
The solution in this case is absolutely AI filters. Unfortunately you won’t find many people willing to build robust model for that. Because they’d be those getting the ptsd you mention.
Iirc, ptsd is something only certain characters get. We should probably focus on finding people who really have no problem watching rough content. I have ptsd so I probably am not the right person for the job.
I don’t want to try. I have pretty low barrier. I set up NSFW filter on lemmy because I found disturbing the furry content that was common some time ago… I don’t want even to try anything worst than that
Can absolutely relate. Just seeing nsfw if you‘re not anticipating it is very weird.
It is very reminiscent of the trolls in the earlier web.
I went ahead and just deleted my entire pictrs cache and will definitely disable caching other servers images when it becomes available.
Anyone know if this work is tracked anywhere? I’m suddenly really suspicious of continuing to run my own instance.
https://github.com/LemmyNet/lemmy/pull/3897
It does say “thumbnails” but as far as I know, Lemmy (or pictrs) makes a copy of the full image too. I don’t know if this PR includes full images.
