Authorized Fetch Circumvented by Alt-Right Developers

Sean Tilley@lemmy.world to Fediverse@lemmy.world – 145 points –
Authorized Fetch Circumvented by Alt-Right Developers
wedistribute.org

Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

70

You are viewing a single comment

is it not enough that you remain oblivious to the attempted harassment? If a bigot harasses in a forest and nobody is around to hear it, did they really harass?

The problem is, there are plenty of other people around to hear it. Everyone else except the harassed person can see it, and on top of that, the fact that harassment is trivial to do, and not policed, ensures that more harassers will come along. Each one having to be blocked one by one by the people they're harassing, after the harassment has already taken place.

As I said earlier, this is how twitter does things, and there is a reason that vulnerable folk don't use twitter anymore.

But isn’t this already the case?

No, it isn't, because right now, local only posting, follower only posting, authorised fetch, admin level instance blocks etc, all combine to make it non trivial for harassers. If you're familiar with the "swiss cheese defence model", that's basically what we have here. Every single one of those things can be worked around, especially by someone dedicated to harassing folk, but the casual trolls and bigots, they won't get through all of them. The more imperfect security, anti harassment and privacy options we have, the harder it is for casual bigots.

I'm familiar with the Swiss cheese model and you make a good point.

But even still, I think what we have now is insufficient, has other negative side effects too, and I don't see a good path to make it sufficient.

I was initially lamenting that social networks currently do a terrible job (dangerously negligent job) setting user expectations wrt privacy (or lack thereof). It'd be nice if social networks were upfront about the lack of privacy, and made the limitations of their tools inherently obvious. Sorry if it seems like I keep shifting goalposts, I keep changing the direction of the conversation as you give me interesting things to think about and discuss.

I'm not suggesting that we copy Twitter's model for anti-harassment, especially since The Idiot took it over.

I'm suggesting that, rather than just double down on what exists now, you do a thought experiment with me where we explore a radical rethink of anti-harassment, and what it might look like if we don't try to use privacy tools to accomplish it. I'm not convinced that there is no reasonable solution possible. Although the details would probably depend significantly on the type of social network (for example: microblogging vs reddit-like).