PSA: Lemmy votes can be manipulated

koper@feddit.nl to Fediverse@lemmy.ml – 1934 points –

The best part of the fediverse is that anyone can run their own server. The downside of this is that anyone can easily create hordes of fake accounts, as I will now demonstrate.

Fighting fake accounts is hard and most implementations do not currently have an effective way of filtering out fake accounts. I'm sure that the developers will step in if this becomes a bigger problem. Until then, remember that votes are just a number.

If we stop spam accounts from brand new or low usage servers those could both be easily mailed (emulated activity, pre-create instances and let them marinate)

I don't know much about how making new instances works, but could someone create instances in large quantities with smaller populations with the goal of giving human moderators too much work to defederate them all?

There are legitimate reasons for creating a “low-usage” server to host your personal account, so you have full control over federating etc.

If we start assuming all small instances are spam by default, we’ll end up like email now—where it’s practically impossible for small sites to run their own mail servers without getting a corporate stamp of approval from Google.

This would actually be a bit more difficult. So first it would be easy for me to set up lemmy1.derproid.com, lemmy2.derproid.com, etc. but if you could just defed from *.derproid.com it's no problem. However setting up lemmy1.com, lemmy2.com, etc. is more expensive because you would need to register and pay for each of those domains individually.

That's not to say it's impossible but there is a bigger barrier to it.
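The cost asymmetry in the comment above, as an added example that is not part of the thread and not Lemmy's own blocklist code: a small blocklist matcher in which one wildcard entry covers every subdomain the operator controls, while instances on separately registered domains each need their own entry. The blocklist, the hostnames and the wildcard syntax are assumptions for illustration; nothing here describes how Lemmy's real instance blocklist is evaluated.

```python
"""Hypothetical instance blocklist matcher (added example, not Lemmy code).

Shows why subdomains of one domain are cheap to block (a single wildcard
entry) while separately registered domains each need their own entry.
"""

# Constructed sample blocklist; the domain names are illustrative only.
BLOCKLIST = [
    "*.derproid.com",   # wildcard: every subdomain of derproid.com
    "lemmy1.com",       # separately registered domains need one entry each
    "lemmy2.com",
]


def _normalize(host: str) -> str:
    """Lower-case the host and strip a trailing dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """Return True if `host` is covered by the blocklist entry `pattern`.

    A plain entry matches only that exact host.  A `*.example` entry matches
    any host that is a proper subdomain of `example`; it does not match
    `example` itself, and the suffix check is bounded at a label boundary so
    that `notderproid.com` is not swept up by `*.derproid.com`.
    """
    host = _normalize(host)
    pattern = _normalize(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".derproid.com" keeps the leading dot
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if any blocklist entry covers the host."""
    return any(matches(host, p) for p in blocklist)


def blocked_hosts(hosts, blocklist=BLOCKLIST):
    """Partition candidate instance hosts into (blocked, allowed) lists."""
    blocked = [h for h in hosts if is_blocked(h, blocklist)]
    allowed = [h for h in hosts if not is_blocked(h, blocklist)]
    return blocked, allowed


if __name__ == "__main__":
    # Constructed sample of federating instances.
    sample = ["lemmy1.derproid.com", "lemmy9.derproid.com", "notderproid.com",
              "lemmy1.com", "lemmy3.com"]
    print(blocked_hosts(sample))
```

The label-boundary check is the part worth keeping: a naive `endswith("derproid.com")` would also block `notderproid.com`, and a wildcard that matches the bare apex would block the operator's own main domain when only its throwaway subdomains were intended.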

I agree, but it's also worth keeping in mind that a bot swarm approach could be much more distributed. There used to be a guy on the Fediverse that set up "relay accounts" on many, many instances with public signups, prior to hooking them all together with a single app and making them spit out torrential fountains of garbage.

It is 100% possible to abuse other people's public services to make remediation more complicated. Blocking a bad instance or a series of bad instances is easy. Dealing with a run-away spam problem from dozens of friendly servers is way harder.