Temporary Changes to our Sign-Up Policy

lwadmin@lemmy.world (mod) to Lemmy.World Announcements@lemmy.world – 1451 points

Lemmy.world is temporarily disabling open signups and moving to an application-required signup process, due to ongoing issues with malicious bot accounts.

We know this is a major step to take, but we believe that it’s the right one for both us and our community right now.

We’re working on a better long-term technical solution to these bots, but that will take time to create, test, and verify that it doesn’t cause any problems with federation and how our users use our site, and we’d rather make sure we get it right than have a site that’s broken.

We’re making this change on 28 Aug 2023, and don’t have a specific timeline for how long registrations will require an application, but we will post an update once our new anti-abuse measures are in place and working.

Take care, LW Team


You gotta do, what you gotta do!

Thanks as always for the hard work and transparency.

Thank you for the kindness!

I hope you guys are doing okay having to see all that shit.. No shame in reaching out to mental health professionals. Makes me sad imagining you guys picking up emotional baggage and trauma having to see all that to protect the community.

I appreciate you guys looking out for us, but I hope you all have proper support yourselves.

Whew, I'm glad I got in before this or my fellow homo sapiens might not have noticed I was also a fellow homo sapiens like them and definitely not a robot.

You’re clearly a Mollusc

How dare you! I am no mere mollusc, I am a proud Todarodes pacificus and definitely not a robot squid.

OK BUT WHY ARE YOU SCREAMING

I had a nightmare about electric sheep. Don't we all?

Here is an alternative PUPed link(s): https://m.youtube.com/watch?v=9qttRDmMc64

PUPed is the privacy-ignoring closed-source frontend of YouTube.

I'm closed-source, check me out at My Homepage.

Here is an alternative Piped link(s): https://piped.video/watch?v=9qttRDmMc64

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.

Puny bot, you do not understand PUPed is better bescause closed source! No hacker, No virus, Exiteing web 2 experince, UI verry clean and no dirt on screen, Slot machine is fun, Disney, Stock photos for your happy, uninstall is sad so its no longer done, Money.

Hope it restricts the attack surface, why do people have to be such knobs

Not wanting to be too conspiratorial, but it isn't necessarily people simply doing this out of the badness of their hearts. The fediverse is a disruptive platform and there are many parties with deep pockets that might happily funnel a little bit of cash to certain consultancies in certain countries to stop things and add friction to this platform before it really takes off. Nothing like a little bit of corporate sabotage!

That sounds exactly like the badness in people’s hearts though.

The corporate types behind such actions aren't people.

Dehumanization is how we got here.

Not a great way back? Unless you're looking to go in circles.

Oh stop. That's like that discussion about not dehumanizing neonazis.

And the answer here is the same: the corporate types don't see us common folks as human. They see us as a product at best, and disposable resources at worst. It took a lot of effort to get to the point in which the rights of workers, the rights of consumers and the rights of people in other roles, to be recognized. Real sacrifice, even.

So we gotta do what it takes to keep those rights, because, again, those corporate types don't see us as people. So, fuck them. They aren't people either.

Humans are humans, whether you like them or not.

The bad thing about Nazis is they disagree. Feel free to be more like Nazis? I'd prefer to be different. Still human, but you know, acknowledging my fellow humans as such.

To ignore this fact is to lay claim to the idea that you could never end up in a situation where you're treating people as subhuman. To call any human subhuman is obviously antithetical to making that claim.

Clearly the only response to people who want to treat you as subhuman is to treat them with love and kindness so they can take advantage of the situation.

This is how every "civility" rule on the internet eventually becomes a "don't sass the nazis" rule.

There's a huge difference between treating someone as subhuman, treating someone as human, and treating someone with love and kindness.

If you can't see that, I worry for you.

If you want to be taken advantage of, good for you. Don't volunteer me for it, thanks.

No one volunteered anyone for anything, get out of your own asshole.

When you treat your fellow people with monstrous inhumanity, you have chosen to become an inhuman monster.

You see them and see people just like you. I see them and also see people just like you.


This is a very silly conspiracy theory. Big corps don't give a shit about Lemmy, but there are plenty of script kiddies who want to hack easy targets. Contrary to your belief, there are plenty of dumb idiots with plenty of badness in their hearts.

Big corps are more sociopathic than you realise. There are so many underhanded games going on at that level it will make your head spin.

Big businesses indirectly and sometimes directly fund APT groups. They will buy things that give them anonymous access to competitor trade secrets, or fund attack campaigns against competitors. This sounds like the kind of attack campaign a competitor might launch as part of a one-two combo. This is the first part, the second part is to get editorials out there regarding how lemmy.world is full of CSAM.

Nah. The risk greatly outweighs the reward. Even if this hits the news, I doubt it'd affect numbers on here that much, especially since it's not that big. It's not even big enough to cause issues for "competitors" (and I use the term lightly). The fediverse is simply not really ready to compete with established actors. So the "benefit" is quite small. The risk if they're caught includes executives getting jail time and likely irreversible harm to their brand.

Nah. The risk greatly outweighs the reward.

Does it? Standard dark web precautions are more than enough to throw any investigation into a dead end, especially for a one-off transaction with the buyer having little to no other activity.

The fediverse is simply not really ready to compete with established actors.

Yet. The Fediverse isn't ready to compete yet. Business people aren't looking purely at the present, they've got a keen eye on the foreseeable future too. If there is a growing momentum towards the fediverse, that can spell trouble for Reddit in 5 years' time. The entire point of such an attack is to derail momentum on the platforms. By the time they are ready to compete, it's much too late for this kind of attack to have any reasonable effect.

The more intelligent solution is what Meta is doing with Threads. Not something like this. There'd be a lot more money blackmailing the company than to mess with CSAM.

Big corps are a lot sneakier than something so blunt.

There'd be a lot more money blackmailing the company than to mess with CSAM.

There isn't a company to blackmail. You can't treat the Fediverse as a competing company because it isn't one. You have to treat it more like a movement, like Occupy Wall Street

How do you derail a movement? You make sure the participants are slandered to the point that your accusations are the main things people on the outside remember of it. Mainstream Media did this with Occupy successfully.

However this doesn't work if your opponent is too big, too established or too well funded. Microsoft tried to do this with the Open Source Movement, but the latter was too well established and funded for it to work.

Big corps are a lot sneakier than something so blunt.

That's the thing, they're not being blunt at all. Literally anybody can pay for this kind of attack to happen and not even the service provider needs to know who the buyer is.

The only thing that is needed now are media hitpieces about how federated services spread CSAM and you've got damage that could make the YouTube adpocalypse look small.

Didn't say blackmail the fediverse. I'm saying blackmail the company trying to spread CSAM.

And again, you don't derail a movement. You try to own it if you really care.

But even then, it's not worth it. XMPP has been "competing" for far longer and likely had more success up front than Lemmy or Kbin.

You're severely overestimating the potential here. And you're severely overestimating how much a company would want to destroy it instead of exploiting any other success. There's money to be lost in paying to derail it. There's money to be made in exploiting it.

Didn't say blackmail the fediverse. I'm saying blackmail the company trying to spread CSAM.

Ohhhh okay. Gotcha. There is one tiny problem with this.

On the Dark Web, you treat your identity like your password, you never give it out under any circumstances. And the norms in black markets reflect this, including the norms of transactions.

That means the seller doesn't know who the buyer is, and the buyer doesn't know who the seller is, and the exchanging of such information is a serious fuck up. Sellers don't want to know, as such knowledge can be a vehicle for the feds to charge them with a crime.

Now sure, a bad seller could turn around and blackmail the company, but only if that information gets leaked. This can be surprisingly easy to do, as there are avenues of info leakage that will catch out newbies, but anyone actually experienced with dark net transfers knows the score: no screen sharing, vet all screenshots carefully, don't use your real address for deliveries, don't use your home (or work) connection for the transaction, etc.

And again, you don't derail a movement. You try to own it if you really care.

Don't know what you mean by own here. Control? Maybe but that depends on your own position and what benefits you.

But even then, it's not worth it. XMPP has been "competing" for far longer and likely had more success up front than Lemmy or Kbin.

XMPP is an IM standard, is it not? What that does and what Lemmy/Kbin do are very different.

Are you suggesting messaging doesn't have dominant players, or that Google didn't integrate with XMPP and then eventually break compatibility, which some folks argue set back XMPP in mindshare and marketshare?

XMPP is essentially an open standard where you can host your own relays. The concept was to fight against iMessage and Google Chat and Blackberry, etc. It was just as popular as lemmy/Kbin is now. Hell, Mastodon dwarfs Lemmy as a whole and isn't under attack.

There's just no real evidence this is a concerted effort to ruin the fediverse for corporate gain. It's much cheaper and more profitable to exploit it. It just isn't worth it right now. Meta sees an opportunity but mainly because it wanted to try and exploit Xwitter's current state. That's why it's not even on the fediverse yet. It's not that concerned.

Occam's Razor.

Edit: added clarification (emphasis added to highlight the change).

No way would a company risk being caught being responsible for CP. That would cause a massive backlash in the US socially, and the legal troubles would be huge. And the stock market would also very painfully punish them.

Do you really think there aren't ways for a company to avoid having their names put against such operations? A simple anonymous darknet transaction is enough to get this done without anyone's name being put on it or CSAM touching corporate machines.

Risk outweighs the rewards. Especially for something as small as lemmy. Take off the tin foil hat. It doesn't work like that. Have companies done evil things, yes, but in this case, absolutely no way.

Risk outweighs the rewards.

What risk? Keep it off the books, take standard dark web precautions when purchasing such a service and there's no chance it'll be traced back to you.

Especially for something as small as lemmy.

Small but growing, and steadily establishing itself. That's a momentum certain companies will want to kill.

Take off the tin foil hat. It doesn’t work like that.

ahahahahaha.

My sweet summer child, I've seen it first-hand work EXACTLY like this. I work in the field of offensive security. On the one hand it first amazed me how much big legitimate companies play in that space, but then I realised - of fucking course they do. It only takes a bit of know-how to sweep most things under the rug.

No one cares about Lemmy. Grow up.

Which is why you're signed in on lemmy.world? Because no one cares about Lemmy?

Lemmy is nowhere near big enough to cause any of the competitors any consternation.

Edit: to be more clear, the fediverse as a whole isn't big enough. It's like believing XMPP is going to cause Apple to worry about iMessage.

I'm not an evil corporation. Do you even read the thread?

Obviously their comment was hyperbole, and the literal interpretation is based on the context of the conversation. Do a bit of critical thinking.

This is the internet, Steeve. We don't do critical thinking here.

The alt right instance has been fucking with world since they were defederated...

This is something right up their alley, so the simplest solution is they're doing it.

Come on people, Lemmy's user base is what, a few hundred thousand? A million tops? Which "parties with deep pockets" is this disrupting? The Lemmy userbase is a rounding error on the number of users of other popular social medias.

"Don't want to be too conspiratorial, but let me continue to drop a ridiculous conspiracy with no evidence"

And big corp wants to smother it before it’s bigger. It perfectly makes sense. It’s so much more difficult to kill a service/movement when it’s already widely adopted and popular. Identifying small, new players in the field and disrupting those takes very few resources for them, a rounding error, if you will.

The fediverse has the potential to be a threat to some big corps out there, and Lemmy is just one speck in a sea of a lot of specks. Together those specks are growing the fediverse, and the only way to disrupt it is to get rid of those specks.

You're delusional if you think the Fediverse, a totally open protocol that "competitors" can (and plan to) join instead of having to "defeat", poses a threat big enough to corporations with hundreds of millions or even billions of users to warrant the spamming of child porn.

Not from a big corporation, no. It's probably 4chan types. They tend to get deeply offended when people don't want nazis around.

IIRC there was a post a few weeks ago that had the total number of active accounts somewhere around 60,000. Yeah, we're definitely not big enough to attract that kind of directed attack.

I like conspiracy theories as much as the next person. But let's be real for a moment ... this is shitty people doing shitty things. In part because Lemmy is a vulnerable and maybe relatively easy target by being indie software with indie instance management and relatively young. They might have a general purpose, such as being alt-right and defederated. But at its core, I think it's gotta be just the "pleasure" they get out of breaking someone else's shit ... these people exist, we know they exist.

No, Lemmy is nowhere near big enough for that. If it was, it would be simply bought out by one of those companies, and then shut it down, like with XMPP. They have no rhyme or reason to skulk around in the shadows.

In its current state, it is still very much in its infancy. A company would see more threat in the competing social networks trying to copy their model, or people just leaving outright than Lemmy for the time being. Mastodon would be more of a threat by comparison.

Eh. It's a new platform with new instances and a lot of potential attack vectors. With new users it's becoming a valid target for them.

Nothing like a little bit of corporate sabotage!

The software developers who created Lemmy openly criticize systems of government and economics. These are nation-state battlegrounds too. The barrier to entrance is very low, as Lemmy doesn't even do routine tracking of account creation, rate-limiting alone isn't really defensive. 15 years ago sites like Reddit had major vote manipulation detection logic behind the scenes. This is pretty much unleashed playground for a lot of known tactics.

With the American election next year and all the chaos on sXitter, not unlikely.


Good hope the child porn posting stops with that.

Oh Christ, really? That's just sickening. I often sort by new, sounds like I've been very lucky to miss it entirely...

Yeah, I had the unpleasant encounter several times by now...

I'm guessing they're not even flagging that shit as NSFW? I've been using Liftoff and have the NSFW stuff hidden. I haven't run into any of it yet, but that's fucked up; hopefully it gets under control with this.

Maybe mods of each section can turn on manual approvals of submissions?

Manually approving submissions would be even more work. And shit's being posted everywhere.

And no, the ones I had an unpleasant encounter with weren't flaired NSFW.

Isn't there a tool (possible free) by Google I think that detects abusive material like this?

https://protectingchildren.google/intl/en_uk/#introduction

Eh... I don't think we should give up our privacy because one or two bastards are doing that shit...

Images posted to a public, federated platform should not count as private, in my opinion. When you upload something here, every federated server instantly gets a hold of it. What privacy is there to give up, then?

I agree, everything on Lemmy is public for all to see, that's the nature of the Fediverse. Nothing here is really private, even vote counts since Admins of any self hosted server can see them, or Kbin which reveals them publicly for all.

Even DMs don't have it, which is why it nags you to use Matrix for secure DMs.

To combat this until there is something in place to automate blocking it, manual approval might just be the only way to deal with it for now. Places can add more moderators.

Manual approval would mean that mods have to see all that shit to block it... That's not the right solution imo

They'll end up having to see it anyways to remove it, and by that point more than just the mods would have seen it...

Are you serious? Holy shit. I haven’t seen any at all. But just the thought that someone is posting it. I hate people sometimes.


Looks like even this place couldn't keep it up. Unfortunate. Thanks admins for the transparency though.

Good call. Thank you for doing what you need to do to support the site and protect the users as necessary. And as always, the honesty and transparency is appreciated.

I think it's the right call honestly. We've grown so quick that it must be hard to manage by now.

Thanks for all the work you do! It isn’t unappreciated.

If you could give me the numbers of new accounts monthly I would look into CloudFlare. If I can afford it I will even pay for it.

I don't blame you for taking that decision. But it's sad that this will deter legitimate users away, some of whom would've signed up otherwise.

Most will still be able to join. It just means that account activation will take a little longer for most people.

For me at least, lack of open sign ups immediately makes me not join an instance. It's why I didn't join lemmy the first few times I saw it talked about on reddit, when the main instance was lemmy.ml.

It's simply a delay in activation. The signups are virtually identical with one added question stating you read the note which is the same as the one above in the post.


I guess I'm out of the loop, perhaps because I mostly browse communities I subscribed to, but...

What happened? Lots of spammy bots signing up and spamming the site? I guess I didn't notice where I was looking

Also, what does application based sign up mean?

Anyhow, Lemmy.World and Lemmy (in general) are growing nicely, so what's needed to defend them is cool.

Edit: fixed grammar

Troll / spam accounts posted CSAM in !lemmyshitpost@lemmy.world. That spread with federation and every admin ended up involuntarily hosting such content.

Application based sign up means that if a user wants to subscribe they have to fill out a form and a .world admin gets to review it and approve or reject their sign up. It's a measure of controlling who gets in and limiting the amount of bots and possibly trolls that join an instance.

To make it clear, the form is virtually the same as before with one additional question. It just asks you to state you read the note that is the same as the note in the post above. The application is virtually identical beyond that. But the biggest difference is, like you said, that an admin needs to approve it.

Is image posting temporarily turned off for lemmy.world users too?

Since last night, I've been unable to post (tested in memes@lemmy.world, memes@lemmy.ml, and lemmyshitpost@lemmy.world). Switched to an alt account on a different instance and had no issue.

(getting JSON error: unexpected character at line 1 column 1)

I'm getting this same error roughly a day later from your post. On both mobile and desktop.

Yeah, I know they're busy trying to figure out how to deal with the attacks, so no pressure on them to restore it immediately. I just made an alt account yesterday and will post from there for a bit until this gets sorted.

Have you seen it mentioned anywhere why lemmyshitpost was the targeted community?

Nope, but I browse by All a lot and would guess that it was the most active comm on lemmy.world by good margin. They're definitely targeting lemmy.world and trying to disrupt it.


Glad to hear. Obviously this is less than ideal, but working towards solutions is what's important.

Will this make it easier to reopen federation with instances that were concerned about abuse of our open sign up policy? (or was the issue with beehaw resolved while I wasn't looking?)

If it's temporary, likely not. The concern from most of the instances is that open subs mean literally anyone and anything can join, including bots which create account after account, just moving on when the original is banned. "We are closing open signups for now" is non-committal; I'm betting the only way things get refederated is if World commits to this change for the long term.

Does this mean Beehaw will refederate?

Considering this is a temporary measure, I imagine not. Lemmy.world has been under constant attacks as the #1 Lemmy instance and it's not going to stop just because bots can't get in automatically anymore.

It's a good question. Hopefully the Beehaw admin team will reach out to the Lemmy.World admin team to have a discussion about exactly what the LW admins are trying to achieve and under what conditions they will be ready to reopen submissions. Though even if they do have that conversation there's no guarantee that that will match up with what the Beehaw admins are looking for in order to refederate. It was made clear from the Beehaw admins at the time though that they didn't have any issues with LW in general, only that toxic disruptive people were using the open sign-up of LW to create accounts to go cause trouble over at Beehaw (outside of the general LW userbase) and that they hoped to refederate once better tools were in place to address those disruptive users. Could be that lines up pretty well with LW's goal to wait until they have better tools to address malicious bot accounts before they reopen signups.

Considering the people that run Beehaw and their very fast defederation, I can't imagine that their statement of wanting to refederate is anything other than a mere pleasantry. I doubt they really want to.

And it's fine, small communities are easier to manage. It's not like we are really missing out on much.

Better to semi restrict sign ups so the experience is improved for everyone. When those security issues have been fixed we can open up again. Seems fair

Lemmy.world users were mostly upset 2 months ago about how other Lemmy servers had application based registration and that made it bad for widespread adoption.

Incidents like this are part of why this is a bad idea. Hopefully mitigations to maliciously posted illegal content can be implemented to help Lemmy server admins big and small.

People make these applications seem like a much bigger deal than they are. You don't need to fill out an essay or anything, just a sentence or two to reassure the server owner that you're a normal person. I just mentioned the old Lemmy account I was moving away from. I get that it's a barrier for some though.

Bummer, but I hope you can find a solution soon! What a PITA for you all.

Sounds like a plan! It's a 100% beneficial thing, it should clean it up a bit.

Good. If this is what it takes to overcome the issue then it's fine. Sucks for the real users but they also have alternatives.

Registrations are not closed. Normal users will still be able to join.

Wait I noticed that there's an image button in the application form, is there any risk that that might be abused by users passing by to upload to pictrs in registrations without an account? That could be a big problem if they could.

Tested it in an incognito tab. It seems to be disabled. Clicking the button does nothing for me.

That's good then, was worried for a sec that people could upload images without having an account, that would be very bad and make these kind of attacks insanely easy.

Update: we opened registrations again but temporary email addresses will still be banned.
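One way a small instance could back the policy in this update with automated screening, as an added example that is not Lemmy.world's or Lemmy's own code: each registration's email domain is checked against a blocklist of disposable-email domains, and bursts of signups from one source inside a sliding time window are flagged, so that flagged registrations go to the application queue for a human instead of straight through. The domain list, the source labels, the thresholds and the signup records below are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed blocklist of disposable-email domains (illustrative, not a real list).
DISPOSABLE_DOMAINS = {"tempmail.example", "10min.example", "throwaway.example"}

# Sliding-window burst limit: more than MAX_PER_WINDOW signups from one
# source within WINDOW is treated as automated account creation.
WINDOW = timedelta(minutes=10)
MAX_PER_WINDOW = 5


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    if email.count("@") != 1:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def is_disposable(email: str) -> bool:
    """True when the address uses a domain on the disposable-email blocklist."""
    return email_domain(email) in DISPOSABLE_DOMAINS


class SignupScreener:
    """Tracks recent signups per source and returns the reasons a signup is suspect."""

    def __init__(self, window=WINDOW, max_per_window=MAX_PER_WINDOW):
        self.window = window
        self.max_per_window = max_per_window
        # source label (e.g. a hashed client address) -> timestamps inside the window
        self._recent = defaultdict(deque)

    def check(self, source: str, email: str, ts: datetime) -> list:
        reasons = []
        if not email_domain(email):
            reasons.append("malformed_email")
        elif is_disposable(email):
            reasons.append("disposable_email")
        q = self._recent[source]
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        q.append(ts)
        if len(q) > self.max_per_window:
            reasons.append("signup_burst")
        return reasons


# Constructed signup records: (source label, email, timestamp).
_BASE = datetime(2023, 8, 28, 12, 0, 0)
SAMPLE_SIGNUPS = [
    ("src-B", "alice@mail.example", _BASE),
    ("src-B", "bob@tempmail.example", _BASE + timedelta(minutes=1)),
] + [
    # seven accounts from one source, one per minute: a burst
    ("src-A", f"u{i}@mail.example", _BASE + timedelta(minutes=1 + i))
    for i in range(1, 8)
] + [
    # the same source half an hour later, after the window has emptied
    ("src-A", "u8@mail.example", _BASE + timedelta(minutes=30)),
]


def screen_all(signups, screener=None) -> dict:
    """Map each flagged email to its list of reasons; clean signups are omitted."""
    screener = screener or SignupScreener()
    flagged = {}
    for source, email, ts in signups:
        reasons = screener.check(source, email, ts)
        if reasons:
            flagged[email] = reasons
    return flagged


if __name__ == "__main__":
    for email, reasons in screen_all(SAMPLE_SIGNUPS).items():
        print(f"{email}: hold for manual review ({', '.join(reasons)})")
```

In the sample, the sixth and seventh accounts from `src-A` trip the burst limit while the first five pass, the late `u8` signup passes because the window has drained, and the disposable address is held regardless of rate. The source label is deliberately abstract; what a deployment keys the window on (client address, ASN, fingerprint) is a separate decision, and the blocklist has to be maintained from a source the operator trusts.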

I'm actually advocating for something in between: having an open registration weekend at a set time every month, and registration applications the rest of the time.

It solves both problems: having too many applications to deal with, and it makes it a lot harder to create spam accounts since the time surface is reduced significantly.

Then bot creators would just.... Use the open signup window and regular users get the shaft.

It's easier to monitor for suspicious bot signup activity when you funnel it into a small time window with full attention during that time frame, instead of having to watch for it 24/7.

Can you explain? It's likely not a human validating hundreds if not thousands of signups anyway.

IMO registration applications should have been in use right from the start. Less annoyances for admins and moderators.

I wouldn't put the manual review of thousands of applications into the "less annoyances" box.

Absolutely agreed. Similar to waiting periods for weapons purchases. It would be an effective filter for most people who get in the mood of making a troll post, they would get tired of it before they are approved, and many users with hateful names would be disallowed before they can start posting their hate.

::: spoiler Example of hateful user
@lgbtslayer@lemmy.world being the quintessential example that pushed Beehaw to defederate from LW, after that user posted anti-lgbt and misogynist stuff directly into Beehaw's lgbtq+ community
:::

No, applications are a very degrading process for both users and admins.

I agree it's annoying and hopefully will one day soon not be necessary, but "degrading" is something I don't think ever occurred to me. Is there some aspect to having to get manually approved that is degrading that I'm not aware of?

I never use services which require an application. First of all, that's a bad user experience. Second, it's enough to write some bullshit during job applications.

The application is a question asking if you read the statement (which is the same as the post above).

The rest of the application is the same application you had to fill out when you created the account even when it was open sign ups. The only real difference is it's not automatically accepted but manually accepted.

There are too many posts on this site linking back to reddit.

You guys need to program reddit URL in your site code to have it blocked from being posted, make it scramble url or block it.

Wasn't the argument for having open sign-ups that some Lemmy apps redirect straight to Lemmy.world for registration?

Yes but when people start creating accounts to post CSAM it doesn't leave us much choice.

Seems like a pretty important detail. Why wasn't it mentioned in the post body?

Because they're not trying to make a big deal about how easily CSAM spread throughout federated instances, making all hosts possibly legally liable. Instances in the US are probably OK, due to various laws like safe harbor for platform providers, but with instances all over the world, they all have their own laws to contend with and many never expected this.

It’s really not that hard to connect the dots… Unless you’re trying to impose a question for the sake of

It's about transparency for me. The admins claim to care about it and users praise them for it, but to me it seems like they're doing the bare minimum informing us about changes we are about to notice. Reminds me of corporations writing statements trying to sweep things under the carpet. You and I might realise what it's all about, but many users without the context won't.

That's not what I want Lemmy to be. I want to feel included as a part of the community. I'm doing what I think I can to help it all go in the right direction

Doing "the bare minimum"? We have quite a big team trying to keep the impact for our users to a minimum. We don't claim to care. We DO care. And we try to be as transparent as possible.

We monitor the new posts, we react very quickly to reports, we make sure that even with the sign up requirements everyone can still get on board quickly and we are looking for a solution for the csam problem.

If this is not what you want Lemmy to be, there are plenty of options.

I'm only talking about transparency here, didn't mean to undermine other moderation efforts and sorry if I phrased it ambiguously. But regarding informing users, yes, I think Lemmy.world admins do the minimum.

Understand the issue with transparency. It's just a very sensitive topic all around. And it sucks it is happening. I am not realizing as well a very important threat that exists in unmoderated federation.