this post was submitted on 03 May 2024

56 points (90.0% liked)

Ask Lemmy

25999 readers

3147 users here now

A Fediverse community for open-ended, thought provoking questions

Rules: (interactive)

1) Be nice and; have fun

Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'

This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spam

Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reason

Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected]. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.

It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.

Reminder: The terms of service apply here too.

Partnered Communities:

Logo design credit goes to: tubbadu

founded 1 year ago

MODERATORS

[email protected]

candyman337

[email protected]

How does lemmy deal with ban evasion? (lemm.ee)

submitted 3 months ago by [email protected] to c/[email protected]

34 comments fedilink hide all child comments

top 34 comments

sorted by: hot top controversial new old

[–] [email protected] 35 points 3 months ago (2 children)

It doesn't. No network is capable of that and if they say they are you're being lied to.

[–] [email protected] 4 points 3 months ago (1 children)

VPN's can be banned though.

[–] [email protected] 21 points 3 months ago (1 children)

nope. You can do IP analysis to ban IP's that belong to particular VPN but you can't ban VPN tech. There are so many VPN services and so many proxies and so easy to setup your own VPN that even Netflix struggles with that.

[–] [email protected] 1 points 3 months ago (2 children)

How are they caught then in countries that try to restrict digital access and have criminalized them?

[–] [email protected] 9 points 3 months ago (1 children)

I think these nations setup the ISPs to look for the packets using a VPN protocol. This protocol is only used between the user and the VPN provider, so the target website doesn't see it. Though I think this can be evaded too with a bit of work (masking the packets as normal web traffic). One reason why repressive regimes also want to control the devices of the user.

[–] [email protected] 1 points 3 months ago (1 children)

There are ways to ban them even if it evades detection though. Incompatible formatting and mobile applications come to mind. Charleston in South Carolina having the highest concentration of diehard privacy maintainers goes over nobody's head, having it come up as one's location is like wearing a label that says "I am not who I appear to be" and is the source of the most common geoblock in the free world. Probably a giveaway I help keep the peace in a few sites.

[–] [email protected] 2 points 3 months ago (1 children)

Isn't that just a game of whack a mole though? Ban VPNs ending in Charleston, people hop to another location. Rinse and repeat

[–] [email protected] 1 points 3 months ago

The right metaphor would be popping a pimple. Apply pressure and the oil just scatters and becomes aimless. They represent a powerhouse.

[–] [email protected] 2 points 3 months ago

From the client to the VPN host it's feasible to do protocol/port identification and prevent it that way. Some are significantly more difficult to do that for though, particularly when it uses something like HTTPS to blend in with the general flow. It's possible to set up a national level proxy gateway, but that would require a user's system to trust some alternate CA which would be really hard to enforce.

Short version, there's always a way around, but they can make it real tough for the average user.

[+] [email protected] -19 points 3 months ago (2 children)

Reddit does have a system to fight it.

Capable or not, bad solution is better than no solution.

[–] [email protected] 31 points 3 months ago* (last edited 3 months ago) (2 children)

no it's not better. It's extremely invasive as you have to fingerprint and store users fingerprint on your servers indefinitely. Not only that but all of this can be avoided by anyone with half a brain cell. Lemmy should not waste their resources on something like this, it's extremely hard to do to the point where literally nobody has a good system even giants like Linkedin. Source, I work in bot detection.

Lemmy would never get this right no matter how many people contributed and would just cause overal harm to the platform through privacy invasion and false positives.

[–] [email protected] 3 points 3 months ago (2 children)

Lemmy has quite a few unfortunately invasive qualities of its own, including generally needing an email address from you (Reddit does not), having poor privacy and data retention practices, and generally being very messy with who gets to decide what happens with your data and how easily it can be scraped.

Sure, Reddit sells it... But Lemmy gives it to any web scraper for free.

[–] [email protected] 11 points 3 months ago (1 children)

But Lemmy gives it to any web scraper for free

Which is good. You either have an open system or a closed one. There's no in-between.

If you want to have advantages of public free decentralized network you can't obfuscate and centralize bits and pieces of it. Also, it's 2024, we need to stop this misinformation that email address is supposed to be private. What is private is email address association with the owner and Lemmy doesn't leak or infringe on. The address is literally called address because it's supposed to be public.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (2 children)

...And attitudes like this towards privacy will keep Lemmy from progressing to a point where those issues will be fixed.

I have a fundamental problem with giant corporations scraping user data without user consent. That's a system-level issue. It doesn't become "good" just because they get to scrape without consent for free.

[–] [email protected] 2 points 3 months ago

Nah it has nothing to do with attitude but with practicality. This would mean people's fingerprints need to be public and shared between servers or some other hack. It's just possible in any safety and its not really a hill worth dying on. Do we really care about users dodging subreddit bans that much? Its silly.

[–] can 1 points 3 months ago (1 children)

What would a "fix" look like in your eyes? Do you have na implementation in mind?

[–] [email protected] 1 points 3 months ago (1 children)

I have a few suggestions for development concerns off the top of my head:

Scrub post metadata* after users request its deletion
Auto-purge deleted content* rather than letting it sit behind a "deleted" flag (something Facebook got a ton of flak for doing)
Auto-purge deleted media*
Consider seriously limiting opening data wide for scraping, since the problem is non-consensual scraping, not payment for non-consensual scraping

* either immediately or, to prevent spam, after some time

[–] can 1 points 3 months ago (1 children)

I agree with your first few points but I'm unsure about the scraping. This is a public forum, what could be done to mitigate scraping that wouldn't take away form that?

[–] [email protected] 1 points 3 months ago

If we take "unlimited unauthenticated API access shouldn't be possible" for granted, I'm unfortunately not all that technically competent about what can be done next.

The first thing that comes to mind is treating website access and app access differently, maybe limiting app API access by default for people who haven't logged in.

Or creating a separate bot API that's rolled out across all servers at some point in the future... And I know federation could pose some serious chokepoints here so that's where my speculation ends.

[–] andrew_bidlaw 8 points 3 months ago

Instances can enable or disable the email verification and other measures, like asking why you want to join that instance.

I don't recall reddit being so liberal. I haven't used an account I didn't verified in the same day, so I can't say if it works, but I suspect they can enable different protocols for inspecting unverified accs.

As a side-note to that discussion: my VPN works with most services i can't access otherwise while reddit blocked me as I tried to access it to see for myself. I'm surprised.

[–] [email protected] 0 points 3 months ago (1 children)

Keeping a list of "fingerprints" of users is hardly invasive, and it's only dangerous without proper database security.

It can throw up false positives, but the key there is to make it as good at not doing that as possible, and having a reasonable means for users who feel like they were unfairly tagged as evaders to appeal the flag.

Also, don't do it automatically, use it as a tool to identify possible cases and have a review team check for which ones need the most immediate action, with help from a separate algorithm that prioritizes user reports by how reliably a users' reports have pinged actionable content.

That's the entire game of security, not being perfect, but being good enough for the adversary to decide you might as well be perfect for all their efforts would be worth, and ban evasion protection and bot prevention are no different.

[–] [email protected] 6 points 3 months ago (1 children)

That's the entire game of security, not being perfect, but being good enough

Yes and good enough is so hard to reach that this is no way accomplished with Lemmys volunteer resources. We literally have full time people and massive AI driven systems doing this professionally. This is no way achievable in Lemmy if centralized Reddit with multi-million dollar budgets can't even get close to "good enough".

[–] [email protected] 3 points 3 months ago

TBF Reddit isn't exactly trying all that hard since ban evaders tend to be good for engagement metrics. Like half the measures they do employ they only do because they feel like they have to in order to not look like they just blatantly don't give a shit so long as the investor watched metrics keep going up.

[–] [email protected] 9 points 3 months ago

Lemmy has a system whereby admins talk to each other and share details of ban evaders, but different instances decide what is a bannable offence and not all of the 1000+ instances are involved.

[–] [email protected] 17 points 3 months ago

Lemmy isn't unified. Each instance will have their own policies.

[–] [email protected] 13 points 3 months ago

It doesn't. That's a feature, not a bug.

You can do IP bans, but only your current instance really knows your IP. You can sign up to any others and you're just a fresh user to them.

Maybe the bigger instances share info about known CSAM uploaders between them, I dunno.

[–] [email protected] 11 points 3 months ago (1 children)

For remote actors, it seems to mostly rely on banned users not being very imaginative when it comes to naming subsequent accounts, and/or them not being able to leave a particular subject alone.

[–] [email protected] 0 points 3 months ago (1 children)

What do you mean by a “remote actor” here?

[–] [email protected] 3 points 3 months ago

A user on an instance that's different from the instance that wants to ban them (so methods like IP logging or browser fingerprinting or whatever wouldn't be available).

[–] [email protected] 9 points 3 months ago

Poorly

[–] [email protected] 6 points 3 months ago

I had to pay in order to get on my instance. It's definitely not foolproof, but you add even just a small payment requirement to a registration and it would seem like quite a bit would fall off.

[–] [email protected] 6 points 3 months ago

The answer is spread amonst the comments you've already got.

It's a combination of regular bans, IP bans, moderators knowing the 'regulars' and recognizing their (bad) behaviour. And the Lemmy admins have a Matrix chat(?) room where they exchange info.

[–] [email protected] 1 points 3 months ago (1 children)

Why spend time on deal with ban evasion instead you can spend time to serve who really need the community and make stuff better ?

[–] [email protected] 1 points 3 months ago

troll get bored soon or later