TheDude

joined 1 year ago
[–] TheDude 8 points 1 year ago (4 children)

Hey everyone,

A few days ago when we were under bot attack I rolled out a script to help me mitigate the attack. This script essentially calculated the rate at which certain IPs were posting and added them to a block list. Some of the IPs from other instances such as lemmy.ml were falsely added to this block list. I've since gone through all of the IPs and removed the ones that shouldn't have been there.

Please let me know if anyone is still having issues and I'll do my best to review your particular case in a timely manner.
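
The false positives described in the comment above follow from how federation looks to a per-IP rate counter: a peer instance relays posts from many users through one address. The sketch below is an added example, not the script the comment refers to; the window, threshold, allowlist range and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed tuning values, not taken from the original post.
WINDOW_SECONDS = 60
MAX_POSTS_PER_WINDOW = 5
# Constructed allowlist of federated peer addresses (documentation range).
FEDERATION_ALLOWLIST = [ip_network("198.51.100.0/28")]


def is_federated_peer(ip):
    """True if the source address belongs to a known federated instance."""
    addr = ip_address(ip)
    return any(addr in net for net in FEDERATION_ALLOWLIST)


def find_block_candidates(events):
    """events: (unix_ts, source_ip) pairs sorted by time.

    Returns (to_block, exempted). Exempted addresses exceeded the rate but
    are known peers, so they are reported for review instead of blocked.
    """
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    to_block, exempted = set(), set()
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_POSTS_PER_WINDOW:
            (exempted if is_federated_peer(ip) else to_block).add(ip)
    return to_block, exempted


def sample_events():
    """Constructed traffic: one bot, one federated peer, one normal user."""
    events = [(1000 + 2 * i, "203.0.113.7") for i in range(10)]    # bot burst
    events += [(1000 + 3 * i, "198.51.100.3") for i in range(12)]  # peer relay
    events += [(1000 + 100 * i, "192.0.2.44") for i in range(3)]   # normal user
    return sorted(events)


if __name__ == "__main__":
    blocked, review = find_block_candidates(sample_events())
    print("block:", sorted(blocked))
    print("rate exceeded but allowlisted:", sorted(review))
```
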

[–] TheDude 77 points 1 year ago (4 children)

Hey all,

As others mentioned we did not have custom emojis so we were not affected by this particular attack. I have since upgraded our UI to 0.18.2-rc.1 which mitigates this XSS vulnerability.

[–] TheDude 56 points 1 year ago (3 children)

The vulnerability appeared to be from a custom emoji that they were running. SJW does not use any custom emoji so we should not be affected. In either case lemmy.world has now been restored and is back online. I’ll keep an extra eye on this instance until the patch gets released shortly.

[–] TheDude 5 points 1 year ago

This is a topic that I’ve been meaning to start a discussion about but haven’t had a chance due to the level of detail I’d like to provide.

I will also be posting the current logic of how vote counts are counted and also publish the code that I use for the counting.

Without going too much into detail today, when votes are counted there are a few things that the logic accounts for.

  1. It only counts votes at the first level (meaning anyone that replies to a vote with their vote gets their vote discarded)
  2. In the event someone tries voting more than once, only the first vote gets counted, the others get discarded.
  3. Users who join after the voting post is made do not get their votes counted. You must have had your account active prior to the vote post.
  4. External and local users get separated and counted separately.

In the future, and this is the part I’d like to discuss more in detail on another thread, is whether we factor in someone’s reputation. Lemmy currently collects a post and comment score for every user. This score is essentially equal to how many upvotes your post or comments have gotten. Additionally the number of posts and comments also get tracked. I’d like to see if there would be a method to use this data in order to determine if an account should have the ability to vote. This does alienate the lurkers but they don’t typically vote anyway unless it's something that could affect them.

When I have some extra time I’ll post a detailed post on this so that those of you who have an overachiever mindset can provide your 2 cents.
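
The four counting rules listed in the comment above can be sketched as follows. This is an added example, not the counting code the comment says will be published; the `Comment` record, the instance names, the pre-parsed `choice` field and the decision that only an accepted vote marks an author as having voted are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Comment:
    author: str               # "user@instance" (hypothetical format)
    account_created: int      # unix time the account was created
    posted_at: int            # unix time the comment was posted
    parent_id: Optional[int]  # None = direct reply to the vote post
    choice: str               # vote value, assumed already parsed


def tally(comments, vote_post_created, local_instance):
    """Apply the four rules; return (counts per scope, discard reasons)."""
    counts = {"local": Counter(), "external": Counter()}
    discarded = Counter()
    voted = set()
    for c in sorted(comments, key=lambda c: c.posted_at):
        if c.parent_id is not None:                    # rule 1: first level only
            discarded["nested"] += 1
        elif c.account_created >= vote_post_created:   # rule 3: account predates post
            discarded["account_too_new"] += 1
        elif c.author in voted:                        # rule 2: first vote wins
            discarded["duplicate"] += 1
        else:
            voted.add(c.author)
            is_local = c.author.endswith("@" + local_instance)
            counts["local" if is_local else "external"][c.choice] += 1  # rule 4
    return counts, discarded


def sample_comments():
    """Constructed thread: T is the creation time of the vote post."""
    T = 10_000
    return T, [
        Comment("ann@local.example", 5_000, T + 10, None, "yes"),
        Comment("bob@local.example", 6_000, T + 20, None, "no"),
        Comment("ann@local.example", 5_000, T + 30, None, "no"),   # second vote
        Comment("cat@remote.example", 7_000, T + 40, None, "yes"),
        Comment("dan@remote.example", 8_000, T + 50, 1, "yes"),    # reply to a vote
        Comment("eve@local.example", T + 5, T + 60, None, "yes"),  # joined after post
    ]


if __name__ == "__main__":
    created, thread = sample_comments()
    print(tally(thread, created, "local.example"))
```
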

[–] TheDude 21 points 1 year ago

Hey all, I've reopened the ability to create new communities. You should now be able to create new communities.

[–] TheDude 4 points 1 year ago

The 530 is 2U, the 630 is 1U size factor. Looking more at the 630

[–] TheDude 24 points 1 year ago (5 children)

Something with Dual CPUs, at least 128GB ram, dual 750W PSUs, hardware raid (12Gbps) and 8 x 2.5" SAS/SATA slots for SSD Drives on a raid 10

[–] TheDude 11 points 1 year ago (1 children)

This is what I'm currently working towards. Waiting for a Fiscal host to accept our application!

[–] TheDude 2 points 1 year ago

After the latest upgrade I have re-enabled captchas and removed the need to confirm via email.

[–] TheDude 97 points 1 year ago (21 children)

If I were to do some rough math I'd say it would cost about $300/CAD per month.

My goal is once we are approved to start accepting donations that I can purchase dedicated hardware for this instance. I'd get a used server at about $2300 which would be sufficient for a good amount of extra users and throw it into its own dedicated shared colo at about $100/month. Factor in about $300-400 a year for drive replacements and we are left with $2300 / 12 months = 191.66 + 100/month for the shared 1u colo + a budget of $400 for drive failures throughout the year $33/month. 191.66 + 100 + 33 = $324.66/month for the first year dropping to about $133 per month after the first 12 months. It's worth noting that this method would give us double the amount of resources and quite a bit of extra storage.

Ideally we don't keep this instance on a single server forever and start to think about spreading it over multiple hosts at or after around 100K users (or less if the number of active users is high).

If someone wanted to host an instance they would not need to allocate as much resources as I have to this instance and depending on how active the instance gets could run off something a lot less powerful.

[–] TheDude 5 points 1 year ago

I very much appreciate you guys keeping pushing me on this. There is more involved than I had originally anticipated in being able to accept donations. We are currently waiting for a fiscal host on opencollective.org to approve our application which was submitted in June. Once it's been approved this instance will be accepting donations!

[–] TheDude 38 points 1 year ago

Hey all,

I've been busy coding some countermeasures for the attacks on this instance today. Most of the stuff has since been cleaned up. Have temporarily disabled community creation until we get some extra security implemented. The communities that you see above should all have been purged at this point. Thank you
