Image uploads are now disabled on lemm.ee due to malicious users
Sorry for the short post, I'm not able to make it nice with full context at the moment, but I want to quickly get this announcement out to prevent confusion:
Unfortunately, people are uploading child sexual abuse images on some instances (apparently as a form of attack against Lemmy). I am taking some steps to prevent such content from making it onto lemm.ee servers. As one preventative measure, I am disabling all image uploads on lemm.ee until further notice - this is to ensure that lemm.ee can not be used as gateway to spread CSAM into the network.
It will not possible to upload any new avatars or banners while this limit is in effect.
I'm really sorry for the disruption, it's a necessary trade-off for now until we figure out the way forward.
This is sick. Kudos to mods for dealing with this garbage. I hope the posters are all hunted down and punished.
Yeah, the admins deserve all our support on this. Not only to protect themselves as server owners, but to stop the spread. Hopefully a longterm solution will be found soon
Just like self-isolation when you have a cold - the healthy and wise thing to do.
I think this is a great move until we have something rock solid to prevent this. There are tons of image hosting sites you can use (most of which have the resources to already try to prevent this stuff) so it shouldn’t really cause much inconvenience.
Quality of posts will go up too. There’s a direct correlation with (worse) quality and image posts.
I prefer image memes, but to each their own.
Images are great when used sparingly
insert image here
less strain on lemmy servers as well
I know there are automated tools that exist for detection CSAM- given the challenges the fediverse has had with this issue it really feels like it'd be worthwhile for the folks developing platforms like lemmy and mastodon to start thinking about how to integrate those tools with their platforms to better support moderators and folks running instances.
I just shut down my instance because of this attack. Once there are better controls to prevent this, I will stand it back up.
Yeah, there was a gardening instance run by a great guy who just did the same
What do you think the purpose of these attacks are? The fediverse is so small in the grand scheme that I can only assume the worst.
Good thing my instance is only friends and friends of friends, otherwise I'd have to do the same
What was your instance?
https://github.com/LemmyNet/lemmy/issues/3920
That's fucking dope, thank you very much for the link to the issue!
Good, its an API that can fit diffrent tools even if one is promoted. Upgrading means switching out a binary file. Posix modularization FTW.
No apologies necessary.
Perfectly fine. People can upload images elsewhere and then just link to them. Most image upload sites will have all those protections in place already. A good stopgap until Lemmy gets those mod tools
This is really sad and disgusting. It affects the whole platform but especially smaller instances that can't keep up. Despite being a lemm.ee user, I was particularly upset about thegarden.land shutting down because of that spam. It had my favourite gardening community on here.
I really hope this gets sorted out, and the spammers end up where they belong.
Wait, they shut down? That's sad, they were great
I'd really love to start a small instance just to play host to a couple of niche interests I don't see around yet, but yeah, hearing about this fucked to behavior is making me hold off.
It has a real chilling affect on users, which is so unfortunate for a platform that is mostly made up of well meaning people
This is why we can't have nice things.
Honestly, some people are just the worst. Why on earth anyone would waste their time doing something so vile is absolutely beyond me...
If one enjoys the twisted pain inflicted on children, then inflicting pain that makes most adults want to use eye-bleach by showing off their plunders is to them well executed revenge on the people they dont like.
This might be a good thread to ask:
Does anyone know if any of the Lemmy apps support direct imgur uploads for Lemmy?
I remember RIF used to do that for reddit back in the day before reddit supported direct image hosting.
Memmy on iOS uploads to Imgur by default. You just use the upload button.
Memmy on iOS does.
It's honestly sad that some well-intentioned laws can be used to attack online platforms.
I kinda wonder though, how would go about making a law against cp but doesn't hurt small sites like lemm.ee?
The issue is that you really can’t. The laws are written specifically to prevent plausible deniability. Because pedos would be able to go “lol a troll sent it to me” and create some doubt in a jury. Remember that (at least in America) the threshold for conviction is supposed to be “beyond a reasonable doubt.” So if laws were focused on intent, all the pedos would need to do is create reasonable doubt, by arguing that they never intended to view/own the CSAM.
This was particularly popular in the Napster/Limewire days, when trolls would upload CSAM under innocuous titles, so people looking for the newest episode of their favorite show would find CSAM instead. You could literally find CSAM titled things like “Friends S10E9” because trolls were going for the shock factor of an innocent person opening a video only for it to end up being hardcore CSAM. Lots of actual pedos tried using the “I downloaded it by accident” defense.
So instead, the laws are written to close that loophole. It doesn’t matter why you have the CSAM. All that matters is you have it. The feds/courts won’t give a fuck if it was due to you seeking it out or if it was due to a bad actor sending it to you.
And that’s pretty much where we are now. Bad actors creating bot accounts on multiple instances, to spam the larger (most popular) instances with CSAM.
I think they have oversimplified the situation to the point that it is wrong.
Arguably, Lemmy instance providers (depending on where they live) are protected in the same way Facebook or other content hosts are. So long as you are acting in good faith you are protected against any illegal content your users upload. This does mean you need to remove illegal content as you become aware of it, you can't just ignore what your users are doing.
There have been cases where although a user technically 'possessed' CSAM, it was shown that they did so unknowingly via thumbnails or it being cached. The police do investigate where it came from. It's not as simple as just sending it to someone and you can have them convicted.
Yes, you'd just need to show that you actively moderate/apply content policies.
This will vary by jurusduction, but most of the West has laws similar to this I believe.
Lemmy instances are likely already protected in many countries legally so long as they act in good faith, ie actively moderate.
Fuck the legal part, I wouldn't want to stay on platform infested with cp. Thank you so much for all the awesome people combating this <3
::: spoiler spoiler Don't freak out. This image isn't hosted on lemm.ee. :::
Its a bug in sombodies markdown parsing.
Your URL was somehow HTML escaped.
Correct
Incorrect
I uh... don't know what you mean there. I was just pointing out that the image I posted is hosted externally, so it doesn't mean I found a bypass to the disabled uploads. It displays fine on the website.
Some software somwhere has a bug in it and it broke your link, im sorry if i failed to communicate that
Did you alert authorities?
I'm going to go out on a limb and say they and all the other instances that were hit with this attack probably did. Which authorities, I don't know. If this instance is hosted in Estonia then probably Estonian authorities, but it's probably being hosted on the cloud so is it REALLY hosted in Estonia? There are a ton of American and EU users so hopefully the FBI and whatever the EU equivalent is. But honestly cybercrimes can get confusing because of the nature of people and hosting being spread out all over the world and it can be hard to even figure out who to report to.
Europol in Europe. But you can report it to your national cybercrime division and they can refer it to the appropriate authority if necessary.
I don't think they made it onto this server, with the 100kb upload limit in place, that was already a rather low risk. It's a preventive measure. So far lemmy.world was the one deliberately targeted.
There’s no need to invoke conspiracy. This is entirely possible for a single person to do, and motivations for single people may be very pity even if the consequences are widely visible.
One misguided teenager on a power trip who enjoys how much disruption he can cause is enough for such an effect.
yeah bitches be spending actual money to destroy a fifteen year old game with bots. it doesn't need to have political motivation.
I'm like 80% sure this isn't coming from the outside but from people on Lemmy from malicious instances
Thank you for the efforts you are making. This is a serious situation; more than just dealing with bad actors, you are viewing traumatic images.
Please, for your sanity and well being, prioritize your self care. Things like this linger in the psyche much longer than you would expect.
That's fucking disgusting. Take any measures you can to prevent that shit from being on the site.
Lol first spam I've seen so far on lemmy
This is a very good decision, I worried about this problem from the very beginning that I learned about the Fediverse. Research must definitely be done to find CSAM detection tools that integrate into Lemmy, perhaps we could make a separate bridge repo that integrates a tool like that easily into the codebase.
I hope every disgusting creature that uploads that shit gets locked up
There was a user that posted a tool they had already been working on, that worked in Python, to go through and automate detection/deletion of potential CSAM on Lemmy servers that admins could implement until better tools come along. Unfortunately, I don't remember who posted it or where I saw it in my travels yesterday.
Sounds like a useful back-pocket fallback/emergency tool. A thing for when your primary is failing or need more help.
Was it this post by db0?
https://lemmy.ml/post/4027478
Yep, that's the one. Thanks!
You're welcome
People like this are despicable
Mastodon/Lemmy should work together on some tool for this, it would probably make it easier, and they both have problems with it now
We currently are, someone else answered your question better than i can.
That's disgusting! You made the right thing, sorry you admins and mods have to put up with that shit, I hope instance owners that are being attacked are reporting it to local authorities.
I think its necesary, no problem.
Thank you sir. I appreciate the dedication to the community to subject yourself to the moderation. Hopefully we can squash this before it goes too far, farther than it has anyway..
Well, that sucks i wanted to share some cute pics i took of my cats
use imgur or imgbb. outsource image hosting.
I wouldve recommended catbox.moe but I have FUD about it now. I assume they are have themselves together, but I cant know for shure.
also ur fears are justified, but just checked: ghostery doesn't show any trackers on catbox's part, so its safe to use..for now..but one has to stay vigilant and make regular checks to see what will happen about them
well we could always use any other suggestions: imgur is a spyware in itself, but what can we do (i put it in the freezer app so i dont get wiretapped, suddenly my videos started to be uploaded in gif form by them to save on bandwidth lol 😭 )
This sucks, but given the circumstances it's sadly an understandable and necessary course of action.
Thanks for taking care about that.
Honestly, Im bit confused, I can still see image uploads posts like: https://lemm.ee/post/5858721
I guess I was lucky I didnt see morbid posts, just want to be sure Im safe now. Is it safe enough to just browse lemm.ee local?
Ah thx for explaining
Guessing there's no way to track down the uploaders?
I suppose many of them probably are posting behind VPN or Tor.
That would be a lot of work for admins, but perhaps reporting the CSAM to the FBI or something. I'm pretty ignorant about how that all works.
I'm no expert on this; but I'd assume that it is sometime easy to track them down, and sometimes very hard. Easy if they just do a direct upload from their home internet with a fixed IP address, using a regular lemmy account that they also use for day-to-day stuff. But hard if (for example), they use upload from some coffee shop wifi connection with a throw-away account using some tor / proxy / VPN shenanigans.
Seems fair enough, good on you for the speedy action.
Are the lemm.ee servers not located in a region that protects online forums from the content that its users post?
It's not just about lemm.ee, the up/down of federation is that stuff from lemm.ee gets copied to all the other federated instances and vice versa. So lemm.ee's region aside, this move tries to help protect the fediverse at large by removing a major distribution hub. It's not a full solution in that regard, but it makes a bad situation incrementally less bad. Other popular instances may end up doing this as well till better tools come about.
That's a fair point! Thanks!
If anyone wants to have a faster way of uploading images to Imgur on iOS, here‘s a shortcut for that.
How does one disable image uploads on their server? I want to disable it for a while
Turn off PICT-RS.
How?
Check out some of the posts in ![email protected], people seem to be shutting down the pictrs container, removing it from the hjson config and the compose file depending on how they've deployed Lemmy
I did see someone who appeared to be a lemmy.ml admin mentioning defederation in one of the CSAM threads, so if posts look old you might need to visit lemmyworld directly
Just checking -- Is this still in effect?
I assume this is why I can't change the banner on the community I moderate (on lemm.ee).
I totally understand why this had to happen. I'm just looking for a status update.
Yes it is
Any chance that gravatar support could be implemented? This would allow some basic functionality without hosting content on lemm.ee servers.
Seems like this is still disabled, is it now in play for the foreseeable future? What about setting a time frame in which no images can be posted until it's surpassed? Or maybe have an approval required for adding the avatar and banner?
Hey, this post is quite old, actually you can find the latest info in the sidebar of our front page:
Okay, so I'll be set in the next few days. Many thanks!!!
Personally, I would love it if all NSFW pictures were banned. There's deepai.org's nsfw detection bot. No idea if it costs money to use the api or not.
https://deepai.org/machine-learning-model/nsfw-detector
You can detect NSFW images for free using the AI Horde
Pricing: $5 per 100 API calls, or $5 per 500 for DeepAI Pro subscribers
whats the over/under wager that it was retaliation for the recent "h e x b e a r" shit?
Not a single lemmy user or admin, was it .world, .ml, HB or exploding heads or dbzer0 would benefit from other instances being attacked like this. Spamming normal porn or gore maybe could go as a joke or retaliation sure but using csam is very threatening to the whole fediverse even if done against a single small instance.
I have my issues with the HB mafia, but I don't think they'd stoop that low.
Better shut the internet down then. This will only continue to worsen now that anybody can generate whatever images they want with AI assistance. Such image hashes will not be in CSAM databases (if AI generated imagery is even CSAM)