cross-posted from: https://jamie.moe/post/113630

There have been users spamming CSAM content in !lemmyshitpost@lemmy.world causing it to federate to other instances. If your instance is subscribed to this community, you should take action to rectify it immediately. I recommend performing a hard delete via command line on the server.

I deleted every image from the past 24 hours personally, using the following command: sudo find /srv/lemmy/example.com/volumes/pictrs/files -type f -ctime -1 -exec shred {} \;

Note: Your local jurisdiction may impose a duty to report or other obligations. Check with these, but always prioritize ensuring that the content does not continue to be served.

Update

Apparently the Lemmy Shitpost community is shut down as of now.

  • aseriesoftubes@lemmy.world
    link
    fedilink
    English
    arrow-up
    154
    arrow-down
    20
    ·
    1 year ago

    Someone is trying really hard to hurt Lemmy by continually attacking the most popular instance. Is this all coming from right-wingers upset that their nazi instances were defederated across basically the whole fediverse?

    • Kungolicious@lemmy.world
      link
      fedilink
      English
      arrow-up
      69
      arrow-down
      15
      ·
      1 year ago

      My tin foil hat is telling me it’s one of the other social media companies funding a hacking group to do it. They stand to have the most to lose, and they’ve seemingly decided to enjoy changing the narrative regarding multiple topics. Lemmy stands directly against what the bigger social medias stand for.

      I have no evidence to back this though. As a business owner I just know that things become very consistent when people are being paid, and very inconsistent when they aren’t. These attacks are seemingly very consistent/organized.

      • phillaholic@lemm.ee
        link
        fedilink
        English
        arrow-up
        52
        arrow-down
        2
        ·
        1 year ago

        You think a company that is posed to go public is going to attack a competitor with a minuscule amount of traffic with extremely illegal material that could put them in prison for even having?

        • Kungolicious@lemmy.world
          link
          fedilink
          English
          arrow-up
          17
          arrow-down
          13
          ·
          1 year ago

          Reddit? No. I was thinking moreso Meta. They have the deeper pockets and a proven track record of breaking privacy laws to their own benefit.

            • fsmacolyte@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              1
              ·
              1 year ago

              So then why was Meta trying to get Threads to be on the Fediverse? Of course they’re aware of any potential threats, no matter how small.

              • phillaholic@lemm.ee
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                Why reinvent the wheel if someone’s just going to hand you the backend? Lemmy is no threat to them.

                • fsmacolyte@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  The threat is a new sustainable community that’s sheltered from advertising that people could leave Factbook/Instagram/whatever and go to.

          • orizuru@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            9
            arrow-down
            2
            ·
            1 year ago

            Meta was talking about adding Mastodon federation to their Threads app. So I very much doubt it.

            They’d probably take an Embrace, Expand, Extinguish approach.

        • KIM_JONG_JUICEBOX@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          1 year ago

          You would pay a third party to do it. And keep details extremely vague so you have plausible deniability.

      • Steeve@lemmy.ca
        link
        fedilink
        English
        arrow-up
        20
        ·
        1 year ago

        You have a massively inflated view of Lemmy’s importance in the social media market.

        • GONADS125@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          arrow-down
          1
          ·
          1 year ago

          The longer it continues, the more likely that scenario is IMO. Bitter alt-right extremists would probably start losing interest after a short while, whereas social media competitors would stand to gain from long-term interference.

      • AssPennies@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        arrow-down
        5
        ·
        1 year ago

        I’d go with state actors first.

        When a particular social media platform is centralized, you can buy yourself a say percentage of stock and have sway over it (cough tencent), or have a useful idiot ruin the platform (cough musk), or another useful idiot to run propaganda you like anyway (cough truth social, cough fox news, cough newsmax…), or yet another that will sell out it’s host country’s citizens for cold hard cash (cough facebook).

        But when that social media platform is decentralized? Well, then you’d need to figure out how to poison the well early on to stave off adoption. The Saudi Arabias, UAEs, Chinas definitely don’t like the idea of lemmy, and it’ll be way harder for them to control if critical mass is hit.

        • aseriesoftubes@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          1 year ago

          Yep, that’s a great point.

          Add to that the fact that mainstream social media companies wouldn’t touch DDoS and CSAM attacks with a 100-foot pole, even if they contracted with a third party. Both of these attacks are highly illegal and would surely ruin a publicly traded company (or one that’s trying to go public, like Reddit).

          And don’t forget Russia in your list of state actors who are threatened by the unrestricted flow of information. They definitely don’t want their citizenry to be informed of how disastrously their invasion of Ukraine is going, or what a murderous scumbag Putin is.

        • Valmond@lemmy.mindoki.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          You don’t get a lot of upvotes and sure we don’t know but it isn’t like the NSA infiltrated (in person) left wing groups and more.

          It’s definitely a possibility that someone doesn’t like decentralised content enough to put some meager efforts against it.

    • MataVatnik@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      edit-2
      1 year ago

      This makes the most sense to me. It’s a pretty vitriolic attack, therefore I don’t think it’s simply a troll while at the same time I don’t believe it’s any corporate social media.

    • CryptoRoberto@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      42
      arrow-down
      46
      ·
      1 year ago

      I wouldn’t put it past the hexbear crazies throwing a tantrum. They claim to be left wing… Sure seem more like fascist trumper types though. Maybe it’s just that they’re all incels and incels all seem about the same.

      • Fylkir@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        44
        arrow-down
        1
        ·
        1 year ago

        Throwing a tantrum about what exactly? They’re one of the oldest-running Lemmy instances. Until now they were running a fork based on a pre-Federation version of the codebase.

        You believe they did a bunch of work migrating their database only to then negate that work by destroying the community they wanted to Federate with?

        • maegul (he/they)@lemmy.ml
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          2
          ·
          1 year ago

          Well something to keep in mind is that hexbear isn’t one person … it’s a whole community that’s developed independently for a while. So it’s reasonable to expect that there’d be variation in the behaviours of members in the same way there’s variation on the rest of lemmy. From what I’ve gathered, not all hexbear members are keen on the re-federation, and some aren’t too keen on being “well-behaved” around politically opposed users (ie “libs”), though hexbear admins and other users have promised moderation and that such isn’t part of the core hexbear values.

          It’s social media, afterall … and people can be rather shit and ruin it for the rest of us. In the end, the core service provided a social media platform isn’t the hardware, sys-admin-work or software (however necessary they are) … it’s the moderation work.

          The moderation keeps the place sanitary enough for people to actually want to be here … however much we may have problems with particular actions of our moderators, we should really support and praise them at every turn.

        • Rentlar@lemmy.ca
          link
          fedilink
          English
          arrow-up
          16
          arrow-down
          6
          ·
          1 year ago

          At least a handful of users on hexbear had made their intention clear during the first week of re-federation, they were looking to cause chaos on Lemmy for there own pleasure. I don’t know if they were banned and/or their comments deleted.

        • CryptoRoberto@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          4
          ·
          1 year ago

          Big difference between a few users who did a bunch of work and the toxic goonsquad the majority of the userbase turned into.

      • maegul (he/they)@lemmy.ml
        link
        fedilink
        English
        arrow-up
        45
        arrow-down
        10
        ·
        1 year ago

        they’re all incels and incels all seem about the same.

        Downvote from me there. I’ve seen plenty of examples of hexbear people being nice, interesting and good sports. They definitely seem to have more of shitposting culture than is normal on mainstream lemmy. But all in all it’s seemed fun to me from what I’ve seen.

        Beyond all that, this is just superficial and prejudicial. If you had some examples to link to or more substantial insights to share as to why it’d be “them”, that’d be worth reading.

        Otherwise, they’re an instance. Not one person, I’m sure some on hexbear are assholes and some awesome.

        • CryptoRoberto@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          46
          ·
          1 year ago

          So, so shocked someone it’s from lemmygrad that is defending the notoriously toxic “communist” tanky trollfest instance.

          • maegul (he/they)@lemmy.ml
            link
            fedilink
            English
            arrow-up
            47
            arrow-down
            4
            ·
            1 year ago

            Sorry, not from lemmygrad. And I’m on lemmy.ml because I joined before the Reddit migration and “Privacy and FOSS” (the focus of lemmy.ml) made a lot of sense for a lemmy instance/community.

            Beyond that … more superficial, prejudicial hate mongering without any description of why or for what purpose. Sorry, I don’t think it’s worth reading … a downvote from me … and, just being real for a moment … at the moment it’s more likely that you’re a member of a “notoriously toxic … trollfest”.

            Ironically, IME, I’ve seen significantly more troll-like tankie hate than I do tankie-trolling. I keep asking for receipts/links to tankie trolling here, as I’m genuinely curious to see it and understand what people are so upset about (please don’t explain to me what’s so upsetting unless it’s culturally thorough or coupled with some links+descriptions) … but no one has been able to do so.

            • zephyreks@lemmy.ca
              link
              fedilink
              English
              arrow-up
              8
              arrow-down
              1
              ·
              1 year ago

              Most people from hexbear provide sources, which is better than can be said for all the tankie hate.

  • regalia
    link
    fedilink
    English
    arrow-up
    71
    arrow-down
    2
    ·
    1 year ago

    Why do these deranged fucks do this

      • regalia
        link
        fedilink
        English
        arrow-up
        71
        arrow-down
        3
        ·
        1 year ago

        This isn’t trolling, this is just disgusting crime.

        • Not_Alec_Baldwin@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          19
          ·
          edit-2
          1 year ago

          The crime happened in the past when the children were abused. This is some weird amalgam of criminal trolling.

          Edit: yeah yeah I get that csam is criminal, that’s why I called it an amalgam. It’s both trolling and criminal.

          • chiisana@lemmy.chiisana.net
            link
            fedilink
            English
            arrow-up
            11
            ·
            1 year ago

            Depending on jurisdiction, I am not a lawyer, etc etc, but I’d imagine with fairly high degree of probability that re-distribution of CSAM is also a crime.

          • ChunkMcHorkle@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            The crime happened in the past when the children were abused.

            That’s true. You could look at it that way and stop right there and remain absolutely correct. Or, you could also look at it from the eventual viewpoint of that victim as a human being: as long as that picture exists, they are being victimized by every new use of it, even if the act itself was done decades ago.

            Not trying to pile on, but anyone who has suffered that kind of violation as a child suffers for life to some extent. There are many who kill themselves, and even more that cannot escape addiction because the addiction is the only safe mental haven they have where life itself is bearable. Even more have PTSD and other mental difficulties that are beyond understanding for those who have not had their childhood development shattered by that, or worse, had that kind of abuse be a regular occurrence for them growing up.

            So to me, adding a visual record of that original violating act to the public domain that anyone can find and use for sick pleasure is an extension of the original violation and not very different from it, IMO.

            The visual records are kind of a sick gift that never stop giving, and worse still if the victim knows the pics or videos are out there somewhere.

            I am well aware not everyone sees it this way, but an extra bit of understanding for the victims would not go amiss. Imagine being an adult and browsing the web, thinking it’s all in the past and maybe you’re safe now, and stumbling across a picture of yourself being raped at the age of five, or whatever, or worse still, having friends or family or spouse or children stumble across it.

            So speaking only for myself, I think CSAM is a moral crime whenever it is accessed, one of the most hellish that can be committed against another human being, regardless of the specificities of the law.

            I don’t have a problem with much else that people share, but goddamn I do have a problem with that.

  • itsdavetho@lemmy.world
    link
    fedilink
    English
    arrow-up
    70
    arrow-down
    3
    ·
    1 year ago

    I literally am going to give up social media in general if this doesn’t stop

    Seen it last night late around 3am shit made me sick I honestly almost cried but I just closed the app and tried not to think about it

    Whatever the goal is it’s a stark reminder that there is monsters creeping in the shadows every where you go

  • enbee@compuverse.uk
    link
    fedilink
    English
    arrow-up
    65
    arrow-down
    1
    ·
    1 year ago

    big F in chat for those of you dealing with this. my #1 fear about setting upand instance.

    • jeffw@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      ·
      1 year ago

      It impacts everyone when this shit happens. It takes time for mods/admins to take down. And you can’t unsee it.

      I hope nobody else has the misfortune of stumbling on that shit

      • Bleeping Lobster@lemmy.world
        link
        fedilink
        English
        arrow-up
        42
        arrow-down
        1
        ·
        1 year ago

        There have been studies which found playing tetris for an hour or two after seeing something traumatic can prevent it taking root in our longterm memory.

        I tried it once after accidentally clicking a link on reddit that turned out to be gore, I can’t remember exactly what it was now (about 9 months later) so it must have worked

      • thrawn@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        1 year ago

        Yeah you really can’t. I’m pretty desensitized from earlier internet with death and other shock gore content but had managed to avoid CSAM until today. It was a lot worse than I expected, felt my heart drop. Worse, my app autoplays gifs in thumbnail so it kept going while I was reporting it.

        I’ve mostly forgotten and it wasn’t on my mind until I saw this thread (happened less than 24hr ago) but even the slightest reminder is oddly upsetting. Wish I’d thought of the Tetris thing.

  • Oneobi@lemmy.world
    link
    fedilink
    English
    arrow-up
    64
    arrow-down
    6
    ·
    1 year ago

    Likely scum moves from reddit patriots to destroy or weaken the fediverse.

    I remember when Murdoch hired that Israeli tech company in Haifa to find weaknesses is TV smart cards and then leaked it to destroy their market by flooding counterfit smart cards.

    They are getting desperate along with those DDOS attacks.

    • OrbitJunkie@lemdro.id
      link
      fedilink
      English
      arrow-up
      28
      ·
      1 year ago

      Could be, but more likely it’s just the result of having self hosted services, you have individuals exposing their own small servers to the wilderness of internet.

      These trols also try constantly to post their crap to mainstream social media but they have it more difficult there. My guess is that they noticed lemmy is getting a big traction and has very poor media content control. Easy target.

      Moderating media content is a difficult task and for sure centralized social media have better filters and actual humans in place to review content. Sadly, only big tech companies can pay for such infrastructure to moderate media content.

      I don’t see an easy way for federated servers to cope with this.

      • maxprime@lemmy.ml
        link
        fedilink
        English
        arrow-up
        12
        ·
        1 year ago

        Yeah exactly. This is the main reason I decided not to attempt to self host a Lemmy instance. No way am I going to let anyone outside of my control have the ability to place a file of their choosing on my hardware. Big nope for me.

  • Dandroid@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    44
    ·
    edit-2
    1 year ago

    I got lucky. I am not subscribed to this community, and I am the only person on my instance. But what if I was subscribed and hadn’t seen this post? This is too much responsibility for me.

    I just shut down my instance until we can disable cached images. If that never happens, then I’m not bringing it back up.

    Shout-out to github.com/wescode/lemmy_migrate. I moved my subscriptions over in a minute or two, and now, other than not having my post history, it’s exactly the same.

    • Clbull@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      Is this why I couldn’t upload a meme to the Lemmy World servers earlier today?

      Fuck…

    • PastThePixels@lemmy.potatoe.ca
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Yeah… Just wow. I disabled pictrs and deleted all its images, which also means all my community images/uploaded images are gone, and it’s more of a hassle to see other people’s images, but in the end I think it’s worth it.

      Through caching every image pictrs was also taking up a massive amount of space on my Pi, which I also use for Nextcloud. So that’s another plus!

      • HTTP_404_NotFound@lemmyonline.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        Note, apparently, lemmy will get pretty pissy if pictrs isn’t working… and the “primary” lemmy GUI will straight-up stop working.

        Although, https://old.lemmyonline.com/ will still work.

        And- I am with you. My pictrs storage, has ended up taking up quite a bit of room.

      • rar@discuss.online
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        There has to be a more elegant way of dealing with this in the future, like de-coupling between Lemmy-account hosting (which effectively means acitivypub-fediverse account) and Lemmy-communities hosting.

      • HTTP_404_NotFound@lemmyonline.com
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        Yup.

        So far, mostly everything appears to work still. But, trying to upload an image, just throws an error.

        SyntaxError: Unexpected token ‘R’, “Request er”… is not valid JSON

        I don’t see a way to actually “gracefully” disable it, but, this works.

        Edit- don’t just stop pictrs.

        Lemmy gets very pissy… and b reaks.

  • owiseedoubleyou@lemmy.ml
    link
    fedilink
    English
    arrow-up
    33
    arrow-down
    1
    ·
    edit-2
    1 year ago

    How desperate to destroy Lemmy must you be to spam CSAM on communities and potentially get innocent people into trouble?

    • heyoni@lemm.ee
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      5
      ·
      1 year ago

      Maybe you’re a dev on the Reddit team and own a lot of shares for what you know is about to go public?

    • pory@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Child sexual abuse material - underage porn. For obvious reasons, you don’t want this to be something you’re hosting automatically out of your basement server.

        • TheRealKuni@midwest.social
          link
          fedilink
          English
          arrow-up
          12
          ·
          1 year ago

          I’ve been listing to the audiobook for American Prometheus: The Triumph and Tragedy of J. Robert Oppenheimer and the number of times they say “CP” as an abbreviation for “Communist Party” is too damn high.

          Also last time I went to the amusement park Cedar Point they’ve got “CP” as an abbreviation on all sorts of stuff.

          Made me chuckle, but I do think it’s perhaps time to move to the abbreviation CSAM since it’s less likely to get used for other purposes.

          • ExLisper@linux.community
            link
            fedilink
            English
            arrow-up
            26
            arrow-down
            3
            ·
            1 year ago

            In what world anyone would think that CP implies consent? I mean, the word ‘child’ is right there. Do you think that the term ‘child soldiers’ implies consent? I don’t have anything against the term CSAM but if it was created because of doubts around consent it was a silly reason to create it.

            • Microw@lemm.ee
              link
              fedilink
              English
              arrow-up
              11
              arrow-down
              2
              ·
              1 year ago

              The term originates from professionals - psychiatrists etc - who work in that field, because they knew even decades ago that “pron” is the wrong word for this kind of material.

              • Cryophilia@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                3
                ·
                1 year ago

                I think it’s more likely some people working in those fields wanted to improve their career by popularizing a new term.

            • barsoap@lemm.ee
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              1
              ·
              1 year ago

              I think it has less to do with the existence of non-consensual porn as with the possibility and, indeed, existence of vast amounts of consensual porn. Consent is very much possible in adult porn, it isn’t with CSAM. It’s also possible with soldiers, though of course conscription exists and ask a random Ukrainian they’d rather not have to be a soldier for their loved ones to be protected.

          • lightnsfw@reddthat.com
            link
            fedilink
            English
            arrow-up
            16
            ·
            1 year ago

            There’s a lot of porn that wasn’t made consensually either. I don’t care what we refer to csam as but I think it’s important to acknowledge that.

  • slug@lemmy.world
    link
    fedilink
    English
    arrow-up
    27
    ·
    1 year ago

    i’d love for a good tech journalist to look into how and why this is happening and do a full write-up on it. come on ars, verge, vice

  • Catasaur@lemmy.catasaur.xyz
    link
    fedilink
    English
    arrow-up
    24
    ·
    edit-2
    1 year ago

    Self hoster here, im nuking all of pictrs. People are sick. Luckily I did not see anything, however I was subscribed to the community.

    • Did a shred on my entire pictrs volume (all images ever):

    sudo find /srv/lemmy/example.com/volumes/pictrs -type f -exec shred {} \;

    • Removed the pictrs config in lemmy.hjson

    • removed pictrs container from docker compose

    Anything else I should to protect my instance, besides shutting down completely?

  • idle@158436977.xyz
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    I went ahead and just deleted my entire pictrs cache and will definitely disable caching other servers images when it becomes available.

  • DeltaTangoLima@reddrefuge.com
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    To be clear, if no one on a given instance sub to that particular /c, the content won’t federate to said instance, correct?

    • Jamie@jamie.moeOP
      link
      fedilink
      English
      arrow-up
      17
      ·
      1 year ago

      At this point, the community is clean. So unless more is posted, then you should be good. If someone searched for the community and caused a preview to load while the content was active though, then it could be an issue.

  • drcobaltjedi@programming.dev
    link
    fedilink
    English
    arrow-up
    18
    ·
    1 year ago

    I was looking into self hosting. What can I do to avoid dealing with this? Can I not cache images? Would I get in legal trouble for being federated with an instance being spammed?