this post was submitted on 11 Jul 2023
277 points (96.6% liked)
Lemmy
13639 readers
1 users here now
Everything about Lemmy; bugs, gripes, praises, and advocacy.
For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.
founded 5 years ago
MODERATORS
Sorry, but that's literally every online service. For example if you buy a new virtual server it takes like 5 minutes till a Chinese IP starts to try root passwords.
If someone actually wanted to harm Lemmy they'd just DDOS the biggest instances for a month (which would be easy, it's mostly single servers after all) or attack it with so much spam and large images that storage would break.
We need moderation tools
Here's hoping Sync and Boost lead the way
Here's hoping Sync and Boost lead the way
Or better yet, let's hope Free Software apps lead the way and ditch the proprietary ones.
Well, Sync and Boost were well established already. It's probably gonna take some time for the new foss ones to catch up
I'm getting CS-nerd excited about how this is all going to play out. Federated moderation is hard and so many awful, clunky things have been tried before. Are we actually going to see a web-of-trust or reputation system that reaches widespread adoption? It's gotta be silent and noninteractive as there's no way to expect normal people to put up with the complexity.
load more comments
(2 replies)
Using open source apps, especially with more than one contributor, is currently the best option to be safe from this kind of attack.
Edit: I'm not saying that FOSS is 100% secure because it's FOSS. I'm just saying it's the best option we currently have.
It helps, but it's still not a silver bullet. For example, a Lemmy app could contain no malicious code in its open source repository, but malicious code could still be added to a binary release in an app store.
Voyager (formerly wefwef) is a self-hostable web app, so it doesn't have this problem. Of course this only means you can inspect the code you're running. You still have to able to understand the code to be sure it's not doing anything malicious.
That's why F-Droid is the safest Android app repository. If I'm not mistaken, every app they offer is rebuilt from the public source code by the repo package maintainer.
Yeah, downloading from fdroid or izzyondroid kinda solves that.
Izzy directly sends over the APKs from GitHub releases. F-Droid does their own builds which is partly why they're so slow to update.
OSS does not guarantee security, ever. Please let's not fall into false sense of security.I
But in this case, if an app is open source, there is a higher chance of discovering that it sends your credentials somewhere else than in closed source app
That assumes people are looking at that and know what they're doing and aren't malicious actors. None of this is guaranteed. Famous examples of major OSS security vulnerabilities have already shown this.
Oauth2 login support for apps would certainly be very welcome.
I am using the Liftoff app. It looks pretty safe but I don't really know.
It's open source and pretty popular (for a Lemmy app at least) so it should be pretty safe
Indeed, this is a real weak spot with Lemmy's security. I honestly think we need to place more emphasis on implementing OAuth2, when I have the time I'll have to take a look at that again to see if I'm able to.
Are there any known apps that should be avoided? I’m using Mlem and Memmy.
Not yet, this post is just a warning that it might happen
Not sure about the other apps, but Memmy keeps your password stored in the app. But generally speaking I don’t think Gavin is a malicious person. He spent 3 weeks with beta tests before he was even comfortable pushing it to Apple App Store and the code is reviewed by Apple before being included to watch for malicious scripting. I am not saying people don’t get malicious scripts passed through Apple, but from what I have seen of Gavin’s work, he doesn’t seem the type that would do that.
Closed source ones.
load more comments
(4 replies)
1password is probably the most valuable subscription I pay for.
If anyone's looking for a free and open source option, Bitwarden is also great.
load more comments
(3 replies)
KeePassXC is free and completely offline
And if you want it to be online, you can just share your .kdbx file between your computers using Syncthing or whatever.
Also Password Store! Syncs over Git and on Android you can use a Yubikey so that the private key isn't even on your phone.
But yes, KeePassXC is way more user friendly. Anything touching PGP/GPG is an automatic red flag for family.
Thanks for this!!
I feel like it raises somewhat the general issue of how much we're willing to live with complete mysterious anonymity from all of the developers and admins in the fediverse. I'm not saying that every admin or developer should have their real identity revealed and linked here. But there's a tension or issue here in how much it's normal and accepted and how much the fediverse in general wants to grow and attract users that are accustomed to trusting large companies that provide a different kind of base level trustworthiness than makes sense "out here".
If not links to real life identities (however trustworthy that can be in the limit), at least some connection to a broader online presence such that it becomes more likely the actor has something to lose in acting in bad faith (the lemmy core devs being a good example).
I don't have a solution ... but it seems to be a growing pain as this whole thing kind of grows from "hacker project" to "mainstream social media".
The solution has been the same for the last 20 years: Use a password manager, do not reuse passwords. That's it, you're done.
Even if the Lemmy instance admin steals your password (which would be easy!) they can't do anything with it.
Trying to break Lemmy, yeah, let's prosecuted those bastards, but... WHAT. COULD. BE. MORE. WORTHLESS. than my account?
You are welcome to the scintillating points I have made. Bask in their brilliance.
Feels like this will be a very common occurrence with people rushing to build and use new apps, and host new servers. There are plenty of positives to fediverse vs centralized, but it doesn’t come without negatives.
Is Memmy for Lemmy safe?
Nothing is safe.
Use a password manager and a unique random password for each service you sign up with. It's the only way to protect your accounts.
If you use push notifications you have to give the developer your access token, that could be stolen if the push server is hacked
As much as any other app I've seen, but I would still recommend using unique credentials for Lemmy.
Is this a password manager ad?
This is why password managers are so heavily pushed. Imagine if you used the same password for Lemmy that you used for your email? Both are now compromised. A unique password for all accounts is the bare minimum you must do.
Although it is worth noting that the recent Lemmy hack didn't come from a password compromise, but from session token harvesting, which a password change would not really protect against.
Lol this is not how the hack worked. JWT cookies are encrypted. They don’t contain your password at all. There was no way to reverse engineer from your cookie to your password.
load more comments
(4 replies)
view more: next ›