Sorry for the short post, I’m not able to make it nice with full context at the moment, but I want to quickly get this announcement out to prevent confusion:
Unfortunately, people are uploading child sexual abuse images on some instances (apparently as a form of attack against Lemmy). I am taking some steps to prevent such content from making it onto lemm.ee servers. As one preventative measure, I am disabling all image uploads on lemm.ee until further notice - this is to ensure that lemm.ee can not be used as gateway to spread CSAM into the network.
It will not possible to upload any new avatars or banners while this limit is in effect.
I’m really sorry for the disruption, it’s a necessary trade-off for now until we figure out the way forward.
This is sick. Kudos to mods for dealing with this garbage. I hope the posters are all hunted down and punished.
Yeah, the admins deserve all our support on this. Not only to protect themselves as server owners, but to stop the spread. Hopefully a longterm solution will be found soon
Just like self-isolation when you have a cold - the healthy and wise thing to do.
deleted by creator
I think this is a great move until we have something rock solid to prevent this. There are tons of image hosting sites you can use (most of which have the resources to already try to prevent this stuff) so it shouldn’t really cause much inconvenience.
Quality of posts will go up too. There’s a direct correlation with (worse) quality and image posts.
I prefer image memes, but to each their own.
Images are great when used sparingly
insert image here
less strain on lemmy servers as well
I know there are automated tools that exist for detection CSAM- given the challenges the fediverse has had with this issue it really feels like it’d be worthwhile for the folks developing platforms like lemmy and mastodon to start thinking about how to integrate those tools with their platforms to better support moderators and folks running instances.
I just shut down my instance because of this attack. Once there are better controls to prevent this, I will stand it back up.
Yeah, there was a gardening instance run by a great guy who just did the same
What do you think the purpose of these attacks are? The fediverse is so small in the grand scheme that I can only assume the worst.
Good thing my instance is only friends and friends of friends, otherwise I’d have to do the same
What was your instance?
That’s fucking dope, thank you very much for the link to the issue!
Good, its an API that can fit diffrent tools even if one is promoted. Upgrading means switching out a binary file. Posix modularization FTW.
No apologies necessary.
This is really sad and disgusting. It affects the whole platform but especially smaller instances that can’t keep up. Despite being a lemm.ee user, I was particularly upset about thegarden.land shutting down because of that spam. It had my favourite gardening community on here.
I really hope this gets sorted out, and the spammers end up where they belong.
Wait, they shut down? That’s sad, they were great
I’d really love to start a small instance just to play host to a couple of niche interests I don’t see around yet, but yeah, hearing about this fucked to behavior is making me hold off.
It has a real chilling affect on users, which is so unfortunate for a platform that is mostly made up of well meaning people
Perfectly fine. People can upload images elsewhere and then just link to them. Most image upload sites will have all those protections in place already. A good stopgap until Lemmy gets those mod tools
This is why we can’t have nice things.
Honestly, some people are just the worst. Why on earth anyone would waste their time doing something so vile is absolutely beyond me…
If one enjoys the twisted pain inflicted on children, then inflicting pain that makes most adults want to use eye-bleach by showing off their plunders is to them well executed revenge on the people they dont like.
It’s honestly sad that some well-intentioned laws can be used to attack online platforms.
I kinda wonder though, how would go about making a law against cp but doesn’t hurt small sites like lemm.ee?
The issue is that you really can’t. The laws are written specifically to prevent plausible deniability. Because pedos would be able to go “lol a troll sent it to me” and create some doubt in a jury. Remember that (at least in America) the threshold for conviction is supposed to be “beyond a reasonable doubt.” So if laws were focused on intent, all the pedos would need to do is create reasonable doubt, by arguing that they never intended to view/own the CSAM.
This was particularly popular in the Napster/Limewire days, when trolls would upload CSAM under innocuous titles, so people looking for the newest episode of their favorite show would find CSAM instead. You could literally find CSAM titled things like “Friends S10E9” because trolls were going for the shock factor of an innocent person opening a video only for it to end up being hardcore CSAM. Lots of actual pedos tried using the “I downloaded it by accident” defense.
So instead, the laws are written to close that loophole. It doesn’t matter why you have the CSAM. All that matters is you have it. The feds/courts won’t give a fuck if it was due to you seeking it out or if it was due to a bad actor sending it to you.
deleted by creator
And that’s pretty much where we are now. Bad actors creating bot accounts on multiple instances, to spam the larger (most popular) instances with CSAM.
I think they have oversimplified the situation to the point that it is wrong.
-
Arguably, Lemmy instance providers (depending on where they live) are protected in the same way Facebook or other content hosts are. So long as you are acting in good faith you are protected against any illegal content your users upload. This does mean you need to remove illegal content as you become aware of it, you can’t just ignore what your users are doing.
-
There have been cases where although a user technically ‘possessed’ CSAM, it was shown that they did so unknowingly via thumbnails or it being cached. The police do investigate where it came from. It’s not as simple as just sending it to someone and you can have them convicted.
deleted by creator
Yes, you’d just need to show that you actively moderate/apply content policies.
This will vary by jurusduction, but most of the West has laws similar to this I believe.
-
Lemmy instances are likely already protected in many countries legally so long as they act in good faith, ie actively moderate.
Fuck the legal part, I wouldn’t want to stay on platform infested with cp. Thank you so much for all the awesome people combating this <3
spoiler
Don’t freak out. This image isn’t hosted on lemm.ee.
Its a bug in sombodies markdown parsing.
Your URL was somehow HTML escaped.
Correct
…?width=640&height=480
Incorrect
…?width=640&height=480
I uh… don’t know what you mean there. I was just pointing out that the image I posted is hosted externally, so it doesn’t mean I found a bypass to the disabled uploads. It displays fine on the website.
Some software somwhere has a bug in it and it broke your link, im sorry if i failed to communicate that
This might be a good thread to ask:
Does anyone know if any of the Lemmy apps support direct imgur uploads for Lemmy?
I remember RIF used to do that for reddit back in the day before reddit supported direct image hosting.
Memmy on iOS uploads to Imgur by default. You just use the upload button.
Memmy on iOS does.
Did you alert authorities?
I’m going to go out on a limb and say they and all the other instances that were hit with this attack probably did. Which authorities, I don’t know. If this instance is hosted in Estonia then probably Estonian authorities, but it’s probably being hosted on the cloud so is it REALLY hosted in Estonia? There are a ton of American and EU users so hopefully the FBI and whatever the EU equivalent is. But honestly cybercrimes can get confusing because of the nature of people and hosting being spread out all over the world and it can be hard to even figure out who to report to.
Europol in Europe. But you can report it to your national cybercrime division and they can refer it to the appropriate authority if necessary.
I don’t think they made it onto this server, with the 100kb upload limit in place, that was already a rather low risk. It’s a preventive measure. So far lemmy.world was the one deliberately targeted.
deleted by creator
There’s no need to invoke conspiracy. This is entirely possible for a single person to do, and motivations for single people may be very pity even if the consequences are widely visible.
One misguided teenager on a power trip who enjoys how much disruption he can cause is enough for such an effect.
yeah bitches be spending actual money to destroy a fifteen year old game with bots. it doesn’t need to have political motivation.
I’m like 80% sure this isn’t coming from the outside but from people on Lemmy from malicious instances
Thank you for the efforts you are making. This is a serious situation; more than just dealing with bad actors, you are viewing traumatic images.
Please, for your sanity and well being, prioritize your self care. Things like this linger in the psyche much longer than you would expect.
That’s fucking disgusting. Take any measures you can to prevent that shit from being on the site.
Removed by mod
Lol first spam I’ve seen so far on lemmy
This is a very good decision, I worried about this problem from the very beginning that I learned about the Fediverse. Research must definitely be done to find CSAM detection tools that integrate into Lemmy, perhaps we could make a separate bridge repo that integrates a tool like that easily into the codebase.
I hope every disgusting creature that uploads that shit gets locked up
There was a user that posted a tool they had already been working on, that worked in Python, to go through and automate detection/deletion of potential CSAM on Lemmy servers that admins could implement until better tools come along. Unfortunately, I don’t remember who posted it or where I saw it in my travels yesterday.
Was it this post by db0?
Yep, that’s the one. Thanks!
You’re welcome
Google has an API for it. While I am not a fan of google, it is a widely used API.
Sounds like a useful back-pocket fallback/emergency tool. A thing for when your primary is failing or need more help.