Keybase recently announced native support for Mastodon verification. Free Radical is now supported by that system, so you can log into Keybase and prove that you own your Mastodon account to get a spiffy green checkmark on your profile.
I previously said that the Russians are coming. Yes, I meant it.
In the last two weeks, I’ve had registrations from 25 accounts that flagged themselves as bots. Of those, about half went on to post exactly one spammy toot.
Of these, 24 of them had email addresses that were hosted by
mxsrv.mailasrvs.pw. That one server itself is hosted by DigitalOcean, an American hosting company. The other email address is from a domain without a designated mailserver (that is, it lacks an MX record).
22 of the users connected to the FreeRadical.zone instance from IP addresses in owned by “QUALITY NETWORK CORP” out of Seychelles. They are in ASNs
AS50896, both referring to “Depo Data Center Kaluga”, at “248021, Russia, Kaluga region, Moscow Street 258, office 16”.
2 of the remaining users connected from IP address that are also owned by “QUALITY NETWORK CORP”, but for which
whois doesn’t show their ASNs (yay RIPE!).
The 1 other user connected from a netblock with ASN
AS61440 owned by “Digital Energy Technologies Chile SpA” out of Santiago, Chile. They still used the
mxsrv.mailasrvs.pw mailserver, though.
I’ve been called a “paranoid liberal”, a “fascist”, and “retarded” for saying that I thought that the recent spam flood had ties to Russia. Turns out I underestimated the connection: out of 25 spammers I identified and blocked, 25 are directly tied to hosting accounts in Moscow through at least one means.
Social media managers at companies establish presences on all new social networks. Even if they don’t use them immediately, they plant a stake in the ground in case those networks later become popular. It’s unreasonable to believe that social media engineers from major world governments don’t also do the exact same thing.
The information I worked with to compile those stats is at https://gist.github.com/kstrauser/bb63763363e81fa5f843fc7bcb9f84b4.
This updates my last blog post where I said that we’re getting a flood of spambots. Summary: if you’re an admin affected by this, you must act now.
I’ll cut to the chase. It seems that this week’s collection of spammer registrations come from Russia. I think that the spam they’re sending today is a probe to see who will respond to it. My prediction is that instances who don’t act quickly will see those accounts stop posting and drawing attention to themselves. In a few months, say nearing the American mid-term elections, they’ll wake up and start steering the inevitable political conversations in directions that we, the instance admins, had not intended. By that time it will be too late to easily root them out because their numbers will have exploded during the time we were looking the other way and hoping the problem will go away.
I might be wrong, but I don’t think so. And I’ll be damned if I’m going to help Mastodon go down the same path as Facebook and Twitter during the last American election. We have to act to stop this, and we have to do it now.
The current crop of spam is all origination from the same email server, even though it hosts many email domains. You can block all registrations from it by going to Preferences > Moderation > E-mail blacklist > Add new, and entering
mxsrv.mailasrvs.pw. This won’t affect any spambots already registered on your system! It only prevents new ones from registering. It also won’t fix the next wave of spammers that go through a different email server, so this isn’t a “one-and-done” action. It helps for now, though.
Next few months actions
I’ve opened an issue discussing ideas for making Mastodon’s admin tools more helpful for dealing with this. Plus jump in if you have more or better ideas!
The long road
I predict that at some point we’re going to have to consider a federated spam registration network. If “foo@randomdomain” spams on my instance, and “bar@someotherdomain” spams on yours, and we both report it, the network could see that they both came from the same server. Then it could suggest to all participating instances that we collectively block that server. And yes, this will be ripe for abuse and we’ll have to think long and hard about what it means to use automation to block potential Mastodon participants. Maybe we’ll have to add captchas to the registration system, which is bad for our differently-abled friends. Maybe instance will have to go to manual approval systems. Honestly, all of these alternatives suck. But far enough out, if we want to preserve Mastodon’s freedom for legitimate human users, we’re going to have to make some difficult decisions.
Admins of Mastodon:
I’ve deleted four bot accounts that were spamming movie streaming links, with captions like:
- Tickling Giants Film Gomovies Super Streaming keine Anmeldung putlockers
- Kostenloser Stream Attack on Titan Season 3 tamilisch Ganzer Film Youtube Ohne Anmeldung Sonnenfilme
- Movie The Insanity of God Film complet 720px pas de login Youtube putlockers
- Movie Stream Little Shop of Horrors: The Director’s Cut 123movies Without Signing Up Watch Here putlockers in Hindi
- En el Septimo Dia (On the Seventh Day) Regarder gratuitement double audio en hindi gostream gomovies pas d’inscription
Not on my instance. You might want to keep a lookout, too.
FOSTA – the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 – and SESTA – the Stop Enabling Sex Traffickers Act of 2017 are some likely unconstitutional, certainly unnecessary jackassery. While I agree with the EFF that this is terrible law, I don’t think it’s the end of the world.
(Sec. 2) This bill expresses the sense of Congress that section 230 of the Communications Act of 1934 was not intended to provide legal protection to websites that unlawfully promote and facilitate prostitution and websites that facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims. Section 230 limits the legal liability of interactive computer service providers or users for content they publish that was created by others.
By no plausible interpretation is Free Radical a website meant to “unlawfully promote and facilitate prostitution” or “facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims”. I’ve never seen such a post in the fediverse, let alone one that originates on Free Radical, and it’s certainly not meant for that purpose any more than is any other general public forum.
(Sec. 3) The bill amends the federal criminal code to add a new section that imposes penalties—a fine, a prison term of up to 10 years, or both—on a person who, using a facility or means of interstate or foreign commerce, owns, manages, or operates an interactive computer service (or attempts or conspires to do so) to promote or facilitate the prostitution of another person.
Same as above. I have never and would never own, manage, or operate a website to promote or facilitate the prostitution of another person. Regardless of whether prostitution should be illegal in the first place, it’s not something I’m going to directly participate in.
(Sec. 4) The bill amends the Communications Act of 1934 to declare that section 230 does not limit: (1) a federal civil claim for conduct that constitutes sex trafficking, (2) a federal criminal charge for conduct that constitutes sex trafficking, or (3) a state criminal charge for conduct that promotes or facilitates prostitution in violation of this bill.
Again, I’m not going to be promoting or facilitating prostitution. Note that this is different from carrying traffic that may incidentally facilitate illegal activities. For example, I guarantee that people use Gmail to do illegal things. That’s not its designed or advertised for, though.
(Sec. 5) The bill amends the federal criminal code to define a phrase related to the prohibition on sex trafficking. Currently, it a crime to knowingly benefit from participation in a venture that engages in sex trafficking. This bill defines “participation in a venture” to mean knowingly assisting, supporting, or facilitating a sex trafficking violation.
Key word: knowingly. I won’t be knowingly doing any of that stuff. I explicitly don’t read, monitor, analyze, or moderate all traffic flowing through the system. I don’t pretend to. I specifically don’t want to.
I side with the EFF that this is a bad idea and I oppose it. That said, I can’t imagine a plausible scenario where FOSTA/SESTA affects me – an American admin using American hosting resources – in any way. And if some dipshit prosecutor sees it otherwise, I’ll fight it. As an EFF member and friend to many a lawyer, I’m not going anywhere any time soon. These ridiculous bills won’t scare me away.
edit: Upon the excellent suggestion of a friend, I’ve added:
No solicitation of prostitution
I kind of fell into a heated argument between well-intentioned people. While I actively do not want to become involved in every disagreement in the fediverse, enough people ended up participating that I wanted to offer my outsider’s take on events.
A new user, Pat, joined Free Radical a few days ago. They were active on birdsite but had heard about our growing community and wanted to check it out. I had a few chats with Pat about what makes the two networks different, and they were eager to get started exploring.
Some time last night, Pat found another user, Jan. Jan believes that people in Pat’s demographic have caused a lot of political and societal problems for people in Jan’s demographic. Pat, fresh from birdsite, saw this as an invitation to debate the point.
Things got a little heated.
At 3AM I woke up because our new comforter only has one temperature – “infernal” – and I thought I’d drop in to see what was happening online. Turns out quite a bit was happening and I was hearing about it. Pat and I had another chat about the social differences between birdsite and Mastodon. I went back to sleep.
This morning I woke up to more, ahem, discussion and a request from Pat: “Mastodon isn’t the place for me right now, please delete my account, and best wishes”.
I deleted their account.1
I’ve received no moderation reports on either party, and this post isn’t my reaction to anything external to my own thoughts. I’m just piecing together the implications of an unusual situation.
I read what Pat wrote. I think they’re a good person with good intentions who ended up in a disagreement. They felt like they were being attacked and responded to it. Their mistake – if you can call it that – was engaging in an argument with someone who wasn’t offering to argue with strangers. Pat came in from a network where such random arguments are much more common and accepted as normal.
I read what Jan wrote. I think they’re a good person with good intentions who ended up in a disagreement. They felt like they were being attacked and responded to it. Their mistake – if you can call it that – was accepting the offer to argue instead of ignoring an unwanted message. I truly understand that it’s easier said than done, though, especially when Jan had no intention of talking directly to Pat in the first place and almost certainly had no wish to have someone explain how they were “wrong”.
Mastodon truly isn’t “birdsite but on a different server”. This was largely built by and for minorities who’ve had a raw deal and want someplace safe to hang out. “Safe” does /not/ mean “echo chamber”! I’m continually exposed to opinions I don’t share, /and that’s great!/ It means I’m reminded that decent people I enjoy talking to sometimes have opinions significantly different from my own. It does mean that when you hear something you dislike2 that the best course of action is usually to try to listen, understand the speaker’s point of view, and then move on.
Even though Pat made the first mistake, in my opinion, I think they left on a high note by realizing that they weren’t in their element and bowing out gracefully. I would welcome them back as long they were willing to act within Mastodon’s social mores.
- I didn’t really delete their account because Mastodon doesn’t support that. I did disable their login and delete all their toots. ↩
- I’m talking about run-of-the-mill political disagreements, etc. I don’t expect anyone to keep quiet when they experience harassment, oppression, or other speech that actively seeks to make others feel unwelcome. ↩
I want to have a cool logo but I can’t really justify paying to commission one to my family. Conversely, I’m not going to ask an artist to work for free, because I value their work and don’t want to imply that I don’t. So, how I can I reconcile these seemingly incompatible requirements? I’m not sure, but I’ve been tossing this around:
- One or more artists submit rough drafts of their ideas,
- I select one that resonates with me and help the artist develop it,
- That artist gives me exclusive rights to the design so that there aren’t 43 instances with “my” branding, but
- The artist keeps all merchandising rights, and I help them advertise stickers, t-shirts, etc.
Releastically, that probably wouldn’t generate a lot of revenue (although I’d certainly buy some stuff for myself). However, the artist would get 100% of all income from it. If I’m the only one who buys a t-shirt, it’s not that great a deal for them. If I help them sell a hundred shirts or somehow become Internet famous, that could be a nice chunk of change, of which my cut would be $0.00.
I’m neither a businessman nor an artist, so I’m not clear if this idea is brilliant or terrible. What do you think?
2017 has been a wild ride, but I have a lot to be very grateful for. I am honored and privileged to be surrounded by my lovely Mastodon friends, and to be in a position that I can give back a little to our community. Thank you for being a bright light in an otherwise challenging year.
I’ve had a hard time going cold turkey with birdsite but it gets easier by the day. I still think of it as the early service that was new and different and exciting and wasn’t being used as a machine for spreading hate. I need to break that habit, but it’s hard.
This morning I drank deeply of that cesspool and was shocked at how horrible it is. Was it always that bad and I was just used to it, or has it taken a recent and sharp turn for the worse? I don’t know. Either way, here we are.
I’ve been committed to Free Radical since its launch, and I want to publicly and explicitly reaffirm this: we’re here for the long haul. The world needs a good, distributed, self-hosted social media network and I think that we’ve found it. I might not have posted a lot lately – life happens – but I’m here for you.
Let’s build something good!