I was just followed by an account(?) on mastinator.com. After careful consideration I decided to block the entire domain. Anyone (well, almost anyone) who wants to follow me is welcome, of course, but not anonymously. That's not cool.

I may reverse this decision in the future if I get more information, but, for now, this is it.


I found this. Hope it helps everyone avoid the FUD:

boyter.org/posts/mastinator-ac

I must admit that I'm sympathetic to the author (@boyter, I think): it's true that it's difficult to test an AP implementation without some kind of infrastructure in place.

But I'm also with @aral: this should be opt-in.

Wow. That blog post turned dark really quickly: “You're lucky I'm not evil, for if I was, you'd be royally fucked, BITCHES!”

(Ok, I exaggerated for comedic purposes, but _not by that much_.)

I'm still sympathetic with the author, though, and agree with most of what he says there.

@josemanuel But it is opt-in? You allowed follows? You can always make your follow requests need review if you are worried.

Perhaps it needs to be the other way around. By default when you sign up to instances your posts only stay on that instance, and you choose to interact with the fediverse, either in total, or on an instance by instance basis.

I did notice that setting your mastodon instance into secure mode would be a good step towards this.

@boyter I didn't opt-in. I just have my follows open, because I wasn't expecting something like this to happen, which is also why I never felt like reviewing requests.

If you need to test some AP-based application, my advice is that you create an account on each platform (Mastodon, Pleroma, Misskey, etc.) and use those and advertise them as what they are.

Ask developers and admins for advice and permission. Most would have helped you with whatever needs you had, and this whole shitshow would have been avoided. (I call it shitshow, but I only noticed it by pure chance. Maybe it wasn't that big of a thing.)

My impression is that you went a little too _gung-ho_ on this, and that's why some people got mad. As you noticed, a lot of them are sensitive about their privacy and trigger-happy when they feel threatened, which is almost always.

Anyway, I'd like you to stay around, but please take into account that this is a communication platform, so try communicating before pulling something that affects other people like this. I hope you manage to finish whatever you wanted to do and help us secure the Fediverse.

@josemanuel I thought having people follow was the point of playing in a federated system...

I did try what you suggested, and some instances didn't like it so I moved on.

Seems I did go a little gung-ho. Although had one person taken a step back and said "Hey there is some potential for abuse, can you add X,Y and Z" that would have been far more constructive.

For example, I am aware that there is some "follower" only thing that I would be happy to honor, if someone could point me at where it's actually implemented. I don't see anything in the activity that I am currently getting which suggests it's working as intended perhaps?

I plan on staying around for a while. As I keep mentioning, I'm not doing this to annoy or abuse people. I am also actively trying to improve it, and encouraging people to block it if they want. I'd just like constructive feedback, as "Just shut it down" is not.

@boyter
> I thought having people follow was the point of playing in a federated system...

Well, more like having people _to_ follow—but not anonymously.

> I am aware that there is some "follower" only thing that I would be happy to honor, if someone could point me at where its actually implemented.

Each activity has an array of recipients, which are basically URLs pointing at people or general inboxes. When a post is followers-only, it is addressed to a followers URL, which the server resolves into each particular account.

But that's not the point. The point was that you were following people, which means you were allowed to see those posts. There's nothing wrong about that. The problem was (allegedly, I haven't tried it) that you let everyone access all those posts (regardless of visibility) without any previous authentication.

@josemanuel Well you can still only follow and never have your data spread. Nothing changed there.

> Each activity has an array of recipients, which are basically URLs pointing at people or general inboxes. When a post is followers-only, it is addressed to a followers URL, which the server resolves into each particular account.

Yep, the follower only bit I am very interested in. Where in the Create event does it live? I am totally willing to ignore those posts.

Yes, it would let anyone access those posts, but my point is that's already a thing if you allow people to follow you?

@boyter
> the follower only bit I am very interested in. Where in the Create event does it live? I am totally willing to ignore those posts.

Visit any post (or status) URL, GET it, but with a HTTP request header like this:

Accept: application/ld+json; profile="w3.org/ns/activitystreams"

In the json-ld document that you'll receive there is a field called (unsurprisingly) "to". If a post is followers-only it will add a URL that ends in "/followers" (if I'm not mistaken, I'm just guessing). It is not Mastodon specific.

But, seriously, don't do that. Use some other method to test your implementation. The one I recommended in my first reply is best, even if some people don't like it. Don't insist on mastinator. There are much better ways.
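Worked example, added here and not code from mastinator or from any project mentioned in the thread: the addressing rule described above turned into a small classifier. It takes a Create activity (the JSON you get when fetching a status with the Accept header above, or that arrives in a follower's inbox) together with the author's followers collection URI, and reports whether the post was public, unlisted, followers-only or direct. One correction to the header as rendered above: the profile value is the full IRI https://www.w3.org/ns/activitystreams, as the next reply quotes it. The domain, user, ids and both sample activities are constructed.

```python
"""Classify an ActivityPub post's visibility from its addressing.

Added example; not code from mastinator or from any Fediverse project.
It uses only what ActivityStreams/ActivityPub put on the wire: the `to` and
`cc` arrays on the Create activity and its embedded object, the special
public collection, and the author's followers collection URI, which comes
from the author's actor document (assumed fetched separately here).
"""
import json

# Accept header for fetching a post as ActivityPub JSON rather than HTML.
AP_ACCEPT = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'

# The public collection as it actually appears in the wild: the full IRI,
# the compacted form, and the bare name (all permitted by the spec).
PUBLIC = {
    "https://www.w3.org/ns/activitystreams#Public",
    "as:Public",
    "Public",
}


def _as_list(value):
    """ActivityStreams properties may be absent, a single value, or a list;
    list members may be plain IRIs or embedded objects carrying an `id`."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        value = [value]
    return [v if isinstance(v, str) else v.get("id", "") for v in value]


def _recipients(activity, field):
    """Union of the addressing on the activity and on its wrapped object.
    Mastodon sets both; some implementations set only one of them."""
    found = set(_as_list(activity.get(field)))
    obj = activity.get("object")
    if isinstance(obj, dict):
        found |= set(_as_list(obj.get(field)))
    return found


def classify_visibility(activity, followers_uri):
    """Return 'public', 'unlisted', 'followers' or 'direct'.

    This is Mastodon's addressing convention, which other servers copy:
      public    -> Public in `to`
      unlisted  -> Public in `cc` only
      followers -> the author's followers collection addressed, no Public
      direct    -> only individual actors addressed
    """
    to = _recipients(activity, "to")
    cc = _recipients(activity, "cc")
    if to & PUBLIC:
        return "public"
    if cc & PUBLIC:
        return "unlisted"
    if followers_uri in to or followers_uri in cc:
        return "followers"
    return "direct"


def may_republish(activity, followers_uri):
    """A service that receives a post only because it follows the author
    must not re-expose it to anonymous readers unless it was public."""
    return classify_visibility(activity, followers_uri) == "public"


# Constructed sample: a followers-only Create as delivered to a follower's
# inbox. The domain, user and ids are made up.
FOLLOWERS_URI = "https://example.social/users/alice/followers"
SAMPLE_FOLLOWERS_ONLY = json.loads("""
{
  "@context": "https://www.w3.org/ns/activitystreams",
  "id": "https://example.social/users/alice/statuses/1/activity",
  "type": "Create",
  "actor": "https://example.social/users/alice",
  "to": ["https://example.social/users/alice/followers"],
  "cc": [],
  "object": {
    "id": "https://example.social/users/alice/statuses/1",
    "type": "Note",
    "attributedTo": "https://example.social/users/alice",
    "to": ["https://example.social/users/alice/followers"],
    "cc": [],
    "content": "<p>for my followers only</p>"
  }
}
""")

# Constructed sample: the same note posted as unlisted (Public moved to cc).
SAMPLE_UNLISTED = json.loads("""
{
  "type": "Create",
  "actor": "https://example.social/users/alice",
  "to": ["https://example.social/users/alice/followers"],
  "cc": ["https://www.w3.org/ns/activitystreams#Public"],
  "object": {"type": "Note",
             "to": ["https://example.social/users/alice/followers"],
             "cc": ["https://www.w3.org/ns/activitystreams#Public"]}
}
""")

if __name__ == "__main__":
    for name, act in (("followers-only", SAMPLE_FOLLOWERS_ONLY),
                      ("unlisted", SAMPLE_UNLISTED)):
        print(name, "->", classify_visibility(act, FOLLOWERS_URI))
```

The followers collection URI has to come from the author's actor document (its "followers" property); matching on a URL that merely ends in "/followers" would let any server pick a misleading path. Checking both the activity and the embedded object matters because the two are not guaranteed to carry identical addressing.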

@josemanuel Yep, so that's what I thought, and every post I see running through it has https://www.w3.org/ns/activitystreams#Public in the to field.

Now the reason I am interested in this is not just for mastinator, I want to have my own compliant implementation, and knowing what it is I am supposed to do in this situation would help.

Actually, just having a decent spec about ActivityPub/Mastodon would be useful to avoid this in the future.

@boyter There is a decent spec. There actually are several: ActivityPub (w3c.github.io/activitypub/), which is based on ActivityStreams, which in turn uses ActivityVocabulary. There's RFC 7033 for Webfinger, OAuth2 for authentication, etc.

And that's AP, but the Fediverse also uses OStatus and WebTorrent among others. The most widely used is AP, but it's not the only one.

@josemanuel With all due respect there isn't. Or rather like many specs they don't match what you find in the real world.

None actually encompass everything you actually encounter. Hence me having read all of them multiple times and still not being able to find how to implement the followers only request.

Its not for lack of trying I can assure you.

@boyter That's why I said that you should open accounts on different instances using different implementations. Because, sadly, _no one implements the standard as is_, so what everybody does is support the Mastodon API and then add extensions of their own. These extensions are standard-compliant, but obviously not included in it. Maybe that's what's confusing you?

@josemanuel So that's literally what I did, and then had my instance follow them, and then debug what was coming in.

I am now attempting to have others learn from the experience without having to replicate it.

@boyter Let them replicate it. It's ok. Most people who wanted to write an AP implementation did so years ago. If you really want to help other people, create a public repository with your code (I recommend using @Codeberg for that) and ask them to contribute to it or just criticise what you have done so far.

Again, cultivate a network of friends with similar interests. That always pays off. In software and in life.

@josemanuel Post the code to this? So someone else can do it?

I can already picture how well that will go down as a million clones are launched...

@boyter I doubt that will be the case, but remember to ask the admins for permission first.

In any case I was talking about the code of your implementation, but maybe this one would be useful too. I wonder if it could help in preventing attacks. After all (according to the usual hysterics), it's basically a weapon.

@josemanuel Which admins? Also, it feels that this smacks of hypocrisy that someone needs to appease the elders to do something on this network. I thought having people in charge like that is one of the reasons people left twitter?

What was implemented could be done using Mastodon as a base fairly easily I suspect. I don't know Ruby or how it works well enough to comment intelligently on that. If the argument is that being able to create accounts quickly, and follow is a weapon then all instances are weapons?

However I don't think painting an even bigger target on myself by posting this code is a prudent idea considering what has happened.

@boyter
> Which admins?

The ones of the site where you choose to host your code, if you choose to do it.

> I thought having people in charge like that is one of the reasons people left twitter?

In the immortal words of George Clooney, «someone has to be in charge.» Which doesn't mean that whoever it is has to become some sort of ruthless dictator.

> If the argument is that being able to create accounts quickly, and follow is a weapon then all instances are weapons?

Yes, and that's why admins are a thing. Not only do they ban you from using bad words, they also watch the logs and check that everything works as it should. At least the good ones.

> I don't think painting an even bigger target on myself by posting this code is a prudent idea considering what has happened.

Code does nothing by itself. It's executing the code that has consequences. That's why security researchers study viruses. They look at the code to see what it does and how. They don't release them in the wild.

Creating a repository is just letting people know how your code works and an invitation for everyone to contribute and improve on it. Nobody will be painting a target on yourself, and if they do, just don't listen to them.

@boyter But anyway, I was going to sleep. I'll answer more questions tomorrow. Good night.

@josemanuel In this case I am the admin running my own instance.

Yes, code does nothing by itself. However as mentioned I am not sure I am willing to subject myself to that right now, considering I apparently endangered so many people with what I have done so far. I may change my mind on that in time though.

@boyter @josemanuel

If Person A's account is private, and Person B submits a follow request, Person A can see who it is who's requesting to follow them and can deny it if they don't like the look of them.

But if Person A receives a follow request from a generic, innocent-looking account with no posts, bio or followers named "everyone", they might think it safe to accept it—without it being clear that this will make all their posts publicly accessible via your site.

Is that really "opt-in"?

@hughster We're not here to blame anyone, man. Everything's behind us now and nobody got hurt. Just block the instance and move on.

Maybe he should have announced his instance and his project before and asked for volunteers to be followed? Sure, he could have done that. Or he could have created test accounts in different servers? Of course. But what's done is done. He explained everything, he owned up to it, and that's what matters.

@boyter

@josemanuel Totally block it if you want. I have actually been encouraging it.

Alas announcing is hard when you don't know where to announce it. I wonder if that's something that could be done by someone trustworthy.

As you say, I have owned up to everything. I suspect someone with evil intentions would not.

Also if you know where to find the "followers only" portion of the specifications to exclude those posts it would really help. I think it might be mastodon specific... but I am happy to implement it anyway.

@boyter
> Alas announcing is hard when you don't know where to announce it.

Apart from following other accounts and creating your own network of like-minded people, you could have asked your admin what they thought of your idea, and about its pros and cons. But I agree, it's definitely hard to communicate when you follow no one and no one follows you. (By the way, you're running your own instance?)

In general, just get to know people and build relationships with those you feel you can trust. It's not like you did something illegal, but you have to make sure that you know how what you do can affect others.

Also, surrounding yourself with knowledgeable people could give you some guidance and help you notice the differences between AP implementations. All of them have their quirks and probably none of them follow the standard precisely.

In the end, the tl;dr of this post is: talk to people first, act later, even if you decide not to follow their advice.

Write a post with your needs and I'll boost it. Maybe that way you will be able to find allies.

@josemanuel Yes I run my own instance. That's partly why I was so interested in the space, since ultimately I want to build my own implementation.

Discoverability is indeed an issue on this network, hence I followed what was possible from my other networks. I doubt I would have gotten too much pushback from those people since I suspect they think in a similar way (not putting words in their mouths though).

I did write a post just before asking if people know where that is in the spec. It's something I could add in about 5 mins if someone can point me at where it is.

@hughster I don't see how it could be any more opt-in? The controls around following are totally in the hands of the user, are they not?

If there is some other way to do this please point me at the specification?

Also if you happen to know where the "followers" only thing that people are referring to is, I'd love to add that too.

@boyter If someone uses your site to try to follow someone with manual approval of followers enabled, will it go ahead and submit a follow request?

@hughster Yes. If you know of a way to check ahead of time before doing this let me know and I will add that in. I don't know if that's a mastodon specific thing but I'd be happy to add it to avoid clogging up people's queues.
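An added example, not mastinator's code, of the ahead-of-time check asked about here: Mastodon publishes "manuallyApprovesFollowers" on every actor document (it is an extension in Mastodon's JSON-LD context that other servers have copied), so a following service can see whether an account is locked before sending a Follow, and can then match the Accept or Reject that comes back against the Follow it actually sent. The sending service's actor id and the sample actor document are assumptions; fetching the actor over HTTP and verifying the HTTP signature on the inbox delivery are assumed to happen elsewhere.

```python
"""Honour manual follower approval and validate Accept/Reject replies.

Added example; not mastinator's code. It assumes the remote actor document
has already been fetched as ActivityPub JSON. Mastodon sets
`manuallyApprovesFollowers` on each actor; when true, a Follow sits in the
user's request queue until they accept it. Our own actor id and the sample
actor below are constructed.
"""
import uuid

ME = "https://relay.example/actor"  # assumed: the sending service's actor


def follow_policy(actor):
    """'manual' if the remote account screens followers, 'auto' if open,
    'unknown' if the property is missing (other or older implementations)."""
    flag = actor.get("manuallyApprovesFollowers")
    if flag is None:
        return "unknown"
    return "manual" if flag else "auto"


def build_follow(actor, me=ME):
    """The Follow activity as ActivityPub defines it: `actor` follows `object`."""
    return {
        "@context": "https://www.w3.org/ns/activitystreams",
        "id": f"{me}#follows/{uuid.uuid4()}",
        "type": "Follow",
        "actor": me,
        "object": actor["id"],
    }


def plan_follow(actor, me=ME, follow_locked=False):
    """Return the Follow to send, or None. Locked (manual-approval) accounts
    are skipped unless the operator explicitly opts in, so nobody is nudged
    into approving an innocuous-looking request without knowing what it is."""
    if follow_policy(actor) == "manual" and not follow_locked:
        return None
    return build_follow(actor, me)


def handle_follow_response(activity, pending):
    """Match an inbound Accept/Reject to a Follow we sent.

    `pending` maps Follow ids to the Follow activities awaiting an answer.
    The reply's `object` may be the Follow's id or the whole Follow embedded
    (Mastodon embeds it). Returns 'accepted', 'rejected' or None.
    The HTTP signature on the inbox POST is assumed verified before this.
    """
    kind = activity.get("type")
    if kind not in ("Accept", "Reject"):
        return None
    obj = activity.get("object")
    follow_id = obj.get("id") if isinstance(obj, dict) else obj
    follow = pending.get(follow_id)
    if follow is None:
        return None  # not one of ours: ignore
    if activity.get("actor") != follow["object"]:
        return None  # only the account being followed may answer
    del pending[follow_id]
    return "accepted" if kind == "Accept" else "rejected"


# Constructed sample actor with follower approval switched on.
SAMPLE_LOCKED_ACTOR = {
    "id": "https://example.social/users/alice",
    "type": "Person",
    "preferredUsername": "alice",
    "inbox": "https://example.social/users/alice/inbox",
    "followers": "https://example.social/users/alice/followers",
    "manuallyApprovesFollowers": True,
}

if __name__ == "__main__":
    print(follow_policy(SAMPLE_LOCKED_ACTOR), plan_follow(SAMPLE_LOCKED_ACTOR))
```

Treating a missing property as "unknown" rather than "auto" is deliberate: a server that does not publish the flag may still queue follow requests, and the safe default for a bot is to not send the Follow. The actor comparison in handle_follow_response is what stops a third party from faking an Accept for a Follow it can see in a public outbox.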

@boyter I don't know if there is or not, so perhaps someone else could help. The issue isn't so much one of clogging queues but that if your bot submits a follow request, recipients have no way of knowing that accepting it means making their posts public.

@hughster So my understanding is that if you allow federation out it is expected it will appear on public timelines, for a regular follow.

Hence wanting to find this in the spec. I think it might be mastodon specific though, which is good enough for me and I will add it in.

@hughster Yes, but is that sent when they post? Does an instance following that user get that information and where is it?

That's what I am trying to find.

@hughster It looks like it, but I only ever see #Public on everything. If I can get a negative case or example that would assist greatly.

@boyter Are you able to use a test Mastodon account the bot is following to publish some follower-only posts, perhaps?

@josemanuel Just want to say @boyter has been nothing but forthright in his communication with me and he raises some very solid points in his message on mastinator.com that folks in the fediverse would do well to think/act on. Specifically, those folks excitedly celebrating Tumblr, Mozilla, etc., setting up their own instances. Once instances of millions (if not hundreds of millions) exist, they’ll be making the rules. And blocking them will be like you blocking Gmail on your email server.

@aral thank you for posting that. I really did try to be as transparent as possible.
Qoto Mastodon