I was just followed by an account(?) on mastinator.com. After careful consideration I decided to block the entire domain. Anyone (well, almost anyone) who wants to follow me is welcome, of course, but not anonymously. That's not cool.
I may reverse this decision in the future if I get more information, but, for now, this is it.
I found this. Hope it helps everyone avoid the FUD:
https://boyter.org/posts/mastinator-activitypub-breaking-assumptions/
I must admit that I'm sympathetic to the author (@boyter, I think): it's true that it's difficult to test an AP implementation without some kind of infrastructure in place.
But I'm also with @aral: this should be opt-in.
Perhaps it needs to be the other way around. By default when you sign up to instances your posts only stay on that instance, and you chose to interact with the fediverse, either in total, or on a instance by instance case.
I did notice that setting your mastodon instance into secure mode would be a good step towards this.
@boyter I didn't opt-in. I just have my follows open, because I wasn't expecting something like this to happen, which is also why I never felt like reviewing requests.
If you need to test some AP-based application, my advice is that you create an account on each platform (Mastodon, Pleroma, Misskey, etc.) and use those and advertise them as what they are.
Ask developers and admins for advice and permission. Most would have helped you with whatever needs you had, and this whole shitshow would have been avoided. (I call it shitshow, but I only noticed it by pure chance. Maybe it wasn't that big of a thing.)
My impression is that you went a little too _gung-ho_ on this, and that's why some people got mad. As you noticed, a lot of them are sensitive about their privacy and trigger-happy when they feel threatened, which is almost always.
Anyway, I'd like you to stay around, but please take into account that this is a communication platform, so try communicating before pulling something that affects other people like this. I hope you manage to finish whatever you wanted to do and help us secure the Fediverse.
I did try what you suggested, and some instances didn't like it so I moved on.
Seems I did go a little gung-ho. Although had one person taken a step back and said "Hey there is some potential for abuse, can you add X,Y and Z" that would have been far more constructive.
For example, I am aware that there is some "follower" only thing that I would be happy to honor, if someone could point me at where its actually implemented. I don't see anything in the activity that I am currently getting which suggests its working as intended perhaps?
I plan on staying around for a while. As I keep mentioning, im not doing this to annoy or abuse people. I am also actively trying to improve it, and encouraging people to block if if they want. Id just like constructive feedback, as "Just shut it down" is not.
@boyter
> I thought having people follow was the point of playing in a federated system...
Well, more like having people _to_ follow—but not anonymously.
> I am aware that there is some "follower" only thing that I would be happy to honor, if someone could point me at where its actually implemented.
Each activity has an array of recipients, which are basically URL pointing at people or general inboxes. When a post is follower-only, to a followers URL, which the server resolves into each particular account.
But that's not the point. The point was that you were following people, which means you were allowed to see those posts. There's nothing wrong about that. The problem was (allegedly, I haven't tried it) that you let everyone access all those posts (regardless of visibility) without any previous authentication.
@boyter
> the follower only bit I am very interested in. Where in the Create event does it live? I am totally willing to ignore those posts.
Visit any post (or status) URL, GET it, but with a HTTP request header like this:
Accept: application/ld+json; profile="https://www.w3.org/ns/activitystreams"
In the json-ld document that you'll receive there is a field called (unsurprisingly) "to". If a post is followers-only it will add a URL that ends in "/followers" (if I'm not mistaken, I'm just guessing). It is not Mastodon specific.
But, seriously, don't do that. Use some other method to test your implementation. The one I recommended in my first reply is best, even if some people don't like it. Don't insist on mastinator. There are much better ways.
Now the reason I am interested in this is not just for mastinator, I want to have my own compliant implementation, and knowing what it is I am supposed to do in this situation would help.
Actually, just having a decent spec about ActivityPub/Mastodon would be useful to avoid this in the future.
@boyter There is a decent spec. There actually are several: ActivityPub (https://w3c.github.io/activitypub/), which is based on ActivityStreams, which in turn uses ActivityVocabulary. There's RFC 7033 for Webfinger, OAuth2 for authentication, etc.
And that's AP, but the Fediverse also uses OStatus and #Zot and WebTorrent among others. The most widely used is AP, but it's not the only one.
None actually encompass everything you actually encounter. Hence me having read all of them multiple times and still not being able to find how to implement the followers only request.
Its not for lack of trying I can assure you.
@boyter That's why I said that you should open accounts on different instances using different implementations. Because, sadly, _no one implements the standard as is_, so what everybody does is support the Mastodon API and then add extensions of their own. These extensions are standard-compliant, but obviously not included in it. Maybe that's what confusing you?
I am now attempting to have others learn from the experience without having to replicate it.
@boyter Let them replicate it. It's ok. Most people who wanted to write an AP implementation did so years ago. If you really want to help other people, create a public repository with your code (I recommend using @Codeberg for that) and ask them to contribute to it or just criticise what you have done so far.
Again, cultivate a network of friends with similar interests. That always pays off. In software and in life.
I can already picture how well that will go down as a million clones are launched...
@boyter I doubt that will be the case, but remember to ask the admins for permission first.
In any case I was talking about the code of your implementation, but maybe this one would be useful too. I wonder if it could help in preventing attacks. After all (according to the usual hysterics), it's basically a weapon.
What was implemented could be done using Mastodon as a base fairly easily I suspect. I don't know Ruby or how it works well enough to comment intelligently on that. If the argument is that being able to create accounts quickly, and follow is a weapon then all instances are weapons?
However I don't think painting an even bigger target on myself by posting this code is a prudent idea considering what has happened.
@boyter
> Which admins?
The ones of the site where you choose to host your code.—If you choose to do it.
> I thought having people in charge like that is one of the reasons people left twitter?
In the immortal words of George Clooney, «someone has to be in charge.» Which doesn't mean that whoever it is has to become some sort of ruthless dictator.
> If the argument is that being able to create accounts quickly, and follow is a weapon then all instances are weapons?
Yes, and that's why admins are a thing. Not only do they ban you from using bad words, they also watch the logs and check that everything works as it should. At least the good ones.
> I don't think painting an even bigger target on myself by posting this code is a prudent idea considering what has happened.
Code does nothing by itself. It's executing the code that has consequences. That's why security researchers study viruses. They look at the codee to see what it does and how. They don't release them in the wild.
Creating a repository is just letting people know how your code works and an invitation for everyone to contribute and improve on it. Nobody will be painting a target on yourself, and if they do, just don't listen to them.
@boyter But anyway, I was going to sleep. I'll answer more questions tomorrow. Good night.
Yes, code does nothing by itself. However as mentioned I am not sure I am willing to subject myself to that right now, considering I apparently endangered so many people with what I have done so far. I may change my mind on that in time though.
Each activity has an array of recipients, which are basically URL pointing at people or general inboxes. When a post is follower-only, to a followers URL, which the server resolves into each particular account.
Yep, the follower only bit I am very interested in. Where in the Create event does it live? I am totally willing to ignore those posts.
Yes, it would let anyone access those posts, but my point is thats already a thing if you allow people to follow you?