PSA to all admins: I highly recommend a #FediBlock of #mastinator (ie. the entire mastinator.com domain).

Mastinator is a service that allows a person to anonymously follow people on the fediverse. No big deal you think? Your public posts are probably already anonymously viewable from your public profile anyways and all it is doing is aggregating public info? That is what its creator claims---it is just a convenience service!

Well no, it is more concerning than that. It does this aggregation by following any account a mastinator user types into its service, then replicating *all* your non-DM posts into a sort of "proxy inbox" in the mastinator.com domain that is completely out of your control and viewable by everyone!

In other words, if you are followed by mastinator.com it effectively turns your follower-only posts into public posts and lets people you have blocked keep following you by following the mastinator replica of your posts!

Innocent intentions or not this violates user consent.

@msh

A heads up to @wild1145 for @mastodonapp.uk instance would you be kind enough to look into this please?

Thanks

Edit: I have already been followed by them and have personally blocked the user and the domain for myself.

@anomnomnomaly @msh @wild1145 question: as a user, how do I block a domain?

@GrantBuote @msh @wild1145

For me, it was when the [email protected] account followed me and I simply clicked on the 3 dots and selected block domain and then block user.

So I guess you'd need to find the user from that domain

@GrantBuote @anomnomnomaly @msh @wild1145 Grant: I was able to block the domain as a user by searching for anyone on that domain, and then using three dots on their profile to block the entire server.

@msh I'm not really well versed in ActivityPub etc, but I assume mastinator does not follow the actual account but rather scrapes the public feed (through an api or not).

So I have a few questions:

1) what would a block accomplish? That wouldn't block a scraper from accessing public data?

2) Blocking scrapers is hard and easily circumvented, but are there ip lists?

3) Shouldn't follower-only posts not appear in public feeds? Is it a courtesy feature of the client to not show these?

Aral Balkan (@[email protected])

#fediblock #mastinator A site called Mastinator (https://mastinator.com) has started aggregating and republishing toots without permission. It creates accounts with your handle and follows you to get your toots (e.g., @[email protected], which, just to make clear, is not me).

@aral @msh Ok so if you don’t accept the follow (or block it), it will stop aggregating? Well at least that’s something…

Of course it’s still shit and it will undoubtedly keep content that a user deletes.

@h5e Yep. Apparently it’s ephemeral, though, and the database exists only in RAM (so it’s wiped when the server is restarted). But yes, still… I don’t want random bots (with my name on them, much less) following me and aggregating my posts without my permission :)

@msh

@aral @h5e @msh manually approving followers can prevent this then. This is why I don't like follower-only posts compared to something more fine-grained like circles, because it's all-or-nothing right now.

@opal requiring follow requests to be manually approved can help yes, but since auto approval is the default in masto most people don't do that hence the warning.

Circles/channels would be handy yeah. I think some devs are looking at implementing them (or already have) in masto forks and other federated apps at least but regular mastodon doesn't.

@aral @h5e

@msh just use the RSS functionality ffs, why do people keep making things like that

@Yuvalne @msh because RSS won't let you see follower-only posts, and this crap will.

@rysiek @msh
ah, so the intended purpose is to make private posts public and violate the will of the poster. Cool, cool, cool.

@Yuvalne @msh I don't know if that is the intended purpose, but it's a possible use and the author of this tool refuses to acknowledge that that's a problem. So… 🤷‍♀️

@rysiek @Yuvalne @msh RSS could be improved to include follower-only posts, of course.

@msh I had just gotten followed by the "everyone" account and was suspicious so I blocked the account. Now doing a full ban.

@msh ping @freemo - does this warrant a block for qoto?

@VoxDei

Hmm, possibly... I need to discuss with mods and investigate how the site works to confirm the accusation... But the way it is described is concerning yes.

@msh

@msh I just had it follow me this morning....and I blocked the domain. 😉

@msh being done by twitter already. People I don't follow are being fed into my timeline simply by being associated with followers who do follow that poster. That whole business is misleading as people estimate my persona by reading through a few of the posts in the timeline. I don't want to be a subscriber or purveyor of misinformation nor be used as a tool of the other side.

@msh, thanks! While I understand this can be problematic for many, I appreciate a free archival and search service for my own toots, so I'm trying to get them to follow me.

@tero @msh It's not archival. It doesn't keep any of the messages. They exist in server memory only, and are purged automatically to make room for new posts.

@tero according to the author, it only stores data in memory, so it will be erased on restart. I'm struggling to see any use on that service apart from being a proof of concept that stresses the ability to scrape ActivityPub data. In the long run, could be just someone trying to cash in on other people's data.
@msh
@msh
Is the server/domain block a solution here?
IMO not really.
Maybe better (if it is possible) is to:
- mark accounts of this service as BOT
- ask users for permission to be followed by this BOT

@msh
This is why I don't like terms such as "follower only", which imply a limited audience has access, when actually it is effectively advisory-only.

Anything that intends to limit an audience should involve cryptography and allow direct control over who makes up that audience. That said, anything that intends to limit an audience will always be advisory, as anyone could reply / forward / etc. Quote Tweets exist because people were already copying & pasting, eg.

@wpalmer @msh Okay but it /is/ followers-only if you lock your account so you can reject follow requests, like we do.

going "oh you have no privacy we shouldn't even try!" is, nah no thanks we're not here for that.

(on a technical level your followers-only posts are only sent to instances where someone follows you, IIRC, so rejecting the follow actually IS a defense; even if it wasn't, that's not a reason to just go "oh Everything Is Public haha enjoy having no privacy")
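The delivery rule described in this reply, worked through as an added example (not code from the thread or from Mastodon): a followers-only post is delivered only to instances hosting an accepted follower, so the set of receiving instances can be audited from a follower list, and removing or rejecting a follow from a replicating domain removes that domain from the audience. The follower list below is constructed in the shape of a Mastodon `/api/v1/accounts/:id/followers` response (only the `acct` field is used); the local domain and the account names are assumed sample values.

```python
# Added example: audit which instances receive a followers-only post.
# Mastodon "acct" convention: "user@domain" for remote accounts, bare "user"
# for accounts on the local instance.

# Constructed sample data (not real accounts); the last entry stands in for a
# replicating follower such as the "everyone" account mentioned in the thread.
LOCAL_DOMAIN = "home.example"
SAMPLE_FOLLOWERS = [
    {"acct": "alice"},
    {"acct": "bob@example.social"},
    {"acct": "carol@example.social"},
    {"acct": "everyone@mastinator.com"},
]


def follower_domain(acct: str, local_domain: str) -> str:
    """Instance domain that will receive deliveries for this follower."""
    return acct.split("@", 1)[1].lower() if "@" in acct else local_domain.lower()


def private_audience(followers: list, local_domain: str) -> set:
    """Instances that get a copy of a followers-only ('private') post:
    one delivery per instance hosting at least one accepted follower."""
    return {follower_domain(f["acct"], local_domain) for f in followers}


def leaking_followers(followers: list, blocklist: list, local_domain: str) -> list:
    """Followers whose instance is on a domain blocklist. Rejecting or removing
    these follows (or a server-level domain block) is what stops followers-only
    posts from being delivered to that domain."""
    blocked = {d.lower() for d in blocklist}
    return sorted(f["acct"] for f in followers
                  if follower_domain(f["acct"], local_domain) in blocked)


def without_domain(followers: list, domain: str, local_domain: str) -> list:
    """Follower list after every follow from `domain` has been removed."""
    return [f for f in followers
            if follower_domain(f["acct"], local_domain) != domain.lower()]


if __name__ == "__main__":
    print("audience before:", sorted(private_audience(SAMPLE_FOLLOWERS, LOCAL_DOMAIN)))
    print("leaking follows:", leaking_followers(SAMPLE_FOLLOWERS, ["mastinator.com"], LOCAL_DOMAIN))
    cleaned = without_domain(SAMPLE_FOLLOWERS, "mastinator.com", LOCAL_DOMAIN)
    print("audience after: ", sorted(private_audience(cleaned, LOCAL_DOMAIN)))
```

Public and unlisted posts are outside this check: they can be fetched by any instance regardless of follows, which is why the thread treats only followers-only posts as the consent problem.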

@frostwolf @msh it still requires trust in server owners, and every single follower. If something requires trust in every follower, I'd prefer to be able to limit the audience of my posts to only those followers I've vetted (without forbidding casual follows). I'm not just throwing my hands up and saying "no point in trying, then." I'm saying that there are important missing features which I'd like to see added, because the current method is not robust.

@wpalmer @msh Yeah, there really needs to be multiple groups or something you can define who sees a given post. Or at least separating the concept of "follows" with "is friend" (useful in both directions, we've had friends unfollow us because we post a lot).

Personally I'd still want to approve both types of requests. But I'd approve a lot more if I could do that without letting them into my private posts.

@frostwolf @msh right, that's the kind of thing I'm talking about, though I tend to think in terms of what can be securely implemented and what features those implementations would imply, rather than just in terms of features which would be nice-to-have.
@msh Everything is for sale on the internet. No matter how good an idea it is, doesn't mean it should be done. We all know information is on sale to the highest bidder on the internet. Even if the owner of the page has only good intentions, we learnt where those intentions go as soon as some company has their large check book out. Blocked.

@msh Got followed by them myself a little while ago. If they're picking on a nobody like me, I don't know.

@msh I also added a block on my Cloudflare WAF. I don't want this thing anywhere near my instance.

@msh If anyone can do this by following his recipe -- and he was just screwing around himself -- seems more like he's exposed some serious bugs in the API, which ought to be fixed?

@msh @dump_stack is this at all concerning?

@msh why do people continually try to force everyone to use the fediverse the way they want us to? The disregard for user autonomy is infuriating and exhausting.

@msh Is there a way to subscribe to someone's public toots in my feed, without becoming a follower and getting follower access and potentially not meeting someone's non-machine-readable follow requirements? Maybe without reply buttons? Keeping the toots themselves public but the right to notice them tightly controlled severely limits the extent to which an instance can be the agent of its local users. Building in some kind of subscribe-only half-follow would suck up the oxygen for workarounds.

@msh @ralf is this something worth looking at for home.social?

@msh Not quite sure what the fuss is about here. You could make an alt on just about any other fedi instance to bypass blocks, and unless you have protected followers enabled, 'follower-only' posts are public by nature, being that *anyone* can follow you to begin with.

@msh @stux is this a concern to look into?