Przejdź do głównej zawartości

Would really love to get end to end encryption for DMs at the very least
Is there any guide of best practices for single-user instance operators wanting to avoid unnecessary legal liability?
 
I missed this when it happened. I'm sharing the original announcement for anyone else who wants to read it too. https://kolektiva.social/@admin/110637031574056150

🚨 Kolektiva.social SECURITY ALERT 🚨

This is an alert for Kolektiva.social users. Please read this post in its entirety!

In mid-May 2023, the home of one of Kolektiva.social's admins was raided, and all their electronics were seized by the FBI. The raid was part of an investigation into a local protest. Kolektiva was neither a subject nor target of this investigation. Today, that admin was charged in relation to their alleged participation in this protest.

Unfortunately, at the time of the raid, our admin was troubleshooting an issue and working with a backup copy of the Kolektiva.social database. This backup, dated from the first week of May 2023, was in an *unencrypted* state when the raid occurred and it was seized, along with everything else.

The database is the heart of a Mastodon server. A database copy such as the one seized may include any of the following user data, in this case up to date as of early May 2023:

- User account information like the e-mail address associated with your account, your followers and follows, etc.
- All your posts: public, unlisted, followers-only, *and direct ("DMs")*.
- Possibly IP addresses associated with your account - IP addresses on Kolektiva.social are logged for 3 days and then deleted, so IP addresses from any logins in the 3 days prior to the database backup date would be included.
- A hashed ("encrypted") version of your password.

🚨 👉 As a precaution we highly recommend that all users on Kolektiva.social *change their password immediately* to a new, unique, and strong password.

We sincerely apologize to all our users and regret this breach. In hindsight, it was obviously a mistake to leave a copy of the database in an unencrypted state. Unfortunately, what would otherwise have been a small mistake happened to coincide with a raid, due to bad luck and spectacularly bad timing.

We understand that our users and other people on the Fediverse will have a lot of questions. We will try to answer them as best we can, but please be patient and bear in mind that we may be overwhelmed with messages, and may be delayed in responding or unable to provide answers to certain questions for legal or technical reasons. As a security culture reminder, it can be extremely harmful to the individuals charged and to our community to openly speculate on the Internet about alleged criminal activity or about what law enforcement may be able to do with seized data. Our present awareness is that the seized Kolektiva data is unrelated to the federal investigation and prosecution and we are exploring legal avenues to have the seized data returned and copies destroyed.

Thank you for your understanding and solidarity :black_sparkling_heart:

👇 Please see our replies to this post for additional information (1/?) 👇

Agreed, but we should also be glad that we’re not on one mega-platform. If they shut down one instance it doesn’t shut down the whole Fediverse network. That’s resilience in a nutshell.
Do not underestimate this CSAM matter. As the recent attention from Facebook/Threads illustrates, big tech is starting to wake up to the danger the Fediverse represents to their regime of surveillance capitalism. The ostensible justification for attacking the Fediverse in the name of "rooting out child pornography" is a threat we need to take seriously.
@Mastodon Migration @Electronic Frontier Foundation Yes we need to take this seriously, but not in the way that big-korpo would like to push on us - that is, connecting to their API , which will scan all our images.
Since such APIs for scanning #CSAM will never be open and free (so that criminals can not "test" materials before publication) then the only option is a decent #moderation #fediverse. But decent means actually manually reviewing all photo/video material published on the servers. And this, in turn, indicates that instances should be no more than real moderation capabilities. Such manual moderation does not seem realistic on instances with tens-hundreds of thousands of accounts.
@miklo You have nicely summarized the problem. One of the most often proffered "solutions" is to hook up to Microsoft PhotoDNA. Which is... from Microsoft.
come and raid my server FBI! i dare you! you can claw my furries posts out of my cold dead hands
My girlfriend Leila was one of the first employees in Mitch and Mike's Cambridge office back in the day.
Not sure it was a paid position, but she got a job recommendation letter from Mitch Kapor, which is nice.
One of the best investments I ever made. Too bad the girlfriend thing did not work out...
Under civil forfeiture, American cops are incentivised to steal as much valuable electronics as they can. Untill there's reform of the civil forfeiture rules, overly broad seizures of potentially fenceable property are unlikely to decline.
I don't think it says in the article, but somewhere else someone mentiomed that the important thing is: don't be an activist and run a server....