Michał "rysiek" Woźniak · 🇺🇦

Update: we seem to be unblocked. Thank you all!

Last night, the website of Reykjavík , Hakkavélin, got flagged by Google's "Safe Browsing" as "deceptive":
mstdn.social/@rysiek/110166076

The site is now unblocked. 🎉

But our login page is still blocked:
bob.hakkavelin.is/yunohost/sso/ 🤦‍♀️

We would really appreciate help with reporting this also as incorrect. You can do this here, and it takes less than a minute:
safebrowsing.google.com/safebr


Side note: I am wondering how best to highlight this as a clear example of anti-competitive behavior on part of Google.

Our Yunohost hosts e-mail, , other services that can be seen as "competing" (not in scale, but in function) with some Google services.

Google flagging @yunohost login pages as "deceptive" makes it considerably harder to self-host.

And it doesn't matter if it is on purpose or accidental. Google has the resources to not make such "mistakes".

@rysiek Would blocking Google & other search engines from crawling your admin log-in URLs mitigate that issue? Or put a file system password on it?

@adam no clue. Also beside the point. I should not have to go out of my way to stop Google from mis-categorizing my site as malware.

@rysiek Yes, of course. I was just trying to think of a way around it.

@adam fair.

Any such mitigation potentially adds complexity and friction to the user experience. This is not my personal server (where I would just put it behind a WireGuard tunnel), but a set of services that are supposed to be useful for a bunch of people.

@rysiek
Gotta love the double standard:
ads with malware? Go ahead, completely safe!
a website for a Hackerspace? Fuck you, dangerous!

@RedstoneLP2, it's in the name. HACKERspace - obviously suspicious :blobcheeky:

I wonder what would happen if you had Google Ads on it too though. Would the two things negate each other? :blobthinking:

@rysiek

@rysiek So much "anti-abuse" stuff doubles as a barrier to entry.

So, so, much. The e-mail ecosystem has been completely hijacked by this to the point that admins just think it's normal.

Every time the big guys "raise the bar" on anything related to security, they kill off a few independents. Shrugged off as collateral damage for the greater good.

The dynamic is obvious enough, and has been understood long enough, that I don't think they can feign innocence anymore.

@rysiek I hate the whole thing... but there IS a legitimate debate to be had there.

Is this an inevitable consequence of the industry growing up and being more responsible about security? Or is this gratuitous and unnecessary?

Is there such a thing as "secure enough", or do we keep ratcheting upwards until nobody can host anything online without a dedicated 24/7 admin team?

@HerraBRE the legitimate debate is about who should host and control these kinds of tools.

Google doing both hosting of certain types of services, and deciding to block other sites hosting these kinds of services, is simply not acceptable.

@rysiek @HerraBRE

#BreakUpTheGoogles
(also, whatever happened to breaking up Microsoft -- that was a thing they were seriously talking about awhile back, and then it just kind of... went away.)

@rysiek @HerraBRE

They "settled" for allowing MS to modify some of its business practices. It should still be broken up.

@HerraBRE yeah, and it's particularly stark in situations like this, or like with e-mail, where Googles and Microsofts of this world are *clearly* not held to the same standard as some random microscopic Yunohost-based services hosting.

Google gets queasy about the h-word on our site, and bam, full block on domain and subdomains, fuck you very much.

But when I flag a bunch of phishing or malicious e-mails *hosted on Google Sites* or other Google services? Nah, can't have google.com blocked! 🤔

@rysiek @HerraBRE the absolute majority of SPAM I get comes from both of their core email products or servers hosted on their cloud. For the former, all the emails are literally the same.

Any independent operator can (and must or face the wrath of GAFAM) stop that easily, whereas these pricks are like "Free bitcoin, sounds great, send it".

MS even made it impossible to report SPAM for a while (a few months), because they could and still can

@kc @rysiek In my experience (as the author of a mail client), at-the-client statistical content analysis performs well enough that we don't actually need blacklists at all.

Of course, lots of clients do a bad job, and users expect admins to solve the issue even if it's best solved elsewhere.

I know why it happens, but I consider blacklists a 2nd rate solution with a lot of collateral damage. I wish they would go away.

@HerraBRE, as a user who through years trained their own spam (bogo)filter, I wholeheartedly agree.

Spam filtering should be addressed client-side (or at least user-based)!

@kc @rysiek

@hook @HerraBRE @kc @rysiek So I, the client, am expected to pick through and dispose of more than 5 spam emails a day in my Outlook priority inbox, and discern whether they are junk or phishing? Frankly, that sucks (even tho I did get an invite to join the Illuminati recently).

@wndlb @hook @HerraBRE @kc not you the client, your e-mail client, the software.

And yes, this is way more reasonable than global blocklists managed by shady, unaccountable entities.

@wndlb, no. But essentially you apply machine learning locally on your computer tailored to you.

Initially it takes some time to mark what's ham and spam, but soon it starts to just work.

At this stage my bogofilter is more accurate than Gmail's for my use case and requires less intervention too.

@HerraBRE @kc @rysiek

@hook @HerraBRE @kc @rysiek I've self-hosted mail servers since the early 2000s.

No. Client side sucks. It only works for clients on powerful computers. Your android cannot train spamfilters, nor handle the amount of emails needed for that. It requires each access point to retrain. Webmail, mobile, desktop: all need to train and keep learning. At best a waste, but commonly just expensive.

A serverside bogofilter or SpamAssassin solves all that.

@berkes, your phone is very likely much more powerful than my previous laptop that I used to train my bogofilter anti-spam on. In any case you could also just have the phone just use, not train, the filter.

With all the internet traffic, what’s the problem of syncing the bogofilter wordlist.db between your computer(s) and mobile device(s)? Mine’s 35 MB and I have been using/training it for about a decade.

@HerraBRE @kc @rysiek

@hook which client for Android has support for such a filter? Which mobile client pulls all mail client side? (And if there are any, which I doubt, how terrible is their battery time?)

Why not just run a single filter on a server and have all clients use that?

@berkes, might be more efficient, I agree. But in that case it should be a filter *per user* (and making sure the privacy of users is also protected).

@hook @berkes Maia Mail Guard (FOSS) used to provide this (but the project seems to have died silently) and similarly commercial solutions, such as from Messagelabs/Symantec.

It worked very fine, especially for power users with a lot of (junk-)mail and multiple entry points/devices. Privacy wasn’t a concern at the time as it ran on the mailserver itself (and/or was run by the provider).

The problem was with regular users finding a separate webpage/login too much hassle, not using it.

@berkes @hook Without getting bogged down in details, there are solutions. They have pros and cons. We could, collectively, be addressing the cons if we wanted to.

But people have kinda just given up and accepted centralized, unaccountable censorship as an easy out, so it's not really happening.

I think that's a shame!

(Running it on a server might be fine, but if it runs on the client, privacy is improved and the user interface can be much nicer; the filter can learn from your behavior.)

@HerraBRE if things are doable and work already on a small sample, but improve with scale, I’d say we can probably rally up some hackerspaces etc. as early adopters.

I see people slowly becoming (sometimes painfully) aware of the privacy etc. issues that the current laissez-faire approach towards profiling companies brought.

@berkes @rysiek

@rysiek (Not to mention that this isn't like "just stop using Google / Chrome". #Mozilla #Firefox includes this damn "Safe browsing" by default)

@yunohost yup. The screenshot in the other thread is in fact from Firefox.

@rysiek
At some point there needs to be a class action suit for defamation.

@jpaul years ago a big PL telco, , had a major leak, which unfortunately also included my personal data (I used to be a customer).

They then published a page explaining that they were "hacked" and that "hackers" came into possession of personal data, and so on.

I e-mailed them, using my address that was leaked — in a domain containing the word "hacker"! — and said that if they immediately change the wording to stop slandering hackers I will consider not suing the shit out of them.

They did.

@jpaul tbh I still should have sued the shit out of them. 🤷‍♀️

@rysiek @AstaMcCarthy

Full ack, exactly this is important.
When Elmo was censoring mastodon links and journos, we reported it in bulk with a volunteer lawyer.
This was digitalcourage.social/@sl007/1 ff
and today I clearly think, Elmo is a case for §102 TFEU which is “Abuse of dominant power” within the “Treaty on the functioning of the European Union”.
Otherwise it will just stop functioning. :)

digitalcourage.social: Sebastian Lasse (@sl007@digitalcourage.social)

Everybody! Esteemed #Fediverse “Twit” blocks accounts of journalists and competitors. We are fully aware of the #mastodon bans at Elmo. As elected Policy Lead for #ActivityPub I have expressed my deepest concerns and strong protest in a Telephone Call with the Assistant to @EC_Commissioner_Vestager@social.network.europa.eu this morning. #EU It was promised that it will be communicated directly to @vestager@respublicae.eu If you are an EU Citizen, please contact your elected Official or the Commissioners Breton and Vestager.

[EN] https://www.nytimes.com/2022/12/15/technology/twitter-suspends-journalist-accounts-elon-musk.html
[DE] https://www.sueddeutsche.de/wirtschaft/elon-musk-twitter-sperrt-konten-journalisten-mastodon-1.5716640

/ cc Eugen Rochko, mastodon @Gargron@mastodon.social Drew Harwell, Washington Post @drewharwell@mastodon.social Donie O’Sullivan, CNN @donieosullivan@mastodon.ie Steve Herman, VOA @w7voa@journa.host Micah Lee, Intercept @micahflee@infosec.exchange Tony Webster @tony@mastodon.tonywebster.com Matt Binder, Mashable @MattBinder@mastodon.social #PressFreedom #HumanRights #netblocks #musk #twitter #censorship

@sl007 @AstaMcCarthy ah it's not going to work for us, as is not in the EU (even though it's in EEA and Schengen). :sadcat1:

@sl007 sadly no, that was before I had moved here.

@AstaMcCarthy