Andre

@michael I'm thinking in terms of privilege separation. I don't log in with a privileged account except to perform a specific task that requires that elevated level of access.

6 comments
Michael

@PCOWandre so you don’t check on your moderation queue regularly?

Andre

@michael I get emailed if someone raises a report and I get emailed when new users are created. Neither event happens that often.

Michael

@PCOWandre imo (and you are obviously free to disagree) you should give your daily user mod privileges then.

The problem with this spam wave was the large number of servers with open registrations who didn’t have mods around.

And it’s not like anything too onerous happens in your case: you’d just have your server switched to requiring confirmation of new users. If you respond to new user and new report emails quickly, approving new users quickly shouldn’t be a problem either.

Again, just my opinion …

Andre

@michael And we're back again to ignoring decades of good security habits -- don't log in as root, don't open your entire domain to ransomware by using a domain admin account for general use, etc.

*shrug*

Old school vs new school approaches, perhaps.

Michael

@PCOWandre you can be a moderator without being admin.

Andre

@michael Yes, I know.

A purloined moderator account could be used to crush an instance very quickly. Scripts to report every post then take a moderator action on every post, as an example.

We're not seeing much in the way of real attacks on Mastodon yet because there's not enough in it. The stakes are still too low. That's going to change over time.

I'm old and cranky and think if we consider security first and convenience second we'll get a better long-term outcome. I don't want to see an instance incinerated because of a preventable condition; I also have no idea what happens when one restores a Masto database from backup in terms of resuming federated operations with a day of lost data. The whole thing sounds very messy.