hardening mastodon against scraping
i should add: go bug Eugen to turn secure mode on by default, and give users more options to hide their web profiles, because this is fucking ridiculous
fellow masto instance admins of the fediverse:
by default, mastodon is leaky as fuck and there are a bunch of ways that data can be scraped and indexed from a mastodon instance
there are a few steps you can take to harden your instance against this; since there's an ongoing harassment campaign against trans masto users, now is a good time to review this
the following is not exhaustive, but it's a good start
1. Enable 'Secure Mode' on your instance. Without secure mode turned on, any of the activitypub endpoints of your instance can be scraped without http authentication -- this includes user profiles and users' public posts. This makes it ***absolutely trivial*** for a scripter to scrape all of the profiles of your instance denizens and look for keywords.
From the mastodon docs: 'When secure mode is enabled, all GET requests require HTTP signatures as well.'
It's insane to me that this isn't enabled by default. To enable it, see the 'AUTHORIZED_FETCH' parameter here: https://docs.joinmastodon.org/admin/config/#basic
This makes it more complicated to scrape, since scraping traffic now has to come from an instance that uses http signatures, and not just from some random asshole's computer.
2. Toggle some config options in preferences => administration => site settings. Here you can turn off the profile directory, disallow unauthenticated access to public pages, etc. See the screenshot below this post for the settings I use. You can make up your own mind about how strict you want to be here, but I think turning off the profile directory and the public timeline is a great idea.
3. Recommend your users disable DMs from people they don't follow. This is under preferences => notifications.
Any stuff I've missed, stuff you'd like to add, feel free to reply to this post.
Thanks for reading!
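A quick way to confirm the first two steps actually took effect is to probe your own instance the way an unauthenticated client would. The script below is an added example, not a Mastodon tool or anything from the original post: it does an unsigned GET of an actor's ActivityPub document (which Mastodon answers with 401 once AUTHORIZED_FETCH is on) and of the profile directory API (which Mastodon answers with 404 once the directory is disabled in site settings). The domain `example.social` and the username `admin` are placeholders; pass your own on the command line.

```python
"""Audit a Mastodon instance's exposure to unauthenticated scraping.

Added example, not from the original post. It probes the two settings the
post talks about: whether ActivityPub GETs require HTTP signatures
(AUTHORIZED_FETCH, 'secure mode') and whether the profile directory is
reachable without a login. Domain and username below are placeholders.
"""
import urllib.error
import urllib.request

# Accept header that asks for the ActivityPub representation of an actor.
AP_ACCEPT = "application/activity+json"


def fetch_status(url: str, accept: str = AP_ACCEPT, timeout: float = 10.0) -> int:
    """GET url with no HTTP signature and no login; return the status code."""
    req = urllib.request.Request(
        url, headers={"Accept": accept, "User-Agent": "masto-hardening-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict_actor(status: int) -> str:
    """Interpret an unsigned GET of /users/<name>.

    With AUTHORIZED_FETCH=true Mastodon rejects unsigned ActivityPub
    requests with 401; without it the full actor document is served.
    """
    if status == 401:
        return "ok: unsigned ActivityPub fetch rejected (secure mode on)"
    if status == 200:
        return "EXPOSED: actor served without an HTTP signature (secure mode off)"
    return f"unclear: status {status}"


def verdict_directory(status: int) -> str:
    """Interpret an unauthenticated GET of /api/v1/directory.

    Mastodon answers 404 when the profile directory is turned off in
    site settings, and 200 with a list of accounts when it is on.
    """
    if status == 404:
        return "ok: profile directory disabled"
    if status == 200:
        return "EXPOSED: profile directory lists accounts to anyone"
    return f"unclear: status {status}"


def audit(statuses: dict) -> dict:
    """Map raw status codes to verdicts; pure, so it can be checked offline."""
    return {
        "actor": verdict_actor(statuses["actor"]),
        "directory": verdict_directory(statuses["directory"]),
    }


def is_hardened(statuses: dict) -> bool:
    """True only when both checks come back the way a hardened instance answers."""
    return statuses["actor"] == 401 and statuses["directory"] == 404


def probe(domain: str, username: str) -> dict:
    """Collect status codes from a live instance (needs network access)."""
    return {
        "actor": fetch_status(f"https://{domain}/users/{username}"),
        "directory": fetch_status(
            f"https://{domain}/api/v1/directory?limit=1", accept="application/json"
        ),
    }


if __name__ == "__main__":
    import sys

    domain = sys.argv[1] if len(sys.argv) > 1 else "example.social"  # placeholder
    user = sys.argv[2] if len(sys.argv) > 2 else "admin"  # placeholder
    results = probe(domain, user)
    for name, text in audit(results).items():
        print(f"{name:10} {results[name]:>3}  {text}")
    sys.exit(0 if is_hardened(results) else 1)
```

Run it as `python3 check.py your.instance yourname` from a machine that is not one of your own servers; a non-zero exit means at least one of the two endpoints still answers an anonymous client. The verdict functions are kept separate from the network call so the expectations (401 for the actor, 404 for the directory) can be reviewed and tested without touching a live instance.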
proposed experiment to mess with the transphobic harassment scraper
We've been discussing how the transphobic spammers are finding targets and a current hypothesis is that they're using a scraper to find the string "trans" in people's bios. For instance it seems I got on the list for having "translator" in my bio.
So if you want to try and prove or disprove this hypothesis and possibly mess up their scraper, I suggest putting the word "trans" somewhere in your bio. Since it's easier to adapt the scraper to get around trans being part of a word (like "translator" or "transistor"), it might be helpful to add both the words "trans" and "transgender." Example sentences:
"I support transgender rights. Trans rights = human rights."
"I may not be trans but transgender hating script kiddies are too incompetent to tell the difference."
Obviously do this ONLY if you're okay with potentially getting on the trans list. If you don't want to receive spam I suggest turning off DMs and notifs from accounts you don't follow.
If we can't stop the harassment at its source yet, we might be able to dilute or grow the list past usefulness, and hide our trans friends through sheer numbers so they can't be as easily singled out.
listen to the new Qrion album y'all it's great https://youtube.com/playlist?list=OLAK5uy_mpW8k5f2tZKK86KKaXA1-HP0bgn_publg
Sub Focus & Alice Gold — Out the blue
https://www.youtube.com/watch?v=tQQVgZhGc2M
Love is a potion
Mixed up by careless fools
And it takes two
And it takes two
Love isn't certain
It comes right out the blue
And when she casts her spell,
There's nothing you can do
food
I really suck at cooking rice normally (in small quantities at least, somehow when I did for 30 people it went just fine lol). But the rice cooker makes it super easy and it's great rice so this motivates me for cooking so much more
⚠️ READ BEFORE FOLLOWING ⚠️
if i don't know you from elsewhere (under same nick), shoot me an introductory DM first (following back is fine)
I do anarchist tech stuff and run free services at https://pixie.town
I program, solder rgb led thingies, and fly fpv quadcopters
en: they/them
nl: die/dies (langzaldieleven.nl)
“i don't trust like that”
not a furry, actually
Extreme coffee-out-of-a-wineglass Energy
something something trans list stop scraping bios
and now a word from our sponsors (screenreader warning it's zalgo)
T̀ͧ̓̑͐̓̍̂̏҉̴̷͚̦̤͙̜̖͙̝͟ợ̵͈̗̮̲̥͕̼̩̭̞̙͉̆ͮͧ̉̒́̑̍̋ͭ̌ͭ̒̉́̕͟ ̐̅̈́ͯ҉̸̴҉̹̟͕̖̠̟̤͕į̸̙̮͓̤̠̘̫̦̥̣̻͚̣̎ͭͯ̋̉͝n̔̄̏̈́̃̇͛̂̋̇̐́͘͝҉͙͔̠͇̖̤̹̭̱̪v̴̴̛̘̠̰̹͚̱͉̳̘̥̞̳̪͈ͥͭ̅ͥͦ̀͛̔̃̃̎͋̋̎͐͌ͪ̚͟͢ͅö́́̎ͬ̔͑̆̃̅̒̿ͪͯ̓͏̞̱̜͍̬̗̹̫̝̪͓͕̳̬̰͘͝kͥ̒ͣͦ̌͛̃͒̀̿ͣͪͤͬ̍ͮ̚̚̕͝҉̹̰̟̰̻̻͍̠̗̳̬̬̬̞̟̹̩͇́͜ẹ̴̡̨̱̹͍̯̱̗̗͍̬̐ͣ̑͑̐̓̈̑ͥ̅́̇̃͒̀̃̂́ ̨̛͖̬͇̣͔̼̥̬̝̥̣̭̝̪͎͈̌̅͆̉̀͘͜ͅẗ́̄͊̌̍̆́̿́̊ͣͮ̅ͥͩ̔̏͏̧̳͎̥͈ͅh̴̴͇̻ͧ̍̐̈͐̎͛́̀̽̃̒̔͢͢ȩ̸̶̶̟̗̮̺̭̥͕̭͎̺̙͎̖͔ͪ̑͛̓̅ͪ̄́ͧ͡ͅ ̡̧͇̤͚̻̬͉͔̥̫̟̙ͮͩ͌̿́̆͋͜h̵̨̭̰͎̭̱͊͒́͒͆̎ͮ̈́̆ͪͧ̚͞î̛̦̞͓͖̭͈̮͔̩͙̱̖̞̳̥̦̩ͭ̂̏͒ͨ̃̿̽̓͑ͫ̕͝͡vͧ͋ͪ̌̂̑́͌̂̒͑ͮ̋̂ͫ̈́҉̹͜͢ȩ̡̖̯̞̺̭̗͔͇̻̤̼͈̙̞͉͙̈ͤ͊ͨ̀̆͆͒̓̄̿ͭ̃̚͜͝͡-̶̪̪̠̝̜̯̜̹̭̯͎͍̲̱͉ͪ̏͒̊ͫ̀̈͘͡m̸̪̘͙̰͚̗̳͕̟̖̿̌͐̔̐̈̽̃ͯ̅͢ͅͅi̸̷̧̛͍̝̦̫̮̤̐͑͗̏ͬn̡̨͆ͩͤͫ̔̈́̈́͊͐̂͛̀̚͞҉̜͍̝̰̱͚̜̹̞̝̞͈d̢̫͕͚͕̥̰̝͆͗́ͨ͑̈́̓͜ ̡̩̜͎̳͎͂̓ͫͭ͐̀͡ȑ̷ͭ̑ͪͭ͋͢͏͕̳̟͜ͅͅe̴͌̅ͣ̾͒̔́̊̔ͭ̅̄̇͏͎͉͈̤̙p̀ͥ̈ͨͩ͛ͥͣ͗̄̈́̚҉̢͔͉͍̹̮͉̺r̵̸̡̩͎̱̟̺̟̞͈̯̯̪̹͂́ͣ̐͑̒̒̀ͧͩ̿ͮ̕͞ě̵̡̱͈̜̯̳͍̝̦̜̫͈̜̗̘̪̪̓͆͑͋ͮͯͪ̅̂͐̔̆̃ͫ͑̾͒͢ͅş̶͓͉͚̜̪̜͓̘̻̃̔ͨ́̀ͅẻ̵͇͈̮̝̠͖͍̫͉͓̪̠͔̬͕͛̊͐̎̓̽ͫ̌ͧ̅̿́͘n̛͚̺͈͍̰͉͙̤̘̺͖͉̤͖̈͑͑̍̅ͪ̎͂́ͦ̒ͣ̋̆̄̄̍̃̊͟t̵̛͙͚̥͇̫̻̞͖͕̰͈̩̰̱͉ͣ̃ͫ̋̍̈ͥ͗̎ͭ͋͜i̵̡̤͇̣̰̦̟̭̮̩̲͔̭̟̖̹̙ͥ̆̋ͫ̓͌̒̾̍̄̾̎̂͂̏̇ͩ̚͢n̶̮̹̤̻͈̙͔͎̦̟ͫ̀͌͛̋̌̽̀̓̂̕g̷̣͖̠̩͈̲̥͍̦̘̺̏̍͛͋̎͛͒ͪ̇ͮ͠͝ ͦ͂́̿͐̅̌̊̌̉̍̀҉҉͈͖̮̩͎̮̬͖c͖̬̠̫̠̫̗̉̾͋͒̏̄̈́ͬ̊̓͘͝h̴̷̨͉͖̱̗̪̣͕̮͓͕̺͖͈͙̥̬͓̟ͣ̏̀͐̀́̍ͪ̋͒͐ͪ͐́̕a͍͈͉͎̥̠͍͛ͭ͛̃ͫ͒͋́͟ö͙̻͔̙͖̰́̋̑́͜s̶̸̫̖̫͇̣̻̺̹͔ͧ͐̂̈́ͮ͋̌͠.̰̯̞͎̗̺̠͔̫͍̖ͮͦ̒̏̈̾ͭͧ̉͘͢͠