Mastodon: Dated and broken by design

The past month has been interesting to observe in the fediverse. In just this month alone, many not-so-great things have happened.

This is just what has HAPPENED this month alone, along with two instances in the “free speech” sphere going down: freespeechextremist and the longtime instance from the GNU Social days, shitposter.club.

In other words, Musk Always Wins. Many users online dealing with this are one step closer to saying “fuck this I’m going back to Twitter”. I don’t have some ironic Elon Musk AMV, so this will have to do:

But now, let’s talk about the latest thing to rock the fediverse: the Japanese skid spam attack. Essentially the Japanese side of the fediverse for a while now has been something hard to ignore, with Misskey and its group of forks (be it the now dead Calckey/Firefish, or newer ones like Icefish, Sharkey, and the like) becoming one of the leading forces on the fediverse. I wouldn’t be shocked if Misskey and fork instances had more users overall given the sheer strength of misskey.io. Anyhow, as something gets big enough, the chance that some 12-year-old skids are going to hammer it increases. “It can never happen here” is a bad mindset to have, I learned that when I left the Wi-Fi router open ages ago and I had to tell mom the ISP letter she got for downloading some “porno parody” of Spider-Man was from someone else. This is no exception on the fediverse, as instances get big, and feuds devolve into angry kids banned from an instance exploiting it or other instances.

On top of that, with how globalized the world has gotten thanks to technology and the American hegemony, many of the same issues that pop up in the USA will inevitably pop up there. In America, Discord drama whores and skids are associated with the platform (due to its “server” (actually guild) model making anyone feel like they’re a powerful message board moderator), and it’s unsurprising that the same behavior would stretch to Japan too. Which is where today’s drama comes into play.

Spam the planet!

As a result of something I’m unaware of due to a language barrier, some Japanese skids on Discord decided to flood the fediverse with both ads for their Discord server and spam. Here’s a screenshot of some of this spam:

A rough Google translation of this spam:

Hello! My name is Akihisa Ito, also known as ap12, and I run the criminal organization “Kuroneko Server”! ! ! Did you know about the person kuroneko6423? Please read it first, whether you are familiar with it or not. The criminal organization “Kuroneko” server that he runs carries out various criminal activities on a daily basis. Among them, the most distinctive one is DDoS attack! kuroneko6423 owns a number of DDoS attack tools, and regularly performs DDoS attacks on a large number of servers and causes them to go down! In addition, we operate VOICEVOX reading bot and VOICEROID reading bot on Discord, and we also collect messages and member information via the bot, passwords sent to the server, and personal information (address) of members participating in the server. , phone numbers, credit card information) and sells them to hackers! In this way, Kuroneko Server is a very good criminal organization that is constantly contributing to society! This reading bot is currently available for free! Why not try introducing it yourself? I have attached a list of bots operated by our organization.

So in other words, it’s deranged internet skid drama. Let’s first talk about who is behind this, at least with my lack of Japanese knowledge (mixed with “too much skid” knowledge). The Discord url goes to a group called ctkpaarr. A pixiv dictionary page compares them to Kiwi Farms, but I don’t remember Kiwi Farms being involved in similar spam attacks online. If anything ctkpaarr seems more like a group of skids than people who just want to laugh at the life and times of a drug addict livestreaming himself circling the drain. If the Pixiv post is true and honest, the behavior seems more like that of deranged Discord/Telegram skids than KF. Also related to this is a post on that forum in Japanese that boils down to “internet skid drama” (some underage kid pissed someone off online) complete with an effort to spam message boards as well. Some fedi posts I found also tried to explain the situation some more. The tl;dr? Skid drama. Allegedly there’s drama with some 12-year-old and he’s being impersonated online and there’s mad skids doing skid things, and that’s all I can make out because a lot of this is very hard to comprehend to anyone outside a certain sphere. All I was able to get from asking a friend who knows the Japanese internet well is that Japanese skids are also in fact out of control and into some of the same zoomer memes.

It’s easy to write off as “who cares” skid drama (because nobody in even the USA version of these parts of the internet cares about ap12 or some Japanese CCP themed Discord server), if not for the fact that it doesn’t stop coming. Initially the spammers loved Misskey, likely due to their familiarity with it and its captcha that can be beaten with an LLM/AI setup. One Misskey instance of this nature was flooded with these spambots. The timeline was nothing but new template spam posts of this nature, tagging different users on different instances with a flood of messages and disposable accounts.

However, lately the spammers have changed their tricks to get past filters and have been targeting Mastodon instances. Many Mastodon instances as of late have been targeted by these spam posts, including many on masto.host. Here’s one such example, a Mastodon instance with only 7 active users being flooded by these messages with the latest format, an image and two tagged users at once:

The owner of the instance left registrations open, and clearly doesn’t understand the risk of it:

An even more blatant example is this masto.host instance, run by an absent account. It’s particularly bad with masto.host because masto.host is one of the few providers out there offering managed Mastodon hosting, for those who think it will take away the nitty gritty moderation issues. But just like how a WordPress blog left abandoned can be a spam vector, the same goes for a Mastodon instance with open registrations that’s left to rot.
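One way to triage a batch of statuses for the pattern just described (throwaway accounts, an image plus two tags on different instances, identical template text across accounts), written as an added example that is not from the original post; the status shape is assumed to mirror Mastodon’s API, and the sample batch is constructed:

```python
"""Heuristics for the template-spam wave above (added example, not from the post).
Assumes Mastodon-style status dicts: account.created_at, mentions[].acct, media_attachments, content."""
import hashlib
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 2, 20, tzinfo=timezone.utc)  # constructed clock for the sample
NEW_ACCOUNT_MAX_AGE = timedelta(days=2)            # throwaway accounts are fresh

def normalize(content: str) -> str:
    """Strip HTML tags, @mentions and whitespace so template copies hash equal."""
    text = re.sub(r"@\S+", "", re.sub(r"<[^>]+>", " ", content))
    return re.sub(r"\s+", " ", text).strip().lower()

def template_key(content: str) -> str:
    return hashlib.sha256(normalize(content).encode()).hexdigest()[:16]

def score_status(status: dict, template_counts: dict) -> list[str]:
    reasons = []  # each matched heuristic is one reason
    created = datetime.fromisoformat(status["account"]["created_at"].replace("Z", "+00:00"))
    if NOW - created <= NEW_ACCOUNT_MAX_AGE:
        reasons.append("account created within 2 days")
    hosts = {m["acct"].split("@")[-1] for m in status["mentions"] if "@" in m["acct"]}
    if len(status["mentions"]) >= 2 and len(hosts) >= 2:
        reasons.append("tags 2+ users on different instances")
    if status["media_attachments"]:
        reasons.append("carries a media attachment")
    if template_counts.get(template_key(status["content"]), 0) >= 3:
        reasons.append("same template text seen from 3+ statuses")
    return reasons

def flag_wave(statuses: list[dict], min_reasons: int = 3) -> list[str]:
    # count templates over the whole batch first, then score each status against it
    counts = Counter(template_key(s["content"]) for s in statuses)
    return [s["id"] for s in statuses if len(score_status(s, counts)) >= min_reasons]

def _status(sid, created, text, mentions, media=({"type": "image"},)):
    return {"id": sid, "content": text + " " + " ".join("@" + m for m in mentions),
            "media_attachments": list(media), "mentions": [{"acct": m} for m in mentions],
            "account": {"created_at": created}}

SPAM = "<p>Hello! I run the Kuroneko Server! Join: invite.example</p>"  # constructed
SAMPLE = [  # constructed batch: three throwaway accounts, image + two cross-instance tags
    _status("s1", "2024-02-19T10:00:00Z", SPAM, ["a@one.example", "b@two.example"]),
    _status("s2", "2024-02-19T11:00:00Z", SPAM, ["c@three.example", "d@four.example"]),
    _status("s3", "2024-02-20T01:00:00Z", SPAM, ["e@one.example", "f@two.example"]),
    _status("s4", "2019-05-01T00:00:00Z", "<p>lunch pics</p>", ["g@one.example"]),  # old acct
]
```

`flag_wave(SAMPLE)` returns the three spam IDs and leaves the old account’s post alone; the thresholds are starting points an admin would tune against their own timeline.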

Now you might be thinking, why is this a problem on Mastodon instances in particular? Well, there are three reasons: Mastodon has tons and tons of instances people set up and forgot, people didn’t disable registrations, and most importantly Mastodon is broken by design. No really, it is.

What Eugen wants, Eugen gets

To understand why this is such a problem with Mastodon right now, we need to take a step back a bit and look at who runs Mastodon. Mastodon is notorious for being run by Eugen Rochko, who has a policy of “what he wants, he gets”. It’s his project, and he doesn’t care. On one hand, this brings him detractors not only from users who want features, but from left wing types who also want him to make the most hugboxed platform on earth. On the other hand, Eugen is as notorious as the GNOME “valid use case” Foundation in terms of ignoring issues people have with his project. If search is broken, it’s because it’s a harassment tool (before adding in opt-in search after many users were visibly angry). Quote posts also won’t happen because they’re a harassment tool. Having your own favicon for each instance goes against Mastodon’s Corporate Branding, and can’t happen either. Emoji reactions won’t happen because they make Mastodon slower. These are just several features that Pleroma, Misskey, and more openly support. In fact, Soapbox explicitly had server customization as a feature.

This has left Mastodon feeling as if it is the IE6 of the fediverse, lagging behind what the cool kids of Pleroma and Misskey can already do (if you don’t run a fork, that is). But it gets better. One other notable example of this mindset is that Mastodon has very weak anti-spam measures. This is because Eugen also had that “it could never happen to me” mindset, and in 2018 he said that CAPTCHAs are ableist. After all, think of the blind person using the fediverse who can’t read the CAPTCHA. His solution was account approval. Of course this has its drawbacks: anyone who has signed up for certain forums including WithTheWill, 68kMLA, and of course the infamous ResetEra knows that getting into some of those forums is a matter of luck. Furthermore, you need open signup to be listed on joinmastodon.org.

Fast forward to May 2023. Mastodon finally adds in an imported feature from one of the forks to have post-email captchas, the reason being a spamwave that was hitting Mastodon.social as well and advertising shitcoins. Essentially, it took Mastodon 7 years to add basic moderation features, and only in a gimped format that requires you to set up an hCaptcha account and pray they don’t give you the Cloudflare treatment.

This entire situation getting as bad as it is can come down to one thing. It’s because Mastodon has no built-in way of doing captchas without using hCaptcha after an email is sent and accepted (which can cause email spam to increase), and Mastodon also has a problem with users who have no idea what they’re in for setting up an instance and not disabling sign ups. This isn’t as bad in the Pleroma sphere simply because Pleroma instance owners at least tend to have more internet street smarts and have probably learned the hard way why you don’t set something up with open access to any bum. This is cemented by the fact that most of these spam vector instances are tiny instances run on masto.host or similar by owners who forgot about their instance. Even if you want to do hCaptcha, it should be on the sign-in prompt, like other instance software can already do:


Long story short, there are a ton of Mastodon instances with owners who forgot about them, literally running on masto.host or similar VPSes, and everyone forgets about them because what could possibly go wrong anyway. Turns out your 1 user instance with open regs is now a spam vector because you didn’t even turn on account approval. Maybe now Mastodon will force account approval on by default or something to handhold admins who struggle with this. But honestly, given what has happened on the fedi, things could be so much worse. Who knows when these 1 user fedi instances will suffer the Protonmail problem among other things?

Either way the moral of the story is, if you’re running a fedi instance you should actually be using the fedi and turn off registrations if you don’t need them. This entire case is what happens when you fail to disable registrations for your abandoned or single user instance.

Is it any wonder certain people are either going back to Twitter or flirting with Bluesky given the fact that you have to run a fedi instance like a website?
