So I’ve noticed that there’s a little group of accounts all with the same name, presumably the same person with alts on several instances, and they all like to upvote their own stuff from their other accounts with the same name on other instances (and from other accounts which don’t have the same name but seem likely to be the same person). Here’s what it looks like. (I have redacted their actual username, since I’m not sure if that is acceptable to post in a bigger and not-drama-centered community.)
Each of these little groupings is multiple votes from accounts with the exact same name, all applied to the same comment within a few minutes of each other from (for example) the programming.dev and slrpnk.net accounts, a little while after the infosec.pub account posted it:
SELECT p.actor_id, cl.score, cl.comment_id, cl.published FROM person p, comment_like cl WHERE p.name = 'redacted' AND cl.person_id = p.id ORDER BY published ASC;
actor_id | score | comment_id | published
------------------------------------+-------+------------+-------------------------------
(some excerpts:)
https://infosec.pub/u/redacted | 1 | 1961075 | 2025-02-22 16:22:56.014731+00
https://slrpnk.net/u/redacted | 1 | 1961075 | 2025-02-22 18:00:51.325286+00
https://programming.dev/u/redacted | 1 | 1961075 | 2025-02-22 18:03:18.236992+00
https://programming.dev/u/redacted | 1 | 1958485 | 2025-02-22 18:03:19.371003+00
https://slrpnk.net/u/redacted | 1 | 1958485 | 2025-02-22 18:00:50.886344+00
https://infosec.pub/u/redacted | 1 | 1958485 | 2025-02-22 11:23:42.226386+00
https://programming.dev/u/redacted | 1 | 1958643 | 2025-02-22 18:03:19.093138+00
https://slrpnk.net/u/redacted | 1 | 1958643 | 2025-02-22 18:00:50.944788+00
https://infosec.pub/u/redacted | 1 | 1958643 | 2025-02-22 11:57:14.571075+00
https://infosec.pub/u/redacted | 1 | 1958775 | 2025-02-22 12:18:29.561662+00
https://slrpnk.net/u/redacted | 1 | 1958775 | 2025-02-22 18:00:51.007097+00
https://programming.dev/u/redacted | 1 | 1958775 | 2025-02-22 18:03:19.019653+00
https://programming.dev/u/redacted | 1 | 1958789 | 2025-02-22 18:03:18.814704+00
https://slrpnk.net/u/redacted | 1 | 1958789 | 2025-02-22 18:00:51.063719+00
https://infosec.pub/u/redacted | 1 | 1958789 | 2025-02-22 12:20:44.963274+00
https://slrpnk.net/u/redacted | 1 | 1958826 | 2025-02-22 17:59:48.55791+00
https://programming.dev/u/redacted | 1 | 1958826 | 2025-02-22 18:02:49.300343+00
https://slrpnk.net/u/redacted | 1 | 1958827 | 2025-02-22 18:00:16.302578+00
https://programming.dev/u/redacted | 1 | 1958827 | 2025-02-22 18:03:20.336056+00
https://slrpnk.net/u/redacted | 1 | 1958832 | 2025-02-22 17:59:48.497287+00
https://programming.dev/u/redacted | 1 | 1958832 | 2025-02-22 18:02:49.359749+00
https://programming.dev/u/redacted | 1 | 1958871 | 2025-02-22 18:02:49.420568+00
https://slrpnk.net/u/redacted | 1 | 1958871 | 2025-02-22 17:59:48.43862+00
https://slrpnk.net/u/redacted | 1 | 1958873 | 2025-02-22 17:59:24.697018+00
https://programming.dev/u/redacted | 1 | 1958873 | 2025-02-22 18:04:55.884635+00
https://programming.dev/u/redacted | 1 | 1958875 | 2025-02-22 18:04:55.795094+00
https://slrpnk.net/u/redacted | 1 | 1958875 | 2025-02-22 17:59:24.792819+00
https://slrpnk.net/u/redacted | 1 | 1958877 | 2025-02-22 17:59:24.743799+00
https://programming.dev/u/redacted | 1 | 1958877 | 2025-02-22 18:04:55.84273+00
https://slrpnk.net/u/redacted | -1 | 1958982 | 2025-02-22 18:00:51.647423+00
https://infosec.pub/u/redacted | -1 | 1958982 | 2025-02-22 12:55:05.047563+00
https://programming.dev/u/redacted | 1 | 1959091 | 2025-02-22 18:03:18.551263+00
https://infosec.pub/u/redacted | 1 | 1959091 | 2025-02-22 12:55:40.650352+00
https://slrpnk.net/u/redacted | 1 | 1959091 | 2025-02-22 18:00:51.138157+00
The reason I’m bringing this up:
- Isn’t this a problem? I get that it’s hard (impossible) to prevent this type of thing, but it seems weird that the infosec.pub admins weren’t into the idea of it being a problem when I pointed out this super-blatant instance of it to them. I do feel like dealing with blatant Lemmy-fraud when it happens is kind of a good instance hygiene type of thing to do.
- You should know that this user also talks pretty constantly about how the Democrats are bad, and anyone who votes for them is a fool, and Kamala Harris was the one who invaded Gaza, and so on. And they like using their multiple alts to upvote that content of their own. I feel like having that confluence pointed out is relevant.
- Is there something that I should be doing different than just pinging the admin and then moving on with my life if they don’t do anything?
I can’t exactly articulate why I feel like this is an issue, but I do. This also doesn’t necessarily seem like the right place to post this, but also, I wasn’t sure where to post it, and so…
Sorry I’m not on topic but am really curious about how you query the database directly
You have to be running an instance of your own (either a self host or be an admin of a real host), sadly.
In my opinion the system design should not include this hard distinction between “the admins” who can read everyone’s private messages and decide what “their” users can and can’t read and say and see who voted how, and “the users” who can do none of those things and are allowed to even exist purely at the pleasure or displeasure of the admins. But that’s a deeper discussion for another time.
Hmmm very interesting and I appreciate the info. Thank you!
I agree with you. Although, I’ve seen that there are docker compose files ready with all the needed services and it can run locally(not tested it yet). Will that be enough(running locally)? Or does a public instance is required?
I do understand why it’s a limit. Nobody will host a database that will accept connections from anywhere. It’s not hard to execute a query that will chock the entire db. Thoughts?
You can set it up as a “public” instance with closed registrations, and basically just use it as a self-host but have a lot more visibility and control. Or, you could probably play around with the nginx config and make it so that only the federation endpoints are accessible to the world and the actual web app is limited to just you. It will need to be “public” in some sense in order to be reachable to receive the content from other instances though.
I personally don’t use or like docker, partly just from inexperience with it and partly because I like to have more hands-on control over the deployment than I’m able to get with docker.
Yeah, no admin is going to give you access to their database. Even if it is supposedly read-only or something, you would be able to read private messages and other things you really shouldn’t be able to read. There is also a theory that things like who voted for what are “supposed to” be private even though they are not. I don’t subscribe to that theory but that’s the prevailing view among Lemmy people I think. You would have to set up your own full instance which requires a fair investment of time and knowledge at this stage however you are doing it.
Honestly ot only need to be done once and we could spin up this kind of an instance just to explore the data on Lemmy. I bet it can be a ‘temporary’ instance without a static ip or domain and spin it up every time. You can also probably have that as an ordinary instance running from your local with ngrok or something. Probably even block requests from unknown users. I’ll think about it once I get some free time
Drop me a line sometime in case you wish to discuss docker and I can show you how I use it. My line of work is around Kubernetes and been working with containers for years.
Can you elaborate? What type of control don’t you have when using docker?
I guess we should keep an open mind about it. I mean, the main point of Lemmy is not private messaging. And I kinda like the idea of a social network where everything is public and read only except for the parts a user is allowed to write/edit. Even if it’s not, I treat it as such. Meaning I don’t expect my data to be private and the platform doesn’t push for stepping out of anonymity so for me it’s perfect.
I mean, it does require some work. But if you are a person that can xonverse with me on such topics, its probably not that much for you or any real barrier. But I should look into it more deeply. It would be awesome to be able to spin up some instance which is only for data exploration and is read only.
This doesn’t work though. It has to be sitting, subscribed to get API calls when people do votes, otherwise it won’t be able to find out any of the voting information. You can cause Lemmy to dump the comments or posts (up to a point) from a selected actor, but you can’t do that for votes. You’re either subscribed when the votes happen and available to get a call, or else it’s gone for good.
I know a little bit about it. I actually made myself use podman for a deployment not that long ago and I just didn’t like it. I think mostly the issue is just that I have not been in a position where I really had to do anything with it, but if I do wind up in one I may take you up on it.
Generally I like to muck around with the code for pretty much any service I am using / hosting. Just little tweaks to make things more amenable to how I like them. Telling docker/podman to do a source checkout and then recompile when I change something in the source in the container was beyond me and it didn’t really seem like it was set up with that kind of thing in mind, so I more or less abandoned it and went back to doing “from scratch” installations for any stuff I’m mucking around with.
Probably if I didn’t do that, I would prefer the simplicity / reproducibility and such that Docker gives, but that’s usually my priority over that.
Yeah, agreed. Like I say, I think it is fine as long as it’s clearly communicated to users that the expectation is that. I think without that clear communication, presenting a false sense of privacy, it’s wrong.