Transparency report: broken images and federated CSAM attack
Images posted within the last 48 hours will appear as broken. This is expected and intended.
Yesterday 2023-08-27 a community on the lemmy.world instance received multiple posts containing CSAM (or as it is more commonly known CP) content, which spread throughout the federation. We also ended up becoming involuntary hosts of said content.
Due to the severely limited nature of the Lemmy moderation tools, removing or purging the incriminated posts from the admin UI wasn't sufficient and didn't cause the images to be actually removed from our server. Because of this, a nuclear option was required. I have deleted every image saved by our server during the last 48 hours.
Unfortunately this also includes a post on [email protected] , as well as multiple posts on [email protected]. Authors of the affected posts can fix them by re-uploading their images, without the need to recreate the posts.
We are sorry for the inconvenience, but hosting CSAM content is highly illegal and we simply can't take any risks on this front.
I am currently discussing with the other admins whether further measures are necessary, to prevent this from happening in the future. We'll keep you posted if we have any updates.
EDIT [2023-08-28 10:00 UTC]:
The attack is still ongoing. I have now blocked the community and further deleted the last 15 minutes of images.
At this moment in time, yes they are. The lemmy.world team took down the community that was being targeted, which means that the attack has stopped (even though whoever was posting that shit got his own way). I'm bummed about having done these mass deletions but I was quite scared and that was the easiest thing to do.
Actually, if such an issue was to re surface in the future, I have found a way to more selectively delete the incriminated content. Only side effect of that is that I have to look at those pictures myself to grab their ID; and Lord, that shit can be disturbing at times.
Thank you for your patience and sorry about having destroyed your posts.
Sorry you had to go through that. Peple are messed up, and we have to expect this sort of thing from time to time. I, too, like the "store images only on the originating server" thing. It puts responsibility where it belongs. And wouldn't that allow for damage control by blocking the offending instance while they get their shit together?
Yes it would. Truth be told, defederating lemmy.world would have also fixed this, but as you probably know I consider that to be the nuclear option. I've considered doing it, but I don't think the .world team is to blame, they are as much of a victim as we are.