A checkpoint? From Mk. VI? And they mention the fediverse? (Well, Mastodon at least). It must be Christmas.

I tried what another user reported and it worked. I submitted a github issue as the security email seems to be unmonitored based on me trying to contact it (regarding a different issue) for over a week now.

Be careful about links you click in Lemmy, I guess.

cross-posted from: https://sh.itjust.works/post/774797

> What is XSS? > > Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. That malicious code can be inserted in several ways. Most popularly, it is either added to the end of a url or posted directly onto a page that displays user-generated content. In more technical terms, cross-site scripting is a client-side code injection attack. > https://www.cloudflare.com/learning/security/threats/cross-site-scripting/ > > Impact > > One-click Lemmy account compromise by social engineering users to click your posts URL. > > Reproduction > > Lemmy does not properly sanitize URI's on posts leading to cross-site scripting. You can see this working in action by clicking the "link" attached to this post on the web client. > > To recreate, simply create a new post with the URL field set to: javascript:alert(1)// > > Patching > > Adding filtering to block javascript: and data: URI's seems like the easiest approach.

Lemmy is vulnerable to javascript: links, see this post for more details.

Crank up "Crab Rave" and put your claws in the air, but with guns in them.

Can't sleep, time to rewatch this video and others like it.

Escape! With Art!

I was a bit distracted with the whole LRRMans thing, have some highlights.

Apparently someone on lemmy.ca feels the need to make clickbait out of a very short wikipedia article. And they didn't even answer their clickbait in the post body. smh.

For added fun archive.org seemingly breaks the Lemmy UI, indicating that the community lives @web.archive.org for some reason.

> Created: 9th century

> "This is the most exciting piece of excrement I've ever seen ... In its own way, it's as irreplaceable as the Crown Jewels"

The operator of the plant is confident it is safe, some say there are other risks that make not releasing the wastewater worse, most opposition is limited to saying hasn't been enough study, one scientist in particular says it is unsafe. We'll see what ends up happening later this month.

> “a lack of adequate and accurate scientific data supporting Japan’s assertion of safety”.

> “The risk of another earthquake or a typhoon causing a leak of a tank is higher, and they’re running out of space.”

> “The concept of dilution as the solution to pollution has demonstrably been shown to be false, [...] [t]he very chemistry of dilution is undercut by the biology of the ocean.”

> “I think it is important to evaluate the long-term environmental impact of these radionuclides,”

> “We have confirmed that the tritium concentrations in the bodies of marine organisms reach equilibrium after a certain period of time and do not exceed the concentrations in the living environment,” [...] The tritium concentrations then decrease over time once the organism is returned to untreated seawater.

> The IAEA [...] is expected to release a final report on the site and the plan for the wastewater release later in June.

Lemmy 101

A (hopefully not as complicated as the others) introduction to Lemmy

How do I sign up?

> Notice: Spam campaigns targeting Lemmy providers are already happening, so we are currently requiring manual approval. Please cut me some slack, I need to sleep occasionally.

1. If you are viewing this post then that likely means you are on a Lemmy instance already. This post was originally hosted on https://lemmy.nrd.li, a community welcoming anyone who is nerdy about something.
2. Click Sign Up in the top-right-most corner.
3. Fill out and submit the information.
4. Done!

You have just signed up to Lemmy. Congratulations, welcome to the club. At this point, you should click the name of the provider you're on (at the top-left-most part of the registration page) and bookmark it to your browser. This is where you will be browsing Lemmy from now on. Now you will need to wait for the admin (me) to approve your account, this will likely take less than 24 hours, and usually closer to an hour or two.

So, what about them federation business I've heard so much about?

Beyond a few basic quirks, you don't need to care about it yet. That's for Lemmy 102, eventually.

• Your account is bound to the provider you signed up to. You will only be able to log into it from that place, and that place alone. This is why I recommend bookmarking it.
• Your provider is not omnipotent, and occasionally needs to be taught about communities and content, especially if it is a new or small one. Read on below on how to do that.
• You are not limited to content hosted on your own provider. This is the hardest part to grasp so just roll with it even if you don't know what I mean by that yet.

So, how do I find communities/subreddits/sublemmies/PEOPLE TO TALK TO

1. Go to https://lemmyverse.net/communities
2. Click the home icon at the top-right-most part of the website, and enter in the provider you signed up with.
   • It should auto-complete and light up green.
3. Browse the list and click on the names of the ones you find interesting
4. Click the Subscribe button on the sidebar to add them to your homepage.

It can't be this easy, right?

For 90% of cases, it really is this easy. It's the last 10% that's gonna bring your trouble.

Lemmy just had a big bang of activity and every single admin and developer is running around with their hair on fire, so there will be quirks you will encounter in day to day usage.

For example:

I clicked subscribe but nothing happened

Click it again. If it says Subscription Pending it means you're subscribed.

Lemmyverse says there are posts but it's a ghost town in here when I open it

This means your provider just learned about the existence of that community. If you subscribe to it, it will fetch future posts and make it not a ghost town to the people after you. It will not fetch past posts because technical reasons.

I get 404: couldnt_find_community when I click on a community

Oh boy, here we go. This is the most complicated thing you will need to do.

This means your provider does not know about the existence of that community. If you want to subscribe there, you'll have to first teach your provider about it.

1. On the Lemmyverse website, each community has an additional part under their name that starts with an exclamation mark and [email protected]. Click it to copy it.
2. Go to your provider's home page.
3. Click the little magnifying glass at the top-right-most corner.
4. On the search bar, paste this identifier you just copied.
5. Search for it.
6. Ignore it when it says there are no results found. That's a lie.
7. If it doesn't show up within 10-20 seconds. Search for it again.
8. It should show up by now.

Going through this is tiring, yes. But after doing it once, your provider will, in most cases, remember it for anybody else in the future.

I clicked on a link and it logged me out so now I can't reply/upvote/subscribe

1. Remain calm.
2. Copy the URL of the page you are in right now.
   • If you're on the home page of a community, that exclamation mark identifier will be at the sidebar just below it's name. You can take that and use the instructions in the previous section.
3. Go to your provider's home page.
4. Click the little magnifying glass at the top-right-most corner.
5. On the search bar, paste the URL you just copied.
6. That post/comment/community should pop up in the search results.

Ok, I got the post but the comment I want to reply to is not there

1. Yeah, this is getting pretty absurd I know. Growing pains and all
2. On the comment, there will be this rainbow colored star badge somewhere next to the author's name. Right click it and select Copy Link
3. Proceed with the above instructions using that link.

I clicked a link and everything is different and I can't find any of these buttons you are talking about

Scroll to the very top of the page. Is the strip at the top of the page a dark blue/purple-y color or white/black

If it's purple-y, you stumbled your way onto kbin instead of Lemmy. That's a different thing.

If it isn't... I got no clue, sorry.

I want a mobile app

All of them are under-baked and have missing features at the present. But if you really want to, you can try Jerboa for Android, and Mlem for iOS.

You will need to adapt parts of this guide to how the apps work (in particular, where the search box is).

Any more quirks I need to keep in mind?

• In your settings there is a box for preferred languages. DON'T TOUCH IT
  • I am serious. You will lose access to half the content in the entire network in one fell swoop. Nobody tags languages correctly.
• Occasionally submit buttons will start loading infinitely. This may or may not mean whatever you were trying to submit may or may not have happened. Nobody knows. If it keeps spinning for more than 10-20 seconds, just go back to where you tried to post/comment and pray it worked.
• Hot and Active sorts are broken. Use something like New Comments or one of the Top sorts instead.
• Sometimes posts will change under you. If you're writing a long reply, double check to make sure the post you're replying to haven't switched out to something unrelated.
  • This is (I believe) the result of a stupid decision that is fixed by the newest yet unreleased version of Lemmy.
  • That same fix will also disable other live update behavior, which causes much more issues than it solves.

Any more non-quirks I need to keep in mind?

• Some providers disable downvotes, some do not.
• Some providers disable community creation, some do not.
• Expect providers to go down and up and slow down and speed up and run out of money and start begging for donations as more and more people join in and start posting.
• Expect inter-provider drama, which may result in providers cutting each other off.
  • This is also known as "defederating". Which is both a blessing and a curse.
• There is no way to transfer your account between providers.
• You should not need to create accounts on more than one provider unless there is a specific reason to do so (e.g. if your account is on a provider that's defederated from a large one)
• This entire document is a massive oversimplification

All of this apply as of June 20, 2023. Hopefully the future is brighter.

Help!

If you have an account you can post in the comments and I will be notified, and will do my best to help however I can.

Credits

This is a slightly modified version of this wonderful document by @[email protected]

The USCSB does some great animations. Their new intro is radical as well, right up until they use a Red Tailed Hawk's call instead of an actual Bald Eagle's.

On today's episode of Tap Tap 100...

Comments are welcome and appreciated, especially from members of NRDLemmI. For fun here's an (edited) ChatGPT TL;DR:

• These guidelines try to balance the benefits of LLMs against negative impacts on communities.
• Follow the rules of the communities and instances you participate in, including rules regarding LLM content.
• It may be reasonable to seek clarification or leave a community, but don't continue violating rules and don't argue.
• If you primarily sharing your own thoughts and use an LLM for editing or other assistance, most of this is unlikely to be an issue.
• Sharing an unedited/unreviewed response solely generated by an LLM adds little to the conversation and is likely to be an issue.
• Users employing LLMs are welcome on NRDLemmI, but if consistent rule violations occur on other instances, bans or other actions may be necessary.

Background

The landscape of LLMs and other AI tools is constantly evolving, and the technology will likely never be worse or more inaccessible than it is right now. Regardless of your personal opinions on these tools, they will certainly have an impact on NRDLemmI as well as the broader fediverse. As with many of the decisions I am making regarding how NRDLemmI will run, I hope to strike a balance between the benefits of LLMs and negative impacts the content LLMs generate can have on communities.

This approach will not be perfect. It will need to evolve alongside the tools and alongside the fediverse itself. The most important thing is that everyone here understand our approach and the reasoning behind it.

The rules here

NRDLemmI does not currently have a specific rule against posting content generated by AI/LLMs; however, there are two existing rules that are relevant to the decision-making process when addressing reports or complaints about such content.

> 3. Don't do things to adversely impact federation with other servers.

> 6. Respect the rules of the communities in which you participate.

I may elaborate further on the reasoning behind these rules later. For now, it's important to understand that these rules aim to strike a balance between free speech and the ability of our instance's users to participate in the broader fediverse (As well as limiting legal or hosting-related consequences, as that would impact both).

Rule 6 can be seen as a corollary to rule 3, as multiple rule violations within external communities could potentially lead to our instance being blocked from federating with those external instances.

The rules elsewhere

Regardless of what you are posting, it is essential to be mindful of and do your best to follow the rules of the community and instance you are participating in. This is particularly crucial when posting potentially inflammatory, self-promoting, or LLM-generated content. Specifically, when posting LLM content, be sure to check the sidebar of both the instance and the community for:

• Specific rules regarding the use of LLMs
• Rules against "low-effort" content or comments
• Rules against spamming
• Rules requiring citations

If there is a specific rule either for or against the use of an LLM, the answer is straightforward: do not post LLM generated content there. If the rule pertains to any of the other points mentioned, it is up to you to determine whether the mod/admin will view the LLM-generated content as a violation.

When you break the rules

Let's suppose a mod/admin takes action against your post. Was the rule clear? If so, you deserved the consequences, as you shouldn't expect to go unnoticed. If the rule was ambiguous or subject to interpretation, the mod/admin's action indicates how they interpret the rule. In such cases, it is perfectly reasonable to:

• Stop posting or commenting in the community.
• Leave the community and/or instance.
• Apologize.
• Feel sad and/or angry.

In certain situations, it may also be reasonable to:

• Seek clarification to better follow their rules in the future.
• Share your interaction elsewhere, as long as it's not intended/likely to cause brigading or other retributive acts.

It is never reasonable to:

• Continue posting LLM content that is likely to violate their rules.
• Argue with or harass the mod/admin.
• Complain to the instance's admins about the mod enforcing the community rules.
• Complain to your admin about an admin on a different instance.

My interpretation of the "gray area"

If your post consists primarily or entirely of your original thoughts and you use an LLM only for editing, phrasing, grammar, or to reduce the level of detail, mods/admins are unlikely to have an issue with it. Likely they won't be able to tell that an LLM was involved, just like they can't tell Grammarly or Spelling/Grammar checkers were involved. The thoughts and knowledge remain your own or, at the very least, represent something you researched while writing your post. In this case, you might even be able to bend the rule against LLM content since you're sharing your content with only assistance from an LLM.

However, if you instruct the LLM to "Write me a comment refuting this post: [post text]," the thinking and opinion belong to the LLM rather than you. Sharing a response you didn't write adds little value to the conversation since you won't be able to further engage. Additionally, longer LLM-generated posts, especially on narrow topics (where they likely don't have much/up-to-date/good training material), often have a discernible "uncanny valley" quality and can be easily identified.

Contrast this with a situation where someone shares an article written by another person that refutes a post. If someone comments, saying, "Sarah Whatshername wrote an excellent response to this, where she mentioned that [...some info/quotes/whatever...]. I think it's worth reading before fully embracing this viewpoint," they are appropriately crediting the author, highlighting relevant parts of the author's opinion, and, if possible, providing a link to the source.

How to avoid sticky situations

If things you post are repeatedly reported as LLM-generated, it suggests that you may be leaning toward misusing these tools, and action may be necessary. If it becomes apparent that you lack expertise in the discussed topic (which should be evident to the mod of a community focused on that subject), action may also be required. However, if someone says, "I heard [X], is it true?" or approaches a topic they are unfamiliar with in a curious and constructive manner, it is less likely to warrant action even if an LLM is somehow involved.

In general, if someone wants to know what ChatGPT/LLaMA/Bard/whatever "thinks" about a post or how it would refute it, they will ask that thing for a response. Simply regurgitating its answer, particularly when you lack the expertise to assess its quality or accuracy, at best contributes little to the conversation.

When things get sticky on this instance or in communities I moderate

Users employing LLMs are welcome on this instance and in any of the communities I moderate, as long as human thinking remains the primary driver. If someone's posts start receiving reports (especially if admins threaten to block my instance), I will review the user's posts and comments then engage them in a conversation covering the topics mentioned above. If, as a result of this discussion, the user consistently fails to comply with community rules on other instances or refuses to adjust their tool usage appropriately, they will be banned from the community/instance.

Apparently Lemmy's user creation API is wide open, making it trivial to make accounts en-masse. This should not be a huge issue as this instance requires an application to be filled out to create an account.

To reduce likelihood of such accounts being made and overwhelming my ability to review applications captcha will be enabled until this issue is fixed. The difficulty is currently set to "Medium", which may be adjusted.

I am guessing this will be fixed in the upcoming 0.18 update which has several significant changes, some of which may require some downtime to apply. Details of what that update entails are currently not clear, including the timeline for its release.

Yay, an early CheckPoint! Let's hope heather takes an early lunch more often!

Wow, RNA came out in Jan. 2019... Time has been wonky...

The names have been changed to protect the unusual. Crapshots will return in August.

> For a defendant with no prior criminal convictions, an offense level of 37 yields 210 to 262 months (17 1/2 to almost 22 years). A defendant who accepted responsibility could reduce that range to 151 to 188 months if the prosecution agreed to deduct the third point.

As solidly indifferent as I am about the new LotR set, it's still fun watching entertaining people playing a game I enjoy.

Watching someone exploring the industrial history of a place I will likely never go is surprisingly interesting.