Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

My security collective is honestly considering going back to IRC.

It's becoming increasingly apparent that if you don't use something truly free and open source and host it yourself, you're just setting yourself up for more of this sort of thing.

You can't trust anyone to properly handle the problem of "how the hell do we keep creeps the f*ck away from kids?" with any amount of common sense.



Even if you self-host matrix there are still multiple ways you could be liable for content you don't even know exists. Especially the last 4 points here:

https://telegra.ph/why-not-matrix-08-07

There are even custom message/media types that people use to upload hidden content you can't see even if you're joined to the same channel using a typical client.


Has this actually happened, or is it hypothetical? Was a server operator held liable for merely holding cached images?

Edit: It seems I've suddenly been rate–limit banned.


That post is 2023 vintage and is both outdated and questionable in parts.

19. "media downloads are unauthenticated by default" -> fixed in Jun 2024: https://matrix.org/blog/2024/06/26/sunsetting-unauthenticate...

20. "ask someone else’s homeserver to replicate media" -> also fixed by authenticated media

21. "media uploads are unverified by default" - for E2EE this is very much a feature; running file transfers through an antivirus scanner would break E2EE. (Some enterprisey clients like Element Pro do offer scanning at download, but you typically wouldn't want to do it at upload given by the time people download the AV defs might be stale). For non-encrypted media, content can and is scanned on upload - e.g. by https://github.com/matrix-org/synapse-spamcheck-badlist

22. "all it takes is for one of your users to request media from an undesirable room for your homeserver to also serve up copies of it" - yes, this is true. similarly, if you host an IMAP server for your friends, and one of them gets spammed with illegal content, it unfortunately becomes your problem.

In terms of "invisible events in rooms can somehow download abusive content onto servers and clients" - I'm not aware of how that would work. Clients obviously download media when users try to view it; if the event is invisible then the client won't try to render it and won't try to download the media.

Nowadays many clients hide media in public rooms, so you have to manually click on the blurhash to download the file to your server anyway.


> I'm not aware of how that would work

Custom clients that do support uploading/viewing of the non-standard events. It's a known vector for sharing CSAM in channels.


Does matrix self-hosting allow you to disable federation & uploads?


I know you can disable federation entirely, but not sure about more specific controls just for uploads.


I was on yahoo chat as an 11 year old and I was... fine?


Trivia Madness!:1 4 lyf




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: