TLDR: I’m limiting (followers-only) infosec.exchange for now. In the coming weeks, I and several admins plan to escalate this to a full suspension. Consider migrating if you find the suspensions, and our reasons for them, concerning.
Check for content warnings before following links.
Edit: See this update from infosec.exchange. On one hand, it’s good that they finally acted. On the other hand, it’s worrying that multiple reports with evidence, and knowledge about r000t, were ignored until now. They’ll need to do better going forward, and not just ignore reports and dismiss evidence until there is a public outcry.
r000t (@ligma.pro, @infosec.exchange, @fedi.site) has been working on a full-text search engine for Fedi for a while:
Claims to rotate addresses and avoid announcing its presence, while claiming that this somehow protects user safety. Claims that the hourly VPS providers it uses are the top three providers used by Mastodon instances, so that range bans would also hit legitimate instances. Teased a search engine in November with the intention to “specifically bypass all attempts to block it” while branding this as something good for user safety. Makes fun of people concerned about such a scraper by comparing them to a Kiwi Farms victim.
And now:
r000t released as:Public, a full-text non-consensual block-evading search engine for Fedi, after threatening mass violence just days earlier. Previous hint. Went on a bender of threats, slurs, threatening animal cruelty, and eventually posting unmarked gore in an attempt to gain mod attention. See the archived profile for r000t @ ligma.pro when federated to bae.st (CW: NSFL gore). This all happened shortly after admitting to stealing cryptocurrency.
All that infosec.exchange did was limit r000t’s account with a possibility of un-limiting it soon. A mod admitted to receiving several reports against r000t but dismissed them as “fediblock nonsense” while voicing support for this non-consensual engine.
If we assume honesty, then what r000t said about concealing the collector in November would still check out, judging by this post made during its release. Also note that the engine does not depend on federating with ligma.pro itself. It uses the streaming API of servers you federate with: if even one server you federate with has the streaming API enabled and is being fetched by the collector, any of your instance’s posts that federate to that server can be indexed.
The opt-out mechanism might change; r000t has teased making the opt-out mechanism dependent on federating with ligma.pro.
Unrelated to this fiasco, some more gems I stumbled upon:
Brags about bypassing authorized fetch. Compares excluding gender non-conforming members of PolyMC to moderating nazis. Threatens legal action against blocklists. Brags about getting away with death threats.
Given the lack of action taken by infosec.exchange, despite reports: I no longer trust its staff to lead a safe community. I’ve set infosec.exchange to followers-only for now. In a few weeks, I and several other admins plan to escalate this to suspension. If you’re on infosec.exchange, and find this concerning: consider whether this warrants finding a new instance.
Edit: If any of this makes you want to send death threats to the people involved: please don’t. You’re making this worse for everyone.