Lemmy security, private messages and you

There's been a bit of a stir over this post: https://sh.itjust.works/post/13512126

I thought I would explain some things about Lemmy in general and HC in particular, for better or worse.

About this exploit

  1. We are NOT affected by this particular bug. It only affects Lemmy 0.18.5; at the time of that post we were on 0.19.2, and I have just upgraded us to 0.19.3, which was released a few days ago. In general I keep close tabs on Lemmy development, and we are always on the latest version within a couple of days.

  2. Even if we had been affected, you would have to be a registered user on HC to even attempt to exploit it, and this particular bug involved spamming the Report feature. It would have been really obvious to Alice or me had anyone tried, since we get notified of all reports.

About Lemmy security in general

Lemmy is still early in its development, things are changing rapidly, and there have been a number of rather serious security bugs over the past year. This is not the first time something like this has come up, and it won't be the last.

I keep an eye on Lemmy development and upgrade us to the latest version soon after it is released. This is the main thing I can do to make sure we limit our exposure to any potential Lemmy exploits.

We are also not federated, and as of now we're a pretty small, tight-knit group. This vastly reduces our risk from any exploits, since typically exploits require you to be a registered user.

Lastly, if there were ever a serious exploit that affected us, you would hear from me.

About Lemmy private messages

Lemmy private messages exist as unencrypted text inside of the Lemmy database.

Lemmy admins in general CAN'T view or delete your private messages through the Lemmy admin interface; there is simply no option for it.

The server admin (me in this example) has access to the database directly and could run a query to view or delete private messages.

In practical terms, this means the only person here who could do that is me. As I said before, I really don't care to view the dick pics you send to each other, but you should keep in mind that I could.

In general you should never use Lemmy private messages for anything that could hurt you if they ever became public. There are some scenarios in which that data could end up in other people's hands, such as:

  • Through some funky Lemmy exploit we don't know about yet.
  • If someone hacks the server itself (extremely unlikely, but you never know).
  • If someone shows up at my door with a warrant.

Overall though, Lemmy private messages aren't less secure than those of any other similar service you use, even the likes of Reddit, Twitter, etc. There is nothing to panic over, just use common sense.

I'm happy to answer questions on any of this, feel free to ask them here.
