I signed up kbin.social but have since decided to go all in on Lemmy. I’ve tried all day to delete my account on kbin but it won’t let me. Once I click the delete confirmation pop up it simply reloads the feed and keeps your account.

Be warned. Currently you have no control over your data there. I think that settles it for me. I won’t be using that service again.

  • simple@lemmy.world
    link
    fedilink
    English
    arrow-up
    83
    ·
    2 years ago

    Bit of an overreaction, it’s just that kbin is experiencing a lot of server issues and is insanely slow lately. Your request will probably go through later.

    • Ghostalmedia@beehaw.org
      link
      fedilink
      English
      arrow-up
      26
      ·
      2 years ago

      100% this. I’ll bet you’ll find a bunch of failed requests in the inspector. Things are being hugged to death right now.

  • Ghostalmedia@beehaw.org
    link
    fedilink
    English
    arrow-up
    39
    ·
    2 years ago

    I’m willing to let them slide. Kbin and Lemmy are getting power slammed right now. Requests from clients aren’t going through properly and everything is being held together with duct tape and prayers.

    If you find something weird, see if there is community / magazine that makes sense to report the bug to. I don’t think there is any ill intent happening right now. Shits just cracking under the extreme traffic load.

  • heartlessevil@lemmy.one
    link
    fedilink
    English
    arrow-up
    31
    ·
    2 years ago

    You don’t control the data either way. Federation and deletion are in conflict. Even if you deleted the account, there is no guarantee it would be deleted from other servers that the data was copied to. (And to be clear, Lemmy has exactly the same issue.)

          • Umbrias@beehaw.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 years ago

            The key word there bring frivolous, and like 99% of frivolous lawsuits get tossed out rapidly and/or result in a ton of wasted money by the filer. Slapp only really work when you have a lot of money already to justify it.

      • Umbrias@beehaw.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 years ago

        Gdpr is not that easy, and the right to be forgotten is certainly more complicated than people are making it out to be. Public facing forum posts have even less protection, for fairly obvious reasons. Now if Lemmy instances were sharing your account information and not deleting that, it gets murkier.

        Lemmy should probably keep gdpr and ccpa in mind but public facing forum comments are early qualified under the right to be forgotten unless they meet certain criteria.

      • datagoat@lemmy.fmhy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 years ago

        Do these regulations even apply in this case? Lemmy is non-commercial and it’s a distributed. Who would the regulators even go after?

        • jax@lemmy.cloudhub.social
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 years ago

          The other point is, how do you know which instances to go after to delete any content anyways? I think there is a way to see a list of federated servers, but there’s no way to know which has your data.

          In theory you could send a takedown request to each of them, but that doesn’t seem helpful

  • Ulu-Mulu-no-die@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    2 years ago

    Have you tried to contact the admins? Their servers are under immense load, it could be a problem related to that.

    • rimu@lemmy.nz
      link
      fedilink
      English
      arrow-up
      5
      ·
      2 years ago

      There is only one admin and it is also the only kbin developer.

      Kbin is not ready, I’m sad to say.

      • Ulu-Mulu-no-die@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 years ago

        As I understand it, it’s still a prototype, the dev didn’t expect at all people would use it, that’s why it’s not ready yet for mass-adoption, tho I like how it’s made, it has great potential IMO, it just needs time to get out of prototype phase.

  • liontigerwings@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    5
    ·
    2 years ago

    I can’t log in. I think it’s just a server problem. You can’t delete your account if the server can’t be reached. Give it time.

  • NotWalking@feddit.dk
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 years ago

    I’m sure it’d just a bug and will be fixed soon. Have you tried contacting the mods?

  • WalterzarBoBalterzar@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 years ago

    One thing that definitely worries me with federation in general is the barrier to entry to hosting an instance is low, by design. On one hand this is great, but on the other hand it means just about anyone can spin up an instance and collect usernames, passwords, emails, etc. from anyone who signs up

    I know this is obviously no better than an single giant corporation who can do that. But it’s interesting to think about.

    • Memnarch936@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      2 years ago

      I am once again reminded of the always relevant XKCD comic

      I do see and understand the concern, and honestly, I don’t see a way around it. At some point, you have to supply some information to access services, especially if you want any sort of customization to your experience. I guess if you are really concerned about it, don’t use that email/password/username combo anywhere else.

      Edit: Apologies, I am still figuring out how formatting works here.

    • HeartyBeast@fedia.io
      link
      fedilink
      arrow-up
      4
      ·
      2 years ago

      Remember folks, use a password manager and get it to create a random strong password for every site you use

    • Communist@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      I believe the passwords are stored as hashes, not sent directly to the server, at least I certainly hope so.

      • heartlessevil@lemmy.one
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 years ago

        They’re sent directly to the server and stored as hashes. There’s nothing stopping someone from logging the plaintext password, or removing the hash mechanism, though. Make sure to follow best practices and use a unique password on every website.

        • Communist@beehaw.org
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 years ago

          Oh jeeze, I guess the hashing system can’t work locally because then we’d know how the hashing works and could crack it, darn.

          edit: wait no, that’s stupid, why couldn’t it work this way?

          • roseh@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 years ago

            Hashing could happen client-side, but there’s not much of a difference. If you’re using HTTPS, then all traffic to the server is end-to-end encrypted anyway.

            At some point you have to trust the website that you’re connecting to, but obviously don’t re-use passwords, use a password manager, etc etc

          • z2k_@lemmy.nz
            link
            fedilink
            English
            arrow-up
            3
            ·
            2 years ago

            If passwords are hashed on the client side and sent to the server to authenticate, then all an attacker would need is the password hash and not the original password to authenticate. So it could protect your original password but not your account.

          • SalamanderA
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            2 years ago

            A few years ago the plain text passwords would show up in the logs. That has been changed since then, but a malicious instance admin can easily revert this change and keep a log of plaintext passwords.

            A developer explained to me that adding client-side hashing would be problematic because different clients might do the hashing in different ways, and that the desired solution is to add OAuth at some point. There is also a bit more discussion about this in that thread: https://lemmy.ml/comment/97830

            I lack the technical knowledge in client-side hashing to explain why this is the case, but as far as I can tell client-side hashing is not common at all. The standard is to hash the passwords server-side.

            I do think that it is important to be aware of what a malicious instance admin can potentially do: they can log your plain-text password, see your e-mail and correlate it to your IP, look at what posts you like/dislike, and read your non-encrypted private messages. But these are not “Lemmy” problems, as these are general issues when it comes to trusting the servers of the sites that you create an account in.

            An important benefit of Lemmy is that you can actually set up your own server or use the server of someone who you really trust, and you can use it to interact with the rest of the instances. It is also possible to create an account without providing an e-mail, a phone number is not required, and you can usually access instances via a VPN or Tor. These are not a common luxuries when it comes to other sites.

            Using unsafe passwords is dangerous in a lemmy instance, but it is dangerous anywhere.

          • kimpilled@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 years ago

            Hashing on the client side creates a “pass the hash” vulnerability. What you’ve done in that case is made the hash itself the password, because that’s all the client needs to pass to the server to authenticate. This means that if those hashes are leaked, they can be immediately used to access the server instead of being cracked first.

            https://en.wikipedia.org/wiki/Pass_the_hash

    • Jeze3D.exe v0.0.6@lemmy.worldOP
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Thank you! I just noticed that. They have to manually delete the account as it just submits a request. Are you kidding me? What an inefficient system.

  • Problematic Consumer@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 years ago

    Not sure about kbin but sign-up/account management on lemmy is kinda broken as well. For example lemmy.ml doesn’t allow new users to sign up and when you try its just infinite loading with no visible response. Or on beehaw.org where you have to sign up and pray that you’re accepted cause otherwise you’re just ghosted. There’s a long way ahead in terms of UX