I don’t have experience with a sarong, but a saree is basically the same thing.

The difference is in the shape and size of the piece of cloth. That’s how you can tell a saree, bedsheet and towel apart. There is also usually difference in material (but fine silk towels exist, as do coarse cotton sarees), patterns/weaves (but there are towels and sarees that share pretty similar patterns) and quality of materials used (but again, ridiculously high quality silk bedsheets are a thing). The real difference is the shape and size - sarees are always 5.5m x 1.15 m (‘standard’ 6-yards), or 8.2m x 1.15m (9-yards, worn only on special occasions now, and only in a few specific regions).

In a pinch, a saree works as a towel or a bed sheet or a cover sheet of any sort, really. However, good luck getting a towel or bedsheet draped onto your body - you’ll look like you’re in a sack. They just don’t have the right shape!

Yes, access to production database is fairly common (for certain job functions, at least). Unaudited and unfettered database access is much less common. Sure, it happens, but it is rare - especially for something at the scale (& attractiveness to hackers) of Instagram. And yes, an audit trail doesn’t mean your manager will be immediately alerted, and there are people who won’t think of the audit trail and go snooping in prod anyway - so it is possible, but I just don’t think it’s very probable ¯\_(ツ)_/¯

And a moderation tool for direct messages? Which are E2E encrypted? That doesn’t make much sense to me. What moderation function would a “list of people they have DMed in the last 2 years” serve? I guess it could be used to determine if somebody has been harassing someone else - but the block feature exists, why would it reach a moderator in the first place?

and frankly you should assume that this is happening behind the scenes at every company.

Look, I operate under the principle of “anything that I put online, will be eventually public and linked to me” (which is why I would never answer the original question, even with an anonymous account that isn’t linked to my email) and “everybody sucks at infosec” - but that doesn’t mean Instagram employees have a handy way to access a human readable list of people I have DMed.

Occam’s razor is in favour of the girlfriend getting the info the old fashioned way - snooping on the OP’s phone

Ya, I mean Instagram is no bastion of privacy, I’m sure - but most managers wouldn’t be thrilled to learn their employees were accessing the production database for fun. It’s less a “but you violated our customer’s trust” and more a “you idiot, why you tempting fate, we are generally one typo away from the whole thing crumbling down anyway!”. And surely no company bothered to build a nice tool that’ll let their employees peruse the DM list of a random user - we can barely get them to build us actual monitoring infrastructure till something breaks! So one would have to put in some effort into gathering this information. Running background checks for some random friend - the risks and effort doesn’t feel like it would be worth it. It seems more likely the girlfriend peeked at OP’s Instagram client herself, or just took a guess, and made up “a source working at Instagram” as a plausible excuse.

You’re on the lemmy.world instance, so you can reach the admins by emailing [email protected], or posting in the support forum [email protected]

Now to answer whether there’s a difference between being promoted and doing it yourself - In this case, it’s suspected that session tokens were compromised. You know how when you enter some events, they vet you/your ticket once at the door and then put a stamp on your hand? If you go out and want to get back in, you don’t have to do the whole verification song and dance again, just show them your stamp? Well, that’s pretty much what a session token is - Lemmy vets your password once when you log in, and gives an unique session token to whatever browser or app you used to log in. That way, when you reopen Lemmy, you don’t have to enter your password again.

Now that token is compromised, you have to assume a hacker has your unique token. When you logged yourself back in, Lemmy did the whole validation process again and gave your browser/app a new, unique session token - that’s just how logging in works. But the important question is, did it invalidate the old session token when you logged out? Otherwise the hacker can still show the old token and pretend to be you.

Now if your browser/app prompted you to log-in today, you can be sure that your browser/app tried to get into Lemmy and was denied access. That means you can be sure your old stamp/token is now invalid. Logging out and in yourself doesn’t give you the same guarantee - you will have to check Lemmy code (or run some experiments) to know if logout does actually invalidate the old token. I haven’t validated Lemmy’s code, but I will say most half decent software will invalidate your token when you log out. If you want an extra layer of protection, change your password as well - even the software devs that forget to invalidate tokens on logout usually remember to invalidate them on password changes.

LoL! That is an unusual guess, I don’t think I have heard of “Marxist Leninists” in popular media in a while!

I think the original analogy works better.

If an EU country goes rogue, other EU nations can’t just isolate it and bar it’s citizens from entry. There is no expulsion from the EU AFAIK. But Lemmy instances can block another instance fairly easily and unilaterally - like how nations can refuse visa to citizens of a rogue nation. And Lemmy instanced are expected to federate with most other instances, just like countries are expected to grant visas to most other countries - unlike joining the EU, which is a whole big process and all EU members have to agree (there are no vetoes in Lemmy federation).

But most importantly, the EU members are required to act as one in many circumstances - most laws apply across all EU members, EU negotiates trade deals as a block, etc. That is not true for Lemmy instances. Each is completely independent and makes its own laws - and must only comply with some very loose principles (which boil down to “don’t be a total jerk”) to not be isolated from other instances. This is much closer to the kind of independence countries have, than EU members.

I think it’s not helped by the fact that most early adopters are “techies” who enjoy talking about the underlying tech.

The average user doesn’t really need to understand this whole fediverse thing to sign up and use Lemmy. We could just have a website with a big sign up button that randomly (to load balance) selects an instance from a whitelist and signs the user up there to get them started. But instead we have GitHub docs with detailed comparisons of various instances, and long discussions about underlying protocols and what the federation means and how that’s different from centralized platforms.

Lemmy does not have anonymous voting - https://lemmy.eus/post/182574

Each instance decides what to show on its homepage and its own moderation rules, so you are free to build (or find, if one already exists) an instance that attempts to prevent the kind of manipulation you are worried about.

No. It depends on their home instance.

A few may go out of their way to make it easy - there is nothing stopping a Lemmy instance from requiring government ID to sign up, after all. A few may go out of their way to make it hard - there is nothing forcing a Lemmy instance to collect any data about a user. Most big instances will probably be at the same level of difficulty as tracing someone from their email address - their servers are probably logging IPs and locations, which will be a starting point for tracing identities, but not guaranteed to be “easy” by any means.