[-] tal@lemmy.today 3 points 12 hours ago

I mean, they kind of drive the point home further in the article:

So far, we’ve observed six devices total that we believe were targeted for exploitation by this threat actor, four of which demonstrated clear signatures associated with NICKNAME, and two which demonstrated clear signs of successful exploitation. Interestingly, all of the victims had either previously been targeted by the Chinese Communist Party (CCP) e.g., they were confirmed to have also been targeted by Salt Typhoon; they were engaging in business pursuits counter to or of particular interest to the CCP; or they had engaged in some sort of activism against the CCP.

[-] tal@lemmy.today 1 points 19 hours ago* (last edited 19 hours ago)

Honestly, there aren't that many posts in this community's history---only ~240-and-change---and it'd be a shame to lose the images. Tell you what, @Scirocco@lemm.ee and @sag@lemm.ee. I'll go ahead and take the initiative and go through and manually repost the history myself to the new community with what images I can recover, and upload to lemmy.today's pict-rs instance; not all are still accessible.

Also, given that catbox.moe---another popular place to host content posted to the Threadiverse---is also at risk of going down, probably a good thing to get anything on there off anyway, if anyone's used that.

[-] tal@lemmy.today 2 points 19 hours ago* (last edited 19 hours ago)

I’ve made one on .world

It appears to be !CassetteFuturism@lemmy.world, for anyone looking.

Hopefully with an automated tool of some sort…

PieFed apparently has some functionality like this; the !InternetIsBeautiful@lemm.ee migration to !InternetIsBeautiful@piefed.social did this, and old posts---including, importantly, a new copy of images posted by lemm.ee users now hosted on piefed.social---are visible on that instance. I have not seen old posts yet show up on my own instance as of this writing, and am not sure whether they will do so or are even expected to do so.

https://lemm.ee/post/65950432/20944447

[-] tal@lemmy.today 5 points 1 day ago* (last edited 1 day ago)

Well, someone's gotta be the guinea pig!

I have no idea what, if any, compatibility issues exist between Piefed and Lemmy instances today, as I don't normally use any communities on instances running Piefed. Might be a good idea to ask the PieFed people or piefed.social admins about any known issues, or check the Piefed issue tracker:

https://codeberg.org/rimu/pyfedi/issues

e.g.

https://codeberg.org/rimu/pyfedi/issues/658

Mod-Assigned Post Flair is Dropped When a Lemmy Post is Edited

Like, for a community that relied heavily on post flair to make the community work, that might be a substantial issue.

[-] tal@lemmy.today 10 points 2 days ago

but I’ve really enjoyed it.

Me too, and I hope it lives on elsewhere myself!

[-] tal@lemmy.today 3 points 2 days ago* (last edited 1 day ago)

For choosing a new community, yeah, but the mods and users may not even know that the instance is going down. I've put a post in the lemm.ee communities that I subscribe to that haven't already had the mods or someone else post something about the instance going down.

EDIT: Honestly, it'd kind of be better if there were some sort of protocol-level way for an instance to announce that it was going offline in N days, because this isn't going to be the last time this happens, and I believe what a user on another home instance is going to see if nothing happens---based on what I saw when kbin.social went dark---is the community appearing to just be inactive. It's not very clear that the instance is dead from that, especially since a lot of communities don't see all that much traffic in the first place.

[-] tal@lemmy.today 6 points 2 days ago

looks

Discuit isn't a Threadiverse implementation, a la Lemmy, Piefed, and Mbin. Based on this, I don't believe that multiple Discuit instances can even federate with themselves:

https://www.reddit.com/r/RedditAlternatives/comments/14b5rdo/introducing_discuit_an_easy_to_use_reddit/

I don't believe federated platforms will ever become mainstream. They have a whole host of problems, not the least of which is that they're too complicated for most people to use. This platform is not, therefore, federated.

91

https://lemm.ee/post/65824884 for details.

Moderators interested in migrating to a new community on another instance might want to consider selecting an instance and doing so sooner rather than later so that users here have time to see a migration post here and subscribe to the new community.

[-] tal@lemmy.today 4 points 2 days ago

Probably a good idea. It looks like this community's mod hasn't been active for a year, so I doubt that he's going to be migrating this one.

[-] tal@lemmy.today 4 points 2 days ago* (last edited 2 days ago)

Well, the posts and comments do live on on the views of those communities on other instances, as long as someone subscribed to the communities.

Kagi has a "Fediverse Forums" search lens that can search all the instances, so you could maybe search for your username and a snippet of text from that comment if you use that. My guess is that as long as the Threadiverse grows, other people will probably work on searchability too.

[-] tal@lemmy.today 7 points 2 days ago

Lemmy.today also has policy against defederation, and it's still happily chugging along.

[-] tal@lemmy.today 5 points 2 days ago

Oh, cool. That might warrant an announcement somewhere high-profile, as some people might have been holding off piefed due to wanting a mobile client.

1
submitted 3 days ago by tal@lemmy.today to c/news@lemmy.world
1
submitted 3 days ago by tal@lemmy.today to c/news@lemmy.world
[-] tal@lemmy.today 39 points 3 days ago* (last edited 3 days ago)

I have done so on occasion.

I get quite a lot of good out of Wikipedia.

1
submitted 3 days ago by tal@lemmy.today to c/world@lemmy.world
28
submitted 1 week ago by tal@lemmy.today to c/world@lemmy.world
20
submitted 1 week ago by tal@lemmy.today to c/floridaman@lemmy.world
3
submitted 1 week ago by tal@lemmy.today to c/news@lemmy.world
8
submitted 2 weeks ago by tal@lemmy.today to c/news@lemmy.world
523
submitted 1 month ago by tal@lemmy.today to c/theonion@midwest.social
278
8
submitted 2 months ago* (last edited 2 months ago) by tal@lemmy.today to c/privacy@lemmy.world

For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named "Nicole". This has been ongoing for some time now.

Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it's possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.

In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.

It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:

https://github.com/LemmyNet/lemmy/issues/1036

I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn't looked until the most-recent message, but the image embedded here is indeed remote:

https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png

I haven't stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don't know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn't also be moving the hostname on the pict-rs instance.

Another mitigation would be to route one's client software or browser through a VPN.

I don't know if there are admins working on addressing the issue; I'd assume so, but I wanted to at least mention that there might be privacy implications to other users.

In any event, regardless of whether the "Nicole" spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.

My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there's no great way to prevent a user's IP address from being exposed.

If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I'm all ears.
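The mitigation discussed in the post above (remote inline images become links the reader has to click), as an added example that is not part of the original post and is not Lemmy's own code. It assumes message bodies are Markdown using `![alt](url)` for inline images; `home.example`, `img.tracker.example` and the sample message are constructed.

```javascript
// Added example. Host names and the sample message are constructed.
// Assumption: message bodies are Markdown, with inline images as ![alt](url).
const INLINE_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

// True when loading `url` would make the reader's client contact a host
// other than their own instance (and so reveal their IP address to it).
function isRemote(url, homeHost) {
  let parsed;
  try {
    // Relative URLs resolve against the home instance; //host/... does not.
    parsed = new URL(url, `https://${homeHost}/`);
  } catch {
    return true; // unparseable: do not auto-load
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return true;
  return parsed.hostname.toLowerCase() !== homeHost.toLowerCase();
}

// Turn ![alt](remote) into [alt](remote): nothing is fetched until the
// reader clicks. Same-instance images are left inline.
function defangInlineImages(markdown, homeHost) {
  const blocked = [];
  const text = markdown.replace(INLINE_IMAGE, (match, alt, url) => {
    if (!isRemote(url, homeHost)) return match;
    blocked.push(url);
    return `[${alt || 'image'} (remote image, click to load)](${url})`;
  });
  return { text, blocked };
}

// Constructed private message: a per-recipient remote image, a local image,
// and a protocol-relative remote image.
const SAMPLE = [
  'hi ![me](https://img.tracker.example/pictrs/image/recipient-1234.png)',
  '![logo](/pictrs/image/local.png)',
  '![x](//img.tracker.example/pictrs/image/b.png)',
].join('\n');

function demo() {
  return defangInlineImages(SAMPLE, 'home.example');
}

console.log(demo().text);
```

The host comparison is an exact match on the parsed hostname, so a look-alike such as `home.example.evil.example` is still treated as remote.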

13
submitted 2 months ago* (last edited 2 months ago) by tal@lemmy.today to c/selfhosted@lemmy.world

I'm kind of curious as to what people these days are doing on a UPS front, to keep systems running through power outages and provide a clean shutdown prior to batteries becoming exhausted.

It used to be common to see UPS systems sold to give desktop computer systems time to shut down cleanly.
The UPS market seems pretty stale to me. There have been changes over the past twenty years or so that I'd guess have caused some of that:

  • A move to filesystems structured so as to not risk corruption at the filesystem level from power loss at an arbitrary time.

  • Many people using laptops. Doesn't change the situation much for servers, but I think that it reduces volume of the market that might want some kind of UPS.

I had expected that, with the drop in cost of lithium batteries and the tremendous rise in use of large batteries, that one would see new lithium-ion UPS units with large capacity.

But in practice, that doesn't seem to be the case. UPS units are still around, but basically only provide a small amount of power, enough time to shut down. They aren't normally geared up to keep systems running for hours.

There are lithium battery-based "home power backup" systems that provide loads of storage and automatic switching over to battery power if the mains power drops. However, these have some serious drawbacks that limit their use in a UPS role:

  • Some of these aren't rated to switch over to battery power within a sharply-bounded amount of time, to avoid risk of momentary power interruption. For many devices, a momentary power interruption isn't a huge deal, but for computers, it matters. I understand that on the order of 10 ms is expected for reliable UPS use, to keep computer power supplies happy.

  • One thing that one would like from a UPS is a clean shutdown prior to the battery becoming exhausted. For that to be done, the UPS needs to report its current charge capacity, so that software on the system can predict remaining runtime before exhaustion. Network UPS Tools is a widely-used Linux UPS-interfacing software package that does this shutdown. But looking at its hardware support grid, there isn't support for these power stations, and I suspect that if there were reasonable charge-level reporting support anywhere, there would be.

  • USB has device classes that permit charge-level reporting, and looking at the USB spec, that appears to be true of USB PD. I have wireless headphones, for example, that make use of this. However, as best I can tell from looking through the kernel source, Linux doesn't provide a way to treat these as a power_supply-class device, the way laptops have a BAT0, BAT1, etc, which would let the OS provide a clean shutdown itself when the time-remaining drops to a critical level. And even though power stations typically provide USB charging, I have not been able to find any that actually report their charge level via that USB in such a fashion.

I can think of at least three viable ways to provide a large amount of backup power and a clean shutdown, based on what I've seen:

  • I'm sure that there are people who have rigged up some kind of ad hoc system off a full-blown grid-tie power system, with separate batteries, inverter, charge controller, etc. In that case, all one needs is a voltmeter linked to the batteries prior to the voltage-regulation stuff, knowing what battery type is involved, and one could give a capacity estimate. Doing this ad hoc is going to have some drawbacks that I'd hope that a vendor-provided battery management system wouldn't, like having to calibrate to one's batteries and not automatically dealing with battery aging.

  • Simply run a UPS and a "big-battery" lithium backup power station. Plug the UPS into the power station and the computer into the UPS. The UPS provides the rapid changeover time and provides the computer with a warning prior to shutdown. This uses systems that should work out-of-box, but doesn't really seem ideal to me in that one's buying extra hardware and doesn't have a unified view of time remaining on the battery -- the computer thinks that everything's normal until the power station is drained and the UPS kicks on.

  • Some people use old laptops as servers. For those, you can already use the OS's built-in power management to deal with laptop batteries. If you have a power station extending the runtime, great, though in that case, you run into the same "you don't have a unified view of the laptop and power station battery charge" situation.

I'm pretty sure that people out there doing self-hosted servers have thought about this, and I'm curious as to what people out there are doing in terms of the options out there. Do you just not worry about it, given the fact that corruption at a filesystem level isn't such a big deal? Do you just use a UPS for a handful of minutes prior to a clean shutdown, and not try to keep your systems running through longer power outages?

I also don't know how resilient home Internet connections are in the presence of power outages, whether typical cable, fiber, and DSL connections remain functional from the telco's standpoint. I know that cell towers typically have some sort of generator setup, as I've read about those in the past, and believe that I've read that they typically can run for at least several days without power even without technicians driving out. I don't know to what degree that is also true of wired communications hardware. I'm curious as to what the experiences of people who have put their server and network hardware on some form of backup power are. If you keep your on-premises hardware powered, have you retained Internet connectivity in power outages that you've experienced?


tal

joined 2 years ago