
We should be more careful. 1 in 30,000 is a pretty good chance to not get found out, but when it comes to videos with smaller viewcounts, we should not be allowing them to be shared.

Also we should do something about the tracking links that people keep sharing here willy-nilly. Even if it's just a rule change. Feels like 6 months since I last posted about this without change.

[-] Aryuproudomenowdaddy@hexbear.net 47 points 7 months ago
[-] sloth@hexbear.net 13 points 7 months ago

bumping this so it's not at the bottom maybe.

[-] Des@hexbear.net 12 points 7 months ago

always good to have more defensive layers on firefox.

[-] WeedReference420@hexbear.net 4 points 7 months ago

Installed it, thanks!

[-] Parsani@hexbear.net 34 points 7 months ago

We should at the very minimum ban links with trackers. I see them too much here.

There is also a tagline which links to a Google doc, which is not a good idea.

[-] QuillcrestFalconer@hexbear.net 10 points 7 months ago

Yeah links with trackers should either get auto-removed or get the tracking part scrubbed automatically. Using a regex filter should be enough for the majority of them
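An added example, not part of the thread and not the site's own code: a scrubber of the kind the comment above proposes. It uses a regex only to locate URLs in a comment body and parses the query string properly to drop tracking parameters; the parameter lists and the function names `scrub_url` and `scrub_text` are illustrative assumptions, not an exhaustive ruleset.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Illustrative, non-exhaustive lists (assumptions of this example).
GLOBAL_PARAMS = {"fbclid", "gclid", "igshid", "mc_eid", "msclkid"}
GLOBAL_PREFIXES = ("utm_",)
# Parameters that are tracking only on specific hosts. "t" is a share
# token on Twitter/X but a playback timestamp on YouTube, so it must
# not be stripped globally.
HOST_PARAMS = {
    "youtube.com": {"si", "feature"},
    "youtu.be": {"si", "feature"},
    "twitter.com": {"s", "t"},
    "x.com": {"s", "t"},
}
# Stops at whitespace, brackets and parentheses (so markdown links work)
# and never ends on sentence punctuation.
URL_RE = re.compile(r"https?://[^\s<>()\[\]]*[^\s<>()\[\].,;:!?]")

def _host_rules(host):
    host = host.lower()
    for domain, params in HOST_PARAMS.items():
        if host == domain or host.endswith("." + domain):
            return params
    return set()

def scrub_url(url):
    parts = urlsplit(url)
    host_params = _host_rules(parts.hostname or "")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs
            if k.lower() not in GLOBAL_PARAMS
            and not k.lower().startswith(GLOBAL_PREFIXES)
            and k.lower() not in host_params]
    if len(kept) == len(pairs):
        return url  # nothing removed: leave the original encoding untouched
    return urlunsplit(parts._replace(query=urlencode(kept)))

def scrub_text(text):
    """Return (clean_text, number_of_urls_changed)."""
    changed = 0
    def repl(match):
        nonlocal changed
        clean = scrub_url(match.group(0))
        changed += clean != match.group(0)
        return clean
    return URL_RE.sub(repl, text), changed
```

A filter like this only removes identifiers carried in the query string; it does nothing about the destination site logging who loaded the page, which is the concern raised in the original post.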

[-] trabpukcip@hexbear.net 25 points 7 months ago

fedposting that would interfere with the whole purpose of this site

[-] PaX@hexbear.net 21 points 7 months ago* (last edited 7 months ago)

I can't view the link (doesn't load for some reason) but I read an excerpt that was posted below and just wanted to say... we're all mega-fucked anyway if the feds/any of the Five Eyes agencies want to know who we are

Western intelligence agencies, in particular the NSA, have ubiquitous wiretaps/implants throughout internet infrastructure and considering the Hexbear server seems to be in a datacenter in France...

Deanonymizing measures like this are used when someone is difficult to identify by the usual means (like because they are using Tor or I2P or are connecting to a centralized service out of their reach that is used by many, many different, irrelevant-to-them people, although those aren't totally immune to massive internet surveillance either). But a place like this where we all connect to one server and everyone who visits is "suspect" by their standards? We are already fucked assuming we are on their radar

If you connect through a VPN you're not safe either (trivial timing attack). If you use Tor or something you might be safe... but it only takes one slip-up because this is a clearnet site and you might not even realize you made it

[-] Hurvitz@hexbear.net 17 points 7 months ago* (last edited 7 months ago)

This is all true, but there's more to worry about than just feds. Similar deanonymization attacks can be leveraged by fascists and liberals who want to harass our users. Not compelling google to reveal IPs, sure, but linking to a malicious domain (and obscuring the link destination with markdown), or to a targeted social media post and seeing who interacts, or a bunch of other vectors.

No reason to make attackers' jobs easier, but also true that even the most careful of us should not feel a false sense of security

[-] PaX@hexbear.net 12 points 7 months ago

Completely agree, we should be wary of that

[-] plinky@hexbear.net 17 points 7 months ago

vpn and invidious and chill? but sharing google docs inherently seems more obviously bad

[-] silent_water@hexbear.net 12 points 7 months ago

container tabs on firefox. I keep social media in a blank profile that's really only logged into hexbear and matrix.

[-] Hurvitz@hexbear.net 9 points 7 months ago* (last edited 7 months ago)

yeah, but this approach can be generalized to any service that you are logged in to really. VPN helps but really you just can't open signed-in tabs of links from untrusted sources

[-] plinky@hexbear.net 10 points 7 months ago

It's more that those basically force you to use hexbear in private window at least, and preferably under separate exit node, or your activity doesn't require those hoops even. With small links viewership - so we shouldn't share archived news stories then?

[-] Hurvitz@hexbear.net 14 points 7 months ago* (last edited 7 months ago)

Yeah... I'm with you, people are not taking the risks of a lot of things seriously. Rule changes aren't a bad idea, especially since they don't require dev effort that we don't have, but as much as possible we should probably automate enforcement, it will make it more effective/consistent.

It's all wasted effort, until it's not, and then it'll be too late.

Automod tools do exist now but we would have to put in some dev effort to get the features we want, and it may not scale super well to our large instance size. And it's hard to keep up with all the major sites let alone small obscure sites or straight up honeypots. You can't really beat careless user behavior, but you can certainly improve things.

it's gonna be really tough to balance usability and sufficient safety/paranoia here IMO. I think the current approach is mostly "people can choose their own risk level" and giving people tools like invidious links, etc.

[-] LibsEatPoop@hexbear.net 14 points 7 months ago

Whew that is scaaary. I mean, I think we all know on some level that all our internet activity is being tracked. But to go from that to this specific is kinda chilling.

[-] TheSpectreOfGay@hexbear.net 11 points 7 months ago

wait what specific thing happened?

[-] Hurvitz@hexbear.net 27 points 7 months ago* (last edited 7 months ago)

click the link icon in the OP (they aren't super obvious ik)

But here's the gist:

In a just-unsealed case from Kentucky reviewed by Forbes, undercover cops sought to identify the individual behind the online moniker “elonmuskwhm,” who they suspect of buying bitcoin for cash, potentially running afoul of money laundering laws and rules around unlicensed money transmitting. In conversations with the user in early January, undercover agents sent links of YouTube tutorials for mapping via drones and augmented reality software, then asked Google for information on who had viewed the videos, which collectively have been watched over 30,000 times.

The court orders show the government telling Google to provide the names, addresses, telephone numbers and user activity for all Google account users who accessed the YouTube videos between January 1 and January 8, 2023. The government also wanted the IP addresses of non-Google account owners who viewed the videos. The cops argued, “There is reason to believe that these records would be relevant and material to an ongoing criminal investigation, including by providing identification information about the perpetrators.”

[-] TheSpectreOfGay@hexbear.net 14 points 7 months ago

ah thanks, i didn't realize it was a link

[-] RION@hexbear.net 13 points 7 months ago
[-] What_Religion_R_They@hexbear.net 13 points 7 months ago

there's an article, but it doesn't really show. I think you can click the square and it opens

[-] Sickos@hexbear.net 6 points 7 months ago

Clicking the title once you're in the post does it for me usually.

[-] alexandra_kollontai@hexbear.net 3 points 7 months ago

archive.ph link doesn't open for me

[-] TheSpectreOfGay@hexbear.net 11 points 7 months ago

i would recommend using firefox multi-account containers to isolate browsing hexbear (as well as google, facebook, etc) if you're not already

but yea it would be good if people didn't post those

[-] Hurvitz@hexbear.net 6 points 7 months ago* (last edited 7 months ago)

Not sure what multi account containers buys in this context, I think the default behavior of firefox mostly mitigates the 3rd party tracking that used to be rampant. Maybe I'm just not thinking though. They'd still get your IP, and the fact that you clicked on a link shared by x other person?

I guess it would open links posted on hexbear in the hexbear container, on which you won't be logged into the other site? But iirc common practice for sites you do have a sign in for is to auto-open them into their own container thonk so you'd have to be configuring it pretty paranoid-ly.

Attempting to work around and mitigate these issues at the site level is probably a good idea, because people individually will not all be so careful. But it has to be done in as like, convenient a way as possible, otherwise it'll just piss users off

[-] TheSpectreOfGay@hexbear.net 11 points 7 months ago

firefox doesn't kill all trackers, though it does kill a lot of them. things like google tracking what your account has interacted with obviously won't be handled by firefox's security features. when I open youtube videos in my hexbear container, I'm not logged into youtube, so my actual youtube account behaves like it's never watched them. do not set youtube to auto-open in a container, that defeats the purpose of using this imo. i have auto-open in container for hexbear, and like... shopping sites like ebay? basically sites that wouldn't really be linked to. things like twitter and youtube where the concern comes from should not auto-open into a container, you can just manually open it into the proper container when you want to browse it properly.

and yea, we should handle it site wide, but in absence of it being handled site wide i would recommend doing this ^^

this post was submitted on 29 Mar 2024
72 points (100.0% liked)
