70
can we care about opsec now
(archive.ph)
There's an addon that removes tracking elements from urls.
always good to have more defensive layers on firefox.
bumping this so it's not at the bottom maybe.
Installed it, thanks!
Please report posts and comments containing tracking links, moderators have been asked to act on it. Consider using tankie.tube or invidious for video linking
We should at the very minimum ban links with trackers. I see them too much here.
There is also a tagline which links to a Google doc, which is not a good idea.
The tagline should be removed now
Yeah links with trackers should either get auto-removed or get the tracking part scrubbed automatically. Using a regex filter should be enough for the majority of them
that would interfere with the whole purpose of this site
I can't view the link (doesn't load for some reason) but I read an excerpt that was posted below and just wanted to say... we're all mega-fucked anyway if the feds/any of the Five Eyes agencies want to know who we are
Western intelligence agencies, in particular the NSA, have ubiquitous wiretaps/implants throughout internet infrastructure and considering the Hexbear server seems to be in a datacenter in France...
Deanonymizing measures like this are used when someone is difficult to identify by the usual means (like because they are using Tor or I2P or are connecting to a centralized service out of their reach that is used by many, many different, irrelevant-to-them people, although those aren't totally immune to massive internet surveillance either). But a place like this where we all connect to one server and everyone who visits is "suspect" by their standards? We are already fucked assuming we are on their radar
If you connect through a VPN you're not safe either (trivial timing attack). If you use Tor or something you might be safe... but it only takes one slip-up because this is a clearnet site and you might not even realize you made it
This is all true, but there's more to worry about than just feds. Similar deanonymization attacks can be leveraged by fascists and liberals who want to harass our users. Not compelling google to reveal IPs, sure, but linking to a malicious domain (and obscuring the link destination with markdown), or to a targeted social media post and seeing who interacts, or a bunch of other vectors.
No reason to make attackers jobs easier, but also true that even the most careful of us should not feel a false sense of security
Completely agree, we should be wary of that
vpn and invidious and chill? but sharing google docs inherently seems more obviously bad
container tabs on firefox. I keep social media in a blank profile that's really only logged into hexbear and matrix.
yeah, but this approach can be generalized to any service that you are logged in to really. VPN helps but really you just can't open signed-in tabs of links from untrusted sources
Its more that those basically force you to use hexbear in private window at least, and preferably under separate exit node, or your activity doesn't require those hoops even. With small links viewership - so we shouldn't share archived news stories then?
Whew that is scaaary. I mean, I think we all know on some level that all our internet activity is being tracked. But to go from that to this specific is kinda chilling.
wait what specific thing happened?
click the link icon in the OP (they aren't super obvious ik)
But here's the gist:
In a just-unsealed case from Kentucky reviewed by Forbes, undercover cops sought to identify the individual behind the online moniker “elonmuskwhm,” who they suspect of buying bitcoin for cash, potentially running afoul of money laundering laws and rules around unlicensed money transmitting. In conversations with the user in early January, undercover agents sent links of YouTube tutorials for mapping via drones and augmented reality software, then asked Google for information on who had viewed the videos, which collectively have been watched over 30,000 times.
The court orders show the government telling Google to provide the names, addresses, telephone numbers and user activity for all Google account users who accessed the YouTube videos between January 1 and January 8, 2023. The government also wanted the IP addresses of non-Google account owners who viewed the videos. The cops argued, “There is reason to believe that these records would be relevant and material to an ongoing criminal investigation, including by providing identification information about the perpetrators.”
ah thanks, i didn't realize it was a link
Yeah... I'm with you, people are not taking the risks of a lot of things seriously. Rule changes aren't a bad idea, especially since they don't require dev effort that we don't have, but as much as possible we should probably automate enforcement, it will make it more effective/consistent.
Its all wasted effort, until it's not, and then it'll be too late.
Automod tools do exist now but we would have to put in some dev effort to get the features we want, and it may not scale super well to our large instance size. And its hard to keep up with all the major sites let alone small obscure sites or straight up honeypots. You can't really beat careless user behavior, but you can certainly improve things.
its gonna be really tough to balance usability and sufficient safety/paranoia here IMO. I think the current approach is mostly "people can choose their own risk level" and giving people tools like invidious links, etc.
Did something happen?
there's an article, but it doesn't really show. I think you can click the square and it opens
Clicking the title once you're in the post does it for me usually.
archive.ph link doesn't open for me
i would recommend using firefox multi-account containers to isolate browsing hexbear (as well as google, facebook, etc) if you're not already
but yea it would be good if people didn't post those
Not sure what multi account containers buys in this context, I think the default behavior of firefox mostly mitigates the 3rd party tracking that used to be rampant. Maybe I'm just not thinking though. They'd still get your IP, and the fact that you clicked on a link shared by x other person?
I guess it would open links posted on hexbear in the hexbear container, on which you won't be logged into the other site? But iirc common practice for sites you do have a sign in for is to auto-open them into their own container 
so you'd have to be configuring it pretty paranoid-ly.
Attempting to work around and mitigate these issues at the site level is probably a good idea, because people individually will not all be so careful. But it has to be done in as like, convenient a way as possible, otherwise it'll just piss users off
firefox doesn't kill all trackers, though it does kill a lot of them. things like google tracking what your account has interacted with obviously won't be handled by firefox's security features. when I open youtube videos in my hexbear container, I'm not logged into youtube, so my actual youtube account behaves like it's never watched them. do not set youtube to auto-open in a container, that defeats the purpose of using this imo. i have auto-open in container for hexbear, and like... shoppping sites like ebay? basically sites that wouldn't really be linked to. things like twitter and youtube where the concern comes from should not auto-open into a container, you can just manually open it into the proper container when you want to browse it properly.
and yea, we should handle it site wide, but in absence of it being handled site wide i would recommend doing this ^^
this post was submitted on 29 Mar 2024
70 points (100.0% liked)
technology
22835 readers
1 users here now
On the road to fully automated luxury gay space communism.
Spreading Linux propaganda since 2020
- Ways to run Microsoft/Adobe and more on Linux
- The Ultimate FOSS Guide For Android
- Great libre software on Windows
- Hey you, the lib still using Chrome. Read this post!
Rules:
- 1. Obviously abide by the sitewide code of conduct. Bigotry will be met with an immediate ban
- 2. This community is about technology. Offtopic is permitted as long as it is kept in the comment sections
- 3. Although this is not /c/libre, FOSS related posting is tolerated, and even welcome in the case of effort posts
- 4. We believe technology should be liberating. As such, avoid promoting proprietary and/or bourgeois technology
- 5. Explanatory posts to correct the potential mistakes a comrade made in a post of their own are allowed, as long as they remain respectful
- 6. No crypto (Bitcoin, NFT, etc.) speculation, unless it is purely informative and not too cringe
- 7. Absolutely no tech bro shit. If you have a good opinion of Silicon Valley billionaires please manifest yourself so we can ban you.
founded 4 years ago
MODERATORS