For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.
Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs is sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.
In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.
It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:
https://github.com/LemmyNet/lemmy/issues/1036
I had not looked into these earlier, but it looks like such rewriting and caching intended to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most-recent message, but the image embedded here is indeed remote:
https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png
I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.
Another mitigation would be to route one’s client software or browser through a VPN.
I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.
In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.
My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a message, and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.
If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
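One way to implement the click-through idea from the post above, as an added example that is not code from the post, from Lemmy or from any Threadiverse project: a rewrite step that turns every remote inline Markdown image into a plain link while leaving home-instance images inline. It is written as a pure function so it could sit in a server-side rendering step or in a client. The hostnames `lemmy.example.org` and `pictrs.example.net`, the constant `HOME_INSTANCE` and the function names are constructed for the example.

```javascript
// Added example, not code from the post, from Lemmy or from any Threadiverse
// project. It rewrites remote inline Markdown images into plain links so the
// image is fetched only when the reader clicks; images served by the home
// instance stay inline. HOME_INSTANCE and the hosts in the sample are
// constructed placeholders.

const HOME_INSTANCE = "lemmy.example.org"; // constructed placeholder
const TRUSTED_IMAGE_HOSTS = new Set([HOME_INSTANCE]);

// Returns the host a browser would contact for `url`, or null when the URL
// is not an http(s) fetch. Resolving against the home instance makes
// relative ("/pictrs/...") and protocol-relative ("//host/...") URLs behave
// exactly as they would in the rendered page.
function fetchHost(url) {
  try {
    const u = new URL(url, `https://${HOME_INSTANCE}/`);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

function isRemoteImageUrl(url, trusted = TRUSTED_IMAGE_HOSTS) {
  const host = fetchHost(url);
  return host !== null && !trusted.has(host);
}

// Markdown image syntax: ![alt](url), ![alt](<url>), ![alt](url "title").
const MD_IMAGE = /!\[([^\]]*)\]\(\s*(<[^>]*>|[^\s)]+)(?:\s+"[^"]*")?\s*\)/g;

// Rewrites every remote inline image into a click-through link and reports
// how many were changed.
function rewriteRemoteInlineImages(markdown, trusted = TRUSTED_IMAGE_HOSTS) {
  let rewritten = 0;
  const out = markdown.replace(MD_IMAGE, (match, alt, rawUrl) => {
    const url = rawUrl.startsWith("<") ? rawUrl.slice(1, -1) : rawUrl;
    if (!isRemoteImageUrl(url, trusted)) {
      return match; // home-instance image: keep it inline
    }
    rewritten += 1;
    const label = alt.trim() || "remote image";
    return `[${label} (remote image, click to load)](${url})`;
  });
  return { markdown: out, rewritten };
}

// Constructed sample body: a home-instance image, a relative image and a
// remote image on an unrelated pictrs host.
const SAMPLE_BODY = [
  "hi! ![me](https://lemmy.example.org/pictrs/image/aaaaaaaa.png)",
  "![also me](/pictrs/image/bbbbbbbb.png)",
  "![nicole](https://pictrs.example.net/pictrs/image/cccccccc.png)",
].join("\n");

console.log(rewriteRemoteInlineImages(SAMPLE_BODY).markdown);
```

The check is done on the host the browser would actually contact, which is why relative and protocol-relative URLs are resolved against the home instance first. Note the limit of doing this purely client-side: an `<img>` element begins its request as soon as its `src` is set, so a userscript that rewrites elements after they appear in the page can already be too late; rewriting the message before it is rendered, an instance-side image proxy, or a content-blocker rule that never issues the request are the reliable places to enforce it.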
Good luck doing that in Portugal; the IPs are all dynamic here.
iCloud Private Relay and similar relay services should also protect against IP tracking.
We used to do this on the EVE online forums until CCP caught on and banned inline images.
“Man, everyone is on planet earth. How boring”
We were using the IPs and post times to identify accounts, then checking IPs that connected to our VOIP servers so we could identify spies and either remove them or feed them false intel.
Basic counter-intel work and all for a video game heh.
This sounds super cool and interesting, is there like a wiki I can read up about that stuff??
There’s a whole documentary about it on YouTube; check out the “Down the Rabbit Hole” channel.
It’s very long.
Ty :)
Jesus, I miss that time; counter-intel was so easy back then.
Interesting hypothesis.
Yes, especially because many Lemmy users have some radical views.
For real, totally tubular 🤙
Yup. Especially with digital watermarking by modifying a pixel here or there - something you’d naturally need a computer to detect.
Steganography. Good point.
( This is how a lot of modern information caches have been dropped too: you can put entire documents in a few pixels. Steganography is just the act of hiding something inside another object. It’s an older spy technique than classic cryptography )
You don’t need digital watermarking for this. Just host the image at different URLs: evil.lemmy.org/nicole-mbystander.png and evil.lemmy.org/nicole-forrgott.png. (Really you’d use a random string and save it in a database.) Then see what IP requests the -mbystander version and which the -forrgott version, and you have our IP addresses.
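The per-recipient URL pattern described in the comment above has a mirror image on the defender's side: if one sender's messages carry a different image URL for nearly every recipient, the URLs are acting as per-user beacons. The following is an added example of a moderator-side check for that, not code from the comment or from Lemmy; the `{sender, recipient, body}` message shape, the thresholds and every hostname in the sample are constructed for the example.

```javascript
// Added example, not code from the comment above or from Lemmy: a
// moderator-side check for per-recipient image URLs. The {sender,
// recipient, body} shape and every hostname below are constructed for the
// example, not Lemmy's API.

// Captures the URL of each Markdown image in a message body.
const MD_IMAGE_URL = /!\[[^\]]*\]\(\s*(<[^>]*>|[^\s)]+)/g;

function imageUrls(body) {
  const urls = [];
  for (const m of body.matchAll(MD_IMAGE_URL)) {
    const raw = m[1];
    urls.push(raw.startsWith("<") ? raw.slice(1, -1) : raw);
  }
  return urls;
}

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // relative path: served by the home instance, not a beacon
  }
}

// Groups image URLs by (sender, image host). A group is reported when it
// reaches `minRecipients` distinct recipients and the count of distinct URLs
// is at least `minRatio` times the count of recipients, i.e. roughly one
// URL per person.
function findPerRecipientImageUrls(messages, { minRecipients = 3, minRatio = 0.9 } = {}) {
  const groups = new Map();
  for (const msg of messages) {
    for (const url of imageUrls(msg.body)) {
      const host = hostOf(url);
      if (host === null) continue;
      const key = `${msg.sender}\u0000${host}`;
      let g = groups.get(key);
      if (!g) {
        g = { sender: msg.sender, host, urls: new Set(), recipients: new Set() };
        groups.set(key, g);
      }
      g.urls.add(url);
      g.recipients.add(msg.recipient);
    }
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.recipients.size < minRecipients) continue;
    if (g.urls.size / g.recipients.size < minRatio) continue;
    findings.push({
      sender: g.sender,
      host: g.host,
      recipients: g.recipients.size,
      distinctUrls: g.urls.size,
    });
  }
  return findings;
}

// Constructed sample: one sender mails four users a unique image each; another
// shares one and the same image with three users.
const SAMPLE_MESSAGES = [
  ...["alice", "bob", "carol", "dave"].map((name, i) => ({
    sender: "spammer@lemmy.example.com",
    recipient: name,
    body: `hey ${name}! ![me](https://pictrs.example.net/pictrs/image/${"abcd"[i].repeat(8)}.png)`,
  })),
  ...["alice", "bob", "carol"].map((name) => ({
    sender: "meme_fan@lemmy.example.org",
    recipient: name,
    body: "lol ![cat](https://lemmy.example.org/pictrs/image/cat.png)",
  })),
];

console.log(findPerRecipientImageUrls(SAMPLE_MESSAGES));
```

Treat a hit as a signal for review rather than an automatic action: a user who legitimately sends a different picture to each of several people trips the same ratio, and a tracker that varies only a query string or a path component still groups under one host here, which is the intent. The grouping is by image host rather than by message host precisely because, as noted earlier in the thread, the sending instance and the pict-rs host need not be the same.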
Ummm, yeah. What he said.
Lol, though. Just that it’s so, well, me to overthink it! 🤣 But yeah, your idea is so much easier to implement. Just for starters 😝
Might be good to think about fediverse security similar to email security, as they are both federated information sharing systems. Email has spam blocking, allowing for reputation checks and other complex stuff. I wonder if Lemmy instances could collaborate on a SpamHaus type of bad host / bad user list to use and share.
SpamHaus type of bad host
That already kinda exists: https://gui.fediseer.com/
Cool, I hadn’t heard of that. So instance admins can access their lists via API I see. Should be possible to “spam filter” federations that way at least.
Maybe this stuff can be expanded to include a spam list of bad users and links too, for Lemmy servers to parse via API and block.
I’ve been blocking and reporting these nicole accounts as spam bots lately. I hope this doesn’t become as bad as the spam bots in the YT comments.
A while back someone mentioned something similar would be possible and as a proof of concept linked to an image that would generate on the fly to include your location.
I miss those old images that would show you your IP address and ISP name, which were generated dynamically based on the request. They were designed just to be a bit frightening. But, because they were rendered on the server side, there was definitely nothing stopping them from recording your IP address too.
In July there were a couple of posts like that here
On my instance (.ml) all of the images are fetched through the image proxy.
What version of lemmy is your instance running?
0.19.6. Could be that there’s some configuration option.
You should be running a reputable VPN full time, regardless.
VPNs are a condom for the internet
OK, I’m in. What’s a reputable one?
Ivpn, Proton, or mullvad
Mullvad
Definitely Mullvad
IP addresses are fairly worthless
I mean, it (hopefully) shouldn’t let someone compromise a system remotely, but:
- For those of you who have used IRC networks that didn’t mask IP addresses, people getting into flamewars and then proceeding to DDoS each other is a fundamental issue. If someone wants to do something at low latency, like play real-time video games, this is a particularly obnoxious way to disrupt them.
- IP addresses can often be correlated across databases, even by random members of the public. I remember someone running another bot that would map IP addresses to BitTorrent downloads, for example.
End of the day, the Lemmy security model is “someone can see the username you choose to expose, but not IP address”. If the IP address is intended to be exposed, then might as well just stick it right next to the username. If it isn’t, then one shouldn’t let users be able to trivially obtain it by pulling a direct-message stunt.
You as a user can not just DDoS someone. Modern connections are way faster, and modern network hardware will drop packets that are taking up too much bandwidth. You are also behind a firewall and probably a NAT which will drop random incoming packets.
The modern internet is full of bots scanning. If that doesn’t destroy your connection chances are some random internet person can’t either.
If you have a 50 Mb/s connection, surely someone sending you 100 Mb/s of data would fill your line? The firewall is on your router, so the line to it would be maxed?
Typically the data would get dropped by a router up the chain. Modern routers are pretty robust and can handle situations like that. Also I think it is becoming more and more common to have fiber although the roll out is slow.
If someone here has a slow connection they should test ddosing themselves to see what happens.
LMAO yeah, if you’re actually talking about good hardware; the average person though is using some consumer-grade crapware their ISP shoves out by the thousands that doesn’t take all that much to overload.
You as a user can not just DDoS someone. Modern connections are way faster, and modern network hardware will drop packets that are taking up too much bandwidth.
You know, I thought about responding to this point by point, but I just don’t have the energy.
I’ll just say that I don’t agree, and I think that if you want to go looking, you’ll find that this certainly is not the case.
Honestly, I would be very interested to know what you are talking about. If you are referencing the past or very old hardware, I get it, but for modern stuff that’s just not the case.
search
- ddos-as-a-service
- swatting-as-a-service
DDoS as a service would not really apply to a residential IP though. I suppose you could try hitting an IP with lots of UDP traffic, but chances are it wouldn’t impact the connection, as it would be dropped upstream. I don’t know anyone with a slow enough connection to test this on, so I don’t really know.
- Unless it’s a state actor.
stop it you’re scaring me
That’s fair
However, a state actor probably has more effective means. It is really speculation at this point. It would be nice if someone did a full investigation.
How so?
It doesn’t provide much information since your IP address is probably not static. It rotates and thanks to NAT it is probably shared.
That’s only true for a subset of people, possibly a very small one. My IP stays for months at a time.
It boils down to the ISP. Also there is no way of knowing when an IP changes. At the end of the day there are much better ways of tracking.
Someone can learn what city you are in
Well no, data fingerprinting will easily link your IP with a million other data points. Someone will know exactly which data profile you are out of a billion of them.
That’s exactly my point. Just your IP doesn’t mean a lot. Chances are your post history is much more revealing.
I think you’re missing mine though. Your IP isn’t just your IP. Your IP obtained this way is a way of deanonymising your lemmy account and tying it to a million other data points. And there are many lemmy users for whom that might be an actual safety risk.
umatrix is unmaintained and thus solves nothing anymore, unfortunately.
Are there any umatrix alternatives?
In my understanding, there was enough overlap between uBlock Origin and uMatrix that the developer didn’t want to, or felt it wasn’t worth it to, continue maintaining both.
I’m not too expert on both extensions, but maybe the functionality difference can be covered by NoScript or by using uBlock Origin with LibreWolf or some other combination.
I use both uBlock and NoScript; uBlock is much more lenient about allowing JavaScript, so it’s a good first line of defence. I try to allow only those scripts that are absolutely necessary for what I want to do. So many sites have tons of unnecessary ones that do who knows what.
I know the answer is probably no, but is there any centralized reference of which common scripts are safe to whitelist?
I had the worst time trying to guess my way through NoScript. The default settings actually did break the majority of sites I habitually visit.
Not really, but I have observed some commonalities about what is usually needed for what. This is also why I want to have uBlock as the first line of defence: if something is blocked by it by default, then it’s definitely something you don’t want to allow anyway, so it’s a little safer to experiment with NoScript.
Also, with NoScript you need to constantly adjust it when going to new websites. Default settings breaking things is more of a feature than a fault to me. It’s about taking more control over things rather than trusting everything by default. But after you identify what is safe to allow, you don’t need to adjust more things if the site itself doesn’t change something, which you will notice right away due to things breaking again.
It’s really hard to list any helpful tips about what to look out for, since it’s mostly just intuition for me and half-remembered things about what I have seen before. It’s probably more helpful for each user to develop these practices themselves anyway. But test things by temporarily allowing stuff, and permanently allow only those things you are relatively sure about. Also start by allowing the scripts from the main site and work your way from there.
On some sites the list of script sites can have an insane number of entries. I tend to try to stay away from those sites, as it’s also a good indication there is nothing worthwhile there anyway. If you absolutely need to use those anyway and think you should be able to trust the site, since they are likely not doing anything illegal anyway, there is a temporary “allow everything” button which basically disables NoScript for that site for the session.
Also sometimes when I allow scripts, they disappear from the list. I’m not sure what that is about; maybe it has something to do with me running uBlock too, or it has something to do with how the scripts are loaded in general. I haven’t had any problems with it, so I haven’t investigated it. Also sometimes when I allow stuff, more sites appear, so it’s more likely something to do with how some scripts call other scripts and maybe have redundancies if some don’t seem to work.