hexbear

10254 readers
1 users here now

Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.

founded 3 years ago
MODERATORS
1
88
Link trackers (hexbear.net)
submitted 3 months ago* (last edited 3 months ago) by InsidiousTrackers@hexbear.net to c/hexbear@hexbear.net
 
 

Hi folx

Not much has changed since we last brought this up half a year ago, which is probably a mistake as link trackers have become more ubiquitous, and the corporations that know our names and addresses have built up shadow profiles on us, but better late than never.

Anyway, cutting to the chase. This bot will warn you in DMs when you share a tracking link. That's it. Post over.

Read on if you want to see my unhinged tracking link rants.

What are link trackers?When you share a youtube link you may notice an ?si=(random gibberish) at the end. You may notice the same with Instagram, except here it's ?igshid. On Twitter, it's ?t. On TikTok and Reddit you have urls that end in gibberish like vm.tiktok․com/blahblah or reddit․com/r/blahblah/s/blahblah.

These URLs are artisanal. They are made only for you.

Other site's URLs can also be called "high entropy" URLs, for example, they may contain the time down to the millisecond, in one case.

When you share these URLs to the world wide web, you broadcast to this service (to YouTube, to Google, to TikTok, to Reddit etc.) that "Hey! This previously-anonymous account is actually me!". When you share this link to your friend halfway across the world who only talks to you on Discord, and they click it, you broadcast to this service that actually you two are buddies. Same here on Hexbear. This sharing helps these sites build a social graph on us.

The threat is two-fold. Google has a powerful search crawler, and also runs a massive ad network. They could sift through the pages they indexed on Hexbear and link the exact Hexbear account to your real name. People who have clicked on your shared link will also be exposed as having been on that exact page to which you shared the link. This kind of metadata leak can be dangerous, as law enforcement has previously asked Google to reveal people who watched so-and-so YouTube video at so-and-so time.

This bot also handles TikTok, Yandex, Snapchat, Meta/Facebook trackers that all have this same ad-related threat.

What can mods on Hexbear do?If you're a mod and you think this is important, you can @ mention this bot on a community you moderate. The bot should reply to you with some cringe, and then you can appoint it as a mod. When given mod powers, it will remove any comment/post that contains tracking links if the user has not fixed it after a day.

I will probably add functionality to sift through old comments that have dangerous trackers (like TikTok, which exposes your name and picture to anyone who clicks it) and remove/report them soon.

How to protect yourself on other sites and on your phoneInstall the ClearUrls extension on desktop (if you're on Chrome... please switch, that is another privacy issue entirely). ClearUrls will cut down on most of your worries.

Be on the lookout for the high-entropy parameters when you share things on your phone as well. Parameters in the url that look like ?si=blahblah, ?igshid, which look like they'd stand for "share ID" or "Instagram share ID", as well as obfuscated TikTok links like vm.tiktok․com/blahblah will all track you and your social circle.

How to protect your identity from leakage if you accidentally click on a tracking URLIf you're browsing a sensitive website, like Hexbear, and you happen to click a tracking URL that goes to YouTube, Google/YouTube can correlate your click with the appearance of this URL on Hexbear, associating your identity with this site.

To avoid this, you may use Firefox Multi-Account Containers, and make Hexbear use its own container that you keep separate from everything else. Although this solution is not perfect, it will prevent one facet of your identity leaking and make it harder for other sites to correlate your digital footprint.

What other threats exist hidden in URLsThe biggest threat is TikTok, which basically doxxes you when you share a link with someone.

When someone clicks your TikTok link, a big banner on top of their screen shows your profile picture and your name. If you used your real name and picture... well. Uh-oh.

Other "light doxxing hazards" exist on other sites. After looking through Hexbear comments using the search function, you can find comments that link to *****, comments that link to ****, etc. that may include the user's general location down to the city, their preferred language, their screen width and height (in the URL!!! for some reason???), and some very high-entropy parameters that look like a long string of gibberish.

If I sat down today and looking to dox someone by looking at their profile and they shared links willy-nilly, I'd have some pretty good leads.

What can the maintainer of HexReplyBot do?HexReplyBot does not handle YouTube tracking parameters properly. The maintainer can check this RegExr post I made with the modified regex. I bodged it real quick, but it should remove the ?si at least. It will still keep the ?pp parameter, but I got lazy and it's not as common. Please consider changing the regex out, thank you.

Some linkshttps://archive.ph/8c80m - law enforcement using metadata provided by YouTube to find the real name of a suspect
https://hexbear.net/comment/4439859 - someone mentioning that they keep getting a Hexbear user recommended to them on TikTok because they clicked that user's TikTok link months ago
https://archive.is/WD7ke - "We kill people based on metadata" Can't be bothered to find it but ross ulbricht got busted on some metadata links between his email and stackoverflow. Now imagine if they had tracking links back then to triangulate his stackoverflow identity (which now has tracking links) with some other offsite identity.

Share any feedback or thoughts, I'll take it into consideration.

2
6
What is Hexbear? (hexbear.net)
submitted 1 year ago* (last edited 1 year ago) by CARCOSA@hexbear.net to c/hexbear@hexbear.net
 
 

My answer:

When chapotraphouse was banned on reddit many mods and users came together to create a space on a link aggregator platform.

Choosing lemmy the original admin and developer team decided to fork it for various reasons. About a year ago, sustained effort was taken to upstream many of the forked features so that we could rebase with current version lemmy and federate.

Over the years hexbear has become a non-sectarian social media space for sharing news, memes, links, posts and comments with each other as the mods endeavour to make the space welcoming to marginalized people.

Terms of Service | Code of Conduct | Modlog | Allow-list | PPB

3
1
submitted 1 year ago* (last edited 1 year ago) by CARCOSA@hexbear.net to c/hexbear@hexbear.net
 
 

Please include a brief description of the nominated instance, why it should be removed from the allow-list or added to the block-list, and include a link to the instance. Off-topic comments will be removed.

If an instance is already nominated please do not create another top-level comment, reply to that other nomination with your comment and upvote to show your desire to defederate.

Multiple top-level comments for the same instance nomination will be removed

4
 
 

Please include a brief description of the nominated instance, why it should be added to the allow-list, and include a link to the instance. Off-topic comments will be removed.

5
 
 

hey comrades,

I've been having this issue that I thought must have been related to me using Voyager, but I just experienced the same thing through desktop firefox.

When I respond to some users the page load times out and says I can't reply, but it has posted my reply (often without upvoting my own comment)

Obviously not thrilled to be tagging people but one user I have noticed it with replying @Angel@hexbear.net, both threads and comments.

Which is extra annoying cause I've been really enjoying nerding out together.

I think it has happened with other users too. (Really regretting not saving the thread that was extra broken I saw earlier in the week.)

i-spil-my-jice

6
 
 

I, being used to my password manager doing everything, failed to save my password when I made my Hexbear account. The application has since been accepted, but when I try to reset the password the bear icon spins for a while before resetting to the reset password button.

I have tried multiple browsers and devices. I assume this is because I've never logged in to the account and that's why it doesn't want to work. Can anything be done?

7
 
 

modlog link (CW for misogyny and transphobia): https://hexbear.net/modlog?page=1&actionType=All&userId=2019549

sorry to be an armchair admin but noticed this user around today. took a look at their modlog and noticed they have a previous siteban and today had posts removed for overt misogyny and transphobia (the transphobia was a necro of a year-old bookclub thread about Feinberg... bizarre).

anyway, i noticed they've only received a 2-day ban just from the CTH comm. i guess this is in line with the new policies around combating misogyny, but imo this should be a pretty clear cut case for a perma site ban. user from another instance with a previous ban, pops up today and starts posting vile misogyny and seeking out old posts to do transphobia on. why give them a third chance?

8
 
 
9
 
 

Hey sorry if this info is posted somewhere or if this is the wrong place to ask this. I don't have a hexbear account but I pretty much spend all my time here. I told my partner they should sign up for an account on hexbear, and they were just curious how long it takes to be approved 👀

10
 
 

I was joke banned from chapotraphouse comm recently (which was funny and I am not upset about in any capacity) and today I went looking to make a post and realized it wasn't in my feed. Lo and behold the joke temp ban actually unsubbed me from the comm. Easy fix but I didn't notice and it doesn't really tell you.

Anyway if anyone gets joke banned or temp banned from a comm just remember to resub when your ban is up so you can resume lurking and posting. I did not know it worked this way so figured others should know too.

11
 
 

example: selecting "kelly" is a needless chore, because you have to sift through a bunch of kelly emojis to find the one named kelly. similar things happen with "slammer" and several others.

the canonical name of an emoji should always have precedence over keywords in the picker

12
 
 
13
 
 

can anyone else verify

14
 
 

This would fall under all pr is good pr right? Cant click on it and its sooo frustrating

15
 
 

The emoji picker is incredibly slow for me when it comes to previews. Can I cache all the emojis so it becomes useable?

16
 
 

Anyone have suggestions for a good mobile Lemmy app? Or do people generally just use their browser?

I'm using boost right now and its fine except that it shows usernames instead of display names so I can't see anyone's pronouns

17
 
 

Hello users of hexbear, we have started discussions with an admin of lemmy.ca regarding potential refederation. Lemmy.ca had added hexbear to their blocklist about a year ago: https://lemmy.ca/post/3326347

With the recent changes in lemmy features as well as a maturing fediverse the mods/admins of hexbear and lemmy.ca are open to trying again, but before we put lemmy.ca on our allow-list we wanted to open up discussion and voting to the users of hexbear.

This vote will be binding with regard to adding lemmy.ca to our allow-list. In addition, the idea of including sh.itjust.works in this discussion was raised but was voted down by a majority of mods from inclusion.

https://lemmy.ca/c/canada and https://lemmy.ca/c/pcgaming are the instance's top two communities but there are a few other small, niche communities. A community that may be removed from hexbear is the https://lemmy.ca/c/fediverselore so please indicate your opinion on this community if you have one.

As usual please use

dean-smile if you would like lemmy.ca to be added to our allow-list

dean-frown if you would like lemmy.ca to not be added to our allow-list

We will leave this post unlocked for a few days before making the decision, thank you. Users may also use this post for a general discussion on federation including naming instances for federation/defederation or feedback for the hexbear admin/mod team.

18
19
12
submitted 2 months ago* (last edited 2 months ago) by wheresmysurplusvalue@hexbear.net to c/hexbear@hexbear.net
 
 

I noticed while creating a new post that if I provide a Thumbnail URL with an external (not hexbear.net) URL, then the original image gets used when viewing the post. I first noticed it on this post where I added a youtube thumbnail icon (check it in the browser console).

I tried researching if there's a bug for this in upstream Lemmy:

This one seems like it would have fixed it: LemmyNet/lemmy-ui: Update post listing to prefer local image when available

And see also this: LemmyNet/lemmy: Add initial skeleton of image proxy improvements for feedback

Unfortunately I'm not that familiar with the Lemmy codebase, but how possible would it be to proxy+cache thumbnails? I don't quite mean store it permanently in the database, just proxy the source image and cache it for performance reasons. Otherwise, maybe we should disable the thumbnail URL for now until this support is added upstream?

20
 
 

Take for example my banner image. On mobile you can see Isabelline standing at the opening of whatever the fuck that is, looks great. Roughly a 16:9 window, maybe 1.85:

On desktop she is cut out desolate scope asspect ratio looks awful. Mods pls i-spil-my-jice

21
 
 

502 errors, 502 errors everywhere kitty-cri-potato

22
 
 

I understand that the beautiful french Sandy Bridge hexbear server is very busy and hexbear does not want spam. But I gotta post!!!

It's just my inbox hexbear, promise I am not doing spam... I just gotta reply to 40+ messages...

23
 
 

I think it would be really really really really funny

24
 
 

Canvas is starting in 4 days from time of post on the 12th of July. looks like they did it last year, too (see thumbnail).

i can't find any discussion on it on Hexbear, so i'm assuming this hasn't been properly discussed before. i think it would be really cool imo and we could do what was happening on PixelCanvas but w/ more Hexbear stuff ig

25
 
 

It would be like the dunk tank but without rule 8. People don't have to subscribe to it. I will continue not posting to it, but you can feel free to make me a mod. I will be there like an absent father.

Also I don't really know where this post should go, I guess we got rid of the user union at some point.

view more: next ›