this post was submitted on 11 Feb 2025
149 points (98.7% liked)

hexbear

10331 readers
284 users here now

Hexbear Proposals chapo.chat matrix room.

This will be a place for site proposals and discussion before implementation on the site.
Every proposal will also be mirrored into a pinned post on the hexbear community.

Any other ideas for helping to integrate the two spaces are welcome to be commented here or messaged to me directly.

Within Hexbear Proposals you can see the history of all site proposals and react to them, indicating a vote for or against a proposal.

Sending messages will be restricted to verified and active hexbear accounts older than 1 month with their matrix id in their hexbear user profile.

All top level messages within the channel must be a Proposals (idea for changing the site), Feedback (regarding non-technical aspects of the site, for technical please use https://hexbear.net/c/feedback), or Appeals (regarding admin/moderator actions).

Discussion regarding these will be within nested threads under the post.

To gain matrix verification, all you need to do is navigate to my hexbear userprofile and click the send a secure private message including your hexbear username.

founded 4 years ago
MODERATORS
Ryaina@hexbear.net
ella@hexbear.net
CARCOSA@hexbear.net
sweet_pecan@hexbear.net
149
we fucked up (chapo.chat)
submitted 2 days ago* (last edited 2 days ago) by CARCOSA@hexbear.net to c/hexbear@hexbear.net
640 comments fedilink hide all child comments
 

Hello users of hexbear, or shall i say chapo.chat, we fucked up, and i fucked up like three times making this post.

Yes, hexbear.net has expired. Yes, we were aware of this possibility. We have gradually lost contact with the access owner (prior admin) for the domain registration. We attempted to make a migration plan, but we were disarmed by the reappearance of the party in question in September 2024 and repeated assurances that they would a) transfer credentials and b) continue payments until they were able to do the former.

We accept full responsibility for this. We should have been more aggressive about this and continued our alternative despite these reassurances. This is our fuck up, and we can't offer anything besides our continued apologies and our plan of action going forward and an explanation of what happened:

Over the time of chapo.chat and hexbear.net the admins that purchased the domain, established the donation accounts, and the server accounts have left. One of the primary admins has gone inactive and returned many times, over a year ago some of the newer admins began asking the older admins to give full access to the domain, servers, and donations. These requests were not met, despite warnings of this exact event.

At the moment we do not have access to hexbear.net and there is a strong chance we will not get it back without participating in the auction, which is already over $300. Choosing to abandon the hexbear.net domain will cause federation problems and considerable technical issues which would lead to potential extended downtime.

During this downtime we would be reestablishing access to the new domain (or hexbear.net if we win the auction), access to server ownership, and donation accounts. This would be distributed among a number of admins so that we can prevent this from happening again.

Chapo.chat has the same access problem that led to the current state of hexbear.net so it is to be considered temporary.

I will do my best to answer questions

you are viewing a single comment's thread
view the rest of the comments
[–] piggy@hexbear.net 5 points 2 days ago* (last edited 2 days ago) (1 children)

This is pretty easy to work around:

  1. Host a core file on hexbear.net itself in a magical secret directory and turn off directory access.
  2. When creating the database there's a screen that asks "How long do you want to wait to decrypt" set that to the maximum.
  3. Make a really long password that's easy to remember for example a stanza from a song.
  4. Add a Keyfile to distribute only to admins.

It's hard to collect all this data.

Even if you find the database you won't crack it in this lifetime.

Even if you find the database and know the password you need the key file.

Even if you find the database and have a keyfile you need the password.

Ideally this data shouldn't change, in practice try to find hosts like AWS that allow you to set up orgs and link accounts and only hold the "root account" details in the database.

[–] Sphere@hexbear.net 8 points 2 days ago (1 children)

Stanza from a song is a bad idea, shit like that got cracked when people used such text for so-called Bitcoin "brain wallets" like a decade ago, and hardware is a lot faster now. Passwords/passphrases absolutely must be randomly generated to be truly secure.

[–] piggy@hexbear.net 5 points 2 days ago* (last edited 2 days ago)

It's formatting should be unique enough that it won't match a rainbow table sure, but overall that's not a hard problem. You just need a small salt. Key file also works as the salt in this case