• Not_mikey@lemmy.dbzer0.com
    7 upvotes · edited 2 hours ago

    I know this is how the fediverse works, and how it has to work. But maybe we shouldn’t be advertising this tool right now when the right is trying to dox people and get them fired/deported for liking a kirk meme.

  • cmgvd3lw@discuss.tchncs.de
    23 upvotes, 4 downvotes · 9 hours ago

    That is really concerning. ActivityPub should have a mechanism to hide those. If by any chance, one’s identity is reviled, their entire behaviour history would be out in the wild. The more one uses an account, the more information is getting shared. Social engineering is a real thing.

    The only way is to be absolutely private by not interacting (lurkers), which is not good for a social media like Lemmy, or by changing accounts often.

    • Croquette@sh.itjust.works
      15 upvotes, 3 downvotes · 7 hours ago

      No we shouldn’t. Anyone can create an instance and scrape whatever data.

      Assume that all the posts and comments you make are public and linked to your real identity and don’t say things you wouldn’t say in person.

      It’s a pretty simple concept.

    • carrylex@lemmy.world
      13 upvotes, 1 downvote · edited 7 hours ago

      Oh god this discussion again… We totally haven’t had this before:

      > That is really concerning

      > The only way is to be absolutely private by not interacting…

      I don’t know if this is news to you but this is not a lemmy specific problem and basically applies to the entire internet…

    • Mniot@programming.dev
      English · 2 upvotes, 1 downvote · 5 hours ago

      > If by any chance, one’s identity is reviled, their entire behaviour history would be out in the wild.

      So close to a sweet meter. What do you think of

      “If, by some chance, one’s handle’s reviled / their foul history would be out in the wild.”

      ? It’s not perfect. Probably just a little more work-shopping.

    • tal@lemmy.today
      English · 2 upvotes, 1 downvote · edited 5 hours ago

      > identity is reviled [I assume revealed]

      The fact that most instances permit external image hosting permits obtaining user IP addresses by posting inline images hosted on a server created by an attacker, then harvesting IPs there. I noticed when going through the code that Lemmy, as of 0.19.4, has an option to protect users of a home instance by proxying images viewed there. However, it requires bandwidth and disk space, and I don’t think that many home instances have it on. It is definitely not on on my own home instance, lemmy.today.

      0.19.4 release announcement:

      > Image Proxying
      >
      > There is a new config option called image_mode which provides a way to proxy external image links through the local instance. This prevents deanonymization attacks where an attacker uploads an image to his own server, embeds it in a Lemmy post and watches the IPs which load the image.
      >
      > Instead if image_mode is set to ProxyAllImages, image urls are rewritten to be proxied through /api/v3/image_proxy. This can also improve performance and avoid overloading other websites. The setting works by rewriting links in new posts, comments and other places when they are inserted in the database. This means the setting has no effect on posts created before the setting was activated. And after disabling the setting, existing images will continue to be proxied. It should also be considered experimental.
      >
      > Many thanks to @asonix for adding this functionality to pict-rs v0.5.

      I don’t know whether PieFed and Mbin presently have comparable functionality.

      One major issue is that proxying the images will create more bandwidth usage on a home node, since they’re serving up all the images viewed by users of that home node, as well as disk space to store the proxied images — it’s more-expensive to run a node in that mode.

      Unless your home instance has this option enabled, you should probably consider your IP address to be globally-visible. Note that using a VPN will mean that only the VPN’s exit node IP will be visible.
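
Added example, not part of the comment above and not Lemmy's own code: a sketch of the link rewriting that the quoted release announcement describes for ProxyAllImages, showing which hosts a reader's client contacts before and after. The instance name `lemmy.example`, the host `tracker.example`, the function names and the `url` query parameter are assumptions made for illustration.

```python
import re
from urllib.parse import quote, urlsplit

LOCAL_HOST = "lemmy.example"        # hypothetical home instance
PROXY_PATH = "/api/v3/image_proxy"  # path named in the release announcement

# Markdown inline image: ![alt](url "optional title")
IMAGE_RE = re.compile(r'(!\[[^\]]*\]\()\s*(\S+?)(\s+"[^"]*")?\s*(\))')


def proxy_url(url):
    """Return the URL a reader's client should load instead of `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url  # relative link, already served by the home instance
    if (parts.hostname or "").lower() == LOCAL_HOST:
        return url  # local upload or an already-proxied link
    # Assumption: the original address travels in a `url` query parameter.
    return f"https://{LOCAL_HOST}{PROXY_PATH}?url={quote(url, safe='')}"


def rewrite_images(markdown):
    """Rewrite every remote inline image so it loads via the home instance."""
    def repl(m):
        return m.group(1) + proxy_url(m.group(2)) + (m.group(3) or "") + m.group(4)
    return IMAGE_RE.sub(repl, markdown)


def hosts_contacted(markdown):
    """Hosts that see the reader's IP address when the images are rendered."""
    urls = (m.group(2) for m in IMAGE_RE.finditer(markdown))
    return {(urlsplit(u).hostname or LOCAL_HOST).lower() for u in urls}


# Constructed sample comment: one remote image, one local upload.
SAMPLE = (
    "Nice photo ![cat](https://tracker.example/p.png?id=42) next to "
    '![logo](https://lemmy.example/pictrs/image/abc.png "our logo")'
)

if __name__ == "__main__":
    print(sorted(hosts_contacted(SAMPLE)))
    print(rewrite_images(SAMPLE))
    print(sorted(hosts_contacted(rewrite_images(SAMPLE))))
```

After rewriting, only the home instance appears in the set of contacted hosts; the remote server sees the instance's address instead of the reader's, which is also where the extra bandwidth and storage cost mentioned above comes from.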

    • Azzu@lemmy.dbzer0.com
      44 upvotes · 10 hours ago

      Except the ability to register an account without any personal details. Which makes it completely private if you want.

        • Swedneck@discuss.tchncs.de
          3 upvotes · edited 3 hours ago

          you should also always assume a sufficiently willing person can find your identity, don’t post anything sensitive online, don’t post anything that would encourage those with resources to find your identity, and if you’re e.g. a politician then only post online to explicitly non-anonymous accounts. If you have a protected identity/location/that stuff, just don’t post online at all.

  • Pissmidget@lemmy.world
    50 upvotes · edited 13 hours ago

    I get really surprised going through my up- and downvotes. Seems sausage fingers and mobile app leads to interesting votes sprinkled in with the ones I’ve actually voted for.

    Pretty neat layer of obfuscation, though I can’t imagine being interesting or infuriating enough for anyone to go through my voting history.

    If it were to happen, I hope it’s because of some shitpost of epic proportions.

    • credo@lemmy.world
      5 upvotes · 9 hours ago

      There was another instance that revealed all the data by post/comment. Far more useful to see if a post is getting brigaded, etc, or to see maybe if you have a weirdo stalker.

      I just can’t remember what the instance was.

    • Carrolade@lemmy.world
      English · 4 upvotes · 10 hours ago

      Yeah, every once in awhile I check my starred pages just to see what random things got fat fingered onto it. It’s mildly amusing.

    • SatyrSack@quokk.au
      English · 2 upvotes · 5 hours ago

      Is it known what Lemmy instance is actually running that site? Even if it were widely known and most instances decided to defederate from it, Lemvotes is open source software that is made to be self-hosted. Anyone could revive the website by running their own instance.

      https://github.com/gragorther/votes

      • Rimu@piefed.social
        English · 2 upvotes · 1 hour ago

        Yes.

        gregtech.eu is the instance.

        piefed.social has defederated from it so any community on piefed.social will not be broadcasting votes cast within it to lemvotes.

  • Substance_P@lemmy.world
    English · 36 upvotes, 1 downvote · 13 hours ago

    Seems like a fantastic stalking tool for anyone looking to check if you have been a model of social media purity. I’d be shocked if it got used to find derisive upvotes by authorities looking to screen individuals for political reasons. But hey, call me paranoid.

    • Azzu@lemmy.dbzer0.com
      17 upvotes · edited 10 hours ago

      If you’re really worried about that, there’s no reason why you need to have your private details associated to your account. You can even have a “clean” main account for show and a “real” secondary account.

      Your votes being public is only a problem if your account can be associated with you.

      • sad_detective_man@sopuli.xyz
        English · 3 upvotes · 7 hours ago

        I just had a realization. A lot of content on the fediverse that we interact with is region specific. A user could have no identifying info in their comments or profile but still get doxxed because they upvoted a post associated with things like their job, their home state, places they frequent, medical conditions.

        Do you suppose this got posted today because there is a doxxing project happening right now on 4chan?

        • YellaLeber@sh.itjust.works
          4 upvotes · 7 hours ago

          I have no doubt it’s incredibly easy to dox someone from upvotes alone. Maybe not on lemmy because interactions are just a lot more infrequent, but on reddit if you upvote posts about Omaha Nebraska, retro game collecting, Subaru wrx, and e bikes, you really narrow down your choice of people. If you just had one other bit of information about the user, like just a general photo or where they went to high school you could definitely nail someone down.

          I really do hate this part of the Lemmyverse and wish it was all obfuscated. That with it being impossible to delete your posts really limits how much I want to interact with the site.

          • tal@lemmy.today
            English · 1 upvote · 1 hour ago

            What could be done to limit the amount of information associated with a username is to switch to a new account periodically.

            That’s somewhat unfortunate in that it clashes with reputation, which is also important for making the Threadiverse work.

          • Azzu@lemmy.dbzer0.com
            2 upvotes · 6 hours ago

            This doesn’t really make sense. What you say is only identifying if you already have this information about someone. If you already do have all this info about someone, what else do you need?

          • sad_detective_man@sopuli.xyz
            English · 1 upvote · 7 hours ago

            That is pretty dark. I was hoping the admin would take people’s safety a little more seriously but I guess it’s going to be on us to make sure word gets around a lot more

            • wizardbeard@lemmy.dbzer0.com
              English · 3 upvotes · 6 hours ago

              This is a foundational restriction with how federation works and was discussed back during the exodus from reddit when they cut off their API. Votes can’t be federated without identity attached, or you’d end up with a single vote multiplied by however many instances federated it to yours.

              This is the price of the fediverse being uncensorable. Everything you do on it is public, and nothing can be reliably deleted from the entire fediverse.

              There were some efforts to obfuscate voting by one of the m/kbin lemmy alternatives, to have each account have an associated hidden account with a randomly generated name that would technically be the account used for voting, so only the admin of your own instance could connect between your public account identity and your voting identity, but that could also just be defeated by basic pattern identification.

              As far as instance admins are concerned, this has been known from the start, and is completely outside of their control. That said, it could definitely use some more signposting for awareness. It’s shocking how often this entire discussion gets repeated by people who apparently never thought to look into how federation actually works.

              • sad_detective_man@sopuli.xyz
                English · 1 upvote · 6 hours ago

                You’re right. I’m pretty sure now that I may have even asked this all before but lost it because I have goldfish memory.

    • hector@lemmy.today
      5 upvotes · 7 hours ago

      I just joined but lemmy does not seem to have a running Karma total attached to each user right? Or is that just this instance that does not have that?

      • compostgoblin@piefed.blahaj.zone
        English · 6 upvotes · edited 7 hours ago

        AFAIK, you are correct, Lemmy does not have karma. Piefed has some sort of karma/reputation by account, but I think it’s geared more toward easing moderation than providing a status symbol

      • Tattorack@lemmy.world
        2 upvotes · 7 hours ago

        It doesn’t, which is refreshing. A lot of personal ego and insecurity is tied to those that care about how many upvotes they have.

        My concern is that something like OP posted just brings that crap over here, albeit not in an integrated fashion.