For those not familiar, there are numerous messages containing images being repeatedly spammed to many Threadiverse users talking about a Polish girl named “Nicole”. This has been ongoing for some time now.
Lemmy permits external inline image references to be embedded in messages. This means that if a unique image URL or set of image URLs are sent to each user, it’s possible to log the IP addresses that fetch these images; by analyzing the log, one can determine the IP address that a user has.
In some earlier discussion, someone had claimed that local lemmy instances cache these on their local pict-rs instance and rewrite messages to reference the local image.
It does appear that there is a closed issue on the lemmy issue tracker referencing such a deanonymization attack:
https://github.com/LemmyNet/lemmy/issues/1036
I had not looked into these earlier, but it looks like such rewriting and caching intending to avoid this attack is not occurring, at least on my home instance. I hadn’t looked until the most-recent message, but the image embedded here is indeed remote:
https://lemmy.doesnotexist.club/pictrs/image/323899d9-79dd-4670-8cf9-f6d008c37e79.png
I haven’t stored and looked through a list of these, but as I recall, the user sending them is bouncing around different instances. They certainly are not using the same hostname for their lemmy instance as the pict-rs instance; this message was sent from nicole92 on lemmy.latinlok.com, though the image is hosted on lemmy.doesnotexist.club. I don’t know whether they are moving around where the pict-rs instance is located from message to message. If not, it might be possible to block the pict-rs instance in your browser. That will only be a temporary fix, since I see no reason that they couldn’t also be moving the hostname on the pict-rs instance.
Another mitigation would be to route one’s client software or browser through a VPN.
I don’t know if there are admins working on addressing the issue; I’d assume so, but I wanted to at least mention that there might be privacy implications to other users.
In any event, regardless of whether the “Nicole” spammer is aiming to deanonymize users, as things stand, it does appear that someone could do so.
My own take is that the best fix here on the lemmy-and-other-Threadiverse-software-side would be to disable inline images in messages. Someone who wants to reference an image can always link to an external image in a messages, and permit a user to click through. But if remote inline image references can be used, there’s no great way to prevent a user’s IP address from being exposed.
If anyone has other suggestions to mitigate this (maybe a Greasemonkey snippet to require a click to load inline images as a patch for the lemmy Web UI?), I’m all ears.
Who disapproves of condoms? Y’all out here raw dogging the internet like damn fools
IP addresses are fairly worthless
It doesn’t provide much information since your IP address is probably not static. It rotates and thanks to NAT it is probably shared.
That’s only true for a subset of people, possibly a very small one. My IP stays for months at a time.
I mean, it (hopefully) shouldn’t let someone compromise a system remotely, but:
-
For those of you who have used IRC networks that didn’t mask IP addresses, people getting in flamewars proceeding to then DDoSing each other is a fundamental issue. If someone wants to do something at low latency, like play real-time video games, this is a particularly obnoxious way to disrupt them.
-
IP addresses can often be correlated across databases, even by random members of the public. I remember someone running another bot that would map IP addresses to BitTorrent downloads, for example.
End of the day, the Lemmy security model is “someone can see the username you choose to expose, but not IP address”. If the IP address is intended to be exposed, then might as well just stick it right next to the username. If it isn’t, then one shouldn’t let users be able to trivially-obtain it by pulling a direct-message stunt.
You as a user can not just DDoS someone. Modern connections a way faster and modern network hardware with drop packets that are taking up to much bandwidth. You are also behind a firewall and probaby a NAT which will drop random incoming packets.
The modern internet is full of bots scanning. If that doesn’t destroy your connection chances are some random internet person can’t either.
If you have a 50mb/s connection, surely someone sending you 100mbs of data would fill your line? The firewall is on your router, so the line to it would be maxed?
You as a user can not just DDoS someone. Modern connections a way faster and modern network hardware with drop packets that are taking up to much bandwidth.
You know, I thought about responding to this point by point, but I just don’t have the energy.
I’ll just say that I don’t agree, and I think that if you want to go looking, you’ll find that this certainly is not the case.
in my understanding, there was enough overlap between uBlock Origin and uMatrix that the developer didn’t want/felt it wasn’t worth to continue maintaining both.
I’m not too expert on both extensions, but maybe the functionality difference can be covered by NoScript or by using uBlock Origin with LibreWolf or some other combination.
On my instance (.ml) all of the images are fetched through the image proxy.
What version of lemmy is your instance running?
We used to do this on the EVE online forums until CCP caught on and banned inline images.
We were using the IPs and post times to identify accounts, then checking IPs that connected to our VOIP servers so we could identify spies and either remove them or feed them false intel.
Basic counter-intel work and all for a video game heh.
This sounds super cool and interesting, is there like a wiki I can read up about that stuff??