Do not.
Embassy of Hexbear on Lemmygrad
Hexbear's Diplomatic Mission to Lemmygrad
With the top bidder literally being peepee, my assumption was that they're just faking, will top every bid and simply don't intend to pay up.
Does the auction site not make you give your card details before bidding? Seems like that should be the minimum.
you can use a burner card with like $1 on it for this purpose
also, how do you know it's "pee pee" when all you can see is "p_p_2933838"? because if you're inferring that from "pp" i could hazard a guess that one of the other bidders has called themselves josif stalin.
what happens then do we think? I'd imagine it might just go down each high bidder in order until one pays up, but still that system is open to abuse (well any system that lets you place bids without sending holding funds)
This p_p_ person is on the chapo site talking about his bid. He's a cryptobro who wants the name because it's similar to his company's name, and he doesn't like his company being associated with "liberals" as he calls us.
How does he think we feel?
i just assumed that was a bit ngl
It absolutely is lol, they're too aware of site memes
> doesn’t like his company being associated with “liberals”
fucking got us lmao
The price will likely impact future renewal rates if I had to guess.
Whoever has been the top bid so far has been tenacious. I wouldn't risk any money I can't afford to lose on this bit however. Better safe than sorry.
Yeah I'm just memeing, but I'm curious how high would they go
What happens if someone else buys it?
They could do a man in the middle attack and set up an identical looking site and use it to scrape login info and IP addresses which would be bad
What could they do with that info? And would they be able to read people's private messages to each other on there?
Emails/users plus passwords can be used for bruteforcing other accounts (usernames and passwords are often reused), or they could hijack your account on chapo.chat (which is the current backup domain for hexbear).
No data has been, or will be, directly compromised by the domain name drama. The admins still have control of the underlying lemmy instance - it's simply pointing to a new name in DNS records (what computers use to map unwieldy IP addresses to friendly webdomain.farts.org type names)
Your DMs and other info are not compromised unless you were to give someone your login info (which is what a MITM attack above would try to do).
Bear (lol) in mind that DMs on activitypub ARE NOT ENCRYPTED. Admins of a lemmy instance can snoop on the DMs of any of their users. Even if HTTPS encrypts data during transit, once it's at the recipient it is no more secure than any public post. Use Signal or PGP-encrypted email if you are sharing any information that you don't want to get snooped or leaked should an admin or malicious attacker access your DMs.
> Emails/users plus passwords can be used for bruteforcing other accounts (usernames and passwords are often reused), or they could hijack your account on chapo.chat (which is the current backup domain for hexbear).
would I have to try to login again for this to happen, or could it happen anyway?
You would have to attempt to log in on a phony website. This domain auction does not give the new owner any access to the data stored on the current lemmy instance hosted underneath it.
It's like selling your house. The new owner may get your address, but they don't get ownership of your furniture.
OK thanks for the info.
It's part of why I don't have any intention to go back, I think. Unless we can have a fully verifiable user who is fully transparent about their ownership with whoever else...that's a genuine risk. You could get more than just I.P and login info especially if anyone uses an email for recovery. If you've completely black-boxed yourself from social media that's a different story I suppose.
Also, total replacement of the admin team sounds reasonable too. On vote, of course.
I’ve used an email for recovery. What happens if I change this email…will the old one still be visible?
Not sure if there are logs for that!
Thanks.
At this point I don't intend to go back to hexbear no matter what it is called. Not because I don't love the people and the site culture but because I can't trust the admin team. I was beginning to consider going back after the "Meta open-floor" discussion but the struggles over transparency and moderation were never really resolved.
This latest event reaffirmed my decision to stay away. The "we fucked up" narrative just doesn't sit well with me. I can't accept that the Admin who originally set up the url just "forgot." You don't break up 2000 comrades' meeting place unless there was some serious bad blood.
I'm pretty upset over the events that led to me deleting my account but even then I'd gladly do more to save hexbear than the little work it would have been to transfer the DNS account... unless I had serious suspicions that the site was a threat to the comrades there.
That's exactly pretty much it. At this point, I straight up don't believe them. Do we have solid proof/evidence that is what actually happened, or did some internal struggle session happen and the "original admin" doesn't wanna talk to anyone anymore?
We won't ever know, but we can make some pretty decent assumptions off the history of the site.
Sadly domain names are a bit archaic in how they are owned and distributed.
I don't know of many systems that allow secure ownership of domains between multiple people in any way that stops a single user going AWOL if they wish. Even establishing an LLC or something to manage the domain doesn't necessarily stop someone transferring the domain or letting it expire out of spite, especially when admins would rather keep (pseudo)anonymous.
Whilst the admins did admit they should've seen the writing on the wall and started the migration earlier, there's no real way for them to force the owner to give up the domain. If anyone is truly at fault, it's the person who sat on hexbear.net and didn't make any attempt to transfer the rights despite knowing they weren't interested in actively managing the domain.
I disagree with total replacement of the admin team. Though I guess I am biased because I was one but stepped down.
If anything this should simply be a teachable moment.
There's never a lack of teachable moments, is there, between the constant struggles and now this? There's a difference I think between a teachable one and a totally and completely preventable one. Agree to disagree, I suppose.
I don't really see how this was a completely preventable issue. The person who owns the domain said they would keep it up, then they didn't.
From what I was told the person was hard to get a hold of. Why didn't anyone start asking questions when that first started occurring?
If you were asking me personally it's because I don't really care. I love the people there but we have weathered worse storms in the past. All the people I care about just hang out in other spaces instead.
There is no worse storm than site admins enabling cyberattacks on comrades... not even close. This isn't "should we stack rocks"
It was preventable in the sense that the admin team probably should not have continued relying on a single point of failure who had already shown themselves to be unreliable and prone to vanishing for extended periods, but I think it's also not really a blameworthy mistake. They assumed good faith in people who had helped to set up the site and pay for the infrastructure, which is understandable. It's a learning opportunity for sure and very preventable in hindsight, but not really anybody's fault I don't think.
Sure, but without a complicated legal entity, "the person who controls the DNS" will always be a single point of failure. Questions maybe should've been asked earlier, and backups put in place, but nothing about the issue was preventable.