This may look like a weird question btw.

I see constantly people here worried about digital security, I see people using Tor, deleting social networks, and just sharing the different levels of security that they use.

So I was wondering, how safe is Lemmy? Sure, it doesn’t collect info like Twitter and Meta do, but that doesn’t mean it’s 100% safe. So what are the main problems we can have here? Is there anything the 3 letter agencies could exploit? Are there any preventive measures users could take?

  • @pinkeston
    21
    edit-2
    2 years ago

    So lemmygrad.ml is registered by somebody in the Netherlands while the server is hosted in Switzerland. Both of these countries are Western aligned so it should not be a big problem for the NSA to gain access if they really wanted to. If they get access to the server or the ISP serving it, then they can approximate your location and find out what ISP you’re using

    And if they get access to your ISP then they can find out everything about you since you registered with an ID

    If you’re in the USA, they 100% have near free access to your ISP. Everything you’ve ever done online has been logged in Utah and replicated multiple times across the entire country

    If you’re in the 5 Eyes they probably have a high degree of access through legal spying which they can then send to your country’s authorities

    If you’ve ever had any activity on any online communist space raw (no trusted VPN, no Tor), there’s a very high chance that all of that activity has been recorded on a database with backups and then replicated across multiple data centers in different regions, countries, or even continents

    If that online space is any modern American website, there is a 100% chance of this happening

    • @CriticalResist8A
      6
      2 years ago

      To explain some of that, we wanted to move the hosting to a non-5 eyes country, but also needed a host that could deliver infrastructure as well as DDoS protection and, if possible, privacy guarantees (that they won’t delete your hosting because you say stuff they don’t like). This Swiss host is the one we eventually found that fit everything, you can read more about them here: https://swissmade.host/en/.

      We would have moved the hosting to China to be completely safe but it was unfeasible at the time (need someone to speak Chinese and be able to make payments there which can be difficult).

        • @CriticalResist8A
          5
          2 years ago

          Probably, yeah, but I think we have a one year contract with the current host and we made the switch not long ago, like two months or so. @muad_dibber@lemmygrad.ml took care of it at the time so he can help you more than I with the technical stuff.

          • Muad'DibberA
            2
            2 years ago

            We could switch at any time, but this host is fine for now. If we start getting some warnings from them for being too communist, then it’ll be time to find another host.

    • nixfreak
      2
      2 years ago

      If you’re worried about the alphabet orgs, only use 2048-bit encryption or higher, meaning only use RSA/ECC for all communications. The alphabet orgs don’t care about forums like this because it is a low threat level.

        • nixfreak
          2
          2 years ago

          Yes, you can read about that with NIST also. There was an ECC algorithm that looked pretty deliberate (Dual_EC_DRBG). Shor’s theorem uses quantum computing; we don’t have that yet. Also there are post-quantum algorithms getting decided by NIST. No, the NSA can’t break RSA or ECC curves unless the key itself is too small or the RNG or PRNG was tampered with. Also PGP/GPG is safe, alphabets can’t crack or bruteforce these. Just use anything over 2048 bit and make sure you have a long “passphrase”, not password, encrypted private key. Also for ECC check your curves: https://safecurves.cr.yp.to/. I am a crypto guy and alphabet doesn’t have enough computing power to bruteforce these keys.

  • Breadbeard
    18
    edit-2
    2 years ago

    not much, 5eyes hold your ISPs hostage via monopolisation and vertical integration. and the DARPA corps. (Fashbook, Spamazon and Microshaft, Horroracle, STD, …) are all united in this human centipede of a nazi corporate hegemony.

    also, the pigs are IMSI catching you with no warrants, because they can…

      • Breadbeard
        11
        edit-2
        2 years ago

        corporations founded on the basis of or influenced by military intelligence and research acquired through Project Paperclip and its follow ups, usually either created in black sites (CONDOR Dictatorships f.e.) during f.e. MKULTRA but also university information technology research inspired (Bill Gates …) and based upon concentration camp management and the calculation and database machines developed for this. later developments and strands of these ideas can be found at f.e. the old data center headquarter of the pre-pinochet Allende government, heavily influenced by f.e. Bear Sterns… during this time, a predecessor and foundational network of the internet and ARPA is already running. CONDORTEL. used to send down kill lists and information back and forth between condor nazi governments in the south, their cartels and the secret services in the west. nodes were f.e. COLONIA DIGNIDAD, HARVARD/PRINCETON (Milton Friedman’s departments), the german BND… and many many others.

        basically all the corporations that are based on the industrial and intellectual loot of the 3rd Reich and what blossomed from it in secret gardens of the US empire.

        f.e. Microsoft, Google, facebook, Amazon, Oracle, SAP, Siemens, Monsanto… but these are just the most known ones, the list is endless

          • Breadbeard
            10
            2 years ago

            well, then you are right on track! because that book is high in my charts of useful information more people should understand to even get a grasp of why things are happening in such a cataclysmic and psychologically driven way and why no-one seems to be responsible. chaos theorists and jungian morons are being presented to explain away the context and responsibility. but everyone who knows human organisation and clandestine operations just a little, knows that this is not the case. actions have consequences. a group of wizard’s apprentices once cast a spell and now the water is rising. in order to stop the flood, we must remove the source again. the wizard’s apprentices will have to meet their master again…

              • Breadbeard
                7
                edit-2
                2 years ago

                just look at Jordan Peterson, who explains away the context and continuity of colonial abuse throughout today’s classist and system inherently racist societies in the so called “west”. Classic Jungian Narcissist. and i guess certain thinktanks are spreading this jungian esoteric fascism everywhere like chocolate cream on your toast, because it reduces the effects of economy to your individual level. and just looking at his bullshit graphs in his first book (drivel…) reminds me of the romantic esoteric theosophy circles around f.e. Lanz v. Liebenfels and Helen Blavatsky. mysticist circles trying to rasputinize rich oligarchs and their wives of the ruling class…

    • AgreeableLandscape☭
      4
      2 years ago

      I really feel like we would benefit from a socialist Lemmy instance hosted in China and/or Vietnam. Maybe even moving Lemmygrad there or mirroring it there?

      • Breadbeard
        1
        edit-2
        2 years ago

        until it is not a peer2peer driven server network of individual server nodes mirroring each other in symphony and ratchet encrypting the content on a blockchain via its own encryption certificate and protocol (which is where you will find the lawful hurdles…) which would have to be handed out initially on SD cards in order to be mirrored on the server hardware… it won’t and can’t ever be safe from the main issues. the privatized 5eyes security centers we call “the deep state”

        until a certain starting majority of users have not been PERSONALLY handed keys & preset server images early in the distribution & start of a given platform, tampering is always a problem.

        back 2 years ago, everyone interested could have bought a raspberry for cheap, put a sd card with said server node into it and from there on a decent degree of security could have been provided. i saw people suggesting different methods, but the modern left is too outrage driven and topical to think in long term strategic goals it seems.

        the other thing is user acquisition and vetting. you can’t just allow anyone, you need a database of recommendations and a relationship management system (potentially observing other platforms and training an AI network to compare account behaviours & language patterns) to find the snitches, moles & traitors coming from other platforms and trying to infiltrate, doxx, harass, etc.

    • @pinkeston
      15
      edit-2
      2 years ago

      Crash course would just be to use https://tails.boum.org/, always lock your computer when you step away, and shut it down completely when not in use, preferably with batteries taken out

      There’s a bit more you can do but it’s kinda overkill for normal people

      • @nervvves
        15
        edit-2
        8 months ago

        deleted by creator

        • Arsen6331 ☭
          11
          2 years ago

          You can certainly go even further. If it doesn’t exist already, it wouldn’t be hard to make a program that shows up every few minutes regardless of activity, and forces you to enter a password. If the password is not provided within a set timeframe, the machine is halted immediately.

          If you do this and also disable suspend/hibernate, which isn’t hard to do, then even if they get your computer while TAILS is running, they will only have access until the timeframe you set up passes.

          It would even be quite easy to have a false password that immediately halts the machine if entered, in case they decide to force you to tell them.
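The periodic re-authentication check Arsen6331 sketches above, written out as an added example (this is not code from the thread or from any existing tool): a watchdog that challenges the user every few minutes, halts if nothing is typed before the deadline, and treats a duress passphrase exactly like a timeout. The class and function names, the scrypt parameters and the default interval and timeout values are assumptions made for this illustration.

```python
"""Added example, not code from the thread: the periodic re-authentication
watchdog Arsen6331 describes (prompt every few minutes, halt on timeout,
halt at once on a duress passphrase). Class and function names, the
scrypt parameters and the default interval/timeout are assumptions."""
import hashlib
import hmac
import os
import select
import sys
import time
from enum import Enum


class Verdict(Enum):
    CONTINUE = "continue"  # correct passphrase typed in time
    RETRY = "retry"        # wrong passphrase, deadline not yet reached
    HALT = "halt"          # silence past the deadline, or the duress passphrase


def derive(passphrase: str, salt: bytes) -> bytes:
    # Keep a slow verifier in memory, not the passphrase or a fast hash of it.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class Watchdog:
    def __init__(self, passphrase, duress_passphrase, interval_s=300, timeout_s=30):
        self.salt = os.urandom(16)
        self.verifier = derive(passphrase, self.salt)
        self.duress = derive(duress_passphrase, self.salt)
        self.interval_s = interval_s  # seconds between challenges
        self.timeout_s = timeout_s    # seconds allowed to answer one challenge

    def judge(self, response):
        """Classify one typed response; None means nothing was typed in time."""
        if response is None:
            return Verdict.HALT
        got = derive(response, self.salt)
        # The duress phrase gets exactly the same outcome as a timeout, so
        # nothing distinguishes the two cases to someone watching the screen.
        if hmac.compare_digest(got, self.duress):
            return Verdict.HALT
        if hmac.compare_digest(got, self.verifier):
            return Verdict.CONTINUE
        return Verdict.RETRY

    def challenge(self, read_line, clock=time.monotonic):
        """Run one challenge round. read_line(seconds) returns the typed text,
        or None if nothing arrived within that many seconds."""
        deadline = clock() + self.timeout_s
        while True:
            remaining = deadline - clock()
            if remaining <= 0:
                return Verdict.HALT
            verdict = self.judge(read_line(remaining))
            if verdict is not Verdict.RETRY:
                return verdict


def read_stdin_line(seconds):
    """Blocking read from the terminal with a timeout (POSIX select on stdin)."""
    ready, _, _ = select.select([sys.stdin], [], [], seconds)
    if not ready:
        return None
    return sys.stdin.readline().rstrip("\n")


def halt_machine():
    # Stand-in for the real action; a deployment would run the system's
    # power-off command here (for example `systemctl poweroff` on systemd).
    print("halting")


if __name__ == "__main__":
    # Passphrases here are constructed placeholders.
    wd = Watchdog("correct horse battery", "the other one", interval_s=10, timeout_s=15)
    while True:
        time.sleep(wd.interval_s)
        print(f"re-authenticate within {wd.timeout_s}s: ", end="", flush=True)
        if wd.challenge(read_stdin_line) is Verdict.HALT:
            halt_machine()
            break
```

`challenge` takes the reader and the clock as parameters so the decision logic can be exercised without a terminal; in a real deployment the process has to run as a service that suspend and hibernate cannot pause, which is the other half of the suggestion above.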

  • Muad'DibberA
    15
    2 years ago

    The main preventive measure since this is a public website: don’t give out any identifying personal info: name, where you live specifically, links to other accounts, etc.

  • No matter where a server is located, if you care about keeping your identity hidden, at least use Tor Browser (in a new session, without browser customizations such as new add-ons). If it’s really important, use TAILS. Best to avoid using a proprietary OS (including stock Android).

    Also worth mentioning that requests to external websites are still made when embedding an external image with Markdown
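The image leak mentioned above, as an added example that is not Lemmy’s code: a scanner that finds externally hosted images in a Markdown post (each of which makes the reader’s browser contact that host) and rewrites them through an instance-side proxy path so the third-party host only ever sees the instance. The proxy path, the set of “own” hosts and the sample Markdown are constructed for this illustration.

```python
"""Added example, not Lemmy's code: find externally hosted images in
Markdown (each one makes the reader's browser contact that host) and
rewrite them to an instance-side proxy path. The proxy path, the host set
and the sample Markdown are constructed for this illustration."""
import re
from urllib.parse import quote, urlparse

# Markdown image syntax: ![alt](url "optional title")
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(\s*(\S+?)(\s+"[^"]*")?\s*\)')


def _host(url):
    return (urlparse(url).hostname or "").lower()


def external_image_urls(markdown, own_hosts):
    """Image URLs whose host is not one of the instance's own hosts.
    Relative URLs have no host and are treated as local."""
    own = {h.lower() for h in own_hosts}
    return [m.group(2) for m in IMAGE_RE.finditer(markdown)
            if _host(m.group(2)) and _host(m.group(2)) not in own]


def proxy_external_images(markdown, own_hosts, proxy_path="/proxy?url="):
    """Rewrite external image URLs so the fetch goes through the instance
    instead of straight from the reader's browser to the third-party host."""
    own = {h.lower() for h in own_hosts}

    def repl(m):
        alt, url, title = m.group(1), m.group(2), m.group(3) or ""
        if _host(url) and _host(url) not in own:
            url = proxy_path + quote(url, safe="")
        return f"![{alt}]({url}{title})"

    return IMAGE_RE.sub(repl, markdown)


# Constructed sample post: one instance-hosted image, one third-party image,
# one relative path.
SAMPLE_MD = (
    "look at this ![pic](https://lemmygrad.ml/pictrs/image/abc.png) and this "
    '![pixel](https://tracker.example/1x1.png "tracking") and ![rel](/img/a.png)'
)

if __name__ == "__main__":
    print(external_image_urls(SAMPLE_MD, {"lemmygrad.ml"}))
    print(proxy_external_images(SAMPLE_MD, {"lemmygrad.ml"}))
```

Running the scanner on your own draft before posting tells you which hosts your readers would be sent to; running the rewrite server-side is the instance-level fix, at the cost of the instance fetching the image itself.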

      • For a phone or tablet? Unless there’s a Linux distribution that supports your phone, AFAICT, the only real option would be a variant of Android with minimal proprietary software (usually just drivers and other low-level code, unless you need Google Play services) like GrapheneOS or CalyxOS (or, for wider device support, LineageOS). It depends on the phone model.

        Otherwise, a Linux distribution or one of the BSDs.

        • nixfreak
          7
          2 years ago

          If you really want to do it right you need to create a new identity on the “net”. Don’t ever reuse that username, don’t ever use your original email address to create a new identity. Use Tor without any JavaScript, or just use I2P. Get rid of your smartphone and get an old Android or BlackBerry phone and root it. Don’t use Google Play or any other corporate “mobile stores”.

          On your PC only use Linux or Free/OpenBSD. Run your router through a Tor proxy for every connection. Only use virtual machines for your OSes. Use Proxmox or XenServer, or just KVM (kernel virtual machine) as your host machine and use ZFS encryption or LUKS. Hide the private key for your host system in an encrypted container, then transfer to an encrypted USB and put into “cold store”. Again, shut up about who you are online. Use trash email addresses to sign up for stuff… again, never use the same email address. You can use tormail to contact the “outside”, sometimes called “clear net”. Use good opsec. - 2 cents, systems security engineer.

          • @holdengreen
            2
            2 years ago

            Use diceware for root keys. https://diceware.dmuth.org/ is a nice demonstration but you should use physical dice.

            If you are on a mobile machine then isn’t it inconvenient to have to use a specially configured router? What do you do?
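The diceware procedure holdengreen recommends, done offline, as an added example (not code from the thread or from the linked site): five d6 rolls form a key, the key selects a word from a list, and the entropy of the result follows from the list size alone. The word list excerpt is constructed in the standard five-digit-key format (a real list has 6^5 = 7776 lines), the function names are assumptions, and `secrets.randbelow` stands in for the physical dice you should actually use.

```python
"""Added example, not from the thread: the diceware procedure holdengreen
points to, done offline. The word list excerpt below is constructed in the
standard five-digit-key format (a real list has 6^5 = 7776 lines); the
function names are assumptions, and secrets.randbelow stands in for dice."""
import math
import secrets

# Constructed excerpt; a real list covers every key from 11111 to 66666.
SAMPLE_LIST = """\
11111\ta
11112\ta&p
11113\ta's
11114\taa
11115\taaa
11116\taaaa
11121\taab
"""

LIST_SIZE = 6 ** 5  # 7776 keys in a full diceware list


def validate_key(key):
    """A key is exactly five dice faces, each 1..6."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not five dice values: {key!r}")
    return key


def parse_wordlist(text):
    """Parse 'key<tab>word' lines, rejecting keys that are not five dice values."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        table[validate_key(key)] = word.strip()
    return table


def roll_key():
    """Five d6 rolls as a key string. secrets is the stand-in here; with
    physical dice, read the five faces and pass the digits to validate_key."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(table, keys):
    """Join the words for the given keys; a KeyError means the list is incomplete."""
    return " ".join(table[validate_key(k)] for k in keys)


def entropy_bits(n_words, list_size=LIST_SIZE):
    # Each word drawn uniformly from the list adds log2(list_size) bits.
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    # Keys as they would be read off physical dice; only keys in the excerpt resolve here.
    print(passphrase(table, ["11111", "11121", "11114"]))
    print(f"{words_needed(80)} words for 80 bits; 6 words give {entropy_bits(6):.1f} bits")
    print("random key:", roll_key())
```

The entropy arithmetic is the part worth internalizing: the strength comes from the number of words and the list size, not from the words looking random, so a list you trust and a fair source of rolls are the only two things that matter.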

            • nixfreak
              2
              2 years ago

              I guess I don’t understand the context. Let me ask, are you asking what you do if you’re using a mobile device and don’t have access to a router?

              • @holdengreen
                2
                2 years ago

                I’m saying let’s say your device is already configured to run Tor. But then you go out somewhere and want to connect to the wifi of a business or relative whose router you don’t own.

                • nixfreak
                  3
                  edit-2
                  2 years ago

                  Ok, so there is a really cool product called Tailscale: https://tailscale.com/. This is amazing; basically you can install this on any computer or server and mobile device. It is a p2p VPN. Real quick example: I install this on my home server, right, then I install another client on a mobile device like a phone. I can now connect to my server’s IP address. I have this setup also.

          • For Android variants? If there’s a build for your device, no, it’s usually easy. You need to install some Android tools (usually just adb and fastboot) to your PC and follow some instructions. What phone/tablet would you be using?

              • Hm. Unfortunately, I can’t find anything for the M10; it’s likely one of Samsung’s less popular models.

                Do you have a laptop/desktop? If so, you could install a Linux/BSD distribution, or run TAILS from a USB drive. If the M10 is your only option, the best recommendation I can make would be to use the Android version of Tor Browser and only use Lemmy through that, or to install Orbot to route your Lemmy client through Tor.

          • nixfreak
            3
            2 years ago

            You don’t even need to learn how to program to have good opsec. It doesn’t hurt though to know programming in general. The main reason people get caught is because they can’t keep their mouth shut.

          • Breadbeard
            2
            2 years ago

            main problem afaik is getting the unlock/root key to your phone these days. most manufacturers will not give it out anymore

    • lemmygrabber
      14
      2 years ago

      This got me curious so I looked. In Firefox it is possible to disable the sending of the Referer header entirely. I just turned it off to experiment and see if it breaks any sites.

      • Arsen6331 ☭
        10
        edit-2
        2 years ago

        It shouldn’t break any sites. If it does, they’ve made some bad design decisions with regards to the referer header.
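Arsen6331’s point above in code, as an added example that is not from the thread: a brittle server check that gates a page view on the Referer header, so a browser with Referer disabled is turned away, beside a check that never consults Referer for reads and protects state-changing requests with a per-session token, using Referer only as an extra signal when the browser happens to send it. `SITE_HOST` and the request shapes (plain dicts for headers, form fields and session) are constructed for this illustration.

```python
"""Added example, not from the thread: why a site should not break when
the browser sends no Referer. The brittle check gates a page view on the
header; the robust check ignores Referer for reads and protects writes
with a per-session token, treating Referer as an extra signal only when
it is present. SITE_HOST and the request shapes are constructed."""
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "lemmygrad.ml"  # constructed placeholder for the instance host


def brittle_is_allowed(headers):
    """The design that breaks for Referer-suppressing browsers:
    a missing Referer is treated like a hostile one."""
    ref = headers.get("Referer")
    return ref is not None and urlparse(ref).hostname == SITE_HOST


def issue_csrf_token(session):
    """Bind a random token to the session; the page embeds it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def robust_is_allowed(method, headers, form, session):
    """Reads never depend on Referer. Writes are authorized by the session
    token; a Referer that is present but points elsewhere is rejected,
    an absent Referer is simply not consulted."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get("csrf", "")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    ref = headers.get("Referer")
    if ref is not None and urlparse(ref).hostname != SITE_HOST:
        return False
    return True


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    no_referer = {}  # what the server sees from a browser with Referer disabled
    print("brittle, page view, no Referer:", brittle_is_allowed(no_referer))
    print("robust, page view, no Referer:", robust_is_allowed("GET", no_referer, {}, session))
    print("robust, form post with token:", robust_is_allowed("POST", no_referer, {"csrf": token}, session))
```

The token check is what actually stops cross-site request forgery; the Referer comparison on top of it costs nothing when the header is present and, crucially, costs the user nothing when it is absent.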

  • lemmygrabber
    13
    edit-2
    2 years ago

    From the three letter agencies angle, the only known problems could be them monitoring the site or infiltrating by creating an account here but we are not that popular so the latter is unlikely.

    You should just take care to not dox yourself (unless for some reason you don’t mind your identity being known, even then I would advise against it).

    • @redshiftedbrazilian (OP)
      6
      2 years ago

      So it’s not likely they can access any kind of sensitive data Lemmy might store?

  • nixfreak
    9
    edit-2
    2 years ago

    Lemmy is decentralized, “sort of”. Lemmy is a part of the decentralized apps that use a communication protocol called “ActivityPub”, which allows any app that uses this protocol to communicate with other apps, for instance “Mastodon”. Posts on forums like this are not targeted by LE or alphabet organizations because of the moderation and low threat level.