pistolero on Nostr: :mgsgb_r::mgsgb_o::mgsgb_u::mgsgb_n::mgsgb_d::mgsgb_2: (and possibly/hopefully the ...
:mgsgb_r::mgsgb_o::mgsgb_u::mgsgb_n::mgsgb_d::mgsgb_2:
(and possibly/hopefully the final round of)
:msf::hacker_f::hacker_s::hacker_e::globalistlocated:
:lazer_m::lazer_e::lazer_e::lazer_t::lazer_s:
:glowinthedark::smb64_f::smb64_b::smb64_i::threeletteragentglowsobright:
Round 1: https://freespeechextremist.com/notice/ATeF6cFWv3ZIsAxfkm
This is basically mop-up: I was vague about what had occurred because I wasn't sure how much I could say. I think I can safely dump the whole thing. There is some backstory, please bear with me as I'm presenting it chronologically. Times are in UTC. Most of the information is not new, but I hadn't posted any specifics before.
The executive summary: a persistent scraper has been the source of most of the pedo accounts signing up on FSE, and that scraper is also selling data to the feds. The feds have decided to ask about someone on another instance because the scraper just attributes everything to FSE. The information they asked for is information I do not have.
:hacker_t::hacker_i::hacker_m::hacker_e::hacker_l::hacker_i::hacker_n::hacker_e:
2023-03-05 18:27:07: After determining from HTTP "Referer:" headers that boardreader.com is the source of some significant portion of the trickle of pedo accounts showing up on FSE and getting banned immediately, I send an email to info@boardreader.com asking about their scraper. No reply for several days.
2023-03-07: I experiment with different ways to stop boardreader.com from scraping TWKN, eventually landing on one that works but spews cosmetic errors on FSE.
2023-03-08 18:56:54: Timestamp of the last post on FSE to get indexed by boardreader.com. (The post is https://freespeechextremist.com/notice/ATPlmcZFVVUX43oreS .)
2023-03-13 10:24:39: In an apparent effort to figure out why they can't scrape FSE any more, some traffic from Serbia (where their developers are: https://blog.socialgist.com/understanding-how-we-find-data ) arrives through devtools.boardreader.com and I promptly shitcan 109.92.154.188:
[2023-03-13T10:24:39+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
[2023-03-13T10:53:48+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
[2023-03-13T13:57:18+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
2023-03-13 16:56:10: I finally receive a reply from "Dave Heal", dave@socialgist.com to the email I sent to info@boardreader.com, eight days after emailing them for information, but the morning after I start dropping traffic from their devs. He asks what I want to know.
2023-03-13: Over the next few hours, Heal and I correspond some. I complain that they are scraping TWKN and falsely attributing all of the posts to FSE, using residential proxies, and generally behaving the worst way a bot can. I try to explain fedi and say that if they want to index FSE, they have to stop to index local posts only instead of using my resources to scrape all of fedi. He agrees to stop scraping, asks what to stop scraping, I give him an IP range and ask to be removed from the index; despite replying very quickly before that, he ghosts completely afterwards. Still no reply to that as of present, and they haven't stopped attempting to scrape, despite getting nothing but 402s or 401s.
2023-03-14 16:46:12: The morning after I tell Heal to stop (and, maybe coincidentally or maybe not, the same day Mike Chitwood has I get an email from someone named "Special Agent Peter Christenson" from an fbi.gov email address. I assume it's a prank, so I check the mail headers. It was received by my mail server from an IP address that matches their SPF record, and they used esmtps (which is relevant because a spoofed IP would not be able to complete the TLS handshake). I think a while, discuss with some friends, etc. One of them, right before I post the whole thing in public, points out that the government has, in the recent past, charged people with obstruction if they couldn't get anything otherwise.
The text of the mail (attached as image, including headers, and attachment) was this, plus siglines and greeting:
> This is Special Agent Peter Christenson, with the FBI. I am requesting subscriber information for the user "WitchKingOfAngmar." This user posted the attached threat. Please let me know if you can assist with this request.
Of note, the screenshot is named "FSE Screen Shot.png". (First time I've seen anyone outside fedi call the site "FSE", which is why I thought it was a joke initially.) The screenshot, like boardreader.com, lists FSE as the origin of the message and describes FSE as a "Forum". (A screenshot from board reader is attached.) Although the screenshot says "13 hours ago", the post in question ( https://freespeechextremist.com/notice/ASjDkOhVrCDsAgsYiW ) was from 26 days before that, meaning they sat on the message a long time. Some text is highlighted, "kill blackrock" "larry fink", as if those were the search terms. The screenshot appears to be of a tool that uses boardreader.com's API. It has sentiment analysis annotations. "Forum · Blackrock Executiv⋯" appears at the top and the Unicode "🧢🐸👍" is botched in exactly the same way.
2023-03-14 19:52:17: I reply explaining that I attempt to keep anything illegal off my own server, and use the "It's like email" explanation to tell him why I don't (and can't) give him any information. I suggest he contact the origin server. (A screenshot of this email is attached.)
2023-03-14 through 2023-03-15 13:43:56: Brief correspondence. I figure the best approach, since I have nothing he wants, is to just explain that I have nothing he wants. He asks where it came from, I stress again that this is public information and tell him to look after the "@", I tell him to check /api/v1/instance. (Screenshot of the thread attached.)
2023-03-15 18:31:26: I figure that FSE goes into lockdown: login required for TWKN or public timeline, no new registrations allowed. I do the initial brief post ("Round 1", https://freespeechextremist.com/notice/ATeF6cFWv3ZIsAxfkm ) by removing all of the details from my first draft of that post, and adding a note saying that I will not be answering any questions.
2023-03-15 to today: Continued discussing the issue in private. I gave the fed several chances to tell me not to do this and even when I explicitly asked, he ignored the question twice.
:elliotthinking::terrythinking::hacker_s::hacker_o::hacker_m::hacker_e::dudethink::finkthink:
:hacker_t::hacker_h::hacker_o::hacker_u::hacker_g::hacker_h::hacker_t::hacker_s:
Given how long they sat on it, "Emergency Disclosure Request" seems like a bit of a stretch. Given the nature of the post they were asking about, I don't know how anyone could think it's a real threat: either it was a due diligence thing or the feds have no clue how the internet works. So given all that, I think maybe it was a probe to see if I cooperate, maybe they wanted to know something else about fedi and they were using this as a pretext. Since the API they are using treats TWKN as just FSE, I think they didn't actually look at the post on FSE.
boardreader.com has changed hands a few times, so it is not a huge surprise if they were bought by SocialGist. If you go there and search for posts you made before 2023-03-08, you'll find them ascribed to FSE. As of right now, you can still find the post that attracted the feds on boardreader.com: search for "kill blackrock larry fink", click the little gear, set the domain to "freespeechextremist.com", and you will see the post from the screenshot; sorting by "freshness", it is the seventh result.
I can't find any other fedi instances on there, but this is a pretty annoying scraper to get rid of. As I said before, I think the good part of FSE is the transparency: you can see what's going on here. Not only does this give people a reason to sign up, but it demonstrates what's going on, so if any fed wanders by, they can see nothing shady is happening. But that doesn't work if the feds are looking at third-party tools that just say "Got this from FSE!" on them.
:finksmug: The glowies are (or want to convey that they are) specifically looking at threats against Blackrock executives. :hunterbidensmile:
:glowinthedark: The FBI and DOJ use Outlook. :terrylol2:
:glenda: acme is pretty comfortable as a mail reader. :bwksmug:
Remember everyone that was freaking out about the various search engines on fedi, most recently as:Public? Remember that I keep saying that there are scrapers getting at fedi *without* identifying themselves? It turns out that I was right and this is because I AM A GODDAMN GENIUS and EVERYONE THAT HAS EVER TOLD ME THAT I AM WRONG IS A RETARDED COPROPHILIAC. There are scrapers getting data out of fedi without identifying themselves and at least one of them is selling data to the FBI.
Overall, this is lucky for me: the person they were looking for was not someone I have any information on. Or it's unlucky because they shouldn't have been asking me about posts that originated elsewhere anyway. (Ideally, they don't ask me shit about shit so I don't have to figure out how to not answer them.) I did get to talk to TheAntiE-CelebLeague00 (npub17z4…npsw) a couple of days ago: he seems reasonable. Apparently the fedposter had been banned for unrelated reasons not too long after the post the feds were interested in.
:hacker_w::hacker_h::hacker_a::hacker_t:
:cvcvcv::hacker_n::hacker_o::hacker_w:
I think I'm going to reopen the public timeline and registrations, but that's tentative. Since boardreader.com is still attempting to scrape TWKN, if I reopen TWKN to people that aren't logged in, it will be with the terrible hacks I was using before to get boardreader.com to stop scraping. I hope to get Revolver out soon so that I don't ever have any information about anyone and I *can't* answer any questions about anyone, but until it's out the door, there is not a lot I can do short of locking down FSE.
:thatguywasadickhead: Since, while I was writing this, Alex Linder created a fedpost on an instance that made fun of him (see post by 313Chris:hellokitty_headbang: (npub10m7…a88s) : https://detroitriotcity.com/objects/8253101f-89bd-4ba3-be2e-98d944d12897 ), maybe I will wait for a while before reopening registrations; Electric Pants :prince_dance: (npub1qq7…fedr) and anime graf mays 🛰️🪐 (npub108z…dkr5) have temporarily closed down registrations on their instances. :tedklisten:
:plague: I recommend that you be careful about scrapers. Look at your logs. It takes 30 minutes to go from "I have no idea how to use awk" all the way to "awk is useful and I have no idea how I have gone this long without learning it".
:mcveigh: I recommend that you be careful of fedposters on your instance. Sometimes they actually *are* feds, as in the recent 8chan case, or the not-kidnapped governor, things like that. There's another habitual fedposter on that instance that, if his posts made it to FSE unaltered, probably would have resulted in more emails from the FBI. (book/Eris should thank me instead of dribbling his spergy butthurt at me.)
:ronmad: The natural inclination is to tell them to come back with a warrant: this is a reasonable inclination. But it's better to convince them there's nothing to see so they leave. On the other hand, if fedposts are getting more frequent, maybe it's too late to get them to leave. :terrysad:
If something happens to FSE for some reason, this post should appear on other instances, but the screenshots might not be available: you can get the attachments from IPFS: QmTn3r6Mpyz8wEQGyMkETAnGgaqpGEgeaMi3qtFZt3R2Kr or ipfs://bafybeidc7lxjlmrz6i2t7be75tstyivybavmddmh55vtrjbcsliz67nzum .
2023-03-14_09:45--email_from_christenson.png
2023-03-14_09:45--email_from_christenson--attachment.png
2023-03-14_12:52--reply_to_christenson.png
boardreader--kill_blackrock_ceo.png
2023-03-14-15_other_mail.png
01_metal_gear_solid_peace_walker_main_theme.mp3
https://freespeechextremist.com/media/d6976489-78d3-4460-87cd-8c0dc76809bf/01_metal_gear_solid_peace_walker_main_theme.mp3?name=01_metal_gear_solid_peace_walker_main_theme.mp3
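The log review recommended in the post (spotting a scraper from "Referer:" values), as an added example that is not part of the original post or the author's own tooling. It assumes the field layout of the three log lines quoted above and that all timestamps share one UTC offset; `OWN_HOST`, `referer_report` and `sample_log` are hypothetical names, and the sample lines beyond the first three are constructed.

```shell
#!/bin/sh
# Added example: summarise external Referer hosts in an access log.
# Assumed line layout (taken from the log lines quoted in the post):
#   [timestamp] request-URL [status] client-IP referer
# A missing referer is assumed to be logged as "-" or omitted.

OWN_HOST="freespeechextremist.com"   # hypothetical setting: the site's own host

# Reads log lines on stdin and prints one line per external referer host:
#   hits  distinct_client_ips  first_seen  last_seen  referer_host
referer_report() {
    awk -v own="$OWN_HOST" '
    # Reduce a URL to its lower-cased host name.
    function host(url,    h) {
        h = url
        sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", h)   # strip scheme
        sub("[/?#].*$", "", h)                      # strip path, query, fragment
        sub(":[0-9]+$", "", h)                      # strip port
        return tolower(h)
    }
    NF >= 5 && $5 != "-" {
        h = host($5)
        if (h == "" || h == own) next               # skip on-site navigation
        ts = substr($1, 2, length($1) - 2)          # drop the [ ] around the time
        hits[h]++
        if (!((h, $4) in seen)) { seen[h, $4] = 1; ips[h]++ }
        # ISO 8601 strings with the same offset sort chronologically.
        if (!(h in first) || ts < first[h]) first[h] = ts
        if (!(h in last)  || ts > last[h])  last[h]  = ts
    }
    END {
        for (h in hits)
            printf "%d %d %s %s %s\n", hits[h], ips[h], first[h], last[h], h
    }' | sort -k1,1nr -k5,5
}

# Sample input: the first three lines are the ones quoted in the post;
# the remaining four are constructed (documentation IP ranges, made-up referers).
sample_log() {
    cat <<'EOF'
[2023-03-13T10:24:39+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
[2023-03-13T10:53:48+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
[2023-03-13T13:57:18+00:00] https://freespeechextremist.com/main/all [200] 109.92.154.188 https://devtools.boardreader.com/
[2023-03-13T11:02:10+00:00] https://freespeechextremist.com/main/public [200] 192.0.2.10 https://freespeechextremist.com/main/all
[2023-03-13T11:05:00+00:00] https://freespeechextremist.com/main/all [200] 198.51.100.7 https://search.example/?q=fse
[2023-03-13T11:06:00+00:00] https://freespeechextremist.com/main/all [200] 192.0.2.44 -
[2023-03-13T12:00:00+00:00] https://freespeechextremist.com/main/all [401] 203.0.113.9 https://DevTools.boardreader.com:443/x
EOF
}

sample_log | referer_report
```

A referer host with many hits from few client IPs, or one that appears only on timeline pages, is the pattern to look at more closely; requests that send no Referer at all never show up in this report and need a separate pass by IP and User-Agent.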