Hello users of hexbear, or shall I say chapo.chat, we fucked up, and I fucked up like three times making this post.

Yes, hexbear.net has expired. Yes, we were aware of this possibility. We have gradually lost contact with the access owner (prior admin) for the domain registration. We attempted to make a migration plan, but we were disarmed by the reappearance of the party in question in September 2024 and repeated assurances that they would a) transfer credentials and b) continue payments until they were able to do the former.

We accept full responsibility for this. We should have been more aggressive about this and continued our alternative despite these reassurances. This is our fuck up, and we can’t offer anything besides our continued apologies and our plan of action going forward and an explanation of what happened:

Over the time of chapo.chat and hexbear.net, the admins that purchased the domain, established the donation accounts, and the server accounts have left. One of the primary admins has gone inactive and returned many times. Over a year ago, some of the newer admins began asking the older admins to give full access to the domain, servers, and donations. These requests were not met, despite warnings of this exact event.

At the moment we do not have access to hexbear.net and there is a strong chance we will not get it back without participating in the auction, which is already over $300. Choosing to abandon the hexbear.net domain will cause federation problems and considerable technical issues which would lead to potential extended downtime.

During this downtime we would be reestablishing access to the new domain (or hexbear.net if we win the auction), access to server ownership, and donation accounts. This would be distributed among a number of admins so that we can prevent this from happening again.

Chapo.chat has the same access problem that led to the current state of hexbear.net so it is to be considered temporary.

I will do my best to answer questions.

  • CARCOSA [mirror/your pronouns]@hexbear.net
    9 hours ago

    Pinning @[email protected] comment:

    True Hexbear Fedayeen have hexbear hard coded in their hosts file and are currently enjoying their beanis

    On OSX/Linux just add 37.187.73.130 hexbear.net to the bottom of /etc/hosts and you’ll get your beanis back.

    On Windows it’s at C:\Windows\System32\drivers\etc\hosts

    On Phones it’s much harder so all your beanis are lost.

  • Terrarium [none/use name]@hexbear.net
    2 hours ago

    Okay so losing the domain is actually very funny to me. I am not personally invested in us getting the domain back so long as measures are taken to ensure security (comments on MITM and the need for invalidating JWT, at minimum, are reasonable concerns).

    I’ll make one quick note about the donations issue. I would recommend that in the future, you distribute funds so that if someone goes AWOL you only lose, say, 20% or 40% (let’s say someone else leaves with them) rather than 100%. This is how many orgs maintain funds for organizing without needing all of it to go to a legal entity or just one person.

    In terms of domain registration and access, I can give a couple tips for whatever domain the site settles on.

    • Have all emails go to a forwarding email address that pings multiple admins’ emails with domain messages. You can set up a regular ping to that address so that everyone knows it is still working every 2 weeks or so. e.g. “Subject: hexbear.net email is working”. You should also make a note of when the registration expires. Domains tend to be renewed yearly and on a particular date, so you can set calendar reminders and alarms and so on to each verify that the domain has been renewed.

    • With some registrar services you can have multiple domain admins. There is still just one legal entity that owns the domain but you can set up multiple accounts to have access to change DNS settings, get expiry emails, etc.

    • This is an InfoSec risk, but you can share ownership by making a shared legal entity the owner, like a business or non-profit. The problem with this is that two people need to register the business and this effectively reveals your names and that you are associated with one another. But depending on your risk tolerance and existing social connections, it might be possible for 2 people to do this kind of thing.

    Obviously there is no perfect solution. The ability of one person to change the password on any shared account (e.g. forwarded email address) would still pose a disruption risk. But doing at least the first two steps would give you a heads up on something going wrong and if you did the third you could pay on behalf of the owner (the legal entity) even if one of you goes AWOL.

    Anyways, thanks again for picking up the pieces here. I’m sorry, I am sure it is very stressful. We are all comrades here. Let us know if there are ways for us to support you all.
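
An automated version of the renewal check suggested in the comment above, added here as an example and not part of the original thread: it reads a domain's RDAP record (the JSON successor to WHOIS) and grades how close the registration is to lapsing. The sample record, `example.org`, the dates and the 30/7-day thresholds are constructed assumptions; fetching the record from the registry's RDAP service is left out so the block runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain object (RFC 9083 shape), trimmed to the fields used.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example.org",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2020-07-26T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-07-26T00:00:00Z"},
    ],
})

# RDAP status strings (RFC 8056) meaning the name has lapsed or stopped resolving.
LAPSED = {"redemption period", "pending delete", "client hold", "server hold"}


def expiry_report(rdap_json, now, warn_days=30, crit_days=7):
    """Return (level, message) for one RDAP domain object."""
    data = json.loads(rdap_json)
    name = data.get("ldhName", "<unknown>")
    status = {s.lower() for s in data.get("status", [])}
    if status & LAPSED:
        return "CRITICAL", f"{name}: status {sorted(status & LAPSED)}"
    if "auto renew period" in status:
        # The registry extended the date by itself; the registrar may still
        # delete the name if nobody pays, so the new date proves nothing.
        return "WARNING", f"{name}: auto-renew grace, confirm payment at registrar"
    expiry = None
    for event in data.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    if expiry is None:
        return "UNKNOWN", f"{name}: no expiration event, check the registrar"
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)  # treat naive dates as UTC
    days = (expiry - now).days
    if days < 0:
        return "CRITICAL", f"{name}: expired {-days} days ago"
    if days <= crit_days:
        return "CRITICAL", f"{name}: expires in {days} days"
    if days <= warn_days:
        return "WARNING", f"{name}: expires in {days} days"
    return "OK", f"{name}: {days} days left"


if __name__ == "__main__":
    print(expiry_report(SAMPLE_RDAP, datetime.now(timezone.utc)))
```

Run on a schedule and sent to the shared forwarding address, a non-OK result reaches every admin rather than only the account holder.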

  • iie [they/them, he/him]@hexbear.net
    2 hours ago

    Can we pool donations to win the auction? When does the auction end?

    Reasons to try:

    1. We’ll lose people if we lose the domain. This could include people who are currently receiving mutual aid from us, or who might have planned to in the future. It could also include people who rely on this site to maintain their mental health and sense of community. Not everyone will know where to find the new domain. The chapo chat URL is old lore that newbies won’t know, and the official Mastodon is little-known. We could lose a lot of people.
    2. Anyone touching grass now who tries to access hexbear later could get doxxed by the new owner. If I understand correctly, the login attempt could link their IP to their password, post history, and recovery email if they have one. If so, this could be pretty dangerous for vulnerable users here. If the information gets posted to a public database, this could lead to some of those people getting hacked, stolen from, harassed, fired, or worse.

  • vger@lemmy.ml
    6 hours ago

    🚨 Comment found elsewhere:

    So this is a man-in-the-middle attack waiting to happen, isn’t it? Buy the domain, set up a reverse proxy that points to the original hexbear server IP and start logging all requests.