Post 9oZ2d883yUt2TtIEMq by r000t@infosec.exchange
 (DIR) Post #9oWw2py31CtKctxQoa by seeyouindisneyland@infosec.exchange
       2019-11-01T19:13:23Z
       
       0 likes, 0 repeats
       
       While I enjoy the lack of the #verified account bullshit on here, it certainly makes it harder to find certain profiles (esp. if they've yet to prove ownership of their websites etc.) and makes it easier for imposters. E.g. try to find the correct accounts of #Fedilab (countless name changes and outdated legacy profiles on different instances are NOT helping) and #Mastodon and tell me how long it took ya. And count the number of fake "official" profiles. #IAM #IdentityManagement #identityfraud
       
 (DIR) Post #9oWw2rRVXA3DCYkTNA by r000t@infosec.exchange
       2019-11-01T20:37:12Z
       
       0 likes, 0 repeats
       
       @seeyouindisneyland You know about the rel=me thing, right? https://github.com/tootsuite/mastodon/pull/8703
       
 (DIR) Post #9oWw2siCoZ0B8dZK2S by seeyouindisneyland@infosec.exchange
       2019-11-01T20:59:23Z
       
       0 likes, 0 repeats
       
       @r000t Yes, see first parenthesis. In addition to that, as of now/AFAIK there's no way to see on e.g. the profile search results which profiles have a verified website or which website was verified. You cannot expect users to sift through countless "official" profiles 'til they find the real one. Especially not non-techy users. Again, time how long it takes you to find the official Mastodon profile.
       
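The rel=me mechanism referenced in this exchange (the linked Mastodon pull request) is a cross-link check: a profile names a website, and the website is treated as verified only if it links back to that exact profile URL with `rel="me"`. The following is an added example of that check in Python, not code from Mastodon or from the pull request; the HTML and profile URLs in it are constructed for the example.

```python
"""Check whether a web page links back to a fediverse profile with rel="me".

Added example, not code from Mastodon or the linked pull request. Idea: a
website counts as verified for a profile only if its HTML carries an <a> or
<link> whose rel attribute contains "me" and whose href points back at the
profile URL. The HTML below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Canonicalise a URL for comparison: lowercase scheme and host,
    drop the fragment and any trailing slash on the path."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       path, parts.query, ""))


class RelMeCollector(HTMLParser):
    """Collect hrefs of <a> and <link> elements whose rel contains 'me'."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)                      # attribute values may be None
        rel = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel and href:
            self.links.append(href)


def rel_me_links(html: str) -> list[str]:
    """Return every rel="me" target found on the page, in document order."""
    parser = RelMeCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def is_verified(html: str, profile_url: str) -> bool:
    """True if at least one rel="me" link on the page points at profile_url.

    The comparison is exact after normalisation: a page that only links to a
    look-alike account on another instance does not verify this profile.
    """
    target = normalize_url(profile_url)
    return any(normalize_url(h) == target for h in rel_me_links(html))


# Constructed sample page: one link back to the real profile, plus a decoy
# rel="me" pointing at a different (hypothetical) instance.
SAMPLE_HTML = """
<html><head>
  <link rel="me" href="https://infosec.exchange/@example/">
</head><body>
  <a rel="me nofollow" href="https://other.example/@example">mirror</a>
  <a href="https://infosec.exchange/@example">plain link, no rel=me</a>
</body></html>
"""

if __name__ == "__main__":
    print(rel_me_links(SAMPLE_HTML))
    print(is_verified(SAMPLE_HTML, "HTTPS://Infosec.Exchange/@example#tab"))
    print(is_verified(SAMPLE_HTML, "https://infosec.exchange/@imposter"))
```

A passing check proves that whoever controls the website chose to point at this one account; it says nothing about which of several similarly named accounts is the "official" one unless the reader already trusts the website, which is the gap the post above is describing.
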
 (DIR) Post #9oWw2u39q9M7HuNZKq by r000t@infosec.exchange
       2019-11-01T21:00:40Z
       
       0 likes, 0 repeats
       
       @seeyouindisneyland While it's not a particularly satisfying response/argument, I tend to respond to discovery/authenticity questions about the Fediverse in terms of email. How long does it take to find someone's official email address? etc.
       
 (DIR) Post #9oWw2vfpnpt6K9TyG8 by seeyouindisneyland@infosec.exchange
       2019-11-01T21:11:47Z
       
       0 likes, 0 repeats
       
       @r000t What's an "email"? Never heard of such pre-historic witchcraft. *dabs on you and does that up-to-date Fortnite game dance* #howdoyoudofellowkids Security cannot be detrimental to convenience for regular users, and impersonation is a security issue (in addition to an ethical, political, etc. one).
       
 (DIR) Post #9oWw2x9IJn2ytoH0oi by r000t@infosec.exchange
       2019-11-01T21:13:43Z
       
       0 likes, 3 repeats
       
       @seeyouindisneyland This was something I thought about for a very long time. In terms of Joe Blow usability, the fediverse is already 100% totally fucked. It got that way after the Gab drama. There's nowhere you can be on the Fediverse and reliably communicate with everybody else. Large swaths of the network isolate themselves from anybody holding centrist or right-leaning views, and not all of them are doing it voluntarily. There are literally bad actors bullying others into blocking instances.
       
 (DIR) Post #9oX7Iu4SdyQyXlrYcS by r000t@infosec.exchange
       2019-11-01T21:15:48Z
       
       0 likes, 0 repeats
       
       @seeyouindisneyland Until that's solved, the fediverse isn't tuned for normal everyday people. Right now, fedi is basically people who've been b& from traditional social media, or people who don't trust traditional social media. I've also come to the conclusion that Twitter became absolute trash when they had to make it usable to non-technical people (to boost numbers), and when it became the de-facto place to get customer service. So a high barrier to entry may be desirable.
       
 (DIR) Post #9oX7Ius5fS8J1h5Bya by seeyouindisneyland@infosec.exchange
       2019-11-01T22:08:23Z
       
       1 likes, 0 repeats
       
       @r000t "So a high barrier to entry may be desirable." Strongly disagree. I want my non-tech friends to be as safe as I am without having to hold Mastodon 101 courses every week or provide 24/7 tech support. This elitist way of thinking gets us nowhere. I want diversity and not the same demographics/IT nerd circlejerk in a '90s IRC channel.

       As for the instance-muting topic: that's a nice family-size can of worms I'd love to crack open at another time, though.
       
 (DIR) Post #9oX7IvXv9var7QebB2 by jerry@infosec.exchange
       2019-11-01T22:14:50Z
       
       0 likes, 0 repeats
       
       @seeyouindisneyland @r000t everyone seems to have their own vision for what the fediverse should be, and how it should work. I agree with not having a high barrier to entry, though given that no one can register an account on any legit instance any longer without an invitation, maybe that ship has sailed. Certainly the dynamics change as/if the platform fills with “regular” people, like it did with twitter. But I think there is a natural governor on that growth.
       
 (DIR) Post #9oX7IwDkeP3PDAE0NU by jerry@infosec.exchange
       2019-11-01T22:17:56Z
       
       0 likes, 0 repeats
       
       @seeyouindisneyland @r000t I just don’t think the fediverse can scale to the kind of use we see on Twitter. There are 3.5-ish million fedi accounts, and I’ll bet only about 15-20% or less of those are active/not abandoned. Supporting 100M active users would crush us. My greatest fear is giphy integration and suddenly going from 200GB in storage to 200TB in a few months.
       
 (DIR) Post #9oX7IwkifpQQrPeKlU by r000t@infosec.exchange
       2019-11-01T22:18:25Z
       
       0 likes, 0 repeats
       
       @jerry @seeyouindisneyland Authenticated fetch is gonna make this even worse. Thanks, tumblrverse!
       
 (DIR) Post #9oX7Ix87Gq8m1yb1EW by jerry@infosec.exchange
       2019-11-01T22:25:26Z
       
       0 likes, 0 repeats
       
       @r000t @seeyouindisneyland I hadn’t heard of “authenticated fetch” before and just read the proposed change to activitypub. That has got to be the closest thing to RFC3514 we will ever see in real life.
       
 (DIR) Post #9oX7IxmAruBQ2DL0fg by r000t@infosec.exchange
       2019-11-01T22:27:07Z
       
       0 likes, 0 repeats
       
       @jerry Yup. No security added, bad news for anybody running a smaller instance: you go viral, you get slammed with traffic, and the "evil evil nazis" can still view your content in a browser.
       
 (DIR) Post #9oX7IyRIP14o5kZqlc by jerry@infosec.exchange
       2019-11-01T22:28:50Z
       
       0 likes, 0 repeats
       
       @r000t I didn’t pick up that authenticated content could only be served from the originating instance. Sort of defeats the point of the fediverse.
       
 (DIR) Post #9oX7IyxCUOb5ghVKUq by r000t@infosec.exchange
       2019-11-01T22:33:06Z
       
       0 likes, 0 repeats
       
       @jerry It basically came out of this discussion which is..... interesting. You may need an extra serving of your preferred intoxicant. https://github.com/tootsuite/mastodon/issues/10221
       
 (DIR) Post #9oX7IzYQG0N5Y8v3Vw by jeff@social.i2p.rocks
       2019-11-01T23:24:47.113201Z
       
       0 likes, 0 repeats
       
       @r000t @jerry turns out when you make a post on a federated full mesh gossip network lots of people will see it really fast, who knew!?
       
 (DIR) Post #9oX7cR7ryDiQZ1lsYq by jerry@infosec.exchange
       2019-11-01T23:22:48Z
       
       0 likes, 0 repeats
       
       @r000t WHAT THE FUCK did I just read? They are building complicated to avoid using the “private” flag...
       
 (DIR) Post #9oX7cRQIrgSdUCObIG by r000t@infosec.exchange
       2019-11-01T23:26:49Z
       
       0 likes, 0 repeats
       
       @jerry @jeff Well yeah. Again, the goal here isn't privacy. A good portion of the actors here consider themselves "thought leaders", and what's a thought leader without an audience? So they need an audience, so posting privately isn't a choice. This transparent narcissism is also basically the cause of wanting to exclude people from being able to see their public content; "My posts are valuable and insightful, and you don't get to see them. Ha ha! I win, you lose!"
       
 (DIR) Post #9oX7cRlDbvBuX4BItU by jeff@social.i2p.rocks
       2019-11-01T23:28:23.796728Z
       
       0 likes, 0 repeats
       
       @r000t @jerry thot leaders should go back to instagram
       
 (DIR) Post #9oX8CxasjU9Tgcl16W by jerry@infosec.exchange
       2019-11-01T23:30:14Z
       
       0 likes, 0 repeats
       
       @r000t @jeff do you know which instances they are on? I would like to adjust some settings.
       
 (DIR) Post #9oX8CxyHKUrorBhhZY by r000t@infosec.exchange
       2019-11-01T23:34:15Z
       
       2 likes, 0 repeats
       
       @jerry @jeff Octodon, radical.town, PlayVapid, etc. If you wanna find self-important yet fragile people on fedi, start by looking for instances that suspend an awful lot of single-user instances.
       
 (DIR) Post #9oX9XqEvN15kuh0Xqq by kaniini@socially.whimsic.al
       2019-11-01T23:49:58.391178Z
       
       1 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland while authenticated fetch is broken, there is something to be said about improving the management of peering in the network, which is what OCAP is largely about. Network transactions should be optionally authorized, based on pre-authenticated relationships, not authenticated on demand with expensive crypto operations.

       And there are real pain points caused by the lack of workable peering management in the network, which is what the issue leading to authenticated fetch was trying to express, so I don't really like this security bro attitude here, it's very disrespectful for people who are experiencing legitimate pain points.

       Your use of the network and what you discuss is likely different than what others discuss. Different people with different discussion niches have different security requirements. In the absence of proper security design, combined with pressure from users who need some sort of fix, it shouldn't be surprising that these flawed solutions keep coming out from the Mastodon devs.

       The solution is to replace these bad security designs with simple and robust primitives.

       And yeah, stalkers can read the profile pages as a guest -- this is one of my largest criticisms of authenticated fetch mode, it doesn't let you lock down what guests can do. Guests still have access to many APIs including streaming, and they can browse profile pages. All of that has to be able to be locked down for authenticated fetch to make sense in the first place.

       In closing, you all are a bunch of middle aged white dudes. Have some empathy for these people. Instead of deriding them for hitting pain points they didn't think about, be part of the solution and help me push on the AP community to build robust security primitives into the protocol.
       
 (DIR) Post #9oX9bO4w0xoyjQ1fpA by dude@take.iteasy.club
       2019-11-01T23:50:31.004596Z
       
       0 likes, 0 repeats
       
       @r000t thanks for the reminder. It's been a while since I checked https://metabase.fediverse.network/public/question/101b3bc1-4b9c-484b-a9ac-2ed85821b108?instance=take.iteasy.club @jerry @jeff
       
 (DIR) Post #9oX9jA9Bh9cRqBisN6 by jeff@social.i2p.rocks
       2019-11-01T23:51:58.306940Z
       
       0 likes, 0 repeats
       
       @dude @r000t @jerry MY LIST IS BIGGER THAN YOURS :O https://metabase.fediverse.network/public/question/101b3bc1-4b9c-484b-a9ac-2ed85821b108?instance=social.i2p.rocks
       
 (DIR) Post #9oX9nIXUR5AZ1h3tnE by jeff@social.i2p.rocks
       2019-11-01T23:52:46.476762Z
       
       1 likes, 0 repeats
       
       @dude @jerry @r000t wow it actually has to paginate
       
 (DIR) Post #9oX9t5DirrfXSLZgK8 by dude@take.iteasy.club
       2019-11-01T23:53:49.336917Z
       
       0 likes, 0 repeats
       
       @jeff so does https://metabase.fediverse.network/public/question/101b3bc1-4b9c-484b-a9ac-2ed85821b108?instance=sealion.club and we've been dead for, how long... lol @jerry @r000t
       
 (DIR) Post #9oXCqj6IRB5g8VfWWO by jerry@infosec.exchange
       2019-11-02T00:26:45Z
       
       1 likes, 0 repeats
       
       @dude @jeff @r000t old bans never die, apparently
       
 (DIR) Post #9oXDczQH3Srgeu1j3Q by jerry@infosec.exchange
       2019-11-02T00:21:42Z
       
       0 likes, 0 repeats
       
       @kaniini @r000t @seeyouindisneyland I think where we differ is in the belief that the fediverse can ever be appropriate for the use case that you, and others seem to be concerned about. So forgive this middle aged white dude who has seen this movie play out dozens of times over my career. Or not.
       
 (DIR) Post #9oXDczmFjkRhl4JHJQ by kaniini@socially.whimsic.al
       2019-11-02T00:35:42.552733Z
       
       1 likes, 0 repeats
       
       @jerry @r000t @seeyouindisneyland the fediverse can certainly be appropriate for that use case with the proper security primitives. I know this because I've already solved *several* security defects in AP implementations.

       Again, good security design comes from an empathetic mindset. Your mindset just maintains the status quo.
       
 (DIR) Post #9oYFUKEygC9fgThPyS by r000t@infosec.exchange
       2019-11-02T01:37:25Z
       
       0 likes, 0 repeats
       
       @jerry For me it's like, take all of the bullet points you see from laurelai and the other super vocal people pushing for authenticated fetch... And I'm wondering why they haven't deployed forum software. It seems the problem here was solved 20 years ago. My puzzlement comes from the simultaneous need for a public audience/"global discussion" and need to guard against specific people even so much as *seeing* one's content. @kaniini @seeyouindisneyland
       
 (DIR) Post #9oYFUKX3aycIaY9r9c by r000t@infosec.exchange
       2019-11-02T01:38:40Z
       
       0 likes, 0 repeats
       
       @jerry @kaniini @seeyouindisneyland At some point, I have to wonder what's gonna get kneecapped next to turn ActivityPub into something it ain't, when SimpleMachines, BuddyPress, even phpBB are sitting right there.
       
 (DIR) Post #9oYFUKrGNqmPbDbzeK by r000t@infosec.exchange
       2019-11-02T01:53:38Z
       
       0 likes, 0 repeats
       
       @jerry @kaniini @seeyouindisneyland I have a super hard time calling any of this anything other than straight up DRM.... How would these discussions look if the stakeholders were "music labels" and "evil pirates", in place of "some nebulous barely-definable group of marginalized people" and "some nebulous barely-definable group of evil attackers"?
       
 (DIR) Post #9oYFULBTAiwWbt4892 by r000t@infosec.exchange
       2019-11-02T01:57:45Z
       
       0 likes, 0 repeats
       
       @jerry @kaniini @seeyouindisneyland In theory, you can "solve" piracy as a problem in its entirety... Just *only* allow protected content to be played in pre-approved viewing centers, where you physically visit, you go through security (no cameras or camera phones!), you enter a small room, you view the content, then you leave.

       And authenticated fetch feels like an attempt to move towards that model.
       
 (DIR) Post #9oYFULVfxb6dcYWGdk by jerry@infosec.exchange
       2019-11-02T02:00:52Z
       
       0 likes, 0 repeats
       
       @r000t @kaniini @seeyouindisneyland I doubt a forum is what they’re looking for. I suspect they want the UX of the fediverse, and that makes sense, but like I said, I’ve seen this movie before. It leads to continually more awkward parts being bolted on the side of Frankenstein, rather than taking a step back and thinking about the challenge holistically.
       
 (DIR) Post #9oYFULo6r3qqXj8zNA by jerry@infosec.exchange
       2019-11-02T02:07:12Z
       
       0 likes, 0 repeats
       
       @r000t @kaniini @seeyouindisneyland seems like using the counter.social code would be the most advantageous - basically build an island where access to the content can be controlled. Anything else is asking for trouble, since people will have an expectation of protection that isn’t real. That seems particularly important if, as was stated in the github thread, the intention is to protect people from actual violence.
       
 (DIR) Post #9oYFUM1a2ycvDVRkMy by jerry@infosec.exchange
       2019-11-02T02:09:17Z
       
       1 likes, 0 repeats
       
       @r000t @kaniini @seeyouindisneyland what i find particularly troubling is the brigading of Gargron to implement features he either knows won’t work, or doesn’t know how to implement. That is, after all, one of the use cases the proposed changes are to mitigate.
       
 (DIR) Post #9oYFUMK0wRN88g4T6O by jerry@infosec.exchange
       2019-11-02T02:13:53Z
       
       0 likes, 0 repeats
       
       @r000t And yes, I fully believe you, @kaniini, that you can fix AP, but I don’t think it will resemble the current fediverse when you’re done. Federating content out to masses of untrusted servers is antithetical to the idea of mediating access to that content, and unless the solution is quite robust, people relying on partial protection (without realizing it is only partial) are going to end up getting hurt. @seeyouindisneyland
       
 (DIR) Post #9oYFUMYY4Ozwrks4ky by kaniini@socially.whimsic.al
       2019-11-02T12:31:16.793737Z
       
       0 likes, 0 repeats
       
       @jerry @r000t @seeyouindisneyland I agree that people depending on partial protections are going to get hurt. That's why I am trying earnestly to fix that shit.
       
 (DIR) Post #9oYFYnyG5Jxp380zVg by r000t@infosec.exchange
       2019-11-02T02:18:51Z
       
       0 likes, 0 repeats
       
       @jerry ^ This is the single, overarching point made by "security bros", because, surprise, we're in the industry of building computer systems that keep secrets, and keep unwanted people out. When words like "safety" are thrown around, they mean something. It invokes, for example, the journalist and source using Tor, and if there's a security fuckup there, someone could get killed.

       So when "safety" is the word used, halfway solutions are just simply unacceptable. @kaniini @seeyouindisneyland
       
 (DIR) Post #9oYFYoNQZk64JBn5k0 by kaniini@socially.whimsic.al
       2019-11-02T12:32:06.187020Z
       
       0 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland you are not in the business of building anything. Prove me otherwise and show me the code.
       
 (DIR) Post #9oZ0Y4bTSJlSBrVjFo by r000t@infosec.exchange
       2019-11-02T20:55:13Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland Excuse the living fuck out of me? You're telling me what my career is? You're gatekeeping.... information security? Go fuck yourself.
       
 (DIR) Post #9oZ0Y5BHJCP7yuGK3s by r000t@infosec.exchange
       2019-11-02T21:16:52Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland Just by the god damned way, I feel like you've forgotten that *you're* the person trying to sell others on the idea that kneecapping federation will somehow fine-tune consumption of public content by the public. It's on YOU to show US the code that does this. NOT the other way around.
       
 (DIR) Post #9oZ0Y5dzaRNBPxhFom by kaniini@socially.whimsic.al
       2019-11-02T21:18:34.996247Z
       
       0 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland I'm not selling anybody on kneecapping anything. OCAP and well-designed peering management yields a better network. I have written several in depth articles about this.
       
 (DIR) Post #9oZ10Wg4fba9MxEJKS by r000t@infosec.exchange
       2019-11-02T21:19:50Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland Then stick to that. I've learned much from the protocol by reading articles about them, and 40% of them are yours. They're well written, but that snipe earlier was wholly uncool. You won't get any support out of anyone by telling them what fields they do and do not work in. You don't know me. I doubt you want to. Have a blessed day.
       
 (DIR) Post #9oZ10XRvnfrZlNcWvI by kaniini@socially.whimsic.al
       2019-11-02T21:23:44.514787Z
       
       2 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland What about the snipes you make at people who hit pain points? This entire thread is you deriding people you do not know and basically implying that they're stupid because they want the software to work in a way that gives them more agency over their data.

       Consider showing empathy towards others instead of acting like a know it all script kiddie.
       
 (DIR) Post #9oZ1JA3P0bWUhm1kXo by kaniini@socially.whimsic.al
       2019-11-02T21:27:06.835737Z
       
       1 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland A good person working in security will do the best to advocate for their clients and create value while doing so.

       I've read hundreds of your posts over the past year or so. All of them have this derisive attitude. You do not create useful value, you only demean the efforts of others. It is sad, but it is also what I see from you again and again and again.
       
 (DIR) Post #9oZ1pK1ZTSrGtWVRWi by r000t@infosec.exchange
       2019-11-02T21:27:37Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland My points all centered around motive. I stand by my assertion that modern support for authenticated fetch is driven primarily by politics, and a desire to apply DRM to otherwise public posts in an attempt to "punish" those having differing political opinions. I honestly don't think the person saying "you aren't in the business of building anything" to someone they've never met, should be talking to *anybody* else about empathy.
       
 (DIR) Post #9oZ1pKkwkl9dAFjgFk by kaniini@socially.whimsic.al
       2019-11-02T21:32:54.935014Z
       
       0 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland Authenticated fetch sucks, I fully agree with you. I have referred to it as a bandaid many times. But for many, it's better than nothing. Given how messages flow in the fediverse, without some sort of way of managing peering relationships, it will result in posts making it to instances that contain people who simply want to troll and dox you because they think you're a snowflake.

       Yes, it is possible that a stalker can evade authenticated fetch and stalk people by reading their profiles. This isn't a flaw in authenticated fetch, it's a flaw in the fact that Mastodon users do not have the ability to lock down their profiles.

       I'm talking about practical security, not DRM. Making sure posts do not exist in ways that can be relayed without authorization in the first place instead of having to depend on DRM-like solutions like authenticated fetch in the first place.

       But you're redirecting -- my complaint isn't about your failure to understand what I'm pursuing. My complaint is how you treat everyone that you deem a "snowflake" in a derisive way.

       You're right, I wouldn't want to get to know you. You're probably even more insufferable in person.
       
 (DIR) Post #9oZ2d883yUt2TtIEMq by r000t@infosec.exchange
       2019-11-02T21:35:49Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland Public posts posted publicly to public timelines on a public network for public consumption by members of the public, are going to be publicly consumed in public by members of the public. I, again, stand by my assertion that these controls are not being requested out of safety, as there are more effective ways to provide that safety that already exist. Posting followers-only and manually approving followers is a great first step!
       
 (DIR) Post #9oZ2d8fjxHpEAL37rM by r000t@infosec.exchange
       2019-11-02T21:36:13Z
       
       0 likes, 0 repeats
       
       @kaniini @jerry @seeyouindisneyland At this point, you can either apologize, or you can bitch at the null device after I block you. Your choice.
       
 (DIR) Post #9oZ2d9GxitbE1mSqsS by kaniini@socially.whimsic.al
       2019-11-02T21:41:54.963751Z
       
       2 likes, 0 repeats
       
       @r000t @jerry @seeyouindisneyland I'm sorry for implying that you're a parasite, that was a little unfair. I'm also sorry for saying that you're probably more insufferable in person, again, it was a cheap shot.

       However, I do think that you're being a bit unfair to people who are hitting pain points.

       My points are not about as:Public. I agree with you that as:Public is public. Public posts are going to always be accessible by anybody. Nobody pushing for OCAP disagrees with this, by the way.

       Our point is about building primitives that allow for useful interactions that are semi-private. What I am pushing for is infrastructure that allows for a meaningful replacement to the dreadful followers-only scope.

       You can't just say "LOL POSTS ARE PUBLIC U SNOWFLAKE" when the alternative is completely broken. We have to build a viable alternative first. But we shouldn't deride those who are stuck between two shitty choices in the present.

       Okay?
       
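The last two posts turn on what "as:Public" and "followers-only" actually mean on the wire: an ActivityPub object's audience is whatever its `to`/`cc` addressing says, and authenticated fetch only governs who may retrieve an object from its origin, not who it was addressed to. The following is an added example, not code from Mastodon or any ActivityPub implementation; it classifies an object's visibility from its addressing using the convention Mastodon follows (as:Public in `to` is public, as:Public only in `cc` is unlisted, the author's followers collection without as:Public is followers-only, anything else is direct). The sample objects and the followers-collection URL are constructed.

```python
"""Classify the audience of an ActivityPub object from its to/cc addressing.

Added example, not Mastodon's code. It applies the convention Mastodon uses
when receiving an object:
  - as:Public in `to`                         -> public
  - as:Public only in `cc`                    -> unlisted
  - author's followers collection, no Public  -> private (followers-only)
  - anything else                             -> direct (listed actors only)
Sample objects below are constructed; the followers URL is hypothetical.
"""

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
# The spec allows the compact forms as well as the full IRI.
PUBLIC_ALIASES = {PUBLIC, "as:Public", "Public"}


def _as_list(value):
    """`to`/`cc` may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def addressing(obj: dict, field: str) -> set[str]:
    """Return the recipients named in `field`, with Public normalised."""
    return {PUBLIC if v in PUBLIC_ALIASES else v for v in _as_list(obj.get(field))}


def visibility(obj: dict, followers_url: str) -> str:
    """Return 'public', 'unlisted', 'private' or 'direct' for `obj`."""
    to = addressing(obj, "to")
    cc = addressing(obj, "cc")
    if PUBLIC in to:
        return "public"
    if PUBLIC in cc:
        return "unlisted"
    if followers_url in (to | cc):
        return "private"
    return "direct"


# Constructed samples for a hypothetical actor alice@a.example.
FOLLOWERS = "https://a.example/users/alice/followers"
SAMPLES = {
    "public":   {"to": [PUBLIC], "cc": [FOLLOWERS]},
    "unlisted": {"to": [FOLLOWERS], "cc": ["as:Public"]},
    "private":  {"to": [FOLLOWERS]},
    "direct":   {"to": "https://b.example/users/bob"},
}

if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(f"{name:9} -> {visibility(obj, FOLLOWERS)}")
```

Note what the classification does and does not say: a "private" object is still delivered to every server that hosts one of the author's followers, and each of those servers keeps its own copy. That is the point made earlier in the thread about federating content out to untrusted servers, and it is why an addressing scope is not an access control on the remote side.
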
 (DIR) Post #9oZ2uhvg7idgR7sjOS by kro@carrot.army
       2019-11-02T21:45:05.757049Z
       
       0 likes, 0 repeats
       
       @kaniini @r000t @jerry @seeyouindisneyland Ahh, typical rabbit saying awful shit then apologizing in hopes that people can pretend he's good again. How many times must we all go through this song and dance?
       
 (DIR) Post #9oZGLU7yqPJIr2jbt2 by jerry@infosec.exchange
       2019-11-02T02:16:14Z
       
       1 likes, 0 repeats
       
       @r000t @kaniini @seeyouindisneyland anyhow, I am exiting this discussion. This is now a “religion and politics” discussion where no one will change anyone’s mind because it is an emotional/philosophical construct. Good day.