Post APKk5i1CIQkJfYhU4e by ChrisJohnRiley@infosec.exchange
(DIR) Post #APKaQ1MZ5GXRupk2rY by ChrisJohnRiley@infosec.exchange
2022-11-06T15:16:51Z
0 likes, 0 repeats
There are many things that make me concerned about Mastodon… A short 🧵 and (unverified) thoughts:

**Federation**

One of the many things I'm concerned about with Mastodon is the federated accounts. How do you reserve your handle and prevent fakers from spinning up a new account to impersonate you? Seems like a problem that needs to be faced sooner rather than later sadly 🫣

The benefits and inherent drawbacks of decentralized social solutions are a balancing act that will take significant time to get right.

**Verification**

Verification (in the Twitter sense) isn't the answer, but highly technical and hard-to-achieve solutions are unlikely to gain the significant traction needed to make them useful. If brands and non-technical users can't make it work, then we've failed.

**Server abuse**

Decentralized servers offer pros and cons. Much like popular browser extensions and open-source tools, there is a tendency for malicious actors to target takeover of these resources to gain immediate access to users and resources that trust the resource. Why build yourself when you can take over an existing platform?

**Privacy/Non-repudiation**

It's clear that owners of the platforms have some ability to view data on their platforms and in their database. The ability to change data may also be a concern. Without signed toots, and customer-owned keys, can we trust the voice of the people we follow?

…I'll leave it there for now, but would love to see a full threat model built up and examined. There are solutions out there, but we need to see where the problems are to figure out where to apply fixes.
(DIR) Post #APKaQ1qLIYMFPBfpHE by amerika@noagendasocial.com
2022-11-06T15:27:35Z
0 likes, 0 repeats
@ChrisJohnRiley "How do you reserve your handle and prevent fakers from spinning up a new account to impersonate you?"

You have an active handle, and if you spot fakers, point them out.

You can use the verification procedure: https://docs.joinmastodon.org/user/profile/
(DIR) Post #APKe5wc5QuLbD4gTQm by ChrisJohnRiley@infosec.exchange
2022-11-06T16:08:45Z
0 likes, 0 repeats
@amerika I'm aware of the link verification. I haven't looked at the code behind it to see how the verification flows and at what stage the verification happens.

Does the client verify the link verification? Does the instance verify and communicate that? All areas to look at.

Like I said, I'd like to see a threat model and abuse scenarios researched.
(DIR) Post #APKfKXo03AeKZFmXpI by amerika@noagendasocial.com
2022-11-06T16:22:37Z
0 likes, 0 repeats
@ChrisJohnRiley It depends on how important verification is in the first place.

You have the DMCA to go after any infringers.
(DIR) Post #APKgKMW87SrBVnttcu by ChrisJohnRiley@infosec.exchange
2022-11-06T16:33:47Z
0 likes, 0 repeats
@amerika Who do you DMCA if it's decentralized?
(DIR) Post #APKiEDJhc5bj9FHeDo by amerika@noagendasocial.com
2022-11-06T16:55:06Z
0 likes, 0 repeats
@ChrisJohnRiley The instance that hosts the infringing account, or any content that it posts, since that is its origin.
(DIR) Post #APKiQUE0ZiE33xTLV2 by ChrisJohnRiley@infosec.exchange
2022-11-06T16:57:16Z
0 likes, 0 repeats
@amerika I don't think that'll work like you expect. Can you DMCA a scammer hosting their own instance? How do you enforce DMCA if they ignore it? DMCA is good for enforcement against companies, not individuals and inherently corrupt entities.
(DIR) Post #APKjKy22wLU5iyoF3Q by amerika@noagendasocial.com
2022-11-06T17:07:32Z
0 likes, 0 repeats
@ChrisJohnRiley DMCA forces removal of the content.

If a scammer hosted their own instance, you could identify infringing content and bring it down.

If they ignore it, you file and they must defend.

Here's the basics: https://www.aclu.org/other/text-digital-millennium-copyright-act-dmca
(DIR) Post #APKjYK7K8hglz7e9Ee by amerika@noagendasocial.com
2022-11-06T17:09:56Z
0 likes, 0 repeats
@ChrisJohnRiley If you identify a full-on scammer instance, that I would report to the FBI (or controlling national police agency).

They like takedowns, like they just did to z-lib.org :)
(DIR) Post #APKjuzX6pw8onxW4zQ by ChrisJohnRiley@infosec.exchange
2022-11-06T17:14:01Z
0 likes, 0 repeats
@amerika How does that work for instances owned by a private owner in Russia (asking for a friend)?

ISPs in certain countries may help fill in the gaps, but outside of the US there are differing processes and responses.
(DIR) Post #APKk5i1CIQkJfYhU4e by ChrisJohnRiley@infosec.exchange
2022-11-06T17:15:58Z
0 likes, 0 repeats
@amerika I think the real proof is in how this works in the months/years to come. DMCA and enforcement will not be as easy as on a central platform, which is both good and bad. It's a new world, and there are new challenges.
(DIR) Post #APKke42avJTLohjfyC by amerika@noagendasocial.com
2022-11-06T17:22:10Z
0 likes, 0 repeats
@ChrisJohnRiley International law is complex. I thought there would be more Russian servers involved on the internet in general, but it seems they get dropped once identified as scammers so there is some incentive on the Russian end to act.
(DIR) Post #APKkh87SDUFpKnTEvI by amerika@noagendasocial.com
2022-11-06T17:22:44Z
0 likes, 0 repeats
@ChrisJohnRiley The central platform is the hosting. Someone owns the wires, servers, electrons, and IP addresses.