Post APryICoAvtLUPblihk by c0dec0dec0de@hachyderm.io
 (DIR) Post #APreSe7qDzlIwnfV44 by jerry@infosec.exchange
       2022-11-22T14:13:02Z
       
       1 likes, 2 repeats
       
       I've been in contact with Jen Easterly, the head of US CISA, this morning and they'll be creating accounts here.  There is an account, @cisacyber, that is legitimately owned by CISA, though they're early in the setup process, so please, don't report them for impersonation.
       
 (DIR) Post #APreYRfFT4nQ2N3kTg by opal@ap.maladaptive.art
       2022-11-22T14:19:23.940727Z
       
       0 likes, 0 repeats
       
       @jerry >child agency of DHS
       oh this will be fun
       
 (DIR) Post #APriWGA1fOkxb4fWIC by tinker@infosec.exchange
       2022-11-22T15:01:44Z
       
       1 likes, 0 repeats
       
       @jerry @cisacyber - So that's really awesome. But why doesn't the US govt have an officially run Mastodon instance?
       They maintain their own email servers (or specific contracts through cloud services).
       I know we all know this, but this means that we now have adopted the threat model of the US Govt and their Cyber Operations.
       We have the volunteer technical chops for it... but everyone and their dog will be trying to get access to Jen's DMs.
       When we hiring a SOC?
       
 (DIR) Post #APrmrSsPz3Aivtnddg by jerry@infosec.exchange
       2022-11-22T15:11:16Z
       
       0 likes, 2 repeats
       
       Since posting the message this is in reply to, I’ve had approximately 11,000,000 replies asking me why CISA or the US government doesn’t set up their own mastodon/fediverse instance. Or telling me that they should.  I can’t reply to them all, so addressing it here. Perhaps they will create one.  Maybe they won’t. I’m not them. They didn’t create their own version of twitter. I have to believe setting up a new service in the US government is a long and complicated and expensive process. Perhaps they want to jump in and see if the fediverse is useful enough to warrant the investment. It’s been maybe 14 hours. Let’s give them a bit of grace, please.
       
 (DIR) Post #APrmrTNc747qUeOYGO by w@arachnid.town
       2022-11-22T15:48:55.875788Z
       
       2 likes, 2 repeats
       
       @jerry I know how hard it is making these decisions, and I know how hard the backlash can be. You have all my support!
       
 (DIR) Post #APrnaoWKMMLJ5h5hbs by wizzwizz4@fosstodon.org
       2022-11-22T15:47:19Z
       
       0 likes, 0 repeats
       
       @jerry A few dozen people have raised concerns about their safety, should their instances continue to federate with infosec.exchange, as a result of this decision.
       If that's a deliberate tradeoff, fine. I just want to make sure you're aware that this decision cuts infosec.exchange off from lots of the Fediverse; lots of people here *do* have something to fear from the US government.
       
 (DIR) Post #APrnap7Y7y7Ix8VQcy by r000t@infosec.exchange
       2022-11-22T15:55:48Z
       
       1 likes, 0 repeats
       
       @wizzwizz4 @jerry People are actually walling themselves away from 31,000 people because of one (1) fed.
       
 (DIR) Post #APrnuPXkvuPvPy6V1M by mansr@society.oftrolls.com
       2022-11-22T16:04:11Z
       
       0 likes, 0 repeats
       
       @wizzwizz4 @jerry If someone genuinely has something to fear from the government, and I'm not implying that they don't, I really doubt the presence or not of an official CISA account is going to make any difference whatsoever.
       
 (DIR) Post #APrnxJtGPKZeknYDXE by w@arachnid.town
       2022-11-22T16:01:13.003791Z
       
       0 likes, 0 repeats
       
       @r000t @wizzwizz4 @jerry Damn that's insane.
       
 (DIR) Post #AProCco6MFK9lbQzk8 by wizzwizz4@fosstodon.org
       2022-11-22T16:07:28Z
       
       0 likes, 0 repeats
       
       @mansr @jerry It's not just about their actual safety. It's about what we do and don't tolerate, as a community – or so I gather.
       If there's an official government presence, they've got a foot in the door, so to speak.
       
 (DIR) Post #AProrPzut6SjubPdlw by chjara@snowdin.town
       2022-11-22T16:06:02.672743Z
       
       0 likes, 0 repeats
       
       @r000t @wizzwizz4 @jerry lmao cope
       
 (DIR) Post #AProrSMK6lZfEfuYyW by jerry@infosec.exchange
       2022-11-22T16:08:07Z
       
       0 likes, 0 repeats
       
       @chjara @wizzwizz4 @r000t It's ok to block us: https://infosec.exchange/@jerry/109388310559419568  Be well.
       
 (DIR) Post #AProrSqoHPxclEAuUi by chjara@snowdin.town
       2022-11-22T16:09:21.524091Z
       
       0 likes, 0 repeats
       
       @jerry @wizzwizz4 @r000t
       
 (DIR) Post #AProrTCQz1G3qIIBCS by opal@ap.maladaptive.art
       2022-11-22T16:14:51.503980Z
       
       0 likes, 0 repeats
       
       @chjara @wizzwizz4 @jerry @r000t youve exceeded your daily sus of one (1)
       
 (DIR) Post #AProx7WOUjBiLYK3u4 by chjara@snowdin.town
       2022-11-22T16:15:27.610733Z
       
       1 likes, 0 repeats
       
       @opal @wizzwizz4 @jerry @r000t i have a god given right to be as sus as i want to
       
 (DIR) Post #AProyHE7tbMAjkKUQS by opal@ap.maladaptive.art
       2022-11-22T16:16:07.654443Z
       
       0 likes, 0 repeats
       
       @chjara @wizzwizz4 @jerry @r000t impostor given right
       
 (DIR) Post #AProzQlZuhImc3WhvM by wizzwizz4@fosstodon.org
       2022-11-22T16:15:57Z
       
       1 likes, 0 repeats
       
       @chjara @opal @r000t Not in my mentions you don't.
       Now SCRAM!
       
 (DIR) Post #APrr8LPXOVKUW9ayCu by HSTG@freeatlantis.com
       2022-11-22T16:40:22Z
       
       0 likes, 0 repeats
       
       @jerry The fact the government can't or won't make their own Instance says a lot. I don't think this has anything to do with "metrics". The fedi will soon be glowing brighter than Gab. Didn't think it was possible, but here we are!
       
 (DIR) Post #APrvC9m10HgdOqBMjQ by thegaryhawkins@infosec.exchange
       2022-11-22T16:11:38Z
       
       0 likes, 0 repeats
       
       @wizzwizz4 @jerry So there's an ultimatum between the vast majority of the infosec community and a government strategic advisory body, and some tinfoil hat types that assume every government entity is out to get them? That's a tough one 🤔
       Much of the infosec community has to work with government sectors or agencies in some capacity, even if it's only a standards body, or statistics agency, or regulators, or ombudsman, etc. These entities are as far removed from law enforcement as any private sector organisation. And if law enforcement agencies and spooks were going to snoop on your cat photos they probably wouldn't be doing it under any official account.
       
 (DIR) Post #APrvCAENIqN6onS0w4 by securecompliance@infosec.exchange
       2022-11-22T16:26:29Z
       
       0 likes, 0 repeats
       
       @thegaryhawkins @wizzwizz4 @jerry Wearing a tin foil hat and hanging out on the internet is a bit of an oxymoron.
       
 (DIR) Post #APrvCAfJgfvGAM3Wvg by wizzwizz4@fosstodon.org
       2022-11-22T16:27:27Z
       
       0 likes, 0 repeats
       
       @securecompliance You keep saying this.
       People have legitimate concerns for their personal safety; at a certain point, repeating your pithy "tin foil hat" sentence over and over again is not contributing to the discussion.
       
 (DIR) Post #APrvCBHbOKY055y6bY by wizzwizz4@fosstodon.org
       2022-11-22T16:28:44Z
       
       0 likes, 0 repeats
       
       @securecompliance @thegaryhawkins @jerry @xabean If people don't have a functional security model, that doesn't mean they don't need security. All it means is that they're vulnerable.
       
 (DIR) Post #APrvCBnVTi4Hg2taKm by avuko@infosec.exchange
       2022-11-22T16:54:25Z
       
       0 likes, 0 repeats
       
       @wizzwizz4 @securecompliance @thegaryhawkins @jerry @xabean from a very practical point of view: “better the devil you know”. You could block official government accounts, and they wouldn’t be able to follow you anymore (from that account!) or see anything related to you (from that account!). So those who have something to fear from CISA have it easier with its known government account.
       
 (DIR) Post #APrvCCILd2jpDhKDPE by xabean@infosec.exchange
       2022-11-22T17:01:27Z
       
       0 likes, 0 repeats
       
       @avuko @wizzwizz4 @securecompliance @thegaryhawkins @jerry I don't think blocking _an account_ prevents your posts from being consumed by that entity, if your posts are public.
       
 (DIR) Post #APrvCCobh6XgpkPygi by avuko@infosec.exchange
       2022-11-22T17:16:06Z
       
       0 likes, 0 repeats
       
       @xabean @wizzwizz4 @securecompliance @thegaryhawkins @jerry the wording is slightly unclear here, but I’m sure people with more experience know how this actually works.
       From https://docs.joinmastodon.org/user/moderating/#block :
       Additionally, on the blocked user’s side:
       The user is forced to unfollow you
       The user cannot follow you
       The user won’t see other people’s boosts of you
       The user won’t see you in public timelines
       
 (DIR) Post #APrvCDFC6FoGACrD84 by feld@bikeshed.party
       2022-11-22T17:25:38.402762Z
       
       1 likes, 1 repeats
       
       @avuko @xabean @wizzwizz4 @securecompliance @thegaryhawkins @jerry
       > Additionally, on the blocked user’s side:
       >
       > The user is forced to unfollow you
       > The user cannot follow you
       > The user won’t see other people’s boosts of you
       > The user won’t see you in public timelines
       That is merely the default Mastodon behavior. If the server the person you blocked is from does not run stock Mastodon they can
       a) ignore the block activity completely
       b) can still passively follow you (as long as your post still makes it to their server)
       c) will see other people's boosts of you
       d) will still see you in public timelines
       e) can still access your public RSS feed of your posts
       f) can still directly browse your profile on your server unless that's blocked; otherwise they can use other servers to view your posts
       it's no different than "you blocked me on twitter, but i can see you when i log out / incognito window"
       A block in the Fediverse is not very effective if the offending party wants to evade it. It's really hard to solve this without a closed centralized system.
       
 (DIR) Post #APrvT04uIt7oFl3C7c by ares@kolektiva.social
       2022-11-22T16:23:09Z
       
       0 likes, 0 repeats
       
       @wizzwizz4 @jerry if the federal government sets up their own instance, much of the fedi will block it for acab
       even infosec.exchange would need to block it not because of acab, but because government moderators would inevitably allow content that violates the moderation policies of infosec.exchange
       and now if the government sends their cops to infosec.exchange instead, the rest of us will have to block them
       
 (DIR) Post #APrvT0YKXUf1j0ogz2 by xabean@infosec.exchange
       2022-11-22T17:16:25Z
       
       0 likes, 0 repeats
       
       @ares I genuinely don't see what USG could post that would go against @jerry's AUP/TOS policies.
       
 (DIR) Post #APrvT1EW0eP9pqYNjk by jerry@infosec.exchange
       2022-11-22T17:19:16Z
       
       0 likes, 0 repeats
       
       @xabean @ares to be clear, it's my tacit support and, by extension, condoning of all the bad that the US government does by hosting them here.  This is what people seem to have the biggest reaction to
       
 (DIR) Post #APrvT1fSOTxJBP9tjM by xabean@infosec.exchange
       2022-11-22T17:26:38Z
       
       1 likes, 0 repeats
       
       @jerry for what it's worth, "I pay US state & federal taxes because I reside in the US and am obligated to by law" also sounds like "tacit support and condoning of all the bad things the US government does" with this logic.
       
 (DIR) Post #APryIAn2R9FQ9VDmee by alaric@ioc.exchange
       2022-11-22T14:14:55Z
       
       0 likes, 0 repeats
       
       @jerry @cisacyber Good to know. Just saw 3 accounts associated with CISA, including CISAJen, on the ioc.exchange instance @seb
       
 (DIR) Post #APryIBGSfkmdckzHW4 by jerry@infosec.exchange
       2022-11-22T14:16:48Z
       
       0 likes, 0 repeats
       
       @alaric @cisacyber @seb They've observed many people creating accounts on various instances that purport to be CISA.  The only actual CISA account on the fediverse, at the moment, is @cisacyber.
       
 (DIR) Post #APryIBjAwzkh3oQDGy by sam@decarboxy.chat
       2022-11-22T15:03:32Z
       
       0 likes, 0 repeats
       
       @jerry @alaric @cisacyber @seb between this and the presence of a few members of congress on here it seems like the executive branch and congress should consider setting up official instances
       
 (DIR) Post #APryICFR13YYfrVyYS by elias@foxhold.net
       2022-11-22T15:14:46Z
       
       0 likes, 0 repeats
       
       @alaric @jerry @cisacyber @sam @seb exactly. Since there’s no central authority to validate accounts, organizations need to use their own domains for this to work.
       
 (DIR) Post #APryICoAvtLUPblihk by c0dec0dec0de@hachyderm.io
       2022-11-22T15:51:56Z
       
       0 likes, 0 repeats
       
       @cisacyber @jerry @sam @alaric @elias @seb Is the US government (or any function thereof) legally able and of the appropriate temperament to moderate an instance? The free speech lawsuits will be relentless no matter what.
       
 (DIR) Post #APryIDEPMMKTiy2faq by sam@decarboxy.chat
       2022-11-22T15:52:58Z
       
       0 likes, 0 repeats
       
       @c0dec0dec0de @cisacyber @jerry @alaric @elias @seb In this case it wouldn't be a public instance, it would explicitly be used as a way for public officials to have a verified presence, the moderation requirements would be minimal
       
 (DIR) Post #APryIDb600TerKemxM by c0dec0dec0de@hachyderm.io
       2022-11-22T15:55:15Z
       
       0 likes, 0 repeats
       
       @elias @cisacyber @alaric @jerry @sam @seb
       You can see which instances are blocked by another instance, yes? The far-right instances no one federates with will file suit if they can’t scream at the gov-run instance.
       
 (DIR) Post #APryIE2OMWJODzQaVE by sam@decarboxy.chat
       2022-11-22T15:58:46Z
       
       0 likes, 0 repeats
       
       @c0dec0dec0de @elias @cisacyber @alaric @jerry @seb a hypothetical government instance doesn't need to fediblock any other instances because they have a fundamentally different way of dealing with harassment of their users, namely if you send death threats to @director@cisa.gov you'll get a visit from the FBI
       
 (DIR) Post #APryIEPmxX1jOYNGyG by c0dec0dec0de@hachyderm.io
       2022-11-22T16:02:59Z
       
       0 likes, 0 repeats
       
       @jerry @elias @alaric @sam @seb @cisacyber
       Sure, but if you’re a horrible person to them without an actionable threat, what’s the government’s allowed response?
       I guess I should find out what happens to inappropriate comments submitted during the Administrative Procedures Act mandatory comment period.
       
 (DIR) Post #APryIEuz5XyqxIyBay by sam@decarboxy.chat
       2022-11-22T16:03:47Z
       
       0 likes, 0 repeats
       
       @c0dec0dec0de @jerry @elias @alaric @seb @cisacyber just ignore it? same thing that people in public positions do when they get shitty emails to their work accounts
       
 (DIR) Post #APryIFRb8I4IaSEEQi by c0dec0dec0de@hachyderm.io
       2022-11-22T16:04:56Z
       
       0 likes, 0 repeats
       
       @jerry @elias @alaric @sam @cisacyber @seb
       1) That sucks.
       2) I don’t generally have to be exposed to my representative’s hate mail.
       
 (DIR) Post #APryIFtxQqkm0PUsdM by sam@decarboxy.chat
       2022-11-22T16:06:47Z
       
       0 likes, 0 repeats
       
       @c0dec0dec0de @jerry @elias @alaric @cisacyber @seb That's true, and it definitely does suck (i know people who are in roles where they handle correspondence for congresspeople and it's not fun). It's also one of the serious downsides of being a public servant. but you/your instance can definitely block bad actors so you don't actually need to see the nazis in the replies to your government officials
       
 (DIR) Post #APryIGN1gm0PSZ65wW by FabolousIrving@ryona.agency
       2022-11-22T17:59:37.623211Z
       
       0 likes, 0 repeats
       
       @sam @c0dec0dec0de @jerry @elias @alaric @seb
       Husky_1669140015994_YR1XXY5XVD.…
       
 (DIR) Post #APyIn1hTRjBGyBMr0i by thatguyoverthere@shitposter.club
       2022-11-25T19:18:19.434917Z
       
       0 likes, 0 repeats
       
       @r000t @wizzwizz4 @jerry one fed... That we know of
       
 (DIR) Post #APyKJQwlDQ9uUWXCwC by thatguyoverthere@shitposter.club
       2022-11-25T19:35:31.411700Z
       
       0 likes, 0 repeats
       
       @securecompliance @thegaryhawkins @wizzwizz4 @jerry nah you get better reception when you wear the hat
       
 (DIR) Post #APyX7NzFh1mlEzHlSq by Hyolobrika@gleasonator.com
       2022-11-25T21:59:03.350743Z
       
       0 likes, 0 repeats
       
       @jerry @jerry You mean this CISA? Why shouldn’t we mercilessly bully them until they cry again?