Post ASBvfylP0hjG2P16sC by mazal@infosec.exchange
 Post #ASBvfoBaL18XEQBMem by spencerdailey@journa.host
       2023-01-05T01:56:14Z
       
       1 likes, 0 repeats
       
       I love so much about Mastodon, but I'm afraid its threat model is borked. If dozens upon dozens of governments are hacking journalists' iPhones and Android devices, the odds that servers (each hosting thousands of accounts) aren't hacked (now or later) is close to zero, and that makes me uneasy. Look at a project like WordPress or Drupal, which fairly often undergo mass 0-day exploit events, and tell me that Mastodon won't just once. It only takes once b/c when hackers get your keys it's over 1/3
       
 Post #ASBvfteU10DuBUk0tU by spencerdailey@journa.host
       2023-01-05T02:14:38Z
       
       0 likes, 0 repeats
       
       I think this raises stakes for Mastodon scaling up its team with top-notch people who can pay the attention needed to mitigate security issues (not sure you can "fix" all of them). It's great that infosec is already on Mastodon in full force, yet I've learned via their chatter of the myriad ways this implementation of ActivityPub can be abused to bring down servers (via denial of service or straight-up security issues). b4 [emoji] is popular, we need a network designed to withstand popularity/notoriety
       
 Post #ASBvfwuXtjr2IBHNqa by spencerdailey@journa.host
       2023-01-05T02:21:11Z
       
       0 likes, 0 repeats
       
       Nostr's federated social model lets users (locally) own their social identity's private keys. Maybe Bluesky/ATProtocol will too, but that's likely DOA b/c Elon is steering it now :/ . That way, when the public-facing relays inevitably get hacked, the attacker doesn't literally steal their identity. That is nice, and Mastodon doesn't benefit from that design. Which means the stakes are exceedingly high that this project tightens its security. I fear it's too late. But I'll enjoy it while it lasts.
       
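The design contrast in the post above (identity keys held only on the user's device versus keys held by the server) can be made concrete with a small signed-event model. The following is an added illustration written for this page, not code from Nostr, Mastodon or any of the people in the thread; it uses Ed25519 from the Go standard library and a constructed `Event` type rather than either protocol's real wire format (Nostr itself uses secp256k1 Schnorr signatures, and ActivityPub's HTTP signatures differ again). The point it shows: a relay that only stores and forwards events cannot alter or forge them without breaking verification, whereas a server that holds the private key can impersonate the user freely.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Event is a constructed, simplified signed post: the author's public key,
// the content, and a signature over the content. It is an illustration of
// client-held identity keys, not the real Nostr or ActivityPub format.
type Event struct {
	PubKey  ed25519.PublicKey
	Content string
	Sig     []byte
}

// Author keeps the private key on the client; it is never sent to a relay.
type Author struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewAuthor generates a fresh identity keypair locally.
func NewAuthor() (*Author, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Author{pub: pub, priv: priv}, nil
}

// Sign produces an event that any reader can verify with only the public key.
func (a *Author) Sign(content string) Event {
	return Event{PubKey: a.pub, Content: content, Sig: ed25519.Sign(a.priv, []byte(content))}
}

// Relay models the Nostr-style design: it stores and forwards events but
// holds no private keys, so a compromise of the relay yields no signing power.
type Relay struct{ events []Event }

func (r *Relay) Publish(e Event) { r.events = append(r.events, e) }
func (r *Relay) Events() []Event { return r.events }

// Verify is the check every reader (or honest relay) runs on receipt.
func Verify(e Event) bool {
	if len(e.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(e.PubKey, []byte(e.Content), e.Sig)
}

// TamperedCopy models a compromised relay rewriting stored content
// without access to the author's private key.
func TamperedCopy(e Event, newContent string) Event {
	e.Content = newContent
	return e
}

// KeyCustodian models the server-held-key design the post warns about: the
// server holds the user's private key, so whoever controls the server can
// sign anything as that user and verification cannot tell the difference.
type KeyCustodian struct{ users map[string]*Author }

func NewKeyCustodian() *KeyCustodian { return &KeyCustodian{users: map[string]*Author{}} }

func (c *KeyCustodian) Register(name string, a *Author) { c.users[name] = a }

// Impersonate is what a server compromise buys an attacker under this model.
func (c *KeyCustodian) Impersonate(name, content string) (Event, bool) {
	a, ok := c.users[name]
	if !ok {
		return Event{}, false
	}
	return a.Sign(content), true
}

func main() {
	alice, _ := NewAuthor()
	relay := &Relay{}
	relay.Publish(alice.Sign("hello from my own keys"))

	genuine := relay.Events()[0]
	fmt.Println("genuine verifies:", Verify(genuine))                        // true
	fmt.Println("relay-tampered verifies:", Verify(TamperedCopy(genuine, "x"))) // false

	custodian := NewKeyCustodian()
	custodian.Register("alice", alice)
	forged, _ := custodian.Impersonate("alice", "server-signed as alice")
	fmt.Println("server-held-key impersonation verifies:", Verify(forged)) // true
}
```

Readers verify against the public key only, so in the relay model the worst a breached relay can do is drop, delay or replay events; in the custodian model the breach is the identity, which is the asymmetry the post is pointing at.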
 Post #ASBvfylP0hjG2P16sC by mazal@infosec.exchange
       2023-01-05T07:59:46Z
       
       1 likes, 0 repeats
       
       @spencerdailey wow. i hadn't realized twitter is funding #Bluesky :blobcatnotlike:
       
 Post #ASBvg19w6SXfT4VjOK by chrismessina@mastodon.xyz
       2023-01-31T03:54:43Z
       
       0 likes, 0 repeats
       
       @mazal @spencerdailey technically Jack was, right? https://www.theverge.com/2022/10/29/23428241/elon-musk-twitter-bluesky-decentralized-social-networking-future
       
 Post #ASBvg3zPa2uEFIbru4 by spencerdailey@journa.host
       2023-01-09T03:34:16Z
       
       0 likes, 0 repeats
       
       see above^ @jerry @SwiftOnSecurity @Pwnallthethings Do any of you feel like saying "Mastodon's threat model is borked" is an overreaction? I'm just concerned it would take merely one 0-day event (like https://www.techmeme.com/150919/p1#a150919p1, https://www.techmeme.com/180330/p15#a180330p15, https://www.techmeme.com/141016/p46#a141016p46, etc etc) to completely reset this experiment. We all see how hard nation-states attack Twitter - from killing DNS resolving services, to flooding Twitter with porn, to bribing employees, etc. Could Mastodon survive success?
       
 Post #ASBvg4cPF468CEr0gS by realcaseyrollins@social.teci.world
       2023-01-31T04:49:28.207612Z
       
       0 likes, 0 repeats
       
       I mean it's a division of #Twitter if I'm not mistaken. Although I doubt much is keeping #JackDorsey from funding or buying it if he wants to.
       
 Post #ASBvg8f2DEZqjY7AKu by spencerdailey@journa.host
       2023-01-31T04:05:20Z
       
       0 likes, 0 repeats
       
       the silence in the replies here is deafening.