Right now the fediverse is nipping at the heels of the silos.

They know we are here, and they perceive us as a threat. We know this from leaked emails from Facebook.

That said, they could attack us in an oblique manner with any number of poisoned waterhole attacks.

Earlier today someone predicted one or more of those platforms will just integrate ActivityPub and crush us by incorporating us.

Another pointed at the potential for procedurally generated instances that just harvest data, or overwhelm our ability to suspend all of the instances they throw up.

When these attacks are adapted to... they'll get concerned, and will try to frame us as part of "the dark web(tm)"...

That's how we'll know we're winning.


I'm interested in brainstorming immune system defenses

beyond our strength as actually real people who can tell the difference between fake and person, usually pretty obvious



I am interested in this as well.

I feel like some sort of new instance registry may be necessary if we see these sorts of co-opting efforts occurring...

Like a low speed probationary period or something...


Registry of instance to a peer to peer shared federated list of instances

and with the moderators and hosts of the

There's so many already!

Facebook is going to be regulated soon anyway, is my tangible reality goal. They aren't going to be. At all. Go away entirely fb


So I've been brainstorming since the last toot

Is there a mastodon specific security group or instance set up or on chat?

Or just people who are looking for a puzzle?

@thegibson @Food The other thing to look out for are large quantities of instances on related IP blocks. Major corporations often pay for large IP address spaces, in part to work around spam blacklists.



I'm looking for a solution about how GitHub's parent company is now Microsoft

Something we can use as #foss and such that has nothing to do with that recent company grab

@Food @vertigo @thegibson well there's gitlab. It has a self-hosted option.

GitHub is unfortunately so entrenched because of the discoverability it offers its users.

@waterbear @Food @thegibson It's one of the reasons why my projects are managed and even hosted using #Fossil.

It's definitely not for everyone though.



How about this

Developers need to get paid enough for food, water, shelter, healthcare, so they can live their ethics and values, avoiding being compromised

Moderators, who also need to get paid a bit or donated to, can have an allotment of individual accounts they're ideally responsible for: personally verifying that each person is a person, and making sure they have the basics of security and data storage in check.

@vertigo @TheGibson

Backups of data have to be in places that are redundant, and owners hosting instances need to make sure they're on top of the management of the small bits of security that add up. Also, it would be good to pay them.

@hugo setup comes to mind

@vertigo @TheGibson @hugo

Creating and refreshing an open, redundant list of the fediverse and all attached instances and users, and how many each instance has in overlap, can help us identify weak links and see if there are any vulnerabilities in the awareness linkup.

Sorta like finding broken packages, only we'd have a list of traits of non-real cues to watch for, and when finding a part, removing it somehow, probably by alerting surrounding mods.

@vertigo @TheGibson @hugo

Thinking of vulnerabilities of servers hosted on proprietary or at least insecure hosts: how to encourage hosting on places that are guaranteed to be as close as possible to the values and ethics of running a server.

And having an identified list of those server instance spots.

@TheGibson @Food
For one, whitelisting needs to be more of the norm, and people are going to have to be selective about who they federate with anyway, even among normal instances.

@mirzaba @thegibson @Food The most elegant solution I saw someone propose (can't remember who though :s) was to auto-block instances hosting more than N users to force decentralisation, and avoid the fate of email.

But the problem is that we already have too big instances like mastodon.social or pawoo.net. So maybe we're doomed.

Also, if you have a link or source regarding those leaked Facebook emails about federation I'd be interested.

@rick_777 @lertsenem @mirzaba @thegibson @Food How should a new instance establish itself if it can’t federate without first being on a whitelist?

@duck57 @rick_777 @lertsenem @mirzaba @Food

a problem...

After some thought... maybe the natural way an instance slowly federates is enough to make it uneconomical to abuse.

but I feel like this could be scriptomatically overcome by selective high value follows...

@duck57 @rick_777 @lertsenem @TheGibson @Food
Much like a user would look for an invite or apply to an instance, people in said up-and-coming instances would take it upon themselves to make a case for federating with their instance. Or show their ToS or something to ensure they mean business with moderation.

@mirzaba @rick_777 @lertsenem @thegibson @Food Maybe the default is muted by default: new instances can follow whomever they like (so long as the account they want to follow isn't on a strict whitelist instance), but manual approval is necessary for posts and replies from the new instance to reach existing instances.

@TheGibson @Food
>Instance registry

>looks at eris.Berkeley.EDU
>looks at Q-line
>looks at EFNet

history likes to repeat itself, doesn't it? :P



Hence I'm proposing the owners and moderators get to know each other as people lol

Conferences for mastodon doubling as a user's convention

@Wolf480pl @Food

I am not necessarily suggesting it as the solution... but I don't know how we make ourselves resilient to abuse of the open system without some sort of whitelisting.

That said, yes... we tend to repeat ourselves.🤔



It's good to look through all the ideas for sure.

What we have that the centralized ones don't is individuals who are people who are more than paid to care.

@TheGibson @Food

IMO, to a certain extent, this is a question of what our goals are.

If our goal is to have a federated network which _everyone_ can join with their instance, then we should allow Facebook et al. to join us, and we should work on ways to make sure that the joining of Facebook won't cause harm to people on other instances.

If our goal is to have an isolated safe space away from mainstream socnets, then whitelisting would be a good approach, but it wouldn't be "Fediverse" anymore.

@TheGibson @Food
Keep in mind that for many people a rule like "if you want your instance to join the Fediverse, you need to contact a *real person* who already has an instance and have them vet your application" would be a showstopper.



I'm for whatever instances from whoever, person or not, as long as they're able to enforce a code of conduct and uphold really being Mastodon socially.

@Food @TheGibson
But there isn't a single code of conduct governing the whole Fediverse. Every instance has different rules, and most of them can still live peacefully together, despite the differences.

Also, it's not just Mastodon. It's also Pleroma, Pixelfed, Friendica, Hubzilla, Misskey, Peertube...



Heh this is where religious sects branch off and all

Calvin, church of england, reformists vs that-word-that-means-strictly-the-same

@sungo @TheGibson like you have a fucking issue with Awoo space??? So fuck off???

@thefishcrow @thegibson Not sure why you're coming at me like this. I think it's fair to say that they represent a sizeable schism in the fediverse. "schism" doesn't particularly mean "bad". Just that they broke off and went off on their own.

@Wolf480pl @Food

I agree, which is why I don't know that a register is a good idea.



Focusing on having people here as people and throwing out organizational associations or brands and such is my view.

The benefit of being here is it isn't about someone else's agenda.

I think approaching security in this way: person to person, at their degree of responsibility, with clearly defined roles and a code of conduct, and people running the servers who are aware of each other, being aware of the people they're near.

@Wolf480pl @Food

I don't have a problem with them joining the fediverse... we can block their instances...

What I am concerned about is the potential for a concerted effort to poison the fediverse at large with a large number of junk instances.



The verification process would be a little behind the computer part of the system. Like, literally, humans interacting

That would mean for every user there would be at least one assigned mod

And instances that are large would require, ideally, mods for every set number of users.

And then we can be really tight socially, without loose ends or weird "idk what this is, it's just here" that turns into death.

@Food @TheGibson
But as it is right now, the Fediverse isn't tight socially, and I don't think it's possible to have this many people be tight socially.

I don't think it's even desirable. In such a large amount of people it's very easy to find 2 individuals who just don't like each other and would rather not be forced to talk to each other.



Hm yeah

At the beginning of thinking of this all, I was thinking of the difference between making an audio signal chain and just having an infinite fractal, and whether this is something that we even have power over, and I came to the conclusion that individuals have power in here, and not much higher does it go.



What @cypherpunk@mastodon.social is saying about distributed networks piques my interest, because then there's no "up".

However the host computer would have to always be on and always be connected to the internet, or there would have to be some sort of in-outbox online always

@Wolf480pl @TheGibson @Food if FB decided to federate, I doubt any existing fediverse instance could survive without blocking FB. I don't see this as a philosophical question, but rather a technical and economic one. FB probably has 3 orders of magnitude more users and 4 to 5 orders of magnitude more traffic than does the fediverse. Even if pleroma/mastodon/etc could scale to that level of traffic without major changes, it would be too expensive to operate.

@jerry @TheGibson @Food
Only if people from your instance follow people from FB. And only to the extent they follow people from FB.

AFAIK, if people from my instance follow a total of 5 people from .social, then my instance will only receive posts of those 5 people from .social, not all posts from everyone on .social.
(if it's not the case then the protocol is terribly broken)

Now, do you think people from your instance would suddenly follow everyone from FB?

@Wolf480pl @jerry @Food
Your federated timeline, and thereby your required storage will explode.

@TheGibson @jerry @Food but federated timeline shows only posts from people who are followed by someone on your instance.

@Wolf480pl @jerry @Food

If I were an attacker, I would have accounts on prominent servers that would scriptomatically follow the accounts I wanted on the compromised servers.

@TheGibson @jerry @Food
Now we're talking!
This is a very interesting attack scenario.

So the key here is to distinguish a legit user following profiles from <bigInstance> from a bot following profiles from <bigInstance> in order to fill your disk.

Or is it?
Even if it's a real user following too many people from <bigInstance>, that can cause trouble for the admin. 1/2

@Wolf480pl @jerry @Food

This is the scenario when I refer to a poisoning scenario.

@TheGibson @jerry @Food

So we need a method in place for admins to identify users who cause too much load on the server and either politely ask them to move somewhere else, or to reduce the load they're causing, or have them cover part of the costs of the server, or find some other solution.

Either way, AFAIU, only people on your server can cause load on it (or, for that matter, other issues), and you need a way to monitor which of your users are causing issues.

@Wolf480pl @jerry @Food

So, kind of....

Let's say I have a compromised account on your server.

I follow a bunch of accounts from a thousand different instances that are mostly quiet.

Those accounts at some point start to all post heavy video content.

All of it comes to the federated timeline on your server.
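An added example, not from anyone in this thread, of the monitoring Wolf480pl asks for (identify which local users cause the load) applied to the scenario in the last post (one account following many mostly quiet accounts on many instances): attribute each inbound remote post's media to the local users whose follows pulled it in, then flag users whose attributed storage or fan-out across remote instances is out of line. All follow data, deliveries and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: local username -> remote accounts it follows ("user@instance").
FOLLOWS = {
    "alice": {"bob@example.social", "carol@photos.example"},
    "mallory": {"bob@example.social", "v1@quiet1.example",
                "v2@quiet2.example", "v3@quiet3.example"},
}

# Constructed inbound deliveries: (remote author, media bytes attached to the post).
INBOUND = [
    ("bob@example.social", 2_000),
    ("carol@photos.example", 3_000_000),
    ("v1@quiet1.example", 400_000_000),   # previously quiet accounts suddenly post heavy video
    ("v2@quiet2.example", 350_000_000),
    ("v3@quiet3.example", 250_000_000),
    ("nobody@elsewhere.example", 5_000_000),  # no local follower: reply/boost, not attributed
]


def attribute_load(follows, inbound):
    """Per local user: media bytes their follows pulled in, and distinct remote instances followed."""
    followers = defaultdict(set)  # remote account -> local users following it
    for local, remotes in follows.items():
        for remote in remotes:
            followers[remote].add(local)
    stats = {
        local: {"bytes": 0.0,
                "instances": len({r.split("@", 1)[1] for r in remotes})}
        for local, remotes in follows.items()
    }
    for author, size in inbound:
        pulled_by = followers.get(author, set())
        if not pulled_by:
            continue
        # Media is fetched and stored once per post, so split its size evenly
        # across the local followers; per-user totals then add up to real storage.
        share = size / len(pulled_by)
        for local in pulled_by:
            stats[local]["bytes"] += share
    return stats


def flag_users(stats, byte_limit, instance_limit):
    """Local users whose attributed storage or instance fan-out exceeds the limits."""
    return sorted(u for u, s in stats.items()
                  if s["bytes"] > byte_limit or s["instances"] > instance_limit)
```

Run this against real data by feeding it the follow table and the inbound media log of your own instance; the limits are policy knobs an admin tunes to the instance's disk budget.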

