If you guys are scared of a fediverse server archiving your stuff, good... but understand that this behavior doesn't have to announce itself.

Those that do are a little scary; those that don't... well, they're monitoring.

I'll let you decide for yourself... but just know that OSINT on the Fedi is a trivial task if one were to wish to undertake it.


yes it does.

at this point blocking it just isolates you further...

I'm not saying it's the wrong thing to do... that's between you and your admin... BUT as long as unauthenticated & unauthorized federation are a thing... it won't change.

@thegibson @sungo it's not even just a m.s account at this point. It can come from anywhere. :x

Always could, I think?

@ella_kane @thegibson m.s and lobby servers like it are a nexus. They federate with most everyone else. They will not notice another silent account. So you get an account. And you listen. You listen to the whole fediverse echo in the timeline. And you record what you hear.

@thegibson @sungo I know how it's done. I'm just saying it's no longer just m.s. :x

I want to be clear... I think it is unethical to behave in this way... and I would never do it.

But... contrary to the belief of some... I'm not the bad guys...

@thegibson @ella_kane @sungo I’ll be totally transparent. I have sock puppets to monitor anyone I perceive to be a threat to me or those I care about.

@estoricru You've reminded me that I need to get certain aspects of my exocortex back online. I'm rarely transparent about anything though. :flan_peek:

Someone else around here was working on an exocortex...

@thegibson @ella_kane @estoricru @sungo I have been, yes. I've been working on it since undergrad. About 30% of me is implemented in software these days.

@drwho Anything I can peek at? I've been poking at the concept for a lot of years now but only in the last few years have I felt leveled-up enough to maybe take a serious run at the code.

@drwho The existence of huginn is new to me and should save me a metric fuckton of time :)

@sungo @ella_kane @estoricru @thegibson Indeed! I was able to replace a couple of score of bots with a single application! No more copying, hacking, and recompiling C code over and over again.

@drwho When more of my meat brain is online, I need to look at improving the docker stuff I've seen so far. I've got a 15 node docker swarm to run this shit on :)

@sungo @thegibson @estoricru @ella_kane Nice!

I know that Huginn runs more or less natively inside of Docker. I don't know how scalable it is, though - you should be able to spin up and down job workers as you need to. Looking in huginn/docker/, you can use the single-process containers for that purpose.

You're running your cluster on RasPis?

@drwho @sungo what do you consider exo-cortex? I know I could do an online search, but I'd rather get a more personal explanation of what it means to you.

@FiXato @drwho For me, an exocortex is anything that externalizes your usual meat brain processes.

From a software perspective, in my world, NewsBlur is a great example. Ostensibly it's just an RSS reader. It, however, offers training features. I can add rules based on content, tags, authors, etc and NewsBlur will filter the content appropriately. I end up with three lists: focus (high priority), regular, and hidden (trash). So rather than just getting a list of articles, I get prioritized content that saves me having to filter this shit with my meat brain.

@sungo thanks! That makes a lot of sense. I guess I've done similar stuff in the past with scraping and filtering.
One of those projects is a scraper for Dutch supermarket discounts that allowed me to quickly check at which of my usual supermarkets certain products were on discount, and which could notify me based on keywords. Stopped using/developing it when I moved to Norway, as all supermarkets here seem to use PDF/Flash/app-based solutions, which made scraping too cumbersome.

@FiXato Yeah, in the context of newsblur, it's a good example of a content agent. I send it out to find me interesting things and it comes back with content, contained by my rules and interests. In this case, it's obviously constrained by the sources I allow it to look at. The dream is to just let an agent like this free on the intertubes and train it over time. But this will do for now :)

@FiXato @sungo Flash-based crap is not amenable to scraping or API access at all.

@sungo @FiXato This. I use Huginn to pull and analyze data from hundreds of sources, aggregate and summarize what I need, prioritize findings based on an idiosyncratic scale, and send alerts when something happens.

I use TTRSS for longer-term monitoring. I access it only rarely these days.

I use Wallabag for making personal copies of stuff. Shaarli as a bookmark manager and as an online card catalogue. They also feed into YaCy as primary sources for depth-2 indexing runs as needed.

@drwho I see there are a bunch of interesting terms/names I need to look into. Thanks!

Now to find some time... can I borrow your TARDIS, or do you have some kind of time-dilation device you can spare? 😅

@FiXato @sungo A system, or set of systems which allow the user to augment their day-to-day capabilities by either offloading tasks to smart automation mechanisms, or by adding additional practical capabilities or senses.

@estoricru @thegibson @ella_kane @sungo You're not the only one. I have agents connected to those alts for the same reason.

@ella_kane @thegibson @sungo You don't even need to set up an account (but it would make some things easier). Observe:

Zero authentication required. With a little correlation, an attacker can harvest direct links to responses and replies, and pull those also.

A myriad of ways to compromise the perceived privacy of the fedi.

@drwho @thegibson @ella_kane Yup. But it's way easier to just sit on the federated TL firehose on a lobby instance and sit quiet. Problem with the RSS feeds is that your access is logged.

@sungo @thegibson @ella_kane True.

I mention it to bring up the point that an account is not needed at all (there is a perception going around that it is, and a lot of folks don't know what RSS is).

I don't know how heavily logged the Mastodon timeline APIs are. I've never tried to set up an instance so I don't know how it acts.

@drwho @ella_kane @thegibson It's an HTTP GET. It shows up in nginx at the very least, with the usual IP and referrer goodness, in a default config.
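The point made in this exchange is that unauthenticated feed and timeline fetches are ordinary GET requests and land in the instance's web-server access log. The following is an added example (not code from the thread or from any fediverse project) of what an instance admin can do with that log: parse nginx lines in the default "combined" format and flag clients that repeatedly poll public-feed endpoints. It assumes Mastodon's per-account RSS path (`/@user.rss`) and the public timeline API path (`/api/v1/timelines/public`); the log lines are constructed for the example.

```python
"""Flag repeated unauthenticated polling of public feed endpoints in an nginx log.

Added example, not from the thread. Assumes nginx's default "combined" log
format and Mastodon's public feed paths (/@user.rss, /api/v1/timelines/public).
The sample log lines at the bottom are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Public, unauthenticated feed endpoints (assumed Mastodon paths).
FEED_PATHS = re.compile(r'^(/@[^/]+\.rss|/api/v1/timelines/public)(\?|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_feed_pollers(lines, min_hits=3, window_seconds=600):
    """Return {ip: max_hits} for clients that fetched a public feed endpoint
    at least min_hits times inside any window_seconds-long span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue  # malformed line or not a read request
        if FEED_PATHS.match(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])

    pollers = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, j = 0, 0
        # Sliding window over sorted timestamps: widest run within the window.
        for i, t in enumerate(stamps):
            while (t - stamps[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_hits:
            pollers[ip] = best
    return pollers


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:12:00:00 +0000] "GET /@alice.rss HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '198.51.100.5 - - [01/Jan/2024:12:01:00 +0000] "GET /@alice.rss HTTP/1.1" 200 4821 "-" "Feedly/1.0"',
    '203.0.113.7 - - [01/Jan/2024:12:02:00 +0000] "GET /@alice.rss HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '198.51.100.9 - - [01/Jan/2024:12:03:00 +0000] "GET /@bob HTTP/1.1" 200 10233 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:12:04:00 +0000] "GET /@alice.rss HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '203.0.113.7 - - [01/Jan/2024:12:05:00 +0000] "GET /api/v1/timelines/public?limit=40 HTTP/1.1" 200 51200 "-" "curl/8.4.0"',
    '203.0.113.7 - - [01/Jan/2024:12:06:00 +0000] "GET /@alice.rss HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '198.51.100.9 - - [01/Jan/2024:12:07:00 +0000] "POST /api/v1/statuses HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for ip, n in find_feed_pollers(SAMPLE_LOG).items():
        print(f"{ip}: {n} public-feed fetches within 10 minutes")
```

Only the first address crosses the threshold; the single feed fetch from 198.51.100.5 and the HTML page view from 198.51.100.9 do not. A real deployment would read the log incrementally and tune the threshold to the instance's normal feed-reader traffic, but the logging itself is the default nginx behaviour the thread describes.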

@thegibson I tell all my clients “if you want real privacy, don’t use any social media at all. Non-negotiable.”

@thegibson I just learned yesterday that maybe the second person on the Web after Trump that I didn't particularly want to go out of my way to have reading me, has read me. Because Google indexes all of

A fundamentalist Christian literal witch-finder who influenced a former Pope is now following me on Twitter.

Oh well. It was probably going to happen anyway, and I don't intend to be especially secretive. But it's sure a thing.

@thegibson Yep, anyone can Google anything these days. Just ordinary random people with a lot of time on their hands and a divinely-appointed task to rid the world of evildoers.

@thegibson I take that back, it's nontrivial for Mastodon; it's less problematic with other solutions that work with/like Mastodon.

@thegibson This is a design flaw in AP (or rather in the current implementations), no?

@jalcine @thegibson we are making progress toward fixing such design flaws, but ultimately if you/your instance do not use the improved security options, then it will not matter.

@kaniini @thegibson right. this stuff isn't really thought about or heavily discussed in the IndieWeb as of yet. It's more on the philosophy that if you don't want it online then don't post it AFAICS

Ironically, IndieWeb is more secure than the fediverse because the network is designed to flow from domain to domain. One of the larger security challenges in the fediverse is the caching of third-party data.

@thegibson don't want to troll or anything. But we all are, at this very moment, of our own free will, posting stuff publicly online.

If I didn't want this particular thought of mine accessible to complete strangers on the internet I wouldn't have published it here.

I'm no Mastodon expert, but I believe one could host an invite only instance disconnected from the fediverse, right? That would facilitate "safe" communication inside a controlled community. But that misses the point.

@TheGibson true, but that doesn't stop vulnerable users being understandably wary of a user who announces his intention to do exactly that just because he can.


Which I address in these posts. You must do what fits your threat profile. I am not arguing taking action.

Just know that that action is ultimately pretty ineffectual.

@TheGibson I agree on the technical level. The issue for me is that there are vulnerable users spread across instances who may not have understood the technical details around federation and who is able to access what. Telling them they shouldn't have posted sensitive information because AP never specified protection does nothing to solve their problem. That horse has probably already bolted. 1/?

@TheGibson then we have actors on the fediverse threatening to put vulnerable people in danger just because there's nothing technical stopping them. Again the onus is put on already vulnerable people to defend themselves from this, rather than dealing with the threatening behaviour. 2/2

