
Nowhere Near Extinction: Mastodon One Year Later

A little over a year has passed since the November 2022 migration of many Infosec folks to Mastodon and the ActivityPub Fediverse. I wrote an introductory post about the platform early on, but it’s worth checking back in to see how things have evolved.

As a quick reminder, Mastodon is a decentralized social media platform that operates on the ActivityPub protocol. Out of the box, ActivityPub platforms “federate” with each other, connecting automatically, but allowing folks to self-organize how they like and work things out within and between the different communities. Mastodon focuses on microblogging, while other platforms are more Reddit-like, or Instagram-like, and so on. 

Jerry Bell – owner of infosec.exchange among many other servers – reflected a little on this in December, closer to the anniversary. At the time, infosec.exchange was rated as the seventh largest Mastodon instance. In addition, other servers of the infosec.exchange family rated as the top iceshrimp and mbin instances. As is apparent to anyone in the security communities on Mastodon, Jerry continues to work tirelessly to keep the servers up, running, and spam-free, and his efforts deserve enthusiastic kudos. He is a model security community citizen who goes far above and beyond.

Other infosec instances continue going strong. Many of our people can be found at hachyderm.io, ioc.exchange, hackers.town, and more. And of course quite a few infosec folks reside on non-hacking/non-infosec instances, and are no less a part of the community.

In reply to Jerry, InfoSec vet, scholar, CEO, and policy superstar Tarah Wheeler put it better than I could have:

#infosec uniquely needs good, curated, timely information with trusted heuristics from the community, because we are not an industry. We are a mafia trying to become a guild. My Fulbright research on WannaCry showed that Twitter and infosec influencers were the primary chosen source of rapid information from competent interlocutors for the first week. It’s because there were no official sources moving fast enough…or at least with a reputation for moving fast enough and also being good technical sources.

The past year has been an interesting one for Mastodon as it endured booms, busts, teachable moments, and growing pains. Some major instances have navigated leadership or moderation crises; others endured heartbreaking losses, like any community. The larger Fediverse, unsurprisingly, went through much the same, along with unexpected technical/social issues like an LGBTQIA+ positive Mastodon instance having its domain name seized by the Taliban (as it used the .af ccTLD). Intense debate on whether to federate with corporatized platforms like Threads and Bluesky fires up regularly, including cases where servers fork into “yes” and “no” instances, both with valid reasons. The terrain is complex, as navigating online communities always has been.

Most of the advice from my previous post on Mastodon still stands, but I’ll repeat the important ones:

  1. Use the advanced web interface.
  2. Lists are powerful, so explore that feature.
  3. Follow hashtags you’re interested in and find new folks to engage with from there.
  4. Mastodon supports multi-factor authentication, so you should enable it immediately.

A few things, though, have changed. 

Search

One of the major changes is that a platform update means accounts can now opt in to having their posts searchable on the platform. It’s not perfect, but it’s on the way to making Mastodon much more viable for folks just looking to dig up information. Hashtags continue to be very important to providing visibility for posts and, as mentioned, are followable either in your main timeline or in custom columns in the Advanced Web Interface.

Another set of tools I want to highlight around search is those @ResearchBuzz has collected at mastogizmos.com. They allow for hashtag search across many, many instances at once, enhanced people searches, trends across large swaths of the Fediverse, and more. It’s a fantastic toolset for anyone looking to do research, analysis, or just find more interesting things or people to follow.

Spam

In the least surprising news of the decade, spam also found its way to the Fediverse, including automated spam campaigns. A February spam attack exploited poorly-moderated or abandoned instances, especially ones that left registration wide open for new accounts to be created with no checks. As both a community member and the administrator of a Mastodon instance, it was interesting to watch in real time and see where things failed, but also where things went well.

In some senses the problem involved a failure of imagination as well as engineering; more specifically, Mastodon would benefit from some deep professional red-teaming on both a technical and a user level. When spammers began spinning up accounts across instances that either didn’t moderate or simply were no longer administered, the only initial response at hand was actively limiting or suspending federation with those servers, which can have deeper repercussions on a user-to-user level. It appears that the Mastodon engineering team is responding quickly, though, including an automatic function that vastly limits user interaction if no moderator signs into the server for seven days.

Being infosec and technology folks, many of us jumped into analysis and mitigation modes pretty quickly. Blocklists were spun up and other intelligence coordinated. Information sharing went very well, and it’s something the community can be proud of.

Because the attack mostly (but not exclusively) operated out of abandoned/unmoderated instances, domain-based analysis of the spamming instances proved unhelpful. Many affected instances emerged during that November rush, and the sheer number led to a domain scope that did not lend itself to building an attacker profile. It was simply an attack of opportunity.

It was also, apparently, fueled by a conflict on the rival platform Discord: one user wanted to discredit another, and so launched the campaign.

Both the administration/moderation and engineering sides of the response appear to have quickly learned lessons from this attack and moved to adapt, which is heartening. 
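The two observations above (spam spread thinly across many abandoned instances, so domain blocking helps little, and Mastodon’s new seven-day moderator-inactivity limit) can be turned into a simple triage heuristic for an instance admin. This is an added example, not code from Mastodon or from the original post; the abuse reports, domain names, and sign-in timestamps are all constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed abuse reports from one spam wave: (spammer account, origin instance).
REPORTS = [
    ("promo01", "lonely-a.example"), ("promo02", "lonely-b.example"),
    ("promo03", "lonely-c.example"), ("promo04", "lonely-d.example"),
    ("promo05", "lonely-e.example"), ("promo06", "lonely-f.example"),
    ("promo07", "lonely-g.example"), ("promo08", "busy.example"),
    ("promo09", "busy.example"),     ("promo10", "lonely-h.example"),
]

# Constructed "last moderator sign-in" timestamps for the origin instances:
# the eight "lonely" servers were set up in the November rush and then abandoned.
LAST_MOD_LOGIN = {f"lonely-{c}.example": "2023-11-20T09:00:00+00:00" for c in "abcdefgh"}
LAST_MOD_LOGIN["busy.example"] = "2024-02-14T18:30:00+00:00"
NOW = datetime(2024, 2, 15, 12, 0, tzinfo=timezone.utc)  # constructed analysis time


def top_domain_share(reports, top_n=3):
    """Fraction of reported accounts that come from the top_n origin domains,
    plus the number of distinct domains. A share near 1.0 means a handful of
    servers can be blocked; a low share means the spam is spread thinly and a
    domain blocklist barely dents it."""
    counts = Counter(domain for _, domain in reports)
    top = sum(n for _, n in counts.most_common(top_n))
    return top / len(reports), len(counts)


def unmoderated(last_login, now, max_idle=timedelta(days=7)):
    """Domains whose moderators have not signed in within max_idle: the seven-day
    threshold at which Mastodon now automatically limits interaction."""
    return sorted(d for d, ts in last_login.items()
                  if now - datetime.fromisoformat(ts) > max_idle)


def triage(reports, last_login, now):
    """Pick the mitigation that matches the shape of the wave."""
    share, _ = top_domain_share(reports)
    stale = set(unmoderated(last_login, now))
    stale_share = sum(1 for _, d in reports if d in stale) / len(reports)
    if share >= 0.6:
        return "block-top-domains"      # concentrated: a short blocklist works
    if stale_share >= 0.6:
        return "limit-unmoderated"      # opportunistic: limit idle instances
    return "content-signatures"         # diffuse and moderated: go by content
```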

Brands, People, and Infosec

Mastodon’s identity as a non-advertising, non-brand social media platform persists. Brands have not really found a foothold from which to tell people to buy breakfast cereal or yoga pants. However, as infosec information goes, several companies have established a presence and are using it to provide timely and qualitative threat intelligence. 

The latest additions along those lines have been:

Proofpoint’s Threat Insight research group

Infoblox Threat Intel

And of course I’d be remiss if I didn’t point to our own presence on Mastodon:

DomainTools

BreakingBadness

SecuritySnacks

There definitely exists space for companies, especially security-related companies, and other types of institutions to join the Fediverse and gain a following and other benefits by providing good-faith and accurate resources to the wider community. But monetization and immediate return on investment are unlikely to materialize, and that’s part of the allure to many users. We are not the product there, and we have influence over and responsibility for our own experience.

So yes, there’s definitely a place for institutions – many are active on Mastodon, including universities and security conferences. But where it truly shines is individual contributors. To find those individuals who truly fit the way you want to curate your timeline, you’ll need to dig in and do some searching. Of course, there’s a problem with listing individual infosec accounts on a corporate blog for all sorts of reasons, not the least being that irreverence is a very, very common personality trait among our people. Bearing that in mind, I suggest starting with the following folks on Mastodon, but please do not interpret this as a wholesale endorsement of their entire timeline. (Sorry, the lawyers made me say that.)

Tarah Wheeler – Red Queen CEO, mentioned above, and much more. An amazing institution in our industry, and an incredibly impactful policy person. Excellent poker face. 

Lesley Carhart – Dragos Director of Incident Response, a constant font of industry-wide wisdom and experience. They also run PancakesCon, and provide a huge amount of mentoring effort to the community. 

Renee Burton – Sr. Director, Infoblox Threat Intelligence. Great IOC aggregation and threat commentary. 

Kevin Beaumont – Great resource for both historical and emerging threat intel. Did I mention irreverence already? Okay yeah, just making sure. 

Catalin Cimpanu – reporter for Risky Business, on top of pretty much all the news.

Conclusion

No future is certain, least of all the future of online community, social media, or information security. Three years ago the landscape looked completely different for sharing and consuming near-real-time threat intelligence with the rest of the community. Three years from now it will likely look just as different from today. But Mastodon’s decentralized, self-organizing infrastructure continues to provide the Extremely Online Infosec community with a good platform to meet each other, talk about what we’re seeing, ask questions, and share knowledge. 

I hope to see you there.