Given the fast-moving nature of related news lately, we decided we’d take a few minutes to point out some decent resources for understanding Mastodon. It’s been around for six or seven years now, but due to shifts in social channels, Mastodon has suddenly merited a lot more attention. Most of “Infosec Twitter” has adopted it already.
Of course, that spawns a unique problem: as a security operations engineer, one of my main uses for Twitter is as an “early warning system” about infosec issues, and I’ve got some well-honed threat intelligence feeds that I don’t want to lose. So how do I rebuild those on Mastodon?
What Even is Mastodon?
Let’s start at the beginning. Mastodon is a decentralized, federated social media platform – which is to say, anyone that’s inclined to can set up their own Mastodon server and because of the way it’s designed, it will by default interact with most of the other Mastodon servers out there. So instead of everyone congregating at twitter.com, people from places like mastodon.social, infosec.exchange, and many other places can interact. Their accounts stay on the instance they sign up for and are administered there – subject to the rules and policies of the local server, and the moderators/admins enforcing them.
Mastodon is essentially a number of communities building themselves and interconnecting, and learning how to play nice with each other (or not).
Marcus Hutchins (MalwareTechBlog) wrote up a great piece from the perspective of someone already familiar with Twitter, and it’s very worth reading.
Mastodon, brand- and corporate-wise, is a very different animal. Many servers have explicit rules against advertising or actively trying to sell things to others, or other messaging or mechanisms that do not place user consent in the forefront. There is no algorithm to game – everything is chronological or otherwise configured by the user via filters. Many folks that have made the jump to Mastodon are finding it a breath of fresh air after being contained, measured, and broadcast to increasingly for years.
How this will develop further is anyone’s guess, for now – it is very likely that Mastodon isn’t the endpoint, but a stepping stone to whatever’s next. But it could be more long-term viable than we give it credit for. It also has major problems to confront for itself, such as bad actors and CSAM content. A large influx of Infosec Twitter has already migrated, and has already found major security vulnerabilities (that have been patched in record time!).
The situation is organic, wild, and developing with time. It will be fascinating to watch.
Now that we’ve talked a little about what it is, let’s talk about how to use it for threat intel purposes. As noted above, you can sign up on pretty much any open instance, but most industry folks have congregated around infosec.exchange or ioc.exchange (there’s a bit of irony in security professionals tying themselves to “exchange” servers!). You can also choose to migrate your account if you find an instance that appeals to you more, and the process is pretty painless.
Tip 1: Use the Advanced Web Interface.
First and foremost: the Advanced Web Interface is your friend. It’s a much more Tweetdeck-like experience with more malleability to curate your feeds. Go to Settings -> Appearance and click “Enable advanced web interface.”
Tip 2: Lists Are Powerful
Mastodon allows for the creation of custom lists you can curate to particular themes or subjects. I have separate lists for folks I know personally, infosec-related accounts, and others around different interests (sports, fandoms, your imagination is the limit).
Once you create a list, you’re going to want to Pin it to your home screen. You can do this by going to “Getting Started”, then choosing “Lists” and the List you want. Then find the Menu icon in the upper right, click it, and choose “Pin”.
Screenshot showing the Menu icon in the upper right corner and the +Pin option underlined in red.
That will then allow you to curate a landing dashboard with multiple columns of your choosing. Also note, not only can you do this with hashtags rather than accounts, but you can follow multiple hashtags in the same column!
Screenshot showing configurable options for hashtag columns, including allowing a single column to track multiple hashtags.
Also note the left and right arrows in the above screenshot, to the right of Pin/Unpin. These arrows allow you to rearrange the column order in Mastodon. Set it up how you like!
Screenshot showing multiple custom columns in Mastodon’s advanced web interface.
Tip 2: You Can Follow Hashtags on Mastodon
Hashtags are particularly important with Mastodon since searching for strings is disabled across most instances. But please don’t intersperse your hashtags in the text body of your message – that makes it almost unintelligible for folks using screen readers. Instead, tack a few hashtags onto the very end of your message.
Also, you can follow hashtags just like people, and have any visible post with the hashtag show up in your Home feed. Just search for the hashtag in the search box on the left, click on the hashtag to bring it up, and click on the “+” icon to follow it.
Screenshot of the upper right corner of the Mastodon advanced web interface after searching for and clicking on a hashtag, with the Follow icon underlined in red.
Tip 3: Consensus is Still Forming on Hashtags and SOPs.
Now let’s talk turkey about how to find stuff. As we’ve discussed, we’re all in the early stages here and still discussing norms, but a few have some preliminary agreement so far. The first is the #threatintel hashtag, for use in highlighting indicators of compromise or other threat intelligence so that other folks can see it. Folks were also considering #secalert but the “alert” terminology caused some to spurn it.
Unfortunately, standard CVE syntax isn’t hashtaggable on Mastodon, so that’s still up in the air. One possibility is using underscores instead, such as #CVE_2019_8651. However, consensus has not yet been reached here.
Tip 4: Who Loves RSS? We Love RSS! And So Do Mastodon Devs, Thankfully.
Just about every profile page, hashtag page, or other content display page in Mastodon will automatically become an RSS feed if you tack .rss on the end of it. Then feed it into your RSS reader of choice and, voila, you have a whole new feed!
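As an added example (not code from the original post or from Mastodon itself), here is a small Python script that builds the .rss URL for a profile or hashtag page as described above, then parses an RSS 2.0 feed to pull CVE identifiers out of posts tagged #threatintel, accepting both the standard CVE-YYYY-NNNN form and the underscore hashtag form (#CVE_2019_8651) floated in Tip 3. The feed sample, the example.invalid links and the CVE-2099 numbers are constructed for the demo; the script does no network access.

```python
"""Build Mastodon .rss feed URLs and extract CVE ids from #threatintel posts.
Added example, not from the original post. Sample feed below is constructed."""
import re
import xml.etree.ElementTree as ET
from html import unescape

def feed_url(page_url: str) -> str:
    """Append .rss to a profile or hashtag page URL, as the post describes."""
    return page_url.rstrip("/") + ".rss"

# Standard form CVE-2019-8651 and the hashtag-friendly form #CVE_2019_8651.
CVE_RE = re.compile(r"\bCVE[-_](\d{4})[-_](\d{4,})\b", re.IGNORECASE)
TAG_RE = re.compile(r"#(\w+)")

def strip_html(text: str) -> str:
    """Mastodon post bodies are HTML; reduce them to plain text."""
    return unescape(re.sub(r"<[^>]+>", " ", text))

def threatintel_cves(rss_xml: str, tag: str = "threatintel") -> dict:
    """Return {item link: sorted normalized CVE ids} for items carrying `tag`."""
    results = {}
    for item in ET.fromstring(rss_xml).iter("item"):
        body = strip_html(item.findtext("description", default=""))
        tags = {t.lower() for t in TAG_RE.findall(body)}
        if tag.lower() not in tags:
            continue  # hashtags are the discovery mechanism, so filter on them
        cves = {f"CVE-{m.group(1)}-{m.group(2)}" for m in CVE_RE.finditer(body)}
        results[item.findtext("link")] = sorted(cves)
    return results

# Constructed RSS 2.0 sample in the shape of a hashtag feed (HTML bodies escaped).
SAMPLE_RSS = """<rss version="2.0"><channel><title>#threatintel</title>
<item><link>https://example.invalid/@alice/1</link>
<description>&lt;p&gt;Exploitation seen in the wild for CVE-2019-8651.
&lt;a href="#"&gt;#threatintel&lt;/a&gt; #CVE_2019_8651&lt;/p&gt;</description></item>
<item><link>https://example.invalid/@bob/2</link>
<description>&lt;p&gt;Just a cat picture. #caturday&lt;/p&gt;</description></item>
<item><link>https://example.invalid/@carol/3</link>
<description>&lt;p&gt;Two bugs this week #ThreatIntel #CVE_2099_0001
#CVE_2099_0002&lt;/p&gt;</description></item>
</channel></rss>"""

if __name__ == "__main__":
    print(feed_url("https://infosec.exchange/tags/threatintel"))
    for link, cves in threatintel_cves(SAMPLE_RSS).items():
        print(link, cves)
```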
Tip 5: The Apps Aren’t Great – Try a Few Before Deciding.
The stock/native Mastodon mobile apps are fairly new and lacking in many features available on the web experience. However, a few apps have been around for years and get good word-of-mouth from power users, such as Tusky and Metatext.
Last Tip! Tip 6: Turn on Multi-Factor Authentication
Multi-Factor Authentication (MFA) is native to the Mastodon code, thankfully. Enable it by going into Settings -> Account -> Two-factor auth. With a large chunk of Infosec Twitter now using Mastodon on a daily basis, we’re bound to see a whole lot of security scrutiny and new vulnerabilities as we move forward. Go set up MFA now!
No one knows what comes next here; will this new platform have staying power, or just be the flavor of the month? The situation continues to be very fluid with no hints as to the outcome. But the cybersecurity community has very quickly adopted Mastodon for the time being, and it’s already proving useful thanks to early initiatives and guidance by folks like Jerry Gamblin, Lesley Carhart, apiratemoo, and more. Explore to your heart’s content, and then exploit what you’ve learned to your advantage! But share what you learn when you can.
You can follow DomainTools and DomainTools folks on Mastodon: