Notices by Merry Jerry 🎄🎅🕎⛄️❄️ (jerry@infosec.exchange)

It sounds like bsky is scrambling to add capacity and so they have limited some functionality. At their scale, I am left wondering how exactly they are paying for it since I don’t think they have an actual revenue stream. Perhaps I am wrong on that.

My wife helps lead a Christmas charity event in the Atlanta area and part of that event is a gift shop that they purchase stuff through the normal wholesale distributor program. They just got notice through that channel to expect a 40% price hike after the first of the year.

I was having a discussion with someone recently about the impacts that the proposed tariffs will have, and one of the concerns I’ve got, based on our experiences with Covid, is that even if the tariffs are just saber rattling, the retail network seems primed to increase prices regardless of what happens with tariffs.

Fun times.

@catsalad I haven't seen hard numbers, but there's been a lot written about the number of 30 under 30 that have been criminally charged: https://nationalpost.com/news/surprising-number-of-people-in-forbes-30-under-30-list-have-run-into-trouble-with-the-law

I wonder if the US DoJ just automatically opens up investigations on everyone on the Forbes 30 under 30 list now…

https://gizmodo.com/another-forbes-30-under-30-ceo-is-indicted-for-fraud-2000527006

I bought a fairly epic orchid today and I think it needs a name. Any recommendations?

Answer: “zero trust”

Question: “how much confidence do you have in people sticking crap straight on the internet and hoping that access controls work effectively?”

I’ve been getting a number of phishing emails purporting to be from Hetzner saying my payment into needs to be updated. It’s interesting excuse they targeting email addresses that are plausibly associated with my various fediverse service domains. The from addresses are nonsensical, and the link to login Hetzner are easy give away that it’s a scam.

Anyhow, please be on alert if you use Hetzner. I am guessing the play here is to steal your Hetzner login credentials, and (probably) payment information. Hetzner does have an alert in their portal about phishing attacks purporting to be from them so I think they are aware, though I found the targeting to be a bit novel.

Stay safe out there.

EDIT: I meant to add that if you have not already done so, you should turn on two factor authentication. I know it’s a pain, but it can partially mitigate the effects of accidentally falling for a phish like this, among many other attack tactics.

I have to go to the bank today. Like, actually drive there and walk in. I think the last time I did this, the years started with 19

@GossiTheDog they are enabled here, too. I think we drew the short straw for who the spammers are moving on to next.

Any other instances seeing dozens/hundreds of signup attempts that appear to be spammers?

NB: I am far, far from perfect, both as a person and as a moderator/administrator. I love this place we've built, and it breaks my heart to see what people go through here.

I've been participating in the fediverse for about 8.5 years now, and have run infosec.exchange as well as a growing number of other fediverse services for about 7.5 of those years. While I am generally not the target of harassment, as an instance administrator and moderator, I've had to deal with a very, very large amount of it. Most commonly that harassment is racism, but to be honest we get the full spectrum of bigotry here in different proportions at different times. I am writing this because I'm tired of watching the cycle repeat itself, I'm tired of watching good people get harassed, and I'm tired of the same trove of responses that inevitably follows. If you're just in it to be mad, I recommend chalking this up to "just another white guy's opinion" and move on to your next read.

The situation nearly always plays out like this:

A black person posts something that gets attention. The post and/or person's account clearly designates them as being black.

A horrific torrent of vile racist responses ensues.

The victim expresses frustration with the amount of harrassment they receive on Mastodon/the Fediverse, often pointing out that they never had such a problem on the big, toxic commercial social media platforms. There is usually a demand for Mastodon to "fix the racism problem".

A small army of "helpful" fedi-experts jumps in with replies to point out how Mastodon provides all the tools one needs to block bad actors.

Now, more exasperated, the victim exclaims that it's not their job to keep racists in check - this was (usually) cited as a central reason for joining the fediverse in the first place!

About this time, the sea lions show up in replies to the victim, accusing them of embracing the victim role, trying to cause racial drama, and so on. After all, these sea lions are just asking questions since they don't see anything of what the victim is complaining about anywhere on the fediverse.

Lots of well-meaning white folk usually turn up about this time to shout down the seal lions and encouraging people to believe the victim.

Then time passes... People forget... A few months later, the entire cycle repeats with a new victim.

Let me say that the fediverse has a both a bigotry problem that tracks with what exists in society at large as well as a troll problem. The trolls will manifest themselves as racist when the opportunity presents itself, anti-trans, anti-gay, anti-women, anti-furry, and whatever else suits their fancy at the time. The trolls coordinate, cooperate, and feed off each other.

What has emerged, in my view, on the fediverse is a concentration of trolls onto a certain subset of instances. Most instances do not tolerate trolls, and with some notable exceptions, trolls don't even bother joining "normal" instances any longer. There is no central authority that can prevent trolls from spinning up fediverse software of their own servers using their own domains names and doing their thing on the fringes. On centralized social media, people can be ejected, suspended, banned, and unless they keep trying to make new accounts, that is the end of it.

The tools for preventing harassment on the fediverse are quite limited, and the specifics vary between type of software - for example, some software like Pleroma/Akkoma, lets administrators filter out certain words, while Mastodon, which is what the vast majority of the fediverse uses, allows both instance administrators and users to block accounts and block entire domains, along with some things in the middle like "muting" and "limiting". These are blunt instruments.

To some extent, the concentration of trolls works in the favor of instance administrators. We can block a few dozen/hundred domains and solve 98% of the problem. There have been some solutions implemented, such as block lists for "problematic" instances that people can use, however many times those block lists become polluted with the politics of the maintainers, or at least that is the perception among some administrators. Other administrators come into this with a view that people should be free to connect with whomever on the fediverse and delegate the responsibility for deciding who and who not to block to the user.

For this and many other reasons, we find ourselves with a very unevenly federated network of instances.

Wit this in mind, if we take a big step back and look at the cycle of harassment I described from above, it looks like this:

A black person joins an instance that does not block m/any of the troll instances.

That black person makes a post that gets some traction.

Trolls on some of the problematic instances see the post, since they are not blocked by the victim's instance, and begin sending extremely offensive and harassing replies. A horrific torrent of vile racist responses ensues.

The victim expresses frustration with the amount of harassment they receive on Mastodon/the Fediverse, often pointing out that they never had such a problem on the big, toxic commercial social media platforms. There is usually a demand for Mastodon to "fix the racism problem".

Cue the sea lions. The sea lions are almost never on the same instance as the victim. And they are almost always on an instance that blocks those troll instances I mentioned earlier. As a result, the sea lions do not see the harassment. All they see is what they perceive to be someone trying to stir up trouble.

...and so on.

A major factor in your experience on the fediverse has to do with the instance you sign up to. Despite what the folks on /r/mastodon will tell you, you won't get the same experience on every instance. Some instances are much better keeping the garden weeded than others. If a person signs up to an instance that is not proactive about blocking trolls, they will almost certainly be exposed to the wrath of trolls. Is that the Mastodon developers' fault for not figuring out a way to more effectively block trolls through their software? Is it the instance administrator's fault for not blocking troll instances/troll accounts? Is it the victim's fault for joining an instance that doesn't block troll instances/troll accounts?

I think the ambiguity here is why we continue to see the problem repeat itself over and over - there is no obvious owner nor solution to the problem. At every step, things are working as designed. The Mastodon software allows people to participate in a federated network and gives both administrators and users tools to control and moderate who they interact with. Administrators are empowered to run their instances as they see fit, with rules of their choosing. Users can join any instance they choose. We collectively shake our fists at the sky, tacitly blame the victim, and go about our days again.

It's quite maddening to watch it happen. The fediverse prides itself as a much more civilized social media experience, providing all manner of control to the user and instance administrators, yet here we are once again wrapping up the "shaking our fist at the sky and tacitly blaming the victim" stage in this most recent episode, having learned nothing and solved nothing.

I just got the alert about the proposed Secretary of Health and Human Services and thinking that the term “chaos theory” is about to get a new definition.

Hi all. As most of you know, I host a security-focused podcast with @lerg called Defensive Security, where we discuss recent news and happenings and what that means for defending your organization. We decided that people may be getting tired of only hearing us talk, so today, we are announcing a brand new podcast called Getting Defensive where we interview interesting people in the security industry. Many of you previously volunteered to be interviewed and I still have your contact info and will be reaching out soon.

We are still getting this thing off the ground and have some rough edges to smooth over, but I hope you find it interesting and useful.

You can find the podcast on our YouTube channel: https://www.youtube.com/@DefensivePodcasts and on our website at https://gettingdefensive.com

Crazy that bsky added as many new users in the week since the US election as the fediverse has active users.

Also, it’ll be exciting to see how bsky decides to monetize all them eyeballs and juicy social connection information.

It is once again bingo time!

@mitka I interpreted feld’s comment as meaning that we will soon not have people who understand macro economics due to getting rid of the DoEd, not that getting rid of DoEd is a good idea. @feld

@feld if only there were a field of study that could help inform their decisions rather than trying to run a $28T/year country with 340M people like a business

So… we now have a US federal department named DOGE… led by Musk 🤦♂️