Notices by Tinker ☀️ (tinker@infosec.exchange)

So this actually happened:

I rode an electric kickscooter down to a side alleyway across from a rail transit station to pick up some second hand body modification electronics (a CPAP) from a man who has cybernetic implants in his chest! I had to get the 2nd hand body mods off the street because I can't afford proper healthcare.

I'm living in a @GreatDismal novel.

(And, yes, the weather was cold, dreary, and overcast - the sky above was the color of a TV tuned to a dead channel...)

#cyberpunk

@coloco - No, me refiero a mi teléfono. Mi teléfono creará un collage de mis fotos. Pero mi teléfono usa fotos que no me gustan.

Ohhhhhkay... We're gonna turn off those "this time last year" picture collages.

Don't need to see any of that.

@coloco - Los gobiernos y las corporaciones deciden las leyes.

@valkyrie @mensrea @0xF21D - Sadly, if you LIVE in the US, it doesn't matter where the server physically resides.

Plenty of examples of Americans hosting servers in non-extradition countries but still living in the states. Alot of the tor-hidden-service drug markets fall into this category. Heck, look at Kim Dotcom who both did not live in the US nor had physical servers in the US, lol.

@mensrea @0xF21D @valkyrie - Yeah, capitalists and their bribed lobbied politicians will use laws to try and destroy non-capitalist endeavors.

Mastodon, PixelFed, PeerTube, and other Fediverse admins of public servers might have to sort out legal issues and liability issues.

Article on some of that here: https://www.wired.com/story/mastodon-legal-issues-tipping-point/

Some possible solutions is to create a join legal insurance and legal advice co-op. Admins could pay a monthly fee to gain access to an liability insurance fund and to establish best practices in maintaining their instances.

._______
#mastodon #fediverse #admin

For those wondering about the John Mastodon meme, here is the publication that claimed:

• John Mastodon was banned from twitter (it was JOIN... Join Mastodon... not John.)
• Mastodon was named after this fictitious man.
• Confusing Mastodon the software with a centralized social media company.

They're just making up things now, lol.

._______
#JohnMastodon

Here before too long, I'm just going to close down my account permanently.

I think enough time has passed that anyone that was going to find me here, has.

I've got a method that will remove all of my followers and a second method that will seal off my name so no one can use it to spread disinfo (Once I've done that, and it takes a bit, I'll do a quick post here on how to do it.)

I thought of just letting the name go, but I've been quoted in too many news articles and blogs throughout the years that doing so would be irresponsible.

Lol, when a bunch of hackers migrate to new services, they tend to kick the tires a bit 😂.

Here, some hackers found a way to steal Mastodon passwords by manipulating the way Mastodon allows (and sidestepping the way Mastodon protects) HTML imbedded into posts.

It also highlights the ways that third party plugins (here Glitch, found on the Mastodon server infosec(dot)exchange and others) introduce interesting attack vectors that core maintainers don't initially control (thoughts go out to Wordpress).

The hackers then reported the issues to the Mastodon team and the Glitch team so they could issue security patches.

Big shoutout for finding/reporting the vuln:

• @gaz
• @albinowax

Kudos to the Mastodon & Glitch teams for coordinating and issuing a timely security patch.

I expect we'll see a lot of more of these initially (this is good, means the website is getting more secure).

Takeaways:

• Users: Consider changing your Mastodon password. Implement Multi-Factor Authentication.
• Admins: Update to the latest Mastodon version. Update any plugins as well.

Full writeup here: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

#infosec #WebAppPentesting #hacking #BugHunting

Here's the mobile UI showing the tabs on the right and the button to follow hashtags.

Reminder: You can follow hashtags (not just individual accounts).

So, to reiterate, your Home feed can contain not just accounts you follow or their boosts, but posts of specific hashtags as well.

All blended together.

#feditips

@coloco - verdad

@jerry

We have announcements now?!

@jerry, this is shnazzy.

Neither the software development behind Mastodon, nor your local instance (assumption) runs on Ads.

You aren't subject to the surveillance economy.

You aren't subject to an algorithm that is designed to cause addiction and engagement through rage porn.

It is generally free and open source, but it still costs money to run.

*If* you have the means, consider donating monthly or once, even a little bit, to both the software development of Mastodon and to your local instance.

(Don't worry if you're not able to or don't want to.)

Mastodon Software Development:
https://www.patreon.com/mastodon

Example Local Instance (for infosec(dot)exchange): https://liberapay.com/Infosec.exchange/

_____
#feditips

Demonstration of how #Peertube and #Mastodon interact and federate with each other:

Note: The video below is hosted on Peertube.

https://peertube.cpy.re/w/da2b08d4-a242-4170-b32a-4ec8cbdca701

Folks talking about various Mastodon instances being slow or laggy while they scramble to upgrade...

...should remember when Twitter was like this: