A quick note of something that may be important for people to know: I already noted that DMs here are a bit sketchy security wise, but (THIS IS THE IMPORTANT BIT): if you mention someone else's account in a DM, Mastodon yoinks them into the conversation.

So, you know, if you think you're talking about someone behind their back, you might be doing it to their face.

@mmasnick so who did you embarrass yourself in front of ;)
@peter thankfully it wasn't something like that! Someone else mentioned me in a perfectly normal conversation, and suddenly I was in the DMs (though I couldn't see what transpired earlier!)
@mmasnick Yikes. "Important safety tip, Egon." (B. Murray, "Ghostbusters") Thanks.
@mmasnick Reminds me of the time years ago when my boss yelled at our department and I shot a Yahoo IM to a coworker that said, “Wow! Someone’s pissy today!” My heart just about leapt through my chest when I realized that I sent the message to my boss by mistake.
@mmasnick @trashjuicebox Oh god, if only. I wasn’t fired. I tried to play it off like I sent it to her “as a concerned friend.” Really, I just learned a valuable lesson about putting/not putting things in writing.
@BookSmart @mmasnick how did your boss react?
@Lookitmychicken @mmasnick If we ever had a chance at being friends, it disappeared that day. She wasn’t exactly fooled by my back-pedalling. I did get a begrudging apology though…
@BookSmart @mmasnick "Whaaat no, I totally wasn't talking about you! That's crazy!"
@BookSmart @mmasnick don't keep us in suspense, what happened next!?
@silico_biomancer @mmasnick I did! I did! I'd direct you to my response, except I don't know how to do that yet.
@BookSmart @mmasnick you can share the link, but I don't see it on your profile so it might just be instance teething issues with the flood of people. May also be the privacy settings for the post?
@mmasnick Man I've fscking done that to myself 9_9 god how embarrassing
@mmasnick You talk about it like it's happened to you before
IF it's confidential use PGP
@mmasnick they’re pretty sketchy on Twitter too. Not sure they ever got around to encrypting them.
@mmasnick easy to solve - don't talk shit!
@Imlordofthering that was just a hypothetical so that people might internalize why they should understand this!
@mmasnick absolutely! I think it is good to remind people to not talk shit though. I need a reminder often too.
@mmasnick rule number one: never say anything about anyone that you're not willing to say to their face. Makes so many things easier!
@FluxLalonde again, it's not just for THOSE situations. I was using that as an example so people would get why this is a concern. I was pulled into a non-insulting conversation and it just resulted in some confusion.
@mmasnick agreed. Private direct messages, or authenticated sourcing of messages looks like a perfect opportunity for automatic public/private key management. I'm sure I'm not the first to think of this in the federated context.
it's likely no different than Twitter. It's up to the client to display messages intended for the recipient. The server actually blasts messages all over the place, to people you don't know. A simple "like" or whatever it's called on Mastodon turns into maybe 10,000 messages. A PKI system might be cool, but how do you manage the private key? On the server is no-go. Uploading to a web site is no-go. Note that Mastodon and all other federated servers already use a PKI system behind the scenes, so that joe-blow in whattayacallit can't joe-job you. But as far as you sending a secret message to your pal, you should probably use PGP.
or, use a client that supports OMEMO, the "server" doesn't have to know anything about it, right?
@FluxLalonde @mmasnick TBH, this sounds like something that someone who has never had to be concerned for their personal safety and never been physically or financially reliant on others would say.
@anarchautist @mmasnick yeah, it's a bit flippant. Actual privacy is both hard and important.
@mmasnick uh, that seems like an amazingly dumb design decision
@meditativezebra
@mmasnick

It's because they're not *really* DMs. What they are are statuses with a privacy level set to "only those mentioned" (and mentioning causes a notification to show up).

When sending a status to an outgoing instance you should also be aware that an instance can just ignore your request for privacy. There was one instance that was modified to do this in 2016, none others since to my knowledge, but yeah. The status is otherwise not encrypted or anything.
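The explanation above is the whole story: a Mastodon "DM" is an ordinary status whose audience is computed from the @-mentions in its text. As an added illustration (not code from the thread, from Mastodon, or from Pleroma), the script below does the check the UI does not: it extracts the mentions from a draft post the way Mastodon would (the mention regex here is an approximation of Mastodon's, an assumption on my part), reports who would actually receive a "mentioned people only" post, and flags any handle that was mentioned but not intended as a recipient. All sample posts are constructed.

```python
import re
from typing import Iterable

# Approximation of Mastodon's mention syntax (assumption, not the project's
# own regex): "@user" or "@user@example.social". The lookbehind refuses a
# match when "@" follows a word character, so an e-mail address such as
# "me@example.com" is not treated as a mention.
MENTION_RE = re.compile(
    r"(?<![\w@])@(?P<user>[a-z0-9_]+)(?:@(?P<domain>[a-z0-9.-]+[a-z0-9]))?",
    re.IGNORECASE,
)


def extract_mentions(text: str) -> set[str]:
    """Return every account mentioned in a post, lower-cased, in @user or
    @user@domain form exactly as written (no home-domain expansion)."""
    found: set[str] = set()
    for m in MENTION_RE.finditer(text):
        user = m.group("user").lower()
        domain = m.group("domain")
        found.add(f"@{user}@{domain.lower()}" if domain else f"@{user}")
    return found


def direct_post_audience(text: str, intended: Iterable[str]) -> dict:
    """Compute who a 'mentioned people only' post would actually reach.

    recipients: the real audience, derived from the mentions in the text
    unintended: mentioned (so they WILL get it) but not in `intended`
    missing:    in `intended` but never mentioned, so they would NOT get it
    Handles are compared literally, so "@peter" and "@peter@example.social"
    count as different accounts.
    """
    intended_set = {a.lower() for a in intended}
    mentioned = extract_mentions(text)
    return {
        "recipients": sorted(mentioned),
        "unintended": sorted(mentioned - intended_set),
        "missing": sorted(intended_set - mentioned),
    }


if __name__ == "__main__":
    # Constructed draft: the author means to write only to @peter, but the
    # text also names a third account, which therefore joins the thread.
    draft = "@peter did you see what @CEO@Example.social said about the budget?"
    report = direct_post_audience(draft, intended=["@peter"])
    for key, handles in report.items():
        print(f"{key:>10}: {', '.join(handles) or '(none)'}")
```

Running it prints `@ceo@example.social` under `unintended`, which is exactly the surprise the thread is about. A client could run the same check and refuse to send, or at least show the computed recipient list, before a "direct" post leaves the instance; it does nothing about the separate problem raised above, that a receiving instance may ignore the requested visibility.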

@techpriest @mmasnick

i appreciate the explanation

but i still see it as very misleading that something which is labelled a "direct message" will actually go to other people if you mention them

guess all of us twitter refugees are gonna need a while to recalibrate

@techpriest @meditativezebra @mmasnick IMO none of that justifies how it works. It is terrible that you can’t mention someone without sending the message to them. And it’s terrible that the UI doesn’t provide a more clear indication of who is going to receive the message. These are different, unrelated, and bigger problems than lacking e2e encryption.
@graue @techpriest @meditativezebra @mmasnick it's unfortunate that they copied the wording "direct message" into the UI when there are no DMs on Mastodon -- there is only "Mentioned People Only" visibility.
@graue
@meditativezebra @mmasnick
To be clear, it is very much a UI issue. I'm posting this from Pleroma which does make it clear that the "envelope" privacy is "anyone you mention in the post".

Actual secure chat (not this hacky privacy thing) on the fediverse *does* exist... just not on Mastodon, it's on Pleroma.
@graue
@meditativezebra @mmasnick

https://docs-develop.pleroma.social/backend/development/API/chats/

Realize that posting the spec for that might be useful too. Secure here means "doesn't actually leak out to other people on accident" to be clear. Everything I said about external server trust still applies.

@techpriest @meditativezebra @mmasnick Well... there's another opportunity for someone to come in and fix.
@techpriest @meditativezebra @mmasnick Perhaps it would be better to use the Mastodon identity for email?
@meditativezebra Perhaps the only dumb (arguably) bit is calling them ‘DMs’, which creates the wrong expectations. I like the functionality.
@mmasnick What a way to find out Elon's on here.

@mmasnick this is because mastodon doesn't *really* have direct messages, just regular toots that are limited in visibility to "only people I mention."

https://docs.joinmastodon.org/user/network/#:~:text=In%20Mastodon%2C%20direct%20messages%20are,conversations%20containing%20a%20direct%20post.

I think some clients abstract this away to make them act and look like DMs, but afaict the official mobile app doesn't present any such functionality; you have to create a post, mention a user, then set the visibility accordingly.


@mmasnick and even when they are blocked they see it. Kinda embarrassing
@mmasnick
Very good to know... thanks for sharing.. lol
@mmasnick also, ppl don’t realise they *are* DMs. I was talking to someone on web and only realised when I used Metatext app.
@mmasnick It's now happened twice just today. @Gargron @stux is this a known issue?
@mmasnick oof! That is … not ideal!
@mmasnick I'm pretty certain Elon is already demanding his team implement that feature today. At least whenever @ElonMusk is referenced. Because there's nothing like a thin-skinned egomaniac who demands to know what people say about him
@mmasnick I still can't decide if that's a bug or a feature and I've been on mastodon for years 😂