Infosec.Exchange has a wiki (courtesy of @jerry)!
It lives at https://wiki.infosec.exchange and it can be better with your help!

We have the beginning of an FAQ, which aims to cover all of those "how do I..." questions which come up from time to time in a setting like this: https://wiki.infosec.exchange/faq/start

No need to sign up to view pages. Editor rights are granted on request: https://wiki.infosec.exchange/about/wiki

If you don't feel like writing wiki articles but you see or know something which belongs on the wiki, please tag me and I will do my best to get to it.

@dreadpir8robots @jerry thanks, it's very valuable.

As an Infosec/Mastodon instance, do you think it would be useful to have explanations about how you manage to deal with GDPR on Mastodon? (If I am not wrong, there is a lot to do on the admin side about it, and it seems most instance administrators are not fully aware of it.)

=> This could be of some help for them, what do you think?

#RGPD #GPDR #FAQ

@Reeter @dreadpir8robots that isn’t a bad idea
@jerry @Reeter I wonder if we have anyone who is knowledgeable about GDPR. I know just enough to know that it is hard-hitting and not something to take lightly, but that's about it. There are several Mastodon GitHub issues on the subject, and most of them end up converted to a GH Discussion, which is a sign that the conversation went on and on and on.

@dreadpir8robots @jerry Yes, I also saw that in another thread. Some issues were kicked out without any implementation; that's why I assumed that GDPR compliance is expected to be dealt with by admins.

I guess Mastodon by itself is not GDPR compliant and needs something on top of Mastodon for that...

@dreadpir8robots @jerry Actually, all this comes from this message from @aeris, which raises some of the issues that Mastodon may have with the GDPR and that would need to be fixed by any instance administrator, as long as the instance has multiple users...

https://social.imirhil.fr/@aeris/109316559706610326

aeris 🏳️‍🌈 (@[email protected])

I'm half joking, but we agree that all non-single-user Mastodon instances have a register of processing activities, a privacy policy, a DPO for the biggest ones, a SIEM on the moderation tools, and know that the "note" field in user profiles is not GDPR-compliant? Among other things, of course… #JDÇJDR
@Reeter @jerry @aeris I'm not bilingual, but I think I understand most of it. I think I agree. It's surely true that the Mastodon devs can't make instances GDPR-compliant, but they could certainly provide tools to help with compliance. SIEM for moderation? A Data Protection Officer (at a certain size)? This is indeed a thorny issue.
@dreadpir8robots @jerry @aeris (Sorry, I was tired last night and I copied the link without translating it...)
Yeah, those are totally tough issues to deal with. With the Twitter migration, as more and more users come, #GPDR compliance will be looked at more and more.
That was the point of my initial question. I was thinking that perhaps the infosec community would be a good one to initiate that kind of work.
@Reeter @jerry @aeris I agree but with the caveat that most people (definitely including me) aren’t qualified to give advice on GDPR. There might be a need to pay a lawyer at some point unless someone is willing to put their skills to the test as a qualified volunteer.
@dreadpir8robots @Reeter @jerry My trouble is not really making Mastodon compliant, but the behaviour of the core devs on this subject, which shows they don't care at all about it.
@dreadpir8robots @Reeter @jerry The trouble is Gargron saying an IP is not PII, or that instances don't exchange PII but only images & toots. Saying a non-profit org is not covered by GDPR. Or using a false legitimate interest to cover up a real GDPR violation.
@dreadpir8robots @Reeter @jerry Exactly the same troubles and fights around GDPR compliance we have with GAFAM will come back with Mastodon…
@dreadpir8robots @jerry Thanks for sharing! I'll take a look today.

@dreadpir8robots @jerry One thing I would suggest adding to the rules explicitly, specifically for the infosec crowd: respect community norms and don't treat the fediverse like a data-mining free-for-all.

Unfortunately quite a lot of infosec folks don't seem to anticipate this expectation by themselves...

@joepie91 @jerry A very solid point which has already reared its head right here on this instance. Even well-intentioned discoverability projects can end up displeasing the fediverse, and not without good reason. I’m not a mod but I suspect this is a discussion the mods and @jerry will be having.

@dreadpir8robots @jerry

Oh wow, didn't know there was a wiki/FAQ etc. Good looking out.

@zandikar @jerry I need to review the wiki and put more time into it again. I know there have been developments both here and in the wider fediverse which aren’t documented. Family/life/work take most of my energy, but I’m not gone from the wiki, just on hiatus.