There’s been a lot of discussion about a rule we recently instituted regarding security testing on the infosec.exchange instance. I understand the value of pen testing as much or more than most people, and I’m fully cognizant that pen tests are happening all the time and I’m not getting the report. I get it. But there are now 28,000 people using this service to communicate. I know there are vulnerabilities waiting to be discovered. Finding blog post fodder by fuzzing instances that are already running hot due to explosive growth is not super helpful. But at the same time, I WANT that testing to happen.

As a result, I am going to set up two instances tomorrow that only federate with each other. This is where I’d prefer legitimate security testing be performed. I’ll also be using it as the QA environment to test new updates and settings prior to deploying to the production instance. I’ll moderate signups because I don’t want it accidentally becoming fediverse 2.0 in the ongoing rush for the doors at Twitter, but will accept anyone who wants to join, with clear indications that it’s a sandbox and should not be considered safe.

Thanks for your patience as we continue to find our way.

@jerry I'm pretty sure @alex set up cybervillains.com for this purpose - maybe ask if that can be used? Might save you having to administer more stuff
@jerry sounds like a shitload of people are cool with testing in prod
@Viss I’ll go so far as to say that they are highly offended at the idea I would ask them not to test in prod
@jerry "information security professionals" indeed.
@Viss @jerry "independent researchers"
@jerry thank you much 👍
@jerry awesome work Jerry 🙏 I hope people will respect those house rules.
@jerry
Will you need additional support (above the volunteers for infosec.exchange) to help maintain the test environment? If so, I'd be glad to help with that.
@jerry I can't understand these people. They should set up an instance themselves and then test it there! 🤬

@jerry

Might be worth documenting this, once it comes to pass, both in the wiki/site documentation and also a security.txt file? 🙂🤷‍♂️

https://securitytxt.org/

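As an added illustration of the security.txt suggestion above (this is not code from the thread or from infosec.exchange), here is a constructed security.txt that points testers at a published testing policy, plus a small check of the fields RFC 9116 makes mandatory before the file is served at /.well-known/security.txt. The hostname, mailbox and policy URL are placeholders.

```python
# Added example: draft a security.txt for a Mastodon instance and verify the
# RFC 9116 basics before publishing it. All hosts and addresses are placeholders.
from datetime import datetime, timedelta, timezone

# Constructed sample: Policy is where the "test on the sandbox, not prod" rules live.
SAMPLE = """\
# Constructed example for a Mastodon instance
Contact: mailto:security@example.social
Expires: {expires}
Policy: https://example.social/about/security-testing
Preferred-Languages: en
Canonical: https://example.social/.well-known/security.txt
""".format(expires=(datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ"))


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}; comments and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the RFC 9116 basics are met."""
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:  # RFC 9116 requires Contact values to be URIs
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires is required")
    else:
        try:
            when = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append("Expires is in the past")
            elif when > now + timedelta(days=365):
                problems.append("Expires should be less than a year out")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    if not fields.get("policy"):  # optional in the RFC, but it is the point of publishing here
        problems.append("Policy should link to the published testing rules")
    return problems
```

A stale Expires is the most common way these files rot, so re-run the check whenever the policy page or the contact mailbox changes.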
@jerry It makes no sense if you ask me. Why not set up their own instance of Masty if folks want to test it?
Or, here's an idea, ONLY TEST STUFF YOU OWN OR HAVE PERMISSION TO TEST?
Anyone ever heard that before? Was that ethos retired in the 00s or something?
@jerry Definitely interested in getting involved with this. Pentesting is one area that I've considered pivoting into as opposed to just analysis!

@jerry whelp, I get making sure this site is safe, but also you are hosting some of the best minds in Cyber.

Can people not just make this a 'Jerry vs best cyber hackers' site. That would be great.

Let Jerry get on to patching and creating a great space for us all. And instead, just send "fyi, this might need some attention" emails, rather than trying to bring the vibe down.

Thanks @jerry for all you do

@jerry you are an utter star... Where you guys find the time I've no idea, but know this, it isn't a thankless task... There are 28000 people that I'm pretty sure would agree.
@jerry please add your Patreon or donation link on your profile
@matster He has it as a pinned post.
@jerry let’s make infosec.exchange as secure as we can, we have the technology \[T]/!!!
@jerry Awesome stuff. The other 28k and I highly appreciate it
@jerry Thank you and others holding infosec.exchange together for all your work here. Make sure to take care of your health and take time for your families.
@jerry It boggles my mind that people need to be reminded that the difference between a legitimate pentest and an attack is working with the client to ensure you stay within scope. Rock on Jerry, you're a legend for dealing with this stuff!
@indigo @jerry this!!! So much. Ethics matter, authorization matters. It's not pentesting if it’s attacking a live instance without permission. The code is available and researchers can stand up their own instances and go nuts with whatever they want, and watch the server side at the same time.
@gregporterfield @jerry It's completely ok to pentest in production if that is within scope (though dedicated testing environments are preferred for most of it), but as @deviantollam has put it in a few talks on red vs blue team: someone at the client has to be in on it, and an agreement about the scope of the test must be in place before you start. Otherwise you're not helping, just bullying them.
@indigo @jerry @deviantollam agreed all around. It’s not testing in prod that bothers me; I’m always a little excited when I get to mess with production. That said, in non-prod I can dig deeper and try other things that are higher risk, without worrying so much about taking something down. Instrumenting labs and non-prod to really see what’s going on is also very beneficial.

@jerry do you take name suggestions for the two test instances?

Suggestion: Alice and Bob

@Natanael_L oh, that is good. I had been considering a poll, but I no longer need to do that
@jerry not sure if you saw this or if it’s applicable to you in any way but just want to bring it to your attention: https://twitter.com/rahaeli/status/1593819064161665024
rahaeli on Twitter: “Hey, US folks newly running Mastodon instances: do Future You a *huge* favor, mitigate your potential liability, and register with the copyright office and designate an agent to receive DMCA reports *right now*. https://t.co/HTPtaCYGBh”
@fmachado thank you!
@jerry @fmachado make sure you see the whole thread too, lots of juicy stuff like planning ahead for CSAM etc
@VickForcella @fmachado I got my registrar data right iirc, plus I covered that under "don't do illegal stuff", if you do illegal stuff that's on you and I will cooperate with the law :V
@jerry I now suddenly understand why this server has been rate limited a bit more often than I would have expected.
@BenAveling the rate limiting you see is the default behavior of Mastodon. I will be working to increase the limits because I get caught by them too
@jerry So far, I haven't been 'caught' by them, they appear, but only fleetingly.
@jerry Can you also allow federation with itacfl.link which is my test instance? Anyone is also welcome to sign up there and test. I attached to a few relays just to have some activity but I can disconnect from them if people start using it for testing.
@jerry This kinda thing is why I picked this instance - I mean, yeah, it’s also relevant to my interests, but I have a lot of interests. And I don’t know if an instance focused on other stuff I like would even know what pen testing is. I worry a bit for the millions of people pouring into random instances run by people who are super well versed in whatever the instance is focused on but have little experience with security/privacy best practices.
@jerry holy cow. this is next level. nice work.
@jerry Have you talked to Spender about getting GRSEC yet? For a high security instance it's the only way. If you want, I can annoy him about it.
@jerry would joining make it easier for me to gain insight about security issues? Or might it help in some way?
@jerry Thanks for doing this!
@jerry thank you for all that you do ! ❤️🦙
@jerry and that's a professional sysadmin right there 👏