I have a request.

Bad actors will soon figure out - if they haven't already - that setting up impersonations of important organizations now will allow them to set off an explosion of chaos and confusion at a time of their choosing.

So if you run an account for an organization (especially #LGBTQ), please set up link verification between your Mastodon account profile and your organization's website.

If not, please boost.

Instructions are here under "Link Verification":
https://docs.joinmastodon.org/user/profile/

(Looking at you, @pflag)
@theruss Yup. We know. Our IT person was alas down with COVID. It will happen. Thank you.

@pflag

Oh no! Rest is super important for avoiding long COVID, so I hope I didn't come across as overly impatient. I'm just doing my best to have your back by weeding out impersonators.

BTW, if you post a link to your Mastodon profile from your Twitter account (as a tweet, from your profile, etc.), it helps twice:
1) more folks from there find you over here
2) it's good enough proof until Twitter crashes.

  💪

@theruss They already have. Sadly. I just posted something similar myself.
@theruss I'd even say that self-hosting their account is for them the best checkmark. If Company owns company.com, then I'd trust [email protected] more than [email protected].
@KekunPlazas That strikes me as an ideal way forward from the perspective of verification, but I worry that having every company that runs a social media presence -- given most companies are small -- having to *also* maintain a Mastodon instance might start to become a lot of overhead.
@OpaqueLightbulb Good point! I run two accounts for a small group of volunteers. Will ask the techies to verify my account via link asap. Alas there are trolls in my field, too.
@OpaqueLightbulb
But they don't have to run the Mastodon instance by themselves! I have my own instance hosted at https://ossrox.org for 5€ (5 users max, larger ones don't cost much more) and I only had to point the domain name owned by me at one of their servers. 🤷‍♂️
@KekunPlazas
@roland And they manage the instance, do updates, backup, and be on top of security?
@danieldekay
Yes, all the technical stuff. User admin and moderation is up to the customer.

@roland @danieldekay
But honestly how much moderation do your own accounts need?
PR blasts out some stuff, everyone is employed/in your project.

furthermore [email protected] feels very much like brand@gmail/yahoo/aol
All the red flags instantly go off. (like the vw accounts)

And ofc there are good other self hosted plugins/solutions.

@mwfc @roland Fully agree that moderation on a small instance with controlled users like from within a company should be a non-issue. I guess the only work would be incoming stuff.

@danieldekay @roland

But why would you moderate that? you ignore stupid requests. Done. Should not be more interaction. Or am I missing something?

@roland @mwfc probably not. Thanks for the heads up.

@danieldekay @roland

Basically I was thinking along the lines of setting up an institution server, so I was really wondering. And given the availability of Friendica et al I see no reason why you should not host your own instance as a brand/institute. It should be really low effort, and no need to worry about ToS and other stuff on a foreign instance + brand recognition

This is more for commercial entities tho, I find VW odd to supposedly run to mastodon.social if true

https://europe.autonews.com/automakers/vw-joins-mastodon-concerns-over-twitter-mount

@roland @OpaqueLightbulb @KekunPlazas Maybe the solution for the future of the web business card? @antzee - here’s your personalized Mastodon server hassle free, see 👆🏼

Even self-hosted organizations should use link verification from their website.

@matrix @KekunPlazas @theruss

@KekunPlazas @voxpelli Yeah, @TexasObserver did this, and I think it's great.

There are three reasons I didn't issue this as a blanket recommendation, though:
1) It does involve both some effort and money on an ongoing basis; it's not fire-and-forget.
2) There's also a non-zero chance of an incorrectly-configured or undermaintained instance getting pwned.
3) Some folks use the same account for personal and work stuff, and I don't want my boss to be able to lock me out of my account.

@theruss @KekunPlazas @TexasObserver Yeah, I’m thinking I want to be at voxpelli(at)voxpelli.com eventually or eg me(at) or simply just voxpelli.com
I do professional and personal stuff from the same account, for sure wouldn’t want to have a different professional account that represents me
@theruss @KekunPlazas @voxpelli @TexasObserver I am afraid TO hasn't done the rel="me" bit yet.

@steelman @KekunPlazas @voxpelli @TexasObserver

It's not necessarily obvious, but having an instance running on the TexasObserver.com domain is substantially stronger evidence than a verified link from the website.

That said, it wouldn't hurt!

@theruss @KekunPlazas @voxpelli @TexasObserver Of course! I didn't notice they've got their own domain and I was looking at the links. OTOH they haven't used their well known domain, instead they've bought a new one and without the rel="me" bit the connection between the domains isn't clear (even whois data are redacted). Their solution will help them avoiding instance wide bans, but it does little with regards to verification.
@steelman @theruss @KekunPlazas @voxpelli We will be adding the rel="me" linkage as soon as possible.
@TexasObserver @KekunPlazas @theruss @steelman be sure to only add it between URLs that represent the same identity as you, so e.g. don’t add it to the footer of all pages, else identity crawlers like my old experiment will have a really tough time: https://voxpelli.com/2012/10/relspider-what-why/

@theruss I wish I could somehow verify my #ORCID and #googleScholar pages.

Sadly doesn't seem possible right now

@ErichSchulz Perhaps it'll be possible in the near future, though. Let's keep our eyes peeled.
@theruss Or even better: Don’t give your followers to the owner of another domain: Ensure that people follow you at an address on a domain you own (I’m still in the process of fixing that myself, but that’s because I want it in a special geeky way)
@theruss is there a way to report any bad actors that we discover?

@jasonsanford I don't know if there's a perfect option for reporting potential bad actors.

For provable fakes, "Report" them to alert your and their admins.
For uncertain cases, it's less clear.

I've considered the possibility of setting up something equivalent to #FediBlock , but it's not quite the same situation.

Big picture, I want to establish two norms:
1) organizations verify their links
2) the community notices breaches of #1 and (politely) pushes for them to be fixed.

@theruss
Have to say, I read the instructions and was totally baffled. I don't get what "rel=me attribute" means, and "Since 4.0: the hostname does not change after IDN normalization" is Greek to me! I just couldn't work out what to do, so have done nothing. Mastodon does assume folk know more about tech stuff than most of us do.
@sheenaghpugh @theruss I can try to help you if you want.

@parpinet @theruss

Thanks, but I think it probably isn't as necessary for individuals as it would be for bodies.

@sheenaghpugh
Sorry for the headache! The gist of it is this:

Your Mastodon profile is https://mastodon.scot/@sheenaghpugh

If *I* wanted to put a link to your profile on *my* website, the HTML for that would look like:

<a href="https://mastodon.scot/@sheenaghpugh">Sheenagh</a>

But if *you* wanted to link to your own profile and say "yup, that's me!", you'd add rel="me" (get it? me?) to that HTML tag:

<a href="https://mastodon.scot/@sheenaghpugh" rel="me">Sheenagh</a>

That way, your profile and website vouch for each other.

@theruss
So does that mean the link to my website and blog in my mastodon profile would also need the rel="me" thing in them?
@sheenaghpugh I don't believe so, no.
@theruss @sheenaghpugh How long did it take for your website to be verified? I use tinyurl to avoid a long google address and I assumed that was why it didn’t verify my page, but you have curious how long to wait to see if it worked.
@drjacannon @theruss i haven't actually done it yet. I'm not sure if it is really necessary for individuals like me who aren't famous and aren't likely to get impersonated.

@sheenaghpugh @theruss this means nothing to us non techie people, however will send it to the person and the relevant bit on the original link to whoever does the website

Thanks for asking the question we would have asked

Will need to have some sort of verification

@sheenaghpugh @theruss You need the rel="me" link on any site you want to show as verified in your profile.
@theruss I just did it, thanks.
Pretty straightforward actually.
@theruss does link verification happen only on the user's instance, or do other instances re-verify the links? In other words, can a bad actor simply set up their own instance that shows arbitrary links as verified for everyone?

@lambda That's a fascinating question, and I'm not sure off the top of my head. It looks like this is the relevant code, but I'm not up to date on my Ruby:

https://github.com/mastodon/mastodon/blob/main/app/models/account/field.rb

@theruss Do you know if it happens automatically or if it takes a while? I tried it with my Dreamwidth profile but so far nothing.

@ariaflame I took a quick look at your dreamwidth page, and it looks like you've got it set up correctly. Not sure how long it'll be until Mastodon catches up.

One thing you might want to try is removing the link to dreamwidth from your Mastodon profile and then adding it again - that might speed things up.

@theruss Well, tried that, now I just wait and see. It is unlikely someone is going to try to pretend to be me anyway 😋
@theruss Keep in mind that you're still trusting the instance if you're just looking at the "verified" badge. Bad actors can relatively easily set up their own instance with a fork of the Mastodon code, and add that badge without requiring actual verification.

@VincentTunru This is a legitimate concern. I've got a few ideas about how to address it that would require some infrastructure work.

One thing we can do that doesn't require any infra work is this: if we are suspicious that an instance is verifying bogus links, we can open up the linked website ourselves, look for the rel=me link, and report the fraudulent account + instance (and probably cross-post to FediBlock).

It's not good enough, but it's a start.
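
The manual spot-check described above (open the linked website and look for the rel=me link), as an added example that is not part of the thread and not Mastodon's own verification code. The profile URL and the sample pages are constructed, and requiring https and ignoring a trailing slash are choices of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _canon(url):
    """Lower-case scheme and host, drop a trailing slash; keep path case."""
    p = urlsplit(url.strip())
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path.rstrip("/"))


class RelMeCollector(HTMLParser):
    """Collect href values of <a>/<link> elements whose rel list contains 'me'."""

    def __init__(self):
        super().__init__()
        self.rel_me_hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list: match the token 'me',
        # not the substring (rel="home" must not count).
        tokens = (attr.get("rel") or "").lower().split()
        if "me" in tokens and attr.get("href"):
            self.rel_me_hrefs.append(attr["href"])


def page_vouches_for(html, profile_url):
    """True if the page has a rel="me" link to exactly this https profile."""
    want = _canon(profile_url)
    if want[0] != "https":  # assumption of this example: only https counts
        return False
    collector = RelMeCollector()
    collector.feed(html)
    return any(_canon(h) == want for h in collector.rel_me_hrefs)


# Constructed sample pages (not real sites).
PROFILE = "https://mastodon.example/@org"
GENUINE = '<p><a rel="nofollow me" href="https://mastodon.example/@org">Us</a></p>'
PLAIN_LINK = '<a href="https://mastodon.example/@org">Their account</a>'
WRONG_TARGET = '<link rel="me" href="https://mastodon.example/@org_official">'
SUBSTRING_TRAP = '<a rel="home" href="https://mastodon.example/@org">Home</a>'

if __name__ == "__main__":
    for name in ("GENUINE", "PLAIN_LINK", "WRONG_TARGET", "SUBSTRING_TRAP"):
        print(name, page_vouches_for(globals()[name], PROFILE))
```

Only the first page vouches for the profile: a plain link, a rel="me" link to a lookalike handle, and a rel value that merely contains the letters "me" all fail.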

@VincentTunru @theruss note that each instance verifies on its own, so if you look at a profile through your instance, you rely on it, not on the instance the profile is on

@theruss for WordPress admins looking to verify an official account, look in the plugin store for "simple Mastodon verification".

Doesn't work for authors (yet).

@opendna @theruss I've been really confused by the whole verification thing - I run my own Wordpress site and am tech confident, but I'm not a coder or experienced with back-end stuff, so I'll have a look at your plugin this week. Thank you! 😊
@theruss The issue is most of us don't have a website.

@Wolfie_Rankin

The good news is that if you don't have a website, then you don't need to prove that your Mastodon profile belongs to the same person as your website, so you're good.

If there's something other than a website that you'd like to prove is yours - Twitter account, LinkedIn profile, Google Scholar profile, etc. - then that might be trickier.

@theruss
Thank you. I hope we can keep Mastodon clean from the beginning. Why do some people devote their life to ruining it for everybody else? I just don't understand what makes a person do such things.
@theruss news orgs especially should have their own instance with their staff being the only people allowed on it.