I've been in contact with Jen Easterly, the head of US CISA, this morning and they'll be creating accounts here. There is an account, @cisacyber, that is legitimately owned by CISA, though they're early in the setup process, so please, don't report them for impersonation.

Since posting the message this is in reply to, I’ve had approximately 11,000,000 replies asking me why CISA or the US government doesn’t set up their own mastodon/fediverse instance. Or telling me that they should. I can’t reply to them all, so I’m addressing it here.

Perhaps they will create one. Maybe they won’t. I’m not them. They didn’t create their own version of twitter.

I have to believe setting up a new service in the US government is a long and complicated and expensive process. Perhaps they want to jump in and see if the fediverse is useful enough to warrant the investment.

It’s been maybe 14 hours. Let’s give them a bit of grace, please.

@jerry While we're at it, why hasn't the government in XX set up their own instance yet?

I'll get me coat

@jerry not sure about the CISA requirements, but I'd imagine that they require someone to apply something like DoD STIGs to the host and software stack. It needs to be run in FIPS 140-2 compliance mode.
https://stigviewer.com/stigs
@jerry Oh Lort, I can just imagine the Oatmeal-Level screaming that you endured gracefully. Namaste 🙂 🕉️

@jerry recent Army policy involves needing metrics so they can make a data-driven decision before jumping on any new social media, and it needs to go through the CIO.

I expect other agencies have similar policies.

@jerry I appreciate the optimism of people who think a large traditional enterprise could spin up a publicly facing service in days.

@jerry Labor-hours it takes to get approval to post on social media: Some, but kinda worth it.

Labor-hours it would take to just get FISMA authorization to operate an open source instance themselves: Oh lordy, I've got the vapors already

@jerry it seems like in some ways, the US government moves amazingly quickly. In others, it's painfully slow. I imagine they will want to be sure whatever they set up is very secure, and can be properly recorded for the national archive as needed. That will probably take time.

@jerry I’m not sure I can tolerate this level of mature, measured response on social media. More spicy hot takes please! (/sarcasm)

@jerry Seriously!? The government set up their own Mastodon instance? I suppose stranger things have happened, but with their focus on everything else, I would guess that would be last on their To Do list.

@jerry I've been a contractor for a government agency. The ethos there is about as diametrically opposed to the openness of the Fediverse as it's possible to get.

The government will have to see a need for their own instances that can't be fulfilled any other way, and that will only come after the lights go out at the birdsite.

@jerry no, ACAB

@QuingKhaos @jerry CISA isn't a law enforcement agency.

@DanielMicay @jerry it's part of DHS

@QuingKhaos @jerry

That doesn't make it a law enforcement agency. FEMA is part of DHS too. Would you feel the same way if FEMA made an account on a major instance to post announcements about natural disasters?

CISA is not a law enforcement agency and doesn't do offensive work. They work on securing US infrastructure overall and also help with securing the infrastructure of companies, etc. in the US to a lesser extent.

Having an account on the instance doesn't give them any special access, so what's the issue? If they wanted to do something nefarious it wouldn't be from an official account for publishing information...

@jerry Just to chime in, I for one support letting #CISA on here, because:

  • As far as I can tell, CISA is one of the "good" ones. They have a positive impact on society and focus on protection.
  • Any of the "bad" ones -- overly aggressive gov. actors -- can make all sorts of accounts here and elsewhere without telling us. So what's gained by blocking CISA?
  • I'm for #inclusion and against #blocking unless there's documented bad behavior.
  • Getting important players involved in our conversation is good for infosec.exchange, the Fediverse, and our #community as a whole.

Thanks for taking a stand!

@jerry

Here is what govt struggles with:

1) Who has authority to create one? It's going to have to receive resources of some kind -- manpower, server costs, oh and security. Who has the authority to marshal those resources? What resources will be needed? (There will be committees).

2) Who has the knowledge/ expertise to develop such an instance? We'll need a moderation policy and some approval/oversight process for who gets an account and what they do with it. (Add committees).

@jerry

you must realize that if cisa or us gov ever sets up fediverse instances, you'll need to block those instances approximately twelve minutes after people start posting there

@jerry Wouldn't that mean they could not enforce moderation policies, as it would be a government-run service subject to the 1st amendment w.r.t. moderation? Hmm

@decryptlyfe I think it likely those servers wouldn't host any non-USG accounts. The only accounts on the server would be official ones, so the domain would be its own form of verification. Just spitballing, though.

@jerry don’t you know that assuming bad intent makes this whole thing work? I mean, how else do we drive engagement and monetization? 🤯

@jerry I doubt it's that expensive, it's probably more a matter of red tape and getting the appropriate clearances... plus, I mean, if they set up their own official instance, sure, that makes it easier to block, but I feel like that makes it MORE likely that they take the fediverse seriously, rather than less. Which strikes me as not the outcome these folks are looking for but 🤷‍♂️

@jerry very interesting development. Not surprised CISA is figuring this out first. Definitely following.

@jerry If anyone has questions about that topic, I'm happy to take them. (this is not a promise to be able to answer them - and I wouldn't be speaking officially, just sharing information about how such an idea might play out using already public information)

@jerry Exposing vulnerable people to government propaganda, to the benefit of white-collar workers who can sort out information, is libertarian.

@jerry Call this “academic libertarianism” if you wish. But regardless of how well-meaning your contact is, they're still going to apply training and orders to casually mislead the people federating with your instance.

Your instance is going to share misinformation.
@jerry
>child agency of DHS
oh this will be fun

@jerry @cisacyber that is awesome to hear, and thanks for confirming the legit account. Looking forward to setting up a CISA list here.

@jerry @cisacyber I’m glad they’re here, but I also really hope the government sets up a server

@hacks4pancakes @jerry @cisacyber it would seem appropriate to have a social.gov instance that clearly demonstrates authenticity of government accounts.

@hacks4pancakes keep your eyes peeled for a federal Mastodon instance in the 2037 budget or something ;)

@jkbecker @hacks4pancakes They could get input from Germany's CISA equivalent [email protected]

@jerry @cisacyber Was it really too much trouble for the US Govt to set up a verified dot gov Mastodon instance, the same way the German Govt has done on https://social.bund.de/ ?
@martincampbell2 Given the possible volume of agencies/offices/people that might want accounts, it would take some time to track/check/manage all of them - so some office would have to own that and have enough people to manage it. I imagine @jerry might say that running this instance has been a significant timesuck these last few weeks.

@wslack @martincampbell2 “significant” may be a slight understatement

@martincampbell2 @cisacyber I think that this was at least in part done to get back some form of verification for official entities that is now broken on twitter and difficult here: a single instance widely accepted to be for verified government institutions only, easily recognizable by the instance suffix. This might also be valuable enough to offset the time and money to set this up for the US. But there is also no talk of defederation with this instance in Germany that I know of, though.

@jerry @cisacyber Thank you for the "heads up"
For some values of "list", I think it would make sense to have an authoritative list of official accounts. how/where... that's above my pay grade

Giving it a follow so that as they get it set up I'm already watching

@jerry @cisacyber I’m glad to hear this! I actually bugged her a couple days ago asking when CISA would get an account here, noting that @nasa already has one (actually, it has a couple) which I believe mirrors their #twitter account. I hope other Federal agencies follow suit.

@jerry @cisacyber they should be hosting their own instance imo. All government and organisations that wish to use mastodon should

@jerry @cisacyber Awesome: I think this is great, especially that they hang out with all the security practitioners, and don't feel they need to have their eXlUSivE own instance.

This may be very little: But I think it goes a long way towards the private sector working on eye level with governments. It sets the totally right signal. And congrats to @jerry it's a tribute to your work too.

@jerry wow, respects for becoming the de facto hub of infosec in the fediverse, and kudos for running it.

@jerry @cisacyber

That's awesome! I feel like having them here on the fedi really helps communicate the legitimacy of the platform.

Also it will be great to see their updates here

@jerry @cisacyber holy shit dude, That's the biggest thing since Ian landed on Nova's instance

@jerry @cisacyber I'm sorry that folks are not taking this news well. I'm not a fan of law enforcement of any kind... but CISA is a source of intelligence. That said, it's your own decision on how you want to consume info. If you want to block the whole instance, that's your right. I would humbly suggest though that you could just block the account and stay in touch with the rest of the cool people on infosec.exchange

@jerry @cisacyber Do people not realize the Feds could just as easily pose as normies? If safety is really THAT big a risk to your threat model, perhaps the internet is not for you.

@jerry @cisacyber is there any way to get verified on here?