So, the European Union has set up its own Mastodon instance, EU Voice, as an official channel/platform for all its many institutions - what a great initiative https://social.network.europa.eu/about
#TwitterMigration #europe #Diplomacy #Transparency

@Richard_Hull It's a lovely initiative - one I hope many more organisations will follow.

I've started keeping track of these 'official' instances here:

https://gitlab.com/mastolist/org-instances

@jpoesen @Richard_Hull I'd love to see news agencies do this so their journalists are verified just by being on the server
@TomRaftery @jpoesen There is an instance for journalists, not sure how 'official' https://journa.host/explore
#TwitterMigration

@Richard_Hull @TomRaftery Hmmm... those journo instances are similar to all other community-oriented mastodon neighborhoods.

Nothing wrong with them, but for journalists I would love to see orgs run *their own* instances, if only to provide instant 'verification'.

What could be more trustworthy - identity wise - than seeing accounts like @[email protected]?

@TomRaftery @jpoesen Yes, The #Guardian had a presence a few years ago which is dormant, but not their own server. But this does raise the question - could a bad actor set up a server pretending to be a trusted organisation? I don't know enough about how Mastodon monitors new servers/instances.
@Richard_Hull @jpoesen I’d assume ICANN would stop anyone who falsely registered a legitimate domain name

@Richard_Hull To continue the hypothetical example:

cnn.social

would be far less trustworthy than

social.cnn.com.

The well-known domain is key here, and bad actors would only be able to abuse it by hijacking the entire cnn.com domain, which is highly unlikely to ever happen. (Though not impossible)

That doesn't mean cnn.social could never become trusted, but it would take time and resources, and the result would still be... meh.

@Richard_Hull That said, it's not impossible that we'll start seeing phishing-style 'official' instances:

- @[email protected]
- @[email protected]
- ...

Though should that start to happen, I'm sure a security warning mechanism will get developed, similar to the current fedi blocklists or https://haveibeenpwned.com
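The distinction drawn in this thread between social.cnn.com and cnn.social, as an added example that is not part of any post: a Python check that separates handles hosted under a domain the organisation is already known by from handles that merely carry its brand name elsewhere. `TRUSTED_ORG_DOMAINS`, the function names and the sample handles are assumptions made for illustration, and the list of trusted domains has to be supplied by whoever runs the check.

```python
import re

# Constructed allowlist: domains each organisation is already known by.
TRUSTED_ORG_DOMAINS = {"cnn.com", "europa.eu"}

def instance_host(handle: str) -> str:
    """Return the normalised instance host from '@user@host' or 'user@host'."""
    user, sep, host = handle.strip().lstrip("@").rpartition("@")
    if not sep or not user or not host:
        raise ValueError(f"not a fediverse handle: {handle!r}")
    # Lower-case, drop a trailing root dot, and convert IDN labels to punycode
    # so a Unicode look-alike never compares equal to an ASCII domain.
    try:
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"malformed host in {handle!r}") from exc

def classify(handle: str, trusted=TRUSTED_ORG_DOMAINS) -> str:
    """Classify a handle by where its instance sits relative to trusted domains."""
    host = instance_host(handle)
    for domain in trusted:
        # Match only on a label boundary: 'social.cnn.com' passes,
        # 'notcnn.com' and 'cnn.com.example.net' do not.
        if host == domain or host.endswith("." + domain):
            return "under-trusted-domain"
    # Brand name (first label of a trusted domain) appearing as a label or
    # hyphen-separated token anywhere else is the 'cnn.social' pattern.
    brands = {d.split(".")[0] for d in trusted}
    if brands & set(re.split(r"[.-]", host)):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample handles.
    for h in ["@anchor@social.cnn.com", "@anchor@cnn.social",
              "@anchor@cnn.com.example.net", "@anchor@notcnn.com"]:
        print(f"{h:32} {classify(h)}")
```

A "lookalike" result is a prompt for manual review, not proof of impersonation, since an unrelated party may legitimately use the same short name.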

@jpoesen @Richard_Hull unfortunately, a lot of organisations seem to have a track record of using weird stand alone, special purpose domains, even for secure services. One of my banks, for example, has (or had) evolved services on multiple domains for its websites, e-banking etc - made it very easily spoofed - maybe at this stage, people are a bit more aware of the need to be easily and simply verifiable.

@dkellyj Wow, was not aware that banks, of all orgs, use special purpose domain names instead of building on their main domain name that's already trusted.

It's quite likely they do this because internal processes / IT infrastructure makes it near impossible to get certain things done. So they circumvent their own rules by launching on separate domain names.

I've seen this several times when working with large orgs...

@jpoesen in this case it seems to originate from an early ‘dot com’ era marketing project that spun up their e-banking services and ATMs as a funky new sub-brand, which they promoted heavily for a while. Then they changed strategy, forgot about it, rolled everything back into the main brand, but kept the legacy domains and URLs 🤯…

@dkellyj Well they were right to keep the domains - nothing worse than having those get snatched up by baddies.

But ideally all of those domains' requests should have been redirected to the main domain, if only to a special purpose landing page explaining why they ended up there.

The larger the org, the larger the mess.

@jpoesen they also went through a period of literally breaking their own published guidance on outbound calls - asking you to prove who you were with personal details 🤔 while calling from a withheld number. An old-fashioned org that was more comfortable with cheques and quills.
They’ve tightened up a lot in recent times tho

@dkellyj That must've been such a Wild West era :)

Reminds me of when I did ADSL broadband support 20-odd years ago, and we could see the users' dial-up and email passwords on our screen, and used that for identification.

(that call center company was shitty but I learned a lot about the telco industry)

@jpoesen I recently had a major telco here (a big international brand) ask me to send the following by *twitter DM*: Phone number, date of birth and full home address, including Eircode, which is the Irish equivalent of a ZIP code, but is a unique 7-char code that geolocates your house. Claiming they needed it *for* GDPR reasons lol 🤦‍♂️
I politely declined!!

@jpoesen
@dkellyj
Yeah - often new social media initiatives, or anything innovative at all, are only possible through "shadow IT".

I remember when I was at the Aus yellow pages, and the only way we got AWS time for an experiment was by the head of IT putting it on their credit card and expensing it.