A friendly reminder, guys and gals, running instances: pls read through this and give @lutoma a heads up:

https://ohai.su/users/lutoma/updates/166

The tool and this whole community is by and for all of us, so the least is to help each other out rather than awaiting instruction (or commandeering ;) ).

#infosec #ourcommunity

@lutoma @maliciarogue i wonder if it would be feasible to write a plugin that triggers a vuln scan on every new federated instance. it would need a community consensus that it was an appropriate thing to do and I'm not even sure that legally it would be wise but hey InGen never stopped to ask if they should do something and they're doing fine!
@starhaze erm I am of that kinky kind that considers that security is a process, not a product :) @lutoma
@lutoma @maliciarogue hahah well said, are you implying that I'm advocating the opposite?
@starhaze well, your toot was very much product-oriented :) Happy to chat further on that, it'll have a long-lasting impact since the idea of decentralisation is precisely that anyone can be an instance admin. When that happens to be a person who has little to no knowledge of basic #infosec, that is a disaster waiting to happen. @lutoma
@lutoma @maliciarogue I'd argue that my suggestion was "tool" oriented, as in "non infosec instance admins should get alerts if they federate with an insecure instance, because people share personal information over social media and they deserve to know if there's a risk that the information they share could get compromised." (cf. what Chrome is doing with insecure TLS notifications)
@maliciarogue @lutoma I'd very much like to see a similar thing if a mastodon user tries to federate with an insecure server
@lutoma @maliciarogue additional thought i had on the way to work: "process not purchase" is only (imo) a useful dichotomy if the person or organization in question knows enough about security to make good decisions or can pay someone to make those decisions for them.
The people who need security most are going to be the ones who can't afford it, so we have a duty to provide the best tools that we can to keep them safe.