Do people watch their local timelines a lot? Or do you all just read toots from people you follow?
Just wondering if using my mastodon.social account as my primary is an oopsie and I should be using my infosec.exchange one instead.
| Bird App | @synackpse |
Data from the August breach of LastPass was used to gain access in the November breach? So, reading between the lines, either credentials that weren't rotated during incident response, or a vulnerability discovered in the stolen source code.
Personal guess is a credential/token that wasn't rotated/revoked during the initial incident response. Super easy to miss, especially with the nest of "X credential grants access to Y credential, etc." chains.
@grifferz 👋 sorry to hear about all that man ☹️
And apologies for the "unsolicited advice from the internet", but... with regard to the fizzy drinks thing, there's research (that of course I cannot remember the location of) showing that carbonated water eases tapering off more than still water does, as your body still gets the bubbles and it semi-tricks it.
I wouldn't be at all surprised if this moves to attempts to DDoS (or otherwise attack) specific nodes, as they are created based on interest. An easy example being extreme right-wing groups targeting nodes created to support marginalized groups.
The flip side to all of this is that organizations can create their own instances for access to Mastodon. Meaning that rather than entrust security/privacy to others, they know exactly how the node they're using is configured.
However, I'm sure that you're aware of the risks to Ruby/Node.js apps as they pertain to supply-chain-type attacks against the package/library systems.
I have not done a deep dive into looking for specific vulnerabilities, though.
The other observation I have is that moderation will likely become key... Harassment campaigns in some parts of the network are common already, same with co-ordinated mass-reporting campaigns to silence specific users.
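Since the thread above raises supply-chain risk in the Ruby/Node.js package ecosystems, here is an added example on the Ruby side (it is not code from the thread, from Mastodon, or from Bundler): a small audit of a Gemfile.lock that reports where each dependency actually resolves from. It flags gems pulled from git or path sources (no registry provenance), GEM blocks whose remote is outside an allowlist, and direct dependencies declared with no version constraint. The allowlist `TRUSTED_REMOTES`, the sample lockfile `SAMPLE_LOCKFILE`, and every gem name and URL in it are constructed for this example.

```ruby
# Added example (not Mastodon's or Bundler's code): audit a Gemfile.lock for
# dependency-provenance risks. Flags gems resolved from git or path sources,
# GEM remotes outside an allowlist, and unconstrained direct dependencies.
# TRUSTED_REMOTES and SAMPLE_LOCKFILE are assumptions made for this example.

TRUSTED_REMOTES = ['https://rubygems.org/'].freeze

Finding = Struct.new(:gem, :kind, :detail)

# Returns [sources, direct]: sources is one {type:, remote:, gems:} hash per
# GIT/GEM/PATH block; direct maps each DEPENDENCIES entry to its constraint
# string, or nil when the Gemfile declared none.
def parse_lockfile(text)
  sources = []
  direct  = {}
  section = nil
  current = nil

  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?

    # Unindented all-caps line: GIT, GEM, PATH, PLATFORMS, DEPENDENCIES, ...
    if line =~ /\A[A-Z ]+\z/
      section = line
      current = nil
      next
    end

    case section
    when 'GIT', 'GEM', 'PATH'
      if line =~ /\A  remote: (.+)\z/
        current = { type: section, remote: $1.strip, gems: [] }
        sources << current
      elsif current && line =~ /\A {4}(\S+) \(/
        # 4-space indent is a spec resolved from this source; the 6-space
        # lines beneath it are that spec's own dependencies and are skipped.
        current[:gems] << $1
      end
    when 'DEPENDENCIES'
      # Forms seen here: "name", "name!" (git/path source), "name (~> 1.2)"
      direct[$1] = $2 if line =~ /\A  (\S+?)!?(?: \((.+)\))?\z/
    end
  end
  [sources, direct]
end

def audit(text)
  sources, direct = parse_lockfile(text)
  findings = []

  sources.each do |src|
    case src[:type]
    when 'GIT'
      src[:gems].each { |g| findings << Finding.new(g, :git_source, src[:remote]) }
    when 'PATH'
      src[:gems].each { |g| findings << Finding.new(g, :path_source, src[:remote]) }
    when 'GEM'
      next if TRUSTED_REMOTES.include?(src[:remote])
      src[:gems].each { |g| findings << Finding.new(g, :untrusted_remote, src[:remote]) }
    end
  end

  # Git/path gems are pinned by revision or path, so only registry gems count.
  non_registry = sources.reject { |s| s[:type] == 'GEM' }.flat_map { |s| s[:gems] }
  direct.each do |name, constraint|
    next if constraint || non_registry.include?(name)
    findings << Finding.new(name, :unpinned_direct, 'no version constraint in Gemfile')
  end
  findings
end

# Constructed sample lockfile; the gems, remotes and revision are made up.
SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: https://github.com/example/auth_helper.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      auth_helper (0.3.1)

  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.10)
        racc (~> 1.4)
      racc (1.6.2)
      rack (2.2.4)

  GEM
    remote: http://gems.internal.example/
    specs:
      internal_metrics (2.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    auth_helper!
    internal_metrics
    nokogiri (~> 1.13)
    rack

  BUNDLED WITH
     2.3.26
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCKFILE).each do |f|
    puts format('%-18s %-18s %s', f.gem, f.kind, f.detail)
  end
end
```

Run it against a real project with `audit(File.read('Gemfile.lock'))`. On the constructed sample it reports `auth_helper` (git source), `internal_metrics` (plain-http remote outside the allowlist, and no constraint), and `rack` (no constraint); `nokogiri` and its transitive `racc` are clean because they come from the allowed registry. The check is about provenance only: a gem from rubygems.org with a pinned version can still be malicious, so this complements, rather than replaces, advisory scanning and reviewing lockfile diffs in pull requests.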