Tim McLean

@[email protected]
56 Followers
75 Following
14 Posts
Cryptography, Rust, etc.
Bloghttps://www.chosenplaintext.ca/blog/
Twitterhttps://twitter.com/McLean0
LocationWaterloo / Toronto
Show threadTim McLeanDec 20, 2022
@vivainio I think that's true overall, but it feels like a large portion of the frequent posters in tech/programming circles really did leave!
Show threadTim McLeanDec 20, 2022
@mattblaze It really is quite surprising how quickly people left, at least in tech/infosec. 90% of the technical discussion is gone off my Twitter feed now, and I didn't even unfollow anyone!
Show threadTim McLeanDec 20, 2022
@mattblaze What stopped that discussion from happening on Twitter? Did too many people leave, or was it an algorithm change?
Show threadTim McLeanDec 19, 2022
@willc Log out. Go to the Sign In page. Open the Network tab of dev tools. Sign in. Look at the HTTPS request sent to the server. It contains your password. The server is controlled by the server admin on a domain owned by the server admin using a TLS cert set up by the server admin, so it can log any request it receives. That's just how the web works!
Show threadTim McLeanDec 19, 2022
@willc they can log it when you sign in or register
Show threadTim McLeanDec 19, 2022

If the fediverse succeeds, then its users will be fractured across many smaller servers instead of clustered in 1 large server. This makes security much harder.

A large server (like Twitter!) can be defended by large security teams, perform internal audits, and be held accountable by regulatory bodies. Their executives can be hauled before Congress or thrown in jail for failing to report a breach.

Small servers will mostly lack the resources to fund a security person, let alone a security team. They may not even have access logs. And small server admins are unlikely to face the same level of scrutiny from regulators. This makes cryptographic assurances like E2E encryption that much more important for federated platforms like Mastodon.

Show threadTim McLeanDec 19, 2022
@willc Oof. Frustrating to see so many answers there that I disagree with. E.g. "Mastodon Admin here. We can't see or leak your password." is clearly wrong or at least misleading. Hopefully that will shift now that infosec folks are here :)
Tim McLeanDec 19, 2022
@subm3rge Sure. That works for people like us who understand the difference. But as Mastodon becomes more mainstream, many users won't, and there will be much harm to those users as a result. We can and should do better!
Show threadTim McLeanDec 19, 2022
If the community wants it, we could probably do a lot to improve the current state of Mastodon servers and trust (where the server owner is effectively God of all users on their server). E.g. enforce cryptographic transparency for moderation actions.
Show threadTim McLeanDec 19, 2022
I haven't read too much about Mastodon/ActivityPub yet, but I'm guessing server admins can impersonate anybody on their server and change the text of anyone's posts (toots?). That could also be fixed once the key distribution infrastructure is in place for e2e encryption.