KemoNine @kemonine

Trust your admins, picture edition.

This is an illustrated toot showing the admin interface that lets us admins see ALL OF YOUR TOOTS

Media filters, DM's, delete ability

All from the comfort of a browser.



@ghosty183 Indeed...

I work hard to build trust (aka : I never used that feature until today when I wanted screen grabs) but... it's an important point to make for the new users.

I like to arrange a side channel for comms outside of DM's personally.

@kemonine that sounds to be the most reasonable option. I think handing off dm to another service would be best.

@ghosty183 @kemonine yep, as long as I've been on here the standard line is that if you need private, secure communications, take it off Mastodon.

wow, I am even an admin on a server and I didn't realize we could do that. Admittedly it's been a while since I had to look at the admin interface for anything.

@frankiesaxx Yeah, even mods have the capability now...

I hadn't had a need or desire to look at it until today when putting that toot together.

An important reminder why side channels like Matrix, Signal, Telegram, etc are important in addition to Mastodon DMs

@kemonine (Mastodon DMs suck from a usability perspective too.)

@frankiesaxx Well yeah but I prefer not to call attention to that just yet 😉

@kemonine haha I don't think you have to. It's glaringly obvious to anyone who's ever used DM's/messaging on another platform.

@frankiesaxx I dunno, I prefer masto's to the modal window crap that Twitter has...

But then again I've been a fan of side channel messaging for years now.

If I want private comms best to find a direct messaging setup that's harder to snoop...

@kemonine i also don't treat any of my online communications as truly private, regardless of channel. Like, you and me, alone in an isolated outdoor area with no devices, I would trust as about as private as I can get.

@frankiesaxx @kemonine Is now a good time to mention that someone made a pull request a few months ago to show direct messages in a separate column?

No users were harmed in the creation of the parent toot.

The pictured accounts are all MINE.

I have multiple alts and this was setup using MY PERSONAL ACCOUNTS

Until today I never used the feature.

None of my users gave me a need and I hope that they never will.

@kemonine if there is no end-to-end encryption, never assume that what you write is private.

@kemonine And, additionally, act in a way that your admin can trust you :).

What I mean is... posting on their instance signifies an act of trusting the admin of that instance, just as the admin allowing you to post on their instance is an act of trust that you're not going to do something nefarious or put them in a bad situation (given the uncertain effect of recent pending changes in net neutrality laws).

This whole federation concept really hinges on maintaining that two-way trust.

@kemonine that should come as no surprise though. Even if there was no proper interface, it would probably be just a db query away.
Solution: don't send sensitive messages over a federated network with no proper means of end-to-end verification or encryption.

@howl That's assuming the moderation team has DB access....

More than a few instances are hosted by a 3rd party who is the only one w/ db access.

I've also found a *lot* of people have never considered such a thing.

Nevermind how simple it is to dig 😉

@kemonine Fair enough, didn't think of that because I picture mostly small instances with just one admin, but I guess that applies to big ones.

And yes, it might need to be more explicit on the interface that admins can see DMs. But hey, "Mastodon" is this "privacy-respecting social network" where your data won't be sold to third parties or used against you, amirite?

@howl That's the default behavior for now.

However, if a brand or big company wanted to run their instance I would hope they make it clear that it's a corporation behind the scenes.

@kemonine last paragraph was ironic. I mostly meant that to say 'hey, there are no technical limitations to make this a botnet and to make an instance sell your brain to the russians', in spite of the many claims especially as of lately of the Fediverse being so good at privacy.


@frankiesaxx @kemonine @moz This is actually a very good suggestion and I would like to add that

@Gargron @frankiesaxx @kemonine @moz could suggest fake privacy feeling. DM would still be in clear in the database.

@kemonine Also technically the admin can pretty much shut down mastodon, open up the underlying databases, and dig through things.

admins = root. root 0wnzor j00, to speak in a now long-gone internet dialect.

@pnathan Not strictly....

There are a bunch of instances hosted via 3rd party services w/o direct db access (or root).

On top of that the moderation interface (ie, less privs than admin) also includes that feature.

You'd be surprised how many don't consider some of this when picking an instance.

@kemonine I haven't popped open the hood on Mastodon for a while - it's still mostly sidekiq and postgres, yes?

@pnathan Yes, the vast majority is still sidekiq and postgres.

I'm told the updated search features are backed by elasticsearch and someone has done some FTS tweaks to the postgres side on a larger instance to avoid the additional JRE dependency.

Admins have many options for digging these days.

@kemonine heh, so, still, in the end, they who have root on the cluster 0wn j00.

@kemonine This page corresponds to the moderation page following a report...
It remains useful to act easily.
But Yes, the admin has access to everything from the database.

@kemonine Don't trust your admins I'd say... and create democratic ways for the users of our instances to decide on this... sysadmins can't be the dictators of the flow of information... this responsibility has to be shared

@ajeremias Very fair point.

however, how do you democratize something most people aren't aware of and/or versed enough to handle in a secure fashion?

@kemonine we are going to make calls for monthly general assemblies.. and the users which of our instance/node (we also give other services) are welcome to participate, help, contribute, and find better ways to sustain our data/servers.

@ajeremias @kemonine There's no way to enforce a democratic system as one person pays the server bill.

@ajeremias @kemonine Whoever owns the domain and server essentially can't be overthrown, you just have to leave the instance

@ajeremias @kemonine No you don't understand, there's no programmatic way to enforce it, you can agree to do it that way, but there's always the risk of the account holder tossing everyone else out, I've seen it happen

@Laurelai @kemonine yeah but without trust life is not worth it... and even if that happens, it's easy to create another instance... we feel inspired by the movement of squats, which dedicates their time to squat empty buildings and find ways to govern them with direct democracy and consensus!! long live anarchy \o/

@ajeremias @kemonine I'm an anarchist and I'm speaking from experience in anarchist-created online communities taken over by hostile admins, but ok

@Laurelai @kemonine aah nooo, that's why I talked about affinity groups... people you meet in real life... instances should be local, no?

@ajeremias @kemonine It literally was an affinity group. We all had known each other for years.

@ajeremias @kemonine I'm an anarchist ok, but a lot of anarchists are pretty much ignorant of the signs of an authoritarian personality, how power structures work and how perverse incentives are created.

@ajeremias @kemonine The internet has one old rule that still applies: people in power are those who run things. If I decide to run an instance and to manage it alone and act like a dictator, it is my right.

If a couple of people decide to run another and rule together while one of them admins, it is their right. Just as much as a hive of users co-managing an instance.

Just don't expect voice or power after simply registering on someone else's service.

@kaiyou @kemonine I'm just explaining how we are dealing with the dictatorship of sysadmins on our instance! :)

@ajeremias @kemonine And I do like your model, just like tedomum is pretty open to ideas or criticism from its users, even if we do not have a formal way of including them in decisions (like a vote).

My point was not all instances will apply the same rule, and no, there is no legitimacy in complaining about those who don't. Just use another instance. Hell, open yours if you can't agree with anyone.

@kaiyou @kemonine yes for sure.. totally agree, I like diversity and the possibility that each instance can do whatever they want.. and about voting, we do not vote.. we use consensus :)

@kemonine damn it, I thought they were sitting in postgres shell, finding DMs with SQL queries, and you're telling me they have a GUI? Lazy bastards...

@kemonine @angristan A server admin can always see anything you send through that server if it isn't end-to-end encrypted. In a big company like Facebook or Google they may have strict restrictions on who is allowed to read random people's private messages, but on a small server run by a single person, there's literally nobody other than that admin who can decide that.

@kemonine Uhhh why did you use the star of David to highlight the delete button?

@Gargron Because it was the best 'star' option in mspaint...

Not intended negatively, just the one tool I hit first when finding something to draw attention.

@kemonine umm wtf so it's not a distributed network?

@Nixfreak It's a distributed network but once a toot hits a remote node/server/instance... all bets are off.

@Nixfreak You could use OTR or similar but that's not baked into anything at present (at least nothing I've heard about, others may have options).

I normally recommend users negotiate a side channel (matrix/riot/signal/etc) via DM to take anything that could benefit from e2e crypto or more privacy off masto...

@Nixfreak @kemonine Direct Messages are currently a second class citizen on Mastodon.

This place is designed for expression (publicly displaying your life, ideas and opinions), not for communication (talking privately to your intimate friends).

If you are looking for properly distributed communication tools, have a look at Matrix/Riot.

@kemonine Mastodon should strive to upgrade DM to use end-to-end encryption IMHO (although of course everybody knows that currently the system is not built for privacy). /cc @gargron

@kemonine I have a long time ago put this in the ToS under Privacy:

"Please note that everything you publish on Mastodon, including direct/private toots, is stored in plain text in our database. So it's technically possible for our system administrators to read everything. That's why you shouldn't use Mastodon for confidential communication. There are better options."

Also remember that it is very likely that Twitter also reads DM's, but Twitter would never admit that of course.

@kemonine Correction: *Twitter can read DM's (it's not that they actually read all DM's)

@jeroenpraat Any chance you'd mind if this chunk of your ToS was borrowed?

@jeroenpraat @kemonine iirc some journalist recently got questions asked at the Chinese border based on things she has only written about in Twitter DMs, so they're not only reading them, actively sharing too

So, in terms of privacy, it is not different from facebook or twitter? I mean, nothing stop a "malevolent being" from create an instance and collect data from its users and the users of other instances that interact with them. Did I understand this right?

So, the real difference between this network and, say, facebook, is that this one is more censor-resistant and you can see the messages in chronological order


@hellion I think 'no different than fb/tw' has a lot to do with your local instance and the instances which you interact. If you're on $bigBrand's instance they are likely data mining. If you're on $privacyFocused instance, they aren't going to be screwing around with your data.

However, if you interact with $bigBrand from $privacy those toots that hit $bigBrandInstance will be mined.

Kind of like e-mail: we can use google or our own. But we need to be mindful when sending mail to others.

@kemonine I think it's important for people to understand that this is not something that is unique to Mastodon. Any site where you can post information has this capability available to its administrators.

The most important lesson to learn is that if you don't want information to be available publicly, then you shouldn't make it available on a third party site.

That said, a good admin never snoops, but even a good admin will see private information when debugging for example.

@loke @kemonine This is why it was important to me to join an instance where members have roles in decision-making -- obviously it's still possible for someone to "go rogue", but we can build something more structured than the "admin as god" model.

@nev 👍

I'm glad to hear that.

One of the instances I admin is structured around a voting model for new users and policy making.

I'm hoping the other can grow large enough to have a moderation team 'in due course' where we have community members with active voices.

Building a community is tricky but we can all have a voice if well managed.

@nev One geared towards anxiety and a quiet place in the woods...

I set it up the last time there was a major influx of users and it's where a few find a home when they want to communicate with their closest masto-friends.

@nev With the new invite system (and even before) we structured it as a consensus model for approving new accounts to help keep the number of users low.

It's also structured around a majority consensus for policy making/etc.

The idea is to make it 'difficult' to onboard but once accepted easy to affect change overall.

@kemonine interesting! I love all the diverse systems people are developing.

@nev Agreed, between the different hosting providers for masto instances and the ease which you can deploy a Docker image these days there is a lot of opportunity.

The diversity across the fediverse is amazing and the topical instances full of wonderful discourse.

@nev @kemonine Fair enough. That's a much nicer model. But even then anyone with access to the server will be able to access the information. There is simply no practical solution that will avoid that.

There is also the issue when sending private messages that those messages are not only available to your admin, but also the admin of the receiving instance.

In my opinion, the best advice is still to simply not post sensitive things that would be problematic if they were exposed.

@loke @kemonine totally agree! I don't think collective/democratic models solve the privacy problem. But they can give users more control.

@loke @kemonine not unique to Mastodon, no.

But 100% unique to software with a broken security model hiding behind a misleading GUI.

Mastodon can be better than this.
Debugging can be done while preserving privacy.

Users deserve end-to-end encryption.
Full stop.

@eryn @kemonine I agree that end-to-end encryption is good, and should be used wherever possible.

The only way to do this is to store direct messages in encrypted form, and then perform client-side decryption of those messages.

In order to do all of this, you not only need to implement client-side crypto, but you also need to implement a PKI so that you use the proper key when encrypting the messages.

That's a lot of infrastructure for a feature that isn't used that much.

@loke @kemonine SysOps have had this capability going back to the BBS days of lore as well, but we took our position VERY seriously. Most of us rarely (if ever) snooped on our users. There were of course exceptions, and the younger the SysOp, the greater the chances they were immature and did that sort of thing for sure.

@gme @loke Yep, the 'old hats' tend to take their position very very seriously and tend not to abuse.

However, one bad actor will spoil it for the rest of us.

People are panicking about Facebook data collection and missing the bigger picture IMHO.

The good news is Masto instances aren't here to harvest + sell user data.



A big part of why I left Twitter & haven't used a Facebook account in years is I simply couldn't trust others.

Their centralised nature necessitated a hierarchy.

Reading this just makes it clear that if individuals don't have their own instances & act as their own admins on them, then all that has happened is the localisation of the same hierarchical trust problems; specific to the instance.

That's not a solution.

Reading 'TRUST YOUR ADMIN!' resembles 'Trust Big Brother.'

@Barcode @kemonine Better solution: don't send anything sensitive over DMs, just negotiate a better (E2E encrypted) communication method, like xmpp+otr.

@slipstream @kemonine

I agree that's progress, but it is the sort of improvement that protects individual messages of a non-habitual nature.

The known 'we need to discuss this securely' stuff.

It's not protecting the other known problems - the 'I can control my privacy, but my Facebook friends' thoughtlessness screws *me* regardless' problems.

Or the problem of an ordinary piece of information only being revealed as needing to be kept private *in hindsight*.

Now: ; soon: ...

@slipstream @kemonine

I think for a truly secure communication network, there'd need to be an element of sacrifice.

'You blow this, it costs you.'

Think a substantial amount of cash held as a deposit to be allowed to use the service. And no way to ever rejoin the network. No second chance.

I don't know if this'd ever be implementable because anyone with the money could sponsor other people with no interest in the network to set up accounts and just eat the loss when one vanishes.

@Barcode I posted this because it's non-obvious that admins/mods for all instances that your toot 'touches' can be read by someone... and it may not even be the 'root' user on the IT team hosting the service.

I may have chosen my words improperly but needing to trust your (and the person you're talking to's) admins is an important point.

The real 'solution' is to negotiate a side channel with e2e crypto. That's the only way you can trust the comms 😢

@whilelm @Darks @kemonine I mean, with a real integration, other than raw text you have to decrypt by hand in a terminal yourself.

@parleur @Darks @kemonine No, obviously not. Well, I mean, not to my knowledge.

@whilelm @Darks @kemonine
Well, after a quick test, it pipes fine into toot, for example.
$ echo "Proof of concept" | gpg --enarmor | toot post --
Inserting something like this, but in Python, into a Mastodon client should do the trick.

@kemonine As an addition, trust the _remote_ admin when sending toots with any sort of privacy setting.
@frankiesaxx @kemonine Well yeah, obviously. There's a lot of trusting going on. 

It's the internet. It used to work that way with everything (looking at you, plaintext protocols).

@pettter @kemonine Trust can be cheap though, because realistically, 98% of "private" online communication between users is boring "what you want for dinner tonight honey?" talk, exchanging pictures of naughty bits, or trash talking other users.

It's not like we're talking nuclear secrets. Pretty much nobody is *nearly* as interested in other people's DMs as those people imagine.

@frankiesaxx @kemonine Scraps of data yield a detailed picture which is valuable to advertisers (political and economical).

I agree that for small instances the value is low. and not worth the loss of trust, business, friendship etc. should it come to light.

@pettter @kemonine Yes, that's true, I was thinking more of the emphasis on "Your admin can see your DMs!"

My observation is most people are a lot less concerned about their data being scraped and aggregated and sold and targeted silently by machines than they are about a random human reading their "private" chat.

There was a good Social Science Bites episode on social stratification via data mining

@pettter @kemonine

Yeah but people don't generally care as much about other people's business as other people believe they do.

@tinker Still doesn't help the other side of the comms... The moment it leaves the instance it's fair game on the other side.

@kemonine - Yep. You can use Direct Messages to coordinate secure comms, but you can’t use DMs *as* secure comms.

@kemonine @taziden Seriously, there is no option *ENABLED BY DEFAULT* for masking private and DM messages?
Old PHP forums didn't permit that in the GUI, the only option was querying the database, so admins had to actively want to see private things in order to see them.

@kemonine it seems like a more ideal measure would be using it to authenticate a different system, so your mastodon acct would sign / verify your other messaging system

Hmm... and that reminds me of the good old mailbox days, when #Zerberus took the confidentiality of private messages seriously ... unlike other systems.

@Paul I think a large portion of the Masto admins take confidentiality of the DMs very seriously but at the same time it's good for others to know that it's not actually confidential 😉

@kemonine to what extent does the Telemediengesetz apply to Mastodon instances here?

@Paul I have no idea. I'm outside of Germany and wasn't aware of the act until a few minutes ago.

@kemonine Back in the 1980s/90s we had a similar situation with mailboxes / BBSes, as the almighty sysop was able to read & alter private communication.
That led to the use of #PGP and #privacy-aware systems.

@paul @kemonine This was a plot point in Halt and Catch Fire. They had a little BBS thing and had some awkward privacy moments.

@kemonine how long till someone invents a trustless instance, like ProtonMail?... that'd be interesting

@edheil Hopefully not long...

That or a side channel that's also stitched in for DMs would be a good middle ground