ultimape πŸœπŸ’© ❌ is a user on mastodon.social. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.

If I can get an email at [someurl].com and have it backed by Gmail behind the scenes, what is the feasibility of having something like that work to redirect vanity URLs to Mastodon instances behind the scenes?

@WilliamShatner brought it up and I think it's a valid question:
twitter.com/WilliamShatner/sta
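The email analogy above maps onto a real Fediverse mechanism: when an instance looks up @user@domain, it fetches https://domain/.well-known/webfinger?resource=acct:user@domain (WebFinger, RFC 7033) and follows the "self" link to the actor. A vanity domain can therefore answer WebFinger itself and point at an account hosted on another instance. The following is an added example, not code from the original thread or from Mastodon; the hostnames, handles and the DELEGATIONS table are constructed for illustration.

```python
# Added example: a minimal WebFinger (RFC 7033) responder for a vanity domain.
# Hostnames, handles and the delegation table are constructed, not real.
import json
from urllib.parse import urlsplit, parse_qs

VANITY_DOMAIN = "someurl.example"

# Which vanity-domain users map to which account on a backing instance.
# Constructed mapping for illustration.
DELEGATIONS = {
    "alice": ("mastodon.example", "alice"),
    "brand": ("mastodon.example", "brand_official"),
}


def parse_acct(resource):
    """Parse 'acct:user@host' (optional leading '@') into (user, host).

    Returns None for anything that is not a well-formed acct: URI, so the
    caller answers 404 instead of guessing.
    """
    if not resource.startswith("acct:"):
        return None
    addr = resource[len("acct:"):]
    if addr.startswith("@"):
        addr = addr[1:]
    if addr.count("@") != 1:
        return None
    user, host = addr.split("@")
    if not user or not host:
        return None
    # acct: names are compared case-insensitively in practice.
    return user.lower(), host.lower()


def jrd_for(resource):
    """Return the JRD document for a delegated resource, or None (-> 404)."""
    parsed = parse_acct(resource)
    if parsed is None:
        return None
    user, host = parsed
    # Only vouch for addresses on the domain we actually own; a WebFinger
    # server that answers for foreign hosts is an impersonation vector.
    if host != VANITY_DOMAIN or user not in DELEGATIONS:
        return None
    instance, handle = DELEGATIONS[user]
    actor = f"https://{instance}/users/{handle}"
    return {
        "subject": f"acct:{user}@{VANITY_DOMAIN}",
        "aliases": [f"acct:{handle}@{instance}", actor],
        "links": [
            # ActivityPub clients follow this link to the actor document.
            {"rel": "self", "type": "application/activity+json", "href": actor},
            {
                "rel": "http://webfinger.net/rel/profile-page",
                "type": "text/html",
                "href": f"https://{instance}/@{handle}",
            },
        ],
    }


def handle_request(path_and_query):
    """Dispatch GET <path>?<query> and return (status, body).

    Framework-agnostic on purpose: plug it into whatever serves the vanity
    domain over HTTPS. The body must be sent as application/jrd+json.
    """
    parts = urlsplit(path_and_query)
    if parts.path != "/.well-known/webfinger":
        return 404, ""
    resources = parse_qs(parts.query).get("resource", [])
    if len(resources) != 1:
        return 400, ""  # RFC 7033: resource is required, exactly once
    jrd = jrd_for(resources[0])
    if jrd is None:
        return 404, ""
    return 200, json.dumps(jrd)


if __name__ == "__main__":
    print(handle_request("/.well-known/webfinger?resource=acct:alice@someurl.example"))
```

Serve it over HTTPS with Content-Type application/jrd+json and permissive CORS, as the RFC requires. This gives discoverability only: the account, its keys and its canonical handle still live on the backing instance, so the instance-trust questions raised later in this thread are not answered by the vanity domain.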

ultimape πŸœπŸ’© ❌ @ultimape

William Shatner nailed major concerns that I think are worth echoing & considering.

"Don't you think that creating a node where folks can sign up opens an issue of security with passwords and such?"

- I am also concerned about this. Important consideration when spreading.

"So if there was a whiz.bang server then Joe Smith could go and sign up as @williamshatner@whiz.bang?"
"That makes the entire service worthless to anyone with a brand. That's a bit of an oversight."

- Good :smiling_imp: ?


@LinuxSocist
I wonder how that would work. Would be interesting to figure out what that would take. Without too much thought, it sounds like it would involve the same painful system behind HTTPS verification, or perhaps some type of consultancy?

@ultimape I was thinking of trusted instances which are widely known (the Googles, Twitters and Facebooks of the fediverse) that are only open to certain users and can verify their identities.

@LinuxSocist
how to get there from here? I'll think a bit about this. It does sound like the ideal.

@ultimape I know some skilled users and members of the infosec community have started some of their own instances for these reasons.

It's a shame Diaspora didn't take off when it started, this debate would have already happened.

@ultimape "brand identity" is kind of associated with capitalism. federation is kinda associated with socialism. not directly but you can get there very quickly

@kodo @ultimape "Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're screwed.

In all seriousness, I'd really like to start a discussion on how to mitigate bad actors.

Not complaining about the current system, but I think a cultural level appreciation for the risks and people working together to help protect each other from them seems like a positive thing.

The whole URL issue is probably best solved by continuing to work toward easier setups (docker etc?) for the time being.

But Sybil attacks and evil-maid-esque federated nodes seem worth considering.

@ultimape I feel like if you are concerned over your brand you would have to run a solo instance of your own and that would be part of your identification. Not a great solution but at least everyone would view you consistently.

Birdsite's verification system was essentially a facet of them being a centralized authority, that obviously doesn't really work on a federated decentralized system.

I've researched Sybil attacks myself in the past, but never made any headway finding out how one might instill a cultural immunity.

researchgate.net/profile/Grego

Maybe it's the infosec in me, but I don't trust a single instance, not even this one?

I could come up with 50 million technical ways to do it (blockchains, lol), but with so many new users migrating over so quickly, it would be more effective to discuss ideas about safety.

My own stab at explaining federating was a bit rushed: medium.com/scat-sense/playing-

I know others aren't as paranoid.
mastodon.social/media/WSIMOGfv

@Efi no, but at least they had monetary incentives aligned with not fuxing it up. I think they originally implemented it after being sued. hah

@ultimape tbh, I trust the opensource community over monetary pressures, but I'm just a kitten, not an infosec expert =3

@Efi Well yeah, I trust the code and think this is a much better system. But at the same time we're just directing people to a list of instances and I find that highly sketchy. The community writing the code =/= the community running the servers.

I'm thinking of all the people moving over blindly who don't realize how all this works - how can we foster something that will help teach them?

@ultimape @Efi Hence why you will find me on mastodon.social & icosahedron.website (and social.tchncs.de if I had an account there), because I only trust (in a limited sense) Gargron in his trust of the two instances.

@ultimape ah, I see what you mean
well, I think trust online should never be a thing you do, if that makes sense
like, I'd never post my bank account details anywhere online that is not a shop, and then, with precautions, so I think it's more an issue of general literacy than specific about federated systems, but I see your concerns

@Efi I like the literacy framing. I guess in that metaphor, one could say that people are literate in the way Twitter runs, which is like a walled community. And this is more like the frontier?

I'll have to play with this in my head, sounds promising :)

@ultimape we are colonists on uncharted infosec territory nwn

@ultimape read through your medium post; agree with it as well.

What do you think is the best way for users to protect themselves when using Mastodon? (And just because you spin up your own server, why should we trust you?)

@ultimape would setting up .onion access for it be worthwhile?

@ultimape One thing to consider on self hosting, are people competent enough to keep the backend through to the front end secure? Are they able to comprehend virtualisation, containerisation and network isolation? Though some of that can be handled with a VPS.

@ultimape Keeping track of Open vSwitch connections to, from and between VMs can really do my head in at times.

@ultimape So it's a race to nail down your name (or brand) in every instance? Is that right?

@PeterAranyi perhaps no more than trying to get "PeterAranyi" at every major email provider.

@ultimape right, I see your point. But intuitively, I would think/expect username at "mastodon" would be kinda global? Still getting my head around federation. I guess.

@ultimape Ha. Yes, some instances will be expressly happy to not have brands. Let's have a sweepstake: How many days until a clever agency promises to keep tabs on all instances and register your brand there for you? :-)
Also: Let's keep Twitter simply as an authentication platform :-P twitter.com/dBu_fs/status/8498