Mastodon, Musk, and Mythbusting: The Case for Federation


In the wake of Elon Musk's acquisition of Twitter, Mastodon instances have seen some of the highest sign-up volume ever.

This has sent my typical corner of Twitter into somewhat of a debate.

Dubbed "Infosec Twitter", exploit researchers, red teams, SOC analysts, CISOs, DFIR teams, and more can reliably be found commenting on the news of the day, sharing research, discussing breaches, and more.

When I joined Twitter in early 2020, I did it primarily because I was starting to present at conferences and knew that it would benefit me to have some kind of network, and LinkedIn still grossed me out.

What I found there was a mixture of enlightenment and confusion, of insight and of disappointment.

Amid my newfound source of threat intel, tradecraft, and (of course), memes, was something I didn't expect: the hacker culture I grew up in was surprisingly absent.

Instead of discussing information freedom, privacy, or technology that helped people, I found arguments about whether offensive tooling was okay to publish, whether EDR is good, and whether infosec is an entry-level field (to list only a few).

The kinds of topics I used to see regularly on forums and IRC were rare to see.

Luckily, curating who you follow helps a lot with this. A muted word here, a muted account there, and you can end up with a feed of topics you mostly care about.

This has changed even in the short time I've had an account, though, in that Twitter has been serving more and more advertisements and struggling to be profitable.

As Elon Musk has taken over Twitter and cleaned most of the house out, it's become evident that a platform up for purchase by any individual is not a platform conducive to user freedom and control.

This is not a blog about ideological statements for or against Musk. It does not matter to me who is able to take over Twitter for $44B, only that someone can, and only as long as there are alternatives.

However, in disappointingly predictable fashion, certain sections of Infosec Twitter have been outspoken about the most popular platform, Mastodon, being unrealistic and a non-answer to the problem of unitary platform control.

This would be entirely reasonable if many accounts with large audiences were not stating inaccurate information about it as insurmountable downsides of the federated alternative.

Federation Mythbusting

The purpose of this blog is to address as many of these myths as possible with accurate information. So here we go.

You have to host your own server

Though it would solve a lot of problems outlined in sections after this one, no, you do not have to host your own.

You can join any instance you want and see content from users on any instance that is federating with yours. Conversely, any instances not federating with yours (for any reason) will be invisible to you by default.

You can't verify yourself and can be impersonated

Again, not a problem if you host your own, but let's assume you're not able to or don't want to. That's fine.

You can verify yourself via a `rel="me"` link in a different place, such as Keybase or your own website. By simply creating a link like this on the homepage of your website:

```html
<a rel="me" href="https://infosec.exchange/@rybaz">mastodon</a>
```

...a Mastodon instance will show a green checkmark in my profile, verifying me as the owner of that domain, which I use as my primary source of identity on the internet.

The blue check on Twitter is only a luxury for certain high-profile people anyway. If anything, those most at-risk for impersonation are those who Twitter doesn't deem worth verifying, rendering them helpless to stop it.

Content moderation is a problem

Aside from this being a problem on every social media platform, Twitter included, Mastodon instances can block entire other instances themed around content they want nothing to do with.

If you join a mainstream instance with lots of people, you're likely to run into content you'd rather not see, but that's why:

  1. There are so many instances to potentially join, often centered around interests or subcultures.
  2. You can host your own.

DMs can be read by admins of instances

Also a problem on Twitter and most any other platform owned or operated by someone else.

Have sensitive conversations over channels you trust, like XMPP, Matrix, Signal, Session, whatever.

It's confusing

Of the people I interact with on a daily basis, including on Twitter, I am on the lower end of the intelligence scale, and that's a good thing.

If I can spend 10 minutes Googling how Mastodon works, so can everyone else.

It goes without saying that, in my short time on a Mastodon instance, people have been more than willing to help new users figure out how things work. All anyone has to do is ask.

We should just start a forum

I love forums. I miss forums. I learned a ton from them.

Luckily, there are federated forum platforms like Lemmy that accomplish that goal of asynchronous, topic-based discussion, while being interoperable with other ActivityPub-based implementations.

We don't need ANOTHER social media site

I agree. Completely.

I hate social media, but it's the way of the world, and I want a professional network. But apart from LinkedIn and Twitter, I don't have any other social media accounts, so the "too many platforms" exhaustion isn't very strong for me.

Federated platforms and protocols are meant to clean up and change the noise, not add to it. It must be viewed as a different way of interacting with digital communities in order for value to be extracted.

The Ethos of Federation

Switching to Mastodon or any other federated technology shouldn't be driven by the volume of content there is to consume there, but a desire to invest in systems that are controlled by users instead of corporations, investors, or executives.

Or where content isn't force-fed to you by an algorithm to make you angry, sad, happy, entertained, and lonely all in a single session of scrolling.

Or where your dopamine levels aren't corporate growth metrics, measured by variance of spiking and sinking and correlated to profit.

Federated services aren't meant to be Twitter or Facebook competitors. If you're looking for one to replace the other, you're going to be disappointed, especially if you have a large audience on one of them.

But large audiences and maximum reach are not what federation is about.

It's about taking back platform control and using open protocols.

It is about quality over quantity.

It's about fostering the free and open exchange of information, interoperability, and highly censorship-resistant content. The same arguments for Signal relays or Tor nodes in oppressive countries can be made for Mastodon, Matrix, or any other federated tech.

If a sufficient amount of content is the #1 value driver for you to use a platform, that's fine, and centralized media may be what you actually want, as it's more conducive to quantity.

You'll ultimately be disappointed with platforms that emphasize user freedom over how long they can entertain you.

For better or for worse, that is the current dichotomy.

Federated platforms won't get there overnight, but the dynamic of "where everyone else is" only changes based on the decisions of individuals, something the Twitter algorithm would rather you not do.

If everyone waits for everyone else to go first, nothing will change.

There is nothing to stop someone else from taking control of Twitter or whatever comes next, be it a competitor or clone-like alternative.