Twitter is Flat
Twitter has not crashed and burned yet, but it has changed since the Elon acquisition. "Infosec Twitter" has migrated to several Mastodon instances across the "fediverse." Today, it is harder to find engaging, novel content from technical sources. For that reason I am not looking at Twitter as much, and in a way I am a little happier overall. Weird, right?
Twitter gave me some great experiences. In particular, Twitter was incredibly flat. Pre-existing social relationships were not, for many, a gatekeeper to interacting with someone, or to being interacted with.
On Twitter, I could reach out to specific people about something relevant to them, and people could reach out to me when I mentioned something relevant to them.
Reaching out
At the time, I was researching key derivation functions, specifically ones I might be able to implement as a learning experience. I found Balloon Hash while reading NIST 800-63-3 section 5.1.1.2, "Memorized Secret Verifiers." But when I reviewed the code on GitHub, there was visible intended endianness, and the readme basically said the reference implementation was not for production use.
With git blame, I found the author and asked directly. I didn't expect to get a response, but I did!
github.com/usnistgov/800-63-3/pull/575
@jimfenton: The few implementations out there are not consistent.
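The inconsistency mentioned in that reply, and the endianness I noticed in the reference code, come from the same place: the paper's pseudocode for Balloon hashing says to hash a counter and block indices, but does not pin down how those integers are serialized. The following is an added example written for this post, not the Balloon reference implementation and not code from the NIST repository. The control flow follows the Balloon Hashing paper (Boneh, Corrigan-Gibbs, Schechter) using SHA-256 as the underlying hash; the 8-byte integer width, the byte order, and the use of the whole digest when reducing a hash to a block index are assumptions, exposed as parameters so the divergence is visible.

```python
"""Balloon hashing, written to show how unspecified integer encoding splits
implementations.

Added example for this post. It is not the Balloon reference code and not the
blog author's code. Loop structure follows the paper's pseudocode; integer
width, byte order and the digest-to-index reduction are assumptions made here.
"""
import hashlib


def _int_bytes(n: int, endian: str) -> bytes:
    # Assumption: 8-byte fixed-width encoding. The paper only says "hash the
    # counter"; the byte order is the choice that makes implementations diverge.
    return n.to_bytes(8, endian)


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def balloon(password: bytes, salt: bytes, space_cost: int, time_cost: int,
            delta: int = 3, endian: str = "little") -> bytes:
    """Balloon hash of `password`; `endian` selects how integers are encoded."""
    cnt = 0
    buf = []

    # Step 1 (expand): fill space_cost blocks, each hashing its predecessor.
    buf.append(_h(_int_bytes(cnt, endian), password, salt))
    cnt += 1
    for m in range(1, space_cost):
        buf.append(_h(_int_bytes(cnt, endian), buf[m - 1]))
        cnt += 1

    # Step 2 (mix): every block absorbs its predecessor plus `delta` blocks
    # chosen by hashing the salt with the (t, m, i) indices. The choice depends
    # only on the salt, not the password, so memory access is data-independent.
    for t in range(time_cost):
        for m in range(space_cost):
            buf[m] = _h(_int_bytes(cnt, endian), buf[(m - 1) % space_cost], buf[m])
            cnt += 1
            for i in range(delta):
                idx_block = (_int_bytes(t, endian) + _int_bytes(m, endian)
                             + _int_bytes(i, endian))
                # Assumption: the whole 32-byte digest is read as an integer
                # in the same byte order, then reduced modulo space_cost.
                other = int.from_bytes(
                    _h(_int_bytes(cnt, endian), salt, idx_block), endian) % space_cost
                cnt += 1
                buf[m] = _h(_int_bytes(cnt, endian), buf[m], buf[other])
                cnt += 1

    # Step 3 (extract): the final block is the output.
    return buf[space_cost - 1]


def compare_byte_orders(password: bytes = b"correct horse battery staple",
                        salt: bytes = b"constructed-salt-not-from-post",
                        space_cost: int = 16, time_cost: int = 2):
    """Same algorithm, same inputs, two byte orders: returns both digests.

    Inputs are constructed for the example. The two digests differ, which is
    the interoperability problem an unspecified encoding creates.
    """
    little = balloon(password, salt, space_cost, time_cost, endian="little")
    big = balloon(password, salt, space_cost, time_cost, endian="big")
    return little, big


if __name__ == "__main__":
    le, be = compare_byte_orders()
    print("little-endian:", le.hex())
    print("big-endian:   ", be.hex())
    print("match:", le == be)
```

Run it and the two hex strings differ even though both runs are faithful to the same pseudocode. That is why a verifier that stores one implementation's output cannot accept a password checked by another unless the encoding (and the hash, the index reduction, and the output length) is spelled out, which is what a specification, rather than a paper and a non-production reference, would provide.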
Mentioning
More recently, I attended a webinar intended for managers and the like. Of course, like any infomercial, it was just a disguised sales call, and I got a follow-up from one of their sales teams.
Mid-presentation, I yelled out into the void (Twitter). Turns out someone was listening, probably to the keyword "Yubico."
It sounds like you’re describing that identity attestation must be scoped to specific purposes under certain compliance requirements. Is that right?
Is this something that FedRAMP (just as an example) might require?
Building off your example, if you are building for FedRAMP High and you need AAL3 authentication for your employees, then to meet AAL3 the credential must be stored on a FIPS certified authenticator.
Only hardware bound passkeys can meet that requirement.
This is distinctly different from Amazon (or any other big brand) scraping Twitter for commercial support or upsell opportunities. I felt this was a more human-to-human interaction; it just so happened to be facilitated by a technological giant.
The future on the Fediverse
It may still be possible to reach out directly to some people. But the mentioning story is quite different.
On Mastodon at least, the only means of search is by hashtag. But hashtags are not necessarily propagated between every server. Servers have to federate, and even then they are not obligated to notify each other of every post that occurs within their gates.
This issue may be mitigated next year, though. As you can see in the thread linked under Filippo's post above, several people are working on the problem. I suspect we will see more contributions to fediverse tech, be it Mastodon or other implementations, now that developers and technologists are using something they can tinker with.
Conclusion
Twitter created a flat social network that anyone could use to reach anyone else, either by direct mention or by search. The fediverse requires participants to opt in to searchable content by using hashtags, and federated search is a weak point that makes even that difficult. The fediverse is receiving a new wave of attention, so we should see these rough edges improved soon.