Twitter is Flat


Twitter has not crashed and burned yet, but it has changed since the Elon acquisition. "Infosec twitter" has migrated to several mastodon instances among the "fediverse." Today, it is harder to find engaging novel content from technical sources. For that reason I am not looking at Twitter as much and in a way I am a little happier overall. Weird, right?

Twitter gave me some great experiences. In particular, Twitter was incredibly flat. Pre-existing social relationships were not, for many, a gatekeeper to interacting with someone, or to being interacted with.

This has incredible ramifications for honest and constructive social behaviors. Email is a similarly flat way to interact with people, assuming filtering rules are not involved.
However, it is also an incredibly dangerous property that dishonest and malicious actors take advantage of all the time. Spam, scams, and abuse in general are rampant problems which require active human effort to mitigate, in addition to automated tools.
Unfortunately Twitter terminated all of its social moderation teams.

On Twitter, I could reach out to specific people on something relevant to them, and people could reach out to me when I mentioned something relevant to them.

Reaching out

At the time, I was researching key derivation functions, specifically ones I might be able to implement as a learning experience. I found Balloon Hash while reading NIST 800-63-3 section "Memorized Secret Verifiers." But, when I reviewed the code on GitHub, there was visible intended endianness and the readme basically said the reference implementation was not for production use.

With git blame, I found the author and asked directly. I didn't expect to get a response, but I did!

Why would NIST recommend balloon hash if there's no specification for it and the reference project says do not use in production? @jimfenton The few implementations out there are not consistent.
While I did bring it to his attention that this was weird, no changes have been made to remove this recommendation. Oh well.


More recently, I attended a webinar intended for managers and the like. Of course, like any infomercial, it was just a disguised sales call, and I got a follow-up from one of their sales teams.

Mid presentation, I yelled out into the void (Twitter). Turns out someone was listening, probably to the keyword "Yubico."

I'm listening to the Yubico webcast and hold up, you're saying passkeys with user verification (e.g. biometrics) are not sufficient for corp security? I'd like to hear why.
They mention certificate support on their keys. I guess that is important if you don't want to keep track of all permitted public keys with certs + revocation.
@CendyneNaga 1/2 They MAY not be sufficient, the questions about whether they are right for enterprise employees will be driven by security and compliance requirements. The security reasons will be driven by the properties of shareable credentials.
@CendyneNaga 2/2 If the credentials can be synced, shared, or co-mingled between work/personal life, the user verification properties become less important than where the private keys are stored.
@derekhanson Thank you for following up Derek! It sounds like you’re describing that identity attestation must be scoped to specific purposes under certain compliance requirements. Is that right? Is this something that FedRAMP (just as an example) might require?
@CendyneNaga That is correct. Building off your example, if you are building for FedRAMP High and you need AAL3 authentication for your employees. To meet AAL3, the credential must be stored on a FIPS certified authenticator. Only hardware bound passkeys can meet that requirement.
@derekhanson Makes sense now! Thank you for walking me through that. Have a great week Derek!

This is distinctly different from Amazon (or any other big brand name) scraping Twitter for commercial support or upsell opportunities. I felt this was a more human-to-human interaction; it just so happened to be facilitated by a technology giant.
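The thread above turns on whether a credential can be synced or shared rather than on user verification alone. A relying party can read part of that from the WebAuthn authenticator data flags, so here is an added example, not code from the post or from Yubico, of a policy check over those flags. It assumes a hypothetical relying party id and constructs its own authenticator data; the backup eligible (BE) and backup state (BS) flags only report sync eligibility, and proving a FIPS-certified hardware authenticator still requires attestation, which this check does not cover.

```python
"""Enforce a hardware-bound passkey policy from WebAuthn authenticator data flags.

Constructed example for illustration; not the post's or Yubico's code.
"""
import hashlib
import struct

# Bit positions of the authenticator data "flags" byte (WebAuthn Level 3, 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def evaluate_policy(auth_data: bytes, rp_id: str, require_hardware_bound: bool) -> tuple:
    """Return (accepted, reason) for one assertion under the given policy."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not parsed["user_verified"]:
        return False, "user verification not performed"
    # A synced passkey is still a passkey with UV; the policy question is where
    # the private key may live. BE set means it can leave this authenticator.
    if require_hardware_bound and parsed["backup_eligible"]:
        return False, "credential is backup-eligible; hardware-bound required"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a minimal constructed header so the policy can be exercised offline."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```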

The future on the Fediverse

It may still be possible to reach out to some people directly. But the story for mentions is quite different.

On Mastodon at least, the only means to search is with hashtags. But hashtags are not necessarily propagated between every server. Servers have to federate, and even then they are not obligated to notify each other of every post that occurs within their gates.

Filippo Valsorda

Hashtags in a federated setting are an interesting technical and UX challenge.

In the push direction, I am not too worried: at least one account follows me from most large instances.

In the pull direction though I lost ~all visibility moving to a personal instance.

I don't want a firehose relay (of which anyway there's no reliable ones), but maybe there should be such a thing as a #hashtag relay where you get posts with hashtags followed by people on the local instance?

Dec 11, 2022, 01:41 (archived)

But this issue may be mitigated next year. As you can see in the thread under Filippo's post above, several people are working to improve this problem. I suspect that we will see more contributions to fediverse tech, be it Mastodon or other implementations, now that developers and technologists are using something they can tinker with.


Twitter created a flat social network that anyone could use to reach each other, either by direct mentions or by searches. The fediverse requires participants to opt in to searchable content by using hashtags. However, federated search is a weak point which makes searching across instances difficult. The fediverse is receiving a new wave of attention, so we should see these rough edges being improved soon.