Twitter is Flat

Mon Dec 12 2022

Twitter provided an accessible means to reach out to nearly anyone and actually get honest and interesting responses.

--------------------------------------------------------------------------------

Twitter is Flat
===============

Published Dec 11, 2022 - 9 min read

Twitter has not crashed and burned yet, but it has changed since the Elon acquisition. "Infosec Twitter" has migrated to several Mastodon instances in the "fediverse." Today, it is harder to find engaging novel content from technical sources. For that reason I am not looking at Twitter as much, and in a way I am a little happier overall. Weird, right?

I had some great experiences on Twitter. In particular, Twitter was incredibly flat. Pre-existing social relationships were not, for many, a gatekeeper to interacting with someone or to being interacted with.

> [cendyne: stonks]
>
> This has incredible ramifications for honest and constructive social behaviors. Email is a similarly flat way to interact with people, assuming filtering rules are not involved.

> [cendyne: not-stonks]
>
> However, it is also an incredibly dangerous property that dishonest and malicious actors take advantage of all the time. Spam, scams, and abuse in general are a rampant problem which requires active human effort to mitigate, in addition to automated tools.

> [jacobi: loading]
>
> Unfortunately, Twitter terminated all their social moderation teams.

On Twitter, I could reach out to specific people on something relevant to them, and people could reach out to me when I mentioned something relevant to them.

Reaching out
------------

At the time, I was researching key derivation functions, specifically ones I might be able to implement as a learning experience. I found Balloon Hash [L1] while reading NIST SP 800-63-3 [L2] section 5.1.1.2, "Memorized Secret Verifiers." But when I reviewed the code on GitHub [L3], there was visible, intentional endianness [L4] dependence, and the readme basically said the reference implementation was not for production use. With git blame, I found the author and asked directly. I didn't expect to get a response, but I did!

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> Why would NIST recommend balloon hash if there's no specification for it and the reference project says do not use in production? github.com/usnistgov/800-63-3/pull/575 [L5] @jimfenton [L6] The few implementations out there are not consistent.
>
> 5/5/2021 [L7]

> Jim Fenton 🇺🇸🇨🇦 @jimfenton@twitter.com
>
> @CendyneNaga [L8] That guideline is being revised for SP 800-63B-4, currently being worked on. More project details at www.nist.gov/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines [L9]
>
> 5/6/2021 [L10]

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> @jimfenton [L6] Thank you for the reference, I'll watch for updates!
>
> 5/6/2021 [L11]

> Jim Fenton 🇺🇸🇨🇦 @jimfenton@twitter.com
>
> @CendyneNaga [L8] You might also want to watch for notifications from github.com/usnistgov/800-63-4 [L12]
>
> 5/6/2021 [L13]

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> @jimfenton [L6] Perfect, again thank you for the resources.
>
> 5/6/2021 [L14] (archived [L15])

> [cendyne: guess-i-will-die]
>
> While I did bring it to his attention that this was weird, no changes have been made to remove this recommendation. Oh well.

Mentioning
----------

More recently, I attended a webinar intended for managers and the like. Of course, like any infomercial, it was just a disguised sales call, and I got a follow-up from one of their sales teams. Mid-presentation, I yelled out into the void (Twitter). It turns out someone was listening, probably for the keyword "Yubico."

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> I'm listening to the Yubico webcast and hold up, you're saying passkeys with user verification (e.g. biometrics) are not sufficient for corp security? I'd like to hear why.
>
> 11/17/2022 [L16]

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> They mention certificate support on their keys. I guess that is important if you don't want to keep track of all permitted public keys with certs + revocation.
>
> 11/17/2022 [L17]

> derekhanson @derekhanson@twitter.com
>
> @CendyneNaga [L8] 1/2 They MAY not be sufficient, the questions about whether they are right for enterprise employees will be driven by security and compliance requirements. The security reasons will be driven by the properties of shareable credentials.
>
> 11/17/2022 [L18]

> derekhanson @derekhanson@twitter.com
>
> @CendyneNaga [L8] 2/2 If the credentials can be synced, shared, or co-mingled between work/personal life, the user verification properties become less important than where the private keys are stored.
>
> 11/17/2022 [L19]

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> @derekhanson [L20] Thank you for following up Derek! It sounds like you're describing that identity attestation must be scoped to specific purposes under certain compliance requirements. Is that right? Is this something that FedRAMP (just as an example) might require?
>
> 11/17/2022 [L21]

> derekhanson @derekhanson@twitter.com
>
> @CendyneNaga [L8] That is correct. Building off your example, if you are building for FedRAMP High and you need AAL3 authentication for your employees. To meet AAL3, the credential must be stored on a FIPS certified authenticator. Only hardware bound passkeys can meet that requirement.
>
> 11/17/2022 [L22]

> Cendyne (@cendyne@meow.social) @CendyneNaga@twitter.com
>
> @derekhanson [L20] Makes sense now! Thank you for walking me through that. Have a great week Derek!
>
> 11/17/2022 [L23] (archived [L24])

This is distinctly different from Amazon (or any other big brand name) scraping Twitter for commercial support or upsell opportunities. I felt this was a more human-to-human interaction; it just so happened to be facilitated by a technological giant.

The future on the Fediverse
---------------------------

It may still be possible to directly reach out to some people. But the mentioning story is quite different. On Mastodon at least, the only means to search is with hashtags. But hashtags are not necessarily propagated between every server. Servers have to federate, and even then they are not obligated to notify each other of every post that occurs within their gates.

> Filippo Valsorda
>
> Hashtags in a federated setting are an interesting technical and UX challenge.
>
> In the push direction, I am not too worried: at least one account follows me
> from most large instances.
>
> In the pull direction though I lost ~all visibility moving to a personal
> instance.
>
> I don't want a firehose relay (of which anyway there's no reliable ones), but
> maybe there should be such a thing as a #hashtag relay where you get posts
> with hashtags followed by people on the local instance?
>
> Dec 11, 2022, 01:41 [L25] (archived [L26])

But this issue may be mitigated next year. As you can see in the thread linked under Filippo's post above, several people are working to improve this problem. I suspect that we will see more contributions to fediverse tech, be it Mastodon or other implementations, now that developers and technologists are using something they can tinker with.

Conclusion
----------

Twitter created a flat social network that anyone could use to reach anyone else, either by direct mentions or by searches. The fediverse requires participants to opt in to searchable content by using hashtags. However, federated searching is a weak point which makes the latter difficult to accomplish. The fediverse is receiving a new wave of attention, so we should see these rough edges being improved soon.

--------------------------------------------------------------------------------

[L1]: https://eprint.iacr.org/2016/027
[L2]: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
[L3]: https://github.com/henrycg/balloon
[L4]: https://en.wikipedia.org/wiki/Endianness
[L5]: https://github.com/usnistgov/800-63-3/pull/575
[L6]: https://twitter.com/jimfenton
[L7]: https://twitter.com/CendyneNaga/status/1390072199533453314
[L8]: https://twitter.com/CendyneNaga
[L9]: https://www.nist.gov/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines
[L10]: https://twitter.com/jimfenton/status/1390105050219892741
[L11]: https://twitter.com/CendyneNaga/status/1390105472930353152
[L12]: https://github.com/usnistgov/800-63-4
[L13]: https://twitter.com/jimfenton/status/1390105941626916866
[L14]: https://twitter.com/CendyneNaga/status/1390107094427316225
[L15]: https://archive.ph/cWk1b
[L16]: https://twitter.com/CendyneNaga/status/1593294813432086529
[L17]: https://twitter.com/CendyneNaga/status/1593296590302748673
[L18]: https://twitter.com/derekhanson/status/1593318659656540162
[L19]: https://twitter.com/derekhanson/status/1593318793647824896
[L20]: https://twitter.com/derekhanson
[L21]: https://twitter.com/CendyneNaga/status/1593323364298461185
[L22]: https://twitter.com/derekhanson/status/1593335402898739201
[L23]: https://twitter.com/CendyneNaga/status/1593337166486183937
[L24]: https://archive.ph/BYdhP
[L25]: https://abyssdomain.expert/@filippo/109492495635224153
[L26]: https://archive.vn/3R5EG
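As an appended example (added here, not from the original post), here is one way a relying party could act on Derek's point in the Mentioning thread that, for synced passkeys, where the private key lives matters more than user verification: parse the WebAuthn authenticatorData flags and apply an enterprise policy that rejects backup-eligible (syncable) credentials. The RP id `example.com`, the function names and the sample data are assumptions; proving FIPS/AAL3 hardware binding would additionally require attestation verification, which this example does not do.

```python
# Added example, not from the original post: a relying-party policy check on
# WebAuthn authenticatorData. Flag bit positions follow the WebAuthn spec:
# UP=bit0, UV=bit2, BE (backup eligible)=bit3, BS (backup state)=bit4.
import hashlib
from dataclasses import dataclass

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool   # credential may be synced to other devices
    backup_state: bool      # credential is currently backed up / synced
    sign_count: int


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, counter."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    flags = data[32]
    return AuthData(
        rp_id_hash=data[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backup_state=bool(flags & FLAG_BS),
        sign_count=int.from_bytes(data[33:37], "big"),
    )


def enterprise_policy(ad: AuthData, rp_id: str) -> tuple:
    """Require this RP, user verification, and a credential that cannot be synced.
    BE/BS are self-reported by the authenticator; FIPS/AAL3 hardware binding
    (the case in the thread) additionally needs attestation verification."""
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not (ad.user_present and ad.user_verified):
        return False, "user verification (UV) required"
    if ad.backup_eligible or ad.backup_state:
        return False, "syncable passkey rejected: private key is not device-bound"
    return True, "accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData (no attested credential data appended)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```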