Rob Hafner :verified_bi:

In exciting news I appear to be part of one of the first data breaches of the fediverse era!

I got this email 20 minutes ago letting me know my data migration from mastodon.social was dumped in a breach.

I'm going to be honest, I've got some opinions on the fact that a public bucket is used to store archives, with just obfuscation to stop people from downloading them.

@tedivm
i can't tell if i should be grateful they're honest that they were relying on security by obscurity (or as i like to call it, the rhythm method for the internet), or upset that they were relying on that, or mad at myself for not pitching in more as a community member to ensure the server and security were robust.

@cyberlyra I'm personally falling more towards the latter - I kind of wish I had volunteered to review their security config for them. I've read and debugged more IAM policies than is reasonable.

Outside of that I fall to the first one - I'm super happy they at least said something. The transparency is important. I do worry about the number of people who are deploying their own instances too, as I imagine there's all sorts of things going on there.

@tedivm This touches on a key issue I’ve grappled with over a decade of opting out of big tech systems. So much of our current security paradigm relies on big company tools instead of singular deployments and individual instances. Home sysops work across patchwork tools unevenly updated and with minimal securitization optimized for home systems. We desperately need robust tools for individual users, small scale servers, else we all risk data losses of this kind.

@judell @cyberlyra you could ask your company if they're willing to throw some resources at a nonprofit (although a non profit in Germany).

@judell @cyberlyra @tedivm Very happy user of Steampipe here. I use it to query the labyrinthine infrastructure at work at the speed of thought. Keep up the amazing work!

My only grievance with it is that not enough people use it, so I’m the human steampipe of my team. And two adjacent teams.

@judell Thank you for providing today’s rabbit hole. Was gonna waste a few hours on social media, but think I will play around with this and see what I can do.

@Archnemysis It can do a million useful things, I'm happy to answer any questions about #Steampipe.

@tedivm
@cyberlyra

German law states that companies have to inform the authorities about every data breach or risk huge fines. And depending on what exactly happened, what kind of data got lost, they have to inform the affected people, too.

So while I'm also happy about the transparency, the laws might have played a role in that.

@Michael @tedivm So what happens legally if it’s not a company? Just a person, or a cooperative, or a volunteer service?

@cyberlyra @tedivm The DSGVO (or GDPR in English, I think) covers everyone who handles personal data with only a few exceptions like "a natural person in the course of a purely personal or household activity;".

So in most cases, it makes no difference and has to be reported at least to the authorities.

@tedivm I'm always baffled when people use random filenames when they make file accessible to trusted users.

S3 already has an API to support signed downloads, and all the application needs to do is to sign a URL which the client can use to access the resource.

I've implemented it from scratch (there was no client library for Common Lisp at the time) and it was trivial. If you have a library, it's literally one function call. There is no excuse for this.

@tedivm isn’t all the stuff you upload to a masto server public anyway?

@Steveb "followers only" posts and media are not public.

@tedivm good point. But would you really put anywhere on social media anything you cared about remaining private?

@Steveb @tedivm ...yes?

otherwise why offer follower-only and mention-only posting, or private bookmarks, in the first place?

@tedivm It’s disappointing to see a breach like this, due to a fairly fundamental flaw in the way in which data has been handled. At least in my case, there’s very little in there that you couldn’t get from my public profile, but it still shouldn’t have been possible.

I appreciate the open and honest way in which this has been disclosed, though. Hopefully this will lead to a re-evaluation of the measures used to protect Mastodon data at all levels, and whether they are adequate.

@tedivm As someone who has his own instance, I've been a bit worried for quite some time. The way I've set up my bucket, it seemed too easy to be secure.

@tedivm agree about the obfuscation method. But their transparency is really important here. There’s integrity in that, especially as part of an open-source community.

@markwyner this notification was required by law since they fall under GDPR

@tedivm
Gotta love all the people whose non-public data *didn't* get breached saying "what's the big deal?" 🙄

@tedivm May I ask how you got this notification? Email? Direct message?