Drop #134 (2022-11-10): 🔥 Down The 🐦 House
I̶t̶ ̶A̶i̶n̶'̶t̶It's Sure Easy Being Blue; Enter The Matrix; WebFinger
What. A. Week.
One of my biggest concerns for this past Tuesday (and the coming week as some contentious races are finally tabulated) was the possibility of mass voter intimidation and actual violence. Thankfully, most violent encounters only made it to the level of shouting matches, and it certainly seems Gen Z dgaf about where Meal Team Six set up shop with their open carry holsters (which all oddly seem to be right above where they carry their snack fanny packs).
As we return to the general abnormal, the internets are all abuzz with the Fediverse, so we'll take some time in this and future drops to cover various aspects of it (Mastodon — where many of us have [re-]migrated to — is far from the only piece in the Fediverse puzzle). We also cover how to stay safer on the bird site now that it's a ✵ free (well, $8) for all. Together, we have the real potential to dismantle the siloed, centralized ecosystem that's dominated the internet for over a decade.
I̶t̶ ̶A̶i̶n̶'̶t̶It's Sure Easy Being Blue
The slave labor in Musk's twitter engineering teams managed to roll out his blue check scheme; multiple times, in fact! It's, um, not going well for us twitter users:


Grifters and spammers are absolutely taking advantage of this desperate, daft move by a capricious billionaire, but it's not all doom and gloom (a screen cap of one exchange from now-suspended accounts is below).
Buried within the JSON XHR responses in a given twitter session is information about the twitter account associated with a post. Within the twisty, horribly nested maze of fields are two fields (oddly, {rtweet} isn't giving me these when I hit the user endpoint, even with parse = FALSE):
"is_blue_verified": true // `true` for the twidiots who pay $8
"verified": false // `true` for old school twidiots like me
It certainly would be 👍🏽 to at least know the difference, visually, without having to do multiple clicks (talk about a gift to the spammers).
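As an added example (not busybox11's userscript and not Twitter's code), here is the logic a script like that has to do: walk a nested API response, find every object carrying the two flags above, and say which kind of check mark each account has. The response shape below is constructed for the example, the real payload nests these objects under different keys, and the `screen_name` label is an assumption rather than a field the text names.

```javascript
// Added example (not busybox11's userscript and not Twitter's code): find
// the `is_blue_verified` / `verified` flags anywhere in a nested response
// and classify each account. The sample response is CONSTRUCTED, and
// `screen_name` is an ASSUMED label for the account object.

// Both flags could in principle be true at once, so report that as its
// own case instead of letting one flag mask the other.
function verificationKind(user) {
  const paid = user.is_blue_verified === true;   // $8 check mark
  const legacy = user.verified === true;         // old-school check mark
  if (paid && legacy) return 'legacy+paid';
  if (paid) return 'paid';
  if (legacy) return 'legacy';
  return 'none';
}

// Depth-first walk over any JSON value. Yields every object that carries
// at least one of the two flags, wherever it sits in the tree; `seen`
// guards against cycles if the object graph is not plain JSON.
function* findFlaggedObjects(node, seen = new Set()) {
  if (node === null || typeof node !== 'object' || seen.has(node)) return;
  seen.add(node);
  if (!Array.isArray(node) && ('is_blue_verified' in node || 'verified' in node)) {
    yield node;
  }
  for (const child of Array.isArray(node) ? node : Object.values(node)) {
    yield* findFlaggedObjects(child, seen);
  }
}

// screen_name -> kind, for every labelled account object in the response.
function classifyAccounts(response) {
  const result = {};
  for (const obj of findFlaggedObjects(response)) {
    if (typeof obj.screen_name !== 'string') continue;
    result[obj.screen_name] = verificationKind(obj);
  }
  return result;
}

// CONSTRUCTED sample: account objects buried at different depths.
const SAMPLE_RESPONSE = {
  data: {
    timeline: {
      entries: [
        { content: { tweet: { author: {
          screen_name: 'hrbrmstr', verified: true, is_blue_verified: false } } } },
        { content: { tweet: { author: { result: {
          screen_name: 'totally_real_ceo', verified: false, is_blue_verified: true } } } } },
        { content: { user: {
          screen_name: 'some_rando', verified: false, is_blue_verified: false } } },
      ],
    },
  },
};

console.log(classifyAccounts(SAMPLE_RESPONSE));
```

In a userscript you would run `classifyAccounts` over each parsed XHR/fetch response and use the resulting map to re-label the badge in the DOM; nothing about that step is shown here because it depends on Twitter's markup, which changes at whim.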
Thankfully, a clever 17-year-old coder in France has our collective backs. But, you'll need to do some work to take advantage of it. (Here's the part where I, again, tell you to install a browser extension, despite my regular counsel to not use browser extensions.)
Said work first involves finding a safe userscript extension. ViolentMonkey [GH] isn't a bad one for Chromium browsers (def hit me up to eval other choices you come across).
After you do that, head on over to this gist by the aforementioned busybox11 and copy the source to your clipboard. Then go to twitter, tap on the ViolentMonkey extension icon and paste it into there. Finally, refresh twitter.
Now, when you come across $8 twidiots, you'll be able to identify them (at least until Musk has another whim):
Honestly, though, it's a better and safer idea to just ditch the 🐦 for the 🐘.
Enter The Matrix
As noted, Mastodon is only one part of the Fediverse. Even though I know the tech and protocols involved, and have trust in the runners of some Mastodon instances, I'm not going to be dropping DMs into Mastodon any time soon.
Despite being in cybersecurity, I've also never been a fan of the Signal cult (and I really try to have no need for secrets of any kind anyway).
Thankfully, there's a very viable and secure DM alternative, dubbed Matrix [GH].
The wall of text below is pretty much straight from the site (I've made the presentation a bit more fluid, but you're free to just read this in bits over there), but does a decent job explaining what Matrix is and why you should use it. You can, ofc, just grab a Matrix account (or standup a server) and start playing with it. I'm @hrbrmstr:matrix.org if you want to say "Yo!" (I use the Element client).
Matrix gives you simple HTTP APIs and SDKs (iOS, Android, Web) to create chatrooms, direct chats and chat bots, complete with end-to-end encryption, file transfer, synchronised conversation history, formatted messages, read receipts and more.
Conversations are replicated over all the servers participating in them, meaning there is no single point of control or failure. You can reach any other user in the global Matrix ecosystem of over 40M users, even including those on other networks via bridges.
Matrix provides state-of-the-art end-to-end-encryption via the Olm and Megolm cryptographic ratchets. This ensures that only the intended recipients can ever decrypt your messages, while warning if any unexpected devices are added to the conversation.
Matrix’s encryption is based on the Double Ratchet Algorithm popularized by Signal, but extended to support encryption to rooms containing thousands of devices. Olm and Megolm are specified as an open standard and implementations are released under the Apache license, independently audited by NCC Group.
With the advent of WebRTC, developers gained the ability to exchange high-quality voice and video calls – but no standard way to actually route the calls.
Matrix is the missing signalling layer for WebRTC. If you are building VoIP into your app, or want to expose your existing VoIP app to a wider audience, building on Matrix’s SDKs and bridges should be a no-brainer.
Matrix owes its name to its ability to bridge existing platforms into a global open matrix of communication. Bridges are core to Matrix and designed to be as easy to write as possible, with Matrix providing the highest common denominator language to link the networks together.
The core Matrix team maintains bridges to Slack, IRC, XMPP and Gitter, and meanwhile the wider Matrix community provides bridges for Telegram, Discord, WhatsApp, Facebook, Hangouts, Signal and many more.
Matrix is really a decentralised conversation store rather than a messaging protocol. When you send a message in Matrix, it is replicated over all the servers whose users are participating in a given conversation - similarly to how commits are replicated between Git repositories. There is no single point of control or failure in a Matrix conversation which spans multiple servers: the act of communication with someone elsewhere in Matrix shares ownership of the conversation equally with them. Even if your server goes offline, the conversation can continue uninterrupted elsewhere until it returns.
This means that every server has total self-sovereignty over its users data - and anyone can choose or run their own server and participate in the wider Matrix network. This is how Matrix democratises control over communication.
👆🏽 is quite a bit to take in, but you really only need to grab the client and start using it to migrate your DMs away from Twitter and into a safer, federated place.
WebFinger
So, just how does your Mastodon figure out what to do when you look up @someone@example.com in the search box? Well, it uses the WebFinger (RFC 7033) protocol!
WebFinger is used to discover information about people or other entities on the Internet that are identified by a URI using standard Hypertext Transfer Protocol (HTTP) methods over a secure transport. A WebFinger resource returns a JavaScript Object Notation (JSON) object describing the entity that is queried. The JSON object is referred to as the JSON Resource Descriptor (JRD).
For a person, the type of information that might be discoverable via WebFinger includes a personal profile address, identity service, telephone number, or preferred avatar. For other entities on the Internet, a WebFinger resource might return JRDs containing link relations that enable a client to discover, for example, that a printer can print in color on A4 paper, the physical location of a server, or other static information.
When you look for me on Mastodon (we'll use my hrbrmstr@mastodon.social account for this example), the following WebFinger request is created:
https://mastodon.social/.well-known/webfinger?resource=acct%3Ahrbrmstr%40mastodon.social
(We'll go over /.well-known at some point in the future, but you can read up on it now if you'd like.)
This is the response:
{
"subject": "acct:hrbrmstr@mastodon.social",
"aliases": [
"https://mastodon.social/@hrbrmstr",
"https://mastodon.social/users/hrbrmstr"
],
"links": [
{
"rel": "http://webfinger.net/rel/profile-page",
"type": "text/html",
"href": "https://mastodon.social/@hrbrmstr"
},
{
"rel": "self",
"type": "application/activity+json",
"href": "https://mastodon.social/users/hrbrmstr"
},
{
"rel": "http://ostatus.org/schema/1.0/subscribe",
"template": "https://mastodon.social/authorize_interaction?uri={uri}"
}
]
}
The aliases array can hold all the aliases one might have, but Mastodon instances tend to return just that instance's own alias links. I set up my https://rud.is/b blog to be a subscribe-able entity in the Fediverse (look for/sub to @hrbrmstr@rud.is in your Mastodon client for RSS-like blog updates). When Mastodon makes the WebFinger request, I've also had it return aliases to other Fediverse locations for me:
https://rud.is/.well-known/webfinger?resource=acct%3Ahrbrmstr%40rud.is
{
"subject": "hrbrmstr@rud.is",
"aliases": [
"https://rud.is/b/author/hrbrmstr/",
"https://mastodon.social/@hrbrmstr",
"https://mastodon.social/users/hrbrmstr",
"https://infosec.exchange/@hrbrmstr",
"https://infosec.exchange/users/hrbrmstr"
],
"links": [
{
"rel": "self",
"type": "application/activity+json",
"href": "https://rud.is/b/author/hrbrmstr/"
},
{
"rel": "http://webfinger.net/rel/profile-page",
"type": "text/html",
"href": "https://rud.is/b/author/hrbrmstr/"
}
]
}
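The lookup described above, as an added example that is not part of this drop and not Mastodon's own code: build the RFC 7033 request URL from a user@host handle, then read the JRD the way a Fediverse client does, picking the ActivityPub actor (rel "self") and the profile page, and refusing a JRD whose subject is not the account that was asked for. The two JRDs embedded are the responses shown above; the `lookup` helper that actually hits the network is included but not run.

```javascript
// Added example (not from the Daily Drop, not Mastodon's own code): how a
// Fediverse client turns "@user@host" into an RFC 7033 WebFinger request
// and reads the JSON Resource Descriptor (JRD) that comes back.

// Build the request URL. The resource is the acct: URI, percent-encoded,
// and the request goes to the host part of the handle over HTTPS.
function webfingerUrl(handle) {
  const m = /^@?([^@\s/]+)@([^@\s/]+)$/.exec(handle.trim());
  if (!m) throw new Error(`not a user@host handle: ${handle}`);
  const [, user, host] = m;
  const resource = encodeURIComponent(`acct:${user}@${host}`);
  return `https://${host}/.well-known/webfinger?resource=${resource}`;
}

// Normalise "acct:a@b" / "a@b" / "@a@b" so they compare equal.
function acctKey(s) {
  return s.replace(/^acct:/i, '').replace(/^@/, '').toLowerCase();
}

// Pull out what a Mastodon-style client needs: the ActivityPub actor URL
// (rel "self", type application/activity+json) and the HTML profile page.
// Refuse a JRD whose subject is not the account that was asked for, so a
// server cannot answer a lookup for one handle with somebody else's actor.
function parseJrd(jrd, handle) {
  if (typeof jrd.subject !== 'string' || acctKey(jrd.subject) !== acctKey(handle)) {
    throw new Error(`JRD subject ${jrd.subject} does not match ${handle}`);
  }
  const links = Array.isArray(jrd.links) ? jrd.links : [];
  const self = links.find(l => l.rel === 'self' && l.type === 'application/activity+json');
  const profile = links.find(l => l.rel === 'http://webfinger.net/rel/profile-page');
  return {
    subject: jrd.subject,
    // RFC 7033 describes the subject as a URI; flag a bare "user@host".
    subjectHasScheme: /^acct:/i.test(jrd.subject),
    actor: self ? self.href : null,
    profile: profile ? profile.href : null,
    aliases: Array.isArray(jrd.aliases) ? jrd.aliases : [],
  };
}

// Live lookup, not executed here (needs the network). RFC 7033 section 5
// requires the server to send "Access-Control-Allow-Origin: *", which is
// what lets a browser-side client do this fetch cross-origin.
async function lookup(handle) {
  const res = await fetch(webfingerUrl(handle), {
    headers: { Accept: 'application/jrd+json, application/json' },
  });
  if (!res.ok) throw new Error(`WebFinger ${res.status} for ${handle}`);
  return parseJrd(await res.json(), handle);
}

// The mastodon.social response shown above, copied from the page.
const MASTODON_SOCIAL_JRD = {
  subject: 'acct:hrbrmstr@mastodon.social',
  aliases: ['https://mastodon.social/@hrbrmstr', 'https://mastodon.social/users/hrbrmstr'],
  links: [
    { rel: 'http://webfinger.net/rel/profile-page', type: 'text/html',
      href: 'https://mastodon.social/@hrbrmstr' },
    { rel: 'self', type: 'application/activity+json',
      href: 'https://mastodon.social/users/hrbrmstr' },
    { rel: 'http://ostatus.org/schema/1.0/subscribe',
      template: 'https://mastodon.social/authorize_interaction?uri={uri}' },
  ],
};

// The rud.is response shown above, trimmed to subject and links; note that
// its subject carries no "acct:" scheme.
const RUD_IS_JRD = {
  subject: 'hrbrmstr@rud.is',
  links: [
    { rel: 'self', type: 'application/activity+json', href: 'https://rud.is/b/author/hrbrmstr/' },
    { rel: 'http://webfinger.net/rel/profile-page', type: 'text/html', href: 'https://rud.is/b/author/hrbrmstr/' },
  ],
};

console.log(webfingerUrl('@hrbrmstr@mastodon.social'));
console.log(parseJrd(MASTODON_SOCIAL_JRD, '@hrbrmstr@mastodon.social'));
console.log(parseJrd(RUD_IS_JRD, 'hrbrmstr@rud.is'));
```

The subject check is the part worth keeping even if you throw the rest away: a client that trusts whatever `self` link comes back, without confirming the JRD is about the handle it asked for, lets any server it queries hand it an arbitrary actor. The parser normalises both subject spellings but reports which one it saw, since the RFC describes the subject as a URI.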
We'll dig into links in future editions as this one is getting pretty long.
If you want to collect/poke at WebFinger entities, you can use any of the clients at webfinger.net, or use this nascent R package I made. I also threw together a bare-bones Rust CLI for it as well.
FIN
If you're still a bit disoriented as you enter the Fediverse, that's totally fine! It's a big, complex system, and you've got a ton going on IRL. There's no rush to figure it all out right now. Drop me any q's you have along the way as you explore your new, federated, surroundings. ☮