
Twitter Got Hacked, Is Mastodon Immune? - yogthos
https://mikestone.me/twitter-got-hacked-is-mastodon-immune
======
zamalek
I'd argue that Mastodon is less immune, at least if their vision of true
distributed comes to fruition.

In Twitter's case, it came down to some pretty poor opsec and could have been
avoided. Ultimately you're going to have at most N points of failure. With
security keys, the number of points of failure in Twitter could have been
reduced to one (and that one user could be proactively educated).

In Mastodon, every user is potentially in control of their instance. Every
user is a potential point of failure. Users routinely fall victim to social
engineering each day, possibly someone is this very second.

~~~
yogthos
You're making an argument for why Mastodon is more immune here and not less.
Since there are many different servers administered in different ways by many
different users, you have to infiltrate each server on a case-by-case basis.
This is orders of magnitude more effort than compromising a single
administrator and getting access to the entire network.

~~~
solidasparagus
I think the point is that good security takes effort and that is something
that economies of scale help with. When each instance is run by a single
administrator, it is much harder for anyone to have high-quality security.

~~~
yogthos
Counterpoint is that a distributed system doesn't have a central point of
failure, so the effort to subvert the entire network is significantly more
involved. So, as with everything, it's trade-offs, but a distributed system
will be more robust overall.

------
varbhat
Even though federation is a big thing, saturation of users in a single
instance and poor moderation are problems.

So, if the number of users in a single instance is very large (the main
Mastodon instance is the example) and the moderation is not likeable, there
will be problems.

Also, federation like this is new to people.

Will it work out? Currently, not likely.

Also, it can't be claimed to be immune. Bugs might be present.

~~~
yogthos
Currently, Mastodon is a federation with millions of users on it, and it's
been working for many years now. So, it's very clear that it's already worked
out.

~~~
mumblemumble
I think that the point being made was that there's nothing in Mastodon to
counteract the natural tendency of people to concentrate in a relatively small
number of individual online spaces.

A quick eyeball of the English-language instances listed on instances.social,
sorted by # of users, would suggest that this is true. There are a couple very
large general-purpose instances, but after that it's largely much smaller
topical communities.

My hypothesis would be that, if one tracked these numbers over time, it would
turn out that the larger ones aren't just bigger, they also grow at a faster
rate. So, if Mastodon were to grow to the scale of one of the major social
networks, we'd also find that the users were mostly all clumped into a single
instance that's roughly the size (and level of nastiness) of one of the major
social networks.

At which point, from a social impact perspective, the fact that Mastodon is,
from a technical standpoint, open and federated, would be beside the point.

~~~
yogthos
Clearly there are already multiple large instances in existence, so the
situation is already fundamentally better than Twitter where there is only a
single instance.

Furthermore, I think that small instances are just as important as the big
ones. If a small group of people has a shared interest and they want to run an
instance in a specific way that's possible to do with Mastodon.

There are tons of small Mastodon communities for all kinds of niche interests
right now, and their users can make up their own rules for how they interact,
what they allow, and so on. This is an incredibly important aspect of the
federated model. There isn't one set of rules that applies to everybody the
way there is with a centralized platform.

~~~
Vinnl
Yeah, I guess it's like email. Sure, it's not great that in practice there's
only a small number of providers and that it's _really_ hard/scary to run your
own, but it's still lightyears better than it being a single company's
proprietary messaging system.

~~~
yogthos
Worth noting that running a Mastodon instance is vastly easier than setting up
your own mail server. Digital Ocean even has it provisioned nowadays, so if
you wanted to set one up for yourself and friends for example, it's mostly
point and click.

~~~
Vinnl
It currently is, but I can imagine that changing if it were to be as
widespread as email, and anti-spam measures are going to take the instance
toots are coming from into account.

~~~
yogthos
On the other hand, there might not be a similar incentive to create spam in
the first place. I guess we'll see how that develops going forward.

------
richardwhiuk
Mastodon is immune because it doesn't have any influential users.

~~~
pal_9000
Security by obscurity :D

~~~
Nasrudith
More like deterrence by "poverty" - if you don't have anything remotely
valuable to them to exploit you don't need any security.

------
lapcatsoftware
This is a mostly trivial article with a terrible clickbaity title. "Hacked"?
"Immune"? No, and no.

Could a Mastodon server be compromised? Of course. Would it affect all of
Mastodon? Of course not, because it's distributed. Duh.

~~~
im3w1l-alt
If Mastodon had a security hole they could all be owned at the same time.
Fediverse servers on different software would be unaffected unless the hole is
in a library used by both.

~~~
lapcatsoftware
The Twitter account takeover was an inside job.

To be fair, the article is just part of a challenge to write 100 blog posts in
100 days. Nothing wrong with writing whatever you want, although the title of
the post is still terrible. The question is, why did anyone think this article
was worth submitting to HN?

~~~
im3w1l-alt
Yes, I'm aware. An inside job against Mastodon would be harder. A few people
may be able to deliberately insert malicious code but that goes for any open
source project.

------
AndrewStephens
My website didn't get hacked either. Of course it only gets a few dozen hits a
day from a sophisticated audience so it is not really a target.

Mastodon at the moment is basically a cozy little community. If a bunch of
celebrities joined you can be sure they would all be on a professionally
managed server - a tempting single-point of attack in the same way that the
Twitter admin console was.

~~~
yogthos
Mastodon has millions of users now, and it's a part of a bigger fediverse
community. Let's not belittle open source alternatives to commercial social
media. The point that the article makes is that while obviously nothing can be
immune, the same kind of hack would not be possible because Mastodon is
decentralized. If you trick a single Twitter employee into giving you
credentials, then you can get access to the entire Twitter network as recently
happened. However, with Mastodon you'd have to convince the maintainer of each
individual instance to give you access, which is a much trickier proposition.
The distributed nature of the network removes single points of failure.

~~~
dolmen
But what could happen is that your instance gets destroyed.

I can trust Twitter to have backups. I know almost nothing about the
community-served Mastodon instance on which I created an account, and I'm
kinda locked there.

~~~
yogthos
It depends on the instance. Larger instances do have backups, and they have
operational funding. There is also a history of these instances operating for
years without issues. Mastodon also makes it very easy to extract your data.
Finally, you can always run your own instance if you wanted to and have full
control over it.

------
css
> Obviously Mastodon has its own internal tools, but those tools on
> mastodon.social have absolutely no effect on Fosstodon, and vice versa.

Mastodon has "post as user" in its internal tools? Why?

~~~
0-O-0
AFAIK Twitter's internal tools allowed to reset emails and circumvent 2FA, not
post as users.

~~~
css
Do Mastodon's internal tools allow administrators to circumvent 2FA?

~~~
throwanem
Not directly. You can do it with access to the instance's Postgres database,
but I'd expect relatively few instance admins (as opposed to instance
_owners_) to have that; the admin tools don't include a database console, and
you can't use a credential for the admin tools to authenticate to the database.
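
The boundary described above, as an added example that is not Mastodon's code
and does not reflect its real schema or admin panel: a toy account store in
which the admin-tool role carries a fixed capability set (here only
`reset_email`, an assumption of the model), the second factor is checked at
login with a standard RFC 6238 TOTP, and only a raw write to the underlying
row can clear the TOTP secret. The user, password, secret and timestamp are
constructed for the walkthrough.

```python
"""Added example: admin-tool capabilities vs. direct database access.

Not Mastodon's code. Models the point that a web admin role can change a
user's e-mail but cannot switch off 2FA, whereas whoever can write to the
database row can. Password hashing is a plain SHA-256 stand-in; a real
system would use bcrypt/argon2.
"""
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1 for a base32 secret at unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PermissionDenied(Exception):
    pass


class AuthFailed(Exception):
    pass


class AccountStore:
    """The 'database': one dict per user. Direct access = owner-level access."""

    def __init__(self):
        self.rows = {}

    def insert(self, username, password, email, totp_secret):
        self.rows[username] = {
            "password_hash": hashlib.sha256(password.encode()).hexdigest(),
            "email": email,
            "totp_secret": totp_secret,  # None means 2FA is disabled
        }


class AdminTools:
    """Web admin panel. The capability set is an assumption of this model."""

    CAPABILITIES = {"reset_email"}

    def __init__(self, store):
        self.store = store

    def _check(self, capability):
        if capability not in self.CAPABILITIES:
            raise PermissionDenied(capability)

    def reset_email(self, username, new_email):
        self._check("reset_email")
        self.store.rows[username]["email"] = new_email

    def disable_2fa(self, username):
        self._check("disable_2fa")  # never granted here, so this always raises
        self.store.rows[username]["totp_secret"] = None


def login(store, username, password, code, now=None):
    """Password check, then TOTP check if a secret is set. True on success."""
    row = store.rows[username]
    if hashlib.sha256(password.encode()).hexdigest() != row["password_hash"]:
        raise AuthFailed("bad password")
    if row["totp_secret"] is not None:
        now = int(time.time()) if now is None else now
        expected = totp(row["totp_secret"], now)
        if code is None or not hmac.compare_digest(code, expected):
            raise AuthFailed("bad or missing second factor")
    return True


def walkthrough(now=1_595_000_000):
    """Constructed scenario; returns the outcome of each step for inspection."""
    store = AccountStore()
    secret = "JBSWY3DPEHPK3PXP"  # constructed test secret
    store.insert("alice", "hunter2", "alice@example.org", secret)
    admin = AdminTools(store)
    out = {}

    admin.reset_email("alice", "attacker@example.net")  # within admin capability
    out["login_with_code_after_email_reset"] = login(
        store, "alice", "hunter2", totp(secret, now), now)
    try:
        login(store, "alice", "hunter2", None, now)
        out["login_without_code_after_email_reset"] = True
    except AuthFailed:
        out["login_without_code_after_email_reset"] = False

    try:
        admin.disable_2fa("alice")
        out["admin_tool_can_disable_2fa"] = True
    except PermissionDenied:
        out["admin_tool_can_disable_2fa"] = False

    # Raw row write: the database-access path, outside the admin tools.
    store.rows["alice"]["totp_secret"] = None
    out["login_without_code_after_db_write"] = login(
        store, "alice", "hunter2", None, now)
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The point of keeping `CAPABILITIES` a closed set is that an admin-tool
credential, however obtained, cannot be escalated into a 2FA bypass; the
database write is a separate credential and a separate audit surface.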

------
stormdennis
Just for interest's sake I looked at joining a Mastodon instance. There was an
application form to fill out which expected comprehensive answers to four
questions about myself, my motivation for joining and my interests. I found it
surprising but maybe it works for them.

~~~
paulgb
The thing about federation is that every instance can have their own criteria
for joining. I haven't seen one that requires an application like that, but it
doesn't surprise me. But surely if you just want to spin the wheels there are
instances that are easier to join.

~~~
stormdennis
Yes, thank you. I might do that, that one was the most interesting-sounding
one see the time.

------
tracker1
I would think it would depend on specific instances, the age of the server in
use and any bugs that may exist, or the motivations and access to
administrative tools.

It could be easier and harder to target celebrity accounts, but would again
depend on the specific hosts.

------
tehabe
The attacker gained access to the admin interface, I'm pretty sure this is
also possible with Mastodon. Just you have to gain access to the right server.
If someone attacks server A and the actual target is on server B, they are out
of luck.

~~~
yogthos
The difference is that you can't compromise the whole federation by
compromising a single server the way you can with Twitter.

~~~
tehabe
That was kinda my point. Mastodon sadly has other issues which lead me to
stick with Twitter.

~~~
yogthos
I use both, and I find that I generally prefer Mastodon nowadays. I find it's
strictly better, and a lot snappier as well. Meanwhile, the community is now
large enough that there's no lack of interesting content.

------
matt_s
Security through obscurity is not a valid security plan. Regarding things
like hacking into prominent accounts or DDoS/DoS attacks, obscurity means it
isn't worth the effort, as the author points out.

~~~
yogthos
The article isn't talking about security through obscurity at all. What it
says is that Mastodon doesn't have a single point of failure like Twitter
because it's a distributed network. With Twitter you can hack the entire
network by compromising a single employee into giving you their credentials.
With Mastodon you'd have to exploit each individual instance independently.
This is orders of magnitude more effort.

~~~
AdrianB1
This is what suggests that: "For the time being, Mastodon remains a small
enough presence in the social media sphere that this kind of attack hasn't
been worth the time."

~~~
matt_s
Yes, this is what I was referencing from the author.

Git is decentralized version control. I would bet a site like GitHub protects
itself from mass attacks because of its popularity. It has nothing to do with
decentralized software.

If a specific Mastodon node becomes super popular then it should have a plan
to protect itself from these types of attacks.

------
Angostura
It's "immune" to the extent that it is impossible to have a coherent identity
across instances.

~~~
yogthos
This is akin to saying you can't have a coherent identity across instances for
email. It's a nonsensical statement because the whole point of having a
federation is that you have identity on one instance and you can interact with
people from other instances.

------
latexr
> Unless you've been hiding under a rock the last week or so

What’s the purpose of starting a blog post like that? The phrase is a cliché,
and not a polite one. Whatever follows that introduction is either something
the reader already knows and has fresh in memory (thus useless to mention) or
you’re calling them oblivious.

A sentence that’s irrelevant or mocking the reader seems like a poor way to
start an essay.

Most of us would do well to “hide under a rock” for a while. News and the way
they are presented to us are stressful and largely irrelevant. Chances are you
could live the rest of your life without knowing Twitter was hacked.

~~~
quietbritishjim
I suppose that if you start with an obvious fact without any disclaimer of
that then it gives the impression that everything else will be obvious too,
and so the article isn't worth reading. They could perhaps have phrased it a
bit differently e.g. "you're no doubt aware that ...". Personally, I wasn't
offended.

It reminds me of something a little different but on a similar theme: the
advice to never say "clearly, ..." in lectures, because it serves no purpose
except to intimidate people that don't already know what follows. Actually, it
does serve a purpose: so that people who _do_ find it trivially obvious aren't
thrown off wondering if there's something deeper there than they had realised.

~~~
SilasX
This. Those phrases are useful for distinguishing between “I’m giving new
information” vs “I’m starting from what I expect to be common knowledge”.

And yes, it’s possible to abuse such phrases but that doesn’t mean they don’t
have their place.

~~~
latexr
The comment wasn't on _those types of phrases_, but on _that phrase in
particular_. There are better (more positive, don't lose significance) ways to
convey that information:
[https://news.ycombinator.com/item?id=23897649](https://news.ycombinator.com/item?id=23897649)

~~~
rimliu
Honestly, your comments so far were the most negative thing I saw in all this.

------
caymanjim
Except Twitter didn't get hacked.

~~~
pavel_lishin
Semantics, no? Someone gained unauthorized access.

~~~
caymanjim
In most cases, I do consider gaining authorized access via social engineering
to be a hack. I guess this probably qualifies, but just barely. If it turns
out it was just a rogue engineer then it doesn't qualify at all. It's not
clear that external "hackers" gained ongoing access. If someone leveraged an
insecure remote worker's PC to gain access, that counts as hacking too. I'll
wait and see if we find out what the root cause was.

~~~
manquer
The hack is exploiting weak internal security controls that Twitter has. Reset
of email for so many high-profile users requiring only one person to click a
button is weak design. No review, no approval, etc.

Also, the amount of time it took them to identify it (they had blocked
tweeting the address and blocked all verified users from posting before they
could find the rogue account) indicates that logging and analysis of their
admin tool actions is also not robust.

Exploiting these two vulnerabilities, whether by blackmail, bribe or RAT,
should not make a difference in considering it a hack.
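
The two controls the comment above says were missing (a second person on
sensitive actions, and audit logging that is actually analysed), as an added
example that is not Twitter's or Mastodon's tooling: an admin console that
queues any action in a `SENSITIVE` set until a different operator approves it,
appends every step to an audit log, and a sliding-window detection rule over
that log that flags one operator touching many distinct accounts in a short
time. The operator names, account names, action set, window and threshold are
all constructed for the walkthrough.

```python
"""Added example: four-eyes approval plus audit-log detection for admin tools.

Not any real platform's code. Sensitive actions are held until approved by a
second operator; self-approval is refused and logged as denied. A detector
over the audit log flags an operator who requests sensitive actions against
`threshold` distinct targets inside `window` seconds.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SENSITIVE = {"reset_email", "disable_2fa"}  # assumed action set


@dataclass
class AuditEvent:
    ts: int
    actor: str
    action: str
    target: str
    status: str  # "requested" | "approved" | "executed" | "denied"


class AdminConsole:
    """Every action is logged; sensitive ones need a second operator."""

    def __init__(self):
        self.audit = []    # list of AuditEvent, append-only
        self.pending = {}  # request id -> (requester, action, target)
        self._seq = 0

    def request(self, actor, action, target, ts):
        self._seq += 1
        rid = self._seq
        self.audit.append(AuditEvent(ts, actor, action, target, "requested"))
        if action in SENSITIVE:
            self.pending[rid] = (actor, action, target)
            return rid, "pending"
        self.audit.append(AuditEvent(ts, actor, action, target, "executed"))
        return rid, "executed"

    def approve(self, approver, rid, ts):
        requester, action, target = self.pending[rid]
        if approver == requester:  # four-eyes rule: no self-approval
            self.audit.append(AuditEvent(ts, approver, action, target, "denied"))
            raise PermissionError("self-approval not allowed")
        del self.pending[rid]
        self.audit.append(AuditEvent(ts, approver, action, target, "approved"))
        self.audit.append(AuditEvent(ts, requester, action, target, "executed"))
        return "executed"


def flag_bulk_sensitive(audit, window=600, threshold=5):
    """Return {actor: max distinct targets seen in one window} for actors who
    requested sensitive actions on >= threshold distinct targets within
    `window` seconds. Keyed on 'requested' so blocked attempts still count."""
    by_actor = defaultdict(list)
    for ev in audit:
        if ev.status == "requested" and ev.action in SENSITIVE:
            by_actor[ev.actor].append((ev.ts, ev.target))
    flagged = {}
    for actor, events in by_actor.items():
        events.sort()
        win = deque()
        for ts, target in events:
            win.append((ts, target))
            while win and win[0][0] < ts - window:  # drop events outside window
                win.popleft()
            distinct = len({t for _, t in win})
            if distinct >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), distinct)
    return flagged


def walkthrough():
    """Constructed scenario: ops1 fires six e-mail resets in two minutes;
    ops2 approves only the first; ops1 then tries to approve its own."""
    console = AdminConsole()
    t0 = 1_595_000_000
    targets = ["acct_a", "acct_b", "acct_c", "acct_d", "acct_e", "acct_f"]
    rids = [console.request("ops1", "reset_email", tgt, t0 + 20 * i)[0]
            for i, tgt in enumerate(targets)]
    console.approve("ops2", rids[0], t0 + 30)
    try:
        console.approve("ops1", rids[1], t0 + 40)
        self_approved = True
    except PermissionError:
        self_approved = False
    return {
        "executed": sum(1 for e in console.audit if e.status == "executed"),
        "still_pending": len(console.pending),
        "self_approved": self_approved,
        "flagged": flag_bulk_sensitive(console.audit),
    }


if __name__ == "__main__":
    print(walkthrough())
```

The detector counts requests rather than executions on purpose: with the
approval gate in place, the attacker's attempts are visible in the log even
when they never take effect, which is the signal the comment says Twitter
lacked.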

