Mastodon! Twitter is burning!! Ahhhhh!!! The drama, right?! So what is this Mastodon thingy and what’s going on w/ Twitter? I’m delighted to tell you that I won’t really be writing much about either of those things as there are plenty of others who have done so. Never fear though, what I will do is provide you an awesome, aggregated list of guides, resources, analyses and other cool stuff that has come out on the topics of Mastodon, Twitter and the greater “Fediverse”. Now you’re thinking, “A bunch of lists you say? That sounds kinda boring…”. You’re probably right, so in addition to that I’m going to first drop my own take on Mastodon! Woooo!
* Oh, and if you’re on Mastodon, and so inclined, please give those I have referenced in this piece a follow, boost, like, w/e! They are awesome parts of this growing community.
Jump to Section
- My Take on Mastodon
- Mastodon Intro
- Verification on Mastodon
- Security & Privacy
- Infosec Community
- Hosting a Mastodon Instance
- Twitter Migration
- Expanded Fediverse
My Take On Mastodon So Far
There is a lot about Mastodon (and the Fediverse) that I have yet to learn, but what I do know is that it has (pretty much) already surpassed what Twitter was to me in both personal and professional contexts. I had a Twitter account for years, and try as I might, I never felt quite comfortable being anything more than a passive consumer - a lurker of those in the #infosectwitter community who had big followings. Though there was of course a decent amount of discussion/engagement within the infosec Twitter world, it often seemed to me very clique-ey, reserved only to those with big followerships or with well-known personas and established circles. I also always had the sense that trying to cultivate a following on Twitter was, sorta cringey. People there seemed more interested in boosting their follower counts or their follower-to-following ratio than expanding their true community. This feeling was ever-perpetuated by the constant deluge of tweets sounding off about how many followers they had, or how close they were to a certain follower threshold, etc…
Look, I get it - I have a blog, a podcast, I understand why people crave followers. It’s the engagement I am after though, not so much just having my tweets/toots/posts/stuff show up in a lot of people’s timelines. I genuinely enjoy sharing my thoughts/ideas, and even more so hearing/learning from others. Naturally, a good way to create this engagement is to network, follow a lot of people and of course, have others “follow” me. I never had a big following on Twitter (~190ish as of the last time I looked), and I never got much engagement there (partially because I rarely posted). I’ve been on Mastodon for nearly 2 weeks and already I’ve seen much better engagement (and I am not alone). Maybe it’s the novelty factor, or maybe it’s because it hasn’t had time to turn into a toxic stew, it could be because I am more actively engaging. I’m not really sure yet, but what I do know is the vibe is different. That sense of community is definitely there and I am looking to make the most of it.
Alright, so I have a few other thoughts/takes on my Mastodon experience so far, and as I am wont to do, I will share via a list!
- As others have pointed out, two reasons why Twitter always felt a bit icky were the forced ads in your timeline and the bedeviling algorithm, which fed into your timeline not what YOU wanted but what Twitter thought would yield maximum engagement, which typically meant trying to fill you with rage. Mastodon is a breath of fresh air in comparison.
- I joined the infosec.exchange instance, which is relatively quite large (~24k and growing) and have followed nearly 400 people so far. What I’ve seen across my home feed and the local timeline has been really great! No ads, literally just what I’ve signed up for. I’ve been consuming/scrolling most of it so far and have encountered a lot of new people and genuinely look forward to (most) of what they have to share.
- Mastodon is a series of unique, networked instances. When folks from other instances are boosted into my timeline, there is a sense of excitement, of exploration. For example, if I see someone with the handle @firstname.lastname@example.org, I think “wow! I’m happy to have discovered this individual in the wide Fediverse, and look forward to what they post/boost into my timeline”. That hunger to follow, to connect more so than “get followers” is really great. I have this desire to collect as many cool instances and awesome people as I can into my following list.
- If you want people to follow you, or engage with you, I highly recommend spending some time to tell people what you’re all about in your account profile. Also, toss a picture of some kind in there. Anything will do.
- Each instance will likely have its own culture, traditions and of course rules. Spend some time trying to figure out what those are, and leverage the content warning (CW) feature to try and be a little less offensive. It’s not hard to do!
- Being on an instance which has a population that best shares your personal/professional interests will give you a local timeline that will help you find people to follow and consume your posts. This is true. But! With a little effort, you can, regardless of what instance you are on, curate a following of people across instances, building a home timeline that is perfect for you, devoid of ads or algorithmic influences. This feed/timeline will continue to grow and mature thanks to the boosts and discussions of those you follow and engage with. So spend less time trying to find the perfect instance, and more time building that list.
If there is any drawback to Mastodon so far that I have seen, it is the lack of full-text search (for privacy reasons). This makes some of the intel-gathering I used to do on Twitter a bit more difficult (I’m not the only one with this sentiment). One frequent use-case was to search for info on CVEs (e.g. PoCs, research, etc…). To address this concern, the infosec community on Mastodon has been putting their heads together on how best to use hashtags to make intel-gathering possible on Mastodon. 1, 2, 3
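As an added illustration (not code from the original post) of the hashtag-based workaround for missing full-text search: the public tag timeline endpoint, GET /api/v1/timelines/tag/:hashtag, returns a list of Status objects whose `content` field is HTML. The script below takes such a list, flattens the HTML and builds an index from CVE ID to the posts that mention it. The sample statuses are constructed inline in the shape of that API response; the account names, instance names and CVE IDs (year 2099) are placeholders, not real accounts or vulnerabilities.

```python
import re
from html.parser import HTMLParser

# Matches the CVE identifier format: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


class _TextExtractor(HTMLParser):
    """Flatten the HTML of a status 'content' field to plain text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def status_text(content_html):
    """Return the visible text of a status body, with whitespace normalized.

    HTMLParser decodes character references (&amp; etc.) before handle_data is called.
    """
    parser = _TextExtractor()
    parser.feed(content_html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


def cve_index(statuses):
    """Map each CVE ID mentioned in the statuses to the URLs of the posts mentioning it.

    `statuses` is a list of Status objects as returned by
    GET /api/v1/timelines/tag/:hashtag; only the 'content' and 'url' fields are used.
    IDs are normalized to upper case so 'cve-...' and 'CVE-...' collapse together.
    """
    index = {}
    for status in statuses:
        text = status_text(status.get("content", ""))
        for cve in sorted({m.upper() for m in CVE_RE.findall(text)}):
            index.setdefault(cve, []).append(status["url"])
    return index


# Constructed sample in the shape of the tag timeline API response. The CVE IDs are
# placeholders (year 2099) and the accounts/instances are hypothetical.
SAMPLE_STATUSES = [
    {
        "url": "https://infosec.exchange/@alice/1",
        "content": (
            '<p>PoC for <span>cve-2099-0001</span> is up. '
            '<a href="https://infosec.exchange/tags/cve" class="mention hashtag">'
            "#<span>cve</span></a></p>"
        ),
    },
    {
        "url": "https://example.org/@bob/2",
        "content": "<p>Patch CVE-2099-0001 &amp; CVE-2099-1234 today.</p>",
    },
    {
        "url": "https://infosec.exchange/@carol/3",
        "content": "<p>No vuln here, just a cat picture.</p>",
    },
]

if __name__ == "__main__":
    for cve, urls in cve_index(SAMPLE_STATUSES).items():
        print(cve, urls)
```

In practice you would replace SAMPLE_STATUSES with the JSON fetched from your instance’s tag timeline (paging with the `max_id` parameter), and the same index works over a `.rss` feed of a hashtag once the entries are reduced to the same two fields. Note that the tag timeline only sees posts that have federated to your instance, so the coverage is a function of who your instance follows, not of the whole Fediverse.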
Intro to Mastodon
To avoid writing a regurgitated “how to get started w/ Mastodon” section, I’m going to first just link to the Wired article on this - How to Get Started on Mastodon. Again, I want to emphasize - try not to stress too much about what “instance” you choose. This should only really affect your “local” timeline, not your ability to follow those anywhere, on any instance (unless you wish to follow the dregs of the Fediverse that tend to get de-federated from the upstanding servers). Alternatively, for those that are adventurous, have some free time and are relatively tech savvy, hosting your own instance on a vanity domain is another option! If you don’t end up liking an instance you’ve landed on, check out how to migrate from one server to another. OK, that out of the way, here’s a list of other Mastodon stuff…
- Find an instance via instances.social
- How To Use Mastodon and the Fediverse via Fedi.Tips
- Some general Mastodon etiquette from @email@example.com
- A Twitter User’s Guide to Mastodon from Marcus Hutchins
- Tips for Mastodon newcomers from @Em0nM4stodon@infosec.exchange
- Useful Mastodon guides courtesy of @firstname.lastname@example.org
- A Twitter Off Ramp
- Getting started with Mastodon per @email@example.com
- Some more Mastodon tips from @firstname.lastname@example.org
- What Everyone Seems to Get Wrong About Mastodon per @email@example.com
- Mastodon migration, moving to a new server per @Patricia@vivaldi.net
Quick (I promise) rundown of Mastodon verbiage/mechanics…
- Posts were “Toots”, now they’re just “posts”. Ask your instance admin to tootify the server if you miss tootin’ (via @firstname.lastname@example.org)
- A re-post (or re-tweet) is a “Boost”. There is no quote-boost, so don’t ask. Boosting helps propagate stuff you like to all your followers and to your local timeline. This helps get stuff out to other instances. Boosts are good.
- A “Star” simply communicates to the OP, “I like that”. It has no effect on anything else. So star star star away!
- Lists exist.
- Unlike Twitter, Mastodon has no full-text search. It instead relies on hashtags. So use those liberally where applicable. You can also follow hashtags. (per @email@example.com)
- The consensus seems to be that the first-party Mastodon client is bad. Try some of these other apps instead…
- One cool thing you can do via Mastodon is retrieve an RSS feed of any public account’s posts by appending .rss to the profile URL (e.g. https://instance.example/@user.rss), per @SteveD3@infosec.exchange
Now get out there and toot to your hearts content!
Verification on Mastodon
Mastodon has a verification capability, though it differs from what Twitter traditionally offered. Rather than a badge issued by a central authority, it is a cross-link check: you add a link to a site you control in your profile metadata, and if that page links back to your profile with a rel="me" attribute, your instance marks the link as verified. What this proves is that, for example, the person behind the @firstname.lastname@example.org Mastodon account also controls shellsharks.com. Some other verification-related resources are provided below.
- Thoughts on Mastodon verification from @email@example.com
- How to verify your GitHub via a thread on infosec.exchange
- KeyOxide - A privacy-friendly tool to create and verify decentralized online identities. For help using KeyOxide on Mastodon, check out this thread per @firstname.lastname@example.org or this from @IntlLawGnome@law.builders
- If Keybase is your jam, check out this article on Keybase verification or this infosec.exchange wiki article on Keybase verification
- For WordPress users, check out Mastodon, WordPress, and Verification per @TindrasGrove@infosec.exchange
- For a Twitter-similar, centralized “verification” offering, check out Fedified (via @email@example.com)
- Using rel="me" on a Wix-hosted site
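To make the rel="me" mechanism concrete, here is an added example (not from the original post or the Mastodon project) of the check an instance performs when it fetches the page you listed in your profile metadata: it looks for an `<a>` or `<link>` element whose `rel` contains `me` and whose `href` is your profile URL. The sample pages are constructed inline and the profile URL is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RelMeParser(HTMLParser):
    """Collect the href of every <a> or <link> element whose rel attribute contains 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attrs = dict(attrs)
        # rel is a space-separated token list, e.g. rel="me nofollow".
        rel_tokens = (attrs.get("rel") or "").lower().split()
        href = attrs.get("href")
        if "me" in rel_tokens and href:
            self.links.append(href.strip())


def rel_me_links(html):
    """Return all rel="me" targets found in the page, in document order."""
    parser = _RelMeParser()
    parser.feed(html)
    parser.close()
    return parser.links


def _normalize(url):
    # Compare scheme, host and path only: host case, a trailing slash and any
    # query string or fragment are ignored so trivial variations still match.
    parts = urlparse(url)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/")


def verifies(html, profile_url):
    """True if the page links back to profile_url with rel="me"."""
    target = _normalize(profile_url)
    return any(_normalize(link) == target for link in rel_me_links(html))


# Constructed sample pages; the profile URL and site are hypothetical.
PROFILE = "https://infosec.exchange/@example"

PAGE_OK = """<html><head>
<link rel="me" href="https://infosec.exchange/@example">
</head><body><a href="https://example.org/about">about</a></body></html>"""

PAGE_ANCHOR_OK = """<html><body>
<a rel="me nofollow" href="https://infosec.exchange/@example/">Mastodon</a>
</body></html>"""

PAGE_MISSING_REL = """<html><body>
<a href="https://infosec.exchange/@example">Mastodon</a>
</body></html>"""

PAGE_WRONG_ACCOUNT = """<html><body>
<a rel="me" href="https://infosec.exchange/@someoneelse">Mastodon</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("link element", PAGE_OK), ("anchor element", PAGE_ANCHOR_OK),
                       ("no rel", PAGE_MISSING_REL), ("wrong account", PAGE_WRONG_ACCOUNT)]:
        print(f"{name}: {verifies(page, PROFILE)}")
```

Two practical caveats: the fetch is done by your instance’s server, so a link injected by client-side JavaScript will not be seen, and the page must be reachable over plain HTTPS without a login. Anyone who can edit that page can make the link appear, which is exactly why the check only proves control of the site, not who you are.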
Security & Privacy
Is Mastodon secure? Is my data private? Is it more secure than Twitter? (these days, almost assuredly). How can I best lock down my Mastodon account(s)? All great questions. I’ll share a list of articles that best answer these questions but first, some basic security/privacy hygiene advice: use a strong, unique password; enable 2FA (TOTP or a security key); and understand that your instance admin has access to your data, including direct messages, which are not end-to-end encrypted.
- Is Mastodon Private and Secure? via EFF.org
- Graham Cluley’s take on security and privacy on Mastodon
- Can Mastodon Survive Europe’s Digital Services Act? per @firstname.lastname@example.org
- GDPR and Mastodon, analysis by @email@example.com
- (GDPR-related) Record of Processing Activities per @RGrunblatt@sciences.re
- The venerable PortSwigger has already gone to work bug hunting Mastodon (The Daily Swig). Point being, vulns do exist. Stay frosty
- For those interested in TOTP MFA on desktop (per @firstname.lastname@example.org)
- Private messaging is not recommended on Mastodon. For this, other options are available, as discussed by @email@example.com
- More Mastodon Scraping without Consent per @firstname.lastname@example.org
- For those interested in security testing a live Mastodon instance, check out cybervillains.com
- How to use a security key as two-factor authentication on your Mastodon account
Infosec Community
I have used Twitter for years, as there was a relatively vibrant #infosec community that shared research, articles, etc… With the meltdown of Twitter, it seems the infosec-Twitter diaspora has gone full-force and we (as a community) now primarily exist across a variety of Mastodon instances. The community that has developed, and the speed at which it has developed, has been truly astounding to behold. For my part, I joined infosec.exchange.
If you’re looking to find others in the infosec world on Mastodon…
- Gsheet with a mapping of Twitter–>Mastodon accounts
- Infosec Mastodon Lists! from tisiphone.net
- Or join an open infosec instance and just start following people! Pro tip: you can (for open instances) view the local timeline for any instance, whether you are a member or not
infosec.exchange is described as “a Mastodon instance for info/cyber security-minded people.” No better way to describe it! It was stood up and is admin’ed by Jerry Bell (host of the Defensive Security Podcast and seemingly trustworthy infosec fella.) So far, the experience as a member of this server has been great. The community is very infosec-ey, friendly and growing quickly. Some other cool tidbits on infosec.exchange have been provided below…
- There is an infosec.exchange wiki!
- Currently, infosec.exchange supports 11k word posts. ELEVEN THOUSAND! Plenty of elbow room
- Running a Mastodon instance, and doing it as well as Jerry has takes time, expertise, patience and money. To help out, consider contributing via liberapay
- Anecdotally (and from multiple accounts I have seen from infosec.exchange members so far), engagement on posts/polls/replies has been outstanding - easily outpacing what others saw on Twitter, even with much more massive follower counts
- infosec.exchange very quickly ramped from ~300 to over 20k (24k at the time of this post) in a matter of weeks. So donate and consider configuring post auto-delete (per @email@example.com)
- For those interested in Jerry’s stance on GDPR, check this wiki article (from @firstname.lastname@example.org)
A running list of infosec-related/adjacent Mastodon instances.
Hosting a Mastodon Instance
There are plenty of great, open instances to join if you are interested in Mastodon. But if you’re interested in hosting your own server, that too is possible! In fact, I plan on trying this out at some point. For anyone interested, and for reference myself when the time comes, here are some resources/discussions I have collected…
- Thread on running personal instance from @email@example.com
- Spinning up Mastodon on DigitalOcean (from @Tinker)
- Thoughts on Mastodon media storage from @firstname.lastname@example.org
- Thread on Mastodon hosting (from Reddit).
- Notes on nginx confs per @email@example.com
- Some tools for running small instances courtesy of @firstname.lastname@example.org
- Scaling Mastodon in the Face of an Exodus
- On Running a Mastodon Instance from @email@example.com
- Running a Mastodon Instance using docker-compose per @firstname.lastname@example.org
- Enabling the translation service per @email@example.com
- Build Your Own Mastodon Server on Debian from @firstname.lastname@example.org
- Notes on setting up a Mastodon instance from @Adman@infosec.exchange
- mastodon-on-aws per @email@example.com
- Mitigate potential liability by registering with copyright office and designating an agent to receive DMCA reports - per @firstname.lastname@example.org
- A guide to potential liability pitfalls for people running a Mastodon instance
- Hachyderm Infrastructure
- Mastodon with Docker and Traefik
- Single-node deployment of Mastodon on Linux w/ Flatcar per @email@example.com
Twitter Migration
I’m not particularly interested in analyzing or writing much about what’s going on w/ Twitter. What I will say is that I’ve pretty much left (my account still exists but I am no longer looking at my feed and haven’t signed in since I joined Mastodon), and generally speaking, the infosec community seems to have almost fully disowned the platform. From what I have read and seen, it does seem to have turned into a dumpster fire. I know not what the future holds for Twitter, but for many reasons I am happy with where I have landed and look forward to making Mastodon my long-term home, regardless of Twitter’s ultimate fate. That said, if you are interested in moving yourself or reading more about the #twittermigration, check out the resources below.
- Home Invasion, thoughts on the mass-move to Mastodon.
- Twitter migration resources from @firstname.lastname@example.org
- Deleting DMs from Twitter using the GDPR per @email@example.com
- Twitter alternative: how Mastodon is designed to be “antiviral” per @firstname.lastname@example.org
- Search for Mastodon accounts of the people you followed on Twitter via Debirdify
- Extract fediverse handles of your Twitter followings via Fedifinder
- Bulk-delete your tweets using tweetdelete per @email@example.com
- Recover your Twitter threads using Get-TwitterThread per @Lee_Holmes@infosec.exchange
- It’s time. Delete your Twitter DMs (Graham Cluley)
Expanded Fediverse
I joined Mastodon in 2018, but never really made much of it at the time. I rejoined in earnest in November (2022) so I am obviously not a Mastodon pro nor particularly experienced/knowledgeable about the wider “Fediverse”. So I won’t pretend to be. Instead, here is some stuff that you may be interested in, and that I will continue to dig into as I have time…
- Hints and tips about Mastodon and the Fediverse via Fedi.Tips
- BookWyrm is the Fediverse alternative to GoodReads
- Some analysis on the existential threat to the Fediverse/Mastodon
- Twitter’s demise is ActivityPub’s future per @firstname.lastname@example.org
- After self-hosting my email for twenty-three years I have thrown in the towel. The oligopoly has won.
- Tailscale on the Fediverse
- Is the fediverse about to get Fryed?… via @email@example.com
- The Man Behind Mastodon Built It for This Moment
- Solid Project from @Dcuthbert@noc.social
- Mapstodon via @firstname.lastname@example.org
- Find verified journalists on Mastodon PressCheck.org
- The Fediverse Could be Awesome (if we don’t screw it up)
- Academics on Mastodon
- The Fediverse As Composable Distributed Applications per @email@example.com
- Journalists on Mastodon per @firstname.lastname@example.org
- The many branches of the Fediverse