Mastodon! Twitter is burning!! Ahhhhh!!! The drama, right?! So what is this Mastodon thingy and what’s going on w/ Twitter? I’m delighted to tell you that I won’t really be writing much about either of those things as there are plenty of others who have done so. Never fear though, what I will do is provide you an awesome, aggregated list of guides, resources, analyses and other cool stuff that has come out on the topics of Mastodon, Twitter and the greater “Fediverse”. Now you’re thinking, “A bunch of lists you say? That sounds kinda boring…”. You’re probably right, so in addition to that I’m going to first drop my own take on Mastodon! Woooo!

* Shoutout to @mttaggart@fosstodon.org who told me not to do this. Here it is anyways!

* Oh, and if you’re on Mastodon, and so inclined, please give those I have referenced in this piece a follow, boost, like, w/e! They are awesome parts of this growing community.


My Take On Mastodon So Far

There is a lot about Mastodon (and the Fediverse) that I have yet to learn, but what I do know is that it has (pretty much) already surpassed what Twitter was to me in both personal and professional contexts. I had a Twitter account for years, and try as I might, I never felt quite comfortable being anything more than a passive consumer - a lurker of those in the #infosectwitter community who had big followings. Though there was of course a decent amount of discussion/engagement within the infosec Twitter world, it often seemed to me very clique-ey, reserved only to those with big followerships or with well-known personas and established circles. I also always had the sense that trying to cultivate a following on Twitter was, sorta cringey. People there seemed more interested in boosting their follower counts or their follower-to-following ratio than expanding their true community. This feeling was ever-perpetuated by the constant deluge of tweets sounding off about how many followers they had, or how close they were to a certain follower threshold, etc…

Look, I get it - I have a blog, a podcast, I understand why people crave followers. It’s the engagement I am after though, not so much just having my tweets/toots/posts/stuff show up in a lot of people’s timelines. I genuinely enjoy sharing my thoughts/ideas, and even moreso hearing/learning from others. Naturally, a good way to create this engagement is to network, follow a lot of people and of course, have others “follow” me. I never had a big following on Twitter (~190ish as of the last time I looked), and I never got much engagement there (partially because I rarely posted). I’ve been on Mastodon for nearly 2 weeks and already I’ve seen much better engagement (and I am not alone). Maybe it’s the novelty factor, or maybe it’s because it hasn’t had time to turn into a toxic stew, it could be because I am more actively engaging. I’m not really sure yet, but what I do know is the vibe is different. That sense of community is definitely there and I am looking to make the most of it.

Alright, so I have a few other thoughts/takes on my Mastodon experience so far, and as I am wont to do, I will share via a list!

  • As others have pointed out, two reasons why Twitter always felt a bit icky were the forced ads in your timeline and the bedeviling algorithm, which fed not what YOU wanted into your timeline, but what Twitter thought would yield maximum engagement, which typically meant trying to fill you with rage. Mastodon is a breath of fresh air in comparison.
  • I joined the infosec.exchange instance, which is relatively quite large (~24k and growing) and have followed nearly 400 people so far. What I’ve seen across my home feed and the local timeline has been really great! No ads, literally just what I’ve signed up for. I’ve been consuming/scrolling most of it so far and have encountered a lot of new people and genuinely look forward to (most) of what they have to share.
  • Mastodon is a series of unique, networked instances. When folks from other instances are boosted into my timeline, there is a sense of excitement, of exploration. For example, if I see someone with the handle @hax@supercyber.pizza, I think “wow! I’m happy to have discovered this individual in the wide Fediverse, and look forward to what they post/boost into my timeline”. That hunger to follow, to connect moreso than “get followers” is really great. I have this desire to collect as many cool instances and awesome people as I can into my following list.
  • If you want people to follow you, or engage with you, I highly recommend spending some time to tell people what you’re all about in your account profile. Also, toss a picture of some kind in there. Anything will do.
  • Each instance will likely have its own culture, traditions and of course rules. Spend some time trying to figure out what those are, and leverage the content warning (CW) feature to try and be a little less offensive. It’s not hard to do!
  • Being on an instance which has a population that best shares your personal/professional interests will give you a local timeline that will help you find people to follow and consume your posts. This is true. But! With a little effort, you can, regardless of what instance you are on, curate a following of people across instances, building a home timeline that is perfect for you, void of ads or algorithmic influences. This feed/timeline will continue to grow and mature thanks to the boosts and discussions of those you follow and engage with. So spend less time trying to find the perfect instance, and more time building that list.

If there is any drawback to Mastodon so far that I have seen, it is the lack of full-text search (for privacy reasons). This makes some of the intel-gathering I used to do on Twitter a bit more difficult (I’m not the only one with this sentiment). One frequent use-case was to search for info on CVEs (e.g. PoCs, research, etc…). To address this concern, the infosec community on Mastodon has been putting their heads together on how best to use hashtags to make intel-gathering possible on Mastodon. 1, 2, 3


Mastodon

Intro to Mastodon

To avoid writing a regurgitated “how to get started w/ Mastodon” section, I’m going to first just link to the Wired article on this - How to Get Started on Mastodon. Again, I want to emphasize - try not to stress too much on what “instance” you choose. This should only really affect your “local” timeline, not your ability to follow those anywhere, on any instance (unless you wish to follow the dregs of the Fediverse that tend to get de-federated from the upstanding servers). Alternatively, for those that are adventurous, have some free time and are relatively tech savvy, hosting your own instance on a vanity domain is another option! If you don’t end up liking an instance you’ve landed on, check out how to migrate from one server to another. OK, that out of the way, here’s a list of other Mastodon stuff…

Quick (I promise) rundown of Mastodon verbiage/mechanics…

  • Posts were “Toots”, now they’re just “posts”. Ask your instance admin to tootify the server if you miss tootin’ (via @benjaminhollon@fosstodon.org)
  • A re-post (or re-tweet) is a “Boost”. There is no quote-boost, so don’t ask. Boosting helps propagate stuff you like to all your followers and to your local timeline. This helps get stuff out to other instances. Boosts are good.
  • A “Star” simply communicates to the OP, “I like that”. It has no effect on anything else. So star star star away!
  • Lists exist.
  • Unlike Twitter, Mastodon has no full-text search. It instead relies on hashtags. So use those liberally where applicable. You can also follow hashtags. (per @tinker@infosec.exchange)
  • The consensus seems to be that the first-party Mastodon client is bad. Try some of these other apps instead…
  • One cool thing you can do via Mastodon is retrieve a .rss feed of an account’s posts per @SteveD3@infosec.exchange

Now get out there and toot to your heart’s content!

Verification

Mastodon has a verification capability, though it differs from what Twitter traditionally offered. Essentially, you can establish a “verified” relationship between your Mastodon account and other third-party endpoints, such as a website. What this can prove is that, for example, the identity/person behind the @shellsharks@infosec.exchange Mastodon account is the same person who runs shellsharks.com. Some other verification related resources are provided below.
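A sketch of the check behind this kind of link verification, added here as an example and not taken from Mastodon's code or from the original post. It assumes verification works by the linked website carrying a `rel="me"` link back to the profile URL; the helper names and the HTML snippets are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RelMeCollector(HTMLParser):
    """Collect href values of <a> and <link> elements whose rel contains "me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list, e.g. rel="noopener me"
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.hrefs.append(attr["href"])


def normalize(url):
    """Compare on scheme, host and path only; ignore case and a trailing slash.
    Treating the path as case-insensitive is an assumption of this example."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.hostname or "", parts.path.rstrip("/").lower())


def links_back(page_html, profile_url):
    """True if the page contains a rel="me" link pointing at profile_url."""
    want = normalize(profile_url)
    if want[0] != "https":  # only accept profiles served over HTTPS
        return False
    collector = RelMeCollector()
    collector.feed(page_html)
    return any(normalize(h) == want for h in collector.hrefs)


# Constructed sample data: profile URL derived from the handle used above.
PROFILE = "https://infosec.exchange/@shellsharks"
HEAD_LINK = '<html><head><link rel="me" href="https://infosec.exchange/@shellsharks"></head></html>'
ANCHOR = '<a rel="noopener me" href="https://Infosec.Exchange/@shellsharks/">Mastodon</a>'
NO_REL = '<a href="https://infosec.exchange/@shellsharks">Mastodon</a>'
OTHER_ACCOUNT = '<a rel="me" href="https://infosec.exchange/@someoneelse">Mastodon</a>'

if __name__ == "__main__":
    for name, page in [("head link", HEAD_LINK), ("anchor", ANCHOR),
                       ("no rel", NO_REL), ("other account", OTHER_ACCOUNT)]:
        print(f"{name}: {links_back(page, PROFILE)}")
```

A plain link without `rel="me"`, or a `rel="me"` link to a different account, does not count: the proof is that whoever controls the website chose to point at that exact profile.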

Security & Privacy

Is Mastodon secure? Is my data private? Is it more secure than Twitter? (these days, almost assuredly). How can I best lock down my Mastodon account(s)? All great questions. I’ll share a list of articles that best answer these questions but first, some basic security/privacy hygiene advice. Use a strong/unique password, enable 2FA, understand that your instance admin has access to your data.


Infosec Community

I have used Twitter for years, as there was a relatively vibrant #infosec community that shared research, articles, etc… With the meltdown of Twitter, it seems the infosec-Twitter diaspora has gone full-force and we (as a community) now primarily exist across a variety of Mastodon instances. The community that has developed, and the speed at which it has developed, has been truly astounding to behold. For my part, I joined infosec.exchange.

If you’re looking to find others in the infosec world on Mastodon…

infosec.exchange

infosec.exchange is described as “a Mastodon instance for info/cyber security-minded people.” No better way to describe it! It was stood up and is admin’ed by Jerry Bell (host of the Defensive Security Podcast and seemingly trustworthy infosec fella.) So far, the experience as a member of this server has been great. The community is very infosec-ey, friendly and growing quickly. Some other cool tidbits on infosec.exchange have been provided below…

  • There is an infosec.exchange wiki!
  • Currently, infosec.exchange supports 11k word posts. ELEVEN THOUSAND! Plenty of elbow room
  • Running a Mastodon instance, and doing it as well as Jerry has, takes time, expertise, patience and money. To help out, consider contributing via liberapay
  • Anecdotally (and from multiple accounts I have seen from infosec.exchange members so far), engagement on posts/polls/replies has been outstanding - easily outpacing what others saw on Twitter, even with much more massive follower counts
  • infosec.exchange very quickly ramped from ~300 to over 20k (24k at the time of this post) in a matter of weeks. So donate and consider configuring post auto-delete (per @spapjh@infosec.exchange)
  • For those interested in Jerry’s stance on GDPR, check this wiki article (from @jerry@infosec.exchange)

Infosec Instances

A running list of infosec-related/adjacent Mastodon instances.


Hosting a Mastodon Instance

There are plenty of great, open instances to join if you are interested in Mastodon. But if you’re interested in hosting your own server, that too is possible! In fact, I plan on trying this out at some point. For anyone interested, and for my own reference when the time comes, here are some resources/discussions I have collected…


Twitter Migration

I’m not particularly interested in analyzing or writing much about what’s going on w/ Twitter. What I will say is that I’ve pretty much left (my account still exists but I am no longer looking at my feed and haven’t signed in since I joined Mastodon), and generally speaking, the infosec community seems to have almost fully disowned the platform. From what I have read and seen, it does seem to have turned into a dumpster fire. I know not what the future holds for Twitter, but for many reasons I am happy with where I have landed and look forward to making Mastodon my long-term home, regardless of Twitter’s ultimate fate. That said, if you are interested in moving yourself or reading more about the #twittermigration, check out the resources below.


Expanded Fediverse

I joined Mastodon in 2018, but never really made much of it at the time. I rejoined in earnest in November (2022) so I am obviously not a Mastodon pro nor particularly experienced/knowledgeable about the wider “Fediverse”. So I won’t pretend to be. Instead, here is some stuff that you may be interested in, and that I will continue to dig into as I have time…