(C) Daily Kos
This story was originally published by Daily Kos and is unaltered.



Surviving the Mastodon stampede [1]


Date: 2022-11-18

Join the stampede - but learn what you're getting into first

OK, what’s going on here? Why are Twitter users flocking to this Mastodon place?

I’ll start with the basics, in as sober and non-dramatic a fashion as possible. The basic reason is that from the moment Elon Musk declared his intention to purchase Twitter until today, Twitter as a business became increasingly unstable. Starting with his objectively boneheaded initial offer, through his unsuccessful attempts to wriggle out of the deal, and finally his ascension as the head of the social media behemoth, it had become increasingly clear that something had to give.

Run-up to a meltdown

I won’t cover all of the events that led up to Thursday, November 17, 2022. But yesterday, word began to leak out that Musk’s lame ultimatum — really just a particularly heavy-handed and clumsy execution of an operation that will feel all too familiar to long-time technology professionals — had backfired badly. Rather than work under a brutal regime of 70-80 hour work weeks, or more, since they would be assuming the roles that used to be performed by the huge number of staff that had just been summarily laid off, many of the employees that had been given the choice of uncertainty for themselves and their families — or taking Musk’s offer — chose uncertainty: uncertainty about whether they’d still have health insurance, uncertainty about whether they’d make the next mortgage payment, uncertainty about whether new employment would be readily available in a market saturated with experienced technology workers.

And Twitter, and Musk, and Twitter’s enormous customer base were left with infrastructure that was pretty certain to crash and burn without the operations personnel that had just left the building (those who weren’t inadvertently locked in).

Which is where Mastodon comes in. Twitter users, which include many here on Daily Kos, as evidenced by the large number of embedded tweets in stories and comments, as well as those now voicing concern about the viability of the platform that they had relied on for years to support their businesses or organizations, wanted to know if there was a Twitter-like service out there that they could migrate to without too much trouble, and pick up where they’d left off with Twitter.

The following is basically content I’ve pulled from stories and comments over the past 24 hours. In the first section, I’ve tried to put together some links that provide good information about the Mastodon service without burying the reader in jargon. There’s also information about creating an account on Mastodon. It’s important to understand the differences between Twitter and Mastodon, and also to understand that Mastodon, while an established open-source social media infrastructure, is nowhere near the scale of Twitter, and there will be limits on how fast it can grow to support the demand.

Still, we can be assured of some growing pains, and I am paying close attention to how security events and bugs are addressed by the Mastodon maintainers and community. This is a time of particular stress on the system, and its resilience under these conditions would be a positive sign to me.

The second section discusses issues related to how Mastodon’s content can be integrated into Daily Kos, hopefully as seamlessly as the Twitter content has been. I also discuss possible issues related to content that, until yesterday, would have been flagged and made unavailable to the public by Twitter’s human moderators and automated algorithms, thus providing reasonable assurance that such externally-hosted content would never show up on DK, whether inadvertently or by malicious action.

What is different about Mastodon and how can I get signed up?

Because of the spike in interest (and because I’ve had to read up on it recently), I’ve put together a few Mastodon-related links:

I chose these because they’re not only helpful in setting up, but also help explain how it differs from Twitter. And then, as I’m doing a couple of searches looking for some good info, I find this:

Our first security event

Well, I better include this one, since it’s dated today: Leaky server exposing Mastodon account info.

If you set up a Mastodon account, I advise you log in, click on the ‘Profile’ link and lock down your prefs (‘hide social graph’, ‘require follow reqs’ minimum). I’ll update as I find out more about this.

And then reviewed it a bit more and followed up with:

P.S. Don’t freak out. Or if you are, go ahead and delete your account. I figured it was inevitable that security gaps would be found in a ‘trial by fire’ where a platform gains 700,000 users in a week. My advice: if you’ve already created a Mastodon account, address the security issue first by enabling the recommended options (and really, it’s social media: your data is already pretty exposed :) ). And then learn about it and what to expect, and what not to expect. That’s what I’m doing.

My final thought on this:

Quick follow up — this doesn’t look too bad to me. The steps I advised are still good, I think. But getting the following parts of your profile scraped sucks, but isn’t the end of the world. I’m going to be paying close attention to how the Mastodon tech community responds to and patches this. That is important. Again, other viewpoints are good. I could easily be overlooking something.

Fields scraper accesses (est. 150k users per author of article; I’ll wait on more official data):

Account name
Display names
Profile pictures
Following Count
Follower Count
Last Status Update

Account name is probably the most sensitive. Most people probably just duplicate their display name (ok, I can’t back that up). :)

Embedding content from Mastodon in Daily Kos stories or comments

I have to make some assumptions simply because I have no visibility into the Daily Kos infrastructure nor its codebase, but I will try to point that out when necessary. At the most basic level, we are embedding a unit of content from Mastodon (a ‘toot’ as opposed to a ‘tweet’, but for our purposes here we can consider them the same), and the process from your (the user’s) standpoint should be similar. You copy a piece of HTML code from the Mastodon server you’re logged into and you paste it into a comment or story.

And with all other pieces in place, that should be it.

But as of this moment, the other pieces are not in place because it requires some coding and testing by the DK Operations team. And they responded to a note I sent to the Help Desk earlier, so I know they are aware of the request from the user base. I don’t want to speak on their behalf; what I’m doing is some initial review of the Mastodon system, which is as new to me as it is to you (sort of; I may get to that later, but it’s unimportant to this discussion).

Please understand, though, that allow-listing Mastodon may not be as straightforward as it was with Twitter due to its architecture. I know it’s likely going to be requested by many users, especially if Twitter continues to deteriorate, but better to get it right than rush it. IMHO.

When I first received the email notifying me that my Mastodon account was active on the server tilde.zone (for no other reason than I’d more or less randomly chosen it) I logged in and found the share option from a random Mastodon toot, which the inline documentation states is all that’s needed to embed in your site (i.e. a comment):

1 non-allowlisted iframe(s) have been removed from your story:https://bitcoinhackers.org/@mastodonusercount/109367054157698612/embed

That is to say, the DK site software just stripped out the Mastodon embed I tried to include, so that would require DK-side allow-listing for it to work. That means that the DK Ops folks need to get a list of all of the active Mastodon servers (as of now, > 50 and growing) and incorporate them into their site code.

But it isn’t that simple. Since the Mastodon server list is constantly in flux, growing as new ones come online and others close up shop for whatever reason, the DK-side config has to remain in sync with it. That is in contrast to what’s needed to allow-list Twitter, which may be as easy as adding a line that reads ‘*.twitter.com’. Again, I don’t know for sure, but I’ve managed other systems where it was basically set up that way.

So OK, that doesn’t sound too hard, right? Let’s get those Mastodon servers allowed and let ’er rip, right? Maybe. But in my experience, things that appear relatively straightforward can be anything but.

Next, let’s consider this bit of conversation from an earlier thread:

I have friends on Mastodon who claim that it’s a safe haven for Nazis and Klansmen.

---

I’ve heard that too, but it's a large multiverse. You want Nazis & Klansmen you’ll have to search them out yourself. It’s up to you, since each forum is “offered by a large number of independently run nodes, known as instances, each with its own code of conduct, [like DKos’ Rules of the Road] terms of service, privacy options, and moderation policies.”

I want to talk a little bit about what you can think of as reverse-allow-listing. Why? Twitter, as a U.S. company with its Board of Directors, tried to adhere to policies that would disallow certain content: the hateful stuff we’re all too familiar with, etc: the content that would be removed by either moderation filters or active moderation by employees.

Mastodon has a base content policy which states that the same standards are to be adhered to on its servers (basically). But it’s an open-source, decentralized system, and inevitably some unsavory content is going to crop up on some servers until a Mastodon user flags it and reports it to get it removed from the network. Now, this is really an area where I cannot say what DK should or shouldn’t do. The reason I bring it up is that with Twitter, the company’s moderation acted as a shield against that sort of thing potentially getting embedded in a story here. In any case this would presumably be done by malicious users with newly created accounts.

With Mastodon, one would have to implement the allow-listing in the other direction (getting the updated list of Mastodon servers to ensure known-bad ones’ content can’t be included). I suppose that’s a judgment call — DK’s got pretty well-behaved users, and I haven’t seen many drive-bys of new accounts spamming the place. Still, the main points are:

That’s the harder type of allow-listing to do.
Implementing it might provide better legal protection.

Glad I don’t have to make the call. /s Essentially, I am concerned that it could present legal vulnerabilities to Daily Kos, however unlikely.
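The two checks discussed above (a wildcard entry for Twitter versus an exact, refreshable list of Mastodon servers, plus a deny-list for known-bad ones) can be sketched as follows. This is an added example, not Daily Kos or Mastodon code; the function names, the host sets passed in, and the embed path pattern (inferred from the one stripped URL above) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed static wildcard entry, after the article's '*.twitter.com' guess.
WILDCARD_SUFFIXES = ("twitter.com",)
# Assumed embed path shape, inferred from the one stripped URL on the page.
EMBED_PATH = re.compile(r"/@[A-Za-z0-9_]+/\d+/embed")


def host_matches_suffix(host, suffix):
    """Match the domain or a true subdomain, never 'eviltwitter.com'."""
    return host == suffix or host.endswith("." + suffix)


def iframe_allowed(src, mastodon_hosts, blocked_hosts=frozenset()):
    """Decide whether an iframe src may stay in user-submitted HTML.

    mastodon_hosts: current set of instance hostnames, which the site must
    keep in sync as servers come and go; blocked_hosts: known-bad servers.
    """
    try:
        parts = urlsplit(src.strip())
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    host = (parts.hostname or "").rstrip(".")
    # https only, default port only, and no 'user@' trick in the authority
    # (https://twitter.com@other.example/ really points at other.example).
    if parts.scheme != "https" or not host or port not in (None, 443):
        return False
    if parts.username is not None:
        return False
    if host in blocked_hosts:        # the deny-list wins over every allow rule
        return False
    if any(host_matches_suffix(host, s) for s in WILDCARD_SUFFIXES):
        return True
    # Federated servers: exact host match, and only the embed endpoint.
    return host in mastodon_hosts and EMBED_PATH.fullmatch(parts.path) is not None


# Constructed sample data: a two-server list and the URL quoted in the article.
KNOWN = {"bitcoinhackers.org", "tilde.zone"}
SAMPLE = "https://bitcoinhackers.org/@mastodonusercount/109367054157698612/embed"

if __name__ == "__main__":
    print(iframe_allowed(SAMPLE, KNOWN))                          # listed server
    print(iframe_allowed(SAMPLE, KNOWN, {"bitcoinhackers.org"}))  # deny-listed
    print(iframe_allowed("https://new.example/@a/1/embed", KNOWN))  # stale list
```

The last call shows the sync problem in practice: an embed from a server that came online after the list was last refreshed is stripped until the list is updated.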

For developers

So these are the Mastodon API docs that one would use to get server info, etc., which is part of what the DK Ops team will likely need to review before jumping in and making changes. There's a ton to digest, and I’m tired and I bet they will be too, so go easy. :) I’ll be taking a look at it later to see if something like what I speculated is possible (and whether it requires getting set up with client authorization) and probably just getting more familiar with it like the rest of you. I hope some of you find this useful. I wanted to get it out ASAP since who knows what tomorrow will look like.

[END]
---
[1] Url: https://www.dailykos.com/stories/2022/11/18/2137220/-Surviving-the-Mastodon-stampede

Published and (C) by Daily Kos
Content appears here under this condition or license: Site content may be used for any purpose without permission unless otherwise specified.

via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/dailykos/