Mastodon Cloud-Server Progress Update : Digital Door Knocking

As a small update since my first semester-project post my Mastodon cloud-server project has been approved!

My next step is to reach out to groups who may be interested or could benefit from having their own social media server.

While I may be able to target the project to my contacts in IT or cybersecurity, or from art school, my advisor had excellent suggestions for reaching out to established groups who could benefit such as campus clubs, non-profits organizations, a church group or even a city rec center. In other words, there is surely a group who would like to stay connected without having to use big social media platforms.

Currently, I’m compiling a list of possible contacts, and drafting fitting proposals per group. Hopefully, I can find a group that is interested and comfortable with the proposal. I’m very excited to get underway!

Cost allowing, I plan to setup a server for personal use, such as amongst friends, in order to get started on the technical and logistical aspects. This should help me when I make contact with an interested group.

Until next time, best of luck to you in all you do! : )

A Semester for Neglected Projects

Despite the fact that this is my last semester before I graduate, the most exciting part for me is that I can finally dedicate a substantial amount of time to hands-on projects. The main reason for this is, I’m working on my capstone project and have another class requiring a hands-on project. In both cases, the projects are very open and meant to encompass about 3 months of work. The only restriction of the second project is that it must be cloud based and for a nonprofit group.

Capstone: FitBit Telemetry, Privacy, and Security Analysis

For my B.S. IT degree, my capstone project is centered on security and privacy of wearable technology like the FitBit. As digital and internet technology expands into new areas of life, an unfathomable amount of data is generated by our comings and goings. Wearable tech is subject to the same concerns as other Internet of Things with the additional issues brought about by collecting biometrics, and health information. So, after a review of current literature, I will start by analyzing telemetry data sent by the FitBit Charge2, and possibly other models. While others have done research in this area I think it will be important to collect and analyze data myself.

One of my concerns with wearables such as fitness trackers is that in order to use them consumers must place full trust in the company selling them the hardware. Heartbeat data is collected, sent to servers, and analyzed in order to provide the user with useful reports. For the FitBit this means turning on location services and Bluetooth in order to authenticate and sync the device. While there is the option to encrypt data sent to the servers, I’d rather connect the tracker to a laptop, or other computing device to handle processing. So my second goal is to develop an application to handle the data locally, without needing to use other’s servers.

What excites me about this project is the chance to learn more about how health data is collected, stored, managed, and presented as information. In addition to that, I’d like to be able to develop programming skills to create a tool that puts control back in the hardware owner’s hands. This project will be the most difficult and research intensive of the two, but that’s why I’m so excited to begin!

Cloud Architecture: Mastodon

A mastodon leaps into the air holding a paper airplane in its trunk. He is surrounded by clouds and paper airplanes. The mastadon is the mascot of the decentralized social media platform Mastodon. This image links to Join Mastodon dot org

While my second project hasn’t been approved yet, the thing I’m really excited to use cloud services for is to set up and maintain a Mastodon instance. Eugene Rochko created Mastodon, which is built on standard protocols to allow any community to set up their own server. These independent servers are interoperable allowing a federation of independent social media servers to arise. Mastodon is free, contains anti-abuse tools, is naturally community moderated, and has no advertisements. This means that unlike Facebook, Twitter, YouTube and Patreon, content creators are not restricted or influenced by corporate interests outside of their control.

When I heard about Mastodon, I signed up for an account on Mastodon.Technology and since then, I’ve toyed with the idea of setting up my own instance. However, time and financial constraints meant that I had to keep putting the experiment off for ‘one day’. Particularly in light of deplatforming campaigns, which often become out of control due to the giant games of internet-telephone, which occur with increasing regularity, a community-owned decentralized social media platform is extremely appealing. I believe the internet is at it’s best when people can interact freely, without censorship, without having their intellectual property rights being undermined, and in communities which are not isolated, but can set their own standards.

The strength of hosting the instance on a cloud service is that it will be possible to pay for resources in proportion to their use. Therefore if the server has low usage, or suddenly high usage, service will continue and pricing should stay reasonable. I plan to promote it amongst security and privacy conscious friends, as well as my artist friends who may find themselves increasingly restricted by social media scrutiny and standards.

Hosting the Mastodon instance will provide another real world avenue to understand resource usage and allocation over time, as well as cloud server vulnerabilities. If I can get the server up and active quickly, then my focus will be on maximizing privacy and control for users as well as safety.

Future Updates

As I progress through both of these projects my plan is to document my progress here. Hopefully, it can help someone else, as well as serve as a useful personal record.

Collegiate Cyberdefense Competition Injects Part 1 : Introduction to Business Injects

Collegiate cyberdefense competitions evaluate teams through several different metrics. While technical skills and concepts like incident response take center stage, soft skills and business knowledge are also tested. Business injects in particular, tend to test general knowledge, understanding of business policy, ability to communicate and influence non-technical superiors without technobabble and so on.

In keeping with the business scenario the team operates within, business injects often require creating policies, plans for implementing them, and giving professional recommendations to your CEO who… doesn’t speak computer geek.

For Example:

  • CEO requests a report covering what GDPR is, whether the company can become compliant within 12 months, whether they can afford to do it, whether they can afford not to do it, and a justified recommendation about how to move forward.
  • Log and Report all known breaches and countermeasures taken against them.

Some injects are purely technical, or pure business, but others require competency in both areas. Such as:

  • Report on the effectiveness of the implemented SEIM using specific examples
  • Create an incidence response policy and plan for implementing it

Because the technical injects cover a range of operating systems, and types of tasks, this post will focus on aspects of technical writing, and business documents.

There are some critical things that you need to remember when writing these reports:

  1. More likely than not, you will not have enough time but you must still be comprehensive. If you’ve been asked for A, B and C, and have 30 minutes left before submission you need to make some tough calls about where to cut your losses. If you have no understanding of how to address part C then pour your heart and soul into the rest of B. But chances are, you’re best off at least briefly addressing all parts of the request.

2. Save a substantial chunk of your allotted time for delivering injects.

Arbitrarily, you might was to save 30% for nonsense, interruptions, stopping to put out a fire, or delivery mishaps. You can rely on the USB dries remaining pure and uncorrupted, might lose email at any time, and who knows if the printer is still functional.

3. Your team captain is your best asset for data collection, task management and time management.

My team captain was invaluable, because he was always able to help me find out who was dealing with the systems I needed information on. He also helped me track time, which was super important at the National competition level.

4. This is a role you need to study for!

If you have enough work experience in a corporate setting then you may have a feel for what privacy policies, acceptable use policies and the like contain. But if you have to think about it too long you’ll get bogged down and lose time. Ideally, you shouldn’t have to google anything but new laws or specific products. Therefore, make sure you familiarize yourself with the basics of GDPR, HIPAA, memos and policy documents.

If you can outline a 10 page thesis paper reasonably well, or outline a 3-10 minute speech, then you should have little trouble organizing the reports logically.

There are a lot of resources online about technical writing. I’d recommend starting with SANS templates. Print them out, mark them up, and make sue that you understand the content and structure. I will be following this post up with a part two focused on resources for technical and policy writing, and other resources for collegiate cyberdefense competitions.