shellsharks Notes

Useful Pokémon

mike@shellsharks.com (Mike) — Thu, 12 Mar 2026 11:10:00 -0400

Inspired by this post on Threads, I thought about which Pokémon would be the most useful to me in real life. Here’s what I came up with (in index order)…

Jigglypuff is a fluffy li’l guy who can help put my kids to sleep when it’s time. 😆
Diglett would be a great helper for my gardening tasks—tilling soil, digging, etc…
Meowth can literally produce coins/money, can talk, is playful, and hunts around at night finding treasures to bring back to me. All wins there.
Poliwrath seems like a good bro to have around. Strong swimmer and can be a useful, amphibious body guard.
Machoke’s are chill and can help with stuff around the house.
Chansey’s got eggs that are nutritious and delicious.
Lapras is a gentle chap that can ferry me around.
Meganium can legit bring dead plants back to life—need that given my not-so-green thumb.
Miltank can produce tasty, nutritious and healing milk. I’m sure it’s protein packed too.
Blissey brings good luck and healing powers. Gotta have one in your corner.
Gardevoir is a zealous protector and could also lift stuff with its mind which could be useful around the house.
Latias seems like a good option for flying and is gentle and can understand humans.
Rayquaza could be useful from time to time on bad weather days—though it seems a bit intense to have around…

NOTE: I’m only really familiar with Pokémon up through Gen III so this list doesn’t consider anything beyond that.

Museum memories

mike@shellsharks.com (Mike) — Fri, 06 Mar 2026 10:50:00 -0500

This month’s IndieWeb Carnival, hosted by James (of James’ Coffee Blog), is “Museum memories”. I wouldn’t say I’m a big museum go’er or anything, but I’ve been to my fair share. As such, nothing immediately sprang to mind as I thought about how to respond to this particular prompt. Ultimately though, I’d say my favorite, and most memorable museum is the Steven F. Udvar-Hazy Center (Air & Space Museum).

I don’t think I really have to sell the Udvar-Hazy Center—it’s really friggin’ cool, and a must-see for anyone visiting or living in the Northern Virginia area. It’s huge, packed with history, and features a lot of really amazing and thought-provoking exhibits. I mean, it’s got the SR-71 Blackbird, the Space Shuttle Discovery and my son’s personal favorite, the Air Tractor AT-400A (a.k.a. Dusty Crophopper)—and that’s just an extremely tiny sampling of what you can see there.

Sure, if you’re a flight geek, or a war buff, you’re going to be in heaven there. But as neither of those really, I can attest to how really cool it is to walk around there regardless of your interests. I mean, how can you not gaze in wonderment at an actual spaceship, imagining the many stellar voyages it took. Wondrous. 🚀

'Self-host it' is an answer. Let me explain...

mike@shellsharks.com (Mike) — Tue, 24 Feb 2026 09:18:00 -0500

My response-to / thoughts-on Neil’s write up, ‘Self-host it’ is not the answer.

👹 Strapping on my devils advocate ~~horns~~ hat…

Neil is right, self-hosting isn’t a panacea for the ills of big tech, and barriers absolutely exist, some insurmountable for many, but I think spreading the self-hosting gospel, i.e. educating the larger populace of potential self-hosting aspirants, is a good thing. The subset of folks who could self-host but don’t is probably pretty large. Heck, that includes me! The subset of folks who never knew, or never considered self-hosting something is also non-zero. As others have pointed out, solutions/services/platforms (e.g. YunoHost) which help bridge the gap between big tech reliance and full-on self-hosting have started multiplying. Why? As a direct response to the enshittification of big tech and the growing demand that has sprung up in that wake.

So no, saying “just self-host it” isn’t really the right approach, sure. It’s a bit more nuanced than that isn’t it? As Neil has pointed out, it requires resources, time, money, know-how, etc… This is all true. But each layer of that stack can be managed in different ways, not all of them by the individual. And know-how? Is it too much to ask to have someone learn something new? You don’t need to become an SRE over night, and you should expect-to and plan for failure along the way, but you can surely figure something out in time yeah?

But let’s take a step back. To say ‘just self-host it’ isn’t the answer, let’s first try to derive/understand the question. Neil doesn’t explicitly say, but in my mind we say “just self-host it” as an answer to a (generalized) question like “big tech platform A is bad, how can I lessen my reliance on it”? In this case, the operative word is “bad”, which can mean anything from said big tech company is violating one’s privacy, enshittifiying, being sunsetted, etc… A better answer to this question is to point out the vast array of alternative options, self-hosting of course being just one of those. You also have managed hosting, FOSS alternatives, smaller/non-big-tech (though still centralized) platforms, etc… Do we have a well-known vocabulary for suggesting “managed” or partially-“managed” hosting alternatives? I don’t think so. Instead, we just tend to say “self-host it”. But I think this answer can be inclusive of more things than just, full-on, purist, I own/control the entire stack self-hosting.

Neil does make the distinction between his definition of ‘self-hosting’ and that of ‘self-managing’ (running stuff on hardware/a-platform that is not your own), but I think that this is the core problem. This vocabulary (“self-managed”) is not agreed upon, or known. He makes a lot of valid points about why “pure” self-hosting isn’t a great answer, but I think he’s taking it too literally. I think ‘self-hosting’ as the most well known term here can be thought of more inclusively as being everything from owning the whole stack, to just owning part of it (call it “partially” self-hosted if you’d like).

Rather than dismissing the idea of self-hosting as something only the most dedicated of tech nerds could possibly figure out, let’s instead continue to educate the masses on what it means to move away from big tech. How truly possible it is and what the benefits are. A more educated populace will in turn create more demand—for community hosting, managed hosting, content on how to self-host, tools to make self-hosting easier/more-secure, etc… It’s important to lay out the obstacles and pre-reqs, yes. It’s very possible to bite off more than one can chew here, but you can right-size how you approach this and ease yourself in a responsible way.

Setting off on a self-hosting journey

mike@shellsharks.com (Mike) — Fri, 20 Feb 2026 11:46:00 -0500

I want to self-host a bunch of things. Why? Let’s see here… techno-fascism, privacy disasters, tech companies randomly sunsetting things, enshittification spirals, etc… I’m tired of it. I want to run some stuff myself, own the data, and be happy with my tech.

Here’s some of the things I’m looking to run myself…

RSS
Read-It-Later / Bookmarks / Links
My Website (aspirationally)
Fediverse Account(s)
A Community Platform (to replace Discord)
Podcast
XMPP?

So for each of these technologies, here’s what specific platforms am I considering thus far… I am still researching my options here and will add to this list as I discover new alternatives. I also give a little reasoning as to why I’m looking for alternatives for each tech.

RSS: I use Feedly now which is ok. It doesn’t cost that much but there’s limitations on the amount of feeds I can subscribe to, even on the pro tier. Annoying. They’ve also had some not-so-great stuff in the news.
- FreshRSS - This is probably what I’ll go with since I’ve heard good things about it.
Read-It-Later / Bookmarks / Links: Stupid Mozilla killed Pocket. So here I am…
- linkding
- floccus
- Grimoire
- Postmarks
- Omnivore
- linkblocks
Website: I have a static site. It’s been on GitHub pages forever. I like GitHub pages. It’s worked really well for nearly 6 years. What I don’t like is Microsoft. It’s high time I find a better place to stick my site.
- Codeberg / Forgejo
Fediverse Account(s): My main Fedi account is on Masto.host. It’s been a great experience. I will honestly probably keep it there. My only gripe with them is that I have to use vanilla Masto which has the awful character limitation. My GtS instance however needs a new home.
- GoToSocial (for malici.ous.computer)
- Mastodon (currently with Masto.Host and I am pretty happy there)
Community Platform: I’ve had a “shellsharks” Discord for ages. It’s not terribly active, but I’ve kinda liked having it. I’m interested in creating a new place but not sure exactly what that would look like. Maybe it could be more of a forum, like with Discourse. Or perhaps it could be Discord-ey and I could use Matrix. Or maybe I’ll just set up shop in an existing Lemmy instance. TBD!
- Chatmail
- Discourse
- Lemmy / Kbin
- Matrix (yeah I know about all this)
- IRC
- Stoat
- etke.cc - Matrix hosting
Podcast: My old Castopod (managed) instance needs a new home. (Not that I’m doing a great job keeping my podcast alive but w/e)
- Castopod

OK, so once I know what I want to self-host, I need to figure out how exactly to do it. This is where I’m in the beginner-iest of stages. I’ve not self-hosted much of anything before so I’m looking to understand the best way to do this for each of the things I’ve mentioned above. The list below is a bunch of toolinng and other resources/writeups related to this endeavour (in no particular order).

A newbie’s guide to self-hosting with YunoHost: For YunoHost (duh)
Setting up a Discourse Server: A guide from Adam
Setting up an IRC server
How and Why To Ditch GitHub: Migrating to Codeberg
Host static websites with Codeberg Pages
Beginner’s Guide to Nextcloud
Grow Your Own Services
selfh.st: A newsletter related to self-hosting
Owning your data
Homelab Alamanac
Tailscale
32x33 guide to self-hosting
Decorporatization
Hold on to your Hardware

This is where you fine folks come in! What should I do? Any recommendations? Are there platforms you like? What’s your go-to strategies for self-hosting? Cloud? At-Home? What should I do!?

Feel free to email me, hit me up on Fedi, or contact me any of these other ways…

citations.css

mike@shellsharks.com (Mike) — Tue, 17 Feb 2026 16:51:00 -0500

I previously introduced the idea of using CSS as a means to selectively style references to other sites/authors/creators. There I also suggested using indieweb.txt as a place to share one’s own reference info, including this css styling. Since I somewhat routinely credit or otherwise shout-out other IndieWeb personalities throughout this site, I wanted an easier way to apply these styles when making said references. Why? Because I think it’s a fun way to pay homage to these other unique sites I enjoy and respect. Enter citations.css, a place to centralize these styling directives for referencing other sites and authors.

citations.css is a list of .class selector declarations where each reference maps to the site you are referencing’s domain name. You replace any dots “.” with a dash (“-“). So “shellsharks.com” becomes “shellsharks-com”. An example for this site can be seen below…

/* Shellsharks.com */
.shellsharks-com {
    color:#CA3342;
}

Once loaded up, you can then refer to my site using class="shellsharks-com" and voilà, you’ve got shellsharks!

For sharing your own styling preferences such that others can add it to their citations.css file, I suggested using indieweb.txt. You could have it as a field in indieweb.txt itself, or perhaps point to a citation.css (note: ‘citation’ singular, not ‘citations’ plural) file that houses just your site’s prefered reference css.

- citation-css: .shellsharks-com { color:#CA3342; }

- citation-css: https://shellsharks.com/citation.css

tiny note: I use the former, so you won’t find anything at “shellsharks.com/citation.css”.

Issues

This is just an idea—and like with many of my ideas, there’s many-an-issue…

Accessiblity is an obvious one. Some people’s preferred or chosen styling might just not look great on the destination site. This could result in accessibility concerns or just general eye-soreness.
Security, duh: Accepting arbitrary code from folks on the Internet? What could go wrong!?
Logistics: I’ve still not figured out the most friction-less way of sharing and otherwise ingesting other people’s reference css. Maybe it’s in indieweb.txt, maybe it’s in a static file named citation.css in the .well-known directory. I’m not really sure.

To solve for accessibility, maybe you could share light and dark mode-compatible styling code. For security, maybe there could be a centralized directory (github repo) that folks can submit their styling block to that get’s reviewed (scanned?) before it is accepted. Who would own/run/maintain this repo? Duno. For logistics, this is something that would probably just need to be agreed upon by the larger community (assuming this reached any level of popularity or adoption at all, which I honestly do not expect).

Other Considerations

As I’m talking with others and using this myself, I’ll add some other considerations here…

It may be useful to have a last updated value somewhere so that others can know if they have the latest styling block for your site.
Ideally, styling should not make text larger or smaller, but rather focus on font, color, framing, etc…
Though there’s no technical limitation, my recommendation is to keep your styling rather simple (e.g. no animation, etc…). To help with adoption, accessibility, security review and usability on other people’s sites.

Anywho… that’s my idea! So if you do feel like referencing my site in a fun way on your own site, feel free to get my citation styling from my indieweb.txt file! If you think this is fun and have decided to implement it yourself, let me know! I’ll add your info here too.

Shout out to fLaMEd, who’s unique styling inspired this idea. 🔥

Citations Directory

A list of sites (that I know of) that have implemented citations.css or shared their citation css block with me.

Things you'll NEVER hear me say

mike@shellsharks.com (Mike) — Fri, 13 Feb 2026 15:15:00 -0500

A list of things you’ll absolutely NEVER hear me say…

“I like AI art”
“No, I don’t feel like eating BBQ tonight”
“Trans women aren’t women”
“Check out my Substack”
“The Rise of Skywalker is a great Star Wars movie” 🤭
“My knees and ankles feel 100%!”
“You definitely should roll your own crypto”
“Follow me on X”
“Pluto is not a planet”
“I’m voting Republican”
“Lebron James isn’t the GOAT”
“I can’t eat any more boiled peanuts”
“I love having wolf spiders in my basement”

It's a lot of things

mike@shellsharks.com (Mike) — Mon, 23 Jun 2025 16:10:00 -0400

Hey everyone, I’m still here. If you’ve wondered where I’ve been, or if everything is OK—I’ve been around-ish and YUP! everything is A-OK over here.

There’s not really one thing I can point to and say “that’s why I’ve not been online as much”. I had some vacation time, work has gotten busier, family stuff, summer, other hobbies, the world being crazy, and a bit of just feeling behind on things all kinda happened over the past month and I’ve just not had the energy to get to all the things I had been doing with my blog, and with Scrolls, or with the online communities I am generally frequenting. I’ve been meaning to get back into the normal swing of things but getting that engine goin’ again has proved a bit harder than I first thought. But I miss it, so I’ve finally got ‘round to pushing some updates to the site that had been sitting in my editor for a while, and I’ve got some other things backlogged that I’m working on publishing out too.

A special nod to everyone who has reached out to me privately or on social media to check in—it means a lot 🧡

…and that’s it! See y’all around the webz! 👋

How I take my coffee

mike@shellsharks.com (Mike) — Tue, 13 May 2025 09:59:00 -0400

Riffing on Axxuy and Elena’s posts about how they drink coffee, here’s how I take my coffee… ☕️

As of March (2025) I’ve gotten into making at-home cold-brew coffee. It’s delicious! I normally take 2/3 of a pint glass with a splash of half-n-half, another splash of 2% milk, then top it off with ice (cubes). This is what I drink most of the time these days. Since I’m newish to brewing my own cold brew, I’m still exploring what types of beans I like most and have really been enjoying sampling different roasts and regions (speaking of, maybe I should start a sort of “coffeelog” where I can do some tasting notes / reviews… 🤔). Not sure what I like the most yet, but I do know that it’s far better than the french press swill I had been making before.

When I’m out ‘n about and ordering coffee, I typically go with an iced latte or sometimes just an iced coffee. I like getting the latte’s because I can’t make them at home. I never drink hot coffee. I’d rather have no coffee than have it hot. I just don’t enjoy hot beverages. When I do happen across a Starbucks, my go-to order is their Iced Brown Sugar Oatmilk Shaken Espresso, with just 1 pump of the syrup, otherwise it’s too sweet for my liking.

Cheers!

'cause nobody hurts me better

mike@shellsharks.com (Mike) — Mon, 12 May 2025 12:40:00 -0400

My song ranking of Sleep Token’s album Even in Arcadia. Honestly though, that top 4 is super hard for me to decide as they are all mind-blowing. Also, had to roll back into this post and drop the lyrics to my favorite parts of each song. Behold!

Gethesmane (shoutout to that epic riff tho’)

and I’ve learned to live beside it
and even though it’s over now, I will always be reminded
Caramel

too young to get bitter over it all
too old to retaliate like before
too blessed to be caught ungrateful, I know
Past Self

and if this is love, then i am out of hesitation
walking an inch above the pavement
taking it stride by stride together
if this is real, then i am all up in a frenzy
not like before when I was empty
say that the story we tell is never ending
taking it stride by stride together
Emergence

are you the carbide on my nano?
red glass on my lightbulb
dark light on my culture
sapphire on my white coat
burst out of my chest and
hide out in the vents
Damocles

and nobody told I’d be begging for relief
when what is silent to you feels like it’s screaming to me
and nobody told me i’d get tired of myself
when it all looks like heaven, but it feels like hell
Look to Windward

oh and I
I used to know myself
oh and you
you used to know me well
oh and I
I wish that I could leave myself alone
oh and you
you wish that you could make me whole
Provider

and our bodies converse like old friends
exchanging in years silence
with something unsaid on both ends
surely we know the difference
Infinite Baths

even if I’m on my own
when the silcence is deafening
I could be stuck here alone
when even my future is threatening
something is lifting the bones
something is dancing in revelry
wider than oceans below
taller than titans on boxsprings
Even in Arcadia
that final…

have you been waiting long!!!
Dangerous

when’s the last time you tasted blood?
and what will it take to stem the flood?

So you've got a blog, now what?

mike@shellsharks.com (Mike) — Wed, 07 May 2025 22:27:00 -0400

OK, so you’ve got a blog/website, but you’re wondering “now what”? Here’s some ideas for what to do next!

🏡 My “Good Sitekeeping” guide has a list of style-ey things I personally like to see on web sites
🥇 What to add to your site first is self-explainable
⁄ Add as many “Slash Pages” as you can
⚙️ Here’s some other commonly found website components you can consider
😀 Here’s a list of my favorite things I’ve built/written for this site, some of which could inspire you!
💜 Get weird with it
🌎 Put anything and everything there (e.g. remember to PESOS)
🏠 Make it homey
📧 Share your site with me! I want to see it, subscribe to your RSS feed, and probably add it to my newsletter
📜 Speaking of Scrolls—check it out for other what-to-do-next ideas and inspiration from across the IndieWeb

Remember! Having a website isn’t about blogging, it’s about you.

Professional Path

mike@shellsharks.com (Mike) — Mon, 05 May 2025 12:40:00 -0400

I saw a thread recently which asked people to share their “path” in cybersecurity. I’ve long maintained a few lists that sorta represent this path, so I decided to mush them together to create this simplified timeline of notable career events (e.g. degrees, job changes, certs and other large life or professional-adjacent events).

Timeline

Pre-2010 My infosec path really begins in 2010-ish, but prior to then, I worked a number of IT-related jobs, which gave me some work history and tech-related experience
2010 (through 2013) Started new role as a Intern Software Engineer / Systems Engineer I (software developer)
2010 Started Bachelors degree in Information Assurance & Network Security
2012 Graduated with BS in Information Assurance & Network Security
2013 Achieved CompTIA Security+ degree
2013 Switched to security compliance role (First security position!)
2013 Started new role as a Security Analyst (First “technical” security role - e.g. Tenable, AppScan, Burp, etc…)
2014 Started new role as a Senior Consultant (Infosec)
2014 Achieved ECCouncil CEH certification
2014 Started new role as an Application Security Consultant
2015 Started new role as an Application Vulnerability Management Analyst
2015 Achieved Qualys VM certification
2015 (through 2021) Started new role as an Information Security Engineer (First “engineer” title)
2016 Achieved Tenable TCSE and Core Impact CICP certifications
2016 Started Masters degree in Cybersecurity
2016 Achieved GIAC GPEN, ISC² CISSP and eLearnSecurity eJPT certifications
2017 Promoted to Lead Information Security Engineer
2017 Achieved eLearnSecurity eCPPT, GIAC GCIA, GIAC GPYC & GIAC GMOB certifications
2018 Achieved OffSec OSCP & GIAC GCIH certifications
2018 Started shellsharks.com!
2019 Achieved GIAC GSEC, GIAC GWAPT, GIAC GREM & GIAC GRID certifications
2020 Achieved GIAC GXPN, AWS Solutions Architect, GIAC GAWN & AWS Security Specialty certifications
2020 Graduated with MS in Cybersecurity
2020 Became a father!
2021 Achieved GIAC GCPN & GIAC GSOC certifications
2021 Started new role as Senior Enterprise Security Engineer
2023 Kid #2!
2024 Switched to a new role, Application/Infrastructure Security

BQC: Random Questions

mike@shellsharks.com (Mike) — Wed, 30 Apr 2025 16:15:00 -0400

Answering a particularly random set of questions via the Blog Questions Challenge Bot…

What’s a food that instantly makes you feel cozy?

Boiled peanuts. These are my favorite food, and they just remind me of being in South Carolina as a kid and just chillin’ and munchin’.

Describe the best cloud you saw recently.

Super random question lol. But! I did see a particularly impressive cumulonimbus storm formation recently ⛈️.

What song is stuck in your head right now?

Caramel by Sleep Token. In fact, all of their songs from their new album have been rotating through my head of late.

If you could add one silly feature to your phone watch, what would it be?

I changed the prompt from phone to watch 😅. I wish my watch could somehow ✨magically✨ track my calorie intake and break it out via macros.

I like doing these blog questions challenges… but sometimes the prompts are a little too random. Also, the provenance of these questions (AI-generated) is a little ehhhhh to me, so I’m questioning whether I will really continue taking part in the weekly challenge write-up. I suppose if a particularly interesting set of questions were to pop I would do it—or if I was “challenged” by someone else in the larger IndieWeb community I may bite. Still haven’t decided though… Honestly, I think I can come up with my own prompts. The “fun” of this was always meant to be having the same prompt answered by a lot of people, and I just don’t know what the adoption is at this point. Is anyone else out there answering these prompts?! Let me know.

Thanks for reading!

What's a newsletter?

mike@shellsharks.com (Mike) — Mon, 28 Apr 2025 14:20:08 -0400

@darius @t54r4n1 I’ve never thought of a “newsletter” as being defined by its transmission medium, though I understand the instinct to associate the “letter” suffix with e-“MAIL”. I’ve always emphasized the “news” part of newsletter (w/ “letter” referring to the fact that newsletters were written, i.e. not videos or podcasts). In this way, newsletters would be defined more as written pieces that focus on recent topics (i.e. news), regardless of how it is delivered.

BQC: Outdoor Activities

mike@shellsharks.com (Mike) — Mon, 21 Apr 2025 10:17:00 -0400

Answering the Blog Questions Challenge Outdoor activities…

What’s your favorite thing to do outside when the weather is perfect?

Hiking a mountain. Preferably one with a nice rocky ridgeline so I have views of the valley and surrounding ranges.

If you could only do one outdoor activity for the rest of your life, what would it be?

Kind of an odd question tbh. I mean I love to hike, but I also love sitting by a campfire. Must I choose!? Y’know what? It’s my blog. So I won’t.

What’s the silliest thing that’s ever happened to you while enjoying the great outdoors?

A bird pooped on my head once while I was traveling in South Africa… 🐦💩😡

Would you rather explore a dense forest or relax on a sunny beach?

Easy—the forest all the way. I like the sense of adventure.

Hypocrisy. Illiteracy. Deception.

mike@shellsharks.com (Mike) — Mon, 14 Apr 2025 10:17:00 -0400

We need to stop platforming Nazis—available on my Substack.

The importance of decentralized social media—posted from my Bluesky acccount.

The dangerous rise of fascism in America—follow me on Twitter for more.

The importance of open source—from my WordPress blog.

Starting to get the theme here? These are all things I’ve seen in the last year. Kinda awkward right? We’ve got Substack eagerly platforming Nazis, Bluesky is laughably not decentralized, Twitter is… well…, and ooph, WordPress has been quite the open source debacle now hasn’t it? Why do these authors and creators continue to publish such incongruous content to platforms that are in direct conflict to their own message?…

Are they enslaved to the “reach” and “community-effects” that these larger, morally-compromised platforms provide?
Are they simply tech-“illiterate” and don’t understand what’s going on with these platforms?
Have they been outright deceived by the marketing and influencers of that platform—led to believe their platform of choice is something that it isn’t?
Or are they just full of shit?

I have my theories… 🤦‍♂️

The ol’ Cringe-o-Meter is just pegged to max these days a’int it?

Infosec gatekeeping

mike@shellsharks.com (Mike) — Tue, 08 Apr 2025 09:04:00 -0400

A line I see repeated a lot amongst infosec professional circles is “infosec is not an entry-level field”. This is typically followed by recommendations from these same “professionals” to first get jobs within the help desk for a few years before trying to move into a true cybersecurity role. This is crap advice, and very gatekeepey.

Look, I don’t buy the gatekeep-ey, “infosec isn’t an entry level field” line—and neither should you. Infosec, like any other field, has junior-through-super-senior-level roles. What you could argue, is that the industry is more saturated these days and there just aren’t enough roles to satisfy all the more-experienced demand and all the newcomers. A lot of “analyst” roles are pretty well-suited for entry level folks. Yeah you should have some know-how, but that isn’t something you have to sweat at the help desk for 3 years to get. The level of skills, training and know-how these “kids” are walking into interviews with these days is off the charts—far more than I had when I got my start in infosec (which mind you was a true “entry-level” role).

The people who continue to repeat this line are either jaded because they felt they had to go that path, or frustrated with the lack of talent/understanding that seems to plague the industry as a whole. Which in my opinion isn’t a byproduct of “unseasoned” newbies entering the infosec ranks, rather it is a testament to our collective inability to NOT gatekeep, properly train and adequately open doors for those of us who don’t fit the typical infosec-person-criteria (i.e. college-educated folks with money for certs, blah blah). Imagine where we’d be if we stopped saying, “you have to go to the helpdesk” and instead said “here’s what you need to learn to bypass the helpdesk”. Imagine how much more secure and healthy the infosec workforce would be if we put time and resources into training, retention, mentorship, etc… Instead, we’ve got a handful of bloodthirsty training vendors and bootcamp peddlers and a whole lot of us who are just too tired to do our own jobs, much less help others 😩

So yeah, stop gatekeeping. Stop pretending like what we do is soooo advanced that there’s just no way it could possibly be “entry level”. I’m not saying junior folks should easily walk into roles that actually require experience and years of technical training, but we are kidding ourselves if we think all of infosec is comprised of roles that couldn’t easily be done by smart junior staff. Sys admins, SOC analysts, vulnerability management analysts, GRC, the list goes on.

Stale career advice

mike@shellsharks.com (Mike) — Thu, 20 Mar 2025 10:11:00 -0400

I saw this post from Jacob titled Beware tech career advice from old heads and I think it’s spot on. Infosec, even back when I was first getting into the field in 2010-ish, has always had that seemingly artificial barrier-to-entry, but there was A LOT that was different then and just doesn’t apply today. The technical/experience expectation(s) for newcomers has skyrocketed, the competition for jobs has ballooned by several orders of magnitude it seems, opportunities have stagnated to a degree, and the advent of AI has started to put pressure on these sorts of technical roles.

When I was getting into the field the recommendation was basically, “get a certification or two, starting with the Security+—and ideally, have a degree in computer science”. That was it. Nowadays the expectations are through the roof, and you’re competing with others who are building incredible resumes before even landing their first job. Open source contributions, participating in capture the flag competitions, bug bounty hunting, multiple certifications, advanced degrees—all to just qualify and compete with other similar portfolios for an entry-level gig.

I do have advice (e.g. my playbook and clout-boosting tips, among other things), and I do share it quite often, but if you’re new to the field and trying to break in, it’s worth asking yourself how valuable that advice really is. After all, it’s been a while since I’ve had to “break in” myself…

Good luck on the hunt!

Is cybersecurity a good career?

mike@shellsharks.com (Mike) — Sat, 08 Mar 2025 21:53:00 -0500

Here I answer the question “Is cybersecurity a good career?…”

Let’s put it this way. I don’t have experience in any other field, so I can’t really give it a fair comparison to anything else. But I’ve never thought to myself that I wanted to switch careers, not because there isn’t something out there I’d enjoy more, but that when I consider all things, I’m not sure there’d be a better career for me. Like, I’d love to just be a park ranger, but it’d require too much time (probably) away from my family and not pay what I’d like. I’d love to have made it as like a tech YouTuber or something, but the chances of that working out and me becoming “successful” at it is SUPER low, and honestly not sure I have the stamina to do it. For all its faults, and there are plenty, cybersecurity is interesting, pays well, comes with plenty of perks and theres always been pretty solid opportunities. Not sure another career has that same entire package for me.

Career mistakes I've made

mike@shellsharks.com (Mike) — Sat, 08 Mar 2025 21:29:00 -0500

A lot. Let’s talk about ‘em…

Not asking questions. Never be afraid to ask questions. It doesn’t matter what anyone else thinks, and most of the time, they aren’t going to think what you are worried they might think about you asking a question. It’s an opportunity to learn something and each time you don’t ask the question, you miss out on that opportunity. Don’t let imposter syndrome get to you, don’t let some expectation of what you’re “supposed to know” stop you, don’t be shy. Just do it.
Don’t discount the small things. There’s a lot you may learn (or be forced to learn) that you think is “unimportant” or “uninteresting” but in my experience, those things have a way of coming back and being of importance later. The amount of times I’ve had to relearn things is absolutely infuriating.
Take breaks, but don’t let off the gas. Look, you don’t want to be burned out, but you don’t want to lose your motivation, your drive, your momentum either. I wonder sometimes where I could be if I had remained focused and really kept my eye on certain goals.
Build a portfolio. I have a portfolio / personal website (combined) that I’ve been maintaining since 2019. I graduated college and joined the workforce full time in 2010-ish. In those 9 years I wish I had that same idea to document my journey, blog about what I’d learned and built a reference for myself over the course of my entire career. It would have been game changing I think.
Focus on the journey, not the destination(s). Cliché maybe, but the wisdom is there I think. I spent too much time trying to get to X job, or Y certification, or Z salary and less time focused on building a skillset brick by brick which would have given me the foundation required to really make it farther.
Take risks, especially earlier in your career. I’m mostly satisfied with my early career moves. But I think I’ve missed some opportunities. Hindsight is always 20/20 (as they say) but there are a few things I think I regret.
Network. Yea, by this I mean traditional networking across your industry, but more specifically, I mean at your company. Spend the time to cultivate relationships - with your team, with your manager, with your skip, with other “movers-and-shakers”. Find ways to be impactful for them. I’ve always been terrible at “playing the game”, so it’s a “mistake” I own to some degree, but I advise others to try a slightly more determined approach.
Being a generalist is fine, but go deep on SOMETHING, maybe a few things. I wish I had spent more time just diving super deep into one specific domain, rather than getting distracted by every little thing across my entire field. Sure, I’m a perfectly good generalist and have some specialties, but I’m not super specialized in anything specific I don’t think.

I’m sure there’s more things, but I’m tapped out. Don’t make all these mistakes! I got time to fix ‘em though 😃

Sure, AI isn't useless, but is it a net negative?

mike@shellsharks.com (Mike) — Wed, 05 Mar 2025 00:12:00 -0500

A discussion on the polarizing, hot-button issue of AI. Many laud its uses, others frame it as “useless”. The truth is never black and white. AI (and LLMs) are still very much a nascent technology, at least as I see it in the grand scheme of things to come. But, given the proliferation of this technology throughout the tech world, permeating much of our regular daily lives, you’d assume it was much more mature and robust. Below, I try to point out some of the many concerns that I have observed, in order to juxtapose those against the reality that AI/LLMs do in fact have real-world uses, and when employed correctly, can admittedly be powerful tools.

You can write something on this subject… but I’d scope it a bit differently, because their’s a lot more at play here than just “is it useful” vs “is it not”. To make a fair, leveled case for why LLMs have value, I think it’s worth first acknowledging all the things that are off-putting about LLMs. To name a few… (I’m going to use the terms “AI” and “LLMs” interchangeably throughout…)

The seemingly devastating environmental impacts (and general resource consumption concerns)
The whole “we had to rip off everyone’s writing, art, content, and general IP to make this work” aspect
The plenty of use-cases where companies are trying to shove “AI” into things that just don’t make sense. (I saw someone post about an AI-enabled toilet… what?)
The uncomfortable reality that LLMs (or generally “AI”) have been employed in place of actual humans, leading to workforce reductions, blah blah. (I understand this is the nature of technology advancements to some degree, but there’s still a human cost here that can’t be discounted, and just saying “git gud” to folks who are impacted isn’t really the best argument)
The embarassing AI fails - e.g. remember when Gemini told us to put glue on our pizza?
The scenarios where AI is used in ways that are actually not that great for AI
The general griftiness and undeserved grandiose claims from the tech-bro CEOs that keep promising “huge leaps”, and “AGI is just around the corner”, but still can’t do seemingly basic shit a normal human can do…

Because look, I don’t think most people, if you were to ask them face-to-face and get an honest, tempered reply, would say that LLMs are literally “useless”. Instead, I think they would just point to any combination of the bullets above and try to make the argument that it’s just not worth the overall hype we’re seeing across the industry and the world at large. It’s just annoying. It’s jammed into every single product, and in these early stages of the tech, it’s had some really public face plants. Sure, it’s set to get better, tech has a way of doin’ that, but you have to admit the souring effects these fails have. So when we (the AI doubting populace) see these constant stream of visible fails coupled with surging product costs (to offset maintaining AI systems), mass layoffs (again because companies think AI can replicate those functions), and reports about how catastrophic this all is for the environment, we get to the point where we make statements like… it’s useless.

So, maybe without even diving into all those things you could just phrase your post as something like… “Yeah AI (or LLMs, whatever) suck for so many reasons, but they’re not COMPLETELY useless. Here’s a few things they’re OK at…” 😅

AI Threat Modeling Resources

mike@shellsharks.com (Mike) — Tue, 04 Mar 2025 08:52:00 -0500

Some AI threat / threat modeling / security resources I’ve collected…

Thoughts on a career in infosec

mike@shellsharks.com (Mike) — Sun, 02 Mar 2025 21:23:00 -0500

Answering a series of questions orbiting the larger question “how is the job (in infosec)?”. I answered this kinda rapid-fire on Reddit, but decided to come back here in the note and give it a bit more thought and embellishment…

Work-Life-Balance: Maybe I’m lucky here, but I’ve always felt my WLB was pretty great. Mostly I think WLB is something you have to learn to manage yourself, otherwise you can be eaten alive. Sure, I get busy sometimes, but usually I see this as “good stress”, not something that is overwhelming.
Hours: I work 8 hour days ~~at most~~. Anything I work over that is for no other reason than I’m a nerd and I’m literally doin’ work-related/adjacent stuff in my free time because I genuinely want to. Look no further than this blog. Sometimes I write about infosec stuff, and sometimes that infosec stuff just happens to be what I’m actively doin’ at work at that time. A nice symbiosis if you ask me!
Companies: Most companies I’ve worked for (imo) don’t really care about infosec. There is regulation which compels them to do certain things, and there is the very real, ever-present threat landscape, but investment into infosec is always seems to be reactionary and bare-minimum-ish. Sure, there have been some exceptions, at least to some degree, but the fact is infosec is a cost center, and companies continue to see responding to potential breaches/incidents as being preferable to staffing up appropriately. As such, you’ll probably always feel understaffed in your orgs, and that’s because you are.
Difficulties: see “Companies” above. Besides that, infosec is hard. Even when it shouldn’t be. The basics really aren’t that hard, but you wouldn’t know that given how often even “pros” seem to get the basics wrong. I swear burnout happens mostly because it seems people just continuously seem to fail on the easiest stuff and it gets a little frustrating… One more thing, there’s a lot to learn. Which is awesome really, but if you don’t have time to learn, then you can feel constantly behind. Too many companies don’t make time for folks to skill up, and that’s an issue.
Getting hired: Yes it was difficult (for me), and that seems to still be the case for a lot of folks. Traditionally, it’s been hard to break in, and then easy to move up and around after that. That said, seems like the market is tightening more and more these days to the point where even experienced folks are having more trouble staying gainfully employed…
Getting necessary qualifications: Though a career in cybersecurity might not be as dependent on certs as it once was, you still universally see them as requirements or “nice-to-haves” on job reqs. I don’t think you need to pile up certs, but having one or two that are applicable to the job roles you are applying to can help you get past resume screens. So don’t focus on “certification paths”, instead focus on learning actual skills. I have a bunch of thoughts on what cert you should take here. It’s also worth pointing out that you don’t need to spend thousands to get the necessary skills. You’ll also have to factor in the amount of time it takes to study and actually take these exams.
Pay: Pay has been good. You can make good money and there’s decent opportunities. From a money perspective, I’m not sure what I’d really do in my life it wasn’t for tech, and more specifically, infosec. I know plenty of folks outside the industry and their prospects are just not as good, and most of them have worse hours, less perks, more stressful jobs, etc…

GOOD LUCK!

Shellsharks operating costs (2025)

mike@shellsharks.com (Mike) — Sat, 01 Mar 2025 14:39:00 -0500

Annual report on how much it costs to run all of my Shellsharks-related services and components… ¹

Costs

Shellsharks.com

Domain fee (GoDaddy): $22.17/year (~$1.85/month)
Image hosting (AWS S3): $.01/month ($.12/year)
Site hosting (GitHub): $4/month ($48/year)

Shellsharks.social

Domain fee (GoDaddy): $54.17/year (~$4.51/month)
Instance hosting (Masto.host - “Planet” plan): $9/month ($108/year)

Malici.ous.computer

Domain fee (GoDaddy): $30.17/year (~$2.51/month)
Instance hosting (K&T Host): ~$5.75/month ($69/year)

The Shellsharks Podcast

Hosting (K&T Host): $4.60/month ($55.20/year)

Total operating cost: ~$32.24/month (~$387/year)

Not too bad. Could definitely save some money perhaps by switching domain registrars or finding cheaper hosting for my Mastodon instance. But for now this remains worth it!

Shellsharks.com operating costs (2023) ↩

Infosec-only

mike@shellsharks.com (Mike) — Wed, 19 Feb 2025 14:20:00 -0500

In the past, I’ve been a bit self-concious about how/what I posted on my site. I believe there’s some part of my readership that comes to my site specifically for infosec-related stuff. So anything NON-infosec that I post is something that they may see on my site, or in their RSS reader and cause them to lose interest in my site because it’s no longer just the infosec stuff they want to see.

Not long ago, I was publishing a lot of my “non-infosec” stuff as “notes” rather than as formal “posts”, but this was not the right way to think about things. Notes are meant to be short-form micro-blogs afterall. So now, I’ve created a separate infosec-only RSS feed and now a special blogs page just for things tagged as infosec. I want to lean into my IndieWeb nature, and write about everything, but I don’t want to alienate the part of my readership that is only interested in infosec stuff (and vice versa tbh). So, I’ve added these things. Hope y’all enjoy! 🧡

omg, Kramdown can do what?

mike@shellsharks.com (Mike) — Mon, 17 Feb 2025 13:59:00 -0500

omg, I just realized I can auto-generate Table of Contents and Footnotes using kramdown. I’ve had this blog for over 5 years, using kramdown the whole time and never bothered once to read the documentation and learn about all it can do 🤦‍♂️. Turns out I can generate a table of contents using this syntax and insert a footnote like this [^1].¹

Wonder what else it can do that I never realized?…

Skimming the quick reference to see what else I should look into…

🤦‍♂️🤦‍♂️🤦‍♂️

I’m sure Jekyll has a ton of stuff too that I can do that I never realized, especially when it comes to it’s plugin library. Maybe it’s time for me to not be as much of a noob?

Insert a footnote at the end of the doc using [^1]: Text here ↩

I am <sup>

mike@shellsharks.com (Mike) — Fri, 14 Feb 2025 13:46:00 -0500

I took the James Coffee Blog “Which HTML element are you” quiz (I got the idea from @reillypascal) and it turns out I’m the <sup> element.

I don’t know the logic James has in place to come up with this, but damn if it isn’t kinda spot on… a little TOO spot on if you ask me 🤨 😄

If you’re a regular around these parts, you know I do a lot of inline-linking, both to my own content, and elsewhere on the web. And though I don’t really make heavy use of the <sup> element specifically, I think the spirit of it is very much alive and well here on the site. In fact, the entire premise of the Scrolls newsletter is to do these two things, “add info”, & “connect ideas from multiple places”.

Well done James! 👏

What cybersecurity certs to take?

mike@shellsharks.com (Mike) — Thu, 13 Feb 2025 19:48:00 -0500

Answering the age old question, “what certification or training should I take?”

For “what you need”, just look at job reqs for jobs you are interested in and get one of the ones you see commonly listed. For “learning”, I like to offer this counter as advice. That said, it’s not like you can’t learn from taking certification training courses, so focus on some that are more practical. OffSec has traditionally been good, though they’re known for being challenging and their reputation has started to tilt a bit after the acquisition. SANS is pretty good, but VERY expensive. If you want to learn basic stuff, go pick up a book or something. But when you have an idea of what niche you might be interested in breaking into, let us know so we can give more specific examples. Good luck!

Oh, and I have a bunch of reviews of certs I’ve done in the past here if you’re interested in perusing…

Mastodon.social is fine

mike@shellsharks.com (Mike) — Thu, 13 Feb 2025 07:43:00 -0500

As others have said, Mastodon.social is fine, you have not screwed up. Are there some downsides to Mastodon.social? Sure, but that goes with any server, or any platform or any choice you make in life (haha). Some folks on Mastodon (or the Fediverse at large) deride Mastodon for A. being “too big”/centralized, B. not liking their moderation practices, C. their association with efforts such as Meta’s Threads federating, and/or D. certain accounts they have that folks may not like elsewhere. Whatever. Mastodon.social is FREE to join, is obviously widely federated - which helps with reach and search, and since it is the flagship instance, has decent moderation, good support, bleeding-edge features, etc..

Also, as others have said, you can migrate your followers elsewhere later if you decide you want a smaller instance, or don’t like mastodon.social for some reason, etc.. The only caveat is right now you can’t also migrate your posts, but I personally don’t see that as being a big deal. If you care about things you post over there, you can download a post archive, or maybe just archive your good stuff on a personal blog or something.

I have an account on Mastodon.social, an account on a secondary (much smaller instance) and a self-hosted instance (yeah I know, I have a problem). There are pros and cons to each experience. What’s important is that you made it out (of the centralized platforms) and are building a presence on the open, federated, social web. Congrats! You can also ask for help there using hashtags like (#fedihelp, #askfedi) and you’ll be sure to get lots of responses.

Saying it again: Someone will read your blog

mike@shellsharks.com (Mike) — Mon, 10 Feb 2025 07:55:00 -0500

@sol2070 I’ve seen a few posts like this pop up in the last few weeks, all with similar theme, e.g. “no one reads your blog but you should do it anyways”. I agree, in part - at least with the fact that you should blog, whether anyone reads or not. But the fact is, people DO read your blog, they will stumble across it, and given the scale of the Internet, of the world, you do have an audience, no matter how niche what you have to say is. I talk about that here.

I get it, I used to have the same thoughts when I started. “No one will read this, but I’ll do it for myself”. That’s fine, but I’ve learned that it just isn’t true, and becoming less true by the day. More people want the IndieWeb, a return to the more authentic web. Your silly “blog” is where people increasingly want to go. So blog for yourself, sure. But blog for everyone out there who, right now, is looking to find something real, some human connection, something that isn’t AI slop, blog for them.

And if that ain’t enough, consider blogging for these reasons.

Did I inspire the Tapestry timeline aesthetic?

mike@shellsharks.com (Mike) — Thu, 06 Feb 2025 19:44:00 -0500

Very interesting… In April of 2024 I debuted my “Activity” feed, which serves as a cool unified timeline of all the different things goin’ on on my site (e.g. changes, posts, notes, podcasts, social media stuff, etc…)

I tooted excitedly about it then thanking a few folks for being part of what inspired me to make it.

But now that I’m looking at it, and at the Tapestry unified timeline aesthetic, they bear a FREAKY resemblence, like… maybe I inspired @Iconfactory 😃. SO much so that I started to wonder if I had gotten the idea from them somehow. So I did some digging. The Project Tapestry kickstarter didn’t reveal their first sneak-peek of the timeline aesthetic until June 25, 2024, 2.5 months AFTER I unveiled my own unified activity feed 🤔. To be sure, I checked web.archive.org to make doubly-sure that I indeed had the same design then, that I have today - and YEP, I did.

Pretty weird/cool huh?! Now, I’m no app/web designer, that should be clear from looking around my site, but it’s pretty cool that I came up with what is a VERY similar design to what the Iconfactory shipped with Tapestry. Tapestry is after all, amazing looking 🤩, and the Activity page on my site is my favorite thing I’ve built there. To be clear, I’m not accusing Iconfactory of stealing any ideas/design, for all I know, this is a well-known design thing to do or perhaps it’s just a case of “simultaneous invention”, just the timing of it is pretty wild. But even if they did borrow some ideas from me, I’m cool with it 😄.

@chockenberry you can tell me 😜

Also got the git commit proof just to be sure I’m not crazy

Fedi gon' Threadi

mike@shellsharks.com (Mike) — Thu, 06 Feb 2025 15:08:00 -0500

Forgive everyone here asking about Lemmy. I mean you are on the Fediverse here so people will naturally ask you about Fedi-native stuff 😄. But, it’s not just that. Reddit has, how to put this delicately… become garbage. First, attacking sub mods and now this. It’s just not a great place to be, even if it still has some juice thanks to all the time and energy those communities have invested in that place over the many years.

So what’s the alternative(s)? Well that’s where Lemmy and other “Threadiverse” platforms come into play. For that, I have this write-up you may find interesting. There’s a lot of options, in addition to Lemmy you could consider. Many of them are Fediverse-compatible, so you could leverage your entire network here as people who could instantly interact there, no new account, and no reddit-interaction required. Not a bad thing to consider!

Save your links. Archive everything.

mike@shellsharks.com (Mike) — Wed, 05 Feb 2025 12:51:00 -0500

If you find something on the web you like, bookmark or otherwise save that link straight away, preferably with some sort of commentary/tags/context so you can search for it when the time comes for you to access it again. Seeing how search engines are rapidly becoming useless, it’s no longer a given that you can re-find things after you’ve lost them. I’ll add that search over the Fediverse is still very bad, so this saving advice is doubly true for here. Find a good toot? A good link from a toot? Save it.

Better yet, given the rampant global censorship wave and general digital book/site burning that’s goin’ on these days, you’d probably be best-off to archive an offline copy of whatever you find that you want for later.

Time to start hoarding.

But don’t just hoard for yourself! Take the time to share your links and distribute what you’ve archived. We need to have information resiliency. If you have a blog/site (and you should), consider sharing links via a linklog, link-roundups, or a /bookmarks or /links page! This will help with discovery in addition to retrieval!

Resources

A Guide to Archiving on the Internet
Safeguarding Research
Linkwarden: a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages (Linkwarden.app)
Readwise
YunoHost
CryptPad.fr + Privacy Guides
Control Your Collaborations | The Opt Out Project
Paperless-ngx
Nextcloud Office

Security scanner directory

mike@shellsharks.com (Mike) — Thu, 30 Jan 2025 14:05:00 -0500

A reference directory of known vulnerability scanners.

Web Application Vulnerability Scanners

Network Vulnerability Scanners

Publish with pride

mike@shellsharks.com (Mike) — Wed, 29 Jan 2025 23:46:00 -0500

Phew 🥵, what a flurry. Made a ton of changes to the site. The home page now features a mixed feed of all of my posts, notes, logs and other content types. I’ve also started a link blog to share cool links I come across. Finally, I’ve figured out how to paginate a TON of stuff, to make some of my pages more performant (my Activity page is one good example of how pagination is making that page usable on mobile now).

With respect to my home page, I used to be kinda precious about only exposing my formal “blog posts”, which are supposed to be longer-form, and in some undefinable way, “better” than other things I write and publish on the site. Inspired by others in the Indieweb community, who proudly feature everything they write, I decided to try out the same. To distinguish between different content types, i’ve added a splash of color with icons corresponding to different post types. I also hope it can call attention (for those who are interested) to all the other things I publish. For so long, I had these hidden away in pages you could find via my “hamburger” menu, but you had to go exploring to really find most of it. And given the number of things I link to in that menu, I doubt many people had the patience or interest to really hunt down other things. So, here we are!

Let me know what ya think! I’m still tinkering around with the format, theme and other general aesthetics of the site and various pages, but I like it well enough at this point.

Tinkering with the site again

mike@shellsharks.com (Mike) — Tue, 28 Jan 2025 15:49:00 -0500

After quite an extended hiatus, I am getting the itch to start tinkering around with my site again - fixing some stuff that doesn’t work well, adding new features, sprucing up the theme, etc… I’m even considering re-writing the whole thing in 11ty, but that’s the nuclear option. For now, I’m going to try and fix/add things while staying on Jekyll

Here’s a list of things I want to take a look at in the near-term…

Paginating various feeds that have a lot of content, i.e. notes, activity, changelog, etc… Right now, all the content is in one huge list on these respective pages and it makes it a little unwieldy. What’s worse though is the performance degradation that I’ve seen on mobile for those pages 😬
Changing up the general aesthetics of the site - things like white space, font, colors, etc… I’m inspired by these
To help with some of these changes, I want to move to using GitHub Actions to build/deploy the site. This will allow me to use other Jekyll plugins, like jekyll-paginate-v2
There is some little bug that causes the site to trip over itself on mobile when Safari is in the background. I will return to the tab and it’ll say it’s had a bunch of errors. I suspect this has something to do with janky .js code I’ve written somewhere (looking at you hamburger menu)
I’d like to add a Link blog
Revist the Statboard
Maybe even changing up the way the home page looks and/or what content makes its way into the home feed

Planet & Satellites: Using multiple Fedi accounts

mike@shellsharks.com (Mike) — Tue, 28 Jan 2025 00:29:00 -0500

I have a lot of different points-of-presence on the Fediverse - my “main” Mastodon account, this GoToSocial account, another “alt” Masto account, a Lemmy account, my new Pixelfed account, and many more actually.

My story isn’t unique, a lot of people who have embraced the wider Fediverse have accounts for different services and I’ve seen a lot of those same people asking for a way to have a “singular” identity (I actually wrote about this here). But since that isn’t a thing, I’ve seen another interesting thing happen, at least with my own fedi usage/accounts. My central, “main” account has become what I boost all of my other accounts content from. The “main” account has the majority of my “followers” (yuck - always dislike that term), so when I post something from one of my satellite accounts, the main one can just boost it.

It’s working-ish for me so far I think.

This let’s me post things on each respective service, which goes out to just the followers of the satellite accounts themselves, and if I choose, I can boost from my “main” account so it can receive the full reach of the main account.

Remembering to PESOS

mike@shellsharks.com (Mike) — Tue, 28 Jan 2025 00:13:00 -0500

I really need to remember to “PESOS”, i.e. reverse-syndicate things that I write about here to my site. Too often I want to reference something I posted about on Fedi but can’t find my post thanks to the abysmal search there. Copying things to my site is supposed to be what fixes this issue!

So I just went and backdated a few things on the site. Woo!

Some stuff I’ve written on “PESOS”-ing in the past…

Fundraising Pixelfed vs Free Our Feeds

mike@shellsharks.com (Mike) — Fri, 24 Jan 2025 13:30:00 -0500

Not to beat this into the ground, but I think it’s an interesting side-by-side comparison. Let’s look at the fundraising efforts for Pixelfed and Free Our Feeds…

Pixelfed: They wanted to raise ~35k, blew through this very reasonable goal in less than a day, and have no raised nearly ~60k. This is an effort to continue improving what is already an existing platform with 100s of thousands of active users.
FreeOurFeeds: They want to raise (to start) 4 million dollars, and after 10 days, have only raised ~75k. This effort is to replicate the entirety of Bluesky’s infrastructure to prove that it can be decentralized.

There’s a lot you can try to pull from this. One, Pixelfed is a real thing. You can go get the app right now and use it. It works well! It connects to other stuff on the Fediverse, it’s got actual users, etc… The fundraising goal isn’t ridiculous or exorbitant, it’s practical. The Kickstarter description is VERY comprehensive, explaining everything they’ve done, and everything they want to do. There’s no emphasis on Daniel as some tech visionary or thought leader, it’s just down to Earth.

Contrast that with Free Our Feeds - Light on details, grossly insistent on telling me all the “advisors” titles, weird site design, and all in support of something that is entirely unproven.

It’s painfully evident, just in the fundraising alone that FoF is not substantive, and is not attracting meaningful interest. Or maybe FoF should set their sights a bit lower. Build something small to start proving out their claims, demonstrate this to the public and then ask to raise money, similar to what the Pixelfed team has done.

But what do I know…

Bluesky, ATProtocol, Free Our Feeds: Hope abounds, but very little is proven

mike@shellsharks.com (Mike) — Thu, 23 Jan 2025 11:33:00 -0500

Here we go again… Mike Masnick just posted his writeup titled “How ATProtocol Encourages Competition, Resists Evil Billionaires, Lock-In & Enshittification”, and as usual, I’ve got some thoughts…

Note: First, I want to preface this by saying that I’m no ATproto expert, or an expert on social media protocols in general. Similarly, I’m not an expert on business, or VC funding or an enshittification scholar. I’m just a nerd who cares way too much about these things so I feel compelled to share my thoughts… here we go…

Alright, so Mike likes Bluesky. Duh! He’s on the board of Bluesky. He very willingly discloses this, and that’s important. Because there is definitely bias. We all have biases. I’m not on the board of anything, but I “main” the Fediverse, and as such also have some innate bias to be sure about why this place is better, blah blah blah. Ok, disclosures out of the way now…

Let me sum up Mike’s reasoning for why Bluesky (or ATproto specifically) is super great, billionaire resistant, enshittification resistant, etc…

ATproto is an “open protocol”, i.e. someone else can take it, and use it to stand up another Bluesky. For him, this means a billionaire is less likely to try and capture Bluesky, because another one could spawn up causing the billionaire to have to whack-a-mole these networks…
Free Our Feeds (See 1). Mike see’s “FoF” as proof that ATproto works. That another bluesky will be created, and by extrapolation, even more will come up beyond this initial effort.
Bluesky won’t enshittify because competing Bsky networks exist. (Well first, no they don’t. They might, if the FoF thing works out.)
Mike also makes a lot of assumptions around people hosting their own PDS’s (something a very small fraction of people will actually do) and about their willingness to switch Bluesky providers, or “take the fire exit” (to use Doctorow’s terminology).

Let’s poke-a the holes, yeah?

Alright, ATProto looks open enough, the docs are right here!. Again, I’m no expert, and have spent no time standing up any aspect of the Bluesky network or implementing ATproto in any way, but the docs seem comprehensive and theres write-ups out there of people standing up just about all of the infra required to replicate Bluesky, at least in some limited fashion. As of 11/24, there was this ONE holdout (based on this blog) where it seemed like you couldn’t yet really self-host your own AppView. Maybe this has been resolved by now? But let’s assume you CAN stand up every bit of Bluesky (if you have the money - we’ll cover that later), does this mean someone will? I mean “Free Our Feeds” is going to try to, but that’s just one other person. There’s close to 30 million users, so there’s definitely non-trivial interest in Bluesky and maybe in the underlying protocol, but how can we be so sure that if the main Bluesky were to go down, that anyone would care enough to keep standing up more instances of it? Sure it’s open, but do people care enough? You can point to FoF as proof that someone cares enough to do it, but you need more than just one replica of Bluesky to be billionaire-resistant. Also, I’ll remind you that FoF is experimental. No one has actually done what they are trying to do. Sure parts of the network have been replicated, but to build a full-on, interconnected bsky clone and get people to move over to it? Unproven.
Free Our Feeds. I’ve covered the FoF thing extensively here. Basically, building a Bluesky clone for 4 million dollars, or 30 million dollars or w/e proves nothing to me. That alone is not enough to outmaneuver a hungry billionaire. If Musk can buy Twitter for 44 Billion, he can absolutely snatch up like 10 Bluesky instances without breaking a sweat.
On enshittification. I think some level of enshittification is inevitable for Bluesky. Which isn’t to say it will make the service unusable, or that it will become “bad” because of it. The simple fact is that Bluesky needs to monetize. They have to because they took VC money. right? This seems like a simple truth, but happy to be explained why that isn’t the case. So yeah, how will they monetize? They don’t want to paywall the entire service, that will kill the open-ness and definitely cause them to lose active users. SO they need to paywall power-user stuff? Ok, that’s not going to get VC-level returns. What else? Sell domain names? Yeah, not going to cut it either. I dont know what they’re going to do. Mike has said, (and he has inside knowledge) that they are working on some ideas. I hope he’s right. But if the end result is paywalling actual useful features, or doing ads, or selling peoples data, then the service is enshittifying. Which again, doesn’t mean it’s bad, and doesn’t mean that it will become something most people don’t wanna use. Only that compromises had to be made, so that the VCs could see their returns. Think about it though, if there was some magical way to monetize and make MILLIONS, without doing ads (or similar), wouldn’t someone have done it? He says, they won’t enshittify, because there are competing services people will run to. Like where? To FoF? They don’t even exist yet, and even if they did, they are also battling the enshittification demons. The Fediverse? Lol. If people wanted to go there, they’d be there. Back to X? Threads? C’mon. Sure, these other networks might prevent them from going FULL-ON enshittifiy mode, but it’s just a game of, can we make our platform just a LITTLE LESS awful than any other.
Let me get to the real reason why none of this matters. The costs of moving. People DO. NOT. WANT. TO. MOVE. They just don’t. If Bluesky enshittifies, a lot of people just won’t go. I mean look at X. So many have stayed because it’s just too much of a hassle to sign up for ANOTHER thing, and rebuild. Now before you say, “but AT is open protocol! I can move my followers, I can host my own PDS! blah blah”. Stop. Most people aren’t going to host their own PDS. So they’re not migrating their posts elsewhere. More importantly, let’s talk about followers. People don’t want to lose their communities, their followers, their friends. I don’t know exactly how ATproto handles moving followers, but the idea is that it can be done. So if Bsky main goes to shit, FoF is now there, people can just sign up there, move their followers over. Great right? Problem solved? No. For one, not everyone’s going to do that. Remember, people HATE moving. Ok, so now you have another fracturing event. Half of your friends are on Bsky main, and you and the other half of your friends have moved to FoF Bsky. No problem right? ATproto is meant to communicate between instances. Sure… but this ASSUMES that the main Bsky is being a good citizen and allowing this communication right? Maybe for those who have opted to host their own PDS’s you can have the FoF relay scoop your posts, but for everyone on the main Bsky PDS (which again, is most people), you might not be so lucky.

You see, we on the Fediverse know these things. People get confused when there is more than one instance, people get confused when Mastodon instance 1 can communicate with Mastodon instance 2, but they have different names, different cultures, different features. They just don’t grok it. But the larger network of ATproto-enabled bsky instances have to contend with instances being adversarial. How will they do this? In the Fedi world, you just defederate and move on. But in a world where there’s only two bsky instances (or three or 4 or whatever), each hosting an equal portion of the entire network, you can’t do this without handicapping the entire network. So in a scenario where a billionaire takes over Bsky main, shuts off communication with the second Bsky instance, and becomes adversarial (not allowing follower moves? not sure if that’s possible), keeps people from getting their content, etc… then what? There’s just not enough resiliency in the model.

Finally, I want to touch on some of his closing thoughts. He makes a lot of statements about how FoF is “proof” that this is possible, and that when successful it will “bring us back towards the original promise of the open web where users are in control, rather than giant companies”, neither of which makes sense to me. For one, FoF hasn’t proved anything. They want to raise 4 million to start and haven’t even hit 100k. They haven’t proven it will work, they haven’t even proven that people care about decentralization enough to fund a second instance (spoiler, people don’t care about decentralization, if they did they’d go where its already been proven). Second, he says bluesky, or ATproto puts the users in control, not companies. Does it though? Users don’t run these platforms. They can’t afford to. FoF needs 4-30 million to do it, and again, they haven’t yet.

With Bluesky, we are not in control. Maybe, just maybe you can make a convincing argument that it can be billionaire-resistant, but it sure isn’t something that then people own. It takes big money to run these instances, and the people don’t have big money. Corporate interests do. That’s why Bluesky needs VC. The Fediverse on the other hand doesn’t. It’s for the people, by the people, funded by the people. It’s a proven solution. I want to end this by saying that I don’t want to see Bluesky fail. I want to see the protocol evolve. I want to see it compete with ActivityPub, each pushing each other forward. I want to see FoF succeed and for another real decentralized player to come into form. I want things to be billionaire proof. I just don’t think this is it.

Infosec and Social Web RSS feeds

mike@shellsharks.com (Mike) — Wed, 22 Jan 2025 19:56:00 -0500

If there is anyone out there who subscribes to my blog’s RSS feed who would like to only get the infosec / cybersecurity-related things I write about, I now have an infosec-only RSS feed you can sub to.

I’ve also created a “Social Web” feed which similarly is an RSS feed for just the IndieWeb / Socialweb / Fediverse things that I write about.

All my available feeds are listed here.

I’d say those are the two topics I write most about these days, and for those of you who only are interested in one of those two topics, you may not want to see the other stuff. So here ya go!

Surfing the Social Web

mike@shellsharks.com (Mike) — Wed, 22 Jan 2025 09:19:00 -0500

The Surf app from Flipboard (currently in Beta) is actually pretty cool / powerful for certain types of feeds. I would describe Surf as, an app for the Social Web that let’s you build and share custom feeds. So what does this mean in practice? The Surf about page is a little light on detail, but has gobs of style. When I first downloaded the app and got into the Beta, I admit I wasn’t sure what the app would do for me that my already-well-curated Fediverse timelines wasn’t doing. But then, I built my first custom feed. From there, I started to see the potential…

Surfing Shellsharks

To test out Surf, I first tried creating a simple feed pulling all of my Shellsharks-related things from across the “Social Web” together. I was able to add Sources for my RSS feeds, my Podcast, my Bluesky profile, my Threads profile, my various Fediverse accounts and even posts that were “about” or matched the term “shellsharks”. Interesting! It’s easy enough to create a “list” in a given Fediverse client that can capture most of these things (e.g. my Fedi accounts, Bsky, Threads, RSS feeds, etc…) but not all of them. Pulling in posts that match certain search criteria is an added layer of discovery for me. It also treats Bluesky and Threads and other non-Fedi-native content as first-party content within the Surf app itself, bundled in a pleasing, swipable, card-style view, allowing me to flick through posts that match my source material.

OK, well that looks cool, and I’ll definitely go to it to check in on myself, but what else can I [do with Surf](#benefits-of-a-social-web-browser-and-feed-builder?

So what can Surf do beyond building eye-pleasing lists of Fediverse accounts and hashtags? Let’s talk about it.

The first obvious answer is sharing. There’s no easy way to create and then share lists of Fediverse accounts. We saw this when Bluesky unveiled their “Starter Packs” and the Fediverse tried to mimic it, and it’s true to this day. The Fediverse’s non-algorithmic way of life means we rely mainly on self-curating and network-related-boosting. Without robust list sharing features, we’ve never really had an easy way to share our curated lists, but Surf tries to make this easier. I have several custom feeds now that you can add (if and when you get the Surf app). Since you log in to Surf with your Fedi account, you can also interact with and follow things directly from the app!

Another thing I like about the Surf model is the ability to follow feeds or accounts in a more, casual manner. Everything I follow in my regular Fediverse timeline is something I want to see. I want to read what my follows post and potentially interact with those things. I am a timeline completionist in this way. But there are times I want to casually scroll, to be entertained, or informed or to discover new things I want to follow. Custom feeds via Surf give me the ability to peruse things in a non-commital way. For example, to do something similar in Mastodon, I would need to A. follow an account/hashtag, B. add that account/tag to a list, and then optionally C. decide whether I want to remove what’s in that list from my timeline. This forces me to follow things I might be interested in looking at from time to time, but not actually following, and it forces me to make a decision on how to bisect my main timeline, which is not something I want to do. In short, I don’t like Mastodon lists, but I like what I can do with Surf.

Let’s talk about content diversity. Within the Fediverse, I can curate a list or feed of a lot of things. Micro-blogs, pictures, videos, podcasts, forum posts, and more. The beauty of the Fediverse is in it’s diversity. But the Fediverse, as large as it is, is still only a subset of an even wider “Social Web”. What Surf let’s me do, that you can’t exactly do within a traditional Fediverse client, is build a feed that has even more types of things - generic keyword searches, YouTube videos, podcasts, native (not-bridged) Bluesky profiles, and I suspect more in the future.

The final benefit (at least that I’ve discovered thus far), is the opportunity for improved search. At the bottom of the Surf app is a text box that says “Surf the social web”, and it seems to bring back a lot of good results! Far better than what I can get on my single-user instance, and I suspect better than most people can get even on larger, mid-sized instances. I don’t know a lot about how this search works under the hood, but it’s already an improvement over what I have.

This is just a beta, so there’s lots of room to iron kinks out and add even more types of content, and ways to further tailor feeds. I’m looking forward to

My Custom Surf Feeds

If you’re in the beta, feel free to check all of my custom feeds out! Note: They are all a work in progress.

Shellsharks feed: Just a feed which aggregates my various blog RSS feeds, Fedi accounts, podcast and Bluesky
Fedi Artists feed: All my favorite artists from the Fediverse (inspired by this. )
IndieSec feed: A curated list of high signal-to-noise infosec/cybersecurity researchers and accounts
Fedbuilds and Builders feed: A list of accounts for Fediverse platforms and the builders behind them
Reality: a news feed: Independent / trust-worthy news. An attempt to capture “reality”, not spin

If you’re interested in Surf, go check it out!

I’m going to go play around with it more and make some more feeds! Shoutout to @mike!

Appendices

Feature Requests

As I’m beta-testing the app, I’m documenting some features I’d like to see in-app here…

I’d like a way to just punch in an RSS endpoint and have that load via the search box
As someone who has multiple Fedi presences, I’d like to be able to go multi-account within the Surf app
Maybe notifications for what/when things are added/changed in a feed you are subscribed to
More ways to programatically customize things in custom feeds

Bugs

Also, as I’m beta testing the app, I’m going to document some bugs I’ve encountered here…

Some general slowness loading the app, loading in to a custom feed, etc…
I can’t set the “Tile Image” to “Always use uploaded photo” in Feed/Cover Settings

No one cares about YouTube shorts

mike@shellsharks.com (Mike) — Sun, 19 Jan 2025 14:35:00 -0500

Funny that in the context of the TikTok ban, everyone is talking about either the Chinese TikTok (Redbook?), Instagram (Reels) or Loops (here on Fedi). But literally haven’t seen a single mention of YouTube’s “shorts” as a place that people will turn to as a viable alternative 🤭

Legal & regulatory threats to the Fediverse

mike@shellsharks.com (Mike) — Fri, 17 Jan 2025 13:55:00 -0500

In a recent post, I made the case for why the Fediverse, with it’s many thousands of instances would be impractical for billionaires to ‘take down’, in the same way that billionaires have successfully bought-out, or otherwise taken down other centralized social media/news platforms. This I think is true, in terms of the Fediverse’s resiliency to the power of just money being thrown, but vulnerability remains. Specifically, I am concerned about recent government regulation that has already proven to be effective in closing down Fediverse instances and deterring others from even spinning up an instance.

I’m no legal professional, so excuse me if I say anything that is wrong or doesn’t make sense. Anecdotally, I’ve seen a bunch of posts across the Fediverse about how they are closing down an instance thanks to the UK’s Online Safety Act (2023). Similarly, it seems like the US bill (KOSA) could have similar effects? From what I understand, there is some new liability if your server hosts certain content and given how many Fediverse servers operate, caching content locally from other servers, there introduces a vulnerability by which a malicious actor could spam the Fediverse with something “bad”/illegal which would then be stored/cached across a large swath of the Fediverse which could expose these instance admins to legal liability.

Not good. And as someone who runs an instance themselves, I certainly don’t want to open myself up to legal attack / prosecution just because some A-hole out there decides to spam me with illegal pictures or w/e.

So my question to the Fediverse, and to those that build the platforms we use here is, how can we re-architect the platforms and protocols to better protect ourselves? What do instance admins need to know about this threat? Someone smarter than me, please weigh in! 😅

#askfedi #legal #fediverse

Updates and Other Stuff

Updates on the OSA 2/4/25

The magic of PESOS

mike@shellsharks.com (Mike) — Thu, 16 Jan 2025 09:41:00 -0500

I’ve seen many-a-person annoyed or otherwise dissatisfied by the fact that your posts on one Fedi instance don’t move with you when you switch instances. (There’s some obvious technical reasons for why this is the case that I’m not going to explain here.) This is why having your own website is so important and can be so valuable! If there’s something you’ve posted on social media (or wherever on the web) that’s worth saving, then why not make a copy of it and have it published on a web site? Your website!

I like to refer to this as “Reverse Syndication”, but for those of you that speak indieweb, you’ve probably heard of PESOS (“Publish Elsewhere, Syndicate Own Site”). Basically it means that what you publish FIRST on social media, you make a copy of on your site. This could be as an archive, a canonical representation, a data ownership/soverignty play, w/e!

I’ve used a ton of social media sites, sites like Reddit, and switched Fedi instances multiple times. Across these years (at least since I’ve been bathed in the glorious light of the Indieweb), I’ve been PESOS-ing things I think I want to hold on to to my site. The vast majority of these things I file away as “notes” (in my “Notebook”). This allows me to A. archive things as I’ve discussed, while B. not “junking” up my main RSS feed, or blog post timeline with silly reverse-syndicated social media posts/micro-blogs. It takes a little bit of effort, (unless you have some fancy-pants automated PESOS-ing system), but the pay-off is huge imo.

So let this be your answer for “I wish I could transfer my old social media posts to my new social media platform”

Another thing you can do, specifically with Mastodon (but likely with other post archives), is turn the entire archive into something you can publish on the web. Look at this!. This is all my posts from my infosec.exchange days in one gargantuan web page on my site. In all its insignificant splendor. (More details on how I did this are on that page).

Happy data owning everyone!

500 characters is a prison

mike@shellsharks.com (Mike) — Thu, 16 Jan 2025 09:15:00 -0500

Since starting this GoToSocial instance, I’ve made several long-winded posts (and replies). Some examples…

Intro post
Free Our Feeds rebuttal
A take on social web-related foundations
and many many more…

Each of these I’m referring to exceed Mastodon’s 500 character post/reply limit. If it wasn’t for me having this instance, which gives me ample room to say what I want to say in a single post, you would have had seen these posts broken up into a threaded series. One of these posts was some 6000+ characters long, which would have necessitated ~13 individual posts to get my point across. Spam much? This is what I don’t understand about folks here who say they don’t want increased post limits, or from the Masto devs who seemingly refuse to budge on this issue. If I can jam everything into a single post, you can decide to read, or just scroll on past, never clicking on the ‘Read More’ link to expand the post. done! But with the 500 char count, you are forced to A. scroll past all my blathering, or B. try to navigate the confusing-AF threading UI that most masto clients seem to have. How. is. this. better?!

For others, you might say, “jeez, if you have so much to say, why not just make it a blog post”. You’re not wrong. That’s probably a good idea… but! There’s something you get by just organically, and informally typing something into this box that it hard to replicate when you are writing up a formal blog post/note. At least for me where I have to A. be at my computer, B. fill out the proper SSG front matter, C. worry about headings, markdown, etc… And sometimes, it’s not a blog post. It’s just an off-the-cuff, albeit somewhat long, response to something

Also, I can’t count the amount of posts/replies I want to publish that are like 600 characters. So this means I have to either somehow truncate what I want to say, or god forbid, have a threaded post where the child post is like 50 characters long 🤦‍♂️. There are a lot of cringey things on social media, but one thing I really despise is when people have to use the dumb 🧵 or 🪡 emoji before they launch into something. Like.. just have it all in one post! Oh wait, they can’t.

Finally, I’m someone who bookmarks, saves and references a lot of stuff I see on the web, and that includes social media posts, especially on the Fediverse where people tend to share a lot of great stuff! Having an excellent analysis of something forcibly chunked into 500 characters is pretty obnoxious when you want to bookmark something to check out later.

So yeah, I’m going to continue to write lonnnnnng posts, and you’ll all thank me for not having to scroll past 10+ atomic posts in your feed just because you were kind enough to follow me here. Hell, this post is nearly 3k words at this point.

Challenges and opportunities of the singular Fedi identity

mike@shellsharks.com (Mike) — Thu, 16 Jan 2025 08:12:00 -0500

@fj @dansup What would the options have been for dansup?

As far as I know, you can, through ActivityPub, move followers from one ‘instance’ to another, but I don’t know if you can ‘clone’ them, i.e. have everyone you follow on Account A magically follow Account B without initiating that move directive. So it’s not like you could port your social graph in that way.
Second option would be that Pixelfed is just a pic-forward UI on top of an existing fedi account. But would that necessitate instance admins bear the responsibility of image hosting? I imagine Pixelfed servers are purpose-built to handle image storage, delivery, processing, etc… Instance admins already have a hard enough time funding their instances, the last thing they need is sky-rocketing image hosting (object storage) costs
Some sort of SSO option? Sure, “Login with Mastodon” could be a thing, but there would still need to be an account on the backend for Pixelfed yeah?

For me, and I know I can’t be the only one, though maybe I’m in a minority - the group of folks I would want following me, and who would want to follow me on my micro-blogging account, are NOT the same group that would be interested in the photos I want to share. Same in reverse. I follow a lot of people here, my more professional-leaning account specifically, that I wouldn’t really care to see their photos (sorry! no offense!). What would my options be then? Not follow them because now their Pixelfed posts are from the same account as their microblog posts? For many, (though I know not all) photo sharing is more personal, and thus limited to a smaller subset of people (i.e. IRL friends, family, niche groups, etc…), whereas microblogs (commonly just shit posts) are perfectly fine for the wider public.

I’ve seen plenty of people gripe that they have to create multiple accounts across Fedi services. But I think that’s better given how identity works here. Imagine you had accounts across Lemmy, Pixelfed, Mastodon, Bookworm and Loops - all tied to your Mastodon instance. Then, that instance goes down, for any one of the reasons that instances tend to die. Then what? Sounds messy. I think the problem is more that instance-tied identity needs to be fixed rather than expecting platforms like Pixelfed to rely on other Fedi services to do this (Looking at you ActivityPub folks).

To those folks who have existing social graphs/networks and would like those folks to follow them on Pixelfed, I encourage you to just boost yourself. Yep! Follow your Pixelfed account from your “main” Fedi account and when you post something on Pixelfed, it will show up in your (for example) Masto feed, and you can boost it to your network. Anyone who’s interested in that content from you, can choose to follow ya. I think that’s also very much in line with the ‘opt in’ culture of the Fediverse. Especially considering how touchy folks can be here about stuff in their feeds, especially images, I think this is the smart move 👍.

But like with all things, it would be cool to see a centralized Fedi identity thingy take shape eventually and this be at least an option for those who want to use these various services all under a single persona. I’ve seen people talk about (at minimum) a way to ‘link’ or otherwise associate accounts. For example if you follow my ‘main’ Fedi account, it would also present my associated (child?) accounts - those could be Pixelfed, Lemmy, Masto alts, w/e!

If you got this far, sorry, and thank you!

Bluesky won't free your feed

mike@shellsharks.com (Mike) — Wed, 15 Jan 2025 08:19:00 -0500

Okay, so Cory Doctorow published his take (Billionaire-proofing the internet) on the Free Our Feeds thingy, all about “billionaire-proofing” the Internet (or more accurately, billionaire-proofing social media), and I have some thoughts…

His main argument is this (paraphrasing): yeah, Bluesky isn’t perfect, but it’s what’s fun and popular right now, and if we can billionaire-proof it, then we should, rather than getting people to adopt the existing, already proven, billionaire-proofed Fediverse ecosystem.

Okay, that’s fair I think. I have no objection to this on its face. The “Fediverse” has been around for a while and though it has never been more popular than it is now, it has struggled to really gain mainstream appeal. (Perhaps that will change more drastically this year as fedi platforms like Pixelfed gain more attention though). So though he (Cory) admits that Mastodon/Fediverse is ideal, would be perfect for what they’re (“Free our Feeds”) trying to do, it’s just not the clearest solution because the difficulty of getting people to adopt it en-masse seems somewhat insurmountable at this time.

Fine.

He goes on to say that the answer is, as he puts it, “installing our own fire-exits in Bluesky”, or in other words, standing up a second Bluesky relay/infrastructure that “federates” or otherwise interoperates with the main Bluesky infrastructure - similar to how distinct Fediverse instances can communicate with each other. This too makes sense. If the main Bluesky enshittifies, or goes down, or is subject to hostile/billionaire takeover, than people have the choice to switch over to the other relay, the “good” one. Now here is where his argument starts to fall apart…

First, “Free Our Feeds” is asking for 30 million dollars to do this. Wow. That’s a lot, and doesn’t speak well to how easy it is to stand up and maintain a second instance of the entire Bluesky infra. Second, the Free Our Feeds website speaks nothing of how they will keep that infra alive, i.e. pay for ongoing operating costs. Even the main Bluesky company doesn’t have a realistic monetization strategy, they are kept alive by VC money alone pretty much.

Finally, what Cory fails to address, and in my mind, the biggest issue with his whole argument is that having just ONE single other relay/instance of Bsky as a whole is not the robust “fire exit” he thinks it is. Let’s say Free Our Feeds succeeds and they stand up a fully interoperable, yet fully isolated instance of Bluesky, and they manage to get a sizable portion of the existing Bluesky userbase to move over there. Like, 5 million of Blueskys ~30 mil or w/e. Let’s say then that Bluesky sells out to Elon Musk or Bezos or whomever. This triggers another mass migration of 5 million, or 10 million or even everyone over to the Free Our Feeds relay. (Though we all know that they’d be lucky to get half of regular people to figure out how to “Switch” relay providers). Now they are RIGHT BACK to where they were to begin with. A single provider, just as vulnerable to hostile takeover or enshittification as the original Bluesky was.

So you might say, okay? well then stand up ANOTHER relay. Crowdfund another 30 million. Right? … What?!? Bags of 30 million dollars don’t just grow on trees ya know? It’s hard enough to get people to pay for these types of services, and I just don’t think having one, or two or even 5 other relays is enough redundancy, enough resiliency to combat the billionaires and the governments of the world that want to control what we see, what we talk about, and who’s allowed to speak.

That’s why the Fediverse works. It’s made up of literally thousands of servers, of all different sizes, some Mastodon, some GoToSocial, some Lemmy, some I mean w/e. Theres tons of different platforms that all interoperate, and they don’t cost 30 million to run. I’m typing this out on a GoToSocial instance that literally costs $3.75/mo. You heard that right. Less than $4/mo. To put that in perspective, I could run 8 million GoToSocial instances at this price if I was given 30 million dollars. I’d like to see Musk try to buy all those out 😄.

I’ll try to put it another way here. I’m in cybersecurity, and one thing we’re taught is that attackers, with enough time and resources can literally get into anything. So our jobs as defenders, on top of all the usual stuff (e.g. defense in depth, blah blah), is to just slow them down. Make it impractical (from a time-spent perspective) to achieve a reasonable return on (time) investment. It wouldn’t be hard for a billionaire or a hostile government to take down one, two, three or maybe even 10 Bluesky relays. But it seems wholly impractical for a billionaire, or a team of billionaires to snuff out thousands of Fediverse instances. And hell, these are just instances that exist now, in a very fledgling model where Fedi only has like a couple million MAU. Imagine a timeline where Fediverse got REAL world-wide adoption, and we went from a few thousand instances, to hundreds of thousands, or millions of instances. Taking that down would be like taking down the Internet itself, and if that could happen, we might have bigger issues.

Oh and I forgot to mention, that FreeOurFeeds can’t even stand up another relay. Bsky devs have already stated that’s impossible at the moment. Though theoretically this will be addressed in time…

Alrighty, let’s wrap this up. I get it. Bluesky is hot. It’s popular. It’s got steam. It’s got gobs of cursed VC money. It’s got some admittedly cool tech behind it. But it just isn’t it. Not unless it can find a way to solve for the whole it’s-insanely-expensive-to-run-another-relay issue. If Free Our Feeds succeeds, stands up another instance and figures out a way to run it on the cheap, then I’ll be the first to say “congrats” and “I was wrong”. Until then, I will remain skeptical, and I’ll keep saying that this sort of money would be better thrown at building out the proven solution, the Fediverse.

Curious timing

mike@shellsharks.com (Mike) — Tue, 14 Jan 2025 10:20:00 -0500

Seems like the hot thing to do in the Fediverse / social space these days is stand up some pie-in-the-sky “foundation” with flowery language. In just the last like 2 months we’ve seen all these sprout up ⬇️

They’re all very keen on telling you who’s behind the operation, and why “governance” is so important. Less so on providing substantive info on what they will actually do to help secure or otherwise make these platforms better. They’ve all anointed themselves fancy li’l titles, and put their cool headshots on some prominent page on the site. It all just screams, “look at me! I’m an important person!”. I’m not saying all of these are bad, or that any of them are. I’m not saying none of them will be impactful or succeed in some way relative to their stated missions. I’m only pointing out that it’s interesting how much “organizing” has been happening lately. Why now? Why not before?

Note: I do think Mastodon’s move from Gargron owning everything makes a lot of sense. Y’know, to mitigate the chance that someone might mullenweg the whole operation. But I lumped that story in with these others merely because of the timing of everything.

It’s an exciting time in the Fediverse, and in the larger world of social media to be sure. Time will tell if any of these foundations amount to much of anything beyond letting me know what these “founders” professional backgrounds are… 🤨

GoToSocial on K&T Host

mike@shellsharks.com (Mike) — Fri, 10 Jan 2025 21:31:00 -0500

Back in March of 2024 I moved my main Fediverse presence from Infosec.Exchange to a single-user, managed (by Masto.Host) Mastodon instance at Shellsharks.Social. I wrote all about it here. I’ve really enjoyed “owning” my own social in this way, and honestly Masto.Host has been a really great provider. But, it’s missing one really important thing for me, and that’s the ability to write posts that exceed vanilla Mastodon’s limit of 500 characters. Look, I’m just a verbose person I guess, and I really don’t like threading what I want to say. There are a lot of ways to fix this issue, there is the Mastodon Glitch Edition, and a plethora of other Fediverse platforms that, especially when “self-hosted”, allow you to change this cap. For a while, I had settled on just keeping my posts/replies 500 chars or less and for anything that required a longer response, I would simply write a quick blog post/note and link to that in my post/reply. But in practice, I really didn’t want to have to draft up a whole formal post/note on the site just to respond to something I saw on social media. There were so many things that I really just needed a bit more breathing room on to respond as I would have liked. After nearly a year running with this handicap, I’ve decided to check something new out. Enter GoToSocial.

GoToSocial

GoToSocial is a lightweight, customizable, ActivityPub-compatible social network server. There’s not alot I can really say about GoToSocial actually. Maybe in the future, as my trial of the software progresses, I will put more into this section about what makes GoToSocial special. What I will say is that I chose it because it is A. very customizable, and B. light-weight, and therefore cheap to run/host. Which brings me to K&T Host.

Hosting

In the leadup to me starting up this instance on GoToSocial, I had seen someone ask about Fediverse managed hosting providers and provided them the list I created a while back. After cleaning up that list, I really started thinking about what software I wanted to try out to move beyond the limitations of vanilla Mastodon. Though I ultimately went with K&T Host because of their GoToSocial offering, I had considered using SpaceHost as they have a wide range of microblog options including Akkoma + Mangane, Pleroma and Sharkey. I also know a few people who use SpaceHost, so I knew they would be a reliable provider. But K&T Host had the GoToSocial offering, and that was the most intriguing to me in the moment. It also helps that I actually already use K&T Host for my Castopod-powered Shellsharks podcast!

K&T Host

K&T Host makes it extremely easy to get things up, running and configured. You can peruse their “App Cloud” to see the variety of things you can host, and for any of them, click the “Order Hosting” button to get started configuring your instance. I’ll add here that in my experience with K&T Host, their support team is really helpful, extremely prompt (even at the bizarre hours I tend to message them at), and very knowledgeable about the services they support. On the configuration page, you can configure Disk Space, Memory, CPU and PostgreSQL Disk Space. The starting price for a GoToSocial instance with K&T Host is only $3.75 USD/month. Incredible value if you ask me for what you get. Scaling up if you want/need seems pretty reasonable too from a cost perspective. I didn’t choose any upgrades, but I probably will need to if I end up moving my primary Fedi presence to GoToSocial in the future. Set those configs as you want, give them the domain name you want to have your instance hosted at, and they get goin’ setting it up! For me, I think they got it all set up within like 30 minutes of me submitting the order.

They’ll send you an email explaining how to set up the A records for your domain, you add those records and then send them a ticket and within literally minutes, GoToSocial will be installed and ready to use. You can SSH directly into your GoToSocial server (they will email you credentials), manage user accounts, and get right to any customizations you’d like to do. If you run into any issues, or need help in any way, check out their great GoToSocial support documentation, or just create a support ticket!

Some other factoids about the default GoToSocial installation with K&T Host…

Snapshots are enabled and will run once a day. Seven snapshots are kept. Snapshosts can be found in /snapshots over SSH.
Database backups happen once a day. Seven days worth are kept. Database backups can be found in /autobackup over SSH.
K&T Host does not provide object storage (e.g. S3) services directly. But any external S3 provider can be configured and used.
GoToSocial media is stored in the /apps/gotosocial-storage directory.
K&T Host uses distributed storage powered by MooseFS (https://github.com/moosefs/moosefs). All customer data is stored that way, and accessed by the compute nodes over the network. The same applies when logging in over SSH. Data is triple-replicated for safety and redundancy.
K&T Host prices disk space at $1/m per 200GB or $5/m per TB of storage. Space can be scaled up to 10TB per service by default.

Note: K&T Host will instruct you to set up SMTP on your shiny new instance, but you don’t really need to for single-user instances. You manage your user (create a new user, promote it to Admin, delete the default administrator user) all through the command line. A useful support doc for these operations are here.

Customizations

For anything else you want to do with your GoToSocial instance, the official GoToSocial Documentation should be your go-to place. For example, I really wanted to increase my post character count, so I found this setting. A quick change to statuses-max-chars, a restart (touch /system/action/gotosocial.restart) and boom! I was in business.

I also found this, A complete guide for your GoToSocial server, which has a lot of useful advice for hardening your GoToSocial instance.

I really haven’t had much opportunity to really dig into more advanced or fun customizations, but as I do, I will try to update this doc/section.

That’s it!

Not much more to say! It’s early days for trialing GoToSocial but I am enjoying it so far. There’s really two big things that need to clear before I make it my main fedi presence/software.

I need my favorite Fedi client, Ivory to add support for GoToSocial. They say it is coming in the next release!
I need to migrate some follows and followers to see how well the instance handles the increased activity. I suspect I will need to scale a few things, but I feel pretty sure that when it’s all said and done, it will still be cheaper than the 19/mo I currently pay for my Mastodon instance with masto.host.

More to come! For now, find me @shellsharks@malici.ous.computer!

GoToSocial Resources

Masto Gear Solid: Migrate your Mastodon posts to GoToSocial

Welcome to the Fediverse!

mike@shellsharks.com (Mike) — Fri, 10 Jan 2025 17:48:00 -0500

So you’ve just joined the Fediverse? Congrats and welcome! Here’s a bunch of stuff that might be useful or interesting as you set out on your journey…

The Mastodon “Starter Pack”
🦈 A writeup on why I run my own single-user Fediverse instance
🐘 My original Mastodon guide
💭 Some thoughts on why I think Mastodon (and the greater Fediverse) will never die
💰 A list of benefits of the Fediverse, as compared to other centralized platforms
🚀 Some great accounts to follow that boost a lot of good stuff
🦄 A sampling of the awesome accounts you can find across the Fediverse
🧑‍🎨 Some of my favorite artists found here
🍣 My “Fediroll” of awesome Fediverse accounts to follow
📜 Scrolls—A newsletter featuring great IndieWeb and Fediverse content and stories each week

See ya around! 👋

ous.computer

mike@shellsharks.com (Mike) — Fri, 10 Jan 2025 16:33:00 -0500

Alrighty, testing out this shiny new GoToSocial instance. For now, I’ve migrated by @afterdark account here and will be using this alongside my “main” @shellsharks account. I’ve heard great things about GTS and I’ve desperately wanted a Fedi presence that has a text box that can handle more than 500 characters at a time. In time, if I find this to be a suitable alternative to my beloved Mastodon experience, I may migrate my main account here as well.

This may end up coinciding with my favorite Fedi client, Ivory’s plan to support GTS in their next release.

And look at that, I’m already past 500 chars and I can just keep on typin’. Glorious. So continuing…

On Hosting

This instance is hosted by K&T Host, who I’ve used to host my Castopod instance and have enjoyed their prompt and reliable service. They have a GTS offering (duh) which I would invite others to check out if they’ve been considering having their own li’l fedi home. It starts at under $4/mo which is pretty stellar. How well that scales for larger accounts we’ll see. But they make it pretty easy to scale up as needed and since I’ve been paying #mastohost 19/mo for a year now, I’ve got quite a bit of room to beef things up and still stay under what I’ve been paying. I still think Masto.Host is great, and would highly recommend them for anyone who wants a vanilla masto experience with top notch support and stability 👍

Why GoToSocial?

Honestly, I had a lot of choices, I considered Akkoma + Mangane, Sharkey, Glitch Masto, and others… Maybe I’ll end up at one of those some day. But for now, I wanted to try this first. GTS is very actively developed, seems to be very resource “mindful”, has plenty of customizability and has fast became a go-to platform for small or single-user instances like this one.

ous.computer

Yep, I bought another domain. This one is silly, but the subdomain possibilities are pretty endless.

So if you follow my main shellsharks account, feel free to follow me here! If you don’t already follow me, but want to see my posts about infosec, tech, general Fediverse stuff, art, probably NBA stuff, nature, and a ton of other things - go for it!

FIN URG PSH

mike@shellsharks.com (Mike) — Mon, 23 Dec 2024 07:50:00 -0500

                   ★                         
                  ***                        
                 **O**                       
                *******                      
               *********                     
              ***********                   
               ******o**                     
              ***********                    
             **SYN********                   
            ***************                  
           ****o***o********                 
          *******************                
        ***********************              
           *****O***********                 
          ********ACK********                
         ****************o****               
        **O********************              
       ***********o********O****             
     *****************************           
         *********************               
        ***o*******************              
       ***********o*****FIN*****             
      ***************************            
     ***********************O*****           
    ***O***************************          
  ***********************************        
       *************************             
      *******o********o**********            
     *****************************           
    **************o****************          
   *************************O*******         
  ***URG*****************************        
**************o************************      
      ***************************            
     ***********PSH***************           
    ***********o*******************          
   **************************O******         
  ***o******************O************        
***o***********o****************o******      
                  ###                        
                  ###                        
                  ###                        
              ###########                    
              SHELLSHARKS
              ###########

Flash takes on W3C's Ethical Web Principles

mike@shellsharks.com (Mike) — Thu, 12 Dec 2024 10:30:00 -0500

The W3C published a statement proposing Ethical Web Principles meant to “guide the community to build a better web”. These principles serve as a call to action, rather than a statement of the web’s current state. See them listed below…

There is one web

The web does not cause harm to society

The web supports healthy community and debate

The web is for all people

The web is secure and respects people’s privacy

The web enables freedom of expression

The web makes it possible to verify information

The web enhances individuals’ control and power

The web is an environmentally sustainable platform

The web is transparent

The web is multi-browser, multi-OS, and multi-device

The web can be consumed in any way that people choose

Those look lovely don’t they! Here’s some “flash takes” (i.e. quick thoughts) on each of them…

There is one web

China’s Great Firewall, dark web, deep web, local networks, intra-networks, etc… There’s a lot of webs. Though I think the point here is to keep the larger web open, free and available to the masses.

The web does not cause harm to society

Ooph. If only. You could probably argue that the web has done more societal and economic good than it has bad, but it’s tough to say that the web is wholly good, causing no harm to society right? Sure, maybe you could pin it on bad actors rather than the web itself, but that sounds a bit like the “guns don’t kill people, people kill people” argument.

The web supports healthy community and debate

In some ways yes, in other ways not at all. The anonymous nature of many web-based forums facilitates a lot of very unhealthy communities and toxic debate stages in my opinion. But of course the web also allows people from different backgrounds, means, cultures, etc… to all connect which is a wonderful thing.

The web is for all people

It should be. Agree 100%. However, there are still a lot of disadvantaged people, even here within the USA who do not have equal access to the modern web. Whether that be no internet access at all, or they have access but it is too slow to properly render much of what the web has to offer, the web may be for all, but not all have equitable access.

The web is secure and respects people’s privacy

Laughable. Sure, the “Internet” (to genericize all things) has made some strides implementing some form of SSL/TLS across the board (Thanks Let’s Encrypt!), which improves some security properties but the web being “secure” is a very loaded term and companies have done just about everything they can to ensure the web won’t respect your privacy. Assuming a site you are interacting with actually has an SSL cert, you still have to worry about…

Does that web server limit what SSL/TLS specs / cipher suites to those that are “secure”?
Does the web application have vulnerabilities?
Does the entity that owns/controls the web server properly secure/protect any data you share?
other things…

The web enables freedom of expression

This is true, to a point. As more of the “Internet” trends into the behemoth centralized platforms though (e.g. Facebook, Cloudflare, Google, etc…) and their content moderation/censorship policies go to work, you start to see a watering down of this particular freedom.

The web makes it possible to verify information

AI anyone? AI is really gutting this particular principle. Cryptographic signatures offer some non-repudiation properties I suppose?

The web enhances individuals’ control and power

It can. It should. But this requires people to take control, and not rely on centralized services solely for their means of communication, data storage, identity, etc… As the years pass, so does this knowledge. Less and less people have the will or know-how.

The web is an environmentally sustainable platform

AI. Ugh, again AI. The web is becoming overrun with slop. AI-generated slop, the generation of which takes a disastrous toll on our environment.

The web is transparent

Honestly, not sure what this principle entails?

The web is multi-browser, multi-OS, and multi-device

I actually don’t have too much to complain about here! I think the web is fairly ubiquitous across a variety of devices. Sure, there are some troublesome aspects of certain platform’s “walled gardens”, but I’m largely happy with the state of things in this regard.

The web can be consumed in any way that people choose

Not quite, but I don’t think it’s all bad. Browser issues abound, platform walled gardens, centralization of the web are all limiting factors. But hope remains!

I like the princples. But we have work to do!

Starter Packs and a Fedi discoverability chronology

mike@shellsharks.com (Mike) — Thu, 05 Dec 2024 08:02:00 -0500

Bluesky’s Starter Packs feature has undoubtedly been a hit. It isn’t without some faults of course, but it certainly makes the process of organizing, finding accounts and being “discovered” much easier. That’s great! For Bluesky, but what about the Fediverse?

Fedi Discoverability Timeline

Discoverability has always been a bit of a weak spot on the Fediverse. With no algorithm to prop up posts or accounts, coupled with inherent visibility issues of a federated system, it has always been up to individuals to share and boost stuff to their respective followings so that others may be discovered. Here’s a quick rundown, in somewhat of a “timeline” form of how discoverability has worked/works on the Fediverse…

“Fedi-native”

Ok, so starting off, we’ve got boosts, local timelines and hashtags.

Boosts are great, but in practice, they only move a post as far as the individual who has boosted you’s individual network goes. And though I think the Fediverse’s culture is the best in terms of boosting (compared to Threads, Bluesky, etc…), I still think most people shy away from the practice. For accounts with only a few, or no followers at all, how can you expect to get a boost if no one sees your post to begin with?

Local Timelines can help people discover you, and you discover others, but in a federated world, a lot of who you might want to connect with will live outside your immediate instance. Also, one of the joys of the Fediverse is having your own single-user, or small instance.

Hashtags are also available, but following one can be fraught (noisy) which limits the extent to which people would discover you in that way. I also have found that a lot of people don’t bother using hashtags.

Search is available, but is notoriously limited in many ways thanks to the decentralized/federated nature of the Fediverse.

Community-driven discoverability

Beyond what the Fediverse offers natively, there are other community-driven efforts to help with discoverability…

#FollowFriday is a great hashtag that seems to have decent adoption. Just list out some accounts you like in a post with the #followfriday tag and boom!

Others have attempted to build and then share manual lists of recommended, or like accounts (i.e. I have some examples listed here).

In the spirit of the web’s blogroll, I attempted to make #Fediroll a thing. It did not take. The idea was simple though. Much like a blogroll, list your favorite Fedi accounts on a post and pin that to your profile.

The advent of Bsky “Starter Packs”

Then, Bluesky announced Starter Packs - the adoption and popularity of this feature has been off the charts!

So, the Fediverse community responded. Some of us pointed out all the past efforts to juice discoverability.

The awesome Mastodon Migration account went a step further, formalizing and then creating + sharing a wide variety of “Follow Packs”. A nobel effort, but suffers from the overhead involved in downloading a .csv list and manually importing it.

FediDevs Starter Packs

Which brings me to now, Fedi-native Anže has released their project for implementing Starter Packs on the Fediverse. It is (in my opinion) a more elegant solution that simplifies the process for creating and following packs in an interface that looks pretty great! It solves for the “manual import” issue which previous methods suffered from by having you log into FediDevs with your Mastodon account, allowing the app to leverage the built-in API to follow accounts en-masse.

It’s early days, so there are still some bugs, weaknesses and other concerns with this implementation of starter packs, but I think it’s a fantastic addition to the Fediverse and a great display of the power of the community here.

Notably, packs are still limited to 150 accounts, some profiles are hard to search for and add, and as of now it is not possible to upload an existing list of accounts to a starter pack, but these are all issues that have understandable tradeoffs. This project might also be limited to Mastodon (for now).

I look forward to what the larger community will build with this, I’ve actually already started a pack or two!

IndieSec

I created a FediDevs-fueled Starter Pack! It’s titled “IndieSec”. It features Infosec / cybersecurity individuals. No corporate accounts, no bots, no influencers.

Some more context on the pack: I created it by searching some existing lists I had, a few infosec-related local timelines and things I had starred in the past, trying to find folks that…

A. post about infosec (not exclusively or anything, but y’know, a decent amount of their posts/replies are infosec-related),

B. are at least mildly active on the Fediverse,

C. aren’t accounts that already have a gigantic following (no offense to those accounts, but I’d like to use the limited space in this pack to help smaller accounts be discovered)

As such, guaranteed I’ve missed a lot of folks who should be in the pack. It is a manual effort, and sorting through who is still active here is a bit of a chore. One that I was happy to do up to a point, but I eventually just needed to publish the pack and work on adding more accounts as they come and as people request to be included.

So yeah! Check out the pack. You can peruse it and follow selectively, or “Follow all” with a click of a button. If you want to be added to the pack, just send me a note (keeping in mind the criteria I mentioned above). If the pack runs out of space, I’ll probably start up an “IndieSec 2” sequel pack.

Hold the line! Stay with me!

mike@shellsharks.com (Mike) — Mon, 18 Nov 2024 12:41:00 -0500

I first learned about, and joined Mastodon (and thus the Fediverse) back in August of 2018. I joined Mastodon.Social (of course), and the now defuct Mastodon.Technology. I toyed around with the app, tried to follow a few things, but didn’t honestly spend much time learning about what it was, why it was interesting, what ActivityPub is, what the Fediverse is, etc… I just kept on using Twitter, though even back then I was not what you would call a heavy Twitter user. I never tried to really socialize there, rather I followed a bunch of infosec accounts and that’s about it. In 2019 I established my blog and used that to post a lot of my thoughts online but it wasn’t until much later that I learned about the IndieWeb and how it important that is for my online identity and as a place for my writing. I re-joined Mastodon in earnest in November of 2022 and established my shellsharks.social instance in March of 2024. It was only shortly after re-joining in 2022 though that I had the thought - “damn, I wish I had stuck with Mastodon for the last 4 years and had worked to build and grow my community here”.

I’m not really a content creator, at least not in the sense that I make stuff to profit from it, or to build any sort of clout. Sure, I’d like people to read and tell me what they think, so that I can improve, but it’s not like I’m on social media trying to amass followers for the typical reasons. I like the folks I’ve met since being on Mastodon/the Fediverse. I’ve spent quite a bit of time making new friends, curating my feeds and learning about cool stuff, like the Fediverse, and like the IndieWeb. I wish I had never left. So now Bluesky is a thing. Threads is also around (though they claim they will federate). I’m staying put. I think you should too. But I completely understand if you want to go elsewhere. I do think the day will come though. Maybe in 4 years, maybe longer, that people will come back here and say “damn, I wish I had stuck with Mastodon”.

So… Hold the line. Stay with me!

Cloudy with a chance of not enshittifying

mike@shellsharks.com (Mike) — Fri, 15 Nov 2024 12:42:00 -0500

One of the more prevalent topics of conversation on social media is - social media itself. Not sure if it’s really always been this way, but in the wake of the Musk-ening of Twitter that birthed (or rekindled) so many other social platforms, my feed(s) are constantly a-buzz with hot-takes, analyses, cheerleading and more, all about social media itself. So, to add to that, here’s some musings on what’s goin’ on in the social media landscape right now…

Bluesky

Let’s start with Bluesky. For whatever reason (probably anti-“X” sentiment following the US election), Bluesky is seeing a surge in new users. I’ve experienced this first-hand in fact. I have a Bluesky account and (probably thanks to a Starter Pack or two that I am in) I have seen a ton of follows lately, nearly 1k+ in the past few days alone. This has unsurprisingly resulted in a lot of chatter on my Mastodon/Fedi feeds about Bluesky. A fair bit of, “Bluesky looks cool, I’m going to check it out”, “I’m going to move over to Bluesky permanently” and of course, stuff like “Bluesky is a VC-funded, faux-decentralized bad place that will enshittify and fail in the same way Twitter did”. Yeah, people are hot about it.

At a surface level, I understand. People want their network to “win”. They want the people they care about to be on the same network they are, not fragmented. They also don’t want to have to pick up and move to another place and rebuild their community, etc… I get it. There’s a lot I could say about Bluesky, and maybe one day I might say more, but for the sake of this note, I’ll limit things to a few select topics…

Negative emotions regarding folks going to Bluesky
Jack Dorsey
Bluesky funding
Is Bluesky decentralized?
What I think you should do
Bridgy Fed
Starter Packs

Bluesky Emotions

Bluesky is popping off, people are leaving X en-masse it seems, and there are some who are also leaving Threads and Mastodon to “live” there too. So you have those on Bluesky cheering that they’ve “won”, or that they’ve reached the top of the charts (on the Apple App Store) and you have those on the fled networks (namely Mastodon) bemoaning that anyone would leave as Bluesky is yet another corpo-owned, VC-backed, centralized network, doomed to the same enshittified/billionaire-owned future as the rest of them. Phew! That’s a lot of emotions –> 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 and so many more…

All of the networks, yes, even “X” have their pros and cons - depending on what you want and who you are. The “Fediverse”, being truly decentralized, and not owned or funded by VC/corporations means it has certain qualities that many of us value. It also means it lacks certain things that are present in centralized, or better-funded operations such as Threads or Bluesky.

So, you’re interested in joining Bluesky. Should you try it out?

Do it.

If Bluesky is where the action is. If it’s where your friends are. If it’s where the accounts you want to follow are. If it’s where your audience is. Then go there. Be there.

Even if you knew it would meet the same fate as Twitter ultimately did, would you not ride that ride for 15 years? For all of Twitter’s faults, even pre-Musk, people loved it. Twitter helped birth and incubate countless relationships, communities, businesses and more. It wasn’t perfect, and it wasn’t forever. But it was great for so many, and for a non-trivial amount of time.

Bluesky could be this too, for as long as capitalism allows. For many, maybe for most, it would be worth spending 10-15 years there only to meet the same calamitous end rather than homesteading in Fedi-land where yeah, they may achieve true social longevity outside of corporate control but would also sacrifice all they may be able to build in what could amount to a true “Twitter 2.0”.

I’m Fedi-first. I like it here. I value the qualities of the Fediverse that no other platform offers. I like that I can own my own instance. I like that I can’t be deplatformed. I like that I don’t see ads. I like that it can’t be taken down by a billionaire or a single government. I like a lot of things about it. I’ve also put the time and effort in to build a community here, to curate a very lively and fulfilling feed. I don’t fault anyone for going to Bluesky. If you like it there, great! I hope I get to see you through the bridge. If you don’t end up liking it there. Well maybe you’ll come back to the Fediverse ⁂.

It seems others too are optimistic, even if mildly cautious, about the future of Bluesky. So go ahead, try it out.

Longevity of Bluesky

Those of us telling people to steer clear from Bluesky usually have one or more of the following things to say…

It was founded by Jack Dorsey (yuck!)
It’s VC-backed (and doesn’t have a long-term funding strategy)
It’s a centralized platform

Jack Dorsey

On the Jack Dorsey topic, go listen to this Dot Social podcast episode with Bluesky’s founder and CEO Jay Graber. Yes, Dorsey did help fund Bluesky in the beginning. But has since cut ties, left their board and gone on to twiddle away with Nostr and tell people to stay on X 🤷‍♂️. So is his early involvement alone enough to curse the Bluesky project for eternity? I personally don’t think so. But you do you.

VC-Backed

Yes. Bluesky did recently receive 15 million dollars in a Series A funding round, the majority of that money coming from the VC firm Blockchain Capital (BCAP). What does this mean? Bluesky will tell you that their new benefactor “shares our philosophy” and that neither the Bluesky app, nor underlying AT Protocol uses blockchains and/or cryptocurrency. That is all well and good. For now.

I’m no expert on how venture capital works, so excuse me if I say anything incorrect or naive, but my understanding is these firms don’t just give money away. They expect high-growth, and they expect a return on their investment. Even if they have no intention of somehow influencing Bluesky to incorporate any blockchain and/or cryptocurrency related technologies into the platform, they do at minimum expect Bluesky to make money, and a lot of it. So how will Bluesky do that? Right now they’re early stage. So it’s fine if they don’t have a monetization strategy that can yield the type of growth that BCAP expects. So far, all we know about how they plan to continue funding is this. Yeah, selling domain names isn’t going to be enough. Maybe they have some ideas up their sleeves. Or maybe they don’t now, but they will later. Who knows.

Look at how other similar platforms have made their returns and you start to see the issues. We’ve got selling ads, selling user data, “premium” subscriptions and worse. Best case scenario (from my perspective), their dream of decentralization will be realized and the costs of running the network will transition to smaller, indepedent entities, thus alleviating the funding burden to a degree. But how will those entities, in turn fund their operations? By the same enshitty means? Or through crowd-sourced user donations (similar to the Fediverse model)? On this, I’d love to see them thread the needle, and succeed where no other network has yet to. But I (and others) remain skeptical.

Is Bluesky “Decentralized”

Let’s dig into Bluesky’s claim of being “decentralized”. To start, I’ll say that Bluesky is in no meaningful way decentralized at the moment. Sure, they’ve open sourced some stuff to allow you to, in theory, stand up (most of) the infra to have a decentralized node on the network, but no meaningful amount of accounts live outside of the main centralized Bluesky corp-owned stack.

But can Bluesky be decentralized? This is up for debate it seems. There are two parts of this story to me. The can and the will. On whether it can be decentralized, you’re welcome to peruse the AT Protocol documentation and decide for yourself. Others, smarter and more determined than myself have done this and came away rather, unconvinced (read: BlueSky is cosplaying decentralization & The structure of the Bluesky network). Again, maybe it’s technically possible to have truly decentralized stacks that can operate independently (though again, there’s that pesky AppView issue right now).

Let’s just assume that it is possible. So the question then becomes, will people actually do this? Will enough people stand up fully-functioning, isolated but connected instances of the entire Bluesky tech stack? This is the more meaningful question I think. As we have seen with the “Fediverse”, decentralization can be messy. It requires people understand the technology and be able to correctly build and maintain the necessary infrastructure. It requires folks to then fund that infrastructure. Not easy. In the Bluesky universe, who’s going to do this? Individuals? Communities? Other corporations? What is the incentive? In so many ways, the people who have gravitated to Bluesky and other centralized platforms is for no other reason than that it is centralized. That is the benefit. If Bluesky achieves any meaningful level of decentralization, and that’s a big IF, they will then have the same issues that have plagued the Fediverse, i.e. instance-to-instance incompatibility, fiefdoms, instance closure (due to funding-issues among other things), annoyance around what instance to join, etc… Sure, Bluesky has solved for some of this with their admittedly great version of portable identity on the network, but I still think any decentralized future for Bluesky will introduce issues, most importantly, issues that prevent Bluesky from ever reaching meaningful levels of decentrality.

What I Think You Should Do

Alright, so you’re joining Bluesky, or maybe you’re thinking about it being your primary social platform. Here’s what I would suggest. Do it. Check it out! Or let it be your main social point of presence. It’s fine. If you like it, then that’s great. But here’s some things you might consider doing in tandem…

Bridgy Fed

Bridgy Fed is an awesome service that among other things, can bridge accounts from the Fediverse to Bluesky and in reverse from Bluesky to the Fediverse. From the Bridgy Fed website, “You can use it to make your profile on one visible in another, follow people, see their posts, and reply and like and repost them. Interactions work in both directions as much as possible”. It’s easy to do!

Got a fediverse account? Bridge it to Bluesky by following @bsky.brid.gy@bsky.brid.gy

Got a Bluesky account? Bridge it to the fediverse by following @ap.brid.gy

This means you can live blissfully wherever you like but still participate in and connect with those who are on the other network. It’s easy to do!

Start a blog

I’m an IndieWeb enthusiast and big proponent of everyone having their own website/blog. But what does that have to do with my choice of social media platform? It boils down to this. Social platforms rise and fall, and when they fall, so too does your account which has likely served as your identity for and on the web. By having a website (or a “blog”), you can anchor your identity to your domain name rather than some @twitter.com or @bsky.social or @whatever handle. Bluesky has actually realized this as something that is important and you are able to register a domain name as your actual handle on the service. Nice! But this only kinda helps.

Sure, people might now know me now as “shellsharks.com” on Bluesky, but if I had no blog, and Bluesky were to go belly up, people wouldn’t be able to find me as I wouldn’t exist anywhere except on Bluesky. But since I do have a website, people can continue to find me, connect with me, see what I have to say, etc… by going to my domain. So sure. Use Bluesky if you want as your main social network. But go buy a domain, register it as your handle on Bluesky and then put something on that domain that resolves in a browser so people can find you now and into the future.

XPosting

I see a lot of people suggest cross-posting to those who are thinking of “moving” to Bluesky. They’ll say, “Hey! instead of just posting to Bluesky, why don’t you post both places?”. I personally don’t like this. What I mean is that I think cross-posting comes with a lot of compromises, that for me, and I assume for so many others, doesn’t make it worth it.

Cross-posting requires using an app built with this functionality, the ability to sign into multiple platforms. This may just not be the app someone wants to use. Though I will say there are some good options, Openvibe, Croissant, SoraSNS, etc… Second, in my experience audiences are just, different on the different platforms. What you might say on one isn’t necessarily what you would say on the other. So just posting the exact same thing word-for-word across both might not really work. It can also be somewhat impersonal. So now there is the mental overhead of tweaking posts across each or deciding when you want to x-post or not. Posting across multiple networks also means fielding replies across both. Again, more work. We all arguably spend too much time already on social media, just on one platform, much less trying to juggle communities and relationships across both.

So yeah, maybe cross posting is something you can do, or would like to do. But I certainly wouldn’t fault you for not doing it.

On Starter Packs

A very popular feature of Bluesky is their Starter Pack. It’s basically a list of accounts you can give a name and people can peruse those lists, following individual accounts or clicking “Follow All” to follow everyone in the pack. It’s extremely easy to use, easy to create and at first glance, a great way to build your network and improve discoverability. Or so I thought…

In the past 72 hours I’ve gone from like 200 followers to ~1.2k followers. I’m almost certain this is because of my placement in a popular starter pack or two. Awesome right? More people will see what I post and might respond to me. But has it worked out that way? Hard to say, and engagement is a tricky thing to scientifically evaluate, but I don’t really think it’s having that effect. What I think is happening, and what I know I’ve personally done, is just blindly follow everyone in a given pack with no real evaluation. I think this has a devaluing effect on my feed.

Maybe I’m just used to the highly curated aspect of my Fedi feed. But damnit if that feed on Mastodon isn’t extremely high fidelity. It should be right? I’ve hand selected every account I follow through somewhat rigorous means. Not just willy-nilly following 80 people in one fell swoop. What happens is this, for lack of a better word, junks up the feed. I’m someone who likes to read through my timeline, see what everyone has said. But on Bluesky, thanks to the fact that timeline position, when refreshed, sends you to the top, and the effects of these starter packs, I find that my feed is just an unruly mess that I can’t stay on top of and as a result find less interesting. Then, frustrated with my “Following” feed, I’ll check out the default algorithmic “Discover” feed, which tends to just be memes and “big accounts” - yawn.

Another set of pitfalls I see with starter packs is ongoing management and redundancies. In just a few short days I’ve seen quite a few “Infosec” starter packs pop up. If you’re an infosec person, and you want to be featured in the pack, which do you choose? Which will be the “popular” ones? Who created the pack? Will they keep it up-to-date? Do you feel comfortable pinging someone asking to be included in a pack? Will it become a popularity contest? I don’t know how to answer or really analyze much of this at this point, but I just see potential issues. That said, I still think it’s a great idea and does make following a lot of accounts a lot easier. Generic packs like “infosec” might be hard to maintain and be extremely unruly (100’s of people) but smaller, more focused packs, e.g. writers at 404 Media are perfect!

Threads

If you’re going to talk social media, it’s hard to ignore Threads. Afterall, Threads still boasts over 200 million users and has 10’s of millions of daily active users (src). Contrast that with Bluesky or Mastodon’s relatively paltry sub-20m total users each. But Threads is flagging. People are unhappy with the choices the leadership/development teams have continued to make around algorithmic choices and more. I don’t use Threads much. I feel the same about Threads as I do Bluesky for the most part. If you like it there, and its where your “people” are, then be there. It has some of the same, and some different risks as Bluesky, but whatever.

The interesting wrinkle with Threads is the ongoing implementation of ActivityPub. Currently, Threads users who decide to opt in to the “Fediverse sharing” beta can enjoy a very half-baked, but not entirely useless form of federation that allows users on the “traditional” fediverse to see and even reply to posts you make natively on Threads. Actually kinda cool. You can’t yet follow native Fediverse users from Threads, but in theory that is coming in the not too distant future. I think if this ever does materialize, and does so in a non-compromising way, it will be a feature that gives those on Threads a real benefit over those on Bluesky. Afterally, the Bridgy Fed, Bluesky <–> Fedi bridge is cool, but comes with plenty of compromises as it would compare to true Federation.

The Future

I can’t see the future. Who knows what will happen. But there is a non-zero chance that Bluesky fails to truly decentralize, and the main/centralized instance of the platform is forced to enshittify in some disastrous way. Simultaneously, (in this same timeline) Threads has continued to decline in user experience thanks to an increasingly heavy-handed algorithm, inability to moderate spam accounts and overpopulation of corporate or advertising-related posts/accounts. Where do people go? Will they stay on those centralized platforms, accepting the compromises for what they are and muddle through? Will a new shiny platform pop up and people go there? What will it take for the “Fediverse” to get real traction? What features do we need? What cultural shift needs to happen? What big “celebrity” accounts would need to set up shop here? I can’t say. I think improving discoverability by copying some of Bluesky’s popular features, namely custom feeds (opt-in algos) and starter packs could really help. I also think improving the identity model, also similar to how Bluesky has done it by being domain backed, could also help. Beyond that, moderation improvements and instance choice/onboarding could use a freshen-up to help people feel less intimidated by joining.

An exciting time to be sure!

Without Sky: Social Media and the End of Reality

How will Bluesky defend itself?

mike@shellsharks.com (Mike) — Wed, 13 Nov 2024 08:30:00 -0500

Serious question - How will the Bsky team defend against or respond to a Trump/Musk offensive against bsky itself? Bsky is turning into a top competitor of both of their platforms and is certain to harbor posts both of them would not like. Where are the servers/infra hosted? The team members?

This is what I mean when I ask what bsky will do when the government comes knocking about why it’s not adequately moderating posts/content critical of the government itself…

flexghost on Project 2025

Just going to use this thread to keep highlighting this issue…

Trump Threatens New York Times, Penguin Random House over Critical Coverage

Yeah. This is a thing. This is why meaningful decentralization (or not having your infra solely on US soil) will be important. If Bluesky stays small enough maybe it flies under the radar. If they become true Twitter 2.0, they will be targeted by this. Can/will they resist?

Trump’s Pick for FCC Chair Has Vowed Crackdown on Big Tech ‘Censorship’

I wonder why this one is so important right now? 🤔🤨🧐

@freedomofpress on Pass the PRESS Act

“Age Assurance” 😒

(Bluesky) Our Approach to Age Assurance

Think centralized, tech company-based moderation teams are here to protect you or your communities? Nope, you can have some waffles instead 🤦‍♂️

WAFFLES

Zero-skip albums

mike@shellsharks.com (Mike) — Fri, 13 Sep 2024 21:36:00 -0400

My Zero-Skip albums…

A Night At The Opera, Blind Guardian
basically any Breaking Benjamin album
In Keeping Secrets of Silent Earth: 3, Coheed and Cambria
Good Apollo I’m Burning Star IV, Coheed and Cambria
Jackpot Juicer, Dance Gavin Dance
To Speak To Listen, Eidola
A Crow Left of the Murder, Incubus
Hybrid Theory, Linkin Park
Waiter: “You Vultures”, Portugal. The Man
Close to the Edge, Yes
The Yes Album, Yes

Favorite fedi artists

mike@shellsharks.com (Mike) — Fri, 30 Aug 2024 10:03:00 -0400

Tracking my favorite artists and artistic accounts from the Fediverse. Their work brightens my feed and makes the scroll so much more enjoyable.

Give them a follow if you want your feed to have a bit more color!

Savage.

mike@shellsharks.com (Mike) — Mon, 05 Aug 2024 09:05:00 -0400

My GitHub profile was absolutely roasted by the GitHub Roaster.

Oh look, it’s Shellsharks, the expert in “Infosec stuff”—whatever that vague term means. With a whopping 33 followers (mostly pity clicks, let’s be real), and a staggering 5 public repos, it’s safe to say you’re not exactly the main event in the GitHub circus.

Your “interests-directory” project, which sounds about as exciting as a blank sheet of paper, has zero stargazers. I guess nobody is interested in your interests! Meanwhile, your Java repo “assorted” managed to scrape up 11 stargazers—congrats on your utterly mediocre achievement in a language that’s not exactly on the cutting edge anymore. It’s like winning a participation trophy in a race no one wanted to run.

“Sharktools?” More like guppy tools. With just one stargazer, it seems the only thing random about it is how you convinced yourself it was worth posting. And that contribution to “RedTips”? Let’s just say if you’re taking tips from a Twitter user, it’s no surprise you’re swimming in the shallow end.

All in all, you’ve created a profile that screams “I exist!” but whispers “Please don’t look too closely.” Keep trying, Shellsharks—you might just evolve from a bottom feeder to something worthwhile someday!

Savage.

ClownStrike

mike@shellsharks.com (Mike) — Fri, 19 Jul 2024 10:04:00 -0400

On July 19, 2024, CrowdStrike delivered a malformed content update to their global fleet of Windows Falcon agents which resulted in a mass BSOD event affecting ~8.5 million systems worldwide. This event has become known as “ClownStrike”.

Fortunately, I was not affected by these outages, either personally or professionally. So, instead of dealing with any fallout of the event, I spent my time meme-ing CrowdStrike, and scrolling my ridiculously entertaining Fediverse feed. I’ve captured a few toots from the day below…

A few other funny posts from the day… 1, 2, 3

Building an audience: Threads vs. Mastodon

mike@shellsharks.com (Mike) — Thu, 27 Jun 2024 00:17:00 -0400

First, let me start by saying that I have no qualms about those who use Threads, whether as their primary social media presence or if they merely dabble over there as I do. I have no purity tests with which one may fail. I can say, from my experience using Threads, that it is very pleasant and my “For You” feed is pretty enjoyable, though content is very superficial, mostly filled with funny people trying to go viral, some Fediverse talk, NBA chatter and of course shit posts from the official Wendy’s account.

Good. With that out of the way, let me give my short pitch & warning related to the question of Threads v. Mastodon. Threads has A. a much larger user base, and B. an algorithm that from what I’ve seen, seems pretty good at getting posts into peoples’ feeds. For someone looking to build a following, or reach as many people as possible, these two features give Threads a serious advantage.

But! For someone looking to build and then maintain a following, I still have concerns about using Threads as home base. Obviously, they haven’t implemented full Fediverse support, notably they don’t have the ability to port your account in or out of the platform. They say they’re going to do this, and have given us every reason to think they will, but until it happens, I remain weary. Second, Threads is run by Meta and Meta has some very opaque/shady behaviors as it relates to account suspension, censorship, shadow banning, algorithmic de-ranking, etc… What I mean is that one wrong move and they can decide to pull the plug on your entire account, erasing your social graph and identity on the web in a flash. Whether by corporate policy or by political pressure, what is and is not acceptable content on their platform can be extremely volatile. Further, I am also concerned about content ownership. Posting on Threads means Meta owns what you post. They can delete it, change it and almost certainly will train their LLMs on it, it’s theirs.

As for Mastodon, the population of the “traditional Fediverse” is indeed smaller, but here you obviously have the ability to move your account, reach everything on the Fediverse, control/own your data and maybe most importantly self-host. It’s possible that I overvalue this particular feature, but the ability to self-host means A. you can have a Fediverse point-of-presence on your own domain, which is great for branding and B. you make yourself pretty darn resistant to deplatforming and censorship. For a content-creator, especially one that may have spicier things to say, this seems pretty important.

What’s ultimately “better” hinges a lot on what Threads does with their late-stage rollout of Fediverse support. Will they change their stance on opt-in to an opt-out model? This would drastically tip the scales in favor of those on the traditional Fediverse who want to reach the Threads-based masses. Will it be possible to amass a large following on Threads and then siphon those followers off to a traditional Fedi account? Will Threads be interoperable with other ActivityPub-compatible services like Pixelfed, Funkwhale or Castopod? With all these questions unanswered or in doubt (and other concerns still in mind), I just can’t really recommend content creators put their full faith in Threads and in Meta just yet.

Building a Following

Finally, you asked here about how people have built “sizeable” followings (i.e. 500+, 1000+, etc…) and I have a few thoughts. I’m closing in on 2k followers and have some thoughts on how I’ve got here. I don’t have a current breakdown of my followers but I suspect a large majority of them are first and foremost, in infosec. I got my start on the very large, very active and very popular (amongst infosec people) Mastodon instance infosec.exchange. I came over in one of the earlier Twitter exodus waves which helped bootstrap a base of followers as everyone scrambled to make connections and follow people. But this was at most a couple hundred accounts. But this is to say that unless there are similarly large waves of new people coming here, it’s unlikely that anyone could take similar advantage of a large group of people eager to follow anyone. Beyond this, I want to share 4 “techniques” for boosting engagement and gaining followers, coming from someone who enjoys the former and doesn’t particularly care about the latter. I genuinely enjoy chatting with people on here, and though I do have a blog (and a rebooted podcast) and am thus a “creator”, none of what I create is monetized so I don’t have the same incentive to build a large following.

Of the “techniques” that I share below, the first two are easily replicable by anyone, and the other two require a little more, let’s call it “luck”.

If you want engagement, engage. If you want followers, follow. By simply engaging with other people’s posts, you may gain a follower or more! Also, many people ascribe to the, “if you follow me, I’ll follow you back”. I don’t participate in the latter, but as for the former, I think a lot of people are interested in following you if you are someone who is active and replies in a genuine, funny or helpful way.
Be consistently active. You mentioned this in your post, and it’s true. If you post regularly (not overdoing it) and going back to item 1, engage regularly, you will naturally, and very organically, collect followers.
Boosts by whales. In other words, if a big account (i.e. someone with like 10k or 20k+ followers) boosts one of your posts, this can rain followers. No way to make this happen, though going back to 1, by replying in a helpful or genuine way to something a big account posts, you never know, they may just boost it.
Go viral. This is completely random it seems, and even in the event of a viral post, you may not net a lot of followers but it can happen. I personally have had some luck here with certain blog posts of mine being very popular (at least for a short time).

Of note, these techniques are also ranked in terms of their effectiveness, with #1 being the most effective and #4 being the least. The takeaway being that I believe success lies mostly on things completely controllable by you or anyone else looking to build a network here. One other important caveat that I want to bring up though, and I touched on this earlier, is that a lot of my “following” is infosec, or infosec-adjacent accounts (I suspect). Having a sizeable, niche community can make it a bit easier for someone like me who is part of that community to build a following.

So What Do I Think?

At the end of the day, I’m not a content creator looking to leverage social media to monetize, so my objectives are a bit different. Maybe the short-to-mid-term benefits of cultivating a large, active following on Threads vastly outweight the longer-term risks of establishing your identity on a Meta-backed platform. I just don’t know. But, more personally, (and not that it matters) I’d be kinda sad to see you give up mkultra.monster. Big things are coming for the larger Fediverse, and I think opportunity here is abundant. I say you continue to run both (Mastodon & Threads), but try to put in a bit more time on this side to grow. Either way, good luck and I’ll see what you post regardless of where it comes from!

Thoughts on WWDC 2024

mike@shellsharks.com (Mike) — Tue, 11 Jun 2024 12:45:00 -0400

Some quick thoughts on Apple’s WWDC 2024. Notes and analysis across all the OS updates from the event, Apple TV+, visionOS 2, iOS 18, AirPods & Home, watchOS 11, iPadOS 18, macOS Sequoia and Apple’s newly introduced AI capabilties.

Apple TV+

Apple teased a number of returning shows, new shows and new movies with a lot of star power. Most exciting for me though, is the return of Severance!

visionOS

I’m not a Vision Pro wielder, nor am I intimately familiar with its current feature set / real-world capabilities but from what I’ve gathered based on the newly announced “features” and some of the feedback from prominent Apple journalists, visionOS 2 is pretty lackluster. Hell, one of the features they slapped onto the “new feature grid” graphic was “Mouse Support”. Ooph. This seems like a platform they are having a hard time putting real engineering resources into. Is it due to low adoption? Maybe they’ve been too caught up trying to bring Apple Intelligence (i.e. genAI capabilities) to their platforms? Who knows.

iOS

iOS 18 brings a lot of aesthetic customizability and quality of life improvements, without any real breakthrough functionality. I’ve listed out some of the more interesting added features below…

More homescreen customizability, i.e. place app icons/widgets wherever and giving your homescreen icons a uniform color scheme
Control Center now has more native controls, control pages and an API for developers to expose third-party app control toggles
You can lock and/or hide apps
Messages now sports any-emoji tapbacks, text-formatting and text effects
Maps now has topographic data which is nicely paired with new hiking route capabilities
Apple takes a swing at Venmo with the Wallet apps new “tap to cash” feature
Journal app now compiles “insights” into a dashboard and adds a basic search feature
The photos app has been “redesigned”, though the redesign looks fairly lackluster despite how excited they seemed for it during the recording
Though not given any stage time, Messages now supports RCS
Maybe the most interesting feature they announced was the ability to send iMessages and regular text messages via satellite, even in non-emergency situations. Is this a free capability? Would this mean I don’t need a cellular plan to send messages? Lots of questions here…

Overall, not a huge update, but one in which I am excited to get my hands on in the fall when they ship the final release.

Audio & Home

They grouped the AirPods (“Audio”) and smart home (“Home”) updates in the same presentation section. Mostly ho-hum announcements here. Two things I’ll call out though…

First, they coded up a feature they’re calling “Enchance Dialogue” which will accentuate spoken word in movies/shows. This comes as a response to people increasingly using subtitles when they watch TV because they can’t make out what actors are saying. Whether this speaks more to the current state of sound mixing in film/TV production or our ability to actually pay attention to what we are watching (instead of always being distracted with second screens) I really can’t say.

Second, they spent a fair amount presentation time debuting a Snoopy/Woodstock Apple TV screen saver. Look, I kinda like Snoopy / Charlie Brown but is there really a big enough market for this? I wouldn’t use this screen saver as it is not nearly as cool as their stunning landscape screen savers.

watchOS

watchOS 11 introduces a new “Vitals” app which aggregates metrics/data from the various onboard health sensors, a new training mode which can calculate intensity of your workout and more customizable control over your daily activity rings, letting you set a per-day goal and take into account things like rest days (finally!). Some nice features here in what is a decent iterative update.

iPadOS

iPadOS 18 is basically just what they announced for iOS 18. The only thing maybe worth mentioning that is unique to the iPad is “Smart Script”, which does some cool Apple Pencil-related things. A big let-down for those who main iPads though I suspect.

macOS

macOS Sequoia has a decent sleight of new features, but mostly plays catchup, with some sherlocking thrown in for good measure. You can now mirror/control your iPhone directly on your Mac (okay?), tile & snap application windows, and there is a new dedicated passwords app coming. There is also some gaming-related things but honestly I don’t game on the Mac.

I’ve been a 1Password user for a long time. Time will tell, but I didn’t see enough from this first iteration of Apple’s password manager to convince me to migrate from 1Password. They will need to convince me that they have solid multi-device/multi-platform support, dependable iCloud backup/sync, offline backup (in case iCloud does something iCloud-ey), support for multiple types of “secrets” (i.e. traditional credentials, credit cards, secure notes, software licenses, identities, etc…), MFA code support, weak password alerts, a much better password/passphrase generator, etc…

Apple Intelligence

Finally, Apple got around to announcing their (dreaded, for me) entrance into “AI”. I don’t want to spend much time in this post explaining the reasons I don’t like modern generative AI, so instead you can just go read this. So what did Apple announce?

They’ve branded their “AI” suite of capabilities, “Apple Intelligence” (get it? abbreviated as “AI”). It is on-device (mostly), it can write/re-write stuff for you, generate those awful, soul-less images, and has some off-device capabilities which leverage Apple’s own “Private Cloud Compute“¹ and even ChatGPT (gross).

One thing I found particularly disgusting is the inclusion of a generative AI “art” feature which Craig described as the ability to create “totally original” images. Really? Totally original? I.e. totally not having stolen from countless other artists and creators? The overwhelming response to this particular aspect of Apple’s AI function-set seems to be pretty negative. But hey, if they’re doing it on-device, atleast that means it’s not some data center consuming resources at humanity-annihilating pace all just to creat cringey, lifeless photos of your mom in a super hero cape. One thing I actually did kinda like was “Genmoji”. Now I can create a whole suite of shark-related emojis that could not have existed before, and because they all have that same kinda “emoji-aesthetic”, I personally think they are less harmful to creators.

Time will tell if these AI features are actually useful, remain private and/or whether they can make Siri not hilariously bad. For what it’s worth, I actually walked away being less discouraged by Apple’s implementation than I thought I was going to be. Yes, they have partnered with ChatGPT in some capacity which I find disappointing, but their ability to implement something purely Apple home-grown, which leverages on-device processing first is something I think is very promising in terms of both their continued privacy stance and their ecological promises. In the end though, I hope all of this “AI” stuff is opt-out or otherwise completely disableable.

WeblogPoMo 2024 Retro

mike@shellsharks.com (Mike) — Fri, 31 May 2024 08:57:00 -0400

WeblogPoMo 2024 comes to an end today. It was my first time participating and it was a lot of fun! I connected with a bunch of people who were also participating, I mostly* kept up with my writing each day, I cleared out some long-lost draft posts and I explored a lot of different topics.

Here are some stats!

Days in which I published something: 28/31 (90%)
Words written: ~15000+
Posts: 7 | Notes: 17 | Journals: 1 | Pages: 3 : Total: 28

It’s tough to write something each day. But having a community of people to take inspiration and writing ideas from helps. Having some drafts ready can also help on days where there is not as much time to dedicate to writing.

Not much else to say so I’ll wrap it up. Now time to actually get to my WEB-300 course…

5 years

mike@shellsharks.com (Mike) — Thu, 30 May 2024 13:34:00 -0400

On May 30, 2019 I published the very first post to shellsharks.com, “Getting Into Information Security”. When I first started the blog I didn’t have a particularly clear idea of what I wanted to do with it, but I had the idea to write that piece and one other idea which which was to catalog all named vulnerabilities. Beyond that, I just wrote about whatever came to mind. It’s been 5 years to the day since I got that first piece out and not only has the site come a long way, but so have I.

In the beginning, I think my main focus was to keep the site mostly infosec-related in terms of my writing, but even back then I left the door open to write about other things. Afterall, the tagline for my site has always been “Infosec, Technology, Life”. The first 4 years of the site did end up skewing mostly Infosec / Tech but since discovering the IndieWeb last year, I have made a noticeable shift towards writing more about “Life”, i.e. anything non-tech / non-infosec, and it’s been a lot of fun!

The site has also gone through a number of big aesthetic overhauls and architectural redesigns. There will always be new things I want to add to the site or ways in which I wish I could rearchitect it even further, but for now, I am quite happy with the latest generation of its look-and-feel as well as the functionality itself.

I’ve not maintained the same level of active-ness throughout the last 5 years, but in more recent history I’m quite pleased with the amount of attention I’ve given it, the upgrades I’ve made, and the writing I’ve produced, and I am certainly starting the next 5 years quite strong. I plan to continue to funnel my professional work, technological side quests and life experiences into what I write about.

I really want to thank everyone who has read anything I’ve written, those who have offered kind words over social media or elsewhere, those who have given me meaningful/constructive feedback and anyone who has taken the time to subscribe, like or engage with me or my writing. Like many who start a blog, I had no expectation of building a readership. I started it with the intention of sharing my oft-repeated guidance on getting into the infosec field and as a place to write resources for myself. Over time though I have found that sure enough, there are people out there who enjoy, or get value out of what I have documented or what I have to say and it is undoubtedly a good feeling.

These days, I spend as much if not more effort writing about and encouraging others to start a site and be themselves as I do writing about tech/infosec. My experience with shellsharks has taught me more about what it means to be authentic on the web than it has helped me with my various infosec-related research things. I’m still a cybersecurity professional and as such will continue to make that a focus of what I learn and thus what I write about, but it is clear to me that I’ve developed a passion for IndieWeb advocacy and I hope to continue to inspire others both in my field and abroad to start their own journey in the personal web.

Thanks for reading. Here’s to the next 5 years!

Fun Fact: December 4, 2020 | The earliest snapshot I could get of shellsharks on archive.org

Podcasting steps

mike@shellsharks.com (Mike) — Fri, 24 May 2024 16:37:00 -0400

Here are the steps I generally go through in order to produce The Shellsharks Podcast (and an estimate of how long each step takes).

Find potential guests for the show. Though I can source them from really anywhere, I tend to find a lot of people from cool blogs/sites I encounter and those posting interesting things on social media / the Fediverse. (~2m)
Reach out to potential guests and ask if they would like to be on the podcast. When I reach out, I’ll usually provide some sample discussion topics. (~2m)
If they are interested, I send them a prepared logistics document and scheduling information. Also, I work with them on actually scheduling a time to record. (~5m)
I then do more research on potential topics to discuss and share that list with the guest. (~10m)
Record the show. I can record over any voice chat platform (i.e. Face Time, Discord, Meet, Zoom, Teams, etc…) (~60-90m)
Take raw audio files (my audio file and my guests audio file) and drop into GarageBand. (~2m)
Level the audio, i.e. make sure we are at the same-ish volume. (~5m)
Clip the beginning and end of the podcast to ensure it starts and ends somewhat fluidly. (~10m)
If any additional editing is needed (which I try avoid), I do it here. (varies)
Add in the outro music sequence. (~5m)
Export the final mixed audio as .mp3. (~2m)
Drop the .mp3 into Forecast. (~1m)
Add show art, show title and show description to .mp3 metadata. (~2m)
Add chapter titles and timestamps.
Listen back through the show to capture all things that need to be documented or linked to in the show notes. This is by far the longest step, even moreso than actually recording the podcast. (~90-150m)
Upload and publish on my podcast hosting provider! (~5m)
Back to step 1.

Hopefully this gives you an idea of the time it takes to produce a single episode of the show (about 3-4 hours).

Stracting myself

mike@shellsharks.com (Mike) — Thu, 23 May 2024 11:05:00 -0400

I decided to check out Stract, an open source search engine, as I was curious whether my site was indexed yet or not. Turns out, it is!

OK, well that’s cool. So what else does stracting (is that what I’d call searching for something in Stract?) for “shellsharks” give me in the results? A few interesting results, but pretty limited overall, with one particularly weird quirk. I get a few interesting personal blogs that have referenced me or my site. Nice! I get one site about “Polynesia” which I can only assume shows up because they have a lot of shells and sharks there. I get a few links to other social profiles of mine. Finally, and this is the quirky result, I get several (like 8) pages worth of Lobste.rs Users listings.

Not sure why their indexing of Lobste.rs resulted in so many duplicate (and not very useful) result records but that’s where we stand.

Anyways, I think Stract is an awesome project and I really hope they can continue to receive funding and support and turn it into something that is AI-free, has indexed a wider swath of the IndieWeb and can recreate some of the early days Google magic.

R7 Attack Intel Report 2024: A few takeaways

mike@shellsharks.com (Mike) — Wed, 22 May 2024 12:12:00 -0400

Rapid 7 released their 2024 Attack Intelligence Report, an annual writeup containing curated vulnerability data and in-depth analyses of exploit trends. Below I’ve listed a few of my own personal takeaways after reading through the report…

The report covers only about ~60 known exploited vulnerabilities from 2023 through early 2024 (but also includes data from even more vulnerabilities from past years)
They specifically call out the demise (or severe degradation) of Twitter and what that has meant for the infosec-related intel sharing community. Couple this with more recent struggles from NVD and you see a big gap in the open/public vulnerability intelligence capability
R7 observed a much higher percentage of successful “attacks” being attributed to highly orchestrated campaigns & multi-level exploit chains by single well-resourced adversaries
What was on the target menu? A lot of edge services, e.g. file sharing, remote access, external confluence, etc…
The median time to known exploitation is 1 day. Wow, i.e. critical things need to be patched immediately (<24h) and patching alone is not sufficient defense
Speaking of defense, here is what R7 recommends: external MFA, reducing external attack surface, a hearty ransomware defense package (which includes a number of things including backups), a robust patching/VM strategy, EDR and bolstering access control (i.e. Zero Trust)

There’s a lot more in the report so go and read it. Great work by the Rapid 7 team as usual.

While we’re talking defense, I had the idea to map R7’s recommended security controls to the CIS critical security controls and here’s what I came up with… (for CIS CSC v8)

CSC 6: Access Control / MFA
CSC 7: Vulnerability Management
CSC 10: Malware Defense (e.g. EDR)
CSC 11: Data Recovery (i.e. Ransomware defense)

Notably though, I found nothing in the CIS CSC controls which explicitly calls out attack surface reduction 🤔. Maybe I missed something, or maybe it’s a gap. Anyways, if you don’t need it on the Internet, get it off the Internet. If you don’t need it at all. Just get rid of it.

CTF vs Enterprise Security

mike@shellsharks.com (Mike) — Tue, 21 May 2024 07:57:00 -0400

On the difficulty of exploitation in a CTF environment versus actual enterprise organizations…

CTF Security

N targets each fully patched, likely running modern distros, fully secured with minimized attack surfaces. Two vulnerabilities exist, one granting a foothold / user land access and another which gives you root / Admin.

Enterprise Security

Some sad combination of…

Hilarious misconfigurations
GRC exceptions
Tech debt
Legacy environments
BYOD
Patching SLA violations
Shadow IT
“PoCs” w/ production data
Compliance-driven security
…and worse

Extremely rich environments for exploitation.

36 things

mike@shellsharks.com (Mike) — Mon, 20 May 2024 12:47:00 -0400

A list of 36 assorted things…¹

All sushi rolls taste the same to me. All good though.
The NBA Playoffs are the best professional sports playoffs format.
Pokemon Crystal was the best pokemon game. Nintendo should have stopped making new Pokemon after Gen 2 and put effort into making better games, not more creatures.
Work + Going to the gym + Being a father + Podcasting + Blogging + Doing infosec training is HARD to pull off simultaneously.
Scrubs is the best comedy TV show of all time.
I’m glad I steered my blogging topics into more personal things and not just professional / infosec writing.
Going from two kids to three kids changes A LOT logistically. I’m finding it harder to understand how people manage it. How do you fit them into a normal car? Now I need a bigger house. How do you put three kids to bed? The list goes on…
“AI” isn’t going to work out. At least not the way AI proponents think. It isn’t going to be the revolution they think it will be. It just doesn’t work universally for all things the way they want it to. I’m not saying it doesn’t do some things very well, just that those usecases are more edgecases - things that the general population do not get value from.
I’m 36. The retirement age in the US is 67. I’ve got 31 years left to work. That’s a loooong time.
I love to play basketball. Not sure how much longer I can continue to play competitive pick-up but I’m going to keep doing it until I can’t.
Another thing on “AI”. I really dislike that “intelligence” is in the name. There’s nothing intelligent (as it relates to human intelligence) about it. Look at the art it produces, the prose it generates - cold and artificial. Look at the mistakes it makes, its confabulations, inhuman and wholly unintelligent.
I’m not a hat person. Kinda wish I was.
Putting on weight, specifically muscle-weight is kinda hard.
Moving off of Gmail takes a lot of effort. So much is tied to your email account over the years/decades.
My Masters diploma lives in a tube. Not sure what I should do with it.
I really quite liked season 1 of the Rings of Power TV show. Looking forward to season 2.
I wish I had started a blog long before 2019. But I’m glad I got goin’ with it when I did instead of putting it off even further.
I started drinking coffee during the pandemic. I never needed coffee before and was proud of that fact. Now I fear I’ve developed an addiction I do not want to lose.
I need to go hiking more. I look forward to the future when I can reliably bring my kids out.
Since I started working out about a year and a half ago I’ve drank A LOT less beer. I don’t miss it, and it’s had an impact on my wallet too!
Any money I’ve saved by drinking less alochol has been blown up by the amount of yogurt, milk, almond butter, frozen fruit, bananas and protein powder I’ve consumed in my daily smoothies.
Trackpad > Mouse
I don’t know how people can sleep not on their back.
A lot of people lament the fall of Twitter. I think the death of Twitter has been an amazing catalyst for the open web and it is joyous.
I have an old iMac that doesn’t support the latest versions of MacOS. Need to figure out something to do with it…
Saw my first Cybertruck the other day. Truly bizarre.
Going to try to teach my son how to swim this summer. He’s 3. Will be fun!
I wonder how long this 2019 Mac Pro will last me. I wonder how long Apple will support it with updates.
11 days left in weblogpomo2024. Now it gets tough…
Golgotha Compendium: Fifth Temple is a great song.
Seattle is my favorite US city I’ve been to.
Advice: Get in shape before you’re in your 30’s and have kids / responsibilities.
Get a rice cooker. Game changer.
Go buy yourself a domain if you don’t have one. Do it!
I need to set up my Stream Deck (again).
Impostor syndrome is unshakeable. So stop shaking, you’re in good company.

¹ (Inspired by nic lake.)

Bowser's crimes

mike@shellsharks.com (Mike) — Sun, 19 May 2024 13:59:00 -0400

In a previous note, I grumped a bit about how low-stakes the Super Mario Wonder plot is, specifically, how much of a nothing-burger Bowser’s actions were. So I decided to go back through the history of Mario games and list Bowser’s various crimes (attempted and successful) below…

Super Mario Bros - Invades Mushroom Kingdom, Kidnaps Princess Toadstool, transfigures the Toads
Super Mario Bros 2 - N/A. No mention of Bowser
Super Mario Land - N/A. No mention of Bowser
Super Mario Bros 3 - Seeks to conquer Mushroom World, steals magical wands, transfigures toad kings
Super Mario World - Invasion (of Dinosaur Land), kidnapping (Princess Toadstool of course)
Super Mario RPG - Kidnaps Princess Peach (but redeems himself by joining forces with Mario to defeat Smithy & gang)
Super Mario 64 - Kidnaps Peach, steals Power Stars
Super Mario Sunshine - Lying (Bowser told Bowser Jr. that Peach is his mother so Bowser Jr. does crimes…)
New Super Mario Bros - N/A (only Bowser Jr. seems to appear)
Super Mario Galaxy - Attacking with airships, stealing Power Stars, kidnapping Peach, wrecklessly creating unstable galaxies that seek to destroy Mario’s reality
Super Mario Galaxy 2 - More attacking of the Peach’s castle, kidnapping Peach, Power Star theft, attacking spaceships
Super Mario 3D Land - Kidnaps Peach, steals Super Leaves
New Super Mario Bros U - Imprisons Peach, invasion
Super Mario 3D World - Kidnaps Sprixie princesses
Super Mario Odyssey - Kidnaps peach, attempts a forced marriage, destroys Marios hat
Super Mario Wonder - Partying too hard? (I guess he also steals the Wonder Flower and imprisons some flower people)

A lot of kidnapping, turning people into things, theft, trying to conquer everything and of course general assault/battery. But with Wonder? I’m still not sure what he did. Bowser just trying to get his groove on…

Mission Control snapshot

mike@shellsharks.com (Mike) — Sat, 18 May 2024 16:00:00 -0400

Here’s pretty much what my Mac desktops look like on a daily basis. I have a lot of apps open and tend to do a lot of multi-tasking.

Apps pictured within those Mission Control snapshots include: Messages, Notes, VMware Fusion, Terminal, Obsidian, Visual Studio Code, nvALT, Ivory, Reminders, Mimestream, Safari, Proton Mail, Timery, Element & Preview.

Some observations…

That’s 15 apps total, 4 of those are note taking apps 😬 (i.e. Notes, nvALT, VScode, Obsidian)
I have 2 mail apps and 3 “social” apps
I used to run three desktops/screens but my top monitor has been glitchy so it is currently off and dormant

That’s about it, what do your desktops look like?

Powered by Castopod, Hosted by K&T Host

mike@shellsharks.com (Mike) — Thu, 16 May 2024 10:31:00 -0400

The Shellsharks Podcast is coming back! Where did it go? Why did it go? Well, life got a little busy, and I just didn’t make time for it I suppose. I really enjoyed the first run of the podcast but never got in a sustainable groove when it came to fielding new guests for the show. I really don’t want the show to be a solo operation, i.e. just me talking, and as cool as it would be to have a regular co-host, one thing I really enjoyed most about the experience was meeting with and talking to new and interesting people in and around the infosec / larger tech community. So this time around, my plan is to be more committed to building a pipeline of folks to come on the show and to a degree, expand what is regular topics of conversation. Notably, tying themes of infosec/cybersecurity with that of the indieweb, personal web and social web.

I want to add that I really appreciate those of you who subscribed the first time around and have shown interest in the show returning in the months/years since I aired the last episode. It means a lot!

But that’s not all that’s new about the show! Somewhat fresh off my big-time foray into the Fediverse, the podcast is now powered by Castopod! It is, in short a free and open-source solution for podcasting and notably has the ability to federate a podcast such that accounts on other federated social platforms (i.e. Mastodon) can follow. So when new episodes are released, it will be posted on the show’s account and people can even comment on those posts!

So if you’re interested in listening to me chat with others in the infosec / tech / indieweb / social web communities, Subscribe today!

K&T Host

On the matter of hosting - I’m moving away from Podbean and am now hosted on K&T Host. A quick note on Podbean: It is a simple, cost-effective and easy to use platform for podcast hosting. For newbies like myself to the space, it was a great experience and I would continue to recommend them to others. OK, so about a week ago I asked the Fediverse if they had any opinions or experience with Castopod and to my delight, a representative from K&T Host reached back out about their beta offering for managed Castopod. Now I had never heard of K&T Host but decided to give the beta a try as it was free, their website looks great and their support staff seemed very engaging and responsive.

Getting my account set up and the podcast initiated within the Castopod portal on K&T Host was incredibly easy. There’s plenty to fiddle with in the various settings menus within Castopod, but if you just want to get your show up and import episode files it couldn’t be easier. The only issues I’ve really encountered so far have been with Castopod itself and seemingly not with the underlying hosting infrastructure. The only small snag that I had to overcome at first was upping the max file size upload limit for podcast files as it was set way too low by default. A quick support ticket and I was able to adjust this myself by remoting into the provisioned instance and changing a config file. On the matter of K&T Host support, they are lightning quick, and super helpful.

I’m happy with K&T Host and plan to continue with them through the beta and into their public offering at which point I will be converted into a paying member. All beta testers not only receive free hosting during the beta period, but will also receive 3 months free post-beta and a 20% discount for the lifetime of the service. This sounds like an incredible deal and I would recommend anyone else curious about moving or starting a podcast with Castopod to check it out!

A quick note about pricing. Castopod.com, which is the quasi-official hosting engine for Castopod powered podcasts has what I think is kinda aggressive pricing. You can see their pricing page here. For reference, i was paying just over $100 ($9/mo) at Podbean for unlimited audio. I could have gotten away with the €10/mo option at Castopod.com for a while as I only have a backlog of ~20 episodes to move over, but it wouldn’t be long until I exceeded their storage threshold and would need to move up a tier to their “Podcaster” tier which is priced at €24/mo or €288/year! Now K&T Host hasn’t announced official pricing for their Castopod offering, but I did ask them what I should expect and they gave me the following estimate. Spec’ed with 2GB memory and 200GB of storage I would be looking at around $6.75/mo, even cheaper than what I had with Podbean! Plus you throw in a 20% lifetime discount and 3 months free and the difference is pretty stark. Their pricing model moves up incrementally from there as your storage, processing (and maybe bandwidth) needs increase, rather than having to have huge t-shirt size jumps in pricing.

Castopod Observations

I still have a lot to learn and experience with Castopod (v1.8.2) itself, but here are some observations thus far.

It’s great that I can host the show on my own (sub)domain. Instead of going to podbean.com, you can instead go to podcast.shellsharks.com. This is something I’ve wanted from the beginning.
Castopod supports show permalinks, the concept of “seasons”, full / trailer / bonus episode-types, parental advisories, markdown-powered show notes, advanced RSS tagging capabilities and even premium/paid episodes.
You can import an entire podcast from somewhere else. Unfortunately I didn’t see this option until after I had already manually brought all the audio files over. Oops!
Since Castodpod is “Fediverse-compatible”, you can do things like block accounts and even entire domains from accessing your federated podcast profile, you can post and reply to comments, and other social things. The podcast’s handle is @ShellsharksPodcast@podcast.shellsharks.com.
You can also create other accounts to access the admin portal, co-host or guest profiles and more within the Castopod administrative portal.
Additional pages can be created on the domain for anything you would want.
Podcasting 2.0 support.

I’m stoked about this new era of The Shellsharks Podcast and hope you will tune in!

Nostalgia Music

mike@shellsharks.com (Mike) — Wed, 15 May 2024 13:26:00 -0400

Responding to this post from Flamed Fury, I wanted to write about music that I found nostalgic or that I associate with certain memories. I’ll attempt to write these in a chronological fashion as best as my memory will allow… (Note: All music links are to Apple Music listings.)

Somewhere within my childhood: I have a lot of memory fragments of assorted music from my childhood, most of it stuff my dad really liked. e.g. Driving at night in the car listening to Zombie by The Cranberries or hearing my dad sing Photograph by Def Leppard and a number of songs by The Goo Goo Dolls.
~1997-2000: I can’t pin down the exact year, but I remember listening to A LOT of Celine Dion courtesy of my sister and the drives we had when she would drop me off at school when we lived in Jacksonville, FL. I remember she was in High School at the time. Specifically, I remember listening to It’s All Coming Back to Me Now & That’s The Way It Is a lot. Like, every single morning a lot.
2000: Hybrid Theory from Linkin Park is one of those rare albums where every song is good and I will listen to the entire album without skipping any of ‘em. It has also stayed in my regular listening rotation for nearly 25 years now. When this album came out, it was all I listened to. If you had asked me what kinda music I liked back then, I would have just shown you the Hybrid Theory CD case. I honestly don’t think I really cared about music before this album came out.
2000: The Infest album from Papa Roach is also a big one from my early music-listening days. I sang each of these songs endlessly. I remember convincing my grandma to buy it for me at some flea market in South Carolina and she being very concerned about the parental advisory warning 😂.
2001: Blurry by Puddle of Mudd and Crawling in the Dark by Hoobastank were both mini-obsessions built on top of my love for Linkin Park.
2001-2002: My sister was constantly singing both Complicated by Avril & Everywhere by Michelle Branch when they came out. It’ll always remind me of my parents house in Stafford and how it looked at that time.
~2002-2004: I can’t pin down exactly when, but I vividly remember the first time I listened to Stairway to Heaven. I was going through my dad’s collection of vinyl records and playing them on a turntable I had set up under my bunk bed. I must have replayed the song 5 or 6 times (maybe more) after that first listen. It was I think the exact moment where I pivoted into classic rock as a core musical preference.
~2003: In highschool I went through a BIG AFI phase, and really loved the Sing the Sorrow album that came out around my freshman year. (I also really enjoyed The Art of Drowning & Black Sails in the Sunset). It’ll always make me think of that time in my life.
2003: There were a few months that I think I just listened to the album Year Of The Spider by Cold. Notably, the songs Cure My Tragedy, Wasted Years, The Day Seattle Died & Black Sunday. Peaky teen angst type-uh stuff.
2003: A rendition of A Favor House Atlantic by a friend at lunch in high school introduced me to Coheed & Cambria. When Good Apollo I’m Burning Star IV came out 2 years later, I remember some friends playing Welcome Home on my stereo in the basement and was blown away. Will never forget. Still one of my favorite artists of all time.
~2003-2006: At some point in High School I saw this YouTube video featuring Metallica’s song No Leaf Clover. I loved DBZ at the time and this song was just insanely good. I’ll always associate the two.
~2005: I remember filming a very silly cover of Jeezy’s Soul Survivor, I dubbed it “Bacon & Young Cheesy” where I was “Bacon” and my brother was “Young Cheesy”. I held a package of bacon in my hand while my brother waved around a frozen Stouffers Mac ‘n cheese. It’s a shame I don’t remember the lyrics we came up with. Silly silly stuff.
~2005-2006: One summer in high school I worked at Kings Dominion. For some reason I listened to The Beatles album Abbey Road every morning during that commute.
~2006+: I had not one, but TWO Elvenking CDs (The Scythe & Heathenreel) I had burned in my Kia Sephia that I would listen to all the time. Whenever I would drive my friends anywhere they would joke that I was always listening to Elvenking. They expected me to play it too anytime they were in the car. I didn’t disappoint.
~2006: Into the Ocean by Blue October always reminds me of an internship I had in DC where I commuted in with my dad. It was a frequent play on the radio during that time.
~2011: The song We Found Love by Rihanna will always remind me of the first time I went to Mardi Gras. Though admittedly a lot of those memories are quite hazy.
2016: Closer by Chainsmokers always reminds me of my wedding.
2019: When me and my wife were in Prague, we heard a beautiful rendition of Many Shades of Black by The Raconteurs. I wish I had a recording.
2020+: OK. So in 2020 my son was born and as new parents we didn’t exactly have everything figured out. Putting this kid to sleep was of notable difficulty. In one such event, I was trying to get my son to sleep and walked him upstairs to the bathroom where my wife was showering. She was listening to 34+35 by Ariana Grande. Upon hearing the song, my son immediately calmed down. Desperate, I took that as a sign that he loved Ariana Grande. Turns out, I think I was onto something. From then on, we played the album (Positions) for him at every nap time and magically, it really did put him to sleep or otherwise had a very calming effect. As a result, it will forever be in my top songs ever played because I had to listen to this full album 3x+ times a day for, and I am not kidding here, YEARS.

One of us

mike@shellsharks.com (Mike) — Tue, 14 May 2024 09:12:00 -0400

I recently came across this post where the author laments that the IndieWeb is “not for them”, simply because of their inability to implement Webmentions and thus (as they put it) the “IndieWeb is a social club for developers” only. (See also this one with respect to not feeling part of the “community”.)

Let me be extremely clear. You do not need Webmentions to be part of the “IndieWeb”. The only real “requirement”, if you want to think of it that way, is to just have your own site on your own domain where you put your own stuff. That’s it. How you make it look, what you put on there, what fancy IndieWeb.org “building blocks” you decide to implement, doesn’t make your site any more or less “IndieWeb” than any other.

Indieweb.org is a great resource. But I fear that for as much good as it does, it can do equal harm. On the surface, Indieweb.org has a fantastic message.

What is the IndieWeb?

The IndieWeb is a people-focused alternative to the “corporate web”.

It is a community of independent and personal websites connected by open standards and based on the principles of: owning your domain and using it as your primary online identity, publishing > on your own site first (optionally elsewhere), and owning your content.

Your content is yours

When you post something on the web, it should belong to you, not a corporation. Too many companies have gone out of business and lost all of their users’ data. By joining the IndieWeb, your content stays yours and in your control.

You are better connected

Your articles and status messages can be distributed to any platform, not just one, allowing you to engage with everyone. Replies and likes on other services can come back to your site so they’re all in one place.

You are in control

You can post anything you want, in any format you want, with no one monitoring you. In addition, you share simple readable links such as example.com/ideas. These links are permanent and will always work.

The message is simple. The IndieWeb is about people. It’s about owning your own domain and putting your stuff there. Great! But just below the surface, as you start to click on some of the links, IndieWeb.org begins to preach complexity. IndieAuth, Webmention, Micropub, WebSub, Microsub, building blocks, microformats, backfeeds, etc… These convolutions are niche, techno-aristocratic IndieWeb fever dreams which discourage and alienate those desperate to break from corporate web-silos and start anew on a simpler, more human web. Ignore them.

A note on “community”…

If you are reading this, or you have a personal site, you are already part of it. Full stop. You don’t need to be shy. You have things to say and people WANT to listen, they want to read, they want to connect. You don’t have to be an “influencer” or have a big following. Your writing doesn’t need to be AMAZING. You don’t need to write to an audience. Write for yourself. Then share it. People will be interested I promise you. The #indieweb revival is here and you are 100% invited! Tell your friends.

So, hopefully this message can make it out to those who need to hear it…

You want to be part of the IndieWeb? Be one of us? Get a domain. Put your site on it. Be yourself. Because the IndieWeb is about you.

Songs I was feelin' in 2020

mike@shellsharks.com (Mike) — Fri, 10 May 2024 09:08:00 -0400

I found an old note in my Simplenote archive (circa August 2020) titled “Favorite Songs”. I thought I’d share it here. Best I can tell, the first part of the list was a ranked “top 12” and everything else was just other songs I was feelin’ at the time.

2112 (Rush)
Close to the Edge (Yes)
Stairway to Heaven (Led Zeppelin)
No Leaf Clover (Metallica)
In Keeping Secrets of Silent Earth: 3 (Coheed and Cambria)
And Then There Was Silence (Blind Guardian)
Since I’ve Been Loving You (Led Zeppelin)
Civil War (Guns & Roses)
Aqualung (Jethro Tull)
And You And I (Yes)
Unforgiven II (Metallica)
The Maiden and the Minstrel Knight (Blind Guardian)

Other songs I was feelin’…

The Story of Benjamin Darling Part I (State Radio)
Americans (This or the Apocalypse)
Subverse (This or the Apocalypse)
Do You Call My Name (Ra)
Far From Heaven (Axenstar)
My Spirit Will Go On (Dragonforce)
A Rose for Epona (Eluveitie)
Wish You Were Here (Pink Floyd)
Time (Pink Floyd)
Delirium Trigger (Coheed and Cambria)
Hallowed be thy name (Iced Earth)
Cygnus…Vismund Cygnus (Mars Volta)
Inertiatic ESP (Mars Volta)
Talk Shows on Mute (Incubus)
Starship Trooper (Yes)
I’ve Seen All Good People (Yes)
Hey Hey What Can I Do (Led Zeppelin)
Tea for One (Led Zeppelin)
Don’t Kill the Whale (Yes)
Yours is No Disgrace (Yes)
Spirit of the Radio (Rush)
Pigs (Three Different Ones) (Pink Floyd)
Dogs (Pink Floyd)
Have a Cigar (Pink Floyd)
Nothing Else Matters (Metallica)
Locomotive Breath (Jethro Tull)
Ohio (Crosby, Stills, Nash & Young)
Key Entity Extraction I: Domino the Destitute (Coheed & Cambria)
Mother Superior (Coheed & Cambria)
A Favor House Atlantic (Coheed & Cambria)
Welcome Home (Coheed & Cambria)
Mother May I (Coheed & Cambria)
The Willing Well III: Apollo II: The Telling Truth (Coheed & Cambria)
The Red (Chevelle)
Roswell’s Spell (Chevelle)
The Circus (Chevelle)
The Soulforged (Blind Guardian)
Fiddler on the Green (Demons & Wizards)
Blood on my Hands (Demons & Wizards)
My Last Sunrise (Demons & Wizards)
The General (Dispatch)
Aqueous Transmission (Incubus)
Pardon Me (Incubus)
Meccamputechture (Mars Volta)
Asilos Magdalena (Mars Volta)
Roulette Dares (The Haunt Of) (Mars Volta)
Eriatarka (Mars Volta)
Fight No More (State Radio)
Right Me Up (State Radio)
Seasonspeech (Elvenking)
Dominhate (Elvenking)
Insomnia (Periphery)

Looking at this list, I still love all these songs, though there are some I realize I need to add back into the more regular rotation…

Crystal Six

mike@shellsharks.com (Mike) — Wed, 08 May 2024 10:12:00 -0400

Though the original Pokemon (Blue/Red) game will forever hold a particularly special place in my heart, I think of Pokemon Crystal as both my favorite and the best of the entire Pokemon series. With the recent legitimization of classic game emulators on iOS, and thus the rebirth of Delta, I once again spun up a Pokemon Crystal rom and did a playthrough. Even after all these years and countless playthroughs, it was still as fun as ever. To commemorate, I’ve decided to document my team, the “Crystal Six” below.

Gengar
Dragonite
Crobat
Steelix
Feraligatr
Gyarados

For those follow poke-fans out there, you may notice that I still have a bit of a preference for Gen I, with 5 of the 6 having base forms that are from the original games.

iPad (actually) Pro

mike@shellsharks.com (Mike) — Tue, 07 May 2024 11:08:00 -0400

#Apple #iPad event kinda a snoozer? The iPad **Pro** needs one if not all of these to push it forward…

Xcode-level IDE for developing apps on-device
Ability to run M-arch-based Mac apps
Unconstrained scripting environment (e.g. r/w/x Python, Ruby, shell, etc… scripts)
Alternative app stores (coming to EU soon it seems…)
Extended emulation / Rosetta capabilities (mac apps, ARM-based environments, etc…)

C’mon Apple, do ittttt.

Favorite movies

mike@shellsharks.com (Mike) — Sun, 05 May 2024 22:00:00 -0400

A point-in-time look at my ever-fluctuating list of favorite movies (Top 25)…

Gladiator
Gattaca
Star Wars: Return of the Jedi
Star Wars: Empire Strikes Back
Apocalypto
Sunshine
IP man
Clockwork Orange
Hook
Interview with the Vampire
300
eXistenZ
Star Wars: A New Hope
Dune: Part Two
There Will Be Blood
Mad Max 2: Road Warrior
The Matrix
Rogue One
Starship Troopers
Master and Commander
Planet of the Apes
The Departed
Shawshank Redemption
Waterworld
American Gangster

Ranking fry cuts

mike@shellsharks.com (Mike) — Thu, 02 May 2024 10:30:00 -0400

French fries are great. Duh!. But how they are cut makes a big difference in how great they can be. Here’s how I would rank different fry cuts 1-10:

Waffle
Curly
Home
Tornado
Wedge
Steak
Shoestring
Cottage
Crinkle
Standard

Note: No matter the cut, a regular potato fry is vastly superior to a sweet potato fry.

I also have thoughts on chips.

Be yourself.

mike@shellsharks.com (Mike) — Wed, 01 May 2024 09:11:00 -0400

I really enjoyed reading this piece by alexandra 🧡. The #indieweb is a place to be yourself, and find others who are, well.. who THEY are. Forget about likes, forget about follower counts, forget about page views. I have found, both in my own experience writing on my site as well as in my journey exploring other sites across the “indieweb” that it’s people being truly genuine in both their writing and their style that brings life back to the web.

Before “shellsharks”, I tried and failed a few times at starting a “blog” / website. Though I could probably point to a few reasons why those projects never took off, I think the root cause was ultimately me writing for someone else, rather than just for myself. Putting ridiciulous expectations on writing cadence / content, or boxing myself into a specific “niche”, whatever. It made the process of building the site and writing very inauthentic and just, not fun. Once I let all that go, and started writing for me, that’s when it stuck. Though I’ve had lulls over the years, I’ve continually come back to it, re-styled, re-architected, added things, and just wrote. I don’t limit myself in what I write about either, and though I have been fortunate to develop somewhat of an “audience” over time, I don’t write for them per say. I write about what I’m interested in and it just so happens that others are interested in those same things! I think you’ll find that you would be hard-pressed to have interests that are not shared by at least a few other people somewhere out in the world and on the Internet, it’s a weird and diverse place afterall.

The IndieWeb is also uniquely un-algorithmic. In a world where everyone has turned “influencer”, and every social interface, even Mastodon, is tuned and swayed by black-box algos, like counts and boosts, your “personal” site can be a haven. One of no-pressure idea sharing, brain dumping, therapeutic writing, really whatever you want it to be. Though Google captures some site analytics for me, I very rarely log into that console and look at things. I don’t have really any telemetry which tells me how popular my site or any given post is. I share things on the Fediverse and occasionally get some nice replies. Other times I am mentioned in other places on social media wherein someone was inspired or otherwise liked something I wrote. These are good feelings, but I don’t chase it. My site isn’t monetized, my career / livelihood doesn’t depend on post performance, page views or ads. I just write, publish, share - then repeat. I encourage others to follow this same formula. Just be yourself.

WeblogPoMo 2024

mike@shellsharks.com (Mike) — Tue, 30 Apr 2024 08:38:00 -0400

Last year, I participated in my very first NaBloPoMo, whereby I attempted to post some writing/content on my site each day for the entire month of November. This year, I have discovered a new blog-posting-month, WeblogPoMo which is pretty much the same thing, just in May. So, I have decided to embark upon another daily posting journey, you can see I am listed as one of the WeblogPoMo 2024 Participators!

As I publish throughout the month, I will maintain a list of each piece below.

Be yourself.
Ranking fry cuts
HIRING::::URGENT!::SECURITYSPECIALIST:::REMOTE
/Interests
Favorite movies
An Ode to Lost Friends
/Chipotle
Crystal Six
Blogging Methodology
Songs I was feelin’ in 2020
CSC at Home (Part 1): Hardware Inventory and Control
CSC at Home (Part 2): Software Inventory and Control
CSC at Home (Part 3): Vulnerability Management
One of us
Nostalgia Music
Powered by Castopod, Hosted by K&T Host
Trying Harder: A Live OSWE Memoir
Mission Control snapshot
Bowser’s crimes
36 things
CTF vs Enterprise Security
R7 Attack Intel Report 2024: A few takeaways
Stracting myself
Podcasting steps
Memorial Day Break!
Memorial Day Break!
Memorial Day Break!
/Slashes
Captain’s Log, Entry: May 29, 2024
5 years
WeblogPoMo 2024 Retro

Follow @Pomo@beep.town to see content from across the web-logpomo!

Fediroll

mike@shellsharks.com (Mike) — Mon, 22 Apr 2024 14:21:00 -0400

I’m pumped that #blogroll’s are back but in the spirit of sharing follow recommendations for folks on the #fediverse, not just the #indieweb, I wanted to introduce the idea of a #fediroll. This is simply your shortlist of accounts you love and would recommend others follow! Here’s my starting 10 below (there’s many more I’d like to add in the future).

Some added context - I see a lot of people new to Mastodon who ask, “Hey I’m new here who should I follow?”, and up until recently I’ve been directing them to my blogroll since I have Fediverse handles included there for those behind the blogs I enjoy. But there are many others on the Fediverse that are great that don’t also have an active website presence. For those folks, a different “roll” was needed.

You may also notice that many of those on this list I don’t directly follow with my main @shellsharks@shellsharks.social Fediverse account. This is because I follow them on other alt accounts that aren’t more dedicated to infosec. I’ve written a bit about why I run multiple accounts on social media before for those interested.

The Fediroll is something I will continually add to and maintain, keeping it pinned in my Mastodon profile as well. Would be awesome to see this become something more widely adopted as blogrolls have started to be.

Having a website isn't about blogging, it's about you

mike@shellsharks.com (Mike) — Wed, 17 Apr 2024 09:09:00 -0400

A lot of people choose not to have a website because they believe they have nothing to put there. I believe they think this because they equate “having a website” with “having a blog”. But this isn’t the case! An IndieWeb site for example is nothing more than having your own domain where you have published something to it. That something could be anything! Sure, a lot of websites do have some sort of “blog” component where the site owner publishes new content at some interval but this is not a required characteristic for a website. There is in fact a lot of really fun things you can do with a website without ever needing to post content in “blog” format. In fact, the IndieWeb itself is not about blogging, it’s about you.

So what can we put on a website if not a blog? Blogging is afterall, time consuming and expectation-laden. So instead, let’s do some simpler, more fun things that I believe almost anyone has to share.

About: Start with an “about” page! There is no standard format, just write whatever you want to share about who you are, what you like, what the site is about, really anything!
Blogroll: A “blogroll” is a simple page meant to share and link to other sites on the web that you like. If you’re on the Internet, there has got to be places you enjoy going. Typically this focuses on other indie sites but you’re free to share whatever you like!
Ideas: An “ideas” page (typically located at [site]/ideas) is also a simple concept. Just list any ideas you have for your site, for other projects you have, for things in your life or just ideas in general. There is again, no real format. Just what ideas do you have!
Notes*: A “note” is basically just any short piece of writing. Notes are to a site, what a post is to a microbloging site like Mastodon or Twitter. The idea is that any silly little 10 word post that you might drop on social media you could also publish as a “note” on your site. So consider instead of having traditional full-length “blog” posts, you could instead microblog directly on your site. Publish whatever you like, no matter how long it is. It doesn’t need to be well-researched or even coherent. It is your site and you can just note things into the Internet void. The concept of a note allows people to effectively “blog” without all the expectation that comes with normal blogging.
Now: A “now” page is probably one of the best IndieWeb additions to a site that anyone can do. A now page (typically located at [site]/now) is a place for you to write about or list just things you are up to currently. What are you listening to, working on, reading, watching, learning, thinking about, or just “doing” in general. Everyone is doing something, so you can just put it on this page! It isn’t really meant to be serious so there is no real expectation. Just a fun thing to do.
Social Links: A simple feature for an IndieWeb site. Just put some links to other places you exist on the web. Social media sites, email, whatever!
Uses: A “uses” page is where you share anything you are using. What software, what tools, what kitchen appliances, literally anything. Everyone uses things, so you can write about them or simply list them out here! (A Uses page is typically located at [site]/uses)

So as you can see, even without a blog, you can share a rich set of things on a personal site. You can update these single pages when you feel like it, and make them uniquely yours as none of them really have any expected format. Make the site yours, the web is ours.

If you've gone ahead and made your site but are looking for more inspiration or things to do, you could read about why I blog, a list of other things to add to your site, using your site as your identity, other website content types and really all other things I write about blogging. Have fun!

Favorite iPad apps

mike@shellsharks.com (Mike) — Tue, 16 Apr 2024 11:27:00 -0400

@kir5ty My top (3rd-party) iPad apps FWIW… (in no particular order)

Fantastical (calendar)
Textastic (text editor)
Working Copy (Git client)
Obsidian (knowledge mgmt)
Proton mail
1Password
Reeder (RSS client)
Tydlig (calculator)
Delta (game emulator)

I also really enjoy a lot of the stock Apple apps and prefer them over 3rd-party alternatives (i.e. Safari, Reminders, Music)

Edit: Oh and the PDF app I use is “PDF Expert”. Not sure what it costs these days but its easy to use and works well.

Nostr vs. Mastodon

mike@shellsharks.com (Mike) — Mon, 15 Apr 2024 12:17:00 -0400

@Rabble, a Nostr advocate and developer recently posted a list of shortcomings of Mastodon / ActivityPub as it relates to Nostr. [1]

Intro to the post below…

In part of our launch of the Creator and Journalism Accelerators note1z866al6xs9xhnlqgwt0lkxr9lrynstyc52ls29sej96hfxpwxzws5u3m9u some people have asked why we’re doing this on Nostr and not ActivityPub and the Fediverse. It’s a good question, and the answer for me is about the way both the protocols and the culture of the people creating them work. I wrote this out here in a reply, but it deserves it’s own post. So here’s my why Nostr instead of Mastodon & ActivityPub.

Here’s his list of things that he believes are shortcomings of Mastodon & ActivityPub… (I’ve numbered them to more easily address them later.)

There are a lot of things that Mastodon & ActivityPub can’t do.

User identities are tied to a server; if the server goes down, you lose your account, as happened when queer.af had their domain name seized.

Users can’t migrate between servers. In some servers there’s a system where they can request a migration, where they can stop using one account and point their followers to a new account, but server admins need to allow this, and your followers don’t automatically follow your new identity on a new server.

On a single server, it is impossible to change your username!

Fediverse servers have total control over your account and data; they can see all of your private messages or write new ones on your behalf.

The fediverse is a network of fiefdoms, each server admin having total control over their users. Often they are benevolent and use their power to decide what behavior is acceptable on their server, but it’s opaque. Most fediverse server admins keep their moderation and defederation decisions secret. So, users must choose a trust and safety regime without any understanding of the rules and how they’re enforced. When combined with the very limited ability to migrate between servers, only with server admin’s permission, it’s a problem.

Each kind of fediverse server is isolated. You can use a Peertube instance to federate with other Peertubes for video, or Mobilizon for meetup-style events, or Pixelfed for Instagram-like photo sharing, or WriteFreely for blogs. But each of these is isolated. I need a new account on an instance of each of these servers. They all run the same protocol, but they aren’t actually interoperable. You can’t use a single fediverse identity with your profile and followers in Peertube, Mobilizon, WriteFreely, and Pixelfed. You need a totally separate account in each one. With Nostr, you can use dozens of apps all with your same identity, content, and followers.

The fediverse has no privacy; there is no system of end-to-end encrypted messaging. In Nostr, you can have private direct messages and even private groups that are encrypted. Nostr even supports encrypted private file sharing.

The fediverse has no system for micropayments. The zaps on Nostr enable easy ways to fund creators and journalists with either one-off tips or subscriptions to unlock paid content, like paid Substack newsletters or OF accounts.

Lastly, and most importantly for me, the culture of fediverse server admins and developers is vindictive. It’s a community that attacks people who make proposals or want to try out new ways of using the network. That is why there is no search, no ability to choose an algorithm, no private groups, no private messages, no system for payments, etc. Those have all been proposed or even built, but the fediverse culture has gone after those people, punishing them for suggesting new ways of doing things.

Here are my thoughts on what Rabble said…

Agreed. This is known weakness, though what happened with queer.af is certainly an anomaly. You can also mitigate this in other ways such as A. running your own server, B. choosing a more established/stable instance and/or C. deploying a Webfinger redirect to have your domain point to whatever your Fediverse instance handle is.
This is false. Mastodon, and many other Fediverse platforms do allow migration of an account to another server and the protocol has the ability to migrate your followers as well. Now that migration process is somewhat clunky but it DOES work.
I’ve never tried this, but it seems like a pretty small detail. I can change my display name if I want to though 🤷‍♂️.
Agreed. ActivityPub and DMs on AP platforms is not secure.
Agreed. There are many awesome servers that are run either as a community or by really great teams of admins/moderators. Others though, not so much.
This is debateable. The beauty of AP is the cross-platform experience I can get in terms of following and interacting with accounts on other services. Plus, with “sign-in-with-Mastodon” there is even more ability to have a single account across multiple apps.
Agreed. Though, social apps may not be the best mediums for “privacy” to begin with.
LoL. I don’t know what a Zap is, but if it’s anything “crypto” related, it’s hard to take it seriously here. Setting aside whether the entire cryptocurrency “thing” is a huge grift or not, I can at least comfortably state that its at best volatile in terms of popularity and still not mainstream enough where most would want to rely on it in this context.
Culture. This is an interesting debate point. Mastodon has millions of users and yes, there is a very opinionated minority that is somewhat reflexive and defensive for many reasons. But Mastodon, and the wider Fediverse (now especially thanks to Threads) is incredibly diverse and that one group hardly speaks for the masses. Nostr on the other hand has been extremely mono-culture, that culture of course being weird Crypto-folks. I like Nostr, I think the tech is cool and the benefits for some are clear, but unless that community can outgrow the weird crypto-culture and make other parts of the service more “approachable” to regular folks, I don’t think it can take off in any meaningful way.

Security lone wolf

mike@shellsharks.com (Mike) — Thu, 11 Apr 2024 09:21:00 -0400

CIS Critical Security Controls and/or NIST CSF as frameworks to help put you in the right mindset. But so much of what you should do first depends on some variables imo.

What is your budget?
What already exists security-wise at your company?
What level of executive support do you have? Can you enact real change?
What is most important to the company? i.e. “Crown Jewels”
What does the network/infrastructure/endpoint environment look like?

Once you answer these questions then you can get a better idea of where to spend the limited time / money you have. The CSC will likely tell you to tap into an inventory and do some form of Vulnerability Management. This is a decent idea as you need to know what you are trying to protect and also catch low-hanging fruit via vuln scanning. Instrumenting endpoints (EDR) or gaining visibility into your infra is also important but which do you pick first? e.g. Crowdstrike is awesome but expensive. No one solution is a silver bullet.

Have a plan, create a reasonable roadmap, figure out your companies risk threshold, ask for more resources depending on what level of risk they’re willing to accept and how quickly they want things implemented.

The joy of incremental website improvements

mike@shellsharks.com (Mike) — Thu, 11 Apr 2024 00:51:00 -0400

I’ve been thinking about this post https://jamesg.blog/2024/03/04/incremental-website-improvements-joy/ from @capjamesg@indieweb.social and it just really hits home. My site has been around nearly 5 years and in that time I have gone through very active periods in terms of working on / writing for the site and very much inactive periods. But to see it now, knowing where it was 5 years ago is an immense source of pride and getting from there to here, 733 commits later, has been nothing less than real joy - one little change at a time.

#indieweb

Indieweb chat: CSS naked day & community

mike@shellsharks.com (Mike) — Mon, 08 Apr 2024 23:03:00 -0400

@eb@social.coop One of the things I like most about my #indieweb site is everything I’ve put into its design via the CSS. To remove it seems like a cool enough flex in terms of playtesting your HTML-fu but less so (IMO) in sharing your unique, authentic self which is what makes indieweb so fun. That said, I would like to participate in the future 😅.

For socializing and search: Use the #indieweb and #indiewebchat tags here on Fedi. I’ve documented indie search engines as well.

Explore the IndieWeb

The Activity feed

mike@shellsharks.com (Mike) — Mon, 08 Apr 2024 12:54:00 -0400

Pushing further into #indieweb *stuff*, I’ve just published v1 of my “Activity” feed, a unified chronological timeline featuring all of my site notes, posts and logs.

https://shellsharks.com/activity

In the future, I’d like to bring in some other content from around the web as well (e.g. other Mastodon posts, Lemmy discussions, etc…)

This feed was inspired by the following sites…

Thanks! (cc: @molly0xfff@hachyderm.io @jkottke@saturation.social @aaronpk@aaronparecki.com)

Does Meta want to destroy the Fediverse?

mike@shellsharks.com (Mike) — Thu, 04 Apr 2024 14:41:00 -0400

There is a lot of consternation within the traditional “Fediverse” community around what Meta’s entrace means for the future of the network. Setting aside fears around moderation, surveillance capitalism, data harvesting & other threats to marginalised communities (which I admit are very real and valid things to be concerned about), one main fear seems to be that Meta wants to completely destroy the Fediverse via the classic “Embrace, Extend, Extinquish” (“EEE”) approach. For this one particular fear, I think we can feel somewhat safe.

A post from @argv_minus_one@mstdn.party

Defederating #Threads will, however, stop Threads from drowning out the entire rest of the Fediverse.

The result of federating is that Threads is the Fediverse now, and the rest of us are just the silent periphery that no one cares about and aren’t even allowed to speak to Threads users (the federation is one-way). This kills the Fediverse. Easiest #EmbraceExtendExtinguish ever.

Here are my thoughts on EEE as it relates to Threads vs Fedi…

Thanks to our feeds here being follower-defined and not “algorithmic”, I don’t see how Threads posts (and thus Threads itself) could drown out my feed or anyone else’s feed unless they (the Fedi account) consciously decide to overwhelmingly follow Threads accounts. Plus, since we have access to Threads posts (for now) and not the other way around, this in some ways gives us MORE capability than those natively on Threads. ¹

(One reply I received on Mastodon was around Threads-borne posts homogenizing the “All Servers”/Federated timeline. This is an interesting concern. I’ve never found that view to be of any particular use as it is already just a completely unmanageable stream of stuff that is not of interest to me, but if you are someone that has traditionally found it useful, maybe having Threads overwhelm it could be a valid (if not niche) concern for you.)

Now I can understand how you may see this as, “the traditional Fediverse is muted because our posts are not federated back” (this is presumably temporary as Threads continues enabling full Fediverse support), but this only amounts to having discussions siloed here vs there which is no different than how it was before they began the beta. I don’t see how Threads enabling any level of Fedi support makes their platform more attractive than staying here. If audience is all you care about (for example), Threads had this as a “threat” to Fedi from day one. ²

I think Threads can play in the Fediverse sandbox without the intention of destroying traditional Fedi. I’m not saying they don’t have the same surveillance capitalist goals for first-party users of their own platform but I think there are good reasons for them to enable AP support beyond trying to crush us or harvest our data. ³

Other large platforms have already started going the Fediverse path (i.e. Tumblr, Wordpress, Flipboard, Mozilla, Medium, etc…) and if Threads didn’t do this then someone else might have. *If* (and I realize it’s a big IF) they enable FULL AP support which in theory gives people the ability to move their accounts OUT of Threads (as they have indicated they are planning on doing), you might think this is a vulnerability for them in terms of platform lock-in. ⁴

But I think they have the hubris to believe they can build a platform superior on features and Local audience that they need not fear traditional Fedi. ⁵

Note: I should qualify that I am cursed with naive optimism 😅.

I think what I mean to say is that the people who are here (on Fedi) are here because of what Threads isn’t, and what they can’t be. Everyone else is already on Threads or X-Twitter. Threads goal is to suck out what remains of Twitters user-base, enable AP-based Federation to block out Bluesky (and perhaps achieve some regulatory requirements around platform lock-in) and then play ball with other (previoulsy mentioned) large ActivityPub players. ⁶

The thing is, Mastodon has been humming along just fine since 2007 or so, long before Threads came along and all through the rise and fall of Twitter. There are communities there that are not going to leave and do not need more people to sustain themselves. They are insular, and self-sustaining (quite literally). Yes, there are prominent individuals within the Fediverse who are eager to grow the userbase and they see Threads federation as a mind-boggling huge win to that end but the failure to achieve native growth or growth by extension via Threads is not a death knell for the Fediverse. So as I’ve written before, Mastodon (or more generally, the “Fediverse”) will never die.

While we’re on this subject, I wanted to take a minute to conduct a mental bake-off (i.e. brainstorm) around what benefits we get by being on Threads vs. the “traditional Fediverse”.

Threads Pros

Larger audience / Local userbase
Algorithmic feed (if that’s your thing)
Fancy schmancy, well-designed client
Faster to market features (given they have billions of dollars and hundreds of talented engineers). It is worth noting that at this point in their development, they are vastly behind in features that Mastodon clients support
Easier to get signed up and started? (subjective perhaps)

Traditional Fediverse Pros

Mastodon is teeming with advantages over Threads, read more here

My conclusion is that Mastodon (specifically, as the largest and most developed of the Fediverse platforms) has an incredible and unbridgeable advantage as it compares to Threads. You used to be able to argue that Threads gave users access to a much larger network of people, but assuming Threads completes the act of bidirectional Federation, this advantage will be gone. Beyond that, its advantages are very minimal. Getting signed up for Threads is maybe a bit easier, sure. The algorithmic feed is nice if you are into that sorta thing (and many people I suppose are), but it pretty much stops there. I’m not saying that any significant majority of people will come to this same conclusion or “see the light” as it were, but I think these advantages are enough to keep enough people here that it is entirely immune to extinction.

Contrasting timelines: Fedi vs Threads

mike@shellsharks.com (Mike) — Thu, 04 Apr 2024 10:28:00 -0400

Here are some observations on who/how I follow on Threads vs Mastodon and the downstream effects those follow decisions have on my respective social timelines.

On Mastodon (and other “traditional” Fediverse platforms), you don’t have an algorithmic timeline. Which means when you follow someone, you are signing up for all of their posts, boosts and replies to populate your chronological timeline. Each is effectively weighted the same with respect to the amount of room they take on your feed and the time it takes to scroll past. For this reason, I (and I’m sure others) tend to be more selective of who we follow on Mastodon, prefering those who have a higher “signal-to-noise” ratio, i.e. they post more about subjects I care about. I’ve written about my methodology for deciding who I follow back before.

Meanwhile, on Threads, you are pushed to use the (notably non-chronological) algorithmic “For you” timeline which will of course feed you some posts from people you follow but also mixes in other things Meta thinks you may want to see or engage with. How this algorithm actually works is not public knowledge and is something Meta is likely tuning in the background on a near daily basis. As such, how and why things are prioritized in that timeline is incredibly opaque. Who you follow is only a small part of why you see what you see in your feed. What you “like”, what you reply to, what you linger on, what you click into, are all data points Threads can ingest to adjust what gets pushed into your timeline. Beyond even your own habits, Threads will deliver content to you based on what is being popularized network-wide, regardless of whether it fits your calculated interests (i.e. if something is going viral they may just send it to you). So who you follow is not as important, which means you are more free (so to speak) to follow people much more blindly and without as much selectivity. This has what I believe to be a somewhat negative effect on how your algorithm is ultimately trained. Since you are conditioned to give less significance to who you follow you end up following accounts who you might not otherwise follow based on their historical post portfolio. This will inevitably skew your timeline towards that mean.

Subjectively, I think the Threads algorithm isn’t awful. My timeline there is somewhat entertaining. But where it shines in spiritedness, it lacks sorely in substance. My Mastodon timeline is as I’ve discussed, a carefully curated mix of awesome people sharing an interesting and diverse mix of things. I’ve somewhat painstakingly built it to be this way over the years I’ve been on the platform. In contrast Threads is, and will continue to be, a platform designed to send you endless waves of xyz-bait posts meant to force engagement. This results in Threads being highly social in many ways, but again, lacking the substance that makes Mastodon so much more of a pleasure to use.

Breaking in is the hard part

mike@shellsharks.com (Mike) — Wed, 03 Apr 2024 09:27:00 -0400

In response to one Reddit user’s breaking into infosec plight…

Hey all

I’ve been trying to get a job in cyber for some time, specifically in GRC, but have found it incredibly difficult to break into it, always getting rejected with no further feedback. Due to this I’ve also tried applying in to entry level SOC and appsec. I have had my resume checked by several professionals of which they’d always say that I’m overqualified for entry level and be a great fit, but yet this seems to never be the case when I apply.

In terms of qualifications, I have a Software Engineering bachelor’s degree and a Cybersecurity Master’s degree.

I’ve got a lot of software projects including making discord bots, a twitter bot that would tweet whenever my ISP’s speed would drop, an AI turret, maglev device, rock paper scissors game on android, etc.

In terms of cybersec projects, I documented breaking into a virtual machine that had a vulnerable SQL service running, documented my creation and usage of azure active directory, setup my own cloud environment and for fun a steganography GUI that would allow a user to hide information in an image. I’ve used tools such as Splunk and Wireshark, along with having used cisco packet tracer to create multiple network configurations.

I don’t know if I need more projects to add to this list. Most of the projects i mentioned here are on my personal portfolio site, so I don’t understand if they’re too weak or if the hiring manager just does not check them out. I do list two projects on my cv, but I only list the most relevant ones to the specific job.

Here’s some ideas for things to boost up your resume.

Breaking in is tough. Not enough XP, too much XP, don’t have the certs you need, etc… It’s one artificial bullshit barrier after another. I experienced it, you’re experiencing it, pretty much everyone does. There’s no exact formula unfortunately. It seems more than anything it’s a numbers game, resume tweaking and pure perseverance that wins. On the face of it, your portfolio sounds great, and definitely one I would take a swing on if I was a hiring manager hiring for interns/entry level. I can’t be the only one. The market is pretty crap right now and the pool is being squeezed. Budget cuts, AI, layoffs, desperate senior engs taking down-leveled roles, increased competition at the bottom, I could go on… It’s not an impossible task though. APPLY to more jobs! Just keep applying. Every possible industry, be willing to relo, whatever you have to do. Breaking in is the hard part than it gets easier. If you’re clearable (i.e. no crim record and US citizen), consider federal work (which may require relo to certain areas). These is an evergreen area (thanks bloated US spending!) which has a ton of GRC work.

Good luck!

Infosec work life balance

mike@shellsharks.com (Mike) — Wed, 03 Apr 2024 09:21:00 -0400

A commonly asked question is whether infosec / cybersecurity is “stressful” and generally “what is the work life balance like?”. I think there are three main things that contribute to whether a job is stressful, none of them particularly unique to infosec.

The organization: Some companies have a work culture that is just, more stressful. This typically permeates throughout an entire org or department. Try researching (e.g. Blind, Glassdoor, etc…) more about a company before you join.
Your manager: Having a good manager is probably the most key factor in whether your job will be good or bad. This is hard to research before-hand but you can certainly get a feel for their management style in interviews before you join.
Yourself: A lot of job stress is unnecessarily produced by those of us who put too much pressure on ourselves. Often expectations are lower than we think and we can do ourselves a big favor by not taking things as seriously, drawing boundaries and taking time away.

One thing that tends to make prospective infosec professionals anxious is this idea that you have to be “learning at all times”. Though I will admit there is a lot to learn in this field, the demands don’t need to be nearly as high as you may fear.

Reverse Syndication, i.e. PESOS

mike@shellsharks.com (Mike) — Tue, 02 Apr 2024 13:11:00 -0400

“Reverse syndication”, i.e. archiving discussions I have elsewhere on the web (PESOS) on my site is very valuable to me for a few reasons…

I often find myself having the same discussions over time, so being able to quickly search for what I’ve said in the past and sharing that directly is helpful. Further, I can more easily add to my previous set of thoughts.
Stylistically, when I write, I like to include a lot of links, both to outside resources and internal things I’ve already written about. Building this knowledge graph is great as my own site is my primary resource for learning and retention.
Not only will I forklift discussions straight from social media and archive on my site, but I often take the time to enrich it with more thoughts, context, resources and links. So for those who subscribe to my feeds, they get bonus material.

It’s worth noting here that now that since moving to my personal Mastodon instance, running vanilla Mastodon, I am limited (to 500 chars) in how I can write longer posts without spamming the timeline with a long detailed thread of child posts.

I encourage others who are active on social media (or elsewhere, such as places like Reddit) to create a site and document their own discussions directly on the site. This helps you centralize your thoughts and index the more valuable/repeated things you say.

#indieweb #POSSE #PESOS #infosec #cybersecurity

Cybersecurity: A life-long pursuit

mike@shellsharks.com (Mike) — Tue, 02 Apr 2024 12:05:00 -0400

A redditor asks…

So I know that Cyber Security is a field with a lot of knowledge that needs to be gained and I am aware that it changes everyday and you can get left behind. But surely there is a point where you reach a level where you have done the majority of the learning and dont need to sit down all day long studying right? How much studying really needs to be done once you have experience? Cyber interests me and I am enjoying my learning so far but having a life outside is also important in my opinion. I dont want to not find a gf because I have to sit down learning CyberSec nearly everyday lmao

So what do I think?

As a human, you are probably going to need to life-long-learn regardless. But I know what you mean. The answer is somewhat nuanced. No, you don’t need to be reading white papers every day and doing cutting edge research to succeed as a general security practitioner. I’ve worked in the field for nearly 15 years and 95% of people I encounter are pretty much bare-minimum kinda folks. That said, the IT industry moves fast and security must try to keep up. This means spending some effort staying on top of trends, tech, attacks, etc.. The good news is the basics have not and pretty much will not change. We still talking CIA triad out here folks =P

Adding more to this…

Not everyone has to love their job, but I think infosec/cybersecurity is fun and affords a lot of luxuries for people who are interested in pursuing it as a career (e.g. remote work, high pay, new things to learn, lots of mobility opportunities, etc…) It can be intimidating and a little exhausting to constantly stay on top of things in the industry but its doable! I’ve posted before about how I personally keep current in infosec and where I find the time do so.

The current infosec job market

mike@shellsharks.com (Mike) — Tue, 02 Apr 2024 11:51:00 -0400

I see a lot of questions about the infosec / cybersecurity job market…

Where are all the infosec jobs?
Is there really a massive shortage of talent in the field?
What is the current infosec market like?
Is the market for infosec professionals over-saturated?
Is the future bright for infosec?

I wanted a single place to try and gather my thoughts and provide some responses…

On the topic of the supposed “talent shortage”, there was this interesting read that was published recently. Here’s what I think…

I think there is a shortage, but from a supply & demand perspective, it only really applies to experienced / qualified professionals who possess certain skills. What I mean is that companies are looking for more senior individuals to fill their cybersecurity roster rather than taking a chance on more junior folks and training them.
Further, there is a shortage in terms of the amount of cyber folks companies need versus what they are willing to pay for. Most companies try to get by with as little as possible until they have a security incident, then they tend to hire a bunch. So a lot of reporting will say that SO MANY CYBER POSITIONS ARE NEEDED, despite not that many actually being open.
Gatekeeping. I see a lot of positions that stay open FOREVER because hiring teams are just too picky or unwilling to hire and train.
Competition. More and more people have caught wind of infosec and there’s just a lot more competition in the space.
Nowadays there are lots of other crises in terms of budgets, economy, pleasing investors which leads to layoffs, etc…

How is the market right now and will it stay strong into the future?

I would say the future is still relatively bright for infosec. Tech continues to grow and so do investments in it. Hacks are becoming more prevalent and government regulation is making strides to catch up. Regulation will mean companies are required by law to do more in the security space which will require companies to invest in people and tech to comply. Despite a recovering economy, we are currently experiencing an era of layoffs thanks to a number of factors, e.g. employer-employee power struggle, play testing AI, rampant corporate greed, political undercurrents, etc.. This too shall pass. Honestly I’m not sure what I would do if I wasn’t in tech. What exactly is a safe profession these days? Medicine?

Should i even get into cybersecurity?

I don’t think the market is oversaturated, but I do think there’s more competition than ever at the “bottom” (entry/junior level). Like many other IT disciplines, salaries are pretty good, even from the start, the hard part being breaking in in the first place. To be fair, it’s always been this way for cybersecurity, specifically even before the “boom”. But yes, you will need to study, get credentials, get skills, apply yourself likely even before you even get your first job (i.e. home lab, CTFs, training, etc…) but you absolutely can do these things if you are interested in the field.

Feel free to check out my “guide” for getting into the field if you’re interested.

Discussions

Other

Cybersecurity is full!

Should Meta re-make Reddit?

mike@shellsharks.com (Mike) — Mon, 01 Apr 2024 23:30:00 -0400

Meta should come out with a Reddit clone and federate that. Because Reddit sucks now.

This sparked quite a bit of discussion on Threads! I’ve pulled some of the more interesting threads out below.

What happened to Reddit?

It’s been a long(ish) saga but the main points off the top of my head…

Effectively killed third-party app clients (RIP Apollo)
Hostile towards and threatened subreddit mods (during the Reddit strike)
Made weird AI partnership with Google to sell off all posts data
Waste all their money on the CEO instead of making the platform better
Probably other stuff I’m forgetting tbh…

Their army of unpaid mods are now banning people for being against genocide because it’s uncivil. Reddit may as well get bought by Elon at this point because it’s a cesspool of hate.

Yeah and they’ve rolled out some thread monetization scheme which incentivizes crappy posts meant to rage-bait. Hence why you see this sort of nonsense.

So that’s why there’s suddenly a bunch of Ai generated “am I the asshole” posts on the front page. People think they are passing judgment on something that is real lol. I used to use Reddit a lot until they killed 3rd party apps. It already was low quality the way you can make a detailed post that calls on your decades of professional experience only to get told you are wrong by children or outright deleted by a tyrant who thinks their subreddit is their personal magazine they are editor of.

Even if Meta cloned Reddit, it would have the same problems as Reddit. Reddit’s problem is hive mentality upvoting stuff that resonates with them rather than actually correct information. This is compounded by Dunning-Krueger and Gell-Mann Amnesia phenomena. It’s not because of something unique to Reddit, it’s the nature of the upvote/downvote style ranked message board.

I mean if you haven’t ever liked Reddit that’s one thing. But I (and a lot of other people) really liked what Reddit used to be, up until really not that long ago. I’m not saying it’s never been flawed, but it was pretty good at facilitating discussions, building communities, etc… I don’t see Reddit reversing some of their bad decisions, so maybe someone else can swoop in as Meta did with Threads when Twitter imploded and stand up a worthy competitor.

@mk3s: I have 13 year old Reddit account and use it pretty regularly. What I’ve learned is that Reddit didn’t really change that much for the worse, its users grow more mature and start noticing the flaws a lot more but they’ve always been there. Real world example of this is the old heads talking about how the world isn’t how it used to be back in their day, repeat ad infinitum. Threads is too new but it’s already starting to have Twitter like problems. We’ll see how this goes.

Yeah I was on Reddit for 12 years and used it pretty heavily. I’ve gone back and tried using it since the whole blackout/reddit protest/API debacle and admit that on the surface things have mostly just kept on keeping on as they always had. So in that way, the experience is not terribly degraded. But I think they are at the inevitable point in our capitalist dystopia where they have nowhere to go but enshittify and extract as much money from their user base as possible before they get bought.

They already have a product similar to Reddit, Facebook Groups, although they should make it a bit more like Reddit imo

I want a reddit alternative to succeed, I’m not sure I want Meta behind it

Yeah agreed. I’m already using Lemmy as my main Reddit alternative and there’s some OK activity in the communities I am in. But unlike Mastodon, I don’t thing the Fedi-Reddit clones have reached critical mass and could benefit from a large player who could bring more activity. That said, I think my distaste for Reddit (to the point where I’ve stopped using it) is a minority view and for the most part, Reddit (and its users) have kept right on Redditing despite its enshittifcation 🤷‍♂️

I totally see what you mean and to some extent I would agree that a meta entry in the space could be beneficial, but it would feel more and more of a monopoly on social spaces around the internet and a bigger opportunity for meta to take over everything but yeah it’s like there is no good option for a big company to push for federated forums ig I have mostly stopped using reddit too since the API stuff but I agree probably people are just carrying on bc there is no other place like it

Yeah don’t get me wrong, I’m no Meta fan-boy. I’d say I somewhat reluctantly enjoy using threads even. But I gotta admit they’ve done a good job so far and since they are Federating, I am holding on to the hope that I’ll be able to main my Mastodon account and have discussions here still. It would be hard for someone to compete with Reddit’s mindshare in that space at this point but given how valuable Reddit’s data pool is, maybe someone like Meta would try. Ideally, Lemmy can gain more traction

Lemmy exists

Yeah I’m familiar with Lemmy and other existing Fediverse-borne reddit clones (e.g. Kbin, mbin, sublinks, etc…). They are great and ideally I’d see those adopted over a large player introducing a Reddit competitor. But much like Threads, if a big-tech org pioneered a federated (build on ActivityPub) Reddit clone that could interface with Lemmy/Kbin and drive adoption then I think that’d be a win.

Yeah and I honestly think they could pull it off with a slick app and some killer features like regular celebrity interviews, like on Reddit back in the day before they got rid of Victoria Taylor. Market the hell out of that and find hip artists and prereleases of music or games in various deals through exclusives, whatever, they could probably be a serious threat to Reddit. Reddit is getting awful and is mismanaged.

Besides ads or selling access to training data for AI, how would that be sustainable for Meta? Although I have higher confidence in Meta as a company to run a social platform, I fail to see how a Reddit clone would end up any differently than Reddit. Federating just means that content would be allowed to leave the platform, not necessarily that any of the existing moderation-related problems would improve.

It’s more can they harmonize the business / money-making aspects to it while also not being user hostile or enshittifying? The problem with Reddit isn’t the fact they want to monetize. I don’t care if Reddit goes for an Ads play, or makes AI-content deals, its rather the way they’ve gone about making these changes, all at the significant detriment of the usefulness of the site and the goodwill they earned from their user base. The federation aspect is really just something I personally like

There are federated Reddit clones, why would Meta make one?

Market opportunity (i.e. flagging Reddit), AI-driven data harvesting, money-making opportunity, cornering more markets, etc… I mean they entered a VERY crowded Twitter clone market because they saw the opportunity to take market share from a wounded Twitter and it looks like that could work out in their favor.

5 fingers, 5 liquids

mike@shellsharks.com (Mike) — Mon, 01 Apr 2024 11:23:00 -0400

I’m not a big April Fools person but in the spirit of silliness, here is a thought experiment / game to play…

My wife was listening to a podcast* which asked, “If you could (magically) make each finger on one hand produce a liquid, what 5 liquids would you choose”. My current list (and briefly why I chose it) below…

The five liquids.

Water - the obvious one. life sustaining and versatile
Gold - Printing $$ pretty much yeah?
Protein Smoothie - Has just about everything in it I need. My smoothies consist of milk, greek yogurt, fruit, vegetables (sometimes), almond butter & protein powder
Lava - Self-defense. You wouldn’t mess with someone with a lava finger would you?
Gasoline - Could be used for generator, fueling a sweet RV, tons of stuff…

Considering changing one to beer though…

*Note: (not sure what the podcast was)

Why does the Fediverse churn?

mike@shellsharks.com (Mike) — Fri, 29 Mar 2024 23:53:00 -0400

@multiverseofbadness Though a lot of people might point at HoA culture as a primary reason people are driven from here I think it’s something else…

No algorithm means you are fed a finite amount of things which is a factor of the amount of people you follow, and in turn how active they are. Once your timeline runs dry, you go elsewhere. In other words, this service does not try to capture your attention and keep you here.

The answer then is to find new content, i.e. new accounts to follow, but discoverability is notoriously middling here. Some very basic trending, boosts from your follows, hashtags (which most people don’t know about) are the tools we have and I think more is needed to help people find those that are here and active, which should in turn keep others here.

So until then, people have to put effort into manual curation and pruning of their feeds and this is hard for folks.