Email or username:

Password:

Forgot your password?
Darius's posts Post Back to profile
Top-level
Darius Kazemi

But also: this could be a mass harassment vector for journalists! Someone goes to trust.txt, scrapes every account there, and harasses them.

But I do think that once you say in an official capacity "I am affiliated with [org]", you have to assume that anyone can find that info and can and will scrape it even if there isn't a directory available. idk. tough design space

15 Nov 2022 at 22:02 | Open on friend.camp
10 comments
blaine

@darius there's something interesting there. Thanks for sharing, filed in "folksprotocolonies" and labeled clearly "DO NOT ATTEMPT TO BIKESHED" 😅

15 Nov 2022 at 22:06 | Open on mastodon.social
Darius Kazemi

@blaine I will whack you with the no-bikeshedding stick if I have to

15 Nov 2022 at 22:07 | Open on friend.camp
blaine

@darius thank you. I know I can count on you. 🏑❤️

15 Nov 2022 at 22:09 | Open on mastodon.social
[DATA EXPUNGED]
Malle Yeno 🦝

@darius I'm interested in this idea, could you elaborate on it?

- What stops a malicious actor from spoofing a trust.txt and using that as validation in a similar way to phishing? ("verified by 'nytines' dot com", etc.) Would sites needs a whitelist of valid trust.txt sources?

- On a related topic to the harassment vector point you had: how would you sell trust.txt to orgs that are interested in verification but do not normally want contact exposure for some personnel? (ex. directors and exec)

15 Nov 2022 at 22:36 | Open on tech.lgbt
Darius Kazemi

@malle_yeno

(1/2)

- you're right, spoofing is simply always going to be a threat where DNS is involved, but also anyone could spoof the service that I mention in the original post too the same way. "fedifeid" or whatnot. solutions that get around that are huge crypto-based things that are unlikely to play nice with IT infrastructure at say, news orgs

15 Nov 2022 at 22:39 | Open on friend.camp
Darius Kazemi

@malle_yeno

(2/2)

- it's a necessary tradeoff. if an exec wants to say "I am truly CEO of CorpX on LinkedIn" then the point there is to publicly broadcast that that is who they are. This is about linking public profile information to public institutions (at least in the journalism context here)

15 Nov 2022 at 22:40 | Open on friend.camp
alys

@darius i guess the advantage of an instance like journa.host (or even a nytimes-specific instance) is that they could be keep an eye out for attacks targeting newsrooms' entire trust.txt lists and possibly handle it faster or more efficiently.

on the other hand, that might also overwhelm the moderation capabilities of a particular instance.

15 Nov 2022 at 23:39 | Open on selfy.army
Jan Adriaenssens

@darius To verify accounts associated with a public website (like newspapers or broadcasters):

You could diminish the "harassment" aspect by having the "trust.txt" document actually be a list of *hashed* accounts.

So when you want to verify whether an account is associated with a website, you can check this one-way (without being able to scrape the full trust.txt).

16 Nov 2022 at 8:47 | Open on mastodon.social
Go Up