In the bustling cyber security operations center of a top-tier banking institution, two analysts, Sergey and Ionis, were intently monitoring the network for any signs of suspicious activity. Suddenly, they noticed a series of strange anomalies that looked like the beginning of a massive cyber attack.

“This looks like a nation state attack,” said Ionis, furrowing their brow. “We need to alert the incident response team immediately.”


This post tries to consolidate information available across multiple websites on the topic of securing a Mastodon server. (Where available, I linked to’s wayback-machine for long-term access.)


Attended NolaCon (in New Orleans, LA) for the last three days and had a blast. Also contributed by speaking about “How to build your First SOC”; you can find the slides here.


I try out different Linux distros for my personal computers quite often. (Right now I'm running Manjaro on my laptop and Ubuntu on my personal workstation.) While hopping through various Linux distros each year, I observed that some distros have a better security posture by default than others. Good default security settings are important because a lot of users won't bother to improve the security of their desktop OS by fiddling with settings or installing extra software.

So I decided to do some research and document the results in blog posts here. I will choose the distros based on their DistroWatch ranking, starting with MX Linux. In this post I will define all the tests I run through when reviewing the default settings of a vanilla install of each distro.


This post tries to summarize the key steps to take for an effective Privileged Access Management program. Segmenting privileges in an Active Directory-based IT infrastructure is a key defense strategy against automated as well as human-operated ransomware attacks.

Key Challenges:

  1. Domain Admin group members have global privileges
  2. IT staff has local Admin privileges on all workstations
  3. The local Administrator account has the same password on many/all systems
  4. Passwords of highly privileged accounts aren't rotated frequently
  5. IT staff's normal user accounts have high privileges

The problem with the above is not that IT staff will misuse these privileges – The problem is rather that if one of the IT staff's privileged accounts is compromised, an adversary can move laterally very easily and quickly cause a lot of damage (like encrypting all the systems they get access to).

Let's look into mitigating strategies for the above 5 Challenges!


The Fediverse is a vastly different place than Twitter. Functions like the Local Timeline and server announcements in Mastodon create communities that feel way more like real communities than, let's say, #infosec Twitter.

Things are just more civilized on Mastodon.

However, there are users on Mastodon who use cross-posting integrations to toot all their Twitter tweets to Mastodon. This causes the following issues:

  1. High frequency tweets flood the otherwise civilized Local Timeline of the user's home instance.
  2. The Mastodon user account becomes more or less a bot – You cannot interact with it because the actual human never logs into Mastodon to check notifications there.

For the above reasons I have decided to limit such user accounts, going forward, on the two instances I'm responsible for. Below is a description of the 'Limit' moderation action.


As a fellow #infosec practitioner I enjoy maturing the Cyber Security capabilities of the organization I work for. And as we make progress almost every day, I keep thinking about what the perfect state will be like and whether a state of perfection can ever be reached.

So, what does a perfect state of Cyber Security Operations look like?


Cyber blue team leader by day, tinkerer/hacker at night. Designing secure systems and traveling the world is what I like. Unfair, harsh, inconsiderate behavior is what I don't like.

Twitter: @iocseb | Mastodon:

I work in #infosec, have a history with #opensource, and am passionate about #decentralization (the one without the crypto).

I recently gave a public talk at NolaCon in New Orleans, the slides are available here.

One of my hobbies is to play soccer, another one is trying out Linux distros. As a way of giving back to the FOSS community, I run two Mastodon instances: and

I also run and sometimes add content to a Cybersecurity Wiki:

And I have a Gemini capsule at gemini:// (via https gateway)

I especially dislike business models that rely on the sale of personal information. When I was studying the impact of computer science and the Internet on human societies in college back in the early 2000s, I doubted that anyone would ever want to give away their info in return for free services. History has taught me otherwise.


It is probably a good time to share books worth reading – Below you can find my favorite #infosec books.

Sandworm (Andy Greenberg)

Sandworm (Amazon) is currently my favorite because it gives you an understanding of nation-state actor capabilities. It gives you good reasons for making excellence in cybersecurity a habit and not an act.

The Cuckoo's Egg (Cliff Stoll)

The Cuckoo’s Egg (Amazon) I like because it is set in a time so long ago, with inferior tech, and is a good reminder that things used to take forever. Today we do so many amazing things in a matter of minutes or hours (our adversaries do too) that we forget about all the little details that have been automated by tech.

Cult of the Dead Cow (Joseph Menn)

Cult of the Dead Cow (Amazon) is a book that explains a lot about the hacker culture in the US. This one might be a little nerdy but also gives some insight into how the US government came to understand cybercrime.


Key Performance Indicators (KPIs) are what people in business generally use to measure the performance of a business function or team. In the cybersecurity world we are blessed (or cursed) with plenty of KPIs. And even in the cyber sub-section of phishing we still have a lot of metrics that email security vendors force on us – Here are some examples:

  • Number of hard spoof emails blocked
  • Number of soft spoof emails blocked
  • Number of phishing emails quarantined
  • Number of malicious attachments quarantined
  • Number of phishing URLs blocked
  • Number of phishing emails reported by users
  • Number of phishing test failures

Now, let's take a step back! Do any of the above metrics make sense to a normal (non-cyber) person? And who is giving you your cyber budget again?