Mastodon Stats

May 3, 2018

I’ve been taking a closer look at the world of ActivityPub and related federated social networking standards.

Mastodon is probably the most widely used implementation of ActivityPub today1. Here are some random stats I gathered, current as of yesterday:

  • I was able to identify 2,621 public Mastodon instances.
  • Across these, there appear to be 1.23M registered accounts.
  • In the last week, there were 111k accounts that actively published content.
  • The largest single instance is, run by the Pixiv Japanese artist community, which appears to account for a quarter of both registered and recently active users (at 368k and 33k, respectively).
  • Three of the top five largest instances, which in sum account for almost 50% of the entire network’s accounts and activity, are based in Japan.
  • One of the largest instances is, an “open and free community for sex workers” that appears to have been created in light of the FOSTA and SESTA bills.

The entire network reports slightly over 121 million “toots” across Mastodon’s entire history; for comparison, it’s estimated that there are 500 million tweets every day — that means a new Mastodon is created on Twitter roughly every six hours.

[1] Okay, it’s not strictly an ActivityPub implementation; there’s a more involved history that’s not relevant here but is worth reading.

Audacious Goals

April 17, 2018

I’m a boostrapper by nature. I typically look for low magnitude outcomes with a high probability of success that I can tackle with a small team. Today’s software world is full of these, ripe for the picking.

Lately, however, I’ve been thinking about the other end of the spectrum.

Audacious goals are low probability but, at their grandest, have the potential to effect high-magnitude systemic change in the world. They’re also notoriously slippery beasts; it’s hard to see their shape at the outset.

To grapple with the biggest challenges, I find myself asking two simple questions:

  1. Assuming success, what should be quantifiably true of the world tomorrow that is not true of it today? (A single razor-sharp test is ideal but can be hard to find; a small set of slightly duller tests, some high percentage of which ultimately prove true, might suffice.)

  2. What separable pieces can be built today that will likely be accretive toward the final goal?

By taking small concrete steps while holding the desired quantifiable outcomes as our North Star, perhaps it’s possible to slowly illuminate the shape of the beast. Then, one day, when it’s least expected, we can grab it by the tail.


December 2, 2017

Andrew Louis is building a modern Memex. He’s also writing wonderful short-form essays about the history, technology, and politics of personal data.

In the past, when I’ve written about indie web projects, I’ve tried to make the point that they won’t succeed unless they offer fundamentally new and compelling features. Louis makes this same point with much more eloquence:

“Controlling your personal data is an ideology, not a feature.”

As I build my Memex and work on launching it as an app for others, I have to remind myself that products need to solve problems — simply fulfilling an aesthetic about data ownership isn’t enough.

With this in mind, I think Memexes are fertile terrain well worth exploring. Back in the late 90s the web flirted with Memex-y ideas in the form of (goofily named) Blikis, but they never took off. At the time, I found the tools hard to use and poorly integrated with the wider world. Yet, the few hard-core adopters who stuck with their Blikis have built some of the weirdest, most contextually rich personal content I’ve ever run across on the web. The value of Blikis to dedicated authors, at least, seems undeniable.

So let a thousand Memexes, Blikis, Memkis, and Blogexes bloom. I’ll be watching with interest as Louis attempts to craft both a compelling product and a razor sharp value proposition for Chronobase.

Why It's Hard To Choose A VPN Provider

April 16, 2017

As @SwiftOnSecurity says:

“Just pick a good VPN” is like telling thirsty people to “go to a store and drink clear liquid.” They drank bleach, but at least you helped.

Yup, that pretty much covers it.

The amount of misinformation directed at potential VPN customers is vast. Worse, most prospective customers deeply misunderstand what VPNs do and under what circumstances they’re useful. It should be no surprise that this combustible mix of misinformation and misapprehension leads many astray.


Misinformation about VPNs comes in many forms and is not always easy to spot.

For example, a simple Google search for “best VPNappears to turn up reputable and timely VPN rankings. Alas, the top results are nearly all driven by affiliate marketing; placement in the rankings is entirely dependent on financial performance. It’s hard to imagine that the VPN with the best affiliate payouts is necessarily the most trustworthy and secure service on the market!

For a taste of how distasteful VPN affiliate marketing can be, peruse Google’s results for “VPN affiliate programs”. Here’s the current top hit; it gets worse from there:

If economic incentives are stacked against VPN consumers, so too it seems are the words of the providers themselves. The recent repeal of FCC privacy regulations led to a bonanza of new VPN customers and new VPN marketing efforts. Many providers conveniently forgot to mention important details about the repeal, including the fact that the privacy regulations in question had never gone into effect. If you didn’t feel the need to protect yourself from your ISP yesterday, perhaps you shouldn’t feel the need today. Moreover, when you use a VPN from home you’re effectively replacing your ISP with your VPN. Alas, the policies and behavior of VPN providers as a class is typically far less scrutinized than that of the largest ISPs. Is the tradeoff a clear win?

Publications with specific agendas also have a part to play in misleading customers about when VPNs are useful and what they’re useful for. For instance, TorrentFreak seems to think that third-party VPNs are useful for anonymity; in my opinion, they aren’t. Anonymity is a very strong condition that is hard to achieve in practice. Consider that people with deep technical skillsets and strong incentives to remain anonymous regularly fail to do so. I can’t decide if TorrentFreak’s language about VPNs is a sign of compromised ethics or just wishful thinking; either way, I’m sure it generates clicks.


Consumers interested in VPNs typically have zero experience with threat modeling. A good threat model addresses three questions:

  1. What information am I worried about having exposed?
  2. Who might be able to access that information?
  3. How might they be able access it?

The vast majority of customers can’t answer either of the first two questions with any clarity. Are you concerned about losing your banking password, being tracked by advertisers, or having interlopers learn about the sites you’re visiting? Is your attacker the NSA, your ISP, or people sitting in the same coffee shop? The right answers necessarily alter the strategy and, critically, the tools. (If your adversary is the NSA, no consumer VPN will help you. And if you’re worried about losing your banking password, breathe easy: your bank uses HTTPS everywhere; you don’t need a VPN, even on untrusted networks.)

Beyond this, the question of how an attacker might obtain one’s data requires a grasp of networking and software security that understandably goes far beyond the ken of all but the most sophisticated potential purchasers.

Needless to say, VPN providers take advantage of these fundamental misunderstandings to sell “enhanced privacy”, “true anonymity”, “military-grade encryption”, and other meaningless concepts. Snake oil sells.

Into this swirling chaos arrive the knights in shining armor, striving to shed light on a murky situation. Amongst them is That One Privacy Site (TOPS), which seems to have seen a massive spike in traffic after the United States’ ISP regulation repeal.

I have every reason to believe that the intentions of the TOPS website are good. Alas, even the white knights end up mostly leading consumers astray. TOPS attempts to provide objective metrics by which VPN providers can be judged. Information about providers is broken into categories like logging, data leaks, jurisdiction, etc. For truly savvy consumers, I suspect TOPS is extremely useful. For everyone else, I suspect it simply makes them miss the forest for the trees. Naive consumers visiting TOPS do the obvious thing: look for the VPN with the most green boxes and conclude that it’s the one to buy. The problem with this approach, as @KennWhite of the Open Crypto Audit project expressed to me:

Unlike trying to technically evaluate, say, IPSec vs OpenVPN which have fairly well-characterized objective security properties, assessing the security guarantees of a VPN service is less straightforward, and it basically comes down to trust signaling.

That strikes me as exactly right. When you use a VPN, you’re sending all of your data — presumably including unencrypted data — through your provider. No technical guarantees exist to ensure that your provider will be a trustworthy steward of this information. Instead, one must look at qualitative measures to evaluate a VPN; none of these are addressed by TOPS:

Questionable/sketchy product marketing & SEO, transparency of technical architecture decisions & assurances, openness to independent 3rd party review, ethical business practices, and — crucially — existence of an actual sustainable business model; these are all factors in evaluating the security posture.

Even along axes measured by TOPS, confusion can reign. For instance, privacy policies vary greatly amongst VPN providers. Plenty of reputable providers perform some kind of minimal time-limited logging both to help with customer support and to ensure that their network is responsive to abuse complaints. It’s absolutely possible for providers to both log data and provide meaningful security guarantees to customers. On the TOPS site, a “red” box in the policies or logging columns might genuinely be a red flag, or it might instead be the sign of a subtle and thoughtful provider.

Another axis that TOPS attempts to “measure” objectively is jurisdiction. With red boxes aplenty, naive consumers are quickly led to believe that VPN companies based in the United States or other Five Eyes countries are somehow worse on privacy matters. This conclusion is trivially wrong, of course. A VPN company based outside of Five Eyes can easily have a rotten privacy policy. Worse, they can simply fail to uphold the policy, silently abusing their customers’ trust. On the other hand, a VPN provider based in the United States is beholden to strict consumer protection laws and the potential scrutiny of agencies like the Federal Trade Commission. Policy documents should be legally binding; a good provider will have a government that enforces them.

Finally: TOPS is sometimes completely wrong. The TOPS maintainers have to keep a lot of information up-to-date so I don’t fault them for this. Nevertheless, the inaccuracies I’m aware of do make me suspicious of TOPS’ overall reliability. For example, TOPS claims that Cloak’s native apps leak IPv6 and DNS traffic. Neither is true. We’ve actually prevented leaks on dual-stack networks since our earliest alpha builds; we suspect this puts us ahead of the curve on such a fundamental security issue.

Trust signaling

In sum: it’s hard to choose a VPN wisely. For many potential customers, I worry it’s impossible.

Over time, I’ve developed a framework of six trust signals that I look for when I evaluate competing providers. I hope these will prove helpful in choosing your VPN provider:

  1. Do they have a clear and sensible threat model? (See Cloak’s; for more color, read my thoughts on security, privacy, and anonymity.)
  2. Do they have clear and unambiguous corporate ownership? (Cloak seems unique in offering actual pictures of our actual faces.)
  3. Do they have clear and unambiguous privacy policies? (See Cloak’s.)
  4. Do they have a demonstrable track record of security-mindedness and responsiveness? (See Cloak’s response to Heartbleed and to the “Looking Glass” paper.)
  5. Have they undergone a technical audit? (Cloak has and will again.)
  6. Do they charge money? (Free VPNs are usually the shadiest of the bunch, in my experience.)

It’s rarely easy to answer these questions! In my book, the VPN providers that make it easy to do so stand at the top of the heap.

Every once in a while, I think about starting “That Other One Privacy Site” to address these six broader concerns. Then I remember that I’m likely to simply become another pseudo white knight, contributing more to the noise than to the signal.


January 20, 2017

Today, as Donald Trump takes the oath of office, America is diminished.

And yet, I have hope.

After the election, I worried that protest would be meek and partisan. It has been neither. Voices across the political spectrum have risen in dissent. I’ve been particularly heartened to find many thoughtful conservatives who understand exactly what Trump represents, and who will give no inch when none can be given. John Kasich, John McCain, David Frum, Evan McMullin, Mindy Finn, Susan Hennessey, Eliot Cohen, and Rick Wilson have all spoken clearly, and unequivocally, about Trump’s perilous potential. These are Americans with whom, in sunnier times, I might entirely disagree. But such disagreements live within normal political boundaries. Trump operates far outside those boundaries; we must realign in response.

From Eliot Cohen’s savage and sobering Truth in the Age of Trump:

Trump lies because it is in his nature to lie. One suspects that there is nothing inside this man that quivers, however slightly, at an untruth. It is not uncommon for politicians, to a greater extent than most people, to believe what they want to believe, or to change their take on reality depending on what is convenient for them. With Trump, however, this will to believe is pathological: his psyche is so completely besotted by Trump that there is no room for anything, or anybody else.

I hope to one day revisit what I’ve written about Trump and laugh at how hilariously wrong I was. I hope, but I fear that day may never come.