
On the Twitter Hack - MindGods
https://www.schneier.com/blog/archives/2020/07/on_the_twitter_.html
======
sanderjd
I really feel like everyone is getting one of the broad points in this
discussion wrong. If Twitter is a national security risk because people can
hack it to speak in the official voice of prominent leaders, or discover state
secrets through direct messages, that is nobody's fault but the government's,
for relying on a platform _they have no control over_ for official business.

Can you imagine the military complaining that the enemy was able to give false
orders or discover troop movements through messages on a privately owned
communications network completely outside their control? No, because it would
be absurd for the military to rely on such a network. It is no less absurd
that the civilian government (which nominally has _more_ power than the
military) is doing so.

It was a scandal when Hillary Clinton relied on a private email server. It is
a far larger scandal that so many leaders, and especially the President, are
now relying on a private company for their official communications.

~~~
anonbcpolitics
> If Twitter is a national security risk because people can hack it to speak
> in the official voice of prominent leaders, or discover state secrets
> through direct messages, that is nobody's fault but the government's, for
> relying on a platform they have no control over for official business.

I don't see the government relying on it. I see public officials using it as a
platform. No coordination is being done (unless it's redundancy), just
communication with constituents.

> It was a scandal when Hillary Clinton relied on a private email server.

One problem with using a private email server was because it circumvented FOIA
requests. Twitter is open, a private email server is not. We still don't know
what 33k of the subpoenaed emails were about that her personal IT guy deleted,
other than the ones found on Huma Abedin's laptop.

The other problem of course is having a personal IT staff run your email
server with classified secrets (yes there were classified emails). It's not
quite the same as having Twitter or the DoD run your security. I mean, the guy
(stonetear) was on Reddit asking how to delete emails, I doubt he knew how to
protect against state actors.

~~~
EvanAnderson
> Twitter is open, a private email server is not.

In what way is Twitter "open"? Can I FOIA a government official's DM's? I
don't see that as likely.

From my standpoint, Clinton's private server is equivalent to Twitter (albeit
likely less well-maintained from a security perspective).

To my mind, it's wholly unacceptable for the US government to maintain secret
communication platforms outside the reach of FOIA. Working to keep
communications off-the-record and out of the public's hands is a betrayal of
the public trust.

~~~
Thorrez
> In what way is Twitter "open"?

If a Tweet is posted, journalists can see it and write articles about it. Of
course this doesn't apply to DMs, they are not open. I think anonbcpolitics
was ignoring DMs.

~~~
EvanAnderson
I can FOIA my government's one-to-one email communication. If I can't do that
w/ Twitter they shouldn't be using Twitter.

The local government I work for uses some god-awful subscription software to
"archive" all their various social media interaction. I'd rather just see the
government not use third-party-hosted communications systems but, grudgingly,
I'll take the "archived" social media data over nothing. The data needs to be
accessible to the public, ultimately.

~~~
Thorrez
Shouldn't be using Twitter at all or shouldn't be using Twitter DMs?

------
jsnell
> Companies like Facebook and Twitter have so much power because they are so
> large, and they face no real competition.

I find it hard to take the rest of the article seriously when it's talking
about Twitter as a giant monopoly that needs to be broken up...

But also the argument seems fundamentally wrong. Account security is a prime
example of a place where economies of scale bring a lot of benefit. I would
absolutely trust the security of say Facebook, Google or Microsoft above that
of Twitter just due to the larger scale. They can afford to spend more on
security, since they have more users, and their users are more valuable. Every
dollar spent on security applies to the whole user base. And similarly I'd
trust Twitter above a 100 person web startup.

If you start regulating for some kind of a minimum security bar, either you're
going to be killing a lot of companies, or you're going to be setting the bar
laughably low compared to what these companies already do.

> Were there 100 different Twitter-like companies

... they would all be bankrupt.

~~~
metalliqaz
This is very typical of the libertarian streak that underpins HN. I'm always a
little turned off by this strange dominate-the-world culture out of SV. I come
from a culture that valued open source and interoperable open standards. Where
did my people go?

Twitter is clearly and objectively a monopoly or in a duopoly with
Facebook/Instagram. At my most charitable, I could include YouTube in the mix.
But I'd still say monopoly.

Even though Google and Facebook are much bigger companies, Twitter has clearly
cornered the market for online publishing of thoughts and opinions. Only
Facebook/Instagram and Reddit come anywhere close, but those platforms are
mostly for different types of content.

There's a reason that modern "news" publishes article after article that
merely reports on whatever conversation is trending on Twitter. There's a
reason that celebs on Reddit provide proof via tweet. There's a reason Trump's
YouTube and Facebook accounts are run by staffers.

Could 100 Twitter-like companies all make it? Perhaps not, but we'd be in a
better place. Twitter is poison and I'd not shed a tear if it went bankrupt.

~~~
stickfigure
How exactly do you propose to split up Twitter? Split the userbase into 100
groups? Who goes in which group? And what happens when people want to switch
groups... ultimately coalescing in a single node? Because, you know, network
effects.

I don't like Twitter either, so I don't use it. It's a really effective
solution!

~~~
basch
There's other ways to deal with anti-trust besides breaking the companies
apart. Data portability, interoperability, ownership of your own social graph.
If these platforms were forced to act more like email, where leaving Google
for Microsoft doesn't mean I can no longer contact my friends, the network
effects that give them monopoly-like power diminish.

Imagine how ridiculous email would feel if you need a gmail account to email
gmail peeps, a microsoft account to email outlook peeps, and another separate
account to communicate with people in every mom and pop community. Imagine not
being able to export your address book in an industry standard format. Imagine
not being able to use whatever third party client you want to access your own
data.

~~~
stickfigure
So let's imagine Facebook/Twitter/etc was based on open protocols like SMTP...

* You'd have the same spam and abuse problem that email has.

* You'd have _zero_ control over the information you post to it, just like
email. There would be absolutely no way of stopping or even slowing down the
Cambridge Analyticas of the world.

"Ownership of your own social graph" is complete and utter nonsense. As soon
as you share data with other people through open protocols, _they own it_.
Just like email.

Even email is tending towards centralization, with a few big players that can
manage the spam and abuse and still get their messages delivered.

~~~
basch
> You'd have the same spam and abuse problem that email has.

Don't you have that already, and they have anti spam measures? How would a
facebook post coming from facebook or twitter change what they remove as spam?

~~~
jsnell
What you're basically proposing is a model of spam where only the content of
the message is considered. I do not think that would be very effective in
practice, in the modern world.

Email spam filtering is already a lot more powerful, since it can consider
things such as IP reputation. (IP reputation would be a non-starter for a
federated social network, since it would require passing raw IPs along with
messages in the federation protocol. And that is just unthinkable from a
privacy perspective).

When all entities posting messages on a social network are managed by the same
identity provider, and the identity provider can share information about the
account with the social network, you get yet another layer of increase in
power. You can, for example, tell whether the account is newly created or not.
Or whether it was bulk-created along with 10 other accounts posting similar
spam. Or a dozen other account reputation signals which let you classify
accounts into organic vs. abusive, and use that to inform the classification
of messages from those accounts. And again, the only way this happens is if
the identity provider and the social network are one and the same. If they
were separate companies, it'd be inexcusable for either party to share
detailed information with the other.

~~~
basch
I don't see why the identity providers couldn't pass trust ratings between
each other.

~~~
jsnell
There's one element of the tragedy of the commons. Honest Bob's Social Media
Emporium might not be entirely motivated to mark their users as untrusted,
when most of the pain of the spam is felt by the other thousands of providers
they federate with.

"Hey, doing SMS verification of new accounts is expensive, but required by the
other nodes on the network. How about we don't, but say we did?"

Imagine a solution to email spam that replaced looking at IP address
reputation with looking at the sender's claim about their own reputation.
Laughable idea, right?

The other problem with your suggestion is that you can't do abuse prevention
with a single signal, even if it's not Boolean. I even gave an example in the
previous post, with checking whether accounts doing similar abuse were
clustered together at account creation time.
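The two jsnell comments above describe how an identity provider that is also the social network can combine account-reputation signals (account age, bulk creation, similar content across a creation batch) in a way that a content-only filter cannot, and that no single signal suffices. The following is an added illustration of that idea and is not code from Schneier, Twitter, or any commenter; every account record, signup-source label, message, and threshold in it is constructed for the demo, and `signup_source` stands in for whatever provider-side attribute an identity provider would actually hold.

```python
"""Added example: account-level abuse classification from identity-provider
signals, contrasted with a content-only baseline.  All records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    account_id: str
    created_at: datetime
    signup_source: str  # hypothetical attribute only an identity provider would hold
    messages: list = field(default_factory=list)


def _token_set(messages):
    """All lower-cased whitespace tokens an account has posted."""
    return {tok for msg in messages for tok in msg.lower().split()}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def _record(batch, batches):
    ids = [a.account_id for a in batch]
    for a in batch:
        batches[a.account_id] = ids


def creation_batches(accounts, window=timedelta(minutes=10)):
    """Map account_id -> ids of accounts created from the same signup source
    within `window` of the batch's first account (bulk-creation clustering)."""
    by_source = {}
    for acc in accounts:
        by_source.setdefault(acc.signup_source, []).append(acc)
    batches = {}
    for accs in by_source.values():
        batch = []
        for acc in sorted(accs, key=lambda a: a.created_at):
            if batch and acc.created_at - batch[0].created_at > window:
                _record(batch, batches)
                batch = []
            batch.append(acc)
        _record(batch, batches)
    return batches


def account_signals(acc, by_id, batches, now):
    """Three provider-side reputation signals for one account."""
    own = _token_set(acc.messages)
    siblings = [by_id[i] for i in batches[acc.account_id] if i != acc.account_id]
    return {
        "age_hours": (now - acc.created_at).total_seconds() / 3600,
        "batch_size": len(batches[acc.account_id]),
        "content_sim": max((jaccard(own, _token_set(s.messages)) for s in siblings), default=0.0),
    }


def classify(signals, min_age_hours=48, bulk_threshold=5, sim_threshold=0.6):
    """Flag only when a brand-new, bulk-created account also posts near-duplicate
    content to its batch siblings.  Any one signal alone is inconclusive: a
    legitimate newcomer can share a creation batch with spammers."""
    if (signals["age_hours"] < min_age_hours
            and signals["batch_size"] >= bulk_threshold
            and signals["content_sim"] >= sim_threshold):
        return "abusive"
    return "organic"


CONTENT_BLOCKLIST = ("double your", "giveaway")  # constructed, deliberately narrow


def content_only_flag(acc):
    """Baseline that sees message text only, as a federated node without
    provider-side signals would.  Reworded spam slips past it."""
    return any(p in m.lower() for m in acc.messages for p in CONTENT_BLOCKLIST)


# Constructed sample: five accounts created minutes apart from one signup
# channel posting near-identical text, one genuine newcomer in the same batch,
# and one long-standing account.
NOW = datetime(2020, 7, 16, 12, 0)
SRC = "web-signup-A"
SPAM_TEXTS = [
    "limited time deal check the link in my bio now",
    "limited time deal check the link in my bio now today",
    "limited time deal check the link in my bio",
    "limited deal check the link in my bio now",
    "limited time deal check the link in my bio now",
]
ACCOUNTS = [
    Account(f"bulk-{i}", NOW - timedelta(minutes=60 - 2 * i), SRC, [t])
    for i, t in enumerate(SPAM_TEXTS)
] + [
    Account("newcomer", NOW - timedelta(minutes=55), SRC,
            ["just joined to follow local football club news"]),
    Account("veteran", datetime(2019, 1, 1), SRC, ["cat learned to open the fridge"]),
]


def run_demo(accounts=ACCOUNTS, now=NOW):
    """Return {account_id: (combined_label, content_only_flagged)}."""
    by_id = {a.account_id: a for a in accounts}
    batches = creation_batches(accounts)
    return {a.account_id: (classify(account_signals(a, by_id, batches, now)),
                           content_only_flag(a)) for a in accounts}


if __name__ == "__main__":
    for acc_id, (label, flagged) in run_demo().items():
        print(f"{acc_id:9s} combined={label:8s} content_only_flagged={flagged}")
```

Running it labels the five bulk accounts abusive and the newcomer and veteran organic, while the content-only baseline flags none of them: the newcomer shares the batch and the age signal with the spammers and is cleared only by the content-similarity signal, which is the "no single signal" point from the thread. The thresholds are placeholders; a real deployment would tune them against labelled data and add many more signals than three.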

~~~
basch
Then "Bob's Social Media Emporium" as a whole would get dinged in the trust
web. If you can't trust the verifier, you wouldn't trust any of their
participants.

I guess nitpicking the details doesn't matter, but none of these problems seem
insurmountable.

~~~
jsnell
Oh, man. You dropped the "Honest" out of "Honest Bob". That's harsh, it's like
you think he's some kind of a crook :(

Once the biggest node on this network starts not peering with smaller nodes
due to them being untrustworthy, what do you think happens? I suspect that the
users will move from the smaller nodes to the bigger ones. And then we're
right back to where we started. People will be complaining about monopolies
and will want the big nodes broken up.

~~~
dane-pgp
This does seem like a genuine problem, and there are already signs of this
happening in the Fediverse. Perhaps it needs a name, so that people can notice
when it is happening, and discuss potential solutions to it. The name I
propose is "Federator's Dilemma", as it seems like a game theoretic problem.

As for a solution, my intuition is that the first step might be to create a
Sybil-proof voting system for determining how popular individual services are.
If a service is refused federation by other services which collectively
contain 90% of user accounts, then that's a sign that the service doesn't do
enough to stop its users from posting objectionable content. Similarly,
service A could report to service B how many abuse reports it is getting from
its users about people on service B, with a clear rule about when service B
would be blocked.

This isn't a perfect system, and I admit that a Sybil-proof global anonymous
distributed voting system might be harder than just solving the Federator's
Dilemma more directly, but I think it's worth considering, not least because
such a voting system would be useful for countless other applications online.

------
skmurphy
Core argument is for "building codes" for software that is effectively mission
critical infrastructure. Data and identity security--and privacy--concerns may
drive a fair amount of regulation in the next five to ten years. Here is
Schneier's core thesis:

"There are many security technologies companies like Twitter can implement to
better protect themselves and their users; that's not the issue. The problem
is economic, and fixing it requires doing two things. One is regulating these
companies, and requiring them to spend more money on security. The second is
reducing their monopoly power.

The security regulations for banks are complex and detailed. If a low-level
banking employee were caught messing around with people's accounts, or if she
mistakenly gave her log-in credentials to someone else, the bank would be
severely fined. Depending on the details of the incident, senior banking
executives could be held personally liable. The threat of these actions helps
keep our money safe. Yes, it costs banks money; sometimes it severely cuts
into their profits. But the banks have no choice.

The opposite is true for these tech giants. They get to decide what level of
security you have on your accounts, and you have no say in the matter. If you
are offered security and privacy options, it's because they decided you can
have them. There is no regulation. There is no accountability. There isn't
even any transparency. Do you know how secure your data is on Facebook, or in
Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet
they're crucial to the country's national security. And they're the rare
consumer product or service allowed to operate without significant government
oversight."

------
f38zf5vdt
Great to see Schneier with a totally level-headed response in comparison to
Krebs, who wrote a 5 page apparent doxxing of someone he maybe suspected could
potentially have been the hacker.

We have a standard (TLS) for general HTTP secure communications over the
internet. We should also have standards for the transport and storage of user-
to-user and user-to-public messages.

~~~
jacquesm
Yes, the level of class difference is substantial. Doesn't make this
particular argument much stronger though. It also shows Schneier put in some
actual thought before firing this off.

------
jdkee
This strikes me as particularly salient as to the point on privacy and
security:

"The opposite is true for these tech giants. They get to decide what level of
security you have on your accounts, and you have no say in the matter. If you
are offered security and privacy options, it's because they decided you can
have them. There is no regulation. There is no accountability. There isn't
even any transparency. Do you know how secure your data is on Facebook, or in
Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet
they're crucial to the country's national security. And they're the rare
consumer product or service allowed to operate without significant government
oversight."

Perhaps this hack will bring the security issue to the forefront of our U.S.
legislators.

------
valuearb
“Those messages -- between world leaders, industry CEOs, reporters and their
sources, health organizations -- are much more valuable than bitcoin.”

If they had DM access, then those hackers were like a bumbling bank robbery
gang who tunneled in during the middle of the night and ran off with all the
pennies, leaving the paper money and safety deposit boxes unmolested.

~~~
Aperocky
Why would anyone message another on twitter with anything important though?
Even if they really needed that contact info wouldn't they just use private
messages to ask "what's your phone number"?

~~~
valuearb
I’m sure that is true 98% of the time. But buried in the mass that is the
other 2% are likely some messages that will be very valuable.

------
Thorrez
> It didn't matter whether individual accounts had a complicated and
> hard-to-remember password, or two-factor authentication. It didn't matter
> whether the accounts were normally accessed via a Mac or a PC. There was
> literally nothing any user could do to protect against it.

Are we sure it didn't matter? 130 accounts were targeted, but attackers only
got into 45 accounts. Maybe there was a security setting that stopped the
attackers from getting into the other 85.

------
Thorrez
> Were there 100 different Twitter-like companies, and enough compatibility so
> that all their feeds could merge into one interface, this attack wouldn't
> have been such a big deal.

That has its own security downsides. Now attackers don't need to find
vulnerabilities in 1 specific company, they can search across 100 different
companies. And each one has much less revenue so a much smaller security team.

------
d--b
The comparison with banks is fair. I wonder if people can sue Twitter over
this shit show.

------
jacquesm
I would be highly surprised if world leaders communicated anything sensitive
via DM on Twitter.

~~~
Tenoke
World leaders maybe not but e.g. journalists almost definitely.

~~~
jacquesm
He specifically mentions world leaders. Also, tons of speculation in the
article about things nobody is sure about yet and then extrapolating from
there and proposing countermeasures that are off the scale. Security is
important. But it wouldn't be the first time a communications service is
hacked and assuming a nation state adversary you can consider every tech
company in the world compromised to some degree by infiltrating employees into
key positions. Those can play the long game and work at it for years to reach
their destination.

I would consider anything you entrust to a keyboard or some internet or
wireless medium to be in principle compromisable, and in practice most likely
compromised in the sense that people that should not have access to that data
probably do.

------
perryizgr8
Breaking up monopolies like Twitter may not work. They must be subjected to
heavy regulation. They must not censor/block/shadowban any account or tweet.
They must open their entire operation to APIs at reasonable costs. They must
allow interoperability with any other Twitter clone, tweets from everywhere
should be visible across all Twitters.

Follow all this, or pay $1M/day compounding fine.

