
Hackers tell the story of the Twitter attack from the inside - jaredwiener
https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html
======
rosywoozlechan
So a kid got access to the keys to the kingdom at Twitter by social
engineering their way into Twitter's internal Slack. That sounds like crazy
irresponsible use of sharing privileged access information in Twitter's
internal processes. That could be career ending for someone. Just someone on
Twitter's slack, lurking there, seeing passwords and services and being able
to access them without an employee account or some kind of sane security
process? Huh?

~~~
panarky
So Twitter's admin panel just takes a username and password, no 2FA, no device
authentication??

~~~
GycDH6mb
Or even IP firewall? Hell, our admin panel can't be accessed outside of our
physical office, save for VPN.

~~~
comex
I’m pretty sure Twitter is still (mostly) working from home like all the other
tech companies in the area, so a physical proximity requirement is out. A VPN
requirement could work; in theory there’s no reason a VPN login is any more
inherently secure than the login to whatever admin panel they’re using, but in
practice VPNs can help centralize security policies across many applications.
(I have no idea what Twitter’s systems look like, though.)

~~~
tjohns
> there’s no reason a VPN login is any more inherently secure than the login
> to whatever admin panel they’re using

VPN credentials can also be tied to a device certificate, which can be
securely stored in the machine’s TPM.

This prevents VPN login from anything except a company issued machine. You
don’t get this with normal password auth.

------
toss1
>>... not the work of a nation-state or hacker group...

Quite concerning, and Twitter got really lucky that it was a mere scammer.

Every serious hacker group & adversarial nation-state has just learned a huge
amount about Twitter internals, and their weak security.

If Twitter fails to implement far more stringent controls (and yes those are a
pain in the neck, expensive and inconvenient), they are 100% sure to be used
for serious provocations.

At the very least, Admin access to blue check accounts should require
simultaneous triple access codes from admins who don't work together.

As a reference point for what real security looks like: when I worked at IBM,
I met a guy who had figured out how four people in different offices could
conspire to get $10MM transferred to an offshore acct, and reported it. He was
promoted up two levels for that insight (&the loophole was fixed).

That would take 4 people conspiring, probably twice that after the fix.

Meanwhile, a single Twitter admin can post ANYTHING from accounts of people
who can launch nuclear weapons.

Sure, it's all fun and games until someone wants to play Global Thermonuclear
War - and can.

I hope this gets security taken more seriously.
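The "triple access codes from admins who don't work together" idea above is a quorum ("k of n") authorization with a separation-of-duties rule. As an added illustration of that control, not code from the article or from Twitter, here is a small deny-by-default policy evaluator: a privileged action on a protected account proceeds only when enough distinct approvers, from enough distinct teams, approve that exact request inside a time window. The admins, teams, request, and policy numbers are constructed for the example.

```python
"""Quorum authorization with separation of duties (added example, hypothetical model)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Admin:
    user_id: str
    team: str  # organisational unit used for the "don't work together" rule


@dataclass(frozen=True)
class Request:
    request_id: str
    requester: Admin
    action: str
    created_at: datetime


@dataclass(frozen=True)
class Approval:
    request_id: str   # approvals are bound to one request so they cannot be replayed
    approver: Admin
    issued_at: datetime


@dataclass(frozen=True)
class Policy:
    quorum: int = 3                       # distinct approvers required
    distinct_teams: int = 3               # approvers must come from this many teams
    max_age: timedelta = timedelta(minutes=15)


@dataclass
class Decision:
    allowed: bool
    valid_approvers: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # approvals ignored, with the reason
    failures: list = field(default_factory=list)   # policy checks that did not pass


def evaluate(request, approvals, policy, now):
    """Deny unless every policy check passes; individual bad approvals are dropped, not fatal."""
    valid, rejected, seen = [], [], set()
    for a in approvals:
        who = a.approver.user_id
        if a.request_id != request.request_id:
            rejected.append(f"{who}: bound to a different request")
        elif who == request.requester.user_id:
            rejected.append(f"{who}: requester may not approve own request")
        elif who in seen:
            rejected.append(f"{who}: duplicate approval")
        elif not (request.created_at <= a.issued_at <= now):
            rejected.append(f"{who}: issued outside the request's lifetime")
        elif now - a.issued_at > policy.max_age:
            rejected.append(f"{who}: approval expired")
        else:
            seen.add(who)
            valid.append(a.approver)
    failures = []
    if len(valid) < policy.quorum:
        failures.append(f"quorum not met: {len(valid)}/{policy.quorum}")
    teams = {adm.team for adm in valid}
    if len(teams) < policy.distinct_teams:
        failures.append(f"separation of duties not met: {len(teams)}/{policy.distinct_teams} teams")
    return Decision(not failures, sorted(seen), rejected, failures)


# Constructed sample data (not real people, teams or requests).
NOW = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
ALICE = Admin("alice", "trust-safety")
BOB = Admin("bob", "infra")
CAROL = Admin("carol", "legal")
DAVE = Admin("dave", "trust-safety")
MALLORY = Admin("mallory", "support")
REQ = Request("req-0001", MALLORY, "reset-login:@example_verified", NOW - timedelta(minutes=10))


def approve(admin, minutes_ago=5, request_id="req-0001"):
    return Approval(request_id, admin, NOW - timedelta(minutes=minutes_ago))


def run_scenarios():
    """Each scenario returns the allow/deny outcome for one pattern of approvals."""
    p = Policy()
    return {
        "three_independent_teams": evaluate(REQ, [approve(ALICE), approve(BOB), approve(CAROL)], p, NOW).allowed,
        "same_team_twice": evaluate(REQ, [approve(ALICE), approve(DAVE), approve(BOB)], p, NOW).allowed,
        "self_approval": evaluate(REQ, [approve(MALLORY), approve(BOB), approve(CAROL)], p, NOW).allowed,
        "stale_approval": evaluate(REQ, [approve(ALICE, minutes_ago=30), approve(BOB), approve(CAROL)], p, NOW).allowed,
        "replayed_from_other_request": evaluate(REQ, [approve(ALICE, request_id="req-0000"), approve(BOB), approve(CAROL)], p, NOW).allowed,
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The design choice worth noting is that a bad approval is discarded rather than treated as a hard failure, so one stray or replayed approval cannot be used to jam legitimate requests, while the decision itself is only ever "allow" when every check passes. A real deployment would additionally have each approver authenticate (with their own 2FA) before an approval is recorded and would write the whole decision to an audit log.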

~~~
syshum
>>Meanwhile, a single Twitter admin can post ANYTHING from accounts of people
who can launch nuclear weapons.

Sorry, but if our global security comes down to Twitter then we have far bigger
problems than Twitter adding some security layers to their admin interface.

~~~
toss1
Sure, a blatantly outrageous tweet would be caught.

But with that kind of admin access to many accounts, it would be
straightforward to spread a LOT of chaos from a number of compromised accounts
with a series of plausible tweets. The rate things move, it could get out of
hand, and a lot of people killed before it got sorted.

Especially true for experts at provokatsiya (provocation) & dezinformatsiya
(disinformation) as the RUS FSB & GRU.

And yes, we do have bigger problems than Twitter's abysmal security (start
w/FBs, which was hacked to hack multiple elections), but to act as if the
capability to make comments from verified world leader accounts is
irrelevant is, to be polite, foolish beyond belief.

~~~
miracle2k
People are incredibly creative and we should consider that there are any
number of inventive ways such access could be used for attacks.

Nevertheless, Twitter is a blip within the vast organizational structures that
the world functions on. There is a huge amount of inertia there as well.

Throwing around words like thermo-nuclear war is more than a bit shrill.

There is another factor here as well - it's the same mistake you and many
others make with the idea that Facebook was used to "hack an election". There
is no evidence at all that opinion forming through Facebook is of any
significant importance relative to Fox News, media making a big deal out of a
private email server, SuperPACs (those used to be the big election-influence
scare of the olden days - now they are irrelevant and dwarfed by Facebook).
Also, people have agency and they share their beliefs with each other.

Which is all to say - when parent says "we'd have other problems if a Twitter
hack brings down world government" then that is exactly that. If 1000 other
things must go wrong to cause a war with a false tweet, don't blame Twitter
for that war.

~~~
toss1
>> Twitter is a blip within ...

Not any more. The US has had for several years a person occupying the
President's chair who makes major policy announcements first via Twitter, from
abrogating treaties, to immigration policy, issuing pardons/commutations for
friends, etc. These pronouncements often surprise even his closest senior
staff, and are expected to be acted upon.

This is a far cry from the original trivial "look at these beautiful scallions
I had on my breakfast plate!"

The platform needs to be treated with the appropriate seriousness.

Sure, "thermo-nuclear war" is at the far end of the scale. Hacks using Twitter
or other SocMed would likely be lower on the scale.

But it is definitely true that with control of all and any verified accounts,
including Presidents, commanders, military commands, news outlets, etc., one
could craft a series of messages that would at the very least create
widespread deadly panic in minutes, if not start an actual war (Go look up the
results of Orson Welles's "War of the Worlds" broadcast.).

The problem is that with the right attack, a lot of things going right WILL
cause major problems. The entire point is that it would not require 1000 other
things to also go wrong.

As to Facebook, there is more than plenty of evidence that it successfully
influenced the election. Not primarily through forming major opinions as
through Fox, etc., but by targeting specific demographics down to the
individual level (using data stolen from other channels including voting
rolls) with tuned messages to generate a specific response, and more on the
side of suppressing or diverting voter turnout for HRC than generating it for
DT. It took only a few 10K votes in 3 states.

These technologies are far beyond mere juvenile startup toys. Their scale,
influence, and valuation show how much power they wield. We need to hold them
to levels of responsibility commensurate with that power, not continue to make
excuses as if they were children's toys.

------
andersco
I almost wish this attack had been perpetrated by sophisticated govt hackers.
The fact that it was some kids still living at home is almost more scary. But
the silver lining is this was hopefully a wake up call for Twitter.

------
pjc50
.. why would you hand all this info to journos? Do they have that much
confidence in source protection?

~~~
pnathan
I was thinking the entire thing was ripe for warrants. Usernames! Communities
described! Discord!

Head up, Discord lawyers, you've got subpoenas coming in hot.

~~~
manicdee
Pretty sure Discord already has processes in place for dealing with legal
processes. A few crackers isn’t going to increase their workload which is
likely reporting on dozens of child abuse, sexual abuse, stalking and
harassment cases a month.

------
westicecoast32
Does it end with "The Times was initially put in touch with the hackers by a
security researcher in California"? There was no information whatsoever

~~~
mintplant
> The Times was initially put in touch with the hackers by a security
> researcher in California, Haseeb Awan, who was communicating with them
> because, he said, a number of them had previously targeted him and a
> Bitcoin-related company he once owned. They also unsuccessfully targeted his
> current company...

I'm not sure what you mean. The story continues after that point. Maybe you
hit the paywall?

------
hevelvarik
Ok so I sign up early for every platform that hits Hacker News and make one
letter, and one digit usernames and profit! Amiright

~~~
dmurray
Yes, you're right. This opportunity hasn't been completely arbitraged away.
Devote your time, and a moderate amount of technical chops, to this and you
can likely make millions over the next 10 years.

~~~
DonHopkins
John Gilmore used to have Jesus.com (when you could register domain names for
free, long before the days of the web), but when they started charging for
domains, he refused to pay for Jesus.com on principle, so then he lost
Jesus.com from his life.

Personally (having no such principles myself), I would have paid his rent,
kept him entombed for a while, then auctioned off Jesus.com to the highest
bidder. He must be worth at least 30 pieces of silver!

Fortunately, after an unfortunate series of events (including a creepy Jesus
dating site offering eligible women a chance to Win a Shower With Jesus),
Jesus.com finally ended up being adopted by the Metropolitan Community Church,
[https://mcchurch.org](https://mcchurch.org) (not affiliated with McDonalds),
which is pretty good, as churches go. (Their French Friars are excellent!)

[https://jesus.com](https://jesus.com) =>
[https://mcchurch.org](https://mcchurch.org)

>About Metropolitan Community Churches (MCC)

>Founded in 1968, Metropolitan Community Churches (MCC) has been at the
vanguard of civil and human rights movements by addressing issues of race,
gender, sexual orientation, economics, climate change, aging, and global human
rights. MCC was the first to perform same-gender marriages and has been on the
forefront of the struggle towards marriage equality in the USA and other
countries worldwide.

>MCC recognizes a state of need around the world in the areas of human rights
and justice including but not limited to the Lesbian, Gay, Bisexual,
Transgender, and Queer community. As people of faith, MCC endeavors to build
bridges that liberate and unite voices of sacred defiance. MCC leads from the
margins and transforms.

[https://www.namepros.com/threads/anyone-remember-jesus-com.1...](https://www.namepros.com/threads/anyone-remember-jesus-com.151376/)

[http://web.archive.org/web/20001013080300/http://jesus.com/](http://web.archive.org/web/20001013080300/http://jesus.com/)

[http://web.archive.org/web/20001109055800/http://jesus.com/s...](http://web.archive.org/web/20001109055800/http://jesus.com/shower/)

[http://web.archive.org/web/20001109045900/http://jesus.com/f...](http://web.archive.org/web/20001109045900/http://jesus.com/faq.html)

16. Why don't you use this web site to tell people about the real Jesus?

If people cannot find what they need to know about Jesus then they are truly
beyond hope.

17. Will you sell your domain to me?

If you can write a check for 10+ million we might have something to talk
about.

------
neonate
[https://archive.is/SMDNY](https://archive.is/SMDNY)

~~~
istjohn
The article is cut off with that link. Use this instead:
[https://archive.is/YLHKw](https://archive.is/YLHKw) I should say, I'm not
sure if that's the full article either.

~~~
neonate
Sorry about that, I had no idea. Your link looks good because it has a
correction and they put those at the end.

~~~
istjohn
I don't think your link was wrong. It looks like they updated the article a
few times.

------
Mirioron
If this is true, then this is even more concerning than the hack itself.
Twitter asks us to trust them with our data, but can't even keep access to
their own information secure. How do they expect us to trust them with
_anything_?

~~~
creato
Do we actually trust twitter with any data? I don't use twitter much but I
can't think of anything on twitter that isn't already public.

The only thing we trust twitter to do is to provide some notion of
authentication for well known users. That's still very important and not
something Twitter can afford to lose, but it's not trusting them "with our
data", I feel that is a very heavily overused phrase these days.

If these hackers had been more subtle and somehow made the confusion last a
long time, it could have been a lot more serious. If people can't rely on
Trump being Trump and Musk being Musk on Twitter, then Twitter is just an
overgrown internet forum.

~~~
blisseyGo
I think private messaging is where most of the goods are. Also users' phone
numbers and emails.

------
hmmazoids
I finally understand why I kept seeing headlines saying "the Twitter hack
could have been much worse"

------
ajsharp
I created Sharesecret ([https://sharesecret.co](https://sharesecret.co)) to
protect against exactly these kinds of attacks.

Most company Slacks are a ticking timebomb of sensitive artifacts waiting to
be discovered. Whether it's passwords or just general internal info you
wouldn't want to be public, it's wild how much sensitive info is sitting in
like 4 systems (Slack, Gmail, Notion, Dropbox).

Protect y'selves people.

~~~
grishka
A proprietary security product. That's always funny.

~~~
ecf
[https://github.com/pinterest/snappass](https://github.com/pinterest/snappass)

An open-source and self-hosted version of what this service seems to be doing.

~~~
ajsharp
In addition to basic secret sharing, Sharesecret has a slack extension that
detects different types of potentially sensitive data and alerts the sender to
redact and encrypt to get it out of Slack. We also have an auto-destructing
private chat feature.
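The two Sharesecret comments above describe scanning Slack messages for sensitive data and prompting the sender to redact. As an added example of how such a detector works, and not the product's code or anything from the article, here is a small rule-based scanner run over constructed chat messages: each rule is a regex whose first group is the secret, findings are merged so overlapping matches cannot corrupt the output, and the redactor replaces each secret with a labelled placeholder. The AWS example key `AKIAIOSFODNN7EXAMPLE` is the one from AWS's own documentation; the other messages, tokens and passwords are made up.

```python
"""Rule-based secret detection and redaction for chat messages (added example)."""
import re
from dataclasses import dataclass

# Each rule: (kind, regex). Group 1 is the secret that gets redacted.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # A bare 40-char token matches far too much (git SHAs, base64 blobs), so require
    # the word "aws" shortly before it; this is a precision/recall trade-off.
    ("aws_secret_access_key",
     re.compile(r"(?i)aws.{0,60}?(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")),
    ("slack_token", re.compile(r"\b(xox[abpr]-[0-9A-Za-z-]{10,})\b")),
    ("private_key_block",
     re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----)", re.S)),
    ("credential_pair",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(\S+)")),
]


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


def scan_message(text):
    """Return every secret span found in one message, ordered by position."""
    found = []
    for kind, rx in RULES:
        for m in rx.finditer(text):
            found.append(Finding(kind, m.start(1), m.end(1)))
    return sorted(found, key=lambda f: (f.start, -f.end))


def redact(text):
    """Replace each detected secret with a placeholder; returns (redacted_text, findings)."""
    findings = scan_message(text)
    merged = []
    for f in findings:  # merge overlapping spans so replacements never splice mid-secret
        if merged and f.start < merged[-1].end:
            last = merged[-1]
            merged[-1] = Finding(last.kind, last.start, max(last.end, f.end))
        else:
            merged.append(f)
    out = text
    for f in reversed(merged):  # edit from the end so earlier offsets stay valid
        out = out[:f.start] + f"[REDACTED {f.kind}]" + out[f.end:]
    return out, findings


def scan_channel(messages):
    """Map message index -> list of secret kinds, for messages that contain any."""
    result = {}
    for i, m in enumerate(messages):
        kinds = [f.kind for f in scan_message(m)]
        if kinds:
            result[i] = kinds
    return result


# Constructed sample channel history (no real credentials).
SAMPLE_MESSAGES = [
    "deploy is green, see you tomorrow",
    "admin panel login is ops-admin / Password: Tw1tterR0cks! (don't share)",
    "aws creds for the bucket: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----",
    "bot token xoxb-123456789012-abcdefghijkl",
]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        redacted, findings = redact(msg)
        if findings:
            print(f"message {i}: {[f.kind for f in findings]}\n  -> {redacted!r}")
```

Two points a practitioner would take from this: the keyword rule catches the plain "Password: ..." posting that the article describes, while the contextual AWS-secret rule shows why high-entropy detection needs surrounding context to avoid flagging every commit hash. Production scanners add entropy scoring, allow-lists for known example keys, and an alert to the sender rather than silent rewriting.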

------
LockAndLol
Looks like in a few months we'll have another article about these kids being
arrested and dragged in front of a judge - or they'll silently be recruited by
the state.

They could've just deleted all accounts, cleaned up after themselves and made
it difficult to be tracked down. With the information they gave, it wouldn't
surprise me if 4chan anons were able to track them down and spam their details
"for the lulz".

------
Firebrand
So either this Kirk worked at Twitter and went insane or he’s lying and gained
access through a third party. Should be easy for the FBI to track him from
Discord.

~~~
sudosysgen
I don't think so. It's likely either a hacked Discord account or connected
entirely through a botnet and or Tor.

If I'm guessing, he lied and got access somehow and wanted to destroy Twitter.

~~~
wisemanwillhear
Didn't the feds hack a lot of Tor exit nodes some years back?

[https://arstechnica.com/information-technology/2014/11/law-e...](https://arstechnica.com/information-technology/2014/11/law-enforcement-seized-tor-nodes-and-may-have-run-some-of-its-own/)

What's to stop them from doing that today or simply running their own? It
would be a minor expense and effort for them.

~~~
techntoke
Tor + VPN makes it very difficult. You have a lot of faith in the government.
They usually just go for hackers who make research papers publicly available
using school and library computers.

~~~
pcwalton
Ross Ulbricht, Bureau of Prisons number 18870-111, also thought Tor and a VPN
would protect him from the US government.

~~~
ALittleLight
It might've if he didn't use his real name while posting on stack overflow.
Plus, a few other lapses in security.

------
jakeogh
Ah the sourceless NYTimes. Totally just a news org. [https://gawker.com/here-are-some-top-n-y-times-editors-and-s...](https://gawker.com/here-are-some-top-n-y-times-editors-and-staff-joking-a-1713336525)

Still run by the BBC's Mark Thompson.

[https://imgur.com/VUdcIou](https://imgur.com/VUdcIou)

[https://pbs.twimg.com/media/CIMxvS-WEAER49I.png](https://pbs.twimg.com/media/CIMxvS-WEAER49I.png)

[https://pbs.twimg.com/media/CINJUoqUwAEkSip.jpg](https://pbs.twimg.com/media/CINJUoqUwAEkSip.jpg)

------
pixxel
Anyone else reading this with great skepticism?

~~~
blisseyGo
Yep. I find this story hard to believe. Finding credentials on Slack for the
most important resources at the company seems too hard to believe. Also, if
this was the case, how come Twitter was having a hard time figuring out how
to stop the hack?

~~~
Mandatum
I've worked with a lot of organisations, including tech orgs. It's very
believable.

------
thinkingkong
I wonder if this is related to the yg account being stolen / suspended at
Github.

------
jakeogh
I don't say it lightly. The New York Times is not what it pretends to be.

[https://twitter.com/TuckerCarlson/status/1285386153093464065](https://twitter.com/TuckerCarlson/status/1285386153093464065)

[https://news.ycombinator.com/item?id=23880201](https://news.ycombinator.com/item?id=23880201)

[https://news.ycombinator.com/item?id=21367594](https://news.ycombinator.com/item?id=21367594)

------
ngcc_hk
The story is so real.

It is a surprise if they do not just do the slow kill. The donation one is
great as it looks harmless. I bet those may not be aware that it is fake. And
if there are messages enough ...

It could be a bigger news. Luckily it is not nation. But if a kid can do it
...

------
Stevvo
Sounds like a bunch of losers. How much more damage could have been caused by
a sophisticated group of motivated attackers?

------
noxer
>...and sent out pictures of Twitter’s internal dashboards as proof that he
had taken control of the requested accounts.

Screenshots - the internet's best proof(TM)

------
dry_soup
> The interviews indicate that the attack was not the work of a nation-state
> or a sophisticated group of hackers.

So it was not the work of "a state in which a great majority shares the same
culture and is conscious of it"?

~~~
dragonwriter
“Nation-state” is frequently used to denote independently and supremely
sovereign participants in the Westphalian system, the principal actors in and
subjects of modern international law, to distinguish from other uses of the
term “state” alone, which can also refer to subordinate political entities
(such as those within the USA or México.) “Sovereign state” has a similar
problem to “state” alone (US states are described as “sovereign”, as well.)
“Westphalian state” would probably be somewhat more clear than “nation-state”,
but the use is so well established that I don't imagine it changing.

------
eternalban
Twitter incident report & post-mortem kindly provided by NYTimes and
"hackers". Perception management precedes forensics.

"But four people who participated in the scheme spoke with The Times and
shared numerous logs and screen shots of the conversations they had on Tuesday
and Wednesday, demonstrating their involvement both before and after the hack
became public."

[Text file?] Logs and screenshots as evidence! That's funny.

[https://techcrunch.com/author/kate-conger/](https://techcrunch.com/author/kate-conger/)

[https://www.nytimes.com/by/nathaniel-popper](https://www.nytimes.com/by/nathaniel-popper)

------
boogies
Interesting to hear they “got access to the Twitter credentials when [they]
found a way into Twitter’s internal Slack messaging channel and saw them
posted there”. I wonder if using a free-as-in-freedom alternative like Zulip
(on the front page yesterday), Mattermost (closer alternative, whose website
[https://mattermost.com/](https://mattermost.com/) emphasizes security), or
Matrix (also seems popular on HN) would have prevented the hack.

~~~
trhway
It doesn't matter. The main point is the apparent security [mis]architecture
at Twitter such that those posted credentials are enough to get access. It
means no 2FA, the bare minimum for prod access. It probably also means no role
based access control (or such an ugly one that instead of roles
assigning/modifying/etc. people resort to posting/sharing credentials of
critical prod accounts).

~~~
boogies
I'm not trying to say that the communication platform is the most important
factor, but I don't see how it hurts to pose a question about it.

