
The trouble I had trying to contact Twitter support about a security issue - r3bl
https://twitter.com/i/moments/878356515622617088
======
r3bl
On the bright side, at least it didn't take me 82 days to reach someone within
Twitter, as much as it took me to reach someone within GitHub two years ago:
[https://blog.r3bl.me/en/worst-support-experience-ever/](https://blog.r3bl.me/en/worst-support-experience-ever/)

~~~
snakeanus
I remember reporting someone for doxxing in GitHub comments and I received a
reply that they would investigate it 2 months later.

~~~
kuschku
That’s where you send a C&D to their HQ, or post on social media.

The only two ways to reach such hostile corporations are via legal action or a
PR disaster.

~~~
toomuchtodo
Doxxing isn't against the law, at least in the US. No privacy rights, first
amendment, all that jazz.

~~~
kuschku
In the EU, you have a right to get all personal information about you deleted
from any service, unless you are a person of the public.

That would be relevant enough here (and several Germans have successfully got
courts to issue warrants for that, and got restraining actions against Twitter
users).

~~~
toomuchtodo
EU law does not extend to US entities that do not have a nexus in the EU.

I could not find, from a cursory review, any GitHub offices in the EU. Nor
does an entity not investigating a doxxing claim in a timely manner make them
"hostile", only apathetic.

~~~
kuschku
> EU law does not extend to US entities that do not have a nexus in the EU.

I'd have agreed with you on that until last year, when the US decided that US
law applies to foreign entities, even if they have never been in the US, never
did business with US entities, never used USD, etc (the famous case w.r.t.
9/11 and Saudi Arabia which Obama vetoed).

That case legitimizes using national law against a foreign entity. And, just
like in the Megaupload case, where the US seized assets of a German citizen in
New Zealand, the EU could seize GitHub's assets remotely.

Such a situation has happened only once before, where an airplane of a foreign
airline was seized to force the airline to issue a refund to a customer. In
the same way, servers rented by GitHub could be seized, and, as argued above,
enough cases exist to justify that.

Is it appropriate in this case? Probably not. Does the EU have a legal tool to
enforce it? Yes.

~~~
toomuchtodo
Forgive me if I find the EU enforcing any terms with the US humorous.
Seizing US-based assets? Not in this political cycle.

~~~
kuschku
> Seizing US-based assets? Not in this political cycle.

I’m not so sure. France seizing Google assets last year was quite a sign, and
they’d likely be able to do so again.

Yes, the EU Commission and the German government are quite corrupt since
Google, Uber, MS and co have outright bought them, but France, the EU
Parliament and the courts would still fight in this case.

------
smsm42
Common problem for all major services: if you have support that actively
answers the requests, you'd get flooded with all kinds of junk, and hiring
people that can a) sort through the junk without quickly burning out and b)
distinguish "i clicked something and now internet is gone!!! help!!!" people
from people reporting legit problems is very expensive. I'd say prohibitively
expensive. And if you don't go to this expense, eventually somebody somewhere
gets a false negative and shames you on all social media. I haven't found many
exceptions to that rule: if you want to report something to a big company,
you'll have to deal with several layers of bots or bot-like script readers,
which have zero incentive to escalate your issue (they are probably trained to
have a very high escalation threshold, otherwise everybody would demand to
speak to the Twitter CEO about some dude posting offensive stuff on Twitter).
So either arm yourself with a lot of patience, or give up.

------
snakeanus
It's like they are paying them to reply with irrelevant links to their support
page. I would really not be surprised if every mail that they sent to OP was
written by bots.

~~~
douche
I've often wondered that about most tech support avenues. At times, I wouldn't
have been surprised if Microsoft had an entire staff whose only purpose was to
tell people in the MSDN forums that they asked their question in the wrong
place (whether they did or not).

~~~
reitanqild
Agree. Really seems to be a general thing in some circles.

See Stack Overflow etc., where for a couple of years at least it seemed that,
more likely than not, any really useful question/answer would be
flagged/closed/something. I've seen less of it lately, so either I developed a
blind spot, Google changed ranking, or SO decided to stop doing this (I've seen
some people trying to advocate common sense on meta).

One of my favourites: an otherwise relevant question on networking being
flagged off because the equipment in question was placed _between_ two
corporate networks and the rules specified that it had to be placed _in_ a
corporate network. :-/

------
ourcat
The current rise of "bots" that I'm seeing being developed of late seems to
forget one really crucial thing about humans, especially in a time of need: We
need to talk to another human.

It started with "choose your option", "press x.." call routing. You know, the
ones which keep you trapped in a menu while charging premium rates. How many
times have we all shouted "give me a human!!" to an automated call system?

This rampant increase in (money/job/man-hour -saving) bots seems to me to be
very short-sighted and totally destroying the relationships that companies
used to have (or dreamed of having) with their customers/users/(unwitting
prisoners).

~~~
nolemurs
> The current rise of "bots" that I'm seeing being developed of late seems to
> forget one really crucial thing about humans, especially in a time of need:
> We need to talk to another human.

I don't think this is true at all. If the bots were effective problem solvers
then there'd be no problem. The issue is not some emotional need for human
connection. OP certainly didn't need that - he would have been fine with a bot
that correctly identified his email as a security report, forwarded it to the
appropriate engineer, and let him know.

The issue is that the bots are completely useless for anything but idiot
problems. Frankly, a comparably competent human would be _much_ more
frustrating.

------
LeoNatan25
This is just another indication of how much these idiotic companies take
security seriously. Only once some news outlet picks this up and it gains
traction, and it becomes a PR problem for them, will this be solved.

------
ikawe
There are special channels for reporting security issues.

[https://about.twitter.com/company/security](https://about.twitter.com/company/security)

~~~
forthefuture
If you read the last image in the article, Twitter's security team already
responded (within 2 days) that because this wasn't reproducible, there was
nothing they could do to attempt to fix it.

~~~
ikawe
Ah, thanks. TFA is pretty unreadable on mobile.

------
culturedsystems
The author seems to be assuming that, if they enable third-party app 2FA, SMS-
based 2FA will be disabled; and so, they're assuming because they are still
getting SMS verification codes, app-based 2FA hasn't been set up. But the
support documents don't actually say that enabling app-based 2FA disables SMS-
based; in fact, the docs seem to view app-based 2FA as a supplement to SMS-
based 2FA (to be used when you don't have a signal), rather than a
replacement. I tried enabling app-based 2FA, and Twitter still sends me SMS
codes, but using the code from Google Authenticator, rather than the one from
the SMS, also lets me log in.

So, it's not clear to me that app-based 2FA actually is broken. Still, given
the security weakness of SMS, not letting people disable it in favour of an
alternative form of 2FA does seem like a bad decision.
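
To make the distinction in the comment above concrete (app-based 2FA as a supplement to SMS versus a replacement for it), here is an added example that is not code from this thread and not Twitter's implementation, which is unknown: an RFC 6238 TOTP verifier with a hypothetical per-account policy object. With `sms_enabled=True` a texted code is still accepted even though an authenticator app is enrolled, which is the behaviour the commenter observed; with `sms_enabled=False` only the app code is accepted. The secret is the RFC 6238 reference secret and the timestamps and SMS code are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class SecondFactorPolicy:
    """Hypothetical per-account 2FA settings (constructed for this example)."""
    totp_secret: Optional[bytes]   # None if the user never enrolled an app
    sms_enabled: bool              # whether a texted code is still accepted


def verify_second_factor(policy: SecondFactorPolicy, submitted: str, now: int,
                         sms_code: Optional[str] = None, window: int = 1) -> str:
    """Return which factor the submitted code satisfied: 'totp', 'sms' or 'rejected'.

    sms_code is the code the service just texted (None if no SMS was sent);
    window is how many adjacent 30 s steps are tolerated for clock drift.
    Comparisons are constant-time so a partially correct guess leaks nothing.
    """
    if policy.totp_secret is not None:
        for drift in range(-window, window + 1):
            expected = totp(policy.totp_secret, now + drift * 30)
            if hmac.compare_digest(expected, submitted):
                return "totp"
    if policy.sms_enabled and sms_code is not None and hmac.compare_digest(sms_code, submitted):
        return "sms"
    return "rejected"


# RFC 6238 reference secret (ASCII "12345678901234567890"); times below are constructed.
SECRET = b"12345678901234567890"


def demo() -> dict:
    """Same app code and same texted code checked against both policies."""
    t = 1111111111                      # constructed login time (an RFC 6238 test time)
    app_code = totp(SECRET, t)          # what the authenticator app would show: '050471'
    sms_code = "123456"                 # constructed: the code the service texted
    supplement = SecondFactorPolicy(totp_secret=SECRET, sms_enabled=True)
    replacement = SecondFactorPolicy(totp_secret=SECRET, sms_enabled=False)
    return {
        "supplement_app": verify_second_factor(supplement, app_code, t, sms_code),
        "supplement_sms": verify_second_factor(supplement, sms_code, t, sms_code),
        "replacement_app": verify_second_factor(replacement, app_code, t, sms_code),
        "replacement_sms": verify_second_factor(replacement, sms_code, t, sms_code),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two policies is the last line of `demo()`: under the "supplement" policy the weaker SMS channel remains a valid login path no matter how carefully the app is set up, so an attacker who can intercept or redirect SMS gains nothing from the user's having enrolled an authenticator. Only the "replacement" policy actually removes SMS from the accepted set, which is the option the commenter notes Twitter did not offer.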

------
pogue
I've actually never gotten a response to @support on Twitter. And I've
messaged them dozens of times about different issues. I didn't even realize
that account was for getting questions answered; I thought they just posted
status updates or something.

------
graphememes
Just release publicly how it's broken.

~~~
nkozyra
It's a shame but this is typically the way to make the wheel squeak.

"Security issue" should be a red flag for support.

------
crispyambulance
The user:employee ratio at Twitter is something like 100000 users per
employee.

What can you realistically expect from "support" when you're not an actual
paying customer of Twitter?

~~~
janwillemb
We're talking about a security issue here, not regular support.

~~~
kelnos
It's not really a "security issue" in the way we think of them. This is just
an -- optional -- security feature that isn't working, and as it turns out,
not working on just one person's account. The OP shows that Twitter Security
actually did investigate reasonably promptly, and replied that they couldn't
repro the issue.

And I think that's not unreasonable. The security team is mainly about
triaging security vulnerabilities. They likely aren't equipped to deal with an
issue that appears to be restricted to a single account, that's related to an
optional feature.

Now, Twitter's main-line support seems to be worse than useless, but I suppose
that's to be expected, sadly.

~~~
r3bl
> and as it turns out, not working on just one person's account.

It's actually three. Three accounts, on three different browsers (Chromium,
Firefox, Safari), using three different operating systems (Ubuntu, Windows,
macOS). I was able to replicate it exactly as I've described every single
time. They claim that they haven't. I'm in no position to try it with a larger
number of accounts.

~~~
kelnos
And that's basically the worst thing to happen in any bug report scenario:
unable to reproduce. Obviously we all want our support issues to get resolved
in a positive manner, but sometimes it's not possible. And it's not like we're
paying for Twitter, so they have no obligation to help us beyond what they
think might make their actual paying customers unhappy. You may disagree with
their math on this one, but it's their math to make.

------
calvinbhai
Could there be an external factor that's messing it up? Is this replicable for
accounts that are not based in your country?

------
OliverJones
How many times do we forget and have to be reminded?

If you don't pay for the product you are the product.

I wonder how they respond to 2FA fault complaints from accounts like
@realKimJongUn.

------
maaaats
This is unreadable on mobile. I have to click on the image to read it, which
takes me to a tweet (after quite some time loading), and then have to click
the image again. Then click back twice to get to the next image and do the
same.

~~~
r3bl
If it makes you feel any better, it was a pain in the ass to write it down on
mobile too. I had to rearrange tweets every time I've added a new one, and
then when I published it, they were suddenly all in a different order than the
one I've set up. So I had to edit them from the desktop. And I've failed
multiple times to edit the description (both on desktop and mobile), so it
remains "I'm this moment" instead of "In this moment" in the description of
the moment.

------
mitja_belak
Disgusting