
Twitter Tells Users They May Be Targets of a 'State Sponsored Attack' - tdurden
http://motherboard.vice.com/read/twitter-told-a-bunch-of-users-they-may-be-targets-of-a-state-sponsored-attack
======
rev_bird
I'm very heartened by Twitter taking this approach to protect their users, but
it comes about a week after I was very disappointed by the process of signing
up for a Twitter account through Tor. I wanted an account that wasn't linked
to me personally -- it was at least partially an experiment in anonymity, but
it failed completely when Twitter blocked my signup until I provided a
verifiable phone number.

Twitter denies this in the article, of course:

> (Twitter has denied blocking Tor. In September, Twitter spokesperson Nu
> Wexler told Motherboard, “Twitter does not block Tor, and many Twitter users
> rely on the Tor network for the important privacy and security it provides.
> Occasionally, signups and logins may be asked to phone verify if they exhibit
> spam-like behavior. This is applicable to all IPs and not just Tor IPs.”)

I get why they want to keep suspicious actors out of their ecosystem, but the
only suspicious thing I did was try to be anonymous. If protecting people from
"state-sponsored attack" was actually a priority, they'd figure out ways to
enable people to protect themselves.

~~~
damienkatz
If you used Tor then your IP came out of a Tor exit node, which is almost
certainly associated with someone else's concurrent bad/spammy behavior. How
could they know you aren't the bad guy?

~~~
netheril96
I wonder why IP-based blocking is still a thing (e.g. Wikipedia). With the
IPv4 exhaustion and IPv6 non-adoption, many people who are not associated at
all share a single public IPv4 address. How is a blocking policy based on
IP ever going to have a low enough false positive rate?

~~~
wavefunction
There are perfectly legitimate reasons to IP block.

I block connections from most of the world to my various network resource
admin points because only I am going to be connecting to them and I'm not
going to be connecting from China or Nigeria or Romania. And if I am, I
unblock them temporarily.

~~~
netheril96
I was thinking about websites meant to be accessed by the public.

------
adrtessier
It seems that working publicly on information privacy tools (and especially
the Tor Project) increasingly makes you a target for nation-state-level
adversaries. I'm very curious who the actor was, and what they expected to
gain of value from Twitter accounts.

I find it extremely unlikely for this attack to have been perpetrated by the
United States; after all, Twitter is an American company and a three-letter
could just NSL them for the data they wanted on these "activists".

------
ryanlol
I've commented about this before
(https://news.ycombinator.com/item?id=10410658)

I received one of these alerts from Gmail years ago, and frankly... it was
completely useless to me.

Telling someone they're being attacked doesn't provide much value, what are
you supposed to do? I ended up wasting loads of time going through all of my
account logs and searching through months' worth of emails trying to find signs
of this supposed attack... and discovered nothing at all.

Although, props to Twitter for recommending Tor. That's significantly better
than nothing, although of little use since you are in for a bad time trying to
use Twitter over Tor.

~~~
anotheryou
They send it to groups of people, doesn't even mean you personally have been
targeted.

I got the notification too, it was around the time protests in Turkey heated
up for the first time.

------
theGimp
It's weird people are complaining about how Twitter did something wrong this
once or how knowing you're being attacked is useless.

I see this as nothing but positive. Could it be better? Sure, but what can't
be better.

Kudos to the Twitter team for doing what's right rather than what's easy.
Here's hoping others will follow your lead.

~~~
bigbugbag
Don't assume Twitter, or any other centralized gateway website, is
trustworthy. For example, they could have been gamed into putting pressure on
a selection of people, diverting their mind from their activities.

What I'm saying is to consider the larger and deeper picture than the framed
one.

------
comboy
I'm very curious how Twitter came to the conclusion that it was done by
"state-sponsored actors".

~~~
adrtessier
Attribution is generally hard in these types of things, and some guy with IR
experience can probably explain more than I can.

However, some of these attack groups follow specific patterns, use specific IP
addresses, domains, emails, etc. because there is no real consequence to them
doing so. Kaspersky, Mandiant et al [1] often have great writeups on these
types of things that are often posted to their own blogs and to netsec-related
mailing lists that show some of these common attack patterns.

On top of this, Twitter could have been tipped off by law enforcement or
intelligence.

[1] http://www.mandiant.com/apt1

~~~
UshZilla
Right, specific attribution is often challenging, but tactics, techniques, and
procedures often have signatures or fingerprints common to the level of
sophistication of the actor. Of course this also opens the opportunity to
spoof attack vectors, but who knows.

With the inside visibility of the traffic across their network Twitter would
be able to estimate (whether with their own internal security experts or an
outside service) the sophistication of the attacker.

Would expect that at this point there was some discussion with FBI as well.
Also, as pointed out, very common for a tech company to be notified by
FBI/NSA/police in these situations.

I work with one of the people interviewed in the article, we've been having
some fun on Slack with it :)

~~~
adrtessier
Well, it's good to know that I basically got it right. I don't work in
incident response, so I had to make an educated guess at what signatures I'd
assume IR people would use to respectably say "this is a nation-state."

> I work with one of the people interviewed in the article, we've been having
> some fun on Slack with it

Ooh boy. I don't think there's much you can do about something like this other
than laugh it off, and also maybe recognize that hey, you're probably doing
something of influence. (And probably make lots of jokes about APTs.)

------
aaronem
I think it's really neat how they put the article together so that, by the
end, it makes this sound like a revival of COINTELPRO despite a total and
complete absence of anything even remotely resembling evidence in that
direction.

------
rajacombinator
All criticism aside, really impressed that Twitter is taking this step. Now if
they could just reestablish faith with the dev community...

------
unusximmortalis
This is why you should use twister instead ;-)

------
fiatjaf
What? They're reminding users they are obliged to pay taxes now?

~~~
airza
What?

~~~
drdeca
I think they are making some unrelated point about how they consider taxes to
be an attack.

