Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it usable: https://landing.google.com/advancedprotection/
had escalated more, I don't think it's too far-fetched to imagine an unstable dictator sending off a nuke after being goaded on twitter.
I think it's within the realms of possibility at the very least, although very unlikely (mostly because NK hasn't got a decent delivery system, their nukes aren't very advanced/portable yet and Kim Jong Un's probably not too keen for NK to be destroyed in retaliation).
Given Trump's recent tweet of the spy satellite image, and the apparent taunting of Iran, it's also possible that type of thing could be responsible for triggering future terrorist attacks (although obviously that's not millions of people).
Imagine what effect that would have on already-pressured populations across the globe.
I'm the kind of person who, for example, doubted the Covington Kids story from the beginning. By which I mean I'm not particularly alarmist about a putative vast right-wing catastrophe taking place. But any popular leader (and he's very popular among the people he's popular with) can start incidents like that by accident.
You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
Apropos of nothing, here's an interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein...
> You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
> Apropos of nothing, here's an interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein....
I may be dense, but it was not clear to me what the point of linking to the votesmart site was? Is it the change between pro/against for the Patriot Act?
He's suggesting that Anthony Weiner was "framed" by some 3-letter agency.
* Plausible so that people do not believe it is a compromise
* Offensive enough to cause action
* Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.
This is probably harder than it seems at first glance.
> * Plausible so that people do not believe it is a compromise
> * Offensive enough to cause action
> * Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.
> This is probably harder than it seems at first glance.
Is the third bullet even a thing after the whole Greenland debacle? Before then I had already thought I'd heard it all.
As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) who'd they keep very close tabs on in terms of any unusual activity.
Realistically, Twitter is where announcements are made by world leaders and major corporations, so control of these accounts could have repercussions, although in this case it just seems to have been a general hack...
What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.
In an enterprise setting where people work in an office I don’t see the point of allowing self-service password resets. It opens you to huge risk for very little upside compared to having to physically walk into the office (if you aren’t there already) and have HR/line manager/etc do it for you.
It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.
U2F is "great".
TOTP can be phished, whereas U2F is virtually impossible to phish.
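An added example to illustrate the comment above; this is not code from Twitter or from anyone in the thread. It simulates a relay-phishing attack against both factors. The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second step). The security-key part is a deliberately simplified model of FIDO U2F / WebAuthn: the browser, not the user, supplies the origin it is connected to, the authenticator signs that origin together with the server's challenge, and the relying party rejects any assertion for a foreign origin. Assumptions: the origins are made-up example hosts, and an HMAC over a device secret shared at registration stands in for the real per-origin asymmetric key pair (a real verifier holds only a public key).

```python
"""Relay-phishing simulation: TOTP versus an origin-bound security key.

Added example, not code from Twitter or any commenter. Origins are
constructed; HMAC stands in for the authenticator's asymmetric signature.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://twitter.example"         # constructed stand-in for the real site
PHISH_ORIGIN = "https://twltter-login.example"  # constructed look-alike run by the attacker


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code: RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over the time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpServer:
    """Relying party that checks a code, allowing one step of clock skew either way."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        # Nothing in a TOTP code says where the user typed it, so a code captured
        # by a phishing page and relayed within the window is accepted.
        return any(hmac.compare_digest(code, totp(self.secret, now + skew))
                   for skew in (-30, 0, 30))


class SecurityKey:
    """Simplified U2F-style authenticator (HMAC stands in for the signature)."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        # The signed "client data" includes the origin the browser is actually on.
        client_data = browser_origin.encode() + b"|" + challenge
        signature = hmac.new(self.device_secret, client_data, hashlib.sha256).digest()
        return {"origin": browser_origin, "challenge": challenge, "signature": signature}


class FidoServer:
    """Relying party for one registered key: single-use challenges plus an origin check."""

    def __init__(self, key: SecurityKey, origin: str):
        self.verifier = key.device_secret  # a real server stores the public key instead
        self.origin = origin
        self.outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.outstanding.add(c)
        return c

    def verify(self, assertion: dict) -> bool:
        if assertion["challenge"] not in self.outstanding:
            return False  # unknown or already-used challenge (replay)
        self.outstanding.discard(assertion["challenge"])
        if assertion["origin"] != self.origin:
            return False  # origin binding: a relayed assertion fails here
        client_data = assertion["origin"].encode() + b"|" + assertion["challenge"]
        expected = hmac.new(self.verifier, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def phish_totp(server: TotpServer, victim_secret: bytes, now: int) -> bool:
    """Attacker's page asks the victim for the current code and relays it."""
    code_typed_on_phish_page = totp(victim_secret, now)
    return server.verify(code_typed_on_phish_page, now)


def phish_fido(server: FidoServer, victim_key: SecurityKey) -> bool:
    """Attacker fetches a genuine challenge and relays it to the victim's browser."""
    relayed_challenge = server.challenge()
    # The victim's browser is on PHISH_ORIGIN, so that is what the key signs.
    assertion = victim_key.sign(relayed_challenge, PHISH_ORIGIN)
    return server.verify(assertion)


def legit_fido(server: FidoServer, key: SecurityKey) -> bool:
    """Normal login straight from the real origin."""
    return server.verify(key.sign(server.challenge(), REAL_ORIGIN))


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector secret
    print("TOTP relay phish accepted:", phish_totp(TotpServer(seed), seed, 59))
    key = SecurityKey()
    rp = FidoServer(key, REAL_ORIGIN)
    print("U2F real login accepted:  ", legit_fido(rp, key))
    print("U2F relay phish accepted: ", phish_fido(rp, key))
```

The TOTP server has no way to learn that the code was typed into the wrong site, so the relay succeeds as long as the attacker forwards it inside the skew window. The security-key server never sees a valid assertion for its own origin because the browser on the look-alike host signs that host's name, and the challenge set also defeats replaying an assertion captured from a real login.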
That control should not be solely in Twitter's hands.
Those leaders and orgs need to take a strong look at authenticity via ActivityPub self-hosted on their own namespaces.
And Twitter is where the audience is.
The fact that the account was used to spread racist & nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.
1pm is sophisticated in which timezone?
I just tested the flow. If your phone is linked to your account, regardless of your 2FA settings you can just start tweeting to your account by texting to 40404 without being asked to enter a password and completely bypassing any 2FA settings on your account.
That seems highly unusual to me. Most of these attacks happen with the hacker knowing the password as well. In this case, so long as you’ve successfully ported the number you’re “in”.
"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."
You use your brain a little. You prepare your positions months in advance, and hedge out market risks.
You can also use less regulated brokers in far away places and trade TWTR derivatives.
(If you're going to be arrested for CFAA violations, might as well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)
So does the president
Would you? Not unless you were completely batshit insane.
I appreciate the answers here!
A large website is made up of many different complex, interconnected components, and it would be quite possible for an attacker to compromise a public account without gaining full control of the backend infrastructure.
Probably among tech-savvy people, the percentage is lower, but still higher than it should be.
I myself, having been in IT for over 20 years, am guilty of this for non-sensitive accounts. For significant accounts, they're randomly generated to the longest and highest degree a service allows. My Gmail password, for instance, is a 40-character random string drawn from their allowed characters. I cannot remember it.
Twitter seems incapable of dealing with these issues. If Twitter died tomorrow, or split the platform into multiple namespaces, the world would be a better place, especially since it seems to have a disproportionate hold on the minds of journalists.
Edit because I can't reply: for Twitter you have to remove your phone number. I keep TOTP active as a backup, but might not if I had a highly followed account.
Wonder if the affected users all used the same system in the past?
Only if they (and jack) used a FIDO U2F key would they be really safe.
In this case, Jack's account would've been compromised regardless because the tweets were sent via a third-party application that he had authorized to use his account.
Some of them say racist things or speak about Hitler because they know it will attract far more attention than say: posting a link to some shady website to spread malware.
You can see them on the web archive:
"I am now placing sanctions on the Bank of China and PetroChina for North Korean oil sales"
"I am now announcing Magnitsky sanctions on [insert Central Committee members here] for Xinjiang"
"The whole country of China is now subject to technology sanctions"
"I am now placing tariffs on German cars until Germany cancels Nord Stream"
"I am banning US companies who source components from China from participating in federal contracts"
or even positive news like "Tomorrow, my great friend Xi Jinping and I will announce a wonderful deal with China that lifts all tariffs, solves IP issues, and lets our great economy invest in theirs and vice versa"
On the other hand, it did make me consider that there are some accounts that could be compromised that would be very significant: Trump.
* locked to 2fa with security keys
* limiting the set of apps that can access account data
* better scrutinized account reset - I assume this means it makes your account more resistant to phishing on Google employees' part.
It's nice that Google apparently makes this available to anyone who is willing to buy the security keys. It would be nice if all major social media services had such a program.
Trump? I'm not really being facetious when I ask what difference it could possibly make. Of course, sometimes his tweets do appear to move the stock market, but still.
The official policy of the White House is that the President's tweets from @realDonaldTrump can be statements of the President in his official capacity, and therefore binding to the extent that any Presidential order or command can be. He has fired people, he has announced sweeping policy changes, made nominations, and so on through Twitter, which have then been acted on by the executive branch, Congress (which held appointment hearings for a SecDef before a formal nomination, but after a tweet), and the courts.
1. of the executive branch by and through the US Department of Defense, among other examples
2. the legislative branch, by and through committee hearings and acceptance as fact of nominations not yet formally made, among other examples
3. and the judicial branch, by and through accepting as fact the arguments of the DOJ through the solicitor general that statements by the President via Twitter are "official statements of the President", among other examples
That's not wink wink, nod nod. That's just fact. The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.
Sure, but pretty much everybody in the world accepts as fact that he uses it to issue random nonsense as well. Surely you don't need examples of this.
Which comes back to my question: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first?
Regardless of that, separating "official communications" from "personal" would be really tricky. Which tweets would come as "the current president" and which as "the candidate up for re-election"?
In addition to that, there are actually separate accounts (official @POTUS / personal @realDonaldTrump) but Trump-the-person has no incentive to ever use the official account (it's not "his") and so all the @POTUS account does is just retweet the personal account, sort of defeating the purpose.
Is UTF-8 just so much U-238 in drag?
If someone is starting a war, then any tweet is fungible with another.
That would probably trigger war.
Color me skeptical, sir.
Can you imagine what would have happened if a post-9/11 Iranian leader's account had tweeted "we have successfully acquired nuclear weapons and will be attacking Washington DC and Jerusalem tonight"? Elements within the governments of the USA and Israel have been agitating for war with Iran for decades, and that could give them the cover they need to act on it.
The elevation of social media to the level of a United Nations general assembly just doesn't seem to pass muster, boss.
On a serious note, the people who hacked Jack and several others are called #ChucklingSquad. So actually be cautious about protecting your account.
These appear to have been done by the same people who compromised Jack