VPN credentials can also be tied to a device certificate, which can be securely stored in the machine’s TPM.
This prevents VPN login from anything except a company-issued machine. You don’t get this with normal password auth.
Practitioners take issue with these gross failings, but the markets and regulators seem to not care in the slightest. Disheartening to say the least, yet the reality of the situation.
Quite concerning; Twitter got really lucky that it was a mere scammer.
Every serious hacker group & adversarial nation-state has just learned a huge amount about Twitter internals, and their weak security.
If Twitter fails to implement far more stringent controls (and yes those are a pain in the neck, expensive and inconvenient), they are 100% sure to be used for serious provocations.
At the very least, Admin access to blue check accounts should require simultaneous triple access codes from admins who don't work together.
As a reference point for what real security looks like: when I worked at IBM, I met a guy who had figured out how four people in different offices could conspire to get $10MM transferred to an offshore acct, and reported it. He was promoted up two levels for that insight (& the loophole was fixed).
That would take 4 people conspiring, probably twice that after the fix.
Meanwhile, a single Twitter admin can post ANYTHING from accounts of people who can launch nuclear weapons.
Sure, it's all fun and games until someone wants to play Global Thermonuclear War - and can.
I hope this gets security taken more seriously.
Sorry, but if our global security comes down to Twitter, then we have far bigger problems than Twitter adding some security layers to their admin interface.
But with that kind of admin access to many accounts, it would be straightforward to spread a LOT of chaos from a number of compromised accounts with a series of plausible tweets. The rate things move, it could get out of hand, and a lot of people killed before it got sorted.
Especially true for experts at provokatsiya (provocation) & dezinformatsiya (disinformation) such as the RUS FSB & GRU.
And yes, we do have bigger problems than Twitter's abysmal security (start w/FBs, which was hacked to hack multiple elections), but to act as if the capability to make comments from verified world leader accounts is irrelevant is, to be polite, foolish beyond belief.
Nevertheless, Twitter is a blip within the vast organizational structures that the world functions on. There is a huge amount of inertia there as well.
Throwing around words like thermo-nuclear war is more than a bit shrill.
There is another factor here as well - it's the same mistake you and many others make with the idea that Facebook was used to "hack an election". There is no evidence at all that opinion forming through Facebook is of any significant importance relative to Fox News, media making a big deal out of a private email server, SuperPACs (those used to be the big election influence scare of the olden days - now they are irrelevant and dwarfed by Facebook). Also, people have agency and they share their beliefs with each other.
Which is all to say - when parent says "we'd have other problems if a Twitter hack brings down world government" then that is exactly that. If 1000 other things must go wrong to cause a war with a false tweet, don't blame Twitter for that war.
Not any more. The US has had for several years a person occupying the President's chair who makes major policy announcements first via Twitter, from abrogating treaties, to immigration policy, issuing pardons/commutations for friends, etc. These pronouncements often surprise even his closest senior staff, and are expected to be acted upon.
This is a far cry from the original trivial "look at these beautiful scallions I had on my breakfast plate!"
The platform needs to be treated with the appropriate seriousness.
Sure, "thermo-nuclear war" is at the far end of the scale. Hacks using Twitter or other SocMed would likely be lower on the scale.
But it is definitely true that with control of all and any verified accounts, including Presidents, commanders, military commands, news outlets, etc., one could craft a series of messages that would at the very least create widespread deadly panic in minutes, if not start an actual war (go look up the results of Orson Welles's "War of the Worlds" broadcast).
The problem is that with the right attack, a lot of things going right WILL cause major problems. The entire point is that it would not require 1000 other things to also go wrong.
As to Facebook, there is more than plenty of evidence that it successfully influenced the election. Not primarily through forming major opinions as through Fox, etc., but by targeting specific demographics down to the individual level (using data stolen from other channels including voting rolls) with tuned messages to generate a specific response, and more on the side of suppressing or diverting voter turnout for HRC than generating it for DT. It took only a few 10K votes in 3 states.
These technologies are far beyond mere juvenile startup toys. Their scale, influence, and valuation show how much power they wield. We need to hold them to levels of responsibility commensurate with that power, not continue to make excuses as if they were children's toys.
Why not just say “provocation & disinformation”?
For example, a tweet by Musk saying that he's seriously considering leaving Tesla "because it's not going in the right direction".
Of course the tweet would be denied and deleted soon after, but who's gonna believe entirely that it was a hack, given Musk's history and a single tweet? It's "Inception", by tweet.
Now imagine what you could do with Trump's account.
Imagine, immediately following the “going private... funding secured” tweets, if a malicious actor wrote something about Saudi funding, or cashing out if it’s rejected. It’d be much harder to separate fact from fiction when the baseline is already crazy sounding.
Or, in a high-tension war scenario, not only posting tweets from POTUS and adversary accounts, but also from various mil commands and news organizations - think creating the entire scenario of Orson Welles's War Of The Worlds broadcast...
Might not start a war (we can hope there are enough safeguards in place), but it could cause a lot of damage in a few minutes/hours...
But then, while you gain in immediate effect, all those accounts will immediately say that they have been hacked. And since it's many uncoordinated and adversary accounts, people will have less trouble believing in a hack.
While if you do it with a single tweet, the suspicion it was in fact authentic will linger.
Heads up, Discord lawyers, you've got subpoenas coming in hot.
We've recently seen the police over here raiding the homes and offices of prominent journalists (quite publicly) to gain access to their sources and related material. :(
That's one data point in opposition (although not exactly revealing a 'source', the difference is splitting hairs).
Blogged under his full name until a couple years ago, blogs under first and middle still, full name still all over the internet and discoverable within a couple minutes, details of life all over blog still. Hell you probably don't even need to know his last name to find him. Scott Alexander Bay Area Psychiatrist is probably enough to go trawling through psychiatrist practice staff pages and find him fairly quickly.
Dude's basically wishing he was anonymous and living in denial because to accept that he isn't would be to accept that he really shouldn't continue his career and blog.
I think it's entirely possible for a person to both be willing to publish his last name and also go to prison in order to protect a source, all while remaining consistent in their principles.
Now, whether or not given journalists are following good enough data handling practices (eg encryption, etc) to still maintain confidentiality is unknown.
We're at the point where the NYT is doxxing random bloggers. I don't think this is a good time to be relying on journalistic integrity for your safety.
I'm not sure what you mean. The story continues after that point. Maybe you hit the paywall?
Personally (having no such principles myself), I would have paid his rent, kept him entombed for a while, then auctioned off Jesus.com to the highest bidder. He must be worth at least 30 pieces of silver!
Fortunately, after an unfortunate series of events (including a creepy Jesus dating site offering eligible women a chance to Win a Shower With Jesus), Jesus.com finally ended up being adopted by the Metropolitan Community Church, https://mcchurch.org (not affiliated with McDonalds), which is pretty good, as churches go. (Their French Friars are excellent!)
https://jesus.com => https://mcchurch.org
>About Metropolitan Community Churches (MCC)
>Founded in 1968, Metropolitan Community Churches (MCC) has been at the vanguard of civil and human rights movements by addressing issues of race, gender, sexual orientation, economics, climate change, aging, and global human rights. MCC was the first to perform same-gender marriages and has been on the forefront of the struggle towards marriage equality in the USA and other countries worldwide.
>MCC recognizes a state of need around the world in the areas of human rights and justice including but not limited to the Lesbian, Gay, Bisexual, Transgender, and Queer community. As people of faith, MCC endeavors to build bridges that liberate and unite voices of sacred defiance. MCC leads from the margins and transforms.
16. Why don't you use this web site to tell people about the real Jesus?
If people cannot find what they need to know about Jesus then they are truly beyond hope.
17. Will you sell your domain to me?
If you can write a check for 10+ million we might have something to talk about.
This is in the FAQ at https://news.ycombinator.com/newsfaq.html and there's more explanation here:
That is unbelievably sloppy on Twitter's part. Not acceptable at a tiny company. I would fire everyone involved with posting the credentials if that's true.
That said, I'm not convinced this story is true but it does add up.
The only thing we trust twitter to do is to provide some notion of authentication for well known users. That's still very important and not something Twitter can afford to lose, but it's not trusting them "with our data", I feel that is a very heavily overused phrase these days.
If these hackers had been more subtle and somehow made the confusion last a long time, it could have been a lot more serious. If people can't rely on Trump being Trump and Musk being Musk on Twitter, then Twitter is just an overgrown internet forum.
That's our data.
Do they? As far as I can tell, Twitter is for loudly shouting all your ill-conceived thoughts in public.
Don't post anything on twitter you wouldn't stand on a street corner screaming.
Most company Slacks are a ticking timebomb of sensitive artifacts waiting to be discovered. Whether it's passwords or just general internal info you wouldn't want to be public, it's wild how much sensitive info is sitting in like 4 systems (Slack, Gmail, Notion, Dropbox).
Protect y'selves people.
An Open-source and self-hosted version of what this service seems to be doing.
They could've just deleted all accounts, cleaned up after themselves and made it difficult to be tracked down. With the information they gave, it wouldn't surprise me if 4chan anons were able to track them down and spam their details "for the lulz".
If I'm guessing, he lied and got access somehow and wanted to destroy Twitter.
What's to stop them from doing that today or simply running their own? It would be a minor expense and effort for them.
There are certainly some other kinds of attacks that could deanonymize those who are using Tor, but the attacker needs to have control of a big percentage of the network, and I actually hope other state actors run enough nodes to make this non-viable.
Why would you assume so?
Still run by the BBC's Mark Thompson.
It is a surprise if they do not just do the slow kill. The donation one is great as it looks harmless. I bet those may not be aware that it is fake. And if there are messages enough ...
It could be bigger news. Luckily it is not a nation. But if a kid can do it ...
Screenshots - The internet's best proof(TM)
So it was not the work of "a state in which a great majority shares the same culture and is conscious of it"?
"But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public."
[Text file?] Logs and screenshots as evidence! That's funny.