Former Twitter Executive Blows Whistle on Company's "Negligent" Cybersecurity, Stating that It Lacks Even Basic Protections for User Data

rinaldo00

[H]ard|Gawd
Joined
Mar 9, 2005
Messages
2,015
According to the former head of security at Twitter it has terrible security. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service. The scathing disclosure, which totals around 200 pages, including supporting exhibits -- was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice.
https://www.cnn.com/2022/08/23/tech..._content=2022-08-23T10:35:44&utm_source=twCNN
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
36,076
Maybe I am a bit ignorant here, as I am not really a Twitter user, but what private user data does Twitter really have that users haven't already chosen to make public?

I mean, it's a platform for making public statements, 140 characters at a time.

Or I guess that is 280 now, but still.
 

auntjemima

[H]ard DCOTM x2
Joined
Mar 1, 2014
Messages
11,267
Maybe I am a bit ignorant here, as I am not really a Twitter user, but what private user data does Twitter really have that users haven't already chosen to make public?

I mean, it's a platform for making public statements, 140 characters at a time.

Or I guess that is 280 now, but still.
How to get a blue Check:

"For individuals, the organization that owns the website must be Verified on Twitter. ID verification: Provide a photo of a valid official government issued identification document, such as your Driver's License or Passport. This requirement applies to individuals, not companies, brands, or organizations."

Googled.

Edit: so I'm sure they have quite a few IDs floating around.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
36,076
How to get a blue Check:

"For individuals, the organization that owns the website must be Verified on Twitter. ID verification: Provide a photo of a valid official government issued identification document, such as your Driver's License or Passport. This requirement applies to individuals, not companies, brands, or organizations."

Googled.

Edit: so I'm sure they have quite a few IDs floating around.

I didn't know they collected that data.

What is a blue check?
 

auntjemima

[H]ard DCOTM x2
Joined
Mar 1, 2014
Messages
11,267
I didn't know they collected that data.

What is a blue check?
It's the blue checkmark next to "verified" accounts. You probably don't notice it because everyone is verified these days. They have all paid their dues and given up their IDs.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
36,076
It's the blue checkmark next to "verified" accounts. You probably don't notice it because everyone is verified these days. They have all paid their dues and given up their IDs.

What does it mean to be "verified" on Twitter?
 

1_rick

2[H]4U
Joined
Feb 7, 2017
Messages
3,622
What does it mean to be "verified" on Twitter?
You've provided ID to prove your identity, if you're a regular person. If you're part of an organization, point them to your page on the org's website, showing the email that matches your Twitter account.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
36,076
You've provided ID to prove your identity, if you're a regular person. If you're part of an organization, point them to your page on the org's website, showing the email that matches your Twitter account.
It means that it is verified that you are actually who you say you are. But many view it as some sort of badge of honor that gives legitimacy to the nonsense they spew.

I can see that having value if you are some sort of person who is known. A celebrity, politician, business leader or something like that.

For your average opinionated asshole, not so much.
 

Sycraft

Supreme [H]ardness
Joined
Nov 9, 2006
Messages
5,309
I should get out the Fry "I'm shocked" gif. A .com company that has shit cybersecurity? Why I've never seen that except for every single one of them!

Twitter in particular doesn't surprise me. None of the social media platforms seem to give a crap.
 

Mystique

Limp Gawd
Joined
Mar 28, 2009
Messages
366
It's social media, they don't give a damn, and all have the same problem. Tons of bots, lots of doxxing, lots of spyware, and operates like a hatebox certain to get you outraged after reading it. Oh. And some of them have upvotes to make some people chase popularity.
 

RanceJustice

Supreme [H]ardness
Joined
Jun 9, 2003
Messages
6,380
It's social media, they don't give a damn, and all have the same problem. Tons of bots, lots of doxxing, lots of spyware, and operates like a hatebox certain to get you outraged after reading it. Oh. And some of them have upvotes to make some people chase popularity.
Its important to note that this isn't a requirement - this is a design choice; a feature, not a bug. I could write a whole screed on this problem in depth, but suffice it to say that many present it as something that just "happened, natively and organically occurring" with the development of social media. This is not at all the case. Rather, it was made this way to benefit the data miners, advertisers, and others seeking as much useful information as possible to be monetized; surveillance capitalism. It is often stated that the "genie can't go back in the bottle" by those with vested interests, that somehow social media has to be a giant shitstorm of privacy obliterating garbage and horrid policies but this is not at all true. It is completely unacceptable that Twitter, one of the largest social media monoliths in an increasingly centralized Web , should be in possession of such user data and storing it without security commiserate with the size and scope of the site not to mention its financial value.

While its true that the younger generation post "social media" will not be likely to go back to the kind of "Usenet, IRC, messengers and forums" focus that [H] exemplifies, it doesn't mean that "social media" needs to be a centralized, privacy hostile, proprietary hellscape either. There are alternatives to simply moving to another centralized "also-ran" site hoping to become the next big thing, as well. Looking at all the alternatives, I've found that its generally best to focus on open source, decentralized, federated (non-blockchain/crypto asset linked) technologies. Distributed (ie full on peer to peer) tech has its place but for social media, it has crappy discoverability and usability among other potential issues. Blockchain/crypto is its own whole thing but suffice it to say there's almost no social media alternative that takes place entirely ON the blockchain (with good reason, you wouldn't want it there in the first place) and every related alternative has basically stapled a crypto-asset to a social media platform in the hopes that by forcing its use in that ecosystem, its valuation will go up. That is to say, its not for making the best social tech, but rather for making money for those who want to see a particular asset raise in value - I'd rather not have that conflict to deal with, among other problems.

For pragmatic social media alternatives to fix the problem with incumbents (centralized, proprietary, monolithic etc), I find that open source, decentralized, and more specifically federated projects are likely best. Much like email itself or XMPP, this means a user can either create their own server or sign up on an existing one (assuming you agree to that node's rules) while all users and servers are interoperable! Many of these projects, particularly those that support the ActivityPub standard, fall under the moniker of the "Fediverse" . Though individual projects have their own homepages and links to many instances, sites like https://fediverse.party/ , https://fedidb.org/ and others (the Links section within the FediverseParty "fediverse" page shows quite a few project indexers and metrics) can describe many projects and what they are attempting to do / what mainstream service to which they are comparable etc. For instance Mastodon and Pleroma are popular microblogging Twitter-like platforms, but they also highlight some key differences between major sites and fediverse alternatives. For instance, Twitter's "retweet" function allows you to post another's tweet and comment on it, which makes it a prime tool in creating content by rageposting : a "Look at this hot take, isn't it bullshit?" sort of thing. Conversely, Mastodon et al have "boosting" which allows you to forward another's message to your followers but WITHOUT the ability to editorialize on it. Thus, people have to think twice - " if I boost this thing, will people think I'm in favor of it? Against it? Sure I can write another post afterward saying it was good/bad, but the original one could be easily taken out of context so...maybe I shouldn't do it at all just because someone said something stupid". Thus, a small change means less rage-posting ; anathema to Twitter where that is the core of generating content and spreading it in monetizable ways, but for a FOSS Fediverse alternative with myriad servers interoperate each with varying owners/admins, viable.

Be it Mastodon/Pleroma (Twitter-like), Friendica/Diaspora (Facebook-like macro-social), Pixelfed (Instagram image focus), PeerTube (YouTube alternative, with livestreaming!), OwnCast (Twitch, livestreaming focus), Funkwhale (Spotify style music streaming), FChannel and Lemmy ( Imageboard and link aggregator respectively), Mobilizon (MeetUp/Facebook Events style calendar/RSVP, quite useful) and many more, there are many alternatives to the mainstream that offer similar functionality. If a modest percentage continues to switch to or join these platforms , there is a chance that social media will not be the unholy shitfest that it currently embodies. Now this doesn't mean that Fediverse servers are perfect - there are still jerks who run a particular instance and/or set up draconian restrictions for their users - but unlike a centralized proprietary site, it doesn't mean the entire platform is compromised! You can move to another instance and, depending on the protocol, sometimes you can "take it all with you" from one to the other. The biggest issue is of course the network effect and inertia, but issues like the Twitter security fiasco above consistently add to people looking for an alternative. I'd prefer them to move to libre, decentralized/federated alternatives rather than the next bad actor or knockoff looking to monetize a captured audience.
 

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
21,633
Cybersecurity firm links Piers Morgan Twitter hack to leak of 400m records
https://www.theguardian.com/technol...400-million-records-including-scott-morrisons

The hacker claimed the data had been “scraped” from Twitter via a “vulnerability” in the site, and includes emails and phone numbers of celebrities, politicians, companies, normal users, and a lot of OG and special usernames”.

The hacker offered data for sale “exclusively” to Twitter for US$200,000 (A$300,000) in order for the company to avoid paying EU General Data Protection Regulation (GDPR) fines.



Twitter in data-protection probe after '400 million' user details up for sale
https://www.bbc.com/news/technology-64109777
Cyber-crime intelligence company Hudson Rock says it was the first to raise the alarm about the data sale.

While acknowledging the amount of data taken had not been verified, the firm's chief technology officer, Alon Gal, told the BBC a number of clues appeared to support the hacker's claim.

The data did not appear to have been copied from an earlier breach in which details were published from 5.4 million Twitter accounts, Mr Gal said.

Only 60 emails out of the sample of 1,000 provided by the hacker in the earlier incident appeared, "so we are confident that this breach is different and significantly bigger", he said.

Also, Mr Gal noted: "The hacker aims to sell the database through an escrow service that is offered on a cyber-crime forum. Typically this is only done for real offerings."

An escrow service is a third party that agrees to release funds only when certain conditions (such as handing over data) are met.


https://twitter.com/RockHudsonRock/status/1606644986363400193?

1672449454886.png


There goes the neighborhood! -- Ice-T
 

1_rick

2[H]4U
Joined
Feb 7, 2017
Messages
3,622
Cybersecurity firm links Piers Morgan Twitter hack to leak of 400m records
Dammit, I thought this was going to be a story where it was his fault, so they could finally throw him in an oubliette, but no, he's just another victim.
 
Top