On the Twitter Hack

Twitter was hacked this week. Not a few people’s Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system administrators. Those are the people trusted to ensure that Twitter functions smoothly.

The hacker used that access to send tweets from a variety of popular and trusted accounts, including those of Joe Biden, Bill Gates, and Elon Musk, as part of a mundane scam — stealing bitcoin — but it’s easy to envision more nefarious scenarios. Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating.

Whether the hackers had access to Twitter direct messages is not known. These DMs are not end-to-end encrypted, meaning that they are unencrypted inside Twitter’s network and could have been available to the hackers. Those messages — between world leaders, industry CEOs, reporters and their sources, health organizations — are much more valuable than bitcoin. (If I were a national-intelligence agency, I might even use a bitcoin scam to mask my real intelligence-gathering purpose.) Back in 2018, Twitter said it was exploring encrypting those messages, but it hasn’t yet.

Internet communications platforms — such as Facebook, Twitter, and YouTube — are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable. Twitter and companies like it are essential to our national dialogue, to our economy, and to our democracy. We need to start treating them that way, and that means both requiring them to do a better job on security and breaking them up.

In the Twitter case this week, the hacker’s tactics weren’t particularly sophisticated. We will almost certainly learn about security lapses at Twitter that enabled the hack, possibly including a SIM-swapping attack that targeted an employee’s cellular service provider, or maybe even a bribed insider. The FBI is investigating.

This kind of attack is known as a “class break.” Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security. It didn’t matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn’t matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.

Class breaks are security vulnerabilities that break not just one system, but an entire class of systems. They might exploit a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in internet-enabled digital video recorders and webcams that allows an attacker to recruit those devices into a massive botnet. Or a single vulnerability in the Twitter network that allows an attacker to take over every account.

For Twitter users, this attack was a double whammy. Many people rely on Twitter’s authentication systems to know that someone who purports to be a certain celebrity, politician, or journalist is really that person. When those accounts were hijacked, trust in that system took a beating. And then, after the attack was discovered and Twitter temporarily shut down all verified accounts, the public lost a vital source of information.

There are many security technologies companies like Twitter can implement to better protect themselves and their users; that’s not the issue. The problem is economic, and fixing it requires doing two things. One is regulating these companies, and requiring them to spend more money on security. The second is reducing their monopoly power.

The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people’s accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.

The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it’s because they decided you can have them. There is no regulation. There is no accountability. There isn’t even any transparency. Do you know how secure your data is on Facebook, or in Apple’s iCloud, or anywhere? You don’t. No one except those companies do. Yet they’re crucial to the country’s national security. And they’re the rare consumer product or service allowed to operate without significant government oversight.

For example, President Donald Trump’s Twitter account wasn’t hacked as Joe Biden’s was, because that account has “special protections,” the details of which we don’t know. We also don’t know what other world leaders have those protections, or the decision process surrounding who gets them. Are they manual? Can they scale? Can all verified accounts have them? Your guess is as good as mine.

In addition to security measures, the other solution is to break up the tech monopolies. Companies like Facebook and Twitter have so much power because they are so large, and they face no real competition. This is a national-security risk as well as a personal-security risk. Were there 100 different Twitter-like companies, and enough compatibility so that all their feeds could merge into one interface, this attack wouldn’t have been such a big deal. More important, the risk of a similar but more politically targeted attack wouldn’t be so great. If there were competition, different platforms would offer different security options, as well as different posting rules, different authentication guidelines — different everything. Competition is how our economy works; it’s how we spur innovation. Monopolies have more power to do what they want in the quest for profits, even if it harms people along the way.

This wasn’t Twitter’s first security problem involving trusted insiders. In 2017, on his last day of work, an employee shut down President Donald Trump’s account. In 2019, two people were charged with spying for the Saudi government while they were Twitter employees.

Maybe this hack will serve as a wake-up call. But if past incidents involving Twitter and other companies are any indication, it won’t. Underspending on security, and letting society pay the eventual price, is far more profitable. I don’t blame the tech companies. Their corporate mandate is to make as much money as is legally possible. Fixing this requires changes in the law, not changes in the hearts of the companies’ leaders.

This essay previously appeared on TheAtlantic.com.

Posted on July 20, 2020 at 8:49 AM

73 Comments

Comments

Alan July 20, 2020 9:31 AM

I’ve been wanting for a long time to see a truly decentralized, encrypted version of something like Twitter become the new standard. Mastodon does a lot of things well, but I feel like a way to cryptographically sign all new posts would really help cases like this. It would have to be integrated into the authentication process in a way that a rogue administrator couldn’t access the private keys, but if done well I feel it could be really useful.

chuck July 20, 2020 9:31 AM

No. You either give users ability to recover a lost password (and the whole ‘security’ becomes a theater) – or you don’t. US Banks are notoriously easy to fool. Every time I call my US bank I’m shocked how easy it would be for anyone who knows me well to impersonate me.

Jeremy Dubansky July 20, 2020 10:07 AM

I would like to see proof of “Someone compromised the entire Twitter network”; otherwise everything else you say has to be taken with a grain of salt. Other articles are saying the attackers just paid off a rep at Twitter, and what you are saying has further implications.

echo July 20, 2020 10:33 AM

In the UK, at least as far as some state services go, if you are a person with a public profile or obscenely wealthy or one of a number of categories, “client accounts” have special protection such as sign-off by a manager before access, or are spun off into a special unit. Various whimsical equivalents exist in the private sector. With respect to these largely unregulated or badly documented systems I’m too lazy to rattle off the inadequacy and negligence that I’m familiar with; suffice it to say it’s pain.

I don’t believe 99% of what I’ve read from media hysterics about this. It reeks of speculation on speculation with no supporting evidence.

EU/UK privacy legislation is somewhat ahead of America but I do agree these social media and other big tech companies are abusing monopoly law as practiced in the US and trying to dodge EU/UK legal responsibilities as hard as they are trying to dodge tax.

Michael July 20, 2020 10:35 AM

@Alan I do believe Mastodon gets us very close to the solution. It is meant to be run by hundreds of organizations while still being able to follow users not in your organization. It only lacks the “verified accounts” from Twitter.

Ari Trachtenberg July 20, 2020 11:00 AM

I can think of no technical reason why Direct Messages are not end-to-end encrypted. With a central authority, this can be done fairly easily and efficiently.

wiredog July 20, 2020 11:07 AM

So how do you break up Twitter? It’s a messaging/microblogging service with an advertising service.

Facebook has Instagram, Facebook Messenger, the ad platform, and a couple of other bits that could be spun off.

YouTube is owned by Google, which certainly could be broken up into a dozen or so pieces.

Vesselin Bontchev July 20, 2020 12:03 PM

“All of Twitter was hacked” is a bit of an exaggeration. True, the attacker could compromise any Twitter account – but they compromised only about 300.

It is known whether DMs were accessed – they were. The full user content (which includes DMs) of 8 accounts was downloaded; none of them were verified accounts, though.

Anders July 20, 2020 12:24 PM

I’d like to point out one problem that infosec field has – hiring.
Go to the Twitter webpage with Javascript turned OFF. Can you find their HR email address there? NO; even with Javascript turned ON it’s not there.

Companies hide their HR behind the Iron Curtain, all the hiring is done through third party hiring companies, where you must separately make account and you can BET that your personal data WILL LEAK from there.

So companies hide their HR contacts, effectively sending the message to the talent: “go AWAY, leave us alone, we don’t want you”. Information security experts don’t want to upload their personal data to some third-party hiring company from where personal data can easily leak – there are already numerous cases where it has happened.

With this kind of policy they get only some third grade beginners. And with this kind of policy they deserve getting hacked.

MK July 20, 2020 12:33 PM

I don’t know how many Twitter accounts were compromised. My daughter changed her password after noticing that someone had logged into her account from Kansas (halfway across the country), and she certainly isn’t an important user.

vas pup July 20, 2020 1:44 PM

@Bruce stated:

“Internet communications platforms — such as Facebook, Twitter, and YouTube — are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable.” Agree 100%.

But my nickel: do you remember the fact that Skype, before it was acquired by Microsoft, had a P2P architecture with no middle man, unlike those behemoth-type companies above, but everything was changed thereafter by Microsoft when they added a middle agent into the architecture – definitely not for the benefit of the users of the service and the protection of their data/privacy.

So, I am not sure that government oversight may require less protection not more. -:(

lurker July 20, 2020 3:51 PM

We had a similar discussion a few weeks ago about Zoom. The trouble is that all of these social media systems with centralised servers have the weakness that somebody can see what happens on those servers, and possibly meddle with it. I’m in the school that favours decentralized systems, but these have at least two problems: first, the user must install and configure their own system and understand the security implications, which is known to be “too hard” for the average user; second, if the system is decentralised Silicon Valley doesn’t get to clip the ticket, and will raise whatever it takes to get such systems taken down, either by law, or by besmirching their reputation.

I’m old enough to remember when sysadmin had no capitals, yet sat at the right hand of God. Sysadmin has since become commoditised, the sys function carried out by management committees, and admin relegated to green graduate cubicle fodder. The dollar costs of security must be amortised against quarterly results. The human cost of account breaches doesn’t show on the books, and no time should be wasted on it.

Maybe P.T.Barnum was the original Silicon Valley magnate. If the Bearded Lady now lives at 1600 Pennsylvania Ave, it doesn’t seem to deter Gates et al. from coming to bask in the publicity. I watched Twitter at its birth, and thought it might have useful application in my field. But the light went out when people started posting photos of their lunch…

Freezing_in_Brazil July 20, 2020 4:10 PM

“Internet communications platforms — such as Facebook, Twitter, and YouTube — are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. “

As I understand that this is the ‘de facto’ situation, I can’t help but feel a great displeasure about it all. It is a sad state of affairs. These platforms are not serious enough, circumspect enough, independent enough to be the channel of communication with elected officials. In a perfect world even common people would be better off with more personal platforms – which still abound. Elected officials still have official sites, and these must be the primary communication tools. If they are not, just try harder and make them so!

Government officers should have no business with these frivolous environments, more suited to hormone-addled teenagers and vain celebrities. It worries me that people like our most excellent host Bruce Schneier speak of them as even remotely important – or worthy.

*You see, I’ve never visited Bruce’s Twitter account in order to be in touch with him and his affairs. I just think Twitter is below him. I’m more than happy to be in his blog.

lurker July 20, 2020 4:25 PM

@Anders: Recall “Project Chess”.

and recall the improper linking of GPL code to Skype’s secret stuff; and the worldwide outages – another problem with centralized systems.

@Freezing_in_Brazil
+1

I had trouble in my last regular day job when I couldn’t convince people that Skype, Twitter, FB, et al should be beneath their dignity.

SpaceLifeForm July 20, 2020 4:44 PM

Allegedly, “Kirk” hacked into Slack and found that people working for Twitter had posted creds. Those creds were then allegedly used to access the admin panels.

“Kirk” has disappeared. I think this is a cover story.

bcs July 20, 2020 5:22 PM

The problem with breaking up something like Twitter is that it’s virtually inevitable that, regardless of how you break it up, in short order (months) all but one of the pieces that provide any given functionality will die as their users switch to whichever piece has the largest audience, best features, best security, or whatever else turns out to be the dominant market factor.

You could break it up by functionality, but those functionalities would still be monopolies, which wouldn’t accomplish anything.

Maybe that can be taken advantage of: regulate that “security metrics” (and good luck defining those without them becoming a meaningless political football) must be easily visible. With a little luck, a small security/trust advantage will balance a large advantage of scale. An upstart competitor with better security then becomes an existential threat to the established provider and forces them to follow suit or, better yet, lead.

Anders July 20, 2020 5:45 PM

Seems like nowadays everything has its own wiki page…

en.wikipedia.org/wiki/2020_Twitter_bitcoin_scam

TimP July 20, 2020 6:07 PM

Tax tech companies in proportion to their market share. This would act as a brake on the tendency towards monopoly.

echo July 20, 2020 7:57 PM

Oh yes, the days of not having IT directors on company boards, prima donnas, and hiding the manuals in the back office. I remember those. But no, I can’t understand people’s obsession with Silicon Valley. I also can’t understand why chickenshit management are so quick to sell companies off. As for current woes, in my opinion all the pluses and minuses are known knowns. There really are little to no surprises to be found in organisation culture, management being out of touch, linear-minded rote-learned two-faced ass-kissing jobsworths, work-to-the-box-tick mentalities, appalling human resources, wilful blindness, negligence, and so on.

It’s never one single thing. I think it’s been an evolution. A gradual replacement of the precedence of law with unwritten “rules”. A willingness to lie, and greed. An environment of this can fuel a cycle of cynicism and despair and sap energy. Then “they” blame you for it.

There’s nothing new in this article (and in my opinion CBT or at least the out of date form of CBT which is peddled by the NHS at any rate is a makework con) but it does highlight the issue of perspective.

Your ‘Doomscrolling’ Breeds Anxiety. Here’s How To Stop The Cycle
https://www.npr.org/2020/07/19/892728595/your-doomscrolling-breeds-anxiety-here-s-how-to-stop-the-cycle

Big July 20, 2020 7:59 PM

Back in 2018, Twitter said it was exploring encrypting those messages, but it hasn’t yet.

And now in the “enlightened times” of 2020, they are looking like not being legally allowed to E2E encrypt private messages…

:sigh:

Marc July 20, 2020 11:26 PM

Bruce Schneier, your posts are educational and masterfully written, connecting all of the variables to deliver an informed, clear, and succinct take on every little matter without missing the grander scheme of things. Please continue writing these.

Were there 100 different Twitter-like companies, and enough compatibility so that all their feeds could merge into one interface, this attack wouldn’t have been such a big deal.

Was that your pitch for SOLID :)?

JPA July 20, 2020 11:59 PM

I think the fundamental “class break” is the pay-per-click system. If there were to be regulation I would like to see that outlawed.

Casper the Ghost July 21, 2020 12:01 AM

Yes, better regulation and oversight of social media is needed. However, security and integrity of personal data are not the only relevant aspect, perhaps not even the most important one.

At present, due to worldwide U.S. dominance of social media, all the world (except China, where it’s even worse) has to knuckle under to an unholy alliance of government, mainstream media, “higher” education, social media, authoritarian ideologies, and far-left activists. Twitter and Facebook are exempted by law from liability for what users post on their platforms, but users have no recourse against being censored or banned by these companies.

These bannings and beatdowns fall very unequally on one side of the political and cultural divide. At first, it was actual neo-Nazis getting kicked, and nobody cared. One by one, more and more dominoes fell over. Speak up about the dangers of militant Islam and you are labeled “racist” -> deplatformed. Say that Men Are Not Women and the mentally ill (gender dysphoria) transsexuals come after you with a vengeance. Question the choices made in response to Coronavirus, and your videos are deleted even if you are a credentialed medical scientist. On and on it goes. For centrists, moderates, conservatives it is awkward and risky to speak our minds on Twitter and F-book. And now, even traditional left-liberals are beginning to feel the heat.

This needs to change. Social media companies that disclaim responsibility for content (like a phone company) must be forced to become strictly neutral, hands-off in regards to what their users post. Illegal content such as incitement to violence is covered by criminal law and a matter for law enforcement.

We have a chance if President Trump wins re-election. Zero chances if a Democrat wins.

Mr. H July 21, 2020 2:01 AM

@Freezing_in_Brazil, @all
“It worries me that people like our most excellent host Bruce Schneier speaks of them as even remotely important – or worthy.
*You see, I’ve never visited Bruce’s Twitter account in order to be in touch with him and his affairs. I just think Twitter is below him. I’m more than happy to be in his blog.”

Amen brother!
My take on twitter:
You don’t know Jack, but Jack knows you. Jack does not know me – I don’t have a twitter or a facebook account. Thank God I’m not that desperate (yet).

Ismar July 21, 2020 2:52 AM

As Bruce mentioned, the best way to make this type of exploit less probable in future is to have enforceable laws which would put pressure on the service providers (in this case Twitter) to focus more on their security infrastructure. Until then, nothing substantial will change.
It will, therefore, be interesting to see if any of the ‘powerful’ Twitter account holders affected by this compromise are going to use their leverage to bring these laws forth.
My guess, unfortunately, is that they will not, and it probably has something to do with the human physiology not catching up with the rapid technological advancements of the last 20 years.
Our evolution is still trying to catch up and Silicon Valley is laughing all the way to the bank until the chickens come home to roost, which will happen much sooner than they expect.

echo July 21, 2020 5:41 AM

@La Abeja

No. I said “Oh yes the days of not having IT directors on company boards, prima donnas, and hiding the manuals in the back office.”

Back in the day in most companies IT was typically under the control of a non-IT director. Not always, but typically finance. The odd few did represent IT in board meetings but had no seat on the board. (This is in addition to raging egos and concealing sources from users so they appeared more godlike.) I’m also not your muse, nor am I interested in nonsensical politics or whatever you got thrown off Twitter for. I simply do… not… care.

bcs July 21, 2020 9:55 AM

The primary “advantage” of there being 100 Twitter-like companies is that there is no way they will all have good security, no way that they will all verify anyone’s identity (other than POTUS and a very few others), and no way at all that the end user will be able to keep track of any of that. As such, hopefully nobody would trust anything they heard from anyone.

While it would avoid the “occasionally, everything get broke at once” issues, it would trade it for the “all the time, some of it is broken” issues. (Which might actually be a worthwhile trade.)

But even then, a class break is still there: inject a new maliciously controlled service into whichever index people use to find the mini-twitters. Depending on what you want to do, it may be a bit of a longer con, but the increase in attack surface makes it easier to hide your activity.

Curious July 21, 2020 10:01 AM

I think third-party involvement seems like an obvious no-no, especially for people in government or anybody else that wants to rely on having secrecy. That is not to say people shouldn’t get to have privacy, but it would be an entirely different kind of problem. I mean, if something terrible happens because of espionage or whatever that relies on compromised information as such, I think the bigger “problem” would be people relying on third-party applications. I think this is so very obvious. I like to think this kind of basic recklessness is sort of like having sent stuff in the mail, which you trust to be safe, and then, even if the package is tracked, the package is either seriously damaged (this happened to me), or a tracked package went entirely missing forever at its final destination (also happened to me), and so, if something is really important it is obvious to me that I simply can’t rely on my postal service, so if an irreplaceable thing sent as a package is damaged or lost, then any refund, if any, probably isn’t worth it.

I think the idea of third party services being “crucial” is a mistake if such solutions aren’t the best in the first place.

CuriousCat July 21, 2020 10:06 AM

After reading about the hacked users, one really stuck out to me: Mr. Beast. If you aren’t big on the whole YouTube-famous thing, Mr. Beast is known for things such as ordering a pizza for delivery and tipping the delivery man the house. A strange Bitcoin promotion wouldn’t be all that strange from his official Twitter.

Curious July 21, 2020 10:12 AM

To add to what I wrote:

So there would imo be this ethical dimension to things, and so being just pragmatic, or whatever goes for being reactionary (for wanting to fix things or whatever), would imo not be enough if it ends up overlooking the ethical dimension to things.

Clive Robinson July 21, 2020 11:55 AM

@ Bruce, All,

Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security.

Not quite true.

Long before we had the Internet and other Computer networks, in fact before we even had computers, people were communicating securely but openly.

One of the reasons we really do not have security in this day and age is we do not have anything even remotely resembling “end point security”. It matters not if it’s the client or server; they are all designed in a really bad way. Hence easy vulnerabilities and loss of any kind of information security.

We should really stop making excuses; it’s just not good enough and we know how to do better, a lot better. The fact we have not is a sad indictment against the technology industry. Worse, it gives an easy or almost free ride to all sorts of criminals, including those in national and corporate governance and their agents. Thus we lose not just privacy but all that rests upon it in the foundations of society.

We need better, and a lot lot faster than we do the regulation or break-up of the large Silicon Valley corporates and their ilk (though doing so will marginally help). Because the “army of one” principle applies: any individual with the right knowledge can wreak havoc not just on privacy but on the technology we use.

But let’s not forget the flip side of the near-useless security of technology is we the users. As long as we give priority to low-cost convenience and baubles we will not get the technology we and society desperately need.

For those that need security above what current insecure technology can give, then you have to mitigate the various technologies’ failings. To do that means you have to take a firm grip on the security of your end point and those of the people with whom you wish to communicate in private. Then treat everything in between as a hopelessly insecure mess beyond redemption, in effect as though you are “broadcasting to the world”, which in many ways you are. All of which means end-to-end encryption carried out not on the devices that are connected to that hopelessly insecure network but run independently and as separate cipher units, with as much segregation as possible, be it electrical, audio, mechanical and to a degree physical.

FromTheUSA July 21, 2020 3:30 PM

“They [Facebook, Twitter, YouTube] are essential infrastructure.”

Bullshit.

Anders July 21, 2020 4:30 PM

“Internet communications platforms — such as Facebook, Twitter, and YouTube — are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure.”

I’m not sure if I can agree on this. I think people imagine that those channels are so important because they are so used to them and can’t live without them any more.

I have seen and remember times when even cell phones didn’t exist. Our society didn’t collapse back then because of a lack of those then-unimaginable communication devices or platforms we only saw in sci-fi movies. No, on the contrary – people agreed to meet at a certain time at a certain place and they KEPT THEIR promises; they were on time. Now people call 5 minutes before – sorry, I will be late…

Nothing bad will happen if Twitter, FB, Instagram and all the other “critical infrastructure” sites cease to exist tomorrow. Our leaders will continue to communicate with us exactly as before – via lying – because those platforms don’t make them better people. Moreover, those platforms allow them to delete their previous statements, change them, alter them when they want to. Perfect platform for lying politicians.

We are so blind. We depend on those platforms. We are junkies. Covid isn’t an excuse. When did you last really meet your friend? Or call instead of texting? Yes, this is a wake-up call, but a wake-up call in the sense of what’s really important. All those “critical infrastructure” sites in reality depend on us; their business strategy is built on constantly sweeping through our DATA. They make billions by selling our personal data.

SpaceLifeForm July 21, 2020 5:35 PM

@ Clive

You get it. I get it.

But, I keep hearing this whooshing noise.

We must bootstrap.

SpaceLifeForm July 21, 2020 6:01 PM

@ Clive

Let’s pick this apart, shall we?

I’ll split the pieces.

I have not read it all yet, but, the article deals with pertinent issues.

That said, I will bet you that it misses the main problem, separation of comms and crypt.

Bet you.

Don’t have time atm to go through it.

hXXps://blackhole.dev/keybase-id/

echo July 21, 2020 6:45 PM

@Anders

This is a fair point. I have found when I used it briefly twitter can be useful but it’s really dependent on existing power structures and the calibre of people and the quality of information being fed in. All too often it is a place for highfollower count blowhards with a job title to vent their office politics or therapy issues or push indirect self-promoting marketing. This or wingnuts and trolls killing time although thankfully mostly auto-filtered out but they are there. Personally I found I got very little done via twitter.

I did get Boots to stop their staff pushing store card application forms on me every time I visited the makeup counter so that’s something.

SpaceLifeForm July 22, 2020 12:26 AM

hXXps://twitter.com/TwitterSafety

We will permanently suspend accounts Tweeting about these topics that we know are engaged in violations of our multi-account policy, coordinating abuse around individual victims, or are attempting to evade a previous suspension — something we’ve seen more of in recent weeks.
7:00 PM · Jul 21, 2020

Clive Robinson July 22, 2020 2:32 AM

@ SpaceLifeForm,

We must bootstrap.

That’s probably the worst thing we can do when it comes to identity. It’s an unjustifiable perversion thought up by idiots in authority as a way to solve a problem they realy do not understand.

Traditionaly the identity “root of trust” is a “birth certificate” that is issued to your parents upon request in person at a government office.

Do you see any problems in this scenario?

Well as the head of MI5 Stella Rimington[1] pointed out a number of years ago, a piece of paper is not a person. Yes you can put all kinds of administrative procedures and tricks around the process but at the end of the day that certificate is just a serial number into a register or database….

That is, your birth certificate is not you, it’s a portable record from a database from before the times of reliable postal services, telegraphs, telephones and electronics of any kind.

In fact when you look a little deeper you find that as with my birth certificate, it’s actually a “tearout” from a book. That is the serial number has little relationship to the date you were born. In a major town or city they would have gone through those register books quite quickly, however in some sleepy little town miles from anywhere it might take a year or so just to go through one register book.

Thus your birth certificate even though printed on fancy paper these days is just a number printed on a forgeable piece of paper. If there is a corresponding entry in the “register” few people have ever checked if the details in it match those on the certificate. And let’s be honest who looks like their baby and proud mum photo a couple of years later? OK the mum might 😉

The fact is nobody asked me for any proof of ID along the way to my name being registered as the “father”; likewise the “mother” was kind of taken from hospital records that were taken from GP (community doctor) records that again nobody ever asked for proof of ID on. And even if they had what would they have taken as my proof of ID?

The whole hierarchical system is based on very very simple trust that people do their jobs without errors and falsifications. Not that the actual system ever really picks them up[2]… Thus the entire system is riddled with more holes than a very large Swiss cheese.

If you read the article you linked to at blackhole.dev, the version I got from a cache copy has a serious flaw in it which is your basic “chicken and egg” problem…

The author says you register and as you do online activities you build a presence or if you like reputation for which you get a score. But a service can check if you meet their reputational score in a saltpack. The problem is that if you have no reputational score to start with and people won’t accept you without one how do you get one?

It’s the same issue as with credit scores, if you behave as a trustworthy individual living within your means you don’t get a credit score…

The people that run these sorts of schemes have not set them up for security but to invade your privacy as much as possible for their benefit not for yours.

However the author does get one brownie point for recognizing that people have “roles in life” and that being Jo Green manager at an engineering firm and Jo Green club secretary for a sailing club are separate roles, as well as Jo Green member of the PTA at Withering Hights High and also parent/guardian of one or more disgruntled teenagers are actually separate roles. But perhaps more importantly are the separate roles of Jo Green account holder at ABC Bank and Jo Green card holder at BCD Bank and Jo Green pension fund holder at SGR Finance.

I got my first property to live in when I was technically not an adult by the standards of the mortgage industry. This only happened because I had a 2/3rds deposit and the head of the company I worked for stood as guarantor on an initial loan. That loan and the later mortgage are now distant history and I do not get into debt in any way nor use cards etc. Thus I really do not have a credit rating simply because I follow the old advice from Polonius in Shakespeare’s Hamlet of “Neither a borrower nor a lender be”, and I get penalized…

So reputational systems do fail and fail badly; the fact I have no wish to participate in “social media” would count against me in that developer’s idea of an identity and authentication system (which is actually neither).

Experience tells me that all such systems are at best a thinly disguised attempt at the end of the day to push you into somebody else’s “pigeon hole” so they not you can gain status and power all at your expense as they milk you in every which way they can…

[1] And now successful author.

[2] There is a wry smile lifting example from the US. During WWII when America and Russia were allies, some Russian officers were transferred over into the US Army and issued US Army paperwork. Well it turns out that one who did not go home worked his way up in the ranks and became a quite senior officer and had held quite a few sensitive posts. It was only when he retired that when sorting out his pension it was noticed there was a date discrepancy; on checking back it was found that he was still Russian and still technically entitled to a few rubles of Russian Army pension. Oh and one heck of a security scare… (there is no indication he ever betrayed the US to the CCCP nor has anyone suggested it).

K July 22, 2020 4:13 AM

@Clive Robinson wrote, “The author says you register and as you do online activities you build a presence or if you like reputation for which you get a score.”

I believe this isn’t a modern undertaking as it’s been long done in the past; studies have been set forth to “quantify” natural occurrences, which includes human relationships, into mathematical formulae. A couple decades ago there were studies such as control systems and in a more civic manner a study of cybernetics. Some of those have been long erased from the memoires of our past while few traces remain. The systems methodology is applicable to a broad range of applications.

myliit July 22, 2020 5:23 AM

@Clive Robinson, popcorn eaters, or skeptical children

“… The fact is nobody asked me for any proof of ID along the way to my name being registered as the “father”; likewise the “mother” was kind of taken from hospital records that were taken from GP (community doctor) records that again nobody ever asked for proof of ID on. And even if they had what would they have taken as my proof of ID? …”

OT, but at least up until recently, of course, “you have only your mother’s word that you are your father’s son.” [1]

[1] iirc, I learned that from a literature teacher while reading the Iliad.

Ergo Sum July 22, 2020 6:07 AM

@SpaceLifeForm

Imagine if you’d found out today that FBI, CIA, NSA & every state AG had received intelligence about possible Russia interference. And had done nothing. And 4 years later, they’d still done nothing. And plan now is: to do nothing

Securing the election system would prevent local/national election officials interfering with the elections as well. Both, the DNC and RNC, are guilty of election interference and it is clearly visible in the primary elections. Just look at the 2016 DNC primary. Do you really believe that they would stop, when it comes to national elections?

Blaming foreign entities for election interference is just a cover for election officials, DNC, RNC, etc. In reality, there’s no Russian, Chinese, Mongolian, etc., election interference.

myliit July 22, 2020 12:16 PM

@Clive Robinson

re: YouTube and LANCE PERCIVAL – ‘Shame And Scandal In The Family’ – 1965 45rpm

That was fun. OT, with covid-19 some youngsters may be deprived of the joys of summer camp. For example,

https://www.last.fm/music/Allan+Sherman/_/Hello+Muddah,+Hello+Faddah 1963

Hello Muddah, Hello Faddah [1]

[1] https://en.wikipedia.org/wiki/Hello_Muddah%2C_Hello_Fadduh_(A_Letter_from_Camp)

“… Allan based the lyrics on letters of complaint which he received from his son Robert who was attending Camp Champlain, a summer camp in Westport, New York.[1]

In 2020, the song was selected by the Library of Congress for preservation in the National Recording Registry for being “culturally, historically, or aesthetically significant”.[2] …”

echo July 22, 2020 8:21 PM

Not a surprise really. I dare say the Alt-Right libertarian free speech nutters will throw a hissy fit but they were dealt with a few weeks back in the Guardian who called out their nonsense for what it was. The noose is tightening around the criminals in Downing Street.

Twitter takes down 7,000 accounts linked to QAnon
https://edition.cnn.com/2020/07/21/tech/twitter-qanon-crackdown/index.html

Also:

https://www.theguardian.com/uk-news/2020/jul/22/julian-lewis-warns-dominic-cummings-not-to-politicise-isc-inquiries

Julian Lewis, the new chair of parliament’s intelligence and security committee (ISC), has demanded that ministers prevent Dominic Cummings and other special advisers from politicising its future inquiries.

I doubt the biggest threat to democracy and the rule of law is Russia.

“We categorically reject any suggestion that the UK actively avoided investigating Russia,” Brokenshire said. “We are unafraid to act wherever necessary to protect the UK and our allies from any state threat.”

Libertarian free speech nutter July 22, 2020 11:25 PM

The future? It’s already here. It’s echo’s boot on your face … forever.

echo July 23, 2020 1:06 AM

@Weather

No I’m not blind to the extremes whichever flag or flag of convenience they fly under. Why pick up on me taking a swipe at the Alt-Right and their fellow travellers while missing my taking a jab at “Comrade Corbyn”? Anyway. None of this matters. There’s loads of academic papers on this stuff if anyone bothered to read them. I’ve collected some discussion links which would probably be better off in the next squid topic.

Clive Robinson July 23, 2020 3:53 AM

@ Weather,

Are you blind to far left extreme people?

No she is not.

The point you and many others miss is that theory and practice only agree on paper.

In warfare you have two choices, fight everybody and lose to all of them, or attack those who are currently doing the most harm. Then you stand a chance of living to fight the next attacker whoever they might be.

The neo-liberal alt-right mantra is actively killing people right now in a quite serious way.

Whilst the idiots in their ranks shout out about “personal rights” over “societal responsibilities”, those that are driving them see the profit in hundreds of thousands if not millions of untimely deaths in society by which they will personally profit. They will also by way of faux “stimulus” borrow trillions from the future with no intention of repaying it; that will be the responsibility of the next three to ten generations of your children and their children and so on.

Oh that faux stimulus money they are stealing from the future, they are going to use to buy up the assets of those with untimely deaths probably at bargain basement prices or less. They will then “rent them out” to earn even more personal wealth. That is the neo-liberal mantra, the few will hold the assets whilst the rest hand over the benefits of their labour as rent or other tithing and taxation. In short you become a mere vassal or serf, which is actually worse than being a slave when you analyse it.

That’s the plan of the few, but they care not if those they manipulate to get it are politically left, right or center. They care only who currently has their hands on the wheel thus can be told which way to steer the ship of state… Remember the helmsman might look in charge, but it’s the navigator that gives him his directions, whilst the captain decides the destination and overall course.

In modern day parlance the President is not the all powerful he’s made out to be, he’s just the helmsman; the navigators are the lawyers and lobbyists, and the Captains, they are what some call the 1% of the 1%. In reality they are less than 0.01% of the population; if you want to know who they are some call them the “Davos Set” from their annual gathering, however these are just the more visible of them.

If you do not understand this, then your personal future looks very bleak as does that of your descendants.

SpaceLifeForm July 23, 2020 4:33 PM

The nature of the hack is not what you are hearing or reading.

Do the math. For small values of 42.

hxxps://mobile.twitter.com/TwitterSupport/status/1286123465276178433

130 total accounts targeted by attackers
45 accounts had Tweets sent by attackers
36 accounts had the DM inbox accessed
8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified

just-another-nerd July 24, 2020 8:37 PM

In case it hasn’t been mentioned:

  • admin panel allows changing of email without notifying actual account owner. This could mean they can hijack that account via email confirmation of password change.

  • over 1000 people have access to this admin panel. This includes contractors.

SpaceLifeForm July 25, 2020 12:02 AM

@ Clive

“That’s probably the worst thing we can do when it comes to identity.”

True. The keybase article I found useful to address some things.
And I was correct that separation of comms and crypt was not addressed.

Furthermore, I missed on first perusal that they were bought by Zoom.

That said, when I talk about bootstrap, and I am looking at no identity required. I am thinking about a way for secure comms, logically, point-to-point only.

But physically distributed comms. No hierarchy.

Using a federated cloud (think Usenet and peering).

The user will generate a key-pair, and the public key becomes that users identity.

They can never lose their private key. There is no recovery process.
If they do lose their private key, the public key effectively becomes a zombie identity, that can never be reused. There is no reaper.

If someone loses their private key, they will have to start over.

It will be too hard for most people to use.


lurker July 25, 2020 8:26 PM

@SpaceLifeForm

It will be too hard for most people to use.

You could do it, I could do it, that is, generate our own key-pairs and look after the private part, but I know too many who could lose their private key; and too many who just couldn’t handle somebody’s public key changing…
So is the tech too hard, or are people too dumb?

SpaceLifeForm July 25, 2020 10:30 PM

@ lurker

At minimum, it would be at least as difficult as PGP/GPG.

So, yeah, it is not trivial.

And to separate the comms from the crypto, it is more work.

It’s not really all about dumbness. It is that too many want good, fast, cheap.

They are willing to believe in magic pixie dust security.

Hell, even Senator Ron Wyden, whom I respect immensely, still does not understand the difficulties. He wants Twitter to support end-to-end encryption for DMs. Where are the keys to be stored?

Clive Robinson July 26, 2020 4:35 AM

@ SpaceLifeForm,

Further on “bootstrapping” in the more traditional way.

The idea goes back a number of years to the owner of the “Financial Cryptography” web site IanG[1].

He did not like the idea of the delay between people posting comments and him moderating them before they appeared to users.

His idea was that each user would have a PubKey as their ID and the screen name was irrelevant. Attached to that PubKey would be a reputation score for the FC site; as they posted comments he would increase or decrease the reputation score linked to it, and at some point their score would be sufficient for their posts to go through unmoderated as they had built up a level of trust. If I remember correctly from our chats one concern he did have was the same as mine, that the reputation system would get usurped by others. That is he did not want a “credit score” system where it was one score per person. That is he understood the notion of individuals having multiple roles in life that were effectively unrelated. We also both understood the “Tyrant problem” that arises from such systems which is essentially the same thing as pops up in Spy Thrillers with the idea of a “Burn Notice” where you can be rendered “untrustworthy to all”, thrown out of your home etc etc for no real reason[2].

[1] IanG still writes on the site and has done for a decade or two. In fact one from nearly sixteen years ago kind of answers the question you and @lurker are debating,

http://financialcryptography.com/mt/archives/000279.html

Oh and on that subject “Johnny Still Can’t Encrypt” with PGP (original): I’ve actually got the 1995 O’Reilly Yellow “Hasp-lock” book by Simson Garfinkel by my chair in the dead tree cave at the moment (for entirely unrelated reasons). It’s the one that says at the very top of the cover,

    Encryption for Everyone

And the little joke on the back cover where the “Pretty” in “A Pretty Good Book” has been crossed out and “Really” written above it.

I guess 95 was PGP’s high point; most techno-geeks were using it and we even had local “key signing parties”… Does anyone else remember going to one of those?

As for the rest of the populace most were still struggling with Windows 3 and MS-DOS 5 on 486’s with four megs (yeh megabytes not gigabytes) of RAM[3] or if lucky MS-DOS 6 with the hotly disputed memory compression driver that caused Microsoft serious legal pain.

[2] Just one more reason why I think the majority of people who do not use “cash” but go for credit cards etc are shall we say “not playing with a full deck”. Look at it this way, when you put your ability to survive fully into the hands of other people you have no control over, just for the sake of a little bit of convenience, well…

[3] No I personally avoided that pain early on even though Microsoft had given me pain with Xenix a few years before. I was going down the “Unix Path” and had had SCO but had switched to Consensys. And yes I was considered a “supremo-nerd” not just because I could use PGP, but because at work I had my own personally owned “server” I was using as a development computer. It was a Dual Pentium motherboard, 128 megs of RAM and 3 SCSI hard drives, and two optical drives, and was running AT&T Unix Sys V 4 with multiple instances of DOS_Merge so I could run five In Circuit Emulator (ICE) systems across serial ports to do hardware / software development for 8bit processors for multi handset cordless phones. It also had a couple of network cards in it and I had it “Multi-boot” so I also had Novell Netware and MS NT on it as well as DOS, when I needed them. And yes it did play games rather well which some of my work colleagues were envious about, not that I was the one who took much interest in playing them. Oh and it did run CAD quite well as well with a couple of 20″ monitors. I still have it as well as a MicroVax that I was using for non-work related video crypto development and a couple of Wyse Terminals… They were fun days, but I guess I really do need to clear out the old junk at some point.

JonKnowsNothing July 26, 2020 10:06 AM

@lurker
re:

So is the tech too hard, or are people too dumb?

You are missing the point.

A great deal of the world does not read or write. They cannot count to very many digits. They may not be able to multiply and divide. They have little to eat and what work they get pays them near nothing.

They provide your clothes, your shoes, most of the food on the planet and build your techy-glitz-gear.

They are not dumb or stupid.

Your solution is imperfect and limited. That’s your basic misunderstanding.

You are solving a problem that affects the 3%.

They are not dumb or stupid either.

Clive Robinson July 26, 2020 3:16 PM

@ Anders, SpaceLifeForm, All,

Sadly no info on the politicians name.

Oh and the sting in the tail of a tax dodge failing because they did not make enough money did make me smile…

SpaceLifeForm July 26, 2020 7:29 PM

@ Anders, Clive

Apparently, the Dutch politician is Geert Wilders.
In the second link, he apparently says his DMs were modified. Not just read.

hxxps://www.theverge.com/2020/7/22/21335039/twitter-dm-inbox-elected-official-netherlands-bitcoin-scam-attack

hxxps://www.reviewgeek.com/48460/twitter-says-a-dutch-politicians-direct-messages-were-compromised-in-hack/

Clive Robinson July 27, 2020 3:54 AM

@ SpaceLifeForm,

Apparently, the Dutch politician is Geert Wilders.

Whilst he does tend to make a target of himself with his opinions, in the larger scheme of things he’s effectively a non entity.

Though having his visual identifier changed would have no doubt amused a certain mentality.

The problem is that sort of mentality does not much fit in with the other accounts accessed.

I suspect that there was an underlying reason why this attack was carried out, but the picture being painted is one of adolescents seeking Ego-food, which does not sit well, thus looks like it’s a distraction / smoke screen. Likewise the bitcoin: I’m aware of the sums quoted but if you had been asked prior to the attack what sort of money would be raised, the chances are most people would have said something covered by zero to peanuts.

Even so the money raised is only a small worth in comparison to being able to read anyone’s private messaging and knowing how to exploit it.

The whole thing is bizarre, and smells almost of “disgruntled ex employee” or “competitor business attack” to devalue the organisation or potentially even someone trading futures etc on devalued share value.

It will be interesting to see what drops out of the bottom.

Oh I would not be surprised to find out that it’s a political attack by someone associated with right wing views. I’m guessing that the Dutchman concerned will be used as a “flag” in some way.

Oh and don’t be surprised if Iran or one of the other three somehow get blamed by US politicos; it’s just the sort of opportunity some idiot would jump on.

SpaceLifeForm July 27, 2020 4:19 PM

@ Clive, Anders

What I failed to mention is that Geert Wilders saying his DMs were modified, is, well, cheap smoke.

If, in actuality, the DMs were incriminating, or, at minimum, embarrassing, that is what someone would say to proclaim innocence in the case where the actual original DMs were leaked.

Here is the delimma Geert Wilders has.

There is no reason to believe that any DM can actually be modified. The recipient has a copy of the original. Twitter has a copy of the original.

There is no digital Signature on the DM that he can use to prove his argument.

Me thinks he doth protest too much.
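Three threads above fit in one small model: SpaceLifeForm’s “the public key becomes that user’s identity, no recovery”, Clive’s account of IanG’s per-site reputation score attached to a PubKey that lets posts through unmoderated past a threshold, and the point just made that an unsigned DM gives Wilders nothing to prove modification with. This is an added Go example of my own, not code from anyone in this thread nor from Twitter, Keybase or the FC site; Ed25519, the threshold of 3 and the sample messages are my choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is nothing more than an Ed25519 key pair; the public key is the only
// name the system knows. Lose the private key and nothing can ever sign as it again.
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair; this is the whole "registration".
func NewIdentity() (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	return Identity{Pub: pub, priv: priv}, nil
}

// Name is the identity as others see it: the public key, hex-encoded.
func (id Identity) Name() string { return hex.EncodeToString(id.Pub) }

// SignedMessage carries a DM or post plus the sender's signature over the body,
// so any later modification is detectable by anyone holding the sender's key.
type SignedMessage struct {
	Sender ed25519.PublicKey
	Body   []byte
	Sig    []byte
}

// Send signs body with the sender's private key.
func (id Identity) Send(body string) SignedMessage {
	b := []byte(body)
	return SignedMessage{Sender: id.Pub, Body: b, Sig: ed25519.Sign(id.priv, b)}
}

// Verify reports whether Body is exactly what the holder of Sender signed.
func Verify(m SignedMessage) bool {
	return ed25519.Verify(m.Sender, m.Body, m.Sig)
}

// Moderator keeps a reputation score per public key for one site only; the same
// key holds unrelated scores elsewhere (one role, one score, no global credit rating).
type Moderator struct {
	Threshold int
	scores    map[string]int
}

func NewModerator(threshold int) *Moderator {
	return &Moderator{Threshold: threshold, scores: map[string]int{}}
}

// Adjust raises or lowers a key's score on this site.
func (mod *Moderator) Adjust(name string, delta int) { mod.scores[name] += delta }

// Submit rejects anything not validly signed by the claimed sender; otherwise it
// reports whether the post appears unmoderated (score >= Threshold) or waits in the queue.
func (mod *Moderator) Submit(m SignedMessage) (published bool, err error) {
	if len(m.Sender) != ed25519.PublicKeySize || !Verify(m) {
		return false, errors.New("signature does not verify against sender key")
	}
	return mod.scores[hex.EncodeToString(m.Sender)] >= mod.Threshold, nil
}

func main() {
	alice, _ := NewIdentity()
	dm := alice.Send("meet at 10") // constructed sample DM
	altered := dm
	altered.Body = []byte("meet at 11") // what a tampered copy looks like
	fmt.Println("original:", Verify(dm), "altered:", Verify(altered))
	mod := NewModerator(3)
	first, _ := mod.Submit(dm)
	mod.Adjust(alice.Name(), 3) // earned after a few good posts
	later, _ := mod.Submit(dm)
	fmt.Println("unmoderated before/after reputation:", first, later)
}
```

Verification only tells the recipient the body matches what the key signed; it says nothing about who holds the key, which is exactly the bootstrap problem being argued over.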

SpaceLifeForm July 27, 2020 5:01 PM

Ah, typoing dilemma properly with a bloody worthless speelcheeker is always a clanger.

Clive Robinson July 27, 2020 6:33 PM

@ SpaceLifeForm,

Me thinks he doth protest too much.

Yes I was tactfully trying to say the same thing with,

    Whilst he does tend to make a target of himself with his opinions, in the larger scheme of things he’s effectively a non entity.

Let’s just say that he and the current vice president are very very similar in oh so many ways.

Which reminds me, there is a joke about certain politicians,

    The only time the truth passes his lips, is at the dinner table, when some one leans forward and asks a person on the other side of him to pass the salt…

SpaceLifeForm July 31, 2020 4:22 PM

@ Anders, Clive

They say they caught the mastermind.

I have doubts.

It is interesting what “Rolex” was not charged with.

hXXps://www.justice.gov/usao-ndca/pr/three-individuals-charged-alleged-roles-twitter-hack

Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers.

hXXps://www.forbes.com/sites/jasonbrett/2020/07/10/us-secret-service-shares-how-crypto-is-viewed-from-a-law-enforcement-perspective/#2d317e9628c7

Jurgen August 10, 2020 4:47 AM

It seems it was a problem with the integration between outlook and MS Teams. Hackers could have access to the details of the meetings and used that information.
