Why Twitter Can't Even Protect Tech CEOs From Getting Hacked (buzzfeed.com)
Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked? BuzzFeed dives deep into the problem, and says it's how Twitter interacts with third-party apps that's at fault. From the article: Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is. [...] The public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security -- like an extra login -- to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.
Re: (Score:2)
Apparently neither can those who claim they can do.
Which leads to the question, is it better to overpay someone who can't do but at least they're out of the way and not screwing up things, or to overpay someone who claims to be a doer yet continually screws up?
From the near daily reports of developers who leave these gaping holes in software, then try to blame someone else for the problem, it seems the answer is clear.
Re: (Score:2)
Why not create an invisible VIP-account class (Score:5, Interesting)
While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.
There is a verified account badge (Score:3)
Twitter already has a VIP badge [twitter.com], currently displayed as a white checkmark on a blue eight-lobed shape. Occasionally the loss of this badge
What you recommend amounts to requiring all verified accounts to use 2-factor authentication. But that'll be impractical until Twitter starts allowing second factors other than SMS, such as TOTP (e.g. Google Authenticator) or a U2F key. As of the last time I checked, a single phone line could be associated with only one account [jessysaurusrex.com]. Trying to use a single phone line as the se
Re: (Score:2)
Re: (Score:1)
Because you plebs don't deserve security. If someone hacks your account, posts as you, and tries to ruin your life... Twitter and social media companies simply do not care.
Re: (Score:3)
Once again, convenience trumps security.
There is a lot of power to convenience. It's the user experience, which is what the application is most supposed to facilitate.
An application that is totally secure and totally inconvenient is not very useful for the average person.
Re: (Score:2)
Maybe an option to turn all additional API stuff off, except for the web page? Facebook allows people to disable the third party app API platform.
Then revoke all the apps you don't use (Score:3)
Maybe an option to turn all additional API stuff off, except for the web page?
To revoke the access of a third-party application [twitter.com], open the Apps pane of your account settings.
Re: (Score:3)
While you can't fix the general weakness of the platform, there's nothing stopping Twitter from slapping on a "VIP" mark on special accounts, which will make any attempt to change passwords, etc, take extra steps and authentications.
That would have made no difference here however, since it wasn't Twitter but another application connected to Twitter that was compromised. They used the compromised application, which had been granted read/write access to their Twitter accounts by the account holders, to post tweets to their Twitter feeds.
Re: (Score:2)
Could Twitter periodically ask users to revoke write privileges of apps with read/write access that haven't used a write call in 30 days?
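The periodic downgrade proposed above, as an added example (not Twitter's code or API): each connected app's OAuth grant is modelled as a record with its scopes and the last time it actually posted, and apps whose write scope has sat unused for 30 days are dropped to read-only. The record fields and the sample grant list are constructed assumptions; an app that was authorized but never posted is measured from its authorization date, so it is not exempt.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed data model for a user's connected apps (not Twitter's real schema).
@dataclass(frozen=True)
class AppGrant:
    app: str
    scopes: frozenset
    granted_at: datetime
    last_write_at: Optional[datetime] = None  # None: never posted on the user's behalf

WRITE_SCOPE = "write"

def stale_write_grants(grants: List[AppGrant], now: datetime, max_idle_days: int = 30) -> List[str]:
    """Names of write-authorized apps that have not used a write call in max_idle_days.
    An app that never wrote is measured from the day it was authorized."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for g in grants:
        if WRITE_SCOPE not in g.scopes:
            continue  # read-only apps are not the concern here
        last_activity = g.last_write_at or g.granted_at
        if last_activity < cutoff:
            stale.append(g.app)
    return stale

def downgrade_to_read(grants: List[AppGrant], now: datetime, max_idle_days: int = 30) -> List[AppGrant]:
    """Return a new grant list with the write scope removed from stale apps;
    read access and recently active writers are left untouched."""
    stale = set(stale_write_grants(grants, now, max_idle_days))
    return [replace(g, scopes=g.scopes - {WRITE_SCOPE}) if g.app in stale else g
            for g in grants]

# Constructed sample: one active client, one long-forgotten quiz app,
# one app that was authorized but never posted, and one read-only app.
UTC = timezone.utc
SAMPLE_NOW = datetime(2016, 7, 1, tzinfo=UTC)
SAMPLE_GRANTS = [
    AppGrant("phone-client", frozenset({"read", "write"}), datetime(2015, 1, 1, tzinfo=UTC), datetime(2016, 6, 30, tzinfo=UTC)),
    AppGrant("old-quiz-app", frozenset({"read", "write"}), datetime(2014, 5, 5, tzinfo=UTC), datetime(2014, 5, 6, tzinfo=UTC)),
    AppGrant("never-posted", frozenset({"read", "write"}), datetime(2016, 1, 1, tzinfo=UTC)),
    AppGrant("analytics", frozenset({"read"}), datetime(2013, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for g in downgrade_to_read(SAMPLE_GRANTS, SAMPLE_NOW):
        print(g.app, sorted(g.scopes))
```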
Hashtags explained (Score:1)
Why did you prefix some of your words with a #?
On Twitter, a word beginning with # is a hashtag [twitter.com]. A hashtag is displayed as a link to a page of search results for other recent Tweets containing the same hashtag. Users use hashtags to group Tweets by subject.
Re: (Score:2)
IF you go far enough left and far enough right, the two circle around, meet, and become surprisingly similar.
Re: (Score:2)
> To a right winger everything bad is 'leftist'. I know multiple idiots who think
> Hitler was a leftist despite his corporation worshipping, union busting, executing,
> you know, leftists, and also of course declaring war on the Soviet Union which by the
> way was just a thuggish dictatorship but at least nominally leftist. But none of that
> matters. To them, Hitler bad and bad equals leftist no matter the actual ideology.
Hitler was the leader of the NSDAP. The full name was "Nationalsozialistisch
Re: (Score:3)
This troll was pretty weak, I doubt someone with a mod-point fell for it. Sockpuppet account.
Re: (Score:3)
Yes. Twitter is an excellent networking tool. The best way to use it is through the "search" box at the top right. Just now I typed in "Utah 3d Printer" https://twitter.com/search?q=U... [twitter.com] and found stories about a Utah surgery and find https://3dprint.com/139265/bea... [3dprint.com] a story about use of 3d printers to use CAT scans to print a copy of her kidney, revealing the hidden tumor. If I was in Utah and involved in 3d printing, I'd now have a list of users who "tweeted" the story and some of them might likely b
Re: (Score:2)
Lol. ISIS is "left wing."
Re: (Score:3)
They've been fighting all this time for universal health care, pre-K school for low income families and a clean water/air.
Re: (Score:2)
1. Marketers (including tech company execs promoting their companies)
2. Extreme leftists (including ISIS)
3. Hackers (trying to exploit the above two groups)
4. LUDDITES
Re: (Score:2)
It would be more entertaining than most of the useless banter on here...
The question is (Score:3)
Do people expect that CEOs have some magical power or distinction that make them somehow less vulnerable to hacks?
I would expect that, because of celebrity status, they would be hacked more than other people, not less.
I expect it's something like this (Score:4, Insightful)
PR Manager: CEO Bob needs a twitter account. Can you set that up for him?
PR Intern: You got it. OK, here's the account and password.
CEO Bob: Hey, I need to get the twitter account on my phone and tablet.
PR Manager: OK, we can add them.
PR Intern: We need to change the password on CEO Bob's twitter account.
PR Manager: We can't, he's in Davos/Aspen/St. Bart's and he won't know how to log back in.
Hacked CEO Bob on Twitter: I suck! My company is a fraud!
Client certs are a usability nightmare (Score:3)
Probably because the present user interface for managing client certificates stored on a machine is horrible. See BrowserAuth.net's writeup [browserauth.net] and my writeup, which suggests a couple fixes [pineight.com].
Re: (Score:3)
It wouldn't matter whether a third party had access to a password or a client cert; they'd still have access to the account. Passwords are only bad because of keyloggers and guessability. When neither of those two is involved in the hack, there's no benefit to using certs.
How to not "get hacked" on Twitter, 3 easy steps (Score:4, Insightful)
1) Think about why you post to Twitter. (Are you reaching anyone? If there actually is someone, is this the only way you can reach them? Is this an easy or convenient way to communicate? Does it help you express your ideas?)
2) Draw a total blank. Stare into space a while. Make sure. (Hmm.. nope, still nothing.)
3) Delete account.
Twitter is one of the dumbest and least-useful ideas ever. Even Facebook is a good idea, a model of interactivity and convenient expression and dialog, compared to Twitter.
Re: (Score:2, Funny)
Young adults (and kids) are using twitter a lot more than over-40s. This isn't because the older generation is falling behind on the tech curve. This is because twitter is fucking stupid, and the kids haven't figured that out yet.
Re: (Score:2)
Twitter isn't for expressing ideas, Twitter is for posting news, some of general interest, some not. Twitter's popular for that precisely because it's not possible to post long rants there, and because condensed stupidity tends to at least be quotable.
Twitter is a "sensory stream", not thought stream.
"A little more equal" (Score:4, Insightful)
There's an in-built assumption here that goes to the heart of the whole privacy debate: that people like Zuckerberg and Pichai deserve a higher standard of protection than the rest of us from having their private information accessed by people who may not have their best interests at heart.
Re: (Score:2)
That's a very interesting thought. It's one of the more interesting ways I've heard to hold people with power to account.
Including high-profile names? (Score:4, Insightful)
Over the past few weeks, we have seen a number of CEOs -- including Google's Sundar Pichai, and Facebook's Mark Zuckerberg -- become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people -- including high-profile names -- keep getting hacked?
What does a person's status have to do with his/her Twitter account getting hacked? Passwords and/or protocols are either weak or not, and don't play favorites based on a person's status.
Obvious question (Score:2)
So, does anyone keep a list of Twitter-connected apps (there is something other than logging on through the website?), and their relative security strengths?
Incentives (Score:2)
Exactly what are the incentives for some of these CEOs to prevent their accounts from being hacked? How does it look bad for the CEO of Facebook or Google if their Twitter account is hacked? They can just point out that it wasn't their company's platform being breached.