Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Twitch's Security Problems Started Long Before This Week's Hack (theverge.com) 19

A massive security breach at Twitch has exposed a wealth of information pertaining to the website's source code, unreleased projects, and even how much the top streamers make. As data analysts and journalists work to decipher what exactly is contained in the hundreds of gigabytes of information, others are still wondering how this happened. From a report: Such a breach seemed like it was increasingly likely to some. The Verge has spoken to multiple sources who claim that during their time at Twitch, the company valued speed and profit over the safety of its users and security of its data. This data breach, which Twitch blames on an error to a server configuration, is the latest in a series of security and moderation problems that have plagued the Amazon-owned streaming platform. In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch. Streamers banded together to create the #twitchdobetter hashtag and organized a walkout on September 1st to bring attention to the problem and spur Twitch to deploy safety measures to stem the hate tide. In response, Twitch acknowledged streamers' complaints, urged patience, and promised it was working on tools that would help to better protect streamers and their communities.
This discussion has been archived. No new comments can be posted.

Twitch's Security Problems Started Long Before This Week's Hack

Comments Filter:
  • by Anonymous Coward
    * ducks *
    • by DarkOx ( 621550 )

      Looks like mostly a mixture or Go, Ruby and some other HLL stuff. Which should be alright but a cursory look seems to indicate that best practices and design principles were not generally observed.

      Now is the part where Amazon and Twitch rediscover that you can't get 200 man weeks of software development by assigning 200 developers for 1 week - while the 25 or so who know anything about the original ball of mud frantically patch it and are not available to answer questions for the re-implementation.

      Will be

      • by nagora ( 177841 )

        Looks like mostly a mixture or Go, Ruby and some other HLL stuff. Which should be alright but a cursory look seems to indicate that best practices and design principles were not generally observed.

        After 40 years in industry I can tell you that best practices and design principles are not generally observed. Every codebase has plenty of "get it patched; get it out the door; get some cashflow" code in it.

        That's just reality - aim for the stars and hope you miss your foot.

        • by gweihir ( 88907 )

          Indeed. The current state of affairs is more often than not pathetic and has nothing to do with competent engineering. There is a high price to pay for that, but it comes with a delay. Twitch just found that out.

  • "the company valued speed and profit over the safety of its users and security of its data"

    Sounds like a typical security team asshole. Maybe if they did their jobs more quickly instead of complaining this wouldn't be a problem.

    Why didn't InfoSec notice the exfiltration of data? I'm sure they'll point the finger at IT.

    • by DarkOx ( 621550 )

      Yes, obviously infosec fell down in a huge way as far as data leak protection, identification, and exfil prevention go..

      It absolutely must be considered a black eye for those folks. Someone getting RCE in your app and dumping a database is one thing (especially when spotting the exfil there is hard because your a big high volume public site) but the attackers getting all the other stuff like code repo access, internal docs etc - is both horizontal and lateral movement that infosec should spotted.

      Not looking

    • by Aubz ( 7986666 )
      Now that people know that TimTheTatman earns more than Asmongold there will really be trouble,
    • by gweihir ( 88907 )

      InfoSec can only act within the boundaries set by management. What InfoSec people can do is leave if they are prevented from doing a good job. For good InfoSec people that is not a problem. The bad ones stay behind. And that explains part of the current mess.

  • This source claims raids were internally discussed as being a vector for harassment just by virtue of their name alone and that the team had to rush to secure the feature before it went live. ...

    Really? Conflation of the Twitch raid feature and the Hate raids made it into a news article? For those who weren't paying attention.. Hate raids consist of bots automatically registering numbers of accounts and spamming - They are a form of Abuse for sure, but at least up to now they don't have any special acc

  • > In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch.

    What the fuck does that have to do with cybersecurity?

    • by Cinder6 ( 894572 )

      Nothing, of course. This is some combination of a few things:

      1. Clickbait to drive ad revenue
      2. Clickbait to draw attention to someone's pet issue
      3. The writing of an idiot

    • by gweihir ( 88907 )

      > In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch.

      What the fuck does that have to do with cybersecurity?

      Denial-of-Service attack type. Quite often this one is unknown to non-experts in the security field. It is a separate area though and it has nothing to do with data-theft, except potentially as a misdirection measure, i.e. as a supporting attack.

  • by smooth wombat ( 796938 ) on Thursday October 07, 2021 @11:51AM (#61869481) Journal
    Getting ones hands on the raw numbers, any one of these twitchers who were either underreporting or not reporting their income may get a nasty letter in the mail saying they're being audited.

    Just like the kid who bragged about all the money he made [slashdot.org] during covid by scalping video cards and other items. I'm sure he was reporting his income, right?
    • by tgeek ( 941867 )
      I'd be very surprised if Twitch wasn't required to issue 1099s to their streamers. I suppose if I really cared, I could look thru their code and see if they were doing that ;-)
      • by mysidia ( 191772 )

        Twitch does issue 1099s. The IRS doesn't need the output of this dump to do their jobs.. aside from the fact that Amazon is already required to report the numbers to the IRS (Or be severely penalized); they're also required to do so over the full year in an ongoing basis, and the IRS can request -- order/subpoena any records they want from Amazon; they wouldn't have to wait for some 3rd party to put them out in public.

        Furthermore, as for these numbers that got dropped.. it's not entirely clear that

  • It was never a secret that streamers made a fortune with Twitch and all the gaming opportunities. I know one streamer who plays cs go and earns money by selling skins on this page [dmarket.com]. It's pretty profitable, so I thought about doing the same since I'm good at this game, and I think I'll try it one day for sure.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...