Twitch's Security Problems Started Long Before This Week's Hack (theverge.com)
A massive security breach at Twitch has exposed a wealth of information pertaining to the website's source code, unreleased projects, and even how much the top streamers make. As data analysts and journalists work to decipher what exactly is contained in the hundreds of gigabytes of information, others are still wondering how this happened. From a report: Such a breach seemed like it was increasingly likely to some. The Verge has spoken to multiple sources who claim that during their time at Twitch, the company valued speed and profit over the safety of its users and security of its data. This data breach, which Twitch blames on an error in a server configuration, is the latest in a series of security and moderation problems that have plagued the Amazon-owned streaming platform. In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch. Streamers banded together to create the #twitchdobetter hashtag and organized a walkout on September 1st to bring attention to the problem and spur Twitch to deploy safety measures to stem the hate tide. In response, Twitch acknowledged streamers' complaints, urged patience, and promised it was working on tools that would help to better protect streamers and their communities.
Don't they use Rust? (Score:1)
Re: (Score:3)
Looks like mostly a mixture of Go, Ruby and some other HLL stuff. Which should be alright, but a cursory look seems to indicate that best practices and design principles were not generally observed.
Now is the part where Amazon and Twitch rediscover that you can't get 200 man weeks of software development by assigning 200 developers for 1 week - while the 25 or so who know anything about the original ball of mud frantically patch it and are not available to answer questions for the re-implementation.
Will be
Re: (Score:3)
Looks like mostly a mixture of Go, Ruby and some other HLL stuff. Which should be alright, but a cursory look seems to indicate that best practices and design principles were not generally observed.
After 40 years in industry I can tell you that best practices and design principles are not generally observed. Every codebase has plenty of "get it patched; get it out the door; get some cashflow" code in it.
That's just reality - aim for the stars and hope you miss your foot.
Re: (Score:2)
Indeed. The current state of affairs is more often than not pathetic and has nothing to do with competent engineering. There is a high price to pay for that, but it comes with a delay. Twitch just found that out.
Typical InfoSec whiners (Score:1)
"the company valued speed and profit over the safety of its users and security of its data"
Sounds like a typical security team asshole. Maybe if they did their jobs more quickly instead of complaining this wouldn't be a problem.
Why didn't InfoSec notice the exfiltration of data? I'm sure they'll point the finger at IT.
Re: (Score:3)
Yes, obviously infosec fell down in a huge way as far as data leak protection, identification, and exfil prevention go.
It absolutely must be considered a black eye for those folks. Someone getting RCE in your app and dumping a database is one thing (especially when spotting the exfil there is hard because you're a big high-volume public site), but the attackers getting all the other stuff like code repo access, internal docs etc. is both horizontal and lateral movement that infosec should have spotted.
Not looking
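The comment above argues that bulk access to source repositories and internal docs is the kind of lateral movement a security team should catch. As an added example (not code from Twitch, Amazon or The Verge), here is a small detector that reads constructed repository-access log lines and flags any principal that clones an unusual number of distinct repos, or an unusual volume of bytes, inside a short sliding window, or that clones a repo outside its normal baseline. The log format, field names, the baseline table and every threshold are assumptions chosen for the illustration.

```python
"""Toy bulk-repo-access detector (added example; not Twitch's or Amazon's code).

Log format is an assumption: "<ISO-8601 UTC timestamp> <principal> <action> <repo> <bytes>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a CI service account that normally touches one repo
# suddenly clones the whole estate within about half a minute.
SAMPLE_LOG = """\
2021-10-04T09:00:01Z alice clone web-frontend 1200000
2021-10-04T09:05:12Z bob clone billing-api 900000
2021-10-04T09:06:40Z alice clone web-frontend 1200000
2021-10-04T09:10:00Z ci-runner clone web-frontend 1200000
2021-10-04T09:10:05Z ci-runner clone billing-api 900000
2021-10-04T09:10:09Z ci-runner clone chat-service 2500000
2021-10-04T09:10:14Z ci-runner clone transcode 4100000
2021-10-04T09:10:20Z ci-runner clone payouts 700000
2021-10-04T09:10:25Z ci-runner clone infra-terraform 300000
2021-10-04T09:10:31Z ci-runner clone mobile-ios 3200000
2021-10-04T09:10:36Z ci-runner clone mobile-android 3000000
"""

# Assumed baseline: which repos each principal is normally expected to clone.
# In practice this would be learned from history; here it is hard-coded.
BASELINE = {
    "alice": {"web-frontend"},
    "bob": {"billing-api"},
    "ci-runner": {"web-frontend"},
}


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, principal, action, repo, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "principal": principal,
        "action": action,
        "repo": repo,
        "bytes": int(nbytes),
    }


def find_bulk_cloners(log_text, window=timedelta(minutes=10),
                      max_repos=3, max_bytes=10_000_000, baseline=BASELINE):
    """Return {principal: {"repos": n, "bytes": total, "new_repos": [...]}} for
    principals whose clone activity in any sliding window exceeds max_repos
    distinct repos or max_bytes, or that cloned a repo outside their baseline.
    Principals with no finding are omitted."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "clone":
            events[ev["principal"]].append(ev)

    flagged = {}
    for principal, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        worst_repos, worst_bytes = 0, 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            repos = {e["repo"] for e in span}
            total = sum(e["bytes"] for e in span)
            if len(repos) > max_repos or total > max_bytes:
                worst_repos = max(worst_repos, len(repos))
                worst_bytes = max(worst_bytes, total)
        known = baseline.get(principal, set())
        new_repos = sorted({e["repo"] for e in evs} - known)
        if worst_repos or worst_bytes or new_repos:
            flagged[principal] = {"repos": worst_repos, "bytes": worst_bytes,
                                  "new_repos": new_repos}
    return flagged


if __name__ == "__main__":
    for who, finding in find_bulk_cloners(SAMPLE_LOG).items():
        print(who, finding)
```

On the constructed log only ci-runner is flagged: eight distinct repos and about 15.9 MB inside one window, seven of them outside its baseline. Alice and Bob stay within both the volume thresholds and their baselines. The two signals are deliberately independent: the baseline check catches a single quiet clone of a repo a principal never touches, and the window check catches a loud sweep by an account that legitimately has broad access.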
Re: (Score:1)
Re: (Score:2)
InfoSec can only act within the boundaries set by management. What InfoSec people can do is leave if they are prevented from doing a good job. For good InfoSec people that is not a problem. The bad ones stay behind. And that explains part of the current mess.
Conflating Abuse with Security (Score:2)
This source claims raids were internally discussed as being a vector for harassment just by virtue of their name alone and that the team had to rush to secure the feature before it went live. ...
Really? Conflation of the Twitch raid feature and the hate raids made it into a news article? For those who weren't paying attention: hate raids consist of bots automatically registering numbers of accounts and spamming. They are a form of abuse for sure, but at least up to now they don't have any special acc
Those seem unrelated issues though (Score:2)
> In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch.
What the fuck does that have to do with cybersecurity?
Re: (Score:2)
Nothing, of course. This is some combination of a few things:
1. Clickbait to drive ad revenue
2. Clickbait to draw attention to someone's pet issue
3. The writing of an idiot
Re: (Score:2)
> In August, hate raids in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech erupted across Twitch.
What the fuck does that have to do with cybersecurity?
Denial-of-Service attack type. Quite often this one is unknown to non-experts in the security field. It is a separate area though and it has nothing to do with data-theft, except potentially as a misdirection measure, i.e. as a supporting attack.
The IRS is thrilled (Score:3)
Just like the kid who bragged about all the money he made [slashdot.org] during covid by scalping video cards and other items. I'm sure he was reporting his income, right?
Re: (Score:2)
Re: (Score:3)
Twitch does issue 1099s. The IRS doesn't need the output of this dump to do their jobs. Aside from the fact that Amazon is already required to report the numbers to the IRS (or be severely penalized), they're also required to do so over the full year on an ongoing basis, and the IRS can request, order or subpoena any records they want from Amazon; they wouldn't have to wait for some third party to put them out in public.
Furthermore, as for these numbers that got dropped.. it's not entirely clear that