How the Twitter hacker got in

Once again I am profoundly glad that I am letting social media pass me by… at a distance.

5 Likes

I can’t believe someone smart enough to have a Bitcoin account would believe Bill Gates would be involved in an obvious scam.

2 Likes

Admin pw’s posted on a Slack channel with service login links? LOLlllllllll. That is beyond… I don’t even have the words except to laugh. OMG

2 Likes

You are smart to. You are not missing much. Don’t let them entice you. Your life will be so much richer and righter without it. Nature, books, your hobbies, a few blogs like this one, articles on Medium and Substack, some news, maybe a game or two… but that’s a very full life. That’s where I’m at. I use computers ALL DAY LONG for work, and so I have no problem going, NOPE, I do not need the full experience of social media to fill some gap in my life. I would much rather put on some music and go cook in the kitchen and then do stuff outside, call a friend up or talk to my family, play with the dog or create something.

6 Likes

Come on everybody, Jack’s sorry, OK?

2 Likes

Sure, nobody can even manage to act surprised when one of those gets knocked over.

3 Likes

I too am practising social media distancing.

6 Likes

"…Twitter’s internal Slack messaging channel"

Management wants FULL access to all Slack traffic for employee surveillance.

Anyone who works using Slack today is well aware of this. It’s not Signal. It’s not private, let alone secure.

All your base…

Oh never mind

2 Likes

How about a website that can start thermonuclear war? Just needs one tweet saying “I’ve just used the football Rocket Man, your move.”

At least Seoul and Tokyo will be gone in minutes. Anchorage, certainly, but maybe even Seattle might be hit.

2 Likes

I used to work for a company that did managed services for some of their colo customers. We had a handful of names that you would recognize and a bunch of smaller customers that you probably wouldn’t.

This whole thing reminds me of some of the worst, least competent of our managed services customers. “What do you mean you don’t have any backups?”

1 Like

Who among us has never posted an admin password into Slack? Anyone? Anyone?

Guilty. I kind of assumed our Slack was secure.

For what it is worth, I think every cloud-based operation should have one reliable home base for secure information. Something we can trust with our secrets.

1 Like

Twitter admits 130 A-lister accounts compromised to promote Bitcoin scam after ‘social engineering’ attack

15 Likes

So we can infer a couple things here.

  • Twitter created a user account which can post as nearly anyone.
  • Twitter staff shared a credential to this permission.
  • This account was accessible to the public Internet.
  • This account did not require two factor auth.
  • Twitter did not have logging of posts created with this credential.
  • A Twitter employee posted this credential to Slack.
  • A Twitter employee pinned this credential to make it easier to find.
  • None of the people in this Slack channel escalated this or reversed it.

If I were a government infosec person, I would have to say, guys, it was fun but we can’t be on there. Remove every “official” account because we can’t risk someone posting as us, and Twitter can’t even do ordinary, well-understood SOC2 security stuff that every bank and hospital portal does. (A workaround would be to post your “tweet” on an institution-controlled website, and link to it via Twitter. Every single time.)

Also, safe to assume Russia has every Twitter DM ever sent.

8 Likes


We have a hard policy on “no confidential information on Slack.” And we help each other when mistakes are made.

Every so often I’ll see someone post something to Slack who was clearly intending to type in a different window. There will just be a random “Jumb0$hrimp87” in some channel or other. It will be immediately tagged by someone with something like a flaming dumpster icon, then followed up with something like “Someone needs to change his password!”

Also, it’s an occasional reminder to not use offensive or embarrassing words in your password. Because that’s happened, too.

4 Likes
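A small detector for the situation this poster describes (a password typed into the wrong window, flagged before it lingers), as an added example that is not code from the original thread; the sample chat lines and the matching rules are constructed here and are assumptions, not Slack's or any vendor's API.

```python
import math
import re

# Constructed sample chat lines for the demo (not taken from the thread)
SAMPLE_MESSAGES = [
    "lunch at noon?",
    "Jumb0$hrimp87",
    "the deploy password is hunter2",
    "admin console: https://ops.example.internal/login user=admin pass=Tr0ub4dor&3",
    "repo mirror: https://deploy:s3cr3t@git.example.internal/infra.git",
    "see the FAQ pinned above",
]

# "password: x", "pass=x", "token is x" and similar keyword-led leaks
KEYWORD_RE = re.compile(
    r"\b(?:pass(?:word)?|pwd|secret|token|api[_-]?key)\b\s*(?:[:=]|is)\s*(\S+)", re.I)
# credentials embedded in a URL: scheme://user:pass@host
URL_CRED_RE = re.compile(r"https?://[^/\s:@]+:[^@\s]+@")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score above roughly 3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_like_password(token: str) -> bool:
    """Heuristic: 8+ chars, at least 3 character classes, high entropy."""
    classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(token) >= 8 and classes >= 3 and shannon_entropy(token) >= 3.0

def scan_message(text: str) -> list:
    """Return (kind, value) findings for one chat message."""
    findings = [("keyword", m.group(1)) for m in KEYWORD_RE.finditer(text)]
    findings += [("url-credential", m.group(0)) for m in URL_CRED_RE.finditer(text)]
    known = [v for _, v in findings]
    for tok in text.split():
        # skip tokens already covered by a more specific rule above
        if any(v in tok for v in known):
            continue
        if looks_like_password(tok):
            findings.append(("high-entropy-token", tok))
    return findings

def scan_channel(messages) -> list:
    """Flag every message that needs the flaming-dumpster treatment."""
    return [(i, kind, value) for i, msg in enumerate(messages)
            for kind, value in scan_message(msg)]

if __name__ == "__main__":
    for idx, kind, value in scan_channel(SAMPLE_MESSAGES):
        print(f"message {idx}: {kind} -> {value!r}  (rotate this credential)")
```

Every hit is a credential to rotate, not just a message to delete: once it has been posted, assume it has been read.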

Someone is gonna get fired over this… for making a reasonable, if dumb, assumption… that the “company” Slack channel is, well, not easily accessible to the outside.

Why would such info be pinned, on the other hand…

2 Likes

Well, because it’s useful.

The thing is, the best place for these things is a password manager. But the password managers I have used are over-engineered, prescriptive and over-structured. Slack is largely free-form and makes it easy to save something for later. That’s why the creds were stored there.

This, basically in a nutshell. All governments (not just the USA) need to make an official policy that nothing posted on any server they don’t own is official, and should be assumed spoofable.

In a way, this is old Discordian teachings, to not believe everything you read. It’s exhausting and hard to keep up without becoming a Greyface, but the ease of spoofing in the modern era means a lot of Jakes are out there.

1 Like

Uh… Slack is a message/forum tool for teams. Pinning stuff is useful for announcements such as FAQs and READMEs. A password list, and not just a regular password list, but the account and password for FAMOUS accounts? Pinned on a semi-PUBLIC Slack channel, not just one for admins?