The data that appeared on “Breached” this week was actually stolen during 2021. Per the Washington Post, cybercriminals exploited an API vulnerability in Twitter’s platform to call up user information connected to hundreds of millions of user accounts. This bug created a bizarre “lookup” function, allowing any person to plug in a phone number or email to Twitter’s systems, which would then verify whether the credential was connected to an active account. The bug would also reveal which specific account was tied to the credential in question.
Everything I’ve read about the technical side of Twitter suggests the software was like a ship with a bloody great hole in the bottom, and rather than fix the hole they kept hiring more people to bail the water out as the ship got more and more heavily loaded.
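The lookup bug described above is a classic account-enumeration oracle: an endpoint that takes a phone number or e-mail and answers both "is this registered?" and "to whom?". The following is an added illustration, not Twitter's code or anything from the report, using constructed fictional accounts and hypothetical function names (`vulnerable_lookup`, `hardened_lookup`). It puts the bug pattern beside a hardened contact-sync version that requires an authenticated caller, rate-limits per caller, honours the target's discoverability setting, and makes "unknown" and "not discoverable" indistinguishable so the response cannot be used to confirm a credential.

```python
"""Account-enumeration oracle: a contact-lookup endpoint that confirms whether
an e-mail or phone number belongs to an account, beside a hardened version.
Illustrative example with constructed data; not code from any real platform."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample accounts (fictional). "discoverable" is the user's
# "let people find me by e-mail/phone" setting.
ACCOUNTS = {
    "u1": {"handle": "alice", "email": "alice@example.com", "phone": "+15550001", "discoverable": True},
    "u2": {"handle": "bob",   "email": "bob@example.com",   "phone": "+15550002", "discoverable": False},
    "u3": {"handle": "carol", "email": "carol@example.com", "phone": "+15550003", "discoverable": False},
}

# Reverse index: normalised contact -> account id (assumed server-side lookup table).
CONTACT_INDEX: Dict[str, str] = {}
for _uid, _acct in ACCOUNTS.items():
    CONTACT_INDEX[_acct["email"].lower()] = _uid
    CONTACT_INDEX[_acct["phone"]] = _uid


def vulnerable_lookup(contact: str) -> dict:
    """The bug pattern in the report: unauthenticated, unmetered, ignores the
    discoverability setting, and the response reveals both that the contact is
    registered and which account it belongs to."""
    uid = CONTACT_INDEX.get(contact.lower())
    if uid is None:
        return {"found": False}
    return {"found": True, "handle": ACCOUNTS[uid]["handle"]}


def enumerate_with_vulnerable(candidates: List[str]) -> Dict[str, str]:
    """Attacker loop: one call per candidate contact, harvest every handle returned."""
    leaked = {}
    for c in candidates:
        r = vulnerable_lookup(c)
        if r["found"]:
            leaked[c] = r["handle"]
    return leaked


@dataclass
class RateLimiter:
    """Sliding-window limiter keyed by caller: at most `limit` calls per `window` seconds."""
    limit: int
    window: float
    calls: Dict[str, List[float]] = field(default_factory=dict)

    def allow(self, caller: str, now: float) -> bool:
        recent = [t for t in self.calls.get(caller, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self.calls[caller] = recent
            return False
        recent.append(now)
        self.calls[caller] = recent
        return True


LIMITER = RateLimiter(limit=5, window=60.0)


def hardened_lookup(contacts: List[str], caller: Optional[str],
                    now: Optional[float] = None,
                    limiter: RateLimiter = LIMITER) -> dict:
    """Hardened contact sync. Returns only handles of users who opted in to
    discovery; a contact that is unregistered and one that is registered but
    not discoverable produce exactly the same (absent) result."""
    now = time.monotonic() if now is None else now
    if caller is None:
        return {"error": "authentication required"}
    if not limiter.allow(caller, now):
        return {"error": "rate limited"}
    matched = []
    for c in contacts:
        uid = CONTACT_INDEX.get(c.lower())
        if uid is not None and ACCOUNTS[uid]["discoverable"]:
            matched.append(ACCOUNTS[uid]["handle"])
    return {"matched": sorted(matched)}


if __name__ == "__main__":
    probes = ["alice@example.com", "+15550002", "nobody@example.com"]
    print("vulnerable endpoint leaks:", enumerate_with_vulnerable(probes))
    print("hardened, no auth:       ", hardened_lookup(probes, None))
    print("hardened, authenticated: ", hardened_lookup(probes, "someclient"))
```

Note what the hardened version still exposes: an authenticated caller learns that alice is discoverable by her contact details, which is exactly what she asked for. Bob and carol, who did not opt in, are indistinguishable from nonexistent accounts, and a caller who probes in bulk hits the per-caller limit rather than walking the whole user base.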
Why on earth are people building systems where such internal-system-admin stuff is available from outside? That’s the sort of stuff that should be only physically possible using an actual computer inside the actual office connected via the actual physical internal office infrastructure, not over a public access network.
It makes sense to have remote access: any serious server function needs to be spread geographically, so you don’t lose everything if the building next door catches fire, or the server room, built on a flood plain, actually floods (on a flood plain!!… who knew?)
Yes. Both have happened in my business, though not on my patch.
You don’t want to be driving round the country, going into unmanned anonymous buildings in deserted industrial estates at 3AM… unless you must!
But the remote access does need serious security and access control.
But what do you expect from a bunch of amateurs whose political posturing creates & defines reality? (Or so they think).
10/10 for entertainment value.
BiS, about prepaid debit cards here in Italy.
There is a company called SisalPay which issues such cards. A large number of small retailers accept them, and many issue the cards over the counter, having machines which register and activate them.
One pays a small fee for the card, deposits some cash, and within a short time it should be usable.
If a business accepts SisalPay cards, it displays the fact prominently.
I have no experience of the scheme, and this morning had forgotten I even knew about it. Apologies, and it may answer your question.
Thanx TOBiI. That may well be a solution to a problem. Unfortunately, it’s Reggie Maggots Day today. And I expect all the shops are closed like they are here, for the industrial scale god-bothering.
I’m pretty certain this particular “Feature” has already *ahem*…featured.. in earlier reporting, and not just Twitter. Facebook, ( LinkedIn? ) at least, had a similar …Challenge in the past.
As-is it’s Olds. But given the fact that everybody + dog at Twitter could get into the databases at levels that have you cringe foot-to-nuts style, no doubt some Idiots there exposed their credentials often enough to enable some subtle farming.
As things are slowly becoming apparent how bad the level of sheer, utter incompetence at Twitter was, it’s not surprising, and even laudable that he fired most of the codemonkeys. They were obviously not fit for purpose. Any purpose by the looks of it.
The only positive thing about this is that this kind of list generally only starts circulating publicly when the Hole used to datamine them is closed efficiently and permanently.
So looks like Musk’s team of codewranglers did their job there.
Of course… The Narrative Spinners will make it all out to be Musk’s Fault.
Even though it’s literally impossible for him to be responsible for this particular gaffe.
The guy is down some $200 billion!
Now he knows what it’s like to be trapped in a burning Tesla.
Tim: I agree that certain systems need remote access, but you either: don’t make that access over the public network, or: make it over the public network with a non-public protocol. Customised equipment at each end, using a non-standard non-public IP protocol, and tight whitelisting of communication nodes.
jgh: that sounds suspiciously like roll-your-own security. That really is a big no-no unless you are a TLA with lots of funds & expertise. Good comms security is hard both to design and to execute, so it makes sense to use solutions that have withstood the fires of the Internet already. When I was employed we used IPSec for remote access embedded in products designed for corporate use with the usual deployment & management bells & whistles. Now I’m free of that I use WireGuard to talk back to my home network when away.
As I understood it, he needs to reduce the headcount – doesn’t matter too much whether they are good or bad at what they do!