LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Twitter: Are You Vulnerable?

Twitter Going DownUnless you’ve been living under a rock – or only follow sports – you’ve probably heard something about Elon Musk buying twitter.  It was on, it was off, they went to court, then suddenly it was back on, and now the deal has gone through.  Musk owns Twitter.

And it’s been a drunken clownshow ever since.

This piece from Platformer is a good starter.  Among other things:

  • Musk fired all of the leadership (CEO, COO, etc.)
  • Thousands of staff were let go.
  • Those who didn’t faced the worst of the corporate Hunger Games, sometimes overseen by Tesla engineers.
  • Then there was a desperate (and by all accounts unsuccessful) attempt to rehire some.
  • New features were demanded on 48 hours notice, causing staff to work all weekend, only to be laid off on Monday.
  • New feature rollout has been very botched, to say the least, with the platform changing nearly daily.  Meanwhile, the Blue/Red/Gold organization has been shredded, resulting in chaos, as many of the SMEs on Twitter’s home-engineered systems have been shown the door.

Some of this is not unusual in these kinds of acquisitions.  Like many of these deals, Musk borrowed heavily and now is eager to radically slash costs to pay back the massive debt he’s saddled Twitter with.  Unfortunately, Twitter was not exactly a cash cow prior to acquisition.

Depending on your lifestyle, this ranges from “amusing drama” to “a grave threat to the free world” to “a disruption in my life”.  But no matter where you land on that spectrum, you should stand up and take note of news today that all of Twitter’s privacy and security heads have resigned en masse.

Can’t Comply

Included in the resignations are

  • Chief Information Officer (CIO).
  • Chief Information Security Officer (CISO).  This is the person in organizations who bears ultimate responsibility for information security.  In other words, it’s their job to make sure Twitter doesn’t get hacked.
  • Chief Privacy Officer
  • Chief Compliance Officer.  Rather important since Twitter faces potentially billions in FTC fines owing to previous compliance issues (including spamming the phone numbers provided for OTP verification!)

As mentioned, Musk already fired the CEO, CFO, Chief Legal Officer, and General Counsel.  The head of trust and safety also resigned earlier.

That’s pretty much everybody at the top who has anything to do with security and privacy and legal compliance.

If you’ve ever had a Twitter account, that should scare you because one of the world’s largest social media networks is about to get hacked, and probably hacked hard.

A Large Torrent Coming Soon

I have no inside knowledge, but the scale of threats that Twitter faces from random hackers, state actors, political operatives (in many countries), criminal networks, terrorists, etc. is massive.  It will not take more than a few missed security advisories or a couple disgruntled engineers deciding to sell some code on the darker side of the web before Twitter is going to blow up, spewing everyone’s personal data all over the web.

Haven’t a number of recent high profile hacks been from developer laptops?  And now Twitter just mass-fired a few thousand people…hope they kept track of all that gear.

Yes, of course, the point of Twitter is tweet publicly so you might think “who cares if my public tweets are made public”.  But consider, there’s also

  • Emails, login information, passwords, authentication.  Tons of people use Twitter as an authentication mechanism.  And of course, who’s to say hackers will make it immediately obvious they’re in control.
  • Private messages.
  • A ton of behavioral data about you.
  • Correlations between that secret account you use to post nasty reactions on celebrities’ tweets when you’re drunk at 2am, a thousand other hacks, and your real email.
  • And who knows what shenanigans are possible once someone gets inside or subverts the API.

Here’s a fun one: Richard Stallman of GNU fame once had a Twitter account that he used solely so he could comment on various articles on web sites.  He’s since added Twitter to his personal cancelled list, but suppose someone decides to assume that account?  Who cares if rms deleted it, if he ever did – an insider will just restore it.  We might get all sorts of fun rants retracting that whole GNU/Linux thing.

But seriously, cracking open Twitter wide and hard is going to be very ugly.  And once the platform goes down, it’s going to take a long time to recover because a lot of the people who need to recover it have probably been let go.

What You Can Do To Protect Yourself.  Just Kidding.

Unfortunately, this article does not end with a “here’s what you can do to protect yourself”.  You could remove your Twitter account, but it’s not clear that would really protect you.  Stopping use of any Twitter authorizations is probably wise.  If you were a low-volume user like me, well…

Twitter Goodbye

3 Comments

  1. Gday

    I recommend self hosting
    – Social Site
    – Video Site
    – Picture site
    – Cloud Site
    – Blog Site

    Don’t rely on these ‘free’ services by International Corporations and Multi National ‘platforms’
    which will always move the goal post, not follow their own rules and collect data from the user/consumer
    along with having a know bad track record for insecure data base/systems, privacy and
    working with certain groups to the users/consumers determent

    ——–

    Self Host – Social Media

    * Mastodon – https://github.com/mastodon/mastodon
    * Pleroma – https://docs.pleroma.social/backend/installation/otp_en/ https://pleroma.social/
    * Misskey – https://join.misskey.page/en-US/ https://github.com/misskey-dev/misskey
    * Diaspora – https://github.com/diaspora/diaspora
    * Acropolis, Magic Stone’s fork of diaspora – https://github.com/magicstone-dev/acropolis
    * Movim (XMPP)- https://github.com/movim/movim https://movim.eu/
    * TwTxt (Textfile) – https://github.com/buckket/twtxt

    ——–

    Self Host – Video Site
    * PeerTube – https://github.com/Chocobozzz/PeerTube
    * Avideo – https://github.com/WWBN/AVideo
    * MediaCMS – https://github.com/mediacms-io/mediacms
    * NodeTube (Newtube) – https://github.com/mayeaux/nodetube
    * Tube (new one) – https://prologic.github.io/tube/
    * Tube (old one) – https://github.com/wybiral/tube

    ——-

    Self Host – Live Streaming

    – OwnCast – https://owncast.online/
    – AVvideo – Video and live streaming – AVvideo – https://github.com/WWBN/AVideo
    – Peertube – https://github.com/Chocobozzz/PeerTube https://joinpeertube.org/
    – Ant Media Server – Community Edition – https://github.com/ant-media/Ant-Media-Serverhttps://www.youtube.com/watch?v=k5IbcYqXCqs

    – RMTP + NGINX – https://www.nginx.com/blog/video-streaming-for-remote-learning-with-nginx/ https://www.youtube.com/watch?v=Js1OlvRNsdI
    – RTMP + HLS – https://www.youtube.com/watch?v=D-UjQo_8_rY

    —–

    ________
    Regards
    Charliebrownau
    People’s Republic of Australia
    * Email – charliebrownau@protonmail.com
    * Website – http://Charliebrownau.com/
    * Video – https://JoshwhoTV.com/channel/charliebrownau
    * Social – https://pieville.net/@charliebrownau

    November 11, 2022 @ 4:41 am | Reply
  2. Rob:

    Are you at risk? Yes.

    Before Twitter was a publicly held company with a board of directors. Now all the years of data, user information and such are now all owned privately by one man with no restrictions at all on how he can use that data. Yes you are at risk. BIG RISK. Why else buy a business that has never made money? When what that company possesses is worth a lot of money.

    Your data.

    November 14, 2022 @ 10:27 am | Reply
  3. Yes you are at risk

    November 15, 2022 @ 4:38 am | Reply

Leave a Reply

Some notes on commenting on LowEndBox:

  • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
  • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
  • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

Your email address will not be published.