In the EU, you have a right to get all personal information about you deleted from any service, unless you are a person of the public.
That would be relevant enough here (and several Germans have successfully got courts to issue warrants for that, and got restraining actions against twitter users)
EU law does not extend to US entities that do not have a nexus in the EU.
I could not find, from a cursory review, any GitHub offices in the EU. Nor does an entity not investigating a doxxing claim in a timely manner make them "hostile", only apathetic.
> EU law does not extend to US entities that do not have a nexus in the EU.
I'd have agreed with you on that until last year, when the US decided that US law applies to foreign entities, even if they have never been in the US, never did business with US entities, never used USD, etc (the famous case w.r.t. 9/11 and Saudi Arabia which Obama vetoed).
That case legitimizes using national law against a foreign entity. And, just like in the Megaupload case, where the US seized assets of a German citizen in New Zealand, the EU could seize GitHub's assets remotely.
Such a situation has happened only once before, where an airplane of a foreign airline was seized to force the airline to issue a refund to a customer. In the same way, servers rented by GitHub could be seized, and, as argued above, enough cases exist to justify that.
Is it appropriate in this case? Probably not. Does the EU have a legal tool to enforce it? Yes.
> Seizing US-based assets? Not in this political cycle.
I’m not so sure. France seizing Google assets last year was quite a sign, and they’d likely be able to do so again.
Yes, the EU Commission and the German government are quite corrupt since Google, Uber, MS and co have outright bought them, but France, the EU Parliament and the courts would still fight in this case.
What about "Privacy Shield Framework"? EU is pretty serious when it comes to handling its' citizens personal data.
Also, according to the EU law even storing personal data is regulated.
Really? I contacted GH support twice and they answered surprisingly quickly and humanly. I wondered how they could do that, given they're so big and with surely so many bogus emails coming in.
Yeah, my first contact with their support was excellent. My issue got explained within half an hour and it got resolved within an hour (IIRC).
The second was literally caused by a typo on my end, and it literally took 82 days and me asking some random GitHub employee on his AMA repository what to do when support ignores you to get it resolved.
I reported a minor security issue once and it was fixed in a day or so.
Edit: Your first reminder email is already quite harsh ("STILL no response? [...] Come on!")... wouldn't be surprised if that pissed the assigned support worker off.
This is unreadable on mobile. I have to click on the image to read it, which takes me to a tweet (after quite some time loading), and then have to click the image again. Then click back twice to get to the next image and do the same.
If it makes you feel any better, it was a pain in the ass to write it down on mobile too. I had to rearrange tweets every time I've added a new one, and then when I published it, they were suddenly all in a different order than the one I've set up. So I had to edit them from the desktop. And I've failed multiple times to edit the description (both on desktop and mobile), so it remains "I'm this moment" instead of "In this moment" in the description of the moment.
They're too busy changing the icons and adding border-radius to everything. Don't you know it took them 6 weeks to change the star button into a heart? They are very proud of it! /s
This is just another indication how much these idiotic companies take security seriously. Once some news outlet picks this up and it gains traction, and it becomes a PR problem for them, will this be solved.
It's like they are paying them to reply with irrelevant links to their support page. I would really not be surprised if every mail that they send to OP was made by bots.
I've often wondered that about most tech support avenues. At times, I wouldn't have been surprised if Microsoft had an entire staff whose only purpose was to tell people in the MSDN forums that they asked their question in the wrong place (whether they did or not).
Agree. Really seems to be a general thing in some circles.
See stackoverflow etc were for a couple of years at least it seemed that more likely or not any really useful question/answer would be flagged/closed/something. I've seen less of it lately so either I developed a blind spot, google changed ranking, SO decided to stop doing this (I've seen some people trying to advocate common sense in meta.)
One of my favourites: an otherwise relevant question on networking being flagged of because the equipent in question was placed between two corporate networks and the rules specified that it had to be placed in a corporate network. :-/
It's not really a "security issue" in the way we think of them. This is just an -- optional -- security feature that isn't working, and as it turns out, not working on just one person's account. The OP shows that Twitter Security actually did investigate reasonably promptly, and replied that they couldn't repro the issue.
And I think that's not unreasonable. The security team is mainly about triaging security vulnerabilities. They likely aren't equipped to deal with an issue that appears to be restricted to a single account, that's related to an optional feature.
Now, Twitter's main-line support seems to be worse than useless, but I suppose that's to be expected, sadly.
I'm not saying it's the right way to do things, just that it's not unreasonable. Corporate infosec teams just usually aren't staffed to deal with this sort of issue. At best they can pass the user to regular support, or pass the issue on to whatever engineering team is responsible for third-party 2FA. And that's where the issue lies: if Twitter's regular support wasn't completely useless, we wouldn't have this problem here.
> and as it turns out, not working on just one person's account.
It's actually three. Three accounts, on three different browsers (Chromium, Firefox, Safari), using three different operating systems (Ubuntu, Windows, macOS). I was able to replicate it exactly as I've described every single time. They claim that they haven't. I'm in no position to try it with a larger number of accounts.
And that's basically the worst thing to happen in any bug report scenario: unable to reproduce. Obviously we all want our support issues to get resolved in a positive manner, but sometimes it's not possible. And it's not like we're paying for Twitter, so they have no obligation to help us beyond what they think might make their actual paying customers unhappy. You may disagree with their math on this one, but it's their math to make.
If you read the last image in the article, Twitter's security team already responded (within 2 days) that because this wasn't reproducible, there was nothing they could do to attempt to fix it.
The current rise of "bots" that I'm seeing being developed of late seems to forget one really crucial thing about humans, especially in a time of need: We need to talk to another human.
It started with "choose your option", "press x.." call routing. You know, the ones which keep you trapped in a menu while charging premium rates. How many times have we all shouted "give me a human!!" to an automated call system?
This rampant increase in (money/job/man-hour -saving) bots seems to me to be very short-sighted and totally destroying the relationships that companies used to have (or dreamed of having) with their customers/users/(unwitting prisoners).
The icing on the cake is that engineers cost more than support reps. Sure the bot can "scale" but in a lot of cases I wonder if they are really saving by having a team of engineers who cost so much more than phone agents.
> The current rise of "bots" that I'm seeing being developed of late seems to forget one really crucial thing about humans, especially in a time of need: We need to talk to another human.
I don't think this is true at all. If the bots were effective problem solvers then there'd be no problem. The issue is not some emotional need for human connection. OP certainly didn't need that - he would have been fine with a bot that correctly identified his email as a security report, forwarded it to the appropriate engineer, and let him know.
The issue is that the bots are completely useless for anything but idiot problems. Frankly, a comparably competent human would be much more frustrating.
The author seems to be assuming that, if they enable third-party app 2FA, SMS-based 2FA will be disabled; and so, they're assuming because they are still getting SMS verification codes, app-based 2FA hasn't been set up. But the support documents don't actually say that enabling app-based 2FA disables SMS-based; in fact, the docs seem to view app-based 2FA as a supplement to SMS-based 2FA (to be used when you don't have a signal), rather than a replacement. I tried enabling app-based 2FA, and Twitter still sends me SMS codes, but using the code from Google Authenticator, rather than the one from the SMS, also lets me log in.
So, it's not clear to me that app-based 2FA actually is broken. Still, given the security weakness of SMS, not letting people disable it in favour of an alternative form of 2FA does seem like a bad decision.
I've actually never gotten a response to @support on Twitter. And I've messaged them dozens of times about different issues. I didn't even realize that account was for getting questions answers, I thought they just posted out status updates or something.
Common problem for all major services: if you have support that actively answers the requests, you'd get flooded with all kinds of junk, and hiring people that can a) sort through the junk without quickly burning out and b) be able to distinguish "i clicked something and now internet is gone!!! help!!!" people from people reporting legit problems - it is very expensive. I'd say prohibitively expensive. And if you don't go to this expense, eventually somebody somewhere gets false negative and shames you on all social media.
I haven't found many exceptions from that rule - if you want to report something to a big company, you'll have to deal with several layers of bots or bot-like script readers, which have zero incentive of escalating your issue (they are probably trained to have very high escalation threshold, otherwise everybody would demand to speak to Twitter CEO about some dude posting offensive stuff on Twitter). So either arm yourself with a lot of patience, or give up.
45 comments
[ 5.6 ms ] story [ 112 ms ] threadThe only two ways to reach such hostile corporations is via legal or a PR disaster.
That would be relevant enough here (and several Germans have successfully got courts to issue warrants for that, and got restraining actions against twitter users)
I could not find, from a cursory review, any GitHub offices in the EU. Nor does an entity not investigating a doxxing claim in a timely manner make them "hostile", only apathetic.
I'd have agreed with you on that until last year, when the US decided that US law applies to foreign entities, even if they have never been in the US, never did business with US entities, never used USD, etc (the famous case w.r.t. 9/11 and Saudi Arabia which Obama vetoed).
That case legitimizes using national law against a foreign entity. And, just like in the Megaupload case, where the US seized assets of a German citizen in New Zealand, the EU could seize GitHub's assets remotely.
Such a situation has happened only once before, where an airplane of a foreign airline was seized to force the airline to issue a refund to a customer. In the same way, servers rented by GitHub could be seized, and, as argued above, enough cases exist to justify that.
Is it appropriate in this case? Probably not. Does the EU have a legal tool to enforce it? Yes.
I’m not so sure. France seizing Google assets last year was quite a sign, and they’d likely be able to do so again.
Yes, the EU Commission and the German government are quite corrupt since Google, Uber, MS and co have outright bought them, but France, the EU Parliament and the courts would still fight in this case.
The second was literally caused by a typo on my end, and it literally took 82 days and me asking some random GitHub employee on his AMA repository what to do when support ignores you to get it resolved.
Edit: Your first reminder email is already quite harsh ("STILL no response? [...] Come on!")... wouldn't be surprised if that pissed the assigned support worker off.
If you don't pay for the product you are the product.
I wonder how they respond to 2FA fault complaints from accounts like @realKimJongUn .
See stackoverflow etc were for a couple of years at least it seemed that more likely or not any really useful question/answer would be flagged/closed/something. I've seen less of it lately so either I developed a blind spot, google changed ranking, SO decided to stop doing this (I've seen some people trying to advocate common sense in meta.)
One of my favourites: an otherwise relevant question on networking being flagged of because the equipent in question was placed between two corporate networks and the rules specified that it had to be placed in a corporate network. :-/
What can you realistically expect from "support" when you're not an actual paying customer of Twitter?
And I think that's not unreasonable. The security team is mainly about triaging security vulnerabilities. They likely aren't equipped to deal with an issue that appears to be restricted to a single account, that's related to an optional feature.
Now, Twitter's main-line support seems to be worse than useless, but I suppose that's to be expected, sadly.
It is security for the user, not for the server. It is still security.
It's actually three. Three accounts, on three different browsers (Chromium, Firefox, Safari), using three different operating systems (Ubuntu, Windows, macOS). I was able to replicate it exactly as I've described every single time. They claim that they haven't. I'm in no position to try it with a larger number of accounts.
"Security issue" should be a red flag for support.
https://about.twitter.com/company/security
It started with "choose your option", "press x.." call routing. You know, the ones which keep you trapped in a menu while charging premium rates. How many times have we all shouted "give me a human!!" to an automated call system?
This rampant increase in (money/job/man-hour -saving) bots seems to me to be very short-sighted and totally destroying the relationships that companies used to have (or dreamed of having) with their customers/users/(unwitting prisoners).
I don't think this is true at all. If the bots were effective problem solvers then there'd be no problem. The issue is not some emotional need for human connection. OP certainly didn't need that - he would have been fine with a bot that correctly identified his email as a security report, forwarded it to the appropriate engineer, and let him know.
The issue is that the bots are completely useless for anything but idiot problems. Frankly, a comparably competent human would be much more frustrating.
So, it's not clear to me that app-based 2FA actually is broken. Still, given the security weakness of SMS, not letting people disable it in favour of an alternative form of 2FA does seem like a bad decision.