182 comments

[ 8.9 ms ] story [ 259 ms ] thread
It's worth noting the client is Cloudhopper: that has been compromised before.

https://twitter.com/gruber/status/859857475146854402

Here's some background on what "Cloudhopper" is:

https://twitter.com/bhaggs/status/1090016722415845376

And a reply to that tweet mentions that it was used to hack other accounts before:

"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."

I wonder if Jack is a victim of a SIM port hack?
Looks like it's gone now but there was a Tweet from Jack's account that said, "Unsuspend my shit @plugwalkjoe @percocet @99 u bald skeleton head tramp"
(comment deleted)
Here's a screenshot of that and some of the retweets:

https://imgur.com/a/7jm6JkE

You can see them on the web archive:

https://web.archive.org/web/20190830200105/twitter.com/jack

Don't forget to rotate your credentials and revoke any unused applications, ladies and gentlemen.
Did he really get hacked or did he just get his phone back from his PR team?
Move along now, nothing to see here, just another user getting their account hacked and forgot to enable 2FA on their account.

On a serious note the people who hacked Jack and several others are called #ChucklingSquad. So actually be cautious of protecting your account.

(comment deleted)
(comment deleted)
A better report: https://www.theverge.com/2019/8/30/20841288/jack-dorsey-ceo-...

The fact that the account was used to spread racist & nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.

Why is 1pm on a Friday significant?
Markets close at 1pm PT/4pm ET though I wouldn’t think investors would care (and judging by lack of movement it seems to be the case)
Because people in the same timezone are mostly at lunch and starting to relax for the weekend, so the potential audience is large. I wasn't thinking of anything market-related as another person suggested.
You're probably right. After-hours trading is so large these days that the big movers don't care when the news is announced.
1pm PT is 4pm ET, and as we know from cron, 4pm is teatime.
Looks like big standard troll content.

1pm is sophisticated in which timezone?

I decided not to include links to the overt nazi/racist content.
In the same time zone where getting 10 people on planes at the same time is "highly sophisticated."
Ok, we'll change the URL to that. Thanks!
Vulnerability in their 2fa or did @jack just not have it turned on?
Couldn’t he have just gotten phished?
Some forms of 2FA are unphishable. If he used Authy or SMS, where you type in a code that can be intercepted in replayed within a window, yes. If he had set up a hardware key like U2F (like a yubikey), no.

edit because I can't reply: for twitter you have to remove your phone number. I keep TOTP active as a backup, but might not if I had a highly followed account.

Does twitter let you disable sms/authy fallback if you are using u2f? Many websites don't.
One point of 2FA is to protect from phishing.
Looks like a sidestep around it using an SMS bridge that got hit with an AT&T internal breach.
I was thinking exactly the same. Surely, surely he had 2fa on
Twitter has option of using 2FA with a authenticator app though if this is an ATT issue he must’ve fallen victim to a port attack and must’ve been using SMS based 2FA (which many would argue is not really 2FA at all)
If it's this easy to hack Trump's Twitter account and say things that could trigger war, maybe we need to reconsider allowing elected officials to use social media as their official communications channel. Instead, they should have a government run portal where they relay whatever info they need to.
How, precisely, does a 280 character payload trigger war?

Is UTF-8 just so much U-238 in drag?

If someone is starting a war, than any tweet is fungible with another.

What if a world leader said something along the lines of.. "Just ordered a strike xxxcountry. This is war."

That would probably trigger war.

Would it? Is there any country whose leaders are so foppish as to believe what they read on Twitter as though it were some actual diplomatic channel, or even an early warning system?

Color me skeptical, sir.

I'd wager you're correct in your assumption that most decision makers would not be duped by something like that, however a bogus tweet from an official source could be used as plausible cover for leaders who are seeking justification to take actions they wanted to take anyway.

Can you imagine what would have happened if a post-9/11 Iranian leader's account had tweeted "we have successfully acquired nuclear weapons and will be attacking Washington DC and Jerusalem tonight"? Elements within the governments of the USA and Israel have been agitating for war with Iran for decades, and that could give them the cover they need to act on it.

So, if all that's sought is a pretext, why don't state actors just hack accounts and stage pretexts at will?

The elevation of social media to the level of a United Nations general assembly just doesn't seem to pass muster, boss.

I'd wager that government-run portals might be even easier to hack.

Regardless of that, separating "official communications" from "personal" would be really tricky. Which tweets would come as "the current president" and which as "the candidate up for re-election"?

In addition to that, there are actually separate accounts (official @POTUS / personal @realDonaldTrump) but Trump-the-person has no incentive to ever use the official account (it's not "his") and so all @POTUS account does is just retweet the personal account, sort of defeating the purpose.

look at Equifax for example: huge organization yet undone by very elementary errors
If it’s that easy to hack Jack’s Twitter account then we should think twice about its safety. Sounded like a joke.
seems like a a waste of a hack posting some messages that are quickly deleted and forgotten with no long term gain. I would have done the eth/btc giveaway scam thing and at least made good $ off it. Its like being smart in some regard, such as hacking, but dumb in others , such as maximizing the gain from the hack.
I guess this is the "in for a penny, in for a pound" school of thought?

(If you're going to be arrested for CFAA violations, might was well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)

The hacker could have said he is stepping down from TWTR because of massive financial fraud, and make money by trading TWTR.
except that governments would quickly try to freeze the banks and stock accounts
There are millions of traders trading randomly (see r/wsb). Good luck spotting the one belonging to the hacker.
This is one information theory war against the FBI I can almost promise you would lose.
Doing so would make it really easy to trace it back to him, if he decides to make a trade big enough. The data of all trades on public markets is, after all, public.
Is it possible to make a substantial amount of money on such schemes while evading detection and subsequent prosecution?

https://www.marketwatch.com/story/to-catch-a-thief-how-nasda...

You don't do it by selling TWTR one minute before the hack.

You use your brain a little. You prepare your positions months in advance, and hedge out market risks.

You can also use less regulated brokers in far away places and trade TWTR derivatives.

Ok but brokers aren't less regulated, exchanges are, and Twitter isn't traded on every exchange.
There are a couple offshore companies that let you buy/sell stocks with Bitcoin semi-anonymously. The problem is you can't short, so your attack has to result in pumping the stock: "Taking Twitter private at $420 a share".
If you want jail time, insurance fraud is probably a tad quicker.
This is currently on every news channel and the content was pure trolling, no politics or agenda besides pushing some Discord channel. So seems like a win to me.
The "hacker" called AT&T and conned the call center rep into swapping Jack's SIM. It's not like they exploited a buffer overflow on Twitter's authentication service or something. They aren't smart.
(comment deleted)
Hmmm what's stopping someone from hacking Trump's twitter account and announcing things that would swing the stock market?

"I am now placing sanctions on the Bank of China and PetroChina for North Korean oil sales" "I am now announcing Magnitsky sanctions on [insert Central Committee members here] for Xinjiang" "The whole country of China is now subject to technology sanctions" "I am now placing tariffs on German cars until Germany cancels Nord Stream" "I am banning US companies who source components from China from participating in federal contracts"

or even positive news like "Tomorrow, my great friend Xi Jinping and I will announce a wonderful deal with China that lifts all tariffs, solves IP issues, and lets our great economy invest in theirs and vice versa"

Instead of posting bullshit on @jack's timeline, what about "I'm thrilled to announce Twitter is being acquired by Amazon for $82 a share."
No point. All trades made can be reversed especially based on false news
This is a dumb question and want to qualify with my field is medicine, not technology: would one have the same username and password on the web facing side of a website as the backend of things (having access to servers or I have no idea what else one would do)? I have no idea how any of this works, but am curious if this would be the case.
Could you? Sure.

Would you? Not unless you were completely batshit insane.

How often does this happen?
I'm sure it happens plenty. people are unaware, forgetful and lazy.
Very frequently. Off the cuff, I'd estimate that 99% of not tech-savy users utilize the same password for everything, maybe with subtle variations according whatever service's requirements for a password.

Probably among tech savy people, the perecentage is lower, but still higher than it should be.

I myself, having been in IT for over 20 years, am guilty of this for non sensitive accounts. For significant accounts, they're randomly generated to the longest and highest degree a service allows. My gmail password, for instance is a 40 character random spread along their allowed characters. I cannot remember it.

It happens (a few times?) in this fun podcast: https://darknetdiaries.com/episode/45/

Admins at game companies used the same password for their remote access to their game company data as they did on some other compromised site, so attackers were able to easily break into the company.

Why would this make you batshit insane? Would a long enough password negate this or would you never want the login to be obscure?

I appreciate the answers here!

In general, you shouldn't ever reuse a password for multiple things, no matter how complex the password is (see https://xkcd.com/792/). If your password is leaked (which might not even be your fault), you don't want the attackers getting access to everything.

A large website is made up of many different complex, interconnected components, and it would be quite possible for an attacker to compromise a public account without gaining full control of the backend infrastructure is unaffected.

Is this interesting? Not a shit post question - do routine minor security breaches rise to the level of noteworthy these days?
It is karmic justice for yet another company that pushes SMS 2fa as "safe"
That was my first thought too -- it seems profound, although it's difficult to articulate why. It's not like high-profile individuals have special security protocols available to them. Just the same password/2FA like the rest of us proles.

On the other hand, it did make me consider that there are some accounts that could be compromised that would be very significant: Trump.

Although technically available to anyone, Google has an "advanced protection program" for highly targeted accounts. It has the follow (may have missed some) effects on your account:

* locked to 2fa with security keys * limiting the set of apps that can access account data * better scrutinized account reset - i assume this means it makes your account more resistant to phishing on Google employee's part.

https://landing.google.com/advancedprotection/

Its nice that Google apparently makes this available to anyone who is willing to buy the security keys. It would be nice if all major social media services had such a program.

Yeah. At this point, any identity provider that doesn't support FIDO u2f is either incompetent or negligent or both.
Not sure if this falls into the advanced protection for Google, but about a year or two ago, got a notification of a suspicious login from Moscow (I'm from the US and have never travelled out of North America). Promptly changed my password.
"there are some accounts that could be compromised that would be very significant"

Trump? I'm not really being facetious when I ask what difference it could possibly make. Of course, sometimes his tweets do appear to move the stock market, but still.

This isn't a "routine minor security breach".
Did all of Twitter get hacked, or did a single user get embarrassed?
I'd say influential figures (i.e. the CEO of the platform) having their accounts hacked and posting bomb threats is considered noteworthy...
It is. The consequences of hacking e.g. @RealDonaldTrump would be disastrous (especially if the adversary is a hostile nation state whose hackers are smart enough to make plausible, but damaging statements).
Would it, in that particular case? Don’t get me wrong, I agree with your general point (imagine a police department account tweeting a photo of someone while accusing them of a crime), but given the Tweets of his that people quote I get the impression that even if Trump’s account posts open declarations of war nobody would do anything?
Agreed. Trump's Twitter account is a bad example of things that people read that might have real world consequences.
https://www.mediaite.com/online/pentagon-reportedly-feared-t...

The official policy of the White House is that the President's tweets from @realDonaldTrump can be statements of the President in his official capacity, and therefore binding to the extent that any Presidential order or command can be. He has fired people, he has announced sweeping policy changes, made nominations, and so on through Twitter, which have then been acted on by the executive branch, Congress (which held appointment hearings for a SecDef before a formal nomination, but after a tweet), and the courts.

Of course that's the nod nod wink wink official policy - how could it be otherwise, and with any other president you would be wise to attach some weight to presidential tweets. But here's the only test you have to make: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first? Because if it's the latter, it doesn't really matter if Trump's account gets hacked.
I just gave examples:

1. of the executive branch by and through the US Department of Defense, among other examples

2. the legislative branch, by and through committee hearings and acceptance as fact of nominations not yet formally made, among other examples

3. and the judicial branch, by and through accepting as fact the arguments of the DOJ through the solicitor general that statements by the President via Twitter are "official statements of the President", among other examples

That's not wink wink, nod nod. That's just fact. The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.

> The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.

Sure, but pretty much everybody in the world accepts as fact that he uses it to issue random nonsense as well. Surely you don't need examples of this.

Which comes back to my question: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first?

He's used to to announce trade sanctions, with the tweets in question literally being cut and pasted together to form the official White house statement a few hours later.
@RealDonaldTrump is already disastrous without a hacker, no need for one now.
If someone got into Zuck's facebook account I'd be interested in knowing.
I'll be interested to see the post-mortem on this breach for sure.

As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) who'd they keep very close tabs on in terms of any unusual activity.

Realistically Twitter is where announcements are made by world leaders and major corporations, control of these accounts could have repercussions, although in this case it just seems to have been a general hack...

I think most of the suspicions so far have been pointing to a sim swapping attack.
Hopefully if that's the case, more attention will be paid to the fact that using mobile phones for 2FA or identification on high value services is a bad idea :)
Using phones is fine, using phone numbers is the problem. TOTP is great
Until the authenticator app which holds the TOTP secrets in clear text is on the same phone as you are using to access the website/app in question to start with. Then you'd probably be better off instead storing a token in the secure enclave in the app itself instead.
I don't understand why people do that. Your 2nd authentication factor should not be something relying on the same device that you're using.
It reduces the set of people who can access your account from "people with the password" to "people with the password and access to my phone."

It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.

TOTP is OK (probably would have been adequate for @jack).

U2F is "great".

TOTP can be phished, whereas U2F is virtually impossible to phish.

I don't think "keep very close tabs on" can prevent an attack on an account before it happens. All it can do is help clean up the damage quickly. Which is what happened here. The offending tweets were deleted in 10-15 minutes. That's a pretty good response time.

What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.

I'd agree that there are always trade offs however, you could do a number of things to detect an active attack, changes in user agent, location etc can be detected and flagged for review. Now that's not possible at scale, but for high value users,it would seem like a not outrageous countermeasure.
they've confirmed jack's SIM was hijacked. no amount of 3rd party API stuff canhelp there
Why can his password even be reset remotely, and not something done by other company employees (HR, etc)?

In an enterprise setting where people work in an office I don’t see the point of allowing self-service password resets. It opens you to huge risk for very little upside compared to having to physically walk into the office (if you aren’t there already) and have HR/line manager/etc do it for you.

i mean its easy to say after the fact but i guarantee you most CEOs dont think to do this until theyve been hacked.
It's the same idea though: they could turn off posting via SMS for high value accounts.
no once they pwn your number its a 2FA vector so they get full control
>where announcements are made by world leaders and major corporations, control of these accounts could have repercussions

That control should not be solely in Twitter's hands.

Those leaders and orgs need to take a strong look at authenticity via ActivityPub self-hosted on their own namespaces.

That's a view for sure, however it seems that some world leaders and corporations have decided that the trade offs are worth the risk...
Self-hosting and security don't necessarily go hand-in-hand. For laypeople, self-hosting is usually worse: they don't know what threats to protect against, and even if they knew what to protect against they wouldn't know how.

And Twitter is where the audience is.

By self-hosting I would propose the Gmail/G Suite model. Managed service but the organization controls users and the DNS.
That’s not usually known as “self hosting”
No but owning the namespace is important. It puts you, not Twitter, in the driver's seat.
Jack's account is self-hosted on a website he runs. It just happens to be Twitter dot com.
I believe they do keep close tabs on high profile accounts. I happened to notice it in my feed when the news hadn't broken out yet (took a couple of screenshots out of surprise too). The team quickly took all of it down as and when they were being posted. It lasted for about 10minutes or so. The hackers were adding mentions to other accounts which were immediately suspended by the folks at Twitter too.
Top of the list should be all presidents, starting with the US.
given his less than clear, very confused thinking, which also infected his company, this is no surprise, or even newsworthy.
The psychology behind what hackers say in these high-profile attacks is far more interesting than the account takeover itself.

Some of them say racist things or speak about Hitler because they know it will attract far more attention than say: posting a link to some shady website to spread malware.

Hmm, apparently the people behind this have been behind quite a few high profile Twitter account hacks recently. They also hacked the account of a gaming YouTuber called Etika, as well as others like Shane Dawson and James Charles:

https://knowyourmeme.com/memes/events/chuckling-squad-hacks

Wonder if the affected users all used the same system in the past?

These high-level Youtubers used 2Fac with their phones, which nowadays is easy to port (port their phone numbers to your SIM using social hacking).

Only if they (and jack) used a FIDO U2F key would they be really safe.

Does Twitter even permit that? If I recall correctly, it forces SMS 2FA.

In this case, Jack's account would've been compromised regardless because the tweets were sent via a third-party application that he had authorized to use his account.

Does anyone know anything about the service Jack was using called CloudHopper? The official website appears dead http://www.cloudhopper.com/
It was the provider that handled the SMS gateway for posting tweets through the 40404 short code. The prevailing theory is that his account was hijacked using SIM swapping, and the hijackers tweeted through SMS. Cloudhopper is still the name of the "twitter app" that gets attribution for tweets posted through SMS.
I got some more intel on this -> unlikely sim swapped, probably just number spoofing. The "quality" of the "hackers" indicates this is the work of skiddies rather than an actual hack.
Ahh, the old 90s "skiddies" trope. Aka "I wish I had thought of that first.
Indeed! Its a pity "rootshell" is gone, otherwise this would be a popular topic there lol.
Embarrassing but inconsequential
I can only imagine the possibilities if the president's account were hacked.
Fortunately the hackers always seem to speak like excited teenagers instead of impersonating the people they hack.
“speak like excited teenagers”

So does the president

I get more of a "grouchy geriatric in the early stages of dementia" vibe
Come on now, Uncle Joe may like little girls but he was very clear on that - he isn't going nuts
Well, he's already cheerfully posting photos of classified satellite Intel, so how bad can it be?
Would it really make a difference? That account is already unhinged, and few take it seriously.

It's like, we say it would be a big deal, but I think it has proven itself to not be, again and again. Precedents are being passed every day and in the end it hasn't been a scandal that sticks, catastrophe or anything..

Why do you say the account is unhinged and not taken seriously? Is this just your political bias showing?
I don't know how the account was compromised - but, I notice that Twitter's hardware U2F support is not designed to be very useable. They only allow one security key per account, whereas most users have multiple - one on the keychain, one left in the laptop, etc. So, I bet that high-risk accounts like Jack are not even using this enhanced security mode because of its poor user experience.

Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it useable: https://landing.google.com/advancedprotection/

(comment deleted)
I use U2F everywhere and can tell you that Twitter's usability with U2F is really poor. Can't remember why I stopped using U2F on twitter, but it's probably because of that fact that I couldn't use multiple keys.
Twitter and Google are on completely different planes when it comes to what data and access they have to protect.
And? If you want your company to avoid becoming a headline, you need the best security you can afford.
That's true. One is the President's principle mechanism of speaking with the American public and firing top officials.
If Trump's account got hacked it could quite literally result in the death of millions.
(comment deleted)
More likely is that some Russian or Chinese hackers would make statements that tank the stock market. While setting up some short positions immediately prior.
The funny part about this is that if we are to believe Trump is a Manchurian candidate, they already did this with the trade war.
If Trump’s account gets hacked it will be difficult to tell the difference between his normal incoherent ranting.
I’m just curious how you imagine this happening. @realdonaldtrump tweeting “I HEREBY ORDER...” is not a legally binding order. Launching nuclear missiles or whatever requires authentication codes and can only be ordered via a portable radio alongside a series of codebooks, all of which is carried by a military aide who is always near the President. Another country isn’t going to start a war based on some weird tweets. It’s an extremely unlikely and weird risk.
A well crafted message that inflames followers to riot...

I'm the kind of person who, for example, doubted the Covington Kids story from the beginning. By which I mean I'm not particularly alarmist about a putative vast right-wing catastrophe taking place. But any popular leader (and he's very popular among the people he's popular with) can start incidents like that by accident.

You mean like accusing people of treason? (punishable by death) He’s already done that from his account. To my knowledge Comey hasn’t been lynched.
This is true. Trump is so loud the whole time that it's hard to take him very seriously, even for his supporters.
Ok but what “riot” in human history has killed MILLIONS of people? The Rwandan genocide was pretty close, except the groundwork for inciting it was laid over the course of months via state radio and they imported machetes into the country before the message was sent to “cut down the tall trees”. A compromised Twitter account isn’t going to do it.
His tweets regularly have material impact on the markets.
But how would that kill millions of people? There’s a super indirect chain of events there.
Imagine triggering a global depression.

Imagine what effect that would have on already-pressured populations across the globe.

If North Korea did have a means of delivering nukes with ICBMs, and this previous type of thing: https://twitter.com/realdonaldtrump/status/94835555702242099...

had escalated more, I don't think it's too far-fetched to imagine an unstable dictator sending off a nuke after being goaded on twitter.

I think it's within the realms of possibility at the very least, although very unlikely (mostly because NK hasn't got a decent delivery system, their nukes aren't very advanced/portable yet and Kim Jong Un's probably not too keen for NK to be destroyed in retaliation).

Given Trump's recent tweet of the spy satellite image, and the apparent taunting of Iran, it's also possible that type of thing could be responsible for triggering future terrorist attacks (although obviously that's not millions of people).

Terrorists and rogue dictators are often described as "unstable" or "irrational", but they tend to be rational within certain boundaries. For example, if you actually believe the nonsense about an afterlife filled with dozens of virgin concubines, suicide bombing becomes a rational decision, aside from being motivated by an irrational belief. Likewise, Kim's strategy follows the basic form of hostage-taking. If Kim actually "sent off a nuke", he would lose much of his leverage, just as a hostage taker loses leverage as soon as he starts killing hostages.
Yeah. On Twitter you can potentially impersonate the President and cause weeks/months of political chaos by calling someone the N-word or something similar.
This raises an interesting question. Such an attacker would need to craft a tweet with the following constraints:

* Plausible so that people do not believe it is a compromise

* Offensive enough to cause action

* Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.

This is probably harder than it seems at first glance.

> This raises an interesting question. Such an attacker would need to craft a tweet with the following constraints:

> * Plausible so that people do not believe it is a compromise

> * Offensive enough to cause action

> * Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.

> This is probably harder than it seems at first glance.

Is the third bullet even a thing after the whole Greenland debacle? Before then I had already thought I'd heard it all.

"DOUBLEING TARIFFS ON ALL CHINESE IMPORTS TMRW!!!"
"I am now reviewing papers to double the tariffs against China. I will win this trade war no matter what."
Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.

You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."

Apropos of nothing, here's an interesting interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein...

> Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.

> You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."

> Apropos of nothing, here's an interesting interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein....

I may be dense but it was not clear to me what the point in linking to the votesmart site was? Is it the change between pro/against for patriot act?

> collect lewd photos of him from his phone and post them on his Twitter repeatedly

He's suggesting that anthony weiner was "framed" by some 3-letter agency.

Is it worth considering advanced protection as a normal person? Would it make life a pain in the butt?