I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
Some suggested the admin panel can initiate a password reset, and that, coupled with email management would allow account takeover, effectively (without allowing 'tweet as user' functionality).
All the hacked accounts seem to have had the associated email changed. I think the attack goes admin panel -> change email -> reset PW -> tweet bitcoin scams.
if this were true, youd think itd be trivial to review changelog for two affected users and deactivate the in-common admin account. not sure why this would take hours to solve.
Given the number of accounts that were taken over, there must have been many people conducting the hack. Also considering that tweets were being deleted then re-tweeted, others must have been monitoring the tweets. Seems somewhat well coordinated.
The feature wouldn't be tweeting per-se but acting on behalf of the user, which can prove useful for support or debugging. The side-effect is that obviously it also allows tweeting if you wanted to.
It's painful (although I suppose all airgap solutions are) but remote access protocols like RDP or SSH tunneling to a jump host which has access to the administration portal is one common(?) solution.
That's only safer from attacks that bypass the public admin portal authentication. Any social engineering attack that steals credentials directly won't be impacted.
It’s another layer of defense. Someone has to not only know your credentials but also know how to use them to get to the jump host, and from the jump host know what to do next (although unless it’s ephemeral, there are probably enough bread crumbs to find the proper url).
I don't know... I've seen a lot of forums that just put a login form in /admin and I just kind of assumed a site like Twitter would use a VPN or ssh or a custom app with its own secret sauce protocol or something... better than I could have whipped up in my PHP monkey days.
IP restrict the admin console at the application or (better) firewall layer. This means you need to VPN in to use it offsite. Put MFA on your VPN. None of this will save you from a malicious internal actor.
What part of it's administration? For example, if it's a windows machine, you control it (or it's AD PDC) with a PAW (privileged access workstation), which has to connect from a specific interface, which is not on the internet (that is, you connect via a hard line, usually via a pair of dedicated encryption devices over a point to point telco link, like ISDN/MPLS etc).
If you mean "log onto the machine and change the config" then it isn't really an air gap anymore. Usually it's a group of VMs, you change the image master (via Chef, docker etc) and boot a new instance. Ideally it's architected so most admin tasks go through an API, with auth, access control, logging, change control, etc. If you have a standardised message bus for your API you can used a Trusted Guard, aka CDS, which is a carefully designed (for high assurance, formally verified) protocol inspector designed to only allow correct protocol messages to transit. If the guard and it's ruleset pass independent analysis it is considered airgap equivalent under govt rules.
>A little over ten years ago: Twitter settled with the FTC as a result of an internal tools breach. Their internal tooling was available directly over the web and accessed through an employee account protected by the password "happiness"
Please stop posting unsubstantive and/or flamebait comments. It's not what this site is for, it destroys what it is for, and we ban account that do it.
At least the GP comment contained actual information, however little.
Practically every "trending" algorithm involves some degree of manual tweaking. Otherwise, they end up prone to identifying uninteresting trends (like the current day of the week, or other time-sensitive trends like "lunch" showing up around local noon), or are easily manipulated by groups of users.
Besides, one of the features of Twitter's Trends is a prose description of what the keyword references -- there's no way that could be generated automatically.
If the screenshot is real, I'm pretty sure that Scott Adams (the cartoonist) has that Search Blacklist button applied to him. I recently tried to search for users with his name, and he wouldn't appear at all (while unverified names with 0 followers would show up).
I was surprised because I searched for users with the name "Scott Adams" and it was promoting users with 0 followers and not showing his verified account at all. This was through Tweetbot iOS.
A user called '@viennacat921' joined in August 2019 with 0 tweets and is shown in the screenshot. '@b' is pernamently suspended and '@arceus' is protected and locked with all of this being reflected in the admin dashboard.
Because filtering trends and search is not the same as banning accounts. These are unique features that affect all users, not just the ones who misbehave.
The worst part is the racist use of the word black to describe a list of things to be excluded. Twitter should really use the less offensive term 'shitlist.'
Twitter is removing those because it's of their own internal backend, not because they're necessarily connected to the hack. Huge leap from Mboard on this
Why would a screenshot of their tools warrant a content takedown? People have posted far worse things that have been allowed to stay up. It's not like there's any personal information visible in the screenshots.
This was my first thought as well. It must have been an oversight on someone’s part. Maybe infrastructure changes due to the shift to work remotely made it possible to access.
I don't know about twitter, but a lot of companies are trying to drop VPNs entirely going no-vpn/boyond-corp/"zero trust", so it's not terribly surprising to me.
How would a VPN help in this case though? They social-engineered some employees to gain privileged access to the admin UI. If a VPN was in the way they'd do the same thing to get access to the VPN first.
I've seen some solutions where the VPN only works on the company machine. In this case, the social engineered employee would at least have to hand over their laptop.
That's indeed often the case, how it works is that the machine itself has a client certificate it uses to authenticate with the VPN.
There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.
Furthermore depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).
> Hawley said "please reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands
It's kind of bizarre when you have the highest levels of government doing their critical communication on a free social media service to the point where they are critically dependent on it, then begging for support when things go wrong.
Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
"Maybe government should embrace popular communication media instead of spending billions on custom IT infrastructure to post a message on a custom page that everyone screenshots and copies to their timeline anyway."
(Also if they don't create an "official account", someone else will do it for them)
They don't have to convince any verifier. They don't have to be verified. If there's no official account and you create an account with a reasonable name, reposting every post from the official feed, you can get significant following. A lot of the followers will not care whether it's official or not and may not question an extra information appearing on the feed one day.
> Also if they don't create an "official account", someone else will do it for them
Yes, but this account will still not have the same legitimacy. Right now, if Trump tweeted a declaration of war, it would have been reasonable to assume that it was real, because, for all we know, it's an official channel. Previously at lot of people would've at least checked back with the official channel before taking it for granted.
And, to make matters worse, having Twitter as an official channel now gives everyone at Twitter the possibility to make official announcements - hardly a good state of affairs.
The government could put it's decisions and publications on a website, official, verified, more or less controlled by them. There's no reason that has to be done with consultant scams - oppositely, posting on Twitter doesn't guarantee consultants aren't raking in money for adding or removing periods or whatever.
I don't know, it'd probably take 18F like a month to add a page to whitehouse.gov called "Things the President said", add 2FA and whatever else it needs to be installed on his government phone, and a little bot that listens for whenever he writes something on there and tweets it on Twitter. Then you have a source of truth that we know wasn't modified between the government and the reader, and it doesn't break the social following.
But I guess its easier to just complain about Twitter.
The FBI is very commonly involved in cyber crimes and the other departments have a role to play as well. Calling the FBI during a major security incident is not unusual at all, I’ve done it a number of times.
In the early days of the internet the FBI was kind enough to call my employer and inform us that we had left open an anonymous FTP server, and it was serving up Disney movies. Those were good times.
>Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
But we hate it when governments spend money on things. And no one would trust a word that came from any service the government controlled or regulated.
If the goal is to simply publish statements, the press already exists for that. The value of a platform like Twitter is in the network and communication. Twitter already has politicians and official accounts from around the world, and millions of users. I don't know how a particular state-owned platform could replicate that... and let's not get into the technical acumen that government contracts lead to. Remember the debacle that was the Obamacare website right after launch.
And on top of all of that, people will still complain that their tax dollars are being used rather than existing public platforms (Twitter, Facebook, etc.) Whichever administration puts it up, the next administration of the opposing party will call it waste and propaganda and burn it down.
An RSS feed is not expensive. As one example it'd be great to have RSS feeds for e.g. the US Forest Service or Bureau of Land Management about camping/hiking conditions, wildfires, etc.
Let's not forget the ongoing breach is being used to con people. Maybe that was the representative's concern.
> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
What are you referring to exactly? I thought the govt had their own IT and websites across the board, and only used things like twitter to aid in communicating to the public.
> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
No, I think they should use best-in-class media and Twitter is exemplary for that. Twitter is only dangerous for this because it is very effective at being a communication medium.
Yeah no one is going to fall for the 5th ColdFusion site with an admin backend left open on sqolkla7.info.gov.us/press-releases but that's because no one is reading that site.
According to some images, Twitter low level employees can see email address of all accounts (and I guess phone numbers). I know some celebrities have their real email address and phone numbers on those accounts. Isn't that something bad?
In this thread some people shared screenshots of the dashboards. I said low-level because some reports said that the hacker paid 2k to the employee to have access. I dont think a high-level employee would sell the credentials for that amount of money.
Although I could be wrong if the reports are wrong too.
The management of individual accounts is generally performed by low-level employees at companies like this. It's operational work that is thought to scale poorly and the costs of it are looked upon unfavorably by public market investors. Hence, there is constant pressure to push it to as low of a level as possible.
Perhaps a higher tier of user support personnel handles verified accounts (or accounts somehow flagged for extra review in a non-public fashion), but I'd still be surprised if anyone particularly high-level is doing the grunt work of using this tool.
Having access to some is not the same as having access to all. Rate limiting , or restricting to ones I am managing and approval processes are pretty easy . It does not like Twitter is doing any of that .
Which shows that Twitter probably doesn't properly employ 2FA and two-person-principle when dealing with high-profile accounts. Otherwise, social engineering would have been almost impossible.
The mechanism isn't relevant because the admin tool has a reset function. It is needed of course, because people loose their phones, keys and whatnot. No security mechanism is safe against an administrative reset for services like Twatter.
SMS is seen as less safe because the transport layer is not encrypted. But there isn't much difference in the practical security of the average user.
> SMS is seen as less safe because the transport layer is not encrypted.
Lack of encryption is only part of the problem. Lack of proper authentication is more important. Mobile networks are vulnerable to SS7 redirects, SIM-Jacking and plain old social engineering.
The 2FA reset function is also a part of doing 2FA properly. Your reset needs to be at least as secure as the regular 2FA flow. Meaning that "just phoning support" isn't an option. Yes, resets will be cumbersome and might involve stuff like physical presence, showing a government ID and maybe being vouched for by a third party. Most companies fail badly at this.
That and many users wouldn't do that for online accounts. Blue checkmarks are the exception while ignoring conventional internet wisdom... which came at a steep price.
Edit to the topic: As I said, the transport layer of SMS isn't safe, but I don't think it has practical merit. How often were SMS redirected or spied upon? In high profile cases? Even that would be difficult to determine, but the occurrence is probably very low.
And for a twitter account? Seriously? Depends on the account but assessment of threats is the first step of an honest security review. My reddit pwd has been 'reddit' for years. That wouldn't fly if I were Madonna and if I had any attachment to it.
It's way harder to get a device stolen, and impossible to have a trojan installed, even simple apps can read sms. If the device has a 5-6 digit pin on top being stolen, it would require the pin.
>"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. …
In the screenshots of the admin panel, it looks like they have blacklists of things that shouldn't show up in searches or on trending. It's not clear if it's accounts, or some other criteria that's blacklisted though.
The account tagged with "trends blacklist" and "search blacklist" was also tagged with "compromised", which suggests that the account was known to be hacked by a malicious actor so it was set to not show up in discovery flows to stop attackers from exploiting it for visibility.
Does confirm past claims that they shadowban accounts (which does hide them from search, among other things) at the very least, even if the exact criteria are unknown.
>We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
I wonder the size of the population of employees that have access to these internal tools. How many people can independently fire off a Tweet from Jeff Bezos or Elon Musk and erase billions from the stock market? How many people can seize the account of Joe Biden (or presumably Donald Trump) and cause a huge international incident?
Accounts of the employees. There was a statements somewhere else, that this might be close to the token system. Token have a validity which expires in hours.
All assumptions on my behalf bit it explains your question.
RE: social engineering, as long as a human is involved somewhere, the system can be compromised. IT security is a very depressing field because of this fact.
I also hope these incidents remind people of how little control you really have over your online identity. We're all just IDs in a database somewhere, waiting to be impersonated.
Decentralization is the only solution for this IMO.
Honest question, how do I recover a lost identity?
The reason why this attack worked is primarily because of a recovery system. I agree this is a significant vector, but I can't see how decentralized solves this?
At the moment with blockchain wallets, once you've lost your private key, you're screwed. There is no recovery.
So, I'm all for decentralized but if it is truly my identity, I need a way back if I lose it. Not sure how to solve that vector even in a decentralized case.
Do I need to upload my identity to specific 'verifiers'?
You need to stop thinking identity singular, and identity as valuable. Have many and treat them as disposable. Of course you can't do this on the 2020 web that consists of four websites filled with screenshots of each other, but that's just one of the many reasons to burn those websites to the ground and resist any attempts to remake them. And it turns out your parents were right about not using your real name on the Internet. Social media and their consequences have been a disaster for the human race.
But that's not really identity then right? That just becomes my hnews/reddit username that's unverified.
I read @elonmusk because I trust it's him and I'm interested in what he says. Personally, I genuinely like Starship + Starlink updates... I ignore most the other stuff. But still, I want to see those awesome rocket tweets!
So, I want to know what he says.
He can change his username because it got hacked/whatever... but then I personally have to see what he changed it to... how do I know that he is the one who changed it? how do i know it's not some rando dude impersonating him?
Your hnews username is an identity. A small, weak, and reasonably disposable one, that you can have many of. Why do you want to use your God damn real name on the Internet unless you are a public person already? What do you have to gain? Hate mail, Death threats and calls for your firing? I've always wanted more of those. You do not WANT to be verified. Verified is a euphemism for doxxed.
You could trust it was Elon because it's published on his own website instead of on the worst thing to happen to human communication since writing was invented (I.e., Twitter)
For other cases we can evaluate merit based on previous performance and character of published material instead of "identity". I do not care who is behind a pseudonymous blog if the blog is good.
The most natural solution for most people is to give shards of your key to various friends/family that you trust not to collude and reconstitute your key (or be socially engineered -- make them talk with you on video chat or something). Require 5 out of the 9 shards to reconstitute it.
Obviously you can scale up your security according to the value of your account and your threat model.
That's a great method for preventing loss as opposed to allowing recovery.
We need to keep the conversation in recovery because eventually it'll happen. Your 5/9 people could have n+1 unwilling parties where n is the losable amount.
It is unrealistic to say it will _never_ happen.
When my identity is lost... is it lost for good? how do i recover?
If it's lost for good, and i make a new 'identity' then what is my 'identity'... is it just... my reddit username?
Often, what people think is "good customer service" really means "allowing me to socially engineer you".
I don't think there is any solution to this. "Decentralization" in this context seems equivalent to a centralized system that simply gives up on any ability to recover accounts. Whoever owns the authentication details of an account is the owner, period. If you lose the password or the account gets hacked and stolen from you, tough shit. Start a new account.
I think the real solution is that social media should simply be valued lower. No one should care if their Twitter account gets hacked. The fact that politicians and important people use it in an official capacity is the problem that needs fixing.
I don't think a replacement is needed. If your communication is important to a lot of people, it shouldn't be just immediately jammed into 280 characters using your thumbs while sitting on the toilet or whatever.
Post it on congress.gov using some inefficient boring process or whatever the official communication method of your role is.
Pass regulation that puts in a place a federated messaging infrastructure, so that Twitter users can subscribe to messaging from Government official that sends out messages via an external system.
My father recently had an issue getting into his Southwest Airlines account so he called customer service. All he had to do was give them the email address attached to the account, and they read off a temporary password that he entered to get logged in.
As far as I’m aware they didn’t even make him create a new one and he thought everything was totally fine.
It was the moment where I realized I want nothing to do with IT Management/Security in the future and am actively working to distance myself from that aspect.
The Vice article (https://news.ycombinator.com/item?id=23853786) was recently updated with a note that the Twitter insider was paid to help take over the accounts, which raises further questions on the nature of "social engineering":
> we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment
This makes a lot more sense. I can't imagine Twitter isn't using some sort of phsyical 2FA like yubikeys which are virtually Phish proof if implemented well.
That being said, what was the employee's endgame here?
Sometimes people behave very irrationally. In the most sensational cases that manifests as violence, but I think it might also manifest as acts of sabotage.
Especially if the real motivation is not the BTC scam, but the access to who knows how many DMs for possibly blackmail/propaganda down the line. (And not necessarily just DMs from the known compromised accounts, either.)
If true, then what Twitter officially posted makes more sense.
Without this bit of information from Vice it would make what Twitter officially posted downright scary and not add any comfort factor to what the heck is really going on.
This makes things sound even fishier. I think there has to be something else going on we don't yet know about. The amount of money this scam will actually earn the hacker is tiny compared to the potential of this hack and yet they still have enough money left over to bribe a presumably highly paid Twitter employee? Or maybe the Twitter employee is a low paid person which leads back to a question I raised elsewhere in this thread[1], how many people at Twitter have the power to take over these accounts unsupervised? Whatever the number is, this hack is probably an indication that it is too high.
The most logical conclusion is that this probably wasn't about money. Plenty of better ways to make money than telling people to give you BTC. I'm expecting a huge data drop on wikileaks/pastebin/wherever of private DMs, images, who knows what else.
Plus there was no way they knew beforehand they'd only make 12BTC. People always overestimate the value of twitter and conversion rates when an actual action is required - even with targeted audiences like cryptocurrency people in this case.
People seem to assume everyone takes tweets at face value and won't do a double take when it doesn't sound like something they would normally say.
Even here there was plenty of people on HN who were claiming outlandish possibilities while it was happening.
I can't help but make the obvious observation here. It's bitcoin... The space has a prior for people who are willing to rush head first into something they don't understand in order to attempt to make a quick buck. I'm surprised it was only 12 BTC.
But there's also a precedent of scams like this being posted on twitter, esp. from accounts impersonating e.g. Elon Musk. Just because it's tweeted by an official account doesn't suddenly make it less scammy - sure some people clearly fell for it, but I reckon most people using twitter with an interest in cryptocurrency would immediately recognise these tweets as a scam, regardless of the source
Not really, when you factor in inflation, unless you're planning on living in abject poverty your whole life or not planning on living very long.
e.g., Vietnam is a livable place and GDP per capita is ~$2600. That'd get you a very modest living. GDP/capita is also up 2x from 10 years ago and 10x from 20 years ago. You could maybe squeak out 20 years with very modest living and few unplanned expenses and assuming the economy and thus cost of living doesn't grow tremendously (like it likely will).
Somalia would give you a little more value for your money. But I think if someone suddenly had that much money in Somalia, they'd probably be getting out of Somalia or hoping nobody found out.
$110k for the rest of your life? $500/month for 18 years? That wouldn’t cover health insurance plus rent (even though I’m sharing rent with a partner) here in Berlin, and Berlin is cheap compared to the UK or the bits of the USA I’ve visited.
I am struggling to think of any better system than BTC.
Almost anything else I can think of would require either (a) substansal amount of starting cash (for example trying to crash Tesla's stock price), or (b) be almost impossible to pull off without getting caught (blackmail, or again stock manipulation if you do it in a big enough way to make some decent money).
In terms of risk/reward, assuming someone found some easy trick and wanted to cash out ASAP, this feels like the best option.
I don’t think it would take very much starting cash at all to make money off a Tesla crash. Options can be pretty cheap for moonshots.
Alternatively, is it possible they bought options on twitter itself? It’s down 4% in after-hours (which is less than I expected, but still enough delta to make some cash).
Lots of uncertainty, but I could see it being relatively mundane.
It wouldn't surprise me if a lot of Twitter support people had access to these tools and that they often worked with larger (more valuable) accounts.
It also wouldn't surprise me if some employee had a bad 1:1 and then responded to a spear fish just because they were disgruntled. To take payment for it is particularly stupid.
Of course, could also be something more serious - but if it's really just the BTC piece and the people are dumb enough to talk to the press, it may not be a group of criminal masterminds.
I hope for the employee's sake they have communication that can help the feds catch the BTC group. Either way, an incredibly stupid thing to do on their part and I don't see a good ending for them.
If this turns out to be true, they'd be lucky not to go to prison.
It seems to generally be a crime to access a computer system you aren't supposed to, regardless of how you came by the login info (phishing, guessing passwords, etc).
I'm no lawyer either, but I imagine that the definition of authorisation is key here.
If you're a sysadmin on a company email system, then you do technically have access to everyone's data on that system.
However, you're generally limited by company policy that you are not permitted to access/modify that data without direct authorisation, say from the employee themselves or from HR.
So, therefore, if you go and read the email of your boss, you're still in breach because you didn't have the authorisation.
It would surprise me if a lot of Twitter support people had access to tools that allowed them to post tweets as another user. That's not functionality that should be available to a Twitter support person.
People's accounts get hacked all the time. To help them recover is often a manual process, because the true owner of the account can become unclear. To be able to do that a support worker must be able to change the email address on an account, undo 2FA settings and make other changes because hackers will typically change the email address and add 2FA of their own phone as the first step in an account takeover.
They way I understand it based on the article is that they were only able to change the email address, then used that to reset the password and log in.
Having worked at large tech companies - it would not surprise me at all if many did. ...at least through unofficial channels or not-entirely-secure processes.
Weird that they didn't require any MFA from a second support // Admin account when dealing with account security settings for prominent accounts. That's not that hard to set up and makes these sort of things harder to pull off. Not to mention severe rate limitation on internal accounts. How many prominent accounts does one support person need to reset password or email per day? Not that many, I'd wager.
Imagine the potential damage if an attacker tweeted something on behalf of the US President (let's say Biden in 2022), that China or Iran or Russia ships could be sunk at any moment if they didn't withdraw (due to some ongoing real incident)... The other side might fire on US ships before the tweet could be corrected.
As you say, it would probably not work on foreign governments, but would be very effective on the general population. They could have used that to cause political turmoil (hopefully not enough to change something like elections results?) or influence stock prices etc. This just looks so uninspired...
The CFAA makes it a federal crime to access a computer in excess of authorization. The employee was unlikely to be authorized to use Twitter's customers' accounts to collect money from their followers, so it sounds like an open and shut case.
I know HN doesn't believe in laws, but the rest of the world does, and they're the ones with prosecutors.
But surely they didn't access the system and post these messages themselves.
They could argue, with the advent of remote working getting more and more predominant, that they simply left their computer unattended for a second while logged in.
Beyond that, they could argue they simply clicked on a link and something might have happened they aren't aware of. Or that they didn't know what running that one executable would do.
They don’t sound like a criminal mastermind, it’s very likely they left some trace either locally or in Twitter’s system that will contradict that story.
The most reasonable explanation might be that they’re lying to sound cool. Bribery is a thing, but any twitter employee would know that their employment (and future career prospects) would be terminated.
On the other hand, $1M in BTC might do the trick. Interesting thought experiment...
There’s bribery but I think blackmail is even likelier. This is such a huge breach that no one should think they could get away with leaking their credentials or opening a backdoor. Plus Twitter employees are really well paid. Now some life-ruining online behavior material is another type of a motivator.
You're thinking of an engineer, not a low paid worker in the tech company equivalent of a call center working on repetitive tasks for low pay in India or some other country where labor is cheap.
And you're also making the assumption that the accomplice thought about it rationally. All the attacker has to do is find someone who doesn't realize that they will get caught.
If they wanted to get as much money as possible without being caught what else could they have done?
If that was the case they could only deal with bitcoin. Blackmailing with bitcoin may be smarter but maybe they figured that would be investigated more or treated more harshly? They could have released fake financial tweets and shorted the market - but that still would be investigated much faster.
I'm sure the 100k or whatever they got isn't as much as it could be - but for a random dude who paid 10k to a disgruntled employee it is pretty good.
Buy shares in a small publicly traded company. Pump/dump shares. One tweet from musk stating he was adding such and such to all Teslas would send the target company through the roof.
The post you're replying to is suggesting that manipulating the market like that draws the attention of some very powerful organizations. It'll likely be investigated swiftly and they'll come down on you harshly when compared to the consequences of some Bitcoin scamming.
US federal agencies actually investigate market activity around big events like 9/11. Very likely to be caught doing that unless you have some way of shuffling money in and out of the market anonymously.
Though I was the one who suggested this would be easily catchable - Tesla is probably the one company where you could get away with this. There is no shortage of random Robin Hood users making pretty big plays on it constantly.
Geez every poster is assuming that the hackers knew they would only get 12BTC.
In their minds, they are thinking at least 200 Million followers at least 10% success rate. So 2 Million in BTC or several millions of untraceable wealth.
BTC hackers aren't exactly known for smartness in other areas
Is this really true though? If you ramp up multiple short positions under a few weeks from a lot of different accounts, how would you tell? I'm assuming TWTR is a pretty busy stock.
To be honest, there's a study out there that says the average employee will their out their employer for $500... I wonder what the skew would be on tech companies.... 10k? 30k?
Here[0] are the supposed pics of the admin panel the hackers accessed. Assuming their legit, it seems like Twitter has some blacklist features. Can't find any info detailing how they exactly work, but it seems an admin can blacklist a user from the trending page or from search results. Pretty interesting.
Oddly enough, posting the screenshots resulted in some users getting their account suspended or Twitter pulling the picture down.
This could end up being a big deal in the days to come if legitimate. Twitter has made strong public statements that they don't have shadow banning tools[0].
Apparently sworn statements have been made about this.
To be fair, the linked article states that they do not shadow ban, not that they don’t have the capability/tools to shadow ban.
Also what do people consider as a shadow ban?
- Removing the tweets from people’s feeds, and only showing them if you browse/go to the offending users profile ? (Personally I don’t think this counts as a shadow ban)
- The offending user is the only person who can see their tweets, even if other users look at their profile (This is shadow banning imo)
> You are always able to see the tweets from accounts you follow (although you may have to do more work to find them, like go directly to their profile).
This doesn't seem to contradict what's shown in the screenshot (which only shows blocking from the search and trends page).
I'm sure they've publicly spoken about also having search and trending blacklisting, I've heard about it before. So these statements are not incompatible.
authentication cannot be protected against rouge actors, but such broad write access and no approval over so many rapid writes to customer data which is supposed to be tamper proof is just poor opsec.
Such social media platforms have to be tamper proof even from the CTO, the reddit incident proved that years ago.
This is going to hurt their credibility hard in the run up to the election.
The tool in question is likely used by low level support/abuse control workers. The huge pressure put on social media firms by liberals in recent years to crack down on "abuse", "hate" etc means they need a vast army of people to review complaints about harassment, "fake news", account hijacking etc. Those employees aren't all sitting in expensive San Francisco on a corp VPN, are they? They're probably going to be in places like India.
From the mention of BeyondCorp, it feels like there are a lot of Googlers in this thread who aren't really familiar with how Google handled the same problem, or at least, used to. For example back when Orkut was big there were huge numbers of people in Brazil who had the power to censor content, ban users, handle victims of phishing and so on. It was the only way to scale the moderation users and governments there demanded.
An ideal user admin tool is very fine grained. But once account hijacking entered the picture, it gets hard to truly restrict takeover permissions to a tiny number of people, because accounts are constantly being taken over by third parties and need to be reset back to the true owner via manual intervention. Attempts to automatically handle that are very hard, I know from experience. Hackers like to abuse any system put in place to stop them taking over accounts (like 2FA) to stop the true owner taking it back once captured.
The term "social engineering hack" is doubtful.
This is the social engineering hack: "I am very important Twitter board member, give me an access to the internal tool."
To gain access by bribe, coerce or persuade the frustrated low paid worker is not.
There's always someone, usually many people, with abilities like this for any service that's automated enough. Even for banks, as much as they might try to separate portions and mitigate access. The solution is not making it impossible, it's making it easy to find out if it was done and being very careful who you put in those roles. That's just the nature of the world.
I find it hard to believe this was a Social Engineering based attack. Elon Musk’s account was accessed multiple times after their tweets being deleted and it seemed to last forever, account by account being taken over.
The account was fully hijacked, email and password changed, 2FA was disabled. At that point the account basically belonged to someone else. I don’t think they realized the scope and angle of the attack.
They spent an hour or two deleting tweets on Elon Musk's account, with new tweets appearing soon after. So it seemed like they were aware of his account being compromised but did not immediately [successfully] lock his account.
It’s possible they didn’t understand the scope of the issue for a good amount of time. Elon’s account was the first to drop and was famous in the past for being faked for crypto scams. It’s entirely possible that they assumed it was a single account hijack and avoided notifying the correct people until it was too late. They might not have realized that the account info was changed as well until it was too late.
If it’s really a social engineering attack then I think it happened because everyone is working remotely and it is easier to perform social engineering attacks. Maybe this incident will have impact on their long term remote work plans.
I dunno why you're getting downvoted. I think this idea makes some sense.
If you're doing something shady to your employer, it seems to me that it would feel a lot safer to do so while working from your home office by yourself then when sitting right in the middle of an office pod with other coworkers.
I agree, also remote employees might not have the same layers of security as they do if they were in the office. For example, there could be a firewall that blocks malicious code at the office or someone is logging into the VPN on their home computer that is infected with malware.
I wouldn't be too surprised to learn that some people that are working from home are actually working from a coffee shop (in countries where they have re-opened obviously) or other public places with little to none protection against social engineering attack.
Absolutely amazing. A friend and I just tested this and it's true. It makes me think this is a little more than the "rogue employee" story they're peddling.
Seems like a huge liability. They are still disseminating these messages under the identities of major public figures, 8 hours after they became aware of it.
Heh. One response I just saw complained about Trump using Twitter, since a hacker could take over his account and say anything.
Thankfully, the only good thing about Trump's complete descent into batshit insanity, and our apparent acceptance of it as a country, is that he could tweet literally anything and no one would react.
Maybe in his first year as president? But now he could tweet that he was planning on a preemptive nuclear strike against Antifa headquarters in Antarctica and we'd all wait for the White House communications office to issue a correction about what he really meant.
Anyone else unimpressed with Twitter's U2F/FIDO token support?
They support a total of 1 (one) U2F token on an account :( The only other company I know that does that is AWS and one U2F token. Every other site I use allows multiples, usually at least 5 or more.
I setup U2F on Twitter but then got rid of it after realizing they only allow one.
AWS has a simple workaround though as you can create as many users as you want, each with its own unique token. Combined with roles it’s straightforward to set up a backup user / device.
It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.
> It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.
I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.
One one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.
> if they didn't validate the damn key type then it would probably just work out of the box
That thought makes it so much for frustrating. ed25519 is the future anyway, it’s hilarious how many cling to RSA (I’ve got nothing against RSA but at some point we’ll have to switch anyway)
476 comments
[ 4.8 ms ] story [ 180 ms ] threadAlso, if you search for the source for one of the images (mentioned in the article), you can find this tweet: https://twitter.com/UnderTheBreach/status/128349929454113177... which says the recent hacks were done through that tool.
https://imgur.com/a/2sqjNUo
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
https://twitter.com/sniko_/status/1283485972286656517
My experience with internal tooling in general suggests otherwise.
But I'm surprised it's still a thing.
If you mean "log onto the machine and change the config" then it isn't really an air gap anymore. Usually it's a group of VMs, you change the image master (via Chef, docker etc) and boot a new instance. Ideally it's architected so most admin tasks go through an API, with auth, access control, logging, change control, etc. If you have a standardised message bus for your API you can used a Trusted Guard, aka CDS, which is a carefully designed (for high assurance, formally verified) protocol inspector designed to only allow correct protocol messages to transit. If the guard and it's ruleset pass independent analysis it is considered airgap equivalent under govt rules.
https://twitter.com/Magoo/status/1283520203679133696
At least the GP comment contained actual information, however little.
Actively overriding what's really trending with what they prefer to trend.
Assuming this leak is real.
Besides, one of the features of Twitter's Trends is a prose description of what the keyword references -- there's no way that could be generated automatically.
Had to go through DuckDuckGo to find his handle.
I was surprised because I searched for users with the name "Scott Adams" and it was promoting users with 0 followers and not showing his verified account at all. This was through Tweetbot iOS.
This leak seems to be legit.
There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.
Furthermore depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).
It's kind of bizarre when you have the highest levels of government doing their critical communication on a free social media service to the point where they are critically dependent on it, then begging for support when things go wrong.
Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
"Maybe government should embrace popular communication media instead of spending billions on custom IT infrastructure to post a message on a custom page that everyone screenshots and copies to their timeline anyway."
(Also if they don't create an "official account", someone else will do it for them)
What do you mean? How would anyone not affiliated with a given government agency convince human verifiers at Twitter that they're official?
If you don't snatch up your (organization's) name first, someone will surely do so for you.
(Honestly not trying to incite anything by using him as an example; I just hardly use Twitter and he was the first to come to mind.)
Yes, but this account will still not have the same legitimacy. Right now, if Trump tweeted a declaration of war, it would have been reasonable to assume that it was real, because, for all we know, it's an official channel. Previously at lot of people would've at least checked back with the official channel before taking it for granted.
And, to make matters worse, having Twitter as an official channel now gives everyone at Twitter the possibility to make official announcements - hardly a good state of affairs.
The government could put it's decisions and publications on a website, official, verified, more or less controlled by them. There's no reason that has to be done with consultant scams - oppositely, posting on Twitter doesn't guarantee consultants aren't raking in money for adding or removing periods or whatever.
But I guess its easier to just complain about Twitter.
But we hate it when governments spend money on things. And no one would trust a word that came from any service the government controlled or regulated.
And on top of all of that, people will still complain that their tax dollars are being used rather than existing public platforms (Twitter, Facebook, etc.) Whichever administration puts it up, the next administration of the opposing party will call it waste and propaganda and burn it down.
> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?
What are you referring to exactly? I thought the govt had their own IT and websites across the board, and only used things like twitter to aid in communicating to the public.
No, I think they should use best-in-class media and Twitter is exemplary for that. Twitter is only dangerous for this because it is very effective at being a communication medium.
Yeah no one is going to fall for the 5th ColdFusion site with an admin backend left open on sqolkla7.info.gov.us/press-releases but that's because no one is reading that site.
Although I could be wrong if the reports are wrong too.
Perhaps a higher tier of user support personnel handles verified accounts (or accounts somehow flagged for extra review in a non-public fashion), but I'd still be surprised if anyone particularly high-level is doing the grunt work of using this tool.
I imagine a support person does more than in an average day.
And while we might have seen all the tweets at the same time, they might have been changing emails and passwords over few hours.
Remember twitter has so many users they probably get tens of thousands support requests per day.
Even if you have monitoring, I don't think volume was enough to pick it up.
https://twitter.com/TwitterSupport/status/128359184496275046...
I’m guessing someone re-used a hacked password and SMS 2FA is to blame. Maybe it’s not even that sophisticated.
I'd like to think it's a bit harder to intercept a former President's text messages.
SMS is fine for end user access but companies can do better, even RSA/Google authenticator are a lot better option than SMS
SMS is seen as less safe because the transport layer is not encrypted. But there isn't much difference in the practical security of the average user.
Lack of encryption is only part of the problem. Lack of proper authentication is more important. Mobile networks are vulnerable to SS7 redirects, SIM-Jacking and plain old social engineering.
The 2FA reset function is also a part of doing 2FA properly. Your reset needs to be at least as secure as the regular 2FA flow. Meaning that "just phoning support" isn't an option. Yes, resets will be cumbersome and might involve stuff like physical presence, showing a government ID and maybe being vouched for by a third party. Most companies fail badly at this.
Edit to the topic: As I said, the transport layer of SMS isn't safe, but I don't think it has practical merit. How often were SMS redirected or spied upon? In high profile cases? Even that would be difficult to determine, but the occurrence is probably very low.
And for a twitter account? Seriously? Depends on the account but assessment of threats is the first step of an honest security review. My reddit pwd has been 'reddit' for years. That wouldn't fly if I were Madonna and if I had any attachment to it.
>"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. …
https://www.washingtonexaminer.com/business/jack-dorseys-per...
Does confirm past claims that they shadowban accounts (which does hide them from search, among other things) at the very least, even if the exact criteria are unknown.
1: https://www.washingtonexaminer.com/business/jack-dorseys-per...
EDIT: thanks for the downvotes, twitter.
It's against the site guidelines to do that, so please resist.
https://news.ycombinator.com/newsguidelines.html
I wonder the size of the population of employees that have access to these internal tools. How many people can independently fire off a Tweet from Jeff Bezos or Elon Musk and erase billions from the stock market? How many people can seize the account of Joe Biden (or presumably Donald Trump) and cause a huge international incident?
“ Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”
The accounts were posting for hours after it seemed Twitter became aware what was going on.
Oddly, it was just Elon Musk's account that had multiple tweets over a long period of time. The other accounts did just one.
All assumptions on my behalf bit it explains your question.
I also hope these incidents remind people of how little control you really have over your online identity. We're all just IDs in a database somewhere, waiting to be impersonated. Decentralization is the only solution for this IMO.
The reason why this attack worked is primarily because of a recovery system. I agree this is a significant vector, but I can't see how decentralized solves this?
At the moment with blockchain wallets, once you've lost your private key, you're screwed. There is no recovery.
So, I'm all for decentralized but if it is truly my identity, I need a way back if I lose it. Not sure how to solve that vector even in a decentralized case.
Do I need to upload my identity to specific 'verifiers'?
I read @elonmusk because I trust it's him and I'm interested in what he says. Personally, I genuinely like Starship + Starlink updates... I ignore most the other stuff. But still, I want to see those awesome rocket tweets!
So, I want to know what he says.
He can change his username because it got hacked/whatever... but then I personally have to see what he changed it to... how do I know that he is the one who changed it? how do i know it's not some rando dude impersonating him?
You could trust it was Elon because it's published on his own website instead of on the worst thing to happen to human communication since writing was invented (I.e., Twitter)
For other cases we can evaluate merit based on previous performance and character of published material instead of "identity". I do not care who is behind a pseudonymous blog if the blog is good.
Obviously you can scale up your security according to the value of your account and your threat model.
We need to keep the conversation in recovery because eventually it'll happen. Your 5/9 people could have n+1 unwilling parties where n is the losable amount.
It is unrealistic to say it will _never_ happen.
When my identity is lost... is it lost for good? how do i recover?
If it's lost for good, and i make a new 'identity' then what is my 'identity'... is it just... my reddit username?
Give enough people using the system, it's not if, it's when. So how do I recover?
I don't think there is any solution to this. "Decentralization" in this context seems equivalent to a centralized system that simply gives up on any ability to recover accounts. Whoever owns the authentication details of an account is the owner, period. If you lose the password or the account gets hacked and stolen from you, tough shit. Start a new account.
I think the real solution is that social media should simply be valued lower. No one should care if their Twitter account gets hacked. The fact that politicians and important people use it in an official capacity is the problem that needs fixing.
I don't disagree, but with what?
It's easy to say this is 'wrong/broken', but I don't see a great fix other than people 'rolling their own solution' and that's not realistic.
Post it on congress.gov using some inefficient boring process or whatever the official communication method of your role is.
As far as I’m aware they didn’t even make him create a new one and he thought everything was totally fine.
It was the moment where I realized I want nothing to do with IT Management/Security in the future and am actively working to distance myself from that aspect.
> we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment
https://twitter.com/jason_koebler/status/1283594885292077056
That being said, what was the employee's endgame here?
General disgruntlement maybe? Maybe they were simply pissed off and looking for a way to hurt the company.
Sometimes people behave very irrationally. In the most sensational cases that manifests as violence, but I think it might also manifest as acts of sabotage.
Especially if the real motivation is not the BTC scam, but the access to who knows how many DMs for possibly blackmail/propaganda down the line. (And not necessarily just DMs from the known compromised accounts, either.)
Without this bit of information from Vice it would make what Twitter officially posted downright scary and not add any comfort factor to what the heck is really going on.
[1] - https://news.ycombinator.com/item?id=23855328
People seem to assume everyone takes tweets at face value and won't do a double take when it doesn't sound like something they would normally say.
Even here there was plenty of people on HN who were claiming outlandish possibilities while it was happening.
Poorly executed, frankly. The tweet just wreaked of spam.
e.g., Vietnam is a livable place and GDP per capita is ~$2600. That'd get you a very modest living. GDP/capita is also up 2x from 10 years ago and 10x from 20 years ago. You could maybe squeak out 20 years with very modest living and few unplanned expenses and assuming the economy and thus cost of living doesn't grow tremendously (like it likely will).
Somalia would give you a little more value for your money. But I think if someone suddenly had that much money in Somalia, they'd probably be getting out of Somalia or hoping nobody found out.
Almost anything else I can think of would require either (a) substansal amount of starting cash (for example trying to crash Tesla's stock price), or (b) be almost impossible to pull off without getting caught (blackmail, or again stock manipulation if you do it in a big enough way to make some decent money).
In terms of risk/reward, assuming someone found some easy trick and wanted to cash out ASAP, this feels like the best option.
Alternatively, is it possible they bought options on twitter itself? It’s down 4% in after-hours (which is less than I expected, but still enough delta to make some cash).
It wouldn't surprise me if a lot of Twitter support people had access to these tools and that they often worked with larger (more valuable) accounts.
It also wouldn't surprise me if some employee had a bad 1:1 and then responded to a spear fish just because they were disgruntled. To take payment for it is particularly stupid.
Of course, could also be something more serious - but if it's really just the BTC piece and the people are dumb enough to talk to the press, it may not be a group of criminal masterminds.
I hope for the employee's sake they have communication that can help the feds catch the BTC group. Either way, an incredibly stupid thing to do on their part and I don't see a good ending for them.
If this turns out to be true, they'd be lucky not to go to prison.
If you're a sysadmin on a company email system, then you do technically have access to everyone's data on that system.
However, you're generally limited by company policy that you are not permitted to access/modify that data without direct authorisation, say from the employee themselves or from HR.
So, therefore, if you go and read the email of your boss, you're still in breach because you didn't have the authorisation.
The only item I can see here is fraud (impersonating the people whose accounts have been taken over), of which the mole would be complicit.
That's been exceptionally controversial, as it can turn contract breach into a federal criminal offence in the US.
Doesn't something similar happen with employer-provided accommodation and burglary laws?
People's accounts get hacked all the time. To help them recover is often a manual process, because the true owner of the account can become unclear. To be able to do that a support worker must be able to change the email address on an account, undo 2FA settings and make other changes because hackers will typically change the email address and add 2FA of their own phone as the first step in an account takeover.
Twitter is a disaster waiting to happen.
I can't think of any serious risk posed by 'the general population'. Maybe particular stocks would dip a bit?
I’m not sure what you’d charge them with?
I know HN doesn't believe in laws, but the rest of the world does, and they're the ones with prosecutors.
They could argue, with the advent of remote working getting more and more predominant, that they simply left their computer unattended for a second while logged in.
Beyond that, they could argue they simply clicked on a link and something might have happened they aren't aware of. Or that they didn't know what running that one executable would do.
Parting shot: unnecessary, obnoxious. -1
Net: 0
On the other hand, $1M in BTC might do the trick. Interesting thought experiment...
And/or they just thought it couldn't be traced back to them.
And you're also making the assumption that the accomplice thought about it rationally. All the attacker has to do is find someone who doesn't realize that they will get caught.
If that was the case they could only deal with bitcoin. Blackmailing with bitcoin may be smarter but maybe they figured that would be investigated more or treated more harshly? They could have released fake financial tweets and shorted the market - but that still would be investigated much faster.
I'm sure the 100k or whatever they got isn't as much as it could be - but for a random dude who paid 10k to a disgruntled employee it is pretty good.
In their minds, they are thinking at least 200 Million followers at least 10% success rate. So 2 Million in BTC or several millions of untraceable wealth.
BTC hackers aren't exactly known for smartness in other areas
I don't think there is something super nefarious involved. Probably some unpaid intern in a third world country where Twitter outsources tech support.
If the attackers had a big short position in TWTR, they may have made a lot more money than they received from BTC.
Also, if you had Elon tweet that, I am not sure if the price will go up or down like you expect. :)
Oddly enough, posting the screenshots resulted in some users getting their account suspended or Twitter pulling the picture down.
[0]: https://video-images.vice.com/test-uploads/_uncategorized/15...
Apparently sworn statements have been made about this.
[0]: https://blog.twitter.com/en_us/topics/company/2018/Setting-t...
Also what do people consider as a shadow ban?
- Removing the tweets from people’s feeds, and only showing them if you browse/go to the offending users profile ? (Personally I don’t think this counts as a shadow ban)
- The offending user is the only person who can see their tweets, even if other users look at their profile (This is shadow banning imo)
This doesn't seem to contradict what's shown in the screenshot (which only shows blocking from the search and trends page).
You can't use the b-word.
Some of the scuttlebutt says that these guys are tied to multiple crypto hacks.
But my personal opinion is that this is just a 20-something trying to make a mark for themselves. We'll see within a week or two.
Such social media platforms have to be tamper proof even from the CTO, the reddit incident proved that years ago.
This is going to hurt their credibility hard in the run up to the election.
The tool in question is likely used by low level support/abuse control workers. The huge pressure put on social media firms by liberals in recent years to crack down on "abuse", "hate" etc means they need a vast army of people to review complaints about harassment, "fake news", account hijacking etc. Those employees aren't all sitting in expensive San Francisco on a corp VPN, are they? They're probably going to be in places like India.
From the mention of BeyondCorp, it feels like there are a lot of Googlers in this thread who aren't really familiar with how Google handled the same problem, or at least, used to. For example back when Orkut was big there were huge numbers of people in Brazil who had the power to censor content, ban users, handle victims of phishing and so on. It was the only way to scale the moderation users and governments there demanded.
An ideal user admin tool is very fine grained. But once account hijacking entered the picture, it gets hard to truly restrict takeover permissions to a tiny number of people, because accounts are constantly being taken over by third parties and need to be reset back to the true owner via manual intervention. Attempts to automatically handle that are very hard, I know from experience. Hackers like to abuse any system put in place to stop them taking over accounts (like 2FA) to stop the true owner taking it back once captured.
Curious as to what types of changes might come out of this going forward
had that feeling... wonder how much more vulnerable working from home is making us to such things.
also scary that targeted employees with such level of access fell for it. must have been really sophisticated.
Also, the ability to impersonate people (not just celebrities) should require at least manual approvals. Not sure why this ability even exists.
The original speculation (that it was an API vulnerability) is actually easier to stomach.
This must be some new meaning of the word 'immediately' that I wasn't previously aware of. It took them quite a while to get these accounts locked.
If you're doing something shady to your employer, it seems to me that it would feel a lot safer to do so while working from your home office by yourself then when sitting right in the middle of an office pod with other coworkers.
For example try this with JS disabled vs enabled (404): https://mobile.twitter.com/JoeBiden/status/12835123178466590...
curl 'https://mobile.twitter.com/JoeBiden/status/12835123178466590... -H 'cookie: m5=off;'
FFS Twitter, get your act together.
Thankfully, the only good thing about Trump's complete descent into batshit insanity, and our apparent acceptance of it as a country, is that he could tweet literally anything and no one would react.
Maybe in his first year as president? But now he could tweet that he was planning on a preemptive nuclear strike against Antifa headquarters in Antarctica and we'd all wait for the White House communications office to issue a correction about what he really meant.
They support a total of 1 (one) U2F token on an account :( The only other company I know that does that is AWS and one U2F token. Every other site I use allows multiples, usually at least 5 or more.
I setup U2F on Twitter but then got rid of it after realizing they only allow one.
It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.
I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.
One one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.
as you've described: the U2F functionality is completely useless because if you lose/break your single U2F key then you're completely screwed
and they still have no support for ed25519 keys (which were added to OpenSSH in 2013), unlike every other cloud service
I have to have an RSA key just for AWS (particuraly annoying as I have all my other ssh keys stored in a hardware token)
if they didn't validate the damn key type then it would probably just work out of the box
That thought makes it so much for frustrating. ed25519 is the future anyway, it’s hilarious how many cling to RSA (I’ve got nothing against RSA but at some point we’ll have to switch anyway)
> if they didn't validate the damn key type then it would probably just work out of the box
Yep. So incredibly frustrating.