"EndWokeness" is in interesting/worrying as it is allegedly Jack Posobiecs alternate account.
The Russia ones should be ringing alarm bells. How can TikTok take so much flak (some of this is reasonable, some is not IMH) but Elon is allowed to run a fifth column for Russia in the US?
So ironic that they all thought Twitter was a left-wing propoganda machine even though I don't think Jack Dorsey ever made a political statement. Meanwhile, we have an explicitly pro-Trump guy running the site now and they think it's based.
This confirms that vx-underground is aware of the claim, and that it likely leaked from them, but they are very explicitly not verifying the claim. It doesn't seem particularly verifiable at the moment.
I mean, the original screenshots do seem a bit weird, but what rule did the Twitter account break by posting it in order to be banned?
Why would they used Okta to pass such list of "protected users" to the clients? vx-undeground also mentioned that requesting the endpoint from different locations return different status codes (404 and 403).
I tried submitting this above URL just now because this link is now flagged (probably because of the domain allegedly distributing malware) but I think it got immediately shadow-banned (https://news.ycombinator.com/item?id=41070308).
I saw some folks on Twitter pointing out that "TatetheRailsman" is likely a typo of "TatetheTalisman", which is Tristan Tate's (Andrew Tate's brother) account. Weird that it would be typo'd in their list of protected users. I also don't really buy this from a technical perspective. Why on okta? Why is the list of users and keywords so short? Why is everything a screenshot?
The fact that the list only consists of known right-wing accounts and confirmed mouthpiece accounts is pretty suspect. Also that this was available from a public facing Okta url makes no sense.
You'd think a "leak" would reveal several other, as of yet unknown users, right? Not even a few internal test accounts? Some of them are even misspelled.
Occam's razor is that someone doctored a random page and threw in every well-known salacious account and then screenshotted it.
the screenshot for sure is fake. But that twitter Okta subdomain (twitter.okta.com) isn't. I got redirected to some twitter.biz site when I went to the Okta URL on my phone. and then got a cloudflare message saying I got blocked.
I did some more digging. there is a SOA record for twitter.biz which says noc.twitter.com is responsible for it.
Sure, that means Twitter probably uses Okta for corporate SSO (as do many companies), but nothing more. Okta offers white-labeling on your own domain (and some advanced Okta features are only available via white-labeling), so twitter.biz is probably their corporate domain.
(that's noc @ twitter.com, by the way, the RNAME is an email address where you replace the leftmost dot with an @.)
Be careful with "that subdomain", though -- beeflourishing.okta.com also resolves, they've probably got a wildcard DNS entry and definitely have a wildcard SSL cert there.
If they are fake why were they so quick to ban the leakers? They would let Community Notes do their job, something tells me they panicked.
Regardless, there definitely exists a hidden whitelisting to "protected users" spread their hatred, otherwise accounts like this that explicitly use slurs (https://twitter.com/NsPostingFs) would be banned long ago.
as much as I dislike the current state of Twitter (now X (formerly Twitter)) and I'm aware of its biases - what is that serialization format? kebab-cased key names? no quotes around strings?
if it is real - keyword here being if - Twitter would have to had created its own parser for this. while not hard, why wouldn't they just... use something like JSON? YAML? TOML? ...XML?
i'm also not sure why would they host a configuration file like this out on the open web, when it's accessed strictly by the backend. why? what's the point...?
somethings fishy here, can someone clue me in on this...?
I’m skeptical. This just doesn’t make sense. If I was on this dev team, aside from objecting like crazy, I would be throwing a fit over the level of unnecessary complexity here. All this would take is an associative array, or dictionary, or map, or whatever your language calls it. Why tf would this be stored in okta. I see only 2 possibilities.
1. Elon fired everyone that knew what they were doing and this is a product of incompetence.
2. It’s fake.
Why would such a list be associated with usernames (which are changeable) rather than the unique user ids? if this isn't fake then it's implemented poorly
48 comments
[ 0.24 ms ] story [ 89.1 ms ] threadThe Russia ones should be ringing alarm bells. How can TikTok take so much flak (some of this is reasonable, some is not IMH) but Elon is allowed to run a fifth column for Russia in the US?
Shou Zi Chew TikToks CEO should just buy US citizenship like Elon did.
More or less. I don't really own my car until it's been paid off; X is still on the hook for billions, to foreign lenders.
https://files.catbox.moe/60azcq.png
Update 2: Twitter account sharing the leak suspended as of minutes ago:
https://x.com/TheAntifaTurtle/ https://x.com/TheAntifaTurtle/status/1816199705598255470
Why would they used Okta to pass such list of "protected users" to the clients? vx-undeground also mentioned that requesting the endpoint from different locations return different status codes (404 and 403).
> vx-undeground also mentioned that requesting the endpoint from different locations return different status codes (404 and 403).
That in itself, I wouldn't read too much into either way; not particularly uncommon.
I tried submitting this above URL just now because this link is now flagged (probably because of the domain allegedly distributing malware) but I think it got immediately shadow-banned (https://news.ycombinator.com/item?id=41070308).
https://knowyourmeme.com/photos/2869151 https://knowyourmeme.com/photos/2869352 https://news.ycombinator.com/item?id=41064931
And the list of slurs is so short and incomprehensive almost like someone made it for a screenshot based on whatever came to mind
Tangentially, I find it especially important to question evidence which so easily confirms my preexisting biases.
I also wonder the same, but also it wouldn't be the first time in our industry that we see a tool or service used in a complete backwards manner.
You'd think a "leak" would reveal several other, as of yet unknown users, right? Not even a few internal test accounts? Some of them are even misspelled.
Occam's razor is that someone doctored a random page and threw in every well-known salacious account and then screenshotted it.
The subdomain cannot resolve as it does not have a valid cert, and okta does not have an API to do this.
Come on fellas, do better.
CONNECTED(00000006) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 verify return:1 depth=0 C = US, ST = California, L = San Francisco, O = "Okta, Inc.", CN = .okta.com verify return:1 write W BLOCK --- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=Okta, Inc./CN=.okta.com i:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1 1 s:/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA ---
the sub-domain in the image is "protected-users" - which makes no sense, btw.
I did some more digging. there is a SOA record for twitter.biz which says noc.twitter.com is responsible for it.
DATA: a.u09.twtrdns.net. noc.twitter.com. 2023050934 3600 600 604800 60 MNAME: a.u09.twtrdns.net. RNAME: noc.twitter.com. Serial: 2023050934 Refresh: 1 hour Retry: 10 minutes Expire: 7 days TTL: 1 minute
(that's noc @ twitter.com, by the way, the RNAME is an email address where you replace the leftmost dot with an @.)
Be careful with "that subdomain", though -- beeflourishing.okta.com also resolves, they've probably got a wildcard DNS entry and definitely have a wildcard SSL cert there.
None of that is evidence of this thing.
Regardless, there definitely exists a hidden whitelisting to "protected users" spread their hatred, otherwise accounts like this that explicitly use slurs (https://twitter.com/NsPostingFs) would be banned long ago.
if it is real - keyword here being if - Twitter would have to had created its own parser for this. while not hard, why wouldn't they just... use something like JSON? YAML? TOML? ...XML?
i'm also not sure why would they host a configuration file like this out on the open web, when it's accessed strictly by the backend. why? what's the point...?
somethings fishy here, can someone clue me in on this...?
1. Elon fired everyone that knew what they were doing and this is a product of incompetence. 2. It’s fake.
- The Okta URL that's just a unix timestamp from 12 hours ago.
- There's a missing/wrong cert per the original screenshot (given all other points, likely just a local /etc/hosts override)
- A misspelled list of rightwing accounts
- A very esoteric list of slurs, with some British/Australian stuff specifically
- It's an Okta SSO config.
This is definitely fake.
on top of what others have said, this seems super fishy.