back to article Twitter docs hack exploits stupidity vuln

Over a month ago, a hacker gained access to Twitter's internal documents and thereby introduced the unprofitable Web 2.0 darling to the blunt end of internet justice. Hacker Croll - the still anonymous Frenchman who has claimed responsibility for the attack - cracked the personal e-mail account of a Twitter administrator. In its …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    "Twitter being in enough of a spotlight that folks who work here can become targets"

    does not excuse those same people from being dumb enough to break Rule Numero Uno of passwords, namely Don't Use The Same One For Everything, Dummy. Not that I'd actually expect anyone at Twitter to understand that, much as they apparently don't understand their own business model, or the market in which they're operating.

    This is your life, Twitter, and it's ending 140 characters at a time...

  2. jake Silver badge

    Fuckwits, assholes, and marketing shits.

    I hate 'em all. I'm right there with you, Ted. However ...

    "Twitter is fun and all, but the now public internal discussion about justifying the investment to the venture capitalists shows that yes, at some point in her life, every big-titted fat girl needs to be told flat out that she's nothing more than a big-titted fat girl."

    ::wince::

    That comment's quite a bit lower than even I find comfy.

    How about next time, you use "Yes, at some point in their life, every small-dicked [Corvette|Tesla|Veyron|Porsche|etc.] (wannabe) owner needs to be told that if he actually measures it, his conveyance of choice doesn't actually enhance the size of his dick."

    In my opinion, my version would get the point across without potential collateral damage ...

  3. Anonymous Coward
    Thumb Up

    Techcrunch bashing

    Holy crap, someone doesnt like techcrunch.

    Also, WTFBBQ wordpress... come on man

  4. Jonathan 17

    Author = fail

    Frankly, the author is the one with a life full of fail. The moral of the story is NOT "dont use teh interwebz, ever, for anything", its "make sure your passwords are secure".

    Lots of companies are turning to software as a service to lower costs by reducing the amount of insfrastructure and software licenses required. They dont do it arbitrarily, on a whim. I should know, I work in the industry, and we have multi billion pound clients for whom security is very much an issue. They trust us with their confidential data - why not? Our security is good enough to satisfy their auditors and internal IT.

    I'm sorry you hate Google Docs, personally I cant see why. But really, the fail isnt with using Google Docs, okay maybe they could have picked a more secure cloud service, but the cloud in itself is not at fault. The fault is with the idiot who sets his password to his firstname and uses the same password everywhere.

  5. Anonymous Coward
    FAIL

    You what .... ??

    "In its observance of the San Francisco startup law of relying on free, online productivity suites instead of ponying up to Microsoft for something that actually works,"

    Sorry this article lost all credibility when I read that bit.

  6. Xusen
    FAIL

    Twitter?

    Why is twitter even needed?..no one cares that you just took a dump or looked yourself in the mirror.

    The stupidity hack is probably one of the most common, during a stint as Techie in a school, we had teachers turning on the projector in the classroom and start typing their username and forget to press the tab button properly, the result was that all the little buggers in the class have just memorised the password, I mean how hard is to remember potato or any of the other lame passwords they used.

  7. Duncan Hothersall
    FAIL

    Yeah, right Ted

    "the San Francisco startup law of relying on free, online productivity suites instead of ponying up to Microsoft for something that actually works"

    Yeah, cos that's the choice isn't it, really. Microsoft is the only organisation in the world which produces a usable office suite. OpenOffice.org doesn't exist, StarOffice doesn't exist, KOffice doesn't exist, Lotus Symphony doesn't exist (okay, fair dos), Ability Office doesn't exist, Gnome Office doesn't exist, iWork doesn't exist, NeoOffice doesn't exist.

    The reality is that you don't need to pony up to anyone to get a desktop operating system and a full-featured office suite. Why not acknowledge that?

  8. Q We
    Stop

    GApps authentication

    "Anybody who knows Eric Schmidt's e-mail password can go to http://mail.google.com/a/google.com to browse messages." Actually, no.

    GAFYD admins can implement an additional SAML-based authentication scheme and thus enforce any additional rules they wish, which can include access from specific ip addresses (like being on corporate network or VPN). This is what Google itself does. So no, you could not read Eric Schmidt's email even if you knew the password.

  9. Mike48
    Thumb Up

    Good SHow

    Thanks again, Ted, for your wit and wisdom! And, per the usual, I'll bet the legion of nay sayers will be out in force complaining about your views.

    Keep up the good work!

  10. Darren Lingham 1

    Missed the point?

    The author of this article seems to have missed the main point, or the crux of what caused this. The issue isn't with web services, cloud computing or web 2.0. Online service providers need to look in to better ways of providing a password retrieval function.

    People forget their passwords, some on a regular basis - so it's important that the functionality is there to reset it in someway, but anyone providing a service that utilises an online log-in (that's about 90% of websites, not just the web 2.0 ones...) must investigate a better way to implement this than just a "secret" question and answer.

  11. Robert Ramsay
    Thumb Down

    This sentence...

    "ponying up to Microsoft for something that actually works"

    ...saves me the trouble of reading the rest of the article.

  12. Anonymous Coward
    FAIL

    Tweeter sucks

    Tweeter sucks and I hope they continue to store their docs on Google so they humiliate themselves, again.

  13. Dean Higginbotham

    lotions and potions

    Great post as always Ted. Poignant and humorous.

    .

    .

    .

    .

    Follow me on the *new* and *improved security* Twitter and make million$$! twitter.com/iTrackmine

  14. Anonymous Coward
    Thumb Up

    Google Docs feature - not new

    Nice one Ted, but I have to disagree with this bit:

    >> Even without Google Docs's innovative new feature - "run really fucking slow when I'm trying to get work done, and then stop responding to all clicks on UI widgets" <<

    Credit where credit's due, MS Word has been "running really fucking slow" on my PCs for the last 15 years or so, and I'm pretty sure it beat Google Docs to the punch with "not responding to UI clicks" too.

    I'd also like to bring your attention to some other industry milestones like "corrupting my important fucking document when I'm on a deadline", "having a repair feature that can never fucking repair anything" and "changing the UI every few years so I have to learn this shit all over again".

    So whilst I agree with the thrust of your argument - online cloudy apps are a pile of insecure wank and businesses shouldn't entrust them with their crown jewels - I feel you have overlooked the enormous contribution to local networking failure and suckiness that Microsoft has made during its distinguished career.

  15. Spiracle

    Unguessable usernames as well?

    I would imagine that eric.schmidt@gmail.com has a random 25 digit string as a password and is actually driven through some.unguessable.name@gmail.com.

  16. Bob H
    Dead Vulture

    Yet another rant...

    Well done Ted, you've manage to show us all the way with yet another mindless rant against someone you don't like...

  17. Craig McLean 1
    FAIL

    Sorry, couldn't hear you....

    ..Take Bill Gates' dick out of your mouth and try again. Your "issue" is bad password management, not bad software you achingly poor writer, you.

  18. Anonymous Coward
    WTF?

    Unbelievable choice of words...

    "...ponying up to Microsoft for something that actually works."

    Unbelievable choice of words... and VERY liberal use of the word "works" here. More to the point, there is a long history of inadvertent loss of confidentiality associated with the MS Office suite due to complete stupidity on the DEVELOPER'S part, let alone the users. Google Docs, like any other cloud service requires responsible password use. Duh.

    People's cloud accounts are "hacked" every single day, whether this is Yahoo, MSN, Google, Amazon, eBay, In almost every case, this is due to poor password management on the part of the USER. Why would you make the claim that Google Docs is somehow at fault for someone using an extremely poor choice of passwords?

  19. Psymon
    FAIL

    So many comments, so many tangets from the real point

    @Jonathan 17

    Sorry, but if you think the answer is to force your users to use stronger passwords, I'm afraid you've not lived in the real world.

    As a system administrator, no matter how many times you try to hammer this point home, you will still get users that are so inept, anything more complex than 'password' means they come running back to you every single morning to have it reset.

    It's a cold hard fact of life that every security measure you put in place, makes life just a little more difficult for your users. There's a balance that you have to hit between security and usability.

    Unfortunately, if your systems are built in the cloud as our dear author has so clearly pointed out, you automatically increase the attack surface of your systems a thousand fold.

    You are advertising your entire systems profile to the rest of the world, and it only takes one weak link in the chain to allow for a serious security breach. Just because it's a new or different approach, certainly doesn't automatically make it a better, or even appropriate solution for your organisation, and the cloud is a niche solution at best.

    This fetish for the cloud reminds me of a certain company that was targetting gulible schools across the country trying to sell them thin client computing solutions.

    I can't even begin to list all the reasons that this is a wholly inapropriate solution to 95% of schools, but the only question I needed pose to our headmistress that shot the whole idea down was:

    "Do you want to pay this much more, just to put all your eggs in one basket?"

  20. The Mole
    Stop

    Different passwords don't help

    Even if someone has used a different password for their email account than everything else this won't generally help. If you have control of the email account you have control of almost everything short of bank accounts.

    For the stupidest of websites you can just do a search for "password" to find the emails from all those helpful websites who on registering email you back the password you used.

    The slightly more advanced websites you just go on to them, click the "I've forgotten my password" link and have your password emailed back to you. A few sites reset the password but most don't so if you then delete the email the victim won't even know.

  21. lukewarmdog

    well it made me lol

    I fail to see the point of Twitter and wouldn't trust anything called "The Cloud" with anything I actually thought was valuable so it was nice to see my cynicism isn't misplaced.

    Since Twitter can't find a business model I'm guessing this is how they save money.. no stationery, paid for apps or USB storage for their staff.

    Maybe they SHOULD have used MS Office, works fine across my organisations Enterprise.

  22. Anonymous Coward
    Pint

    lol

    Once one realises the man's here to distract in his own style , the whole

    article changes perspective. There's good chuckles and a boatload of irony

    in there and that's the ticket.

    If he's serious ... well ... ill get all the big titted fat girls to converge on him and lock

    em all in a tape safe :) .. or the service elevator for the weekend.

    Cheers .. time for a beer.

  23. Anonymous Coward
    Stop

    RE: Yeah, right Ted

    @Duncan:

    Well no, not really. I've test trialled a roll out of StarOffice in my company and I know others that rolled out OpenOffice. The problem is that there is a relearning cost to getting everyone onto a new productivity suite. Once you've gotten over that you then have the problem that most people use MS Office to create documents and when you open it with OpenOffice or StarOffice you get an approximation of the original document. The fonts and tables are noticably incorrect but there are also errors with page breaks, margins and other subtle changes. This means that sharing documents around with people using MS Office doesn't work very well. This may change with the XML formats introduced in Office 2007 but having looked at the spec I'd be amazed if anyone manages to implement that 100% correctly. The spec is extremely complex from years of performance and backwards compatibility hacks (whether this is a bad design or not is a different discussion, none of us have a time machine).

  24. Barracoder
    Flame

    Did any of you fuckers actually read this?

    Contrary to the entirely expected meerkatting by the M$-haters when Ted made the fatal mistake of saying Microsoft software actually works better than Google Docs, this article was not about Microsoft. Or Google Docs. Or bad password management.

    This article was about the fact that the internet totally removes the barriers to entry for the standard hacker. In the good ol' days, we had to tunnel into private networks before getting the chance to enjoy exploiting someone's bad password management. Now all you need is a frickin IPhone. That's a good point to make and Ted, in his enjoyably Tourettian way, made it well.

    If you want to post a comment, post your thoughts on a solution to the internet's woefully inadequate Email Address/Password/Password Reminder paradigm and stop getting all hot and bothered because Ted happens to prefer Word to Google Docs: you're missing the point and looking like a fundamentalist, which is never an intelligent look.

  25. Anonymous Coward
    Thumb Up

    RE: Did any of you fuckers actually read this?

    You're bang on right here. If you forget a password on your corporate network you ring up IT support and after they can reset your password. The problem is that the password reminder is woeful at verifying your identity - especially since so many of them on the web are your city of birth, your birthday or your mother's maiden name. Anybody who remotely knows you should be able to get this information easily. It doesn't matter if how good your password is with a backdoor like this.

    Perhaps a digital certificate should be created for corporate Google accounts and then they can be stored in local storage on the corporate LAN and managed by an administrator. Those certs can be used to recover your password if necessary.

    Or maybe storing private data on third pary servers is just a really, really bad idea.

  26. Anonymous Coward
    Badgers

    Simple solution

    Open access on the net or not there is a simple way to protect all these so called cloud services as well as actually useful stuff like internet banking and amazon.

    A unified RADIUS authentication so people have to carry only one token around with a timeout of 30secs on the token. Only the most determined and resourceful attack will ever get past this. (Nothwithstanding the fact that most people will write their pin down on the token itself <g>)

  27. SlabMan

    The 2 laws of password security

    1. Never write your password down.

    2. If you can remember your password, it's too simple.

  28. Anonymous Coward
    Gates Halo

    "maybe storing private data on third pary servers is just a really, really bad idea."

    Would it be better if it was "maybe storing >>unencrypted<< private data on third pary servers is just a really, really bad idea." ?

    Or are you worrying about availability of The Cloud as well as security of The Cloud?

    My local IT department's services are 100% available. Oh yes. As long as you only measure the times when the systems are working. Their staff are 100% trusted too. As long as you don't count the one that was working for a competitor while employed here.

  29. Anonymous Coward
    Thumb Up

    @lol

    "If he's serious ... well ... ill get all the big titted fat girls to converge on him and lock

    em all in a tape safe :) .. or the service elevator for the weekend."

    Is this by way of a punishment or a reward?

  30. Anonymous Coward
    Anonymous Coward

    fail indeed.

    A 10 year old child could set up a decent word processor on every machine and a NAS box for them all to connect to. From then on encryption, backup and off-site access can be added and tailored to the companies specific needs And it needn't cost an arm and a leg either. It's not rocket science people.

    But no lets just trust google with everything. It's better because they say so and isn't doing something because someone else told you to always a good enough reason to do anything?

    On the other hand, I very much doubt Twitter have anything worth keeping secure.

    Their crap is available online now and I don't feel in the least bit compelled to take a peak. The BNP member list yes, but this? Who cares?

    I'd rather watch paint dry. I'd rather untangle Christmas tree lights with one hand tied behind my back. I'd rather train my dog to play Monopoly with me. I'd rather spend my entire life trying to invent a washing machine that plays the saxophone.I'd rather buy 100 different brands of kettle and time how long each one takes to boil.

    Take a hint Twitter, nobody cares. You are triviality defined.

  31. Duncan Hothersall
    Grenade

    Re: Anonymous Coward 10.46

    Your comment appears to be a description of challenges faced when migrating from MS Office to another package with a user base and document archive mired in MS formats and functions. I agree that this can be a problem for the reasons you suggest, but it has nothing to do with the situation Ted brought up here, which is companies choosing to use Google Docs rather than "pony up for" MS Office. Google Docs can save all of its documents in ODT/ODS formats, and has a much more limited subset of functionality than OpenOffice or StarOffice, so there is no migration pain in a shift from Google Docs to Oo.o.

    As for the issues with formatting changing in Word docs - this also happens between different versions of MS' own software, and yet people apparently cope with that sort of transition - why should they not cope with it in this case? Anyone who expects a word processor file to paginate identically on different machines even if they are running an identical word processor has never worked seriously with Word files.

  32. Anonymous Coward
    Thumb Down

    It's just another...

    ...twatter splatter!

    Nothing to see here folks.

  33. Mark C 1
    Thumb Up

    Irk The Fanboys

    "In its observance of the San Francisco startup law of relying on free, online productivity suites instead of ponying up to Microsoft for something that actually works,"

    ... is it me or is it just getting too easy to bait people these days?

  34. Tom Paine
    FAIL

    Fail and Ted

    I admit I enjoy reading Ted's latest lawnsprinkler / flamethrower crossover piece, for the same reason I enjoy the writing of Hunter S Thompson or P.J. O'Rourke, and pull up a chair when I see Will Self on the panel of a popular news and current affairs panel discussion programme - you don't have to agree with what he says, or indeed any of it, to enjoy the spectacle of insight, humour, wit and insight flaying well-deserved targets. However... this time, I couldn't help noting the fails:

    1. "... [If you could steal the password of a typical corporate drone] you most likely had credentials for a Windows NT domain or Active Directory" Hey, Ted, care to explain the difference between an "active directory" and a "Windows domain"? (Hint: they're the same thing.)

    2. "What can you do with this [password]? Unless there's remote access set up, you'll need to be on the physical network to access file shares."

    Well, I hate to break it to you Ted, but there's a thriving market in what are known as "remote access solutions". These days there are very few corps larger than a few tens of employees who don't have that. There's also Outlook Web Access, and any internal web-apps which have been recklessly exposed to Internet-based logins, rather than restricted to internal and VPN users only. Oh yeah, and wifi.

    Oh, and by the way, any idea of the easiest way to snaffle a Windows password? No, silly, the pass-the-hash attacks are OLD. No, today the smart kids use targeted, socially-engineered 0day attack - pretty trivial to do when you know how to use metasploit, when so many execs' egos mean that info about their job titles, interests, lunchtime menu etc are freely available on, uh, El Reg f'r'instance. Guess what? _you're already inside the network at that point_.

    I got bored at that point. 10/10 for the flaming contempt for all the losers out here in the big wide world, but really methinks the lady doth protest too much.

    And wouldn't you know it.... hitting the link to Dzubia's brave new dotbomb (the latest one, where he jumped shortly before the last crazily-named doom-balloon where he tried to hang out went to the great shitpile in Sand Hill Drive, I couldn't help but spot a link (bottom left of the page) to... egad! It's Twitter!! http://m.twitter.com/miloshopping

    Well I'm blowed. But not by Ted.

  35. Anonymous Coward
    Gates Horns

    Re: the XML formats introduced in Office 2007

    I think we can take it as read that Microsoft won't manage to implement them 100% correctly

  36. George Marian
    Paris Hilton

    @Duncan

    There's a bit of difference between the compatibility issues of different version of Word documents and those of Word documents used with another word processor.

    Much of the time, we can forgo the half-baked features of a new version of the Word document format and simply back down to an older version that's a better common denominator. We shouldn't be surprised that an older version of Word has issues with rendering or even opening a Word document that's in a newer format. Much of the time, the need to cope here is due to the fact that not everyone upgrades to the latest version of MS Office. Even within the same company, there may certainly be situations where there's a mixed deployment of different versions of MS Office.

    The nature of the compatibility issues when opening a Word document in another word processor are more complicated and lead to more frustration. Some of these issues are due to fact that this compatibility is reverse engineered, or due to fundamental differences between the implementations and so on. Coping with these types of issues isn't necessarily as simple as using an older format.

    Nevermind that most of the alternative office suites you mentioned are still jokes in comparison to MS Office.

    "The reality is that you don't need to pony up to anyone to get a desktop operating system and a full-featured office suite. Why not acknowledge that?"

    That's true. However, even so it's not as cheap as using Google Docs. It doesn't matter that you can get it for free, if you have to deploy and maintain it, there's some cost associated with it. So, Ted's point still stands, IMO.

    To those of you that jumped all over that statement: Did you stop to think that it might just be flame bait? Enjoy your worm, little birdies. ;)

  37. Chris iverson
    Pint

    MS did it too

    Now whether you agree or not with Ted lets take a quick peek here at the issue he is describing. Now at the heart of the issue is the predictability of the link which google didn't seem to figure out from youtube that obscurity is not security. MS exchange has a similar feature known at Outlook Web Access. its kind of amazing that you can generally type in http://webmail.<insert organization here>.com and be presented with a pretty blue screen asking for login credentials. Its still a little more difficult since there are no hints but the idea is the same.

    Of course in that case once you have figured/beat/blackmailed it out you have access to the domain of said network. Given that admins can of course set rules that only allow certain access but a lot of times don't due to the level of inconvenience and whining that will be imparted on to said person when the great unwashed can't get at their email from the comfort of their skivvy's.

    So not shame on MS for whatever the reason is today or Google since they didn't have the responsibility per se. That being said Im not sure if there is a deal between Twitter and Google. But the user in question should be smacked for such poor discipline when dealing with passwords for sensetive documents on a service that is available to world + dog.

    </rant>

  38. KarlTh

    #Fail & Ted

    A Windows NT 4.0 domain* is not the same thing as an active directory. Nor, technically, is a W2K or W2K3 domain, but that's nitpicking in this context.

    *Yes, they are still in use. Last time I tarted around with Samba it was emulating at that level. Yes, I do know it's moved on, I just haven't fannied around with the version which talks AD yet.

  39. Steve Taylor 3
    FAIL

    Damn you Hunter S. Thompson!

    Ever since you showed the world how much fun it could be to hear a talented writer get apopleptic we've been forced to endure wanabees like Ted who have to simulate both rage and writing ability.

  40. Ian 37
    Thumb Up

    Thank you Psymon

    You saved me from having a rant at that twit. Thanks for the article Ted, an enjoyable read. It amuses me every time when you put some bait like "ponying up to Microsoft for something that actually works" into your articles and a bunch of chumps bite.

    Love it!

  41. Anonymous Coward
    Anonymous Coward

    Point of convention

    Dear Ted,

    'Butthurt' is not hyphenated. Thanks

  42. Reverend Brown
    FAIL

    Huh?

    Bunch of jibber jabber as usual. The expletives are better placed than usual.

  43. Charlie Barnes
    FAIL

    Pink Ponies

    "ponying up to Microsoft for something that actually works"

    Since when has ponying up to Microsoft produced something that actually works? Paying up to Microsoft doesn't even produce something that actually works.

  44. Llama-made
    Troll

    Keep it up!

    Totally troll-tastic as ever Ted. Keep practising, one day you will be good enough to troll Slashdot. Until then, good luck!

  45. joel 7
    Thumb Up

    TOP NOTCH

    Top notch journalism, bravo. It's good to read something by someone who doesn't fawn to the every move of the Web Shite 2.0 Facists.

  46. Anonymous Coward
    Anonymous Coward

    The Register

    The Register is any different than TechCrunch?? You couldn't tell based on the authors and articles

This topic is closed for new posts.

Other stories you might like