By John Gruber
Twitter:
At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.
“May” is a bit of a stretch here given that The New York Times reported hours ago that they had been selling usernames, and Brian Krebs reported it yesterday.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true.
DMs are the first thing that comes to mind with the “Your Twitter Data” tool. That archive contains pretty much everything, including your location data.
Extraordinary reporting by Nathaniel Popper and Kate Conger for The New York Times:
But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6. […]
The hacker “lol” and another one he worked with, who went by the screen name “ever so anxious,” told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday.
In one of the first transactions, “lol” brokered a deal for someone who was willing to pay $1,500, in Bitcoin, for the Twitter user name @y. The money went to the same Bitcoin wallet that Kirk used later in the day when he got payments from hacking the Twitter accounts of celebrities, the public ledger of Bitcoin transactions shows.
Rep. Adam Schiff:
Federal officers wearing camouflage, using unmarked vans, arresting and detaining peaceful protestors, over the objections of local authorities, isn’t “law and order.”
It’s the exact opposite.
And it’s un-American and unacceptable.
My friend and lifelong Portlander Cabel Sasser:
p.s. I could’ve sworn one of the top 5 fantasies for gun owners was to bravely prevent an armed federal occupying force in unmarked vehicles and without identification from invading a city — super weird how quiet they are now.
The longstanding argument of rightwing gun nuts that they’re ready to defend liberty for all Americans in the event of some ever-imminent power grab by no-badge no-warrant “jackbooted” government forces is quite obviously nonsense given their collective reaction — which ranges from silence to vocal support — to the Lafayette Square fiasco in Washington D.C. six weeks ago, and their continuing silence/support of what’s now happening in Portland. But more than mere hypocrisy or even fantasy, it’s projection: “attributing one’s own unacceptable urges to another”. Rightwing nuts live in constant fear of an armed fascist crackdown from the left because they assume the left would abuse such power against them in the ways they would abuse power (and now are) against the left. It’s always been obvious, but now it’s transparently so.
Sergio Olmos, Mike Baker, and Zolan Kanno-Youngs, reporting from Portland for The New York Times:
Federal agents dressed in camouflage and tactical gear have taken to the streets of Portland, unleashing tear gas, bloodying protesters and pulling some people into unmarked vans in what Gov. Kate Brown of Oregon has called “a blatant abuse of power.”
The extraordinary use of federal force in recent days, billed as an attempt to tamp down persistent unrest and protect government property, has infuriated local leaders who say the agents have stoked tensions.
“This is an attack on our democracy,” Mayor Ted Wheeler of Portland said. […]
In a statement issued on Friday, Customs and Border Protection said agents who made the arrest had information that indicated a suspect had assaulted federal authorities or damaged property and that they moved him to a safer location for questioning. The statement said that the agents identified themselves but that their names were not displayed because of “recent doxxing incidents against law enforcement personnel.”
We don’t have secret police in the United States. Well, we didn’t.
Ken Klippenstein, reporting for The Nation:
While many people have criticized the alleged lawlessness of the arrests, some even engaging in conspiracy theories about them, these arrests are likely legal, according to current and former federal law enforcement officials interviewed by The Nation. And that’s exactly what makes them so troubling, explains Jenn Budd, a former senior Border Patrol agent.
“During the DC protest, many federal agents removed their insignia,” Budd explained, referring to a June 1 protest in front of the White House where protesters were teargassed. “What the agencies discovered was that they could do this without much blowback from Congress,” Budd explained.
A former senior DHS intelligence officer explained that while other federal agencies are required to wear identifiers when conducting arrests — NCIS agents have to wear both marked jackets and hats during arrests, for example — that is not the case with the DHS. “The fact is, they don’t have to do anything in marked vehicles,” he said. “Such operations happen all the time and at the discretion of supervisors.”
More fuel for the argument that the entire Department of Homeland Security should be disbanded.
Maryland governor Larry Hogan, writing in The Washington Post:
Meanwhile, instead of listening to his own public health experts, the president was talking and tweeting like a man more concerned about boosting the stock market or his reelection plans.
America’s governors took a different approach. In early February, we descended on Washington for the annual winter meeting of the National Governors Association. As chairman, I had worked closely with the staff for months assembling the agenda, including a private, governors-only briefing at our hotel, the Marriott Marquis, to address the growing viral threat. We brought in Anthony Fauci, the director of the National Institute of Allergy and Infectious Diseases, who was already widely admired but whose awesome knowledge and straight-talking style hadn’t yet made him a national rock star; CDC head Robert Redfield; Ken Cuccinelli, the acting deputy secretary of homeland security; Jay Butler, the CDC’s deputy director for infectious diseases; and Robert Kadlec, assistant secretary for preparedness and response at the Department of Health and Human Services.
They hit us with detailed presentations and the unfiltered truth, as well as it was known then. I remember hearing many dire claims: “This could be catastrophic.… The death toll could be significant.… Much more contagious than SARS.… Testing will be crucial.… You have to follow the science — that’s where the answers lie.”
It was jarring, the huge contrast between the experts’ warnings and the president’s public dismissals. Weren’t these the people the White House was consulting about the virus? What made the briefing even more chilling was its clear, factual tone. It was a harrowing warning of an imminent national threat, and we took it seriously — or at least most of us did. It was enough to convince almost all the governors that this epidemic was going to be worse than most people realized.
In theory it shouldn’t, but in practice it matters that Hogan is not just a Republican governor, but a popular one. Hogan’s scathing condemnation of the president’s response to the COVID-19 crisis puts the lie to the notion that the fundamental problem with Trump and his remaining supporters is about the left/right political divide. It’s about the science/anti-science divide, deferring to expertise vs. defiant know-nothing-ism as a political stance. There is nothing conservative or liberal about combating a pandemic.