

Twitter's May hack has taken more embarrassing twists. The company is now considering legal action against blog site TechCrunch and others who posted some of the stolen materials. The news raises unpleasant questions for TechCrunch about whether its bloggers compromised their journalistic integrity.  (Source: ICanHasCheezburger.com)
<tweet>Things aren't going too well here at Twitter, we just got hacked and now everyone is reporting on it... </tweet>

In May a hacker broke into Twitter and stole over 310 pages of confidential documents and secured access to some of its employees' accounts.  Reportedly the malicious user gained access to the site initially by using the site's password-question system, the same system that allowed individuals to hack Sarah Palin's Yahoo email account last year.  "Hacker Croll" distributed internal Twitter documents that he stole to various news agencies -- most refused to release them.

A few, however, did.  According to TomSoft, accounts on Amazon, Apple, AT&T, Gmail, MobileMe, and PayPal belonging to Twitter co-founder Evan Williams, his wife Sara Morishige Williams, and Twitter employees Margaret Utgoff and Kevin Thau were compromised.  Mr. Landspurg posted screenshots from Croll as evidence of the hack.

TechCrunch also reported on the documents, though it has been careful not to release too many details.  Ironically, TechCrunch was one of Twitter's favored sites, which it recommended its users visit.  TechCrunch's Robert Scoble comments, "TechCrunch is on Twitter's Suggested User List.  They have been gifted about 880,000 followers by being on that list, AKA "SUL". That's worth a lot of money."

Evan Williams wrote in a blog yesterday, "We are in touch with our legal counsel about what this theft means for Twitter...and anyone who accepts and subsequently shares or publishes these stolen documents. We're not sure yet exactly what the implications are for folks who choose to get involved at this point but when we learn more and are able to share more, we will."

Most of the published documents are mildly embarrassing, but don't contain anything dynamite against the company.

The debacle is uncomfortable for everyone involved.  The bloggers and journalists who published the materials unquestionably accepted documents they knew to be illegally obtained.  Furthermore, TechCrunch was selective about which documents to publish.

According to Reuters, Twitter and TechCrunch negotiated the release of the obtained information to the public.



Comments

I CAN HAZ GRAMMERZ
By EricMartello on 7/16/2009 1:45:12 PM , Rating: 3
quote:
In May a hacker broke into Twitter and stole over 310 pages of confidential documents and secured access to some of its employees' accounts.


f1Xx0r3d

Anyway, I don't think those password questions are a good idea. Someone with an otherwise solid password LESSENS the security of their account with moronic, easy to guess questions like:

"Where do you live the most?" -America

"What is your cat's name?" -Spot

"What is your dog's name?" -Spot

It's just too easy to guess these and then gain access to a user's account. Instead they should just advocate that users stop using "passWORDS" and move to "passPHRASES" that are 20 char or less. It's not that hard to remember a phrase, no more difficult than it is to remember an obfuscated word.




RE: I CAN HAZ GRAMMERZ
By aKarma on 7/16/2009 2:11:28 PM , Rating: 5
Or people could just remember their passwords (shock horror)


RE: I CAN HAZ GRAMMERZ
By EricMartello on 7/16/2009 2:19:49 PM , Rating: 5
What's easier to remember?

"p4ssW0rD!" (a "good" password)

or

"This is my super-secret password! Don't hack me!" (passphrase)

Then ask yourself which is more secure...

Even I forget passwords because I don't use the same one in all instances. I probably wouldn't use the same passphrase either, but at least I can have the same or better security with a plain-English phrase than I can with a password consisting of numbers, random punctuations and strange capitalization.


RE: I CAN HAZ GRAMMERZ
By JasonMick (blog) on 7/16/2009 2:30:39 PM , Rating: 4
Actually, both systems are okay. Some people I know can easily recall 12 char or longer passwords, which use foreign words and numbers. Others prefer passphrases.

The problem is people using dictionary words with standard spelling for their password. A similar problem arises with passphrases -- many people blindly adopt popular passphrases presented on the internet like "Remember the milk".

Ultimately there's ways to defeat every security scheme. I do agree, though, that password retrieval systems are horrible ideas as they work with easily determined public information or easily guessed information like -- what was your first car? (x person was born in xxxx, started driving in xxxx -- guess makes and models within 5 years...) The only way to use such systems with a degree of certainty is to lie. e.g. *Ahem* my first car was... the Model T.


RE: I CAN HAZ GRAMMERZ
By EricMartello on 7/16/2009 2:43:40 PM , Rating: 2
The thing I'm trying to get at is that you can make a plain English (or whatever your native language is) passphrase using dictionary words and have it be at least as secure as a 'tricky' password. Yes, it is true that common phrases like the one you mentioned are a bad idea and it's also true that nothing is 100% secure, but these days any given person on the net has at least 5 logins and hopefully they are not using the same ID/PW combo on all of them.

Ironically, institutions which should have the highest security like banks and brokerage accounts FORCE their clients to answer three of those password questions, sometimes more. I think BoA wanted me to do 5 at some point...and I can assure you that most people are answering those questions with simple, easy to guess dictionary words. It's like they want to make it easier for hackers.

The way I handle those questions is like this:

Q: What is your older brother's name?
A: My brother was killed in Iraq.

Q: What was your first car?
A: I believe in global warming. Cars are evil.


RE: I CAN HAZ GRAMMERZ
By jsonc on 7/16/2009 3:31:35 PM , Rating: 2
I totally agree. I usually answered security questions with answers that have no relation to the questions. It works so well that I even forget the answer to certain questions at times. Answering security questions is asking to be hacked.


RE: I CAN HAZ GRAMMERZ
By Tegeril on 7/17/2009 5:00:27 PM , Rating: 3
I use a separate alphanumeric password for the answers to those questions :)


RE: I CAN HAZ GRAMMERZ
By Runiteshark on 7/16/2009 5:15:47 PM , Rating: 3
I prefer the passphrase "Centipedes? In my vagina? Its more likely then you think."

Oh hell, time to change my passwords.


RE: I CAN HAZ GRAMMERZ
By Smilin on 7/16/2009 6:34:24 PM , Rating: 2
Although I agree with your point neither are good options as the phrase is comprised entirely of dictionary words.

Try your phrase this way:

"Timssp!Dhm!"

My big suggestion:
DO write down your passwords. Seriously. If they are so simple that you can memorize more than a few of them then they suck. Keep the paper in a safe place and not on a post-it note obviously.

Passwords as a whole need to go the way of the dinosaur.


RE: I CAN HAZ GRAMMERZ
By Tamale on 7/17/2009 12:12:34 PM , Rating: 2
I'm still of the opinion that we should have computing education courses just like we have driver's ed courses.. and you can't buy / use a computer without passing.

maybe then we'd start seeing less security problems.


RE: I CAN HAZ GRAMMERZ
By BrianMCan on 7/20/2009 12:03:54 PM , Rating: 2
I don't know about your area... but the drivers around here scare me, I think they need more testing, and have to do a driving re-test every 5 or 10 years to keep the terrible ones off the road.


RE: I CAN HAZ GRAMMERZ
By cochy on 7/16/2009 3:00:34 PM , Rating: 2
I agree the secret question is a large security hole as these are much easier to compromise than the actual password itself. Personally I just use a secondary password for all the secret questions. If I somehow forget both well most of the time technical support can help you out.


RE: I CAN HAZ GRAMMERZ
By MonkeyPaw on 7/16/2009 8:42:31 PM , Rating: 3
"What's the combination?"

"1-2-3-4-5. "

"1-2-3-4-5?"

"Yes."

"That's amazing! I've got the same combination on my luggage!"


RE: I CAN HAZ GRAMMERZ
By JimboK29 on 7/17/2009 10:09:23 PM , Rating: 2
Why do people post secret questions with generic answers???? My Twitter secret question has nothing to do with my answer, but it triggers my answer. Well, sometimes.


Evan Williams Is No Lawyer.
By Tom mc3s on 7/17/2009 1:53:33 AM , Rating: 2
First of all, it's best that the bloggers and journalists accepted the info unquestionably. They are allowed to do so and are allowed to print information they know was acquired illegally. As long as they are not responsible for the acquisition they should remain as distanced as they can from how it was obtained. Much larger media outlets have been doing this for many many decades. Now they may have a claim against those that published this information but it's going to be an uphill climb to do so. I didn't see much that was released that could be construed as damaging. At best they can get the individual responsible on a felony charge but it's a much harder case to take on the media.

Furthermore, there was no "theft" that took place here so I'm not sure what Mr. Williams is trying to accomplish with his wording. Perhaps he's dumbing it down or over sensationalizing it. Either way it does get tiring when 1's and 0's being copied is considered theft. Words have meanings and it's best not to arbitrarily throw them around. What he meant to say is that private information was illegally obtained.




RE: Evan Williams Is No Lawyer.
By tmouse on 7/17/2009 8:01:45 AM , Rating: 2
So by your definition Identity theft is not a theft? There are MANY statutes that describe the unlawful access of information as theft.


RE: Evan Williams Is No Lawyer.
By rdeegvainl on 7/17/2009 8:29:37 AM , Rating: 2
nope, it's fraud


RE: Evan Williams Is No Lawyer.
By tmouse on 7/20/2009 8:06:13 AM , Rating: 2
The use is fraud, taking the information is the theft. You can be prosecuted for having information you have not used.


RE: Evan Williams Is No Lawyer.
By tmouse on 7/20/2009 8:31:46 AM , Rating: 2
This is of course subject to jurisdiction (as most legal things are). In Texas for example theft is codified as:

"Every one commits theft who fraudulently and without color of right takes, or fraudulently and without color of right converts to his use or to the use of another person, anything, whether animate or inanimate, with intent

•to deprive, temporarily or absolutely, the owner of it, or a person who has a special property or interest in it, of the thing or of his property or interest in it;
•to pledge it or deposit it as security;
•to part with it under a condition with respect to its return that the person who parts with it may be unable to perform; or
•to deal with it in such a manner that it cannot be restored in the condition in which it was at the time it was taken or converted.

"A person commits theft when, with intent to steal anything, he moves it or causes it to move or to be moved, or begins to cause it to become movable.

"A taking or conversion of anything may be fraudulent notwithstanding that it is effected without secrecy or attempt at concealment."

As you can see even pledging something for security can also be considered as theft. Now some have argued that theft applies only to property, while this is true; in many legal circles the definition of property is not the same as we would think. In Manrell v. Canada 2003 FCA 128 the Federal Court of Appeal adopted these words:

"Property is sometimes referred to as a bundle of rights. This simple metaphor provides one helpful way to explore the core concept. It reveals that property is not a thing, but a right, or better, a collection of rights (over things) enforceable against others. Explained another way, the term property signifies a set of relationships among people that concern claims to tangible and intangible items.
"It is implicit in this notion of property that property must have or entail some exclusive right to make a claim against someone else. A general right to do something that anyone can do, or a right that belongs to everyone, is not the property of anyone."

Again in Texas, property is divided as Real (immoveable property) like land and personal (moveable property also known as chattels). Personal property is also further divided as tangible and intangible property, of which information is an example.


ROFLMAO
By DigitalFreak on 7/16/2009 7:43:29 PM , Rating: 5
If it was anyone but Twitter, I might actually care.




Man...
By MrBlastman on 7/16/2009 1:21:49 PM , Rating: 2
What a twit.




RE: Man...
By FaceMaster on 7/28/2009 8:36:51 PM , Rating: 2
quote:
What a twit.


Nah. He's worser than that. He's a twitter.


Password recovery question
By overlandpark4me on 7/16/2009 11:31:01 PM , Rating: 2
Password question:

What's your favorite website?

Answer: Twitter.

Ya think?




Is Google getting a free pass here?
By Smilin on 7/16/09, Rating: 0














Copyright 2009 DailyTech LLC.