Twitter Got Hacked, Is Mastodon Immune?(mikestone.me)
mikestone.me
Twitter Got Hacked, Is Mastodon Immune?
https://mikestone.me/twitter-got-hacked-is-mastodon-immune
91 comments
With every account the user is a point of failure. Just like Twitter users can also fall victim to social engineering.
On top of that, it's possible that some Mastodon instances have weak security.
But others will not.
So there will never be a full-blown Mastodon hack just like there's never been a full-blown email hack.
On top of that, it's possible that some Mastodon instances have weak security.
But others will not.
So there will never be a full-blown Mastodon hack just like there's never been a full-blown email hack.
You're making an argument for why Mastodon is more immune here and not less. Since there are many different servers administered in different ways by many different users, you have to infiltrate each server on case by case basis. This is orders of magnitude more effort than compromising a single administrator and getting access to the entire network.
I think the point is that good security takes effort and that is something that economies of scale help with. When each instance is run by a single administrator, it is much harder for anyone to have high quality security,
Counterpoint is that a distributed system doesn't have a central point of failure, so the effort to subvert the entire network is significantly more involved. So, as everything it's trade offs, but a distributed system will be more robust overall.
Even though federation is big thing, saturation of users in single instance and poor moderation are problems.
So,if users are very huge in single instance(mastodon main instance is the example) and the moderation is not likeable,there will be problems.
Also federation like this is new to people.
Will it work out? Currently, not likely.
Also,it can't be claimed immune. Bugs might be present.
So,if users are very huge in single instance(mastodon main instance is the example) and the moderation is not likeable,there will be problems.
Also federation like this is new to people.
Will it work out? Currently, not likely.
Also,it can't be claimed immune. Bugs might be present.
Currently, Mastodon is a federation with millions of users on it, and it's been working for many years now. So, it's very clear that it's already worked out.
I think that the point being made was that there's nothing in Mastodon to counteract the natural tendency of people to concentrate in a relatively small number of individual online spaces.
A quick eyeball of the English-language instances listed on instances.social, sorted by # of users, would suggest that this is true. There are a couple very large general-purpose instances, but after that it's largely much smaller topical communities.
My hypothesis would be that, if one tracked these numbers over time, it would turn out that the larger ones aren't just bigger, they also grow at a faster rate. So, if Mastodon were to grow to the scale of one of the major social networks, we'd also find that the users were mostly all clumped into a single instance that's roughly the size (and level of nastiness) of one of the major social networks.
At which point, from a social impact perspective, the fact that Mastodon is, from a technical standpoint, open and federated, would be beside the point.
A quick eyeball of the English-language instances listed on instances.social, sorted by # of users, would suggest that this is true. There are a couple very large general-purpose instances, but after that it's largely much smaller topical communities.
My hypothesis would be that, if one tracked these numbers over time, it would turn out that the larger ones aren't just bigger, they also grow at a faster rate. So, if Mastodon were to grow to the scale of one of the major social networks, we'd also find that the users were mostly all clumped into a single instance that's roughly the size (and level of nastiness) of one of the major social networks.
At which point, from a social impact perspective, the fact that Mastodon is, from a technical standpoint, open and federated, would be beside the point.
As someone who uses Mastodon semi-regularly, I can tell you that the majority of active users are not on the large instances. Most active users are on extremely small instances moderated by single individuals, and most instances are actually extremely short lived. It's common to get DMs from accounts saying that they've migrated from foo.social to bar.social every once in a while. Most people also have alts on multiple instances. My theory is that the largest instances are only large because they are the instances that have been around for the longest, and therefore have had time to accumulate a large amount of inactive accounts.
If scaling is the issue, try pleroma. Its based on elixir Phoenix. https://pleroma.social/
Mastodon is immune because it doesn't have any influential users.
In the same way that OSX was immune for viruses from decades.
Security by obscurity:D
More like deterrence by "poverty" - if you don't have anything remotely valuable to them to exploit you don't need any security.
Not just that, it is also the distributed and transient nature - one instance can become far more popular than the next far easier than a twitter clone can. This makes it hard to gain and sustain traction on the platform not designed for it. Extreme example is 8chan kind of boards.
Imagine how twitter will be if it never displayed any counts - followers, like, retweets etc nothing is shown to the user, even if they used all of it in the background, just by not showing it will have enormous impact on user behaviour.
Linkedin did that by not showing connection count beyond 500, to dis-incentivize people from making connection requests like facebook friend requests.
Architecture in Mastodon case makes it not attractive for influencers as compared to other platforms(IG, twitter etc) where they have higher Return on Effort put in.
Imagine how twitter will be if it never displayed any counts - followers, like, retweets etc nothing is shown to the user, even if they used all of it in the background, just by not showing it will have enormous impact on user behaviour.
Linkedin did that by not showing connection count beyond 500, to dis-incentivize people from making connection requests like facebook friend requests.
Architecture in Mastodon case makes it not attractive for influencers as compared to other platforms(IG, twitter etc) where they have higher Return on Effort put in.
And that is a feature. Influencers are best in IG , FB, Twitter and HN , is where they get their public.
This is a mostly trivial article with a terrible clickbaity title. "Hacked"? "Immune"? No, and no.
Could a Mastodon server be compromised? Of course. Would it affect all of Mastodon? Of course not, because it's distributed. Duh.
Could a Mastodon server be compromised? Of course. Would it affect all of Mastodon? Of course not, because it's distributed. Duh.
If mastodon had a security hole they could all be owned at the same time. Fediverse servers on different software would be unaffected unless the hole is in a library used by both.
The Twitter account takeover was an inside job.
To be fair, the article is just part of a challenge to write 100 blog posts in 100 days. Nothing wrong with writing whatever you want, although the title of the post is still terrible. The question is, why did anyone think this article was worth submitting to HN?
To be fair, the article is just part of a challenge to write 100 blog posts in 100 days. Nothing wrong with writing whatever you want, although the title of the post is still terrible. The question is, why did anyone think this article was worth submitting to HN?
Yes I'm aware. An inside job against mastodon would be harder. A few people may be able to deliberately insert malicious code but that goes for any open source project.
My website didn't get hacked either. Of course it only gets a few dozen hits a day from a sophisticated audience so it is not really a target.
Mastodon at the moment is basically a cozy little community. If a bunch of celebrities joined you can be sure they would all be on a professionally managed server - a tempting single-point of attack in the same way that the Twitter admin console was.
Mastodon at the moment is basically a cozy little community. If a bunch of celebrities joined you can be sure they would all be on a professionally managed server - a tempting single-point of attack in the same way that the Twitter admin console was.
Mastodon has millions of users now, and it's a part of a bigger fediverse community. Let's not belittle open source alternatives to commercial social media. The point that the article makes is that while obviously nothing can be immune, the same kind of hack would not be possible because Mastodon is decentralized. If you trick a single Twitter employee into giving you credentials, then you can get access to the entire Twitter network as recently happened. However, with Mastodon you'd have to convince the maintainer of each individual instance to give you access which is a much trickier proposition. Distributed nature of the network removes single points of failure.
I don't mean to belittle Mastodon, it is a cool project. But it doesn't face the problems that makes Twitter such a tempting target, and slightly smug blog posts are not going to convince anyone otherwise.
The twitter attackers had access to everything but only used it to target a few users. A hypothetical Mastodon attacker might only have access to a single server but that would likely be enough to perform the same actions.
The twitter attackers had access to everything but only used it to target a few users. A hypothetical Mastodon attacker might only have access to a single server but that would likely be enough to perform the same actions.
But what could happen is that your instance get destroyed.
I can trust Twitter to have backups. I know almost nothing about the community-served Mastodon instance on which I created an account, and I'm kinda locked there.
I can trust Twitter to have backups. I know almost nothing about the community-served Mastodon instance on which I created an account, and I'm kinda locked there.
How about this?
"I can trust Gmail to have backups. I know almost nothing about the corporate-provided mail service on which my administrator created my account, and I'm kinda locked there."
"I can trust Gmail to have backups. I know almost nothing about the corporate-provided mail service on which my administrator created my account, and I'm kinda locked there."
I'm not sure common personal websites are a great analogy to Mastodon... Does your website allows millions of people to interact with each other bidirectionally WHILE being decentralized - in the sense that no single authority can takeover/remove content over ALL the ecosystem? Because that's what Mastodon tries to be.
I know that a disproportionately large instance may attract the level of attacks that twitter gets, but - while I'm ignorant of all possible attack vector of activitypub or all mastodon instances - I think it would be hard to take over all those celebrities accounts if they are split among several instances.
Each instance admin could potentially try to interrupt the attack on their users on their own.
I'm sure ActivityPub and Mastodon are not flawless but I think that if they decentralized in the right way, it does prevent this type of attacks such as the ones witness on Twitter. It's not even through obscurity, it's just through friction of having multiple admins to deal with.
I know that a disproportionately large instance may attract the level of attacks that twitter gets, but - while I'm ignorant of all possible attack vector of activitypub or all mastodon instances - I think it would be hard to take over all those celebrities accounts if they are split among several instances.
Each instance admin could potentially try to interrupt the attack on their users on their own.
I'm sure ActivityPub and Mastodon are not flawless but I think that if they decentralized in the right way, it does prevent this type of attacks such as the ones witness on Twitter. It's not even through obscurity, it's just through friction of having multiple admins to deal with.
> Obviously Mastodon has it's own internal tools, but those tools on mastodon.social have absolutely no effect on Fosstodon, and vise versa.
Mastodon has "post as user" in its internal tools? Why?
Mastodon has "post as user" in its internal tools? Why?
AFAIK Twitter's internal tools allowed to reset emails and circumvent 2FA, not post as users.
Do Mastodon's internal tools allow administrators to circumvent 2FA?
Not directly. You can do it with access to the instance's Postgres database, but I'd expect relatively few instance admins (as opposed to instance owners) to have that; the admin tools don't include a database console, and you can't use a credential for the admin tools to authenticate to the database.
If you are the instance owner you can do whatever you want. Additionally, many instances are installed on a single host (https://masto.host) and almost all instances are on VPS in various managed clouds.
tootctl accounts modify USERNAME --disable-2fa --reset-password
Then check your mail server for outgoing mail, and use the mail sent to the user to change the password.
Then check your mail server for outgoing mail, and use the mail sent to the user to change the password.
The vast majority of instances are one man shows where the admin also has root access to the server the instance is running on. Aside from that I don't think there's anything on the Mastodon webapp itself that lets you post as a user. It's mostly limited to blocking/hiding instances and users.
Just for interest's sake I looked at joining a Mastodon instance. There was an application form to fill out which expected comprehensive answers to four questions about myself, my motivation for joining and my interests. I found it surprising but maybe it works for them.
The thing about federation is that every instance can have their own criteria for joining. I haven't seen one that requires an application like that, but it doesn't surprise me. But surely if you just want to spin the wheels there are instances that are easier to join.
Yes thank you. I might do that, that one was the most interesting sounding one see the time.
That’s specific to the instance. Each one can individually choose to have open registration, moderated registration (like the instance where you applied), or invitation-only.
Thanks for your reply and the information. Did not see it until now.
I would think it would depend on specific instances, the age of the server in use and any bugs that may exist, or the motivations and access to administrative tools.
It could be easier and harder to target celebrity accounts, but would again depend on the specific hosts.
It could be easier and harder to target celebrity accounts, but would again depend on the specific hosts.
The attacker gained access to the admin interface, I'm pretty sure this is also possible with Mastodon. Just you have to gain access to the right server. If someone attacks server A and the actual target is on server B, they are out of luck.
The difference is that you can't compromise the whole federation by compromising a single server the way you can with Twitter.
That was kinda my point. Mastadon has sadly other issues which let me stick with Twitter.
I use both, and I find that I generally prefer Mastodon nowadays. I find it's strictly better, and a lot snappier as well. Meanwhile, the community is now large enough that there's no lack of interesting content.
Security through obscurity, not a valid security plan. Regarding things like hacking into prominent accounts, DDOS/DOS attacks obscurity means it isn't worth the effort, like the author points out.
The article isn't talking about security through obscurity at all. What it says is that Mastodon doesn't have a single point of failure like Twitter because it's a distributed network. With Twitter you can hack the entire network by compromising a single employee into giving you their credentials. With Mastodon you'd have to exploit each individual instance independently. This is orders of magnitude more effort.
This is what suggests that: "For the time being, Mastodon remains a small enough presence in the social media sphere that this kind of attack hasn't been worth the time."
Yes, this is what I was referencing from the author.
Git is decentralized version control. I would bet a site like Github protects itself from mass attacks because of its popularity. It has nothing to do with decentralized software.
If a specific Mastodon node becomes super popular then it should have a plan to protect itself from these types of attacks.
Git is decentralized version control. I would bet a site like Github protects itself from mass attacks because of its popularity. It has nothing to do with decentralized software.
If a specific Mastodon node becomes super popular then it should have a plan to protect itself from these types of attacks.
Sure, however the more important point here is that this kind of attack is fundamentally more difficult to carry out and less effective than it would be against a centralized service.
[deleted]
It's "immune" to the extent that it is impossible to have a coherent identity across instances.
This is akin to saying you can't have a coherent identity across instances for email. It's a nonsensical statement because the whole point of having a federation is that you have identity on one instance and you can interact with people from other instances.
[deleted]
> Unless you've been hiding under a rock the last week or so
What’s the purpose of starting a blog post like that? The phrase is a cliché, and not a polite one. Whatever follows that introduction is either something the reader already knows and has fresh in memory (thus useless to mention) or you’re calling them oblivious.
A sentence that’s irrelevant or mocking the reader seems like a poor way to start an essay.
Most of us would do well to “hide under a rock” for a while. News and the way they are presented to us are stressful and largely irrelevant. Chances are you could live the rest of your life without knowing Twitter was hacked.
What’s the purpose of starting a blog post like that? The phrase is a cliché, and not a polite one. Whatever follows that introduction is either something the reader already knows and has fresh in memory (thus useless to mention) or you’re calling them oblivious.
A sentence that’s irrelevant or mocking the reader seems like a poor way to start an essay.
Most of us would do well to “hide under a rock” for a while. News and the way they are presented to us are stressful and largely irrelevant. Chances are you could live the rest of your life without knowing Twitter was hacked.
Humans communicate using an imprecise language. Some parts of our language are designed to convey belonging and familiarity - rather than facts.
Why do fairy tales start with "once upon a time"? It helps the reader feel familiar with the text they're about to encounter. Why do formal speeches start with "Ladies and Gentlemen"? The audience knows the expectation of formality which that structure provides.
In this case, the author is using a cliché for a couple of purposes. This first is to let the reader know that this is an informal piece of work and shouldn't be treated as a rigorous scholarly article.
The second is, hopefully, to make the reader feel "in the know". Anyone from the target audience reading that might think "I haven't been hiding under a rock! Unlike other people who read this. I am smart!"
Not every piece of writing has to be original. Clichés exist to help guide people through unfamiliar territory and to provide them reassurance.
And they all lived happily ever after.
Why do fairy tales start with "once upon a time"? It helps the reader feel familiar with the text they're about to encounter. Why do formal speeches start with "Ladies and Gentlemen"? The audience knows the expectation of formality which that structure provides.
In this case, the author is using a cliché for a couple of purposes. This first is to let the reader know that this is an informal piece of work and shouldn't be treated as a rigorous scholarly article.
The second is, hopefully, to make the reader feel "in the know". Anyone from the target audience reading that might think "I haven't been hiding under a rock! Unlike other people who read this. I am smart!"
Not every piece of writing has to be original. Clichés exist to help guide people through unfamiliar territory and to provide them reassurance.
And they all lived happily ever after.
Your first examples are timeless and neutral. They don’t convey when they were written and make no assumptions of the reader.
The author’s intro will be relevant for a few months at best and has a negative connotation. I doubt anyone will feel empowered or happy by the author’s phrasing.
I agree clichés have a purpose. I’m commenting on this one because I feel it has no redeeming qualities.
The author’s intro will be relevant for a few months at best and has a negative connotation. I doubt anyone will feel empowered or happy by the author’s phrasing.
I agree clichés have a purpose. I’m commenting on this one because I feel it has no redeeming qualities.
No in this case you are negative.
It could read as funny. No way I've been hiding under a rock silly my 4 year old might say.
Informative: I have been at the cottage this week what happened?
Creates a narrative/introduction: I've been following this story what's new?
There are people who will turn it into.. I've only been following this a bit. I suck, I could do better. Why did I waste my time on some other story? I need to do better in life.
How you perceive that old boring saying tells us about you.
It could read as funny. No way I've been hiding under a rock silly my 4 year old might say.
Informative: I have been at the cottage this week what happened?
Creates a narrative/introduction: I've been following this story what's new?
There are people who will turn it into.. I've only been following this a bit. I suck, I could do better. Why did I waste my time on some other story? I need to do better in life.
How you perceive that old boring saying tells us about you.
I agree it could be read in different ways, though that could be said of anything. Even your mood or current context can influence how you perceive what you read.
I don’t think being old and boring is a reason to not reevaluate our words; I find doing so can be interesting.
I don’t think being old and boring is a reason to not reevaluate our words; I find doing so can be interesting.
The entirety of the article is relevant for a few months at best.
As for the negative connotation, it's certainly there, but it sure seems to me that it's meant to be taken facetiously, presumably made under the assumption that it's relatively unlikely to offend anyone. I would guess that a Venn diagram of people who read this blog (or follow news sites that would link an article on this blog), and people who hadn't heard of the Twitter hack, probably looks a lot like an illustration of Mars and the Sun, drawn to scale.
There's always Scalzi's Law waiting in the wings when someone tries to be humorous on the Internet, but, considering that this particular formula doesn't have any clearly discernible minority group as its victim, or anything like that, I'm inclined to say it's safe to stick to HN's 3rd guideline on commenting here.
As for the negative connotation, it's certainly there, but it sure seems to me that it's meant to be taken facetiously, presumably made under the assumption that it's relatively unlikely to offend anyone. I would guess that a Venn diagram of people who read this blog (or follow news sites that would link an article on this blog), and people who hadn't heard of the Twitter hack, probably looks a lot like an illustration of Mars and the Sun, drawn to scale.
There's always Scalzi's Law waiting in the wings when someone tries to be humorous on the Internet, but, considering that this particular formula doesn't have any clearly discernible minority group as its victim, or anything like that, I'm inclined to say it's safe to stick to HN's 3rd guideline on commenting here.
> As for the negative connotation, it's certainly there, but it sure seems to me that it's meant to be taken facetiously
I agree. I don’t think the author (or most people who use the sentence) wrote that to be intentionally disparaging. But I also think it’s healthy to reevaluate the idioms we use on auto-pilot.
My commentary is on the phrase, not the author.
I agree. I don’t think the author (or most people who use the sentence) wrote that to be intentionally disparaging. But I also think it’s healthy to reevaluate the idioms we use on auto-pilot.
My commentary is on the phrase, not the author.
The parent showed two good examples why it isn't completely negative: informality signaling and tribal/relevance awareness signaling. The fact that some people aren't part of the tribe doesn't mean that it serves no purpose.
Not all writing has to appeal to or be directed towards everyone.
Not all writing has to appeal to or be directed towards everyone.
Too much sugar is bad for you.
“Of course too much is bad for you. Too much of anything is bad for you. (…) That’s what “too much” means. (…) “Too much” is precisely that quantity which is excessive. That’s what it means.”
From https://youtu.be/XewVicFzRxw?t=2m44s
From https://youtu.be/XewVicFzRxw?t=2m44s
I suppose that if you start with an obvious fact without any disclaimer of that then it gives the impression that everything else will be obvious too, and so the article isn't worth reading. They could perhaps have phrased it a bit differently e.g. "you're no doubt aware that ...". Personally, I wasn't offended.
It reminds of something a little different but on a similar theme: the advice to never say "clearly, ..." in lectures, because it serves no purpose except to intimidate people that don't already know what follows. Actually, it does serve a purpose: so that people who do find it trivially obvious aren't thrown off wondering if there's something deeper there than they had realised.
It reminds of something a little different but on a similar theme: the advice to never say "clearly, ..." in lectures, because it serves no purpose except to intimidate people that don't already know what follows. Actually, it does serve a purpose: so that people who do find it trivially obvious aren't thrown off wondering if there's something deeper there than they had realised.
This. Those phrases are useful for distinguishing between “I’m giving new information” vs “I’m starting from what I expect to be common knowledge”.
And yes, it’s possible to abuse such phrases but that doesn’t mean they don’t have their place.
And yes, it’s possible to abuse such phrases but that doesn’t mean they don’t have their place.
The comment wasn’t on those types of phrases, but on that phrase in particular. There are better (more positive, don’t lose significance) ways to convey that information: https://news.ycombinator.com/item?id=23897649
Honestly, your comments so far were the most negative thing I saw in all this.
The intro provides no information now, and the the more time passes the more irrelevant it will be. A variant of “it’s all over the news that Twitter got hacked” would do the same job without commenting on the reader.
The author didn’t even need to rephrase the sentence. Cutting everything up to the first comma would be an instant improvement with zero effort, conveying the same information just as clearly and in less words:
> You probably know that Twitter got “hacked”.
The author didn’t even need to rephrase the sentence. Cutting everything up to the first comma would be an instant improvement with zero effort, conveying the same information just as clearly and in less words:
> You probably know that Twitter got “hacked”.
> What’s the purpose of starting a blog post like that?
The author is excusing themselves for beginning the post by adding some context - that is likely already well-known to readership. They are saying "yes, I know you already know this, but please excuse me while I pop in some context in case there's a reader who is unfamiliar with it".
Hope this helps.
The author is excusing themselves for beginning the post by adding some context - that is likely already well-known to readership. They are saying "yes, I know you already know this, but please excuse me while I pop in some context in case there's a reader who is unfamiliar with it".
Hope this helps.
Speaking of hiding under a rock, this is the first I'm hearing of Mastodon. Is it really an issue if Mastodon gets hacked? Do any notable people like Bill Gates or Obama use it, or would it be like how people were impersonating politicians on Parler [1]?
[1] https://www.politico.com/news/2020/07/02/republicans-parler-...
[1] https://www.politico.com/news/2020/07/02/republicans-parler-...
Wil Wheaton was on it for a while and gained a significant following (relatively speaking) but then he got cancelled: https://mastodon.cloud/@wilw/100635779449174251
In theory, people of note would have their own instances which are run and provided by their employers.
This feels a little over sensitive. As you say yourself it’s just a turn of phrase!
> News and the way they are presented to us are stressful and largely irrelevant.
This perspective comes from privilege. Nothing wrong with that but I could just as easily complain that assuming everyone has the luxury of ignoring the news is insulting in the way you think the original post was.
> News and the way they are presented to us are stressful and largely irrelevant.
This perspective comes from privilege. Nothing wrong with that but I could just as easily complain that assuming everyone has the luxury of ignoring the news is insulting in the way you think the original post was.
> This feels a little over sensitive. As you say yourself it’s just a turn of phrase!
That’s a limitation of text. Were we conversing in person, I doubt you’d have felt that. I don’t feel personally attacked by the sentence, I just don’t think it’s a good one.
> I could just as easily complain that assuming everyone has the luxury of ignoring the news
I did mention “for a while”.
To clarify, there are relevant news we should and want to know. My concern is about the barrage we are fed, not in the name of keeping us informed, but to keep us glued for more.
That’s a limitation of text. Were we conversing in person, I doubt you’d have felt that. I don’t feel personally attacked by the sentence, I just don’t think it’s a good one.
> I could just as easily complain that assuming everyone has the luxury of ignoring the news
I did mention “for a while”.
To clarify, there are relevant news we should and want to know. My concern is about the barrage we are fed, not in the name of keeping us informed, but to keep us glued for more.
> What’s the purpose of starting a blog post like that? The phrase is a cliché, and not a polite one.
Different writers have different esthetics, Some have developed a more refined taste and a more exact language; while others have a less cultivated taste and are more given to cliches, mixed metaphors, tired jokes, and so on. It's a matter of style.
Different writers have different esthetics, Some have developed a more refined taste and a more exact language; while others have a less cultivated taste and are more given to cliches, mixed metaphors, tired jokes, and so on. It's a matter of style.
Except Twitter didn't get hacked.
Kevin Mitnick is crying somewhere...
the only hack Kevin Mitnick ever pulled was convincing people he was a hacker.
The words "hack" and "hacker" are cognates, but both words have evolved over time, and not all senses of the word "hacker" describe someone who produces hacks. Social engineers and script kiddies can absolutely fit under the umbrella, too, and that's been the case for roughly a quarter century now. Perhaps longer.
"Produces hacks" this isn't even a thing.
Can people please stop commenting on HN threads pretending to know about hacking and making false claims.
Can people please stop commenting on HN threads pretending to know about hacking and making false claims.
Producing hacks is a thing, even if the phrase itself is not common, and it's a thing that people were doing long before hacking/hacker had even taken on the sense of breaking into computers.
Look, there are really only two general approaches to arguing over the dictionary: Trotskyism (i.e., permanent revolution), and joining with the forces of evil.
Look, there are really only two general approaches to arguing over the dictionary: Trotskyism (i.e., permanent revolution), and joining with the forces of evil.
Sounds like someone is jealous of him. He was clearly a hacker.
Reading through his charges[0] regardless of what we here consider that he has done, his criminal conviction seems to imply he was considered a "hacker" by the law.
[0] https://en.m.wikipedia.org/wiki/Kevin_Mitnick
[0] https://en.m.wikipedia.org/wiki/Kevin_Mitnick
Did it get cyberattacked, then?
https://en.wikipedia.org/wiki/Talk:2020_Twitter_bitcoin_scam...
https://en.wikipedia.org/wiki/Talk:2020_Twitter_bitcoin_scam...
Yes it did.
Semantics, no? Someone gained unauthorized access.
I think the prev. comment is accurate in the sense that Mastodon can easily be vulnerable to social engineering attacks, because as long as humans run it, humans are going to make mistakes.
To be super clear, any (chat/microblogging/etc) software is going to be vulnerable to social eng attacks.
In most cases, I do consider gaining authorized access via social engineering to be a hack. I guess this probably qualifies, but just barely. If it turns out it was just a rogue engineer then it doesn't qualify at all. It's not clear that external "hackers" gained ongoing access. If someone leveraged an insecure remote worker's PC to gain access, that counts as hacking too. I'll wait and see if we find out what the root cause was.
The hack is exploiting weak internal security controls that twitter has. Reset of email for so many high profile users requiring only one person to click a button is weak design. No Review / no approval etc .
Also the amount of time for them to identify it, they had blocked tweeting the address and blocked all verified users from posting before they could find the rogue account indicates logging and analysis of their admin tool actions is also not robust.
Exploiting these two vulnerabilities whether by blackmail, bribe or RAT should not make a difference to consider it a hack
Also the amount of time for them to identify it, they had blocked tweeting the address and blocked all verified users from posting before they could find the rogue account indicates logging and analysis of their admin tool actions is also not robust.
Exploiting these two vulnerabilities whether by blackmail, bribe or RAT should not make a difference to consider it a hack
In Twitter's case, it came down to some pretty poor opsec and could have been avoided. Ultimately you're going to have at most N points of failure. With security keys, the number of points of failure in Twitter could have been reduced to one (and that one user could be proactively educated).
In Mastodon, every user is potentially in control of their instance. Every user is a potential point of failure. Users routinely fall victim to social engineering each day, possibly someone is this very second.