Archive for July 17, 2020

Friday, July 17, 2020

A New and Improved Twitter API

Twitter (via Hacker News):

With this new foundation, developers can expect to see:

  • A cleaner API that’s easier to use, with new developer features like the ability to specify which fields get returned, or retrieve more Tweets from a conversation within the same response
  • Some of the most requested features that were missing from the API, including conversation threading, poll results in Tweets, pinned Tweets on profiles, spam filtering, and a more powerful stream filtering and search query language

[…]

In the past, the Twitter API was separated into three different platforms and experiences: standard (free), premium (self-serve paid), and enterprise (custom paid). As a developer’s needs expanded, it required tedious migration to each API. In the future, all developers — from academic researchers to makers to businesses — will have options to get elevated access and grow on the same API.


Hackers Convinced Twitter Employee to Help Them Hijack Accounts

Joseph Cox (also: Jack Dorsey, Twitter Support, Jason Koebler, SwiftOnSecurity):

A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

On Wednesday, a spike of high profile accounts including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple tweeted cryptocurrency scams in an apparent hack.

[…]

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.

Nick Statt:

One notable exception in the attack was the account of President Donald Trump. The New York Times is now reporting that Trump’s account has special protections in place following past incidents — including when a third-party Twitter contractor used internal company tools to deactivate the president’s account in 2017. Those protections may have spared Trump’s account from being taken over, although it is not clear right now whether the hackers even attempted to assume control of his account.

Quinn Nelson:

On the plus side, Apple just made its first public tweet ever.

John Gruber:

Looks like the heist netted around $118,000. A pittance compared to the disruption it caused.

Brian Krebs (also: Hacker News):

Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.


Update (2020-08-03): Bruce Schneier (also: MacRumors):

Motherboard is reporting that this week’s Twitter hack involved a bribed insider. Twitter has denied it.

Nick Heer:

Earlier this year, two Twitter employees were allegedly bribed by the Saudi Arabian government to track dissidents. If humans are, indeed, the greatest security vulnerability within any company, Twitter needs to do far better. It did not ask to be a broadcast arm for weather services and world leaders, but that’s what it has become — and it is clear that it is unprepared for that reality.

Nathaniel Popper and Kate Conger (via tweet, John Gruber, Hacker News):

But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

Twitter (via John Gruber):

The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.

[…]

For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool.

Bruce Schneier:

This kind of attack is known as a “class break.” Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security. It didn’t matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn’t matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.

[…]

The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people’s accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.

The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter.

Thomas Clement:

So, hackers got access to Twitter accounts (including all of the accounts’ data) via the company’s internal support tools. Could the same happen with iCloud?

It’s a good time to remind you that most of the iCloud data is not end-to-end encrypted, Apple holds the keys.

Jeff Johnson:

I, as a lowly external offsite contractor, had access to the name, address, and phone number of every member of the Apple developer program. In other words, you.

For no good reason other than this data was not specially protected.

Ron Avitzur:

I contracted at Apple in the early 90s. I am extraordinarily grateful for the extent to which they trusted engineering so that internal security did not impede productivity. It was a simpler time, a more civilized age.

Nick Heer:

Twitter will also show new and unrecognized logins on the Notifications page and send the user an email. I cannot think of a good reason why a similar notification should not be displayed when an engineer accesses private information in a user’s account — with the exception of criminal investigations when Twitter or Facebook would be prohibited from doing so. Ideally, employees should have to get some sort of confirmation from a user before their account is able to be accessed.
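The gate Heer is describing, written out as an added example (illustration code, not Twitter’s tooling and not from the post): a support action on an account is refused unless the owner has issued a short-lived, single-use consent token for exactly that action or a legal-hold reference is attached; every decision, denials included, goes to an audit trail; and the owner is notified of every access that is not under a legal hold. The field names, the token format, the HMAC key held only on the server, and the rule that ownership-changing actions also need a second approver are all assumptions made for this example.

```python
"""Consent-gated, audited access to user accounts from an internal support tool.

Added illustration, not Twitter's code. Names, fields, the token format and the
second-approver rule are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class AccessRequest:
    staff_id: str
    target_user: str
    action: str                           # e.g. "view_dms", "change_email"
    justification: str                    # free text, recorded in the audit trail
    consent_token: Optional[str] = None   # handed over by the account owner
    legal_hold_ref: Optional[str] = None  # set only by legal/compliance


class SupportAccessGate:
    # Ownership-changing actions additionally need a second staff approver.
    SENSITIVE = {"change_email", "reset_password", "export_data"}

    def __init__(self, consent_key: bytes, notify: Callable[[str, str], None]):
        self._key = consent_key          # server-side secret; the support UI never sees it
        self._notify = notify            # e.g. in-app notification plus e-mail
        self._used_nonces = set()        # consent tokens are single-use
        self.audit_log: List[dict] = []  # in production: append-only, written off-box

    def _mac(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_consent(self, user: str, action: str, ttl: int = 600,
                      now: Optional[int] = None) -> str:
        """Token the owner generates in their own settings UI and reads to support."""
        now = int(time.time()) if now is None else now
        payload = f"{user}|{action}|{now + ttl}|{secrets.token_hex(8)}"
        return f"{payload}|{self._mac(payload)}"

    def _consent_nonce(self, token: str, user: str, action: str,
                       now: int) -> Optional[str]:
        """Nonce of a token that is genuine, unexpired, unused and bound to (user, action)."""
        try:
            t_user, t_action, t_exp, nonce, mac = token.split("|")
            expiry = int(t_exp)
        except ValueError:
            return None
        payload = f"{t_user}|{t_action}|{t_exp}|{nonce}"
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None   # forged or tampered
        if t_user != user or t_action != action or expiry < now:
            return None   # wrong account, wrong action, or expired
        if nonce in self._used_nonces:
            return None   # replayed
        return nonce

    def authorize(self, req: AccessRequest, now: Optional[int] = None,
                  second_approver: Optional[str] = None) -> bool:
        now = int(time.time()) if now is None else now
        allowed, reason = False, "no_user_consent"
        if req.legal_hold_ref:
            allowed, reason = True, f"legal_hold:{req.legal_hold_ref}"
        elif req.consent_token is not None:
            nonce = self._consent_nonce(req.consent_token, req.target_user, req.action, now)
            if nonce is None:
                reason = "invalid_consent"
            elif req.action in self.SENSITIVE and not second_approver:
                reason = "second_approver_required"
            else:
                allowed, reason = True, "user_consent"
                self._used_nonces.add(nonce)   # burn the token only on success
        # Record every decision, denials included: a run of denied requests from
        # one support login is exactly what a detection team should be alerted on.
        self.audit_log.append({
            "ts": now, "staff": req.staff_id, "approver": second_approver,
            "user": req.target_user, "action": req.action,
            "justification": req.justification,
            "decision": "allow" if allowed else "deny", "reason": reason,
        })
        # Tell the owner about every access that is not under a legal hold.
        if allowed and not req.legal_hold_ref:
            self._notify(req.target_user,
                         f"Support staff {req.staff_id} performed '{req.action}' on your account")
        return allowed


if __name__ == "__main__":
    notices = []
    gate = SupportAccessGate(b"server-side-consent-key", lambda u, m: notices.append((u, m)))
    # Constructed scenario: a support login tries to change an account's e-mail
    # with no consent token, then with one and a second approver.
    req = AccessRequest("support-7", "@example", "change_email", "caller says they are locked out")
    print(gate.authorize(req))                                  # False
    req.consent_token = gate.issue_consent("@example", "change_email")
    print(gate.authorize(req, second_approver="support-lead"))  # True
    print(gate.audit_log[-1]["reason"], notices)
```

Two design points worth noting. Denied requests are logged with the same detail as allowed ones, because a burst of "no_user_consent" or "invalid_consent" entries from a single support login is the signal that a credential has been phished. A legal hold suppresses the user notification but never the audit entry, which is the exception Heer carves out for criminal investigations.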

Twitter:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.

John Gruber:

My guess is that they’re saying that the attackers targeted low-level employees via the phone, tricked them into revealing details, and used those details to (here’s where the guessing starts) impersonate them on Twitter’s internal Slack. Then, impersonating them on Slack, they tricked other employees into giving them access to these incredibly sensitive account management tools?

Sean Hollister:

Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed 17-year-old Graham Clark of Tampa, Florida, under arrest.

[…]

Specifically, he allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.

Update (2020-10-20): NY Department of Financial Services (via Hacker News):

This Report reviews the facts surrounding the Twitter Hack, the reasons why it occurred, and what could be done to prevent future incidents. The Report also recommends steps for improved cybersecurity oversight of large social media companies.

Omni Group’s New Licensing

Ken Case (tweet):

With sign-in licensing (coming very soon), you will no longer have to keep track of license codes: to access purchases, you can simply log into our apps using your Omni Account. A single Omni Account can be used across all devices and platforms: with an OmniFocus subscription, for example, the same sign-in will unlock OmniFocus on Mac, iPad, iPhone, and Web.

We launched team subscriptions in March, and will be launching personal subscriptions at the same time as sign-in licensing. Subscriptions give you the latest version of our apps, enabling every feature on every platform (including Pro features)—with a lower cost up front and predictable spending in the future. But knowing that subscriptions aren’t the best choice for everyone, we continue to offer traditional licenses as well: traditional licenses are investments which may cost more up front, but save money in the long run.

Previously, OmniFocus 3 for Mac was $40 ($80 Pro) and for iOS was $40 ($60 Pro). Now, for Mac it’s $50 ($100 Pro) and for iOS it’s $50 ($75 Pro). Or you can subscribe to all platforms for $10/month or $100/year. So, the prices have increased, but you still have the flexibility to choose which platforms you want and whether to pay via subscription. (The long-term plan, though, is for all purchases to be universal.) If you do buy the subscription, you can either get it via In-App Purchase or direct from Omni, sending them a higher percentage of the price of the iOS app than was possible before.

Accounts seem more convenient than serial numbers in some ways, and may help reduce piracy, but presumably the apps will now require online activation. So, if you need to reinstall but the server is down, you may not be able to access your documents.

With frameworks like SwiftUI, it’s easier than ever to design and build an app which behaves consistently across all of Apple’s platforms, while adapting behavior to leverage the strengths of each platform. The combination of new designs and new cross-platform technologies is a perfect fit with our roadmap for improving the flow of using our apps. […] But when it comes to drawing content on the screen, processing input and commands, adapting to screen changes and so on, we’re going to take a fresh look at today’s technologies to see what we can best leverage as we redesign our apps.

Once again, there doesn’t seem to be much on the roadmap for OmniOutliner. It already does almost everything I want, but I would love to see some performance improvements. Typing in a large outline—ever since the engine was brought back from iOS—currently takes about one second per keystroke.

Ken Case:

With yesterday’s @OmniGroup app updates, all our Mac App Store apps once again have support for family sharing! You can use a shared Omni Account to license each family member’s devices (while continuing to use independent Omni Accounts for syncing).
