Twitter going feudal on security

I have recently experienced security issues with Twitter, as my account was in some way hacked. And I am not happy with the way Twitter handles this situation.

First, here are the facts that I know:

  • Two weeks ago, I got an e-mail from a colleague warning me that he had just received a spam Direct Message from me and that my account may have been hacked
  • I immediately looked at Twitter, just to find that another one of my followers had received spam
  • I then changed my password, and started to review the authorizations I had given
  • My authorizations were not looking good. Over the years, I had authorized many companies, usually those building Twitter clients. Some of them sported exotic names, and had the “read, write, and direct message” privileges.
  • I revoked the privileges of all these guys, and many more, and only kept the ones that I use daily and that are issued by supposedly “good” companies, like Twitter and HTC, and services that I had used recently, such as Pullquote.
  • At this stage, I was hoping that this minimal work was sufficient to solve this hack thing (Disclosure: I am currently recovering from eye surgery, and at that time, my vision was very bad).

Well, I am not sure that these measures were sufficient to stop hackers, but none of my friends/followers have complained about receiving direct messages after that day. And knowing the proportion of security people in this crowd, this makes me feel quite good.

But then, Twitter kicked in:

  • Two hours after I fixed things, I received a “Your password has been reset” e-mail from Twitter, explaining to me that my account may have been hacked, and that I should change my password. That sounded about right, so I changed my password (again), as instructed.
  • The next day, I received the same e-mail again: “Twitter has reset your password”. That got me a bit worried, so I took a few additional steps. First, I considered the possibility that the e-mails were themselves spam or phishing: instead of clicking on the password reset link directly, I copy-pasted it into the browser and hand-typed the https://twitter.com/ part, just in case. I also made a more drastic review of my authorizations, only keeping the clients on my phone and iPad.
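The hand-check described above (is the reset link really pointing at https://twitter.com/?), written out as an added example that is not part of the original post. It accepts a link only when it is HTTPS and its host is twitter.com or a subdomain of it, and rejects the lookalike forms commonly seen in phishing mail; the function names and the sample links are constructed for this illustration.

```python
from urllib.parse import urlsplit

# The only host family a Twitter password-reset link should point at
# (assumption for this example; adjust for another service).
TRUSTED_HOST = "twitter.com"


def is_trusted_reset_link(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True only if `url` is an HTTPS link whose host is `trusted_host`
    itself or a subdomain of it.

    The host is taken the way a browser resolves it, so the usual
    phishing tricks are rejected:
      - userinfo before '@'   ("https://twitter.com@evil.example/")
      - lookalike suffix      ("https://twitter.com.evil.example/")
      - plain http, or a non-http scheme such as javascript:
      - upper-case host or trailing dot used to defeat naive matching
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # strips userinfo and port, lower-cases
    if not host:
        return False
    host = host.rstrip(".")
    return host == trusted_host or host.endswith("." + trusted_host)


def classify_links(urls):
    """Map each link to 'ok' or 'suspicious' for a quick manual review."""
    return {u: ("ok" if is_trusted_reset_link(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample links, not taken from any real e-mail.
    samples = [
        "https://twitter.com/account/reset?token=PLACEHOLDER",
        "https://mobile.twitter.com/reset",
        "http://twitter.com/reset",
        "https://twitter.com@evil.example/reset",
        "https://twitter.com.evil.example/reset",
        "https://twiter.com/reset",
    ]
    for link, verdict in classify_links(samples).items():
        print(f"{verdict:10} {link}")
```

Passing the check only says the link stays within twitter.com; it does not tell you why the reset was triggered, which is exactly the information the post complains is unavailable.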

Everything went fine for 5 days. And just as I was thinking that the issue was over, I got another “Your password has been reset” e-mail from Twitter. This time, it was just not fun, and I had recovered a bit, so I investigated a bit more.

  • Since I knew that some contacts had received direct messages from me, I checked my direct messages, and no spam appeared there. This is strange, since my non-spam DMs sent from authorized clients do appear there.
  • I checked all the links provided in the e-mails, and I have not been able to find any useful information, or any way to ask for details.
  • I Google’d the problem, found other people with the same problem (or worse), but no clue of a solution.
So, in the end, I know that (1) my account was hacked about two weeks ago, (2) Twitter noticed it somehow and reset my password, (3) Twitter then found two more reasons to reset my password in a week, and (4) the only thing that I can do is hope that this is over, because I don’t have a way to get any additional information about the problem.

So, I do believe that this is an instance of what Bruce Schneier calls feudal security. The Lords of Twitter provide me some security in exchange for my using their service and reading a few ads, and as a good serf, I am not allowed to ask any question or participate in the defense.

This is a bit scary to me. I like the Twitter service, and I am a rather happy user, exchanging information on this social network. But what am I to do if the Twitter police keeps resetting my password? How do I know whether this is a mistake, or whether I am really getting hacked? In such a situation, I guess that the only way out would be to either stop using Twitter, or get a new handle. Neither of these solutions looks good to me.

So, I can only hope that the Lords of Twitter protect me well, and that the Prince of Facebook does the same. But mixing this kind of desperate hope with my professional hope that the Internet of Things becomes a reality is not reassuring. Feudal security is not a good future.
