
Twitter Hack Details Revealed

CmdrTaco posted more than 5 years ago | from the my-password-is-p4ssw0rd dept.

Security 222

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."


Lack of Hacker Ethics (5, Insightful)

alain94040 (785132) | more than 5 years ago | (#26373731)

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).

He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

--
FairSoftware.net [fairsoftware.net] -- geeks starting fair and open software businesses together
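The post above says detecting rapid-fire password attacks is not hard. As an added example (not code from the poster or from Twitter), here is the kind of sliding-window check a log monitor would run: it counts failed logins per source IP and per target account and raises one alert per key once a threshold is crossed inside the window. The log format, the threshold, the window and the sample lines are all constructed for this example.

```python
"""Detect rapid-fire password guessing in authentication logs.
Added example (not Twitter's code): a sliding-window counter over
failed-login events, keyed by source IP and by target account, flags
any key that exceeds a threshold within the window.  The log format
and the sample lines are constructed for this example."""

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: ISO timestamp, outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<outcome>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Detection policy (constructed values): more than THRESHOLD failures
# for one key inside WINDOW_SECONDS is an alert.
THRESHOLD = 5
WINDOW_SECONDS = 60


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (key_type, key, failures_in_window, iso_time) tuples.

    Both the source IP and the target account are tracked, so a word list
    run from one address and a spray across many addresses at one account
    are both caught.  Each key fires once, so a long attack is one alert."""
    windows = defaultdict(deque)   # (key_type, key) -> timestamps of failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["outcome"] != "fail":
            continue
        for key in (("ip", ev["ip"]), ("user", ev["user"])):
            q = windows[key]
            q.append(ev["ts"])
            # Drop failures that have fallen out of the window.
            while (ev["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) > threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], len(q), ev["ts"].isoformat()))
    return alerts


# Constructed sample: one source cycling guesses at one account, a second
# user who mistypes once and then succeeds, and a third whose two failures
# are minutes apart and therefore never share a window.
SAMPLE_LOG = """\
2009-01-06T10:00:00 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:01 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:02 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:03 login fail user=alice ip=203.0.113.5
2009-01-06T10:00:03 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:04 login ok user=alice ip=203.0.113.5
2009-01-06T10:00:04 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:05 login fail user=admin ip=198.51.100.7
2009-01-06T10:00:06 login fail user=admin ip=198.51.100.7
2009-01-06T10:05:00 login fail user=bob ip=192.0.2.44
2009-01-06T10:07:00 login fail user=bob ip=192.0.2.44
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample, the sixth failure against `admin` at 10:00:05 trips both the IP key and the account key; `alice` and `bob` never reach the threshold. Tracking both keys matters because, as later replies in this thread point out, per-account counting alone can be gamed and per-IP counting alone misses a spray from many addresses.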

Re:Lack of Hacker Ethics (5, Funny)

Anonymous Coward | more than 5 years ago | (#26373871)

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

Maybe so, but really nice hackers patch the exploit with fairy dust and unicorn farts.

Re:Lack of Hacker Ethics (1, Interesting)

daveatneowindotnet (1309197) | more than 5 years ago | (#26374989)

Overrated, really? I thought it was hilarious even if it was crude and cynical.

Re:Lack of Hacker Ethics (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26375071)

The moderation here has taken a huge dump, lately. I swear lately more things are modded down than modded up. It seems mostly to be moderators apparently devoid of senses of humor and/or unwilling to give people the benefit of the doubt.

Re:Lack of Hacker Ethics (5, Funny)

Jonah Bomber (535788) | more than 5 years ago | (#26373873)

Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay?

Re:Lack of Hacker Ethics (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26374783)

If I was a nigger, I could drive a Cadillac with class
My pocket stuffed with welfare checks, and I could sit on my big black ass
Now you take a nigger, he aint nobody's fool
He doesn't buy any gasoline, to drive his kids to school

Our government has gone crazy, I'd change things if I could
If I was only a nigger, I could afford to live in a white neighborhood
Oh the things that I could do, if i was black and Hell-bent
I could send my kids to college, and it wouldn't cost me one damn cent

The wife and I were down on our luck, we were really getting uptight
They said at the welfare office, "You aint black, you're white."
Oh how I've tried to get a job, a diploma I had with pride
The post office man laughed, and said "You're not dark enough to even qualify"

I took a civil service exam, and passed it without shame
A nigger took one next to me, he couldnt even write his own name
The nigger, he got the job, now he's government top brass
He couldn't qualify for a trash truck, while I'm out on the street on my ass

If I was a Jesse Jackson, I'd be nobody's slob
Wearing $500.00 dollar suits, that nigger hasn't even got a job
If I was Barack Obama, I could sit back and relax
And when sworn in as President, I could paint The White House black

Damn, I wish I was a nigger

If I was a jig-a-boo, I could find me my roots
With a afro big as a watermelon, and a pair of white disco boots
If I was only dark complected, I could stand tall in this life
I could live high off the hog, just me and my white wife

Things used to be segregated, but things are a little off-key
I've never seen a white man as head of the NAACP
It aint that I don't like a nigger, if I've rubbed you wrong by chance
Take a look at that mistletoe hanging on the seat of my pants

If I was a kinky top, I could be a Martin Luther King
I'd have me a vision on a mountain top, my song the whole world would sing
I could have me a peace march on the streets of Memphis, Tennessee
I could tear up the whole damn city, and the police wouldn't dare stop me

A lot of things in life I know, but one thing I cant figure
Why a nigger can call me a honkey and I cant call a nigger, a nigger
If I was a jungle bunny, I could ring a golden bell
I could be a Mohammed Ali, and be loved by Howard Cosell

Damn, I wish I was a nigger

If I was a golliwogg, 7 foot tall and lean,
I could be a famous player on the Washington basketball team
If I was only chocolate brown, I could have me some turnip greens
A possum fat and watermelon, chitlens and a pot of butter beans

Now when Martin Luther King was buried in Washington with class
They put him face down in his box, so the politicians could kiss his ass
I guess its just politics, but it sure gets my goat
Kiss assing with a nigger, just so you could get his vote

If i was only a burr-head, I'd live high on the hill
Selling cocaine and prostitutes, and popping all kinds of pills
Now take the NAACP, they can march and raise all kinds of hell
Let the KKK start to move, and they'll all wind up in jail

I dreamed my life was over, I heard Saint Peter say,
"Today we're taken only niggers, you've gotta go the other way"
Then I heard the Devil, he said "I heard what Peter had to say
But I'm sorry to tell you son, Today in Hell is Nigger Day."

Damn, don't you wish you were a nigger?

Bill O'Reilly is gay? (0)

Anonymous Coward | more than 5 years ago | (#26375341)

That sure explains a LOT.

hacker ethics (1)

mfh (56) | more than 5 years ago | (#26373945)

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics.

Yes, there was no profit here. The least the kid could have done was to hold these twits hostage for some consulting fees!! /sarcasm

Re:Lack of Hacker Ethics (5, Insightful)

TheCycoONE (913189) | more than 5 years ago | (#26373951)

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

Perhaps, but it's likely because this kid did a little harm that he's captured the attention of so many people. It adds a healthy dose of sensationalism to the story, which convinces people to treat security seriously better than some hypothetical "it could have been really bad if..." would.

Re:Lack of Hacker Ethics (5, Insightful)

bughunter (10093) | more than 5 years ago | (#26374253)

Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.

(Yes, I'm aware of the recursive metaphor I'm creating here.)

Compromise One Password, Compromise Them All (5, Insightful)

Alaren (682568) | more than 5 years ago | (#26374429)

Do you know anyone who uses the same password for everything?

Do you think Britney Spears might be one of those people? What about the President-Elect?

Bad security practices glom together and eventually snowball. In this particular case, the harm was likely de minimis, but do you think the individuals whose accounts have been compromised thought to go change their password at their bank, or their email, or whatever?

You don't (probably) use the same key for your house and your car and your safety deposit box, but on the internet that's what a lot, maybe most, people do. It's a bad security practice. And if you can discover someone's password on one site due to that site's bad security practices, the security of other, responsible sites is moot.

I recognize that this is similar to the problem presented by writing your passwords on a post-it, but at least in that case physical access is necessary. And there are worse security threats out there. But in answer to your question specifically, "what kind of harm can you cause by hacking Twitter," I think the answer is "a lot more than you'd think."

Re:Compromise One Password, Compromise Them All (5, Informative)

SighKoPath (956085) | more than 5 years ago | (#26374791)

FTA:

GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.

Different Questions (4, Interesting)

Alaren (682568) | more than 5 years ago | (#26374843)

So really, the GP's analysis of harm done is pretty accurate.

Yes, in this particular case, as I noted. But the GP question wasn't "how much harm was caused," but how much harm can you cause. And the security hole of allowing rapid-fire password attacks does create the potential for significant harm in an environment where most users aren't security-savvy enough to know that you don't use the same password for every site, even though the weak security is "just" on a site like Twitter.

Re:Compromise One Password, Compromise Them All (2, Informative)

Snorfalorpagus (1321189) | more than 5 years ago | (#26374801)

Do you know anyone who uses the same password for everything?

Do you think Britney Spears might be one of those people? What about the President-Elect?

Bad security practices glom together and eventually snowball. In this particular case, the harm was likely de minimis, but do you think the individuals whose accounts have been compromised thought to go change their password at their bank, or their email, or whatever?

You don't (probably) use the same key for your house and your car and your safety deposit box, but on the internet that's what a lot, maybe most, people do. It's a bad security practice. And if you can discover someone's password on one site due to that site's bad security practices, the security of other, responsible sites is moot.

It should be noted that, for the most part, sites will encode the users password with a salt/hash of some form. From the article:

After resetting the password for the account, he gave the credentials to five people.

So, for this level of attack, using the same password isn't so much an issue. You'd need a more involved level of access to get the unencrypted password and do some *real* damage.

Re:Compromise One Password, Compromise Them All (1)

reashlin (1370169) | more than 5 years ago | (#26374949)

You just made me think then about "writing passwords on a post-it" and actually how wonderfully secure a method it really is. Except in a public place (at work, say), a hacker has no way of getting your details but breaking into your house. With the number of passwords I have, I keep them in a password safe. Something that could be interfered with via the net. Possibly without me even noticing.

Re:Compromise One Password, Compromise Them All (1)

ByOhTek (1181381) | more than 5 years ago | (#26375031)

I do, and it's perfectly fine!

I mean who'd guess a password like "1FeelDumbEnteringThisPassword" anyway? I'm perfectly safe!

Re:Compromise One Password, Compromise Them All (1)

mcgrew (92797) | more than 5 years ago | (#26375057)

Using the same password for slashdot as your bank account would be stupid, yes, since nobody wants CowboyNeal in his bank account, but I do reuse certain passwords.

My various email accounts have the same passwords as each other. My password for the dozens of newspapers I log on to is 111111, easy to remember, and what possible reason would I have for keeping it secret? That password is not for my benefit, it's for the newspaper's benefit, and is only an annoyance to me.

My slashdot password is unique, as is my network password at work.

I don't bank by mail and do as little online commerce as possible, because a tinfoil hat only goes so far.

Re:Compromise One Password, Compromise Them All (2, Informative)

Anonymous Coward | more than 5 years ago | (#26375259)

Many credit card companies offer a one-time-use credit card number you can use for online purchases. I find it invaluable for online shopping.

Re:Compromise One Password, Compromise Them All (2, Interesting)

mcgrew (92797) | more than 5 years ago | (#26375497)

You don't (probably) use the same key for your house and your car and your safety deposit box

No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.

Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234). Yeah, posting it on a post-it on the monitor is stupid, but keeping it written down with other valuables allows you a tougher-to-crack password, one for which a dictionary attack like the one used at Twitter is impossible. E.g., d5#6*;mtTMbp can't be remembered by anyone but a savant, but if it's written down it can't be forgotten.

You could also use the title of a book, write that down, and use every nth character in the password. For example, Shrew 9 would be SBlatsle, which is every ninth character (excluding spaces) from the introduction to Wm Shakespeare's Taming Of The Shrew.

Re:Lack of Hacker Ethics (0)

Anonymous Coward | more than 5 years ago | (#26374431)

Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.

(Yes, I'm aware of the recursive metaphor I'm creating here.)

Well, twitter might hack you back, or just use a sock puppet to mock you.

Posted anonymously because I'm "not new here"

Re:Lack of Hacker Ethics (3, Funny)

not new here (1448011) | more than 5 years ago | (#26374825)

Liar, I'm not new here!

Re:Lack of Hacker Ethics (1)

truthsearch (249536) | more than 5 years ago | (#26374457)

I'm sure news agencies and bloggers watch twitter accounts of famous people. Putting in messages (that aren't obviously defacements or spam) could cause incorrect information to spread to "reputable" sources. We've seen bloggers post incorrect information that gets spread around until newspapers pick it up. The same could happen here.

Re:Lack of Hacker Ethics (2, Interesting)

sexconker (1179573) | more than 5 years ago | (#26374771)

Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.

Re:Lack of Hacker Ethics (1)

truthsearch (249536) | more than 5 years ago | (#26375101)

I don't disagree at all. But the fact remains that most people blindly trust mainstream media, and there are some mainstream organizations that report what's found on blogs with no corroborating evidence.

Re:Lack of Hacker Ethics (1)

corywingerter (917335) | more than 5 years ago | (#26375493)

You could cause harm to thousands (millions?) of users by placing a link to a dangerous site on a well known and trusted Twitter user (Obama...).

Would I trust a link from The President Elect's Twitter? Sure.

Re:Lack of Hacker Ethics (5, Insightful)

silentquasar (1144257) | more than 5 years ago | (#26373981)

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

Indeed. At my college a while back, some seniors found a way to hack into the school's network. They posted every user's password on a local network site. Only a handful of weeks away from graduation, they were expelled. Sure, they meant no harm, just to expose the weaknesses in the system, but they broke the rules and seriously compromised the system by posting the passwords, so they had to pay the price. Yikes!

Re:Lack of Hacker Ethics (0)

Anonymous Coward | more than 5 years ago | (#26374051)

Wow! "Hacked into the network", you say? Kids these days.

Re:Lack of Hacker Ethics (1)

silentquasar (1144257) | more than 5 years ago | (#26374163)

Sorry about that - my terminology was weak. They hacked some supposedly-secure-from-the-student portion of the network. And FWIW, this was back in ought one.

Re:Lack of Hacker Ethics (2, Insightful)

severoon (536737) | more than 5 years ago | (#26375095)

I think if you run a system that a good number of people depend upon, and a breach in security could cause important problems, then you have a serious obligation to institute a good security policy. If you don't, it's negligence and should be treated as such.

Are unethical hackers responsible for their actions? Sure, just as responsible as a business that takes on the trust of its users willingly.

Re:Lack of Hacker Ethics (0)

Anonymous Coward | more than 5 years ago | (#26375401)

Same thing at my high school, though they ended up with only a fine. Of course, in that case they wouldn't have gotten caught if they'd implemented the plan correctly, instead of the dipshit who installed the keyloggers freezing his name into every login box in the lab.

Re:Lack of Hacker Ethics (1)

drx (123393) | more than 5 years ago | (#26374197)

If pushing out some ironic/satirical messages is already harm, then I don't know ...

Re:Lack of Hacker Ethics (4, Insightful)

girlintraining (1395911) | more than 5 years ago | (#26374327)

As much as I don't want to say it, ethics don't mean crap these days. If you hack into a system and leave a note saying "Hey, hacked your box, here's how I did it, here's how to fix it, Thanks. Signed, Good Samaritan"... It only means they will send an army of lawyers and g-men after you because you embarrassed them, and because while techies like us might understand what the hacker wanted to accomplish, management will not. Frankly, given that there is no protection for people who adhere to the hacker ethos as opposed to those who don't, there is no incentive to be nice. If you get the chance, gut the bastards and don't leave anything behind except a zero'd drive and a message on the screen saying "Next time, don't use a 'password' as the root login." Is it damaging? Yes. But if you don't crap the server, all you're doing is beating the hornet's nest with a stick.

It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable -- provided they do nothing else but confirm the exploit is present and notify the appropriate parties. And, of course, do not retain copies of any sensitive information once the report is made.

Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way? A pity the legal system does not see it this way... Which leaves only the recourse of scorched earth to make the point.

Re:Lack of Hacker Ethics (5, Funny)

RemoWilliams84 (1348761) | more than 5 years ago | (#26374451)

Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

I like to do this when I find a car sitting outside a gas station still running.

Re:Lack of Hacker Ethics (1)

Tibor the Hun (143056) | more than 5 years ago | (#26375477)

Haha, yeah, that's a good trick. It sure spooks the kids inside.

Re:Lack of Hacker Ethics (4, Insightful)

liquidpele (663430) | more than 5 years ago | (#26374519)

It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable

It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.

Re:Lack of Hacker Ethics (1)

causality (777677) | more than 5 years ago | (#26374679)

It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable

It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.

If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted? Let them wonder why they've seen a sudden spike of $ACTIVITY and let them find and fix the flaws on their own. Let them explain to their users that they couldn't perform damage control/threat mitigation early on because they have soiled any kind of trust relationship between companies and the would-be white hats who could have tipped them off.

If you're going to start shooting messengers, you're going to start running out of messengers. Make sure you don't need their message before you do that. This sort of common sense seems to be the first loss whenever there is a "prosecute everyone!" mentality.

Re:Lack of Hacker Ethics (0)

Anonymous Coward | more than 5 years ago | (#26374831)

If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all

Oh, no no no. You report it, just to different people. :-P

Re:Lack of Hacker Ethics (1)

causality (777677) | more than 5 years ago | (#26375467)

If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all

Oh, no no no. You report it, just to different people. :-P

"To them" was a key component of that sentence. The implication that you have explicitly stated was intentional.

Re:Lack of Hacker Ethics (2, Interesting)

liquidpele (663430) | more than 5 years ago | (#26375097)

If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted

I guess it depends on what you think is ethical. In my opinion you should always be ethical, but that doesn't mean you should be stupid. Report it to them anonymously with a date when you will make it a public thing (so they can't just ignore you). The hard part is making sure they actually got your message though.

Personally, I like 1 month before going public for a website, and 3-6 months for a product they'll have to distribute the fix for.

Re:Lack of Hacker Ethics (1)

madhurms (736552) | more than 5 years ago | (#26374337)

He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.

That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

I think it's more serious than "lack of hacker ethics". A cracker with admin access can potentially delete and wipe out entire Twitter accounts of not only the high-profile celebrities, but also any other accounts they can find, probably including other (Twitter) admins.

Re:Lack of Hacker Ethics (1)

madhurms (736552) | more than 5 years ago | (#26374399)

To add to this, a system is only as secure as its weakest point. In this case, it happened to be the admin password. So even if the user (say Barack Obama) had a very strong (cryptic) password, his account could still be accessed by password resets by an admin.

Re:Lack of Hacker Ethics (0)

Anonymous Coward | more than 5 years ago | (#26374869)

First post? check
Has a spamvertizement for FairSoftware.net? check

Re:Lack of Hacker Ethics (1)

reashlin (1370169) | more than 5 years ago | (#26374907)

Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts.

It's a nice thought that you could do this, but it's actually not that easy to implement on a real-world basis. Wouldn't it be funny to just write a bot to brute force the username and submit "a" as a password. Twitter/whoever becomes obsolete as no one can log into their accounts. Worse still, the bot works quicker than most because it doesn't even have to validate the return page. It can drop it entirely.

Re:Lack of Hacker Ethics (1)

FeepingCreature (1132265) | more than 5 years ago | (#26375077)

Indeed, if you were to count three attempts per user account.

Which is of course the reason why you count attempts by IP.

Digital Gangsters are... (1)

mfh (56) | more than 5 years ago | (#26373893)

Twits!

Re:Digital Gangsters are... (1)

jornak (1377831) | more than 5 years ago | (#26373905)

Oh, c'mon. They're responsible for those Miley Cyrus pictures. Who doesn't love them for that?

You know who made minutiae funny and interesting? (0)

Anonymous Coward | more than 5 years ago | (#26373927)

Seinfeld. Sorry, but your tweets are fucking boring and have no value.

Re:You know who made minutiae funny and interestin (0)

Anonymous Coward | more than 5 years ago | (#26374367)

What's the deeeeeeaaaaaalllllllllllll with tweets?

Twitter co-founder Biz Stone ... (1)

maxwells daemon (105725) | more than 5 years ago | (#26373955)

porn name?

Re:Twitter co-founder Biz Stone ... (0)

Anonymous Coward | more than 5 years ago | (#26374293)

porn name?

Nah, that could also be a drug dealer's name you insensitive clod!

After all of this... (1)

Thelasko (1196535) | more than 5 years ago | (#26374003)

Re:After all of this... (3, Interesting)

NewbieV (568310) | more than 5 years ago | (#26374233)

Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.

Re:After all of this... (0)

Anonymous Coward | more than 5 years ago | (#26374819)

Apartments are the true killer app in this economy.

Re:After all of this... (2, Funny)

Joe Snipe (224958) | more than 5 years ago | (#26375469)

That sounds more dangerous; because now my buddy is going to have a blank phone when we go out drinking tonight.

Bill'O exposed (0)

Anonymous Coward | more than 5 years ago | (#26374097)

A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay,"

Maybe the hacker DID have some good intentions after all.

As much as I dislike crackers in general, I also dislike the Fox propaganda machine and especially Bill, but seeing the first attack the latter.. oh well. I'm curious as to how the mainstream media will respond to this hacking and attacking story.

So why do you hate gay people? (1)

SuperKendall (25149) | more than 5 years ago | (#26375161)

I also dislike the Fox propaganda machine and especially Bill

Don't forget gay people! Your seething hatred of gay people comes out in treating "I am gay" as an insult. How many more frightened people still in the closet will be afraid to come out when it's demonstrated so clearly that "being gay is uncool"?

Pretty lame all the way around. It speaks volumes about the attacker that the wittiest attack they could come up with was that.

Re:Bill'O exposed (0)

Anonymous Coward | more than 5 years ago | (#26375255)

"I also dislike the Fox propaganda machine"

Let me guess... You're okay with the much larger and much more pervasive and well-funded Obama propaganda machine, though, right?

Oh Noes! (0)

Anonymous Coward | more than 5 years ago | (#26374199)

Not another poorly implemented trendy little site that everyone will forget all about six months from now! Better make a twit or a tweet or a snit or a shite or whatever they're called while you still can! If you don't you might have to wait until you can make a boop or a blup or a doot on twatter.com!

Really now, am I the only one who thinks of the sound of a mosquito in your ear when I see the word "twitter"? Annoying Slashdot troll with multiple personality sockpuppet account disorder notwithstanding...

why is this news? (2, Insightful)

iron spartan (1192553) | more than 5 years ago | (#26374313)

Why should we care about this? It's not like someone's SSN or credit card info was stolen. Stuff like this happens all the time.

If you want to defame someone, it's a lot easier to just make some wild and unprovable claim on the right web sites and let the internet do its thing.

Re:why is this news? (1)

PoitNarf (160194) | more than 5 years ago | (#26374651)

We should care about this because this directly shows end users that many /. readers such as myself support exactly why a weak password such as "happiness" is an inherently bad thing.

Re:Oh Noes! (0)

Anonymous Coward | more than 5 years ago | (#26374957)

you can make a twat on twattle.com!

There fixed it for you!

Limit logins without DOS? (4, Interesting)

Manip (656104) | more than 5 years ago | (#26374271)

This is one of my favourite security conundrums.

How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

IP Limit - Very easy to bypass with a proxy list.

Hard Account Limits - Denial of service

Thus is the problem. How do you limit logins without hurting legitimate users?

Re:Limit logins without DOS? (5, Insightful)

larry bagina (561269) | more than 5 years ago | (#26374371)

Slow down cowboy! It's been 1 minute since your last failed attempt to login.

Re:Limit logins without DOS? (0)

Anonymous Coward | more than 5 years ago | (#26375141)

If IP Limits are not used, this will still allow for denial of service (for as long as the attack is ongoing (plus the login timeout)).

Re:Limit logins without DOS? (0)

Anonymous Coward | more than 5 years ago | (#26374401)

[ 0) limit simultaneous tries per account, and perhaps ip ]

1) Randomize the amount of time the login verification takes.
2) If login fails, then force the attacker to wait for a long time to know the answer.

Not bulletproof but helps...

Re:Limit logins without DOS? (3, Insightful)

jeffmeden (135043) | more than 5 years ago | (#26374411)

Easy, increase the amount of time between the password being supplied and the pass/fail response being sent. If the script has to wait for 5 seconds to see if the password is bad, it increases the dictionary run time by a LOT. The only way around this is to run multiple iterations of the script, each with a section of the list to run. This makes them much easier to spot by other filters.

However, a legit user waiting 5 seconds for the login to complete probably won't generate a lot of complaints.

Re:Limit logins without DOS? (4, Interesting)

Phrogman (80473) | more than 5 years ago | (#26374663)

Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.

Re:Limit logins without DOS? (1)

BarryJacobsen (526926) | more than 5 years ago | (#26375399)

Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.

The problem with this is that it doesn't prevent the denial of service scenario that the institution of the delay was trying to prevent! If the script is running on the account, the legitimate user now has to wait an incredibly long time to log in.

Re:Limit logins without DOS? (0)

Anonymous Coward | more than 5 years ago | (#26375429)

Aka "Tarpitting" - usually applied with an exponential delay increase each iteration.

Re:Limit logins without DOS? (1)

cdfh (1323079) | more than 5 years ago | (#26375231)

The attacker does not need to wait until the response is sent: many can be sent concurrently. Preventing multiple concurrent login attempts opens the window for DoS attacks.

Re:Limit logins without DOS? (1)

the_humeister (922869) | more than 5 years ago | (#26374415)

Encryption with a unique keyfob just for you. I'd want that for banks, but not necessarily for Twitter because who cares if I'm now "taking a huge crap in the toilet that's now overflowing."?

Re:Limit logins without DOS? (3, Interesting)

paulhar (652995) | more than 5 years ago | (#26374447)

One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.

You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.

You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X failed attempts recently".

Then elsewhere you limit the number of failed logins from a single IP address to different accounts via a similar method to slow them down trying 100,000,000 accounts with password X.

Oh, and internally you check that passwords aren't common dictionary attack words to prevent users from running with knives when they create / modify their account...

Re:Limit logins without DOS? (4, Informative)

liquidpele (663430) | more than 5 years ago | (#26374463)

1) Allow a certain number of tries per IP address. Ban the IP, not the user. If they're behind a NAT, sorry. You may want to have the threshold to block kinda high to alleviate NAT networks.

2) Block anonymous proxies. If you ever look at your logs, slashdot will sometimes request a file when you're not logged in and post (http://slashdot.org/ok.txt) from you to see if your IP is an anonymous proxy. If they get their own file from your IP, they block you.

3) Ban times should not be hard coded, but should be a function. Ban for 5 minutes, then if they get banned again make it 30, then 2 hours, etc etc. This takes care of serious cases but makes the wait short if it's a false positive.

4) Captchas and other things can be used in conjunction (like gmail adds a captcha with the login after 2 failed attempts).
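
A throttle that combines paulhar's doubling per-account delay (capped at one minute) with liquidpele's escalating per-IP ban ladder, written as an added example for this thread and not code from Twitter or any poster; it also shows BarryJacobsen's point that the legitimate owner of a hammered account still pays the capped delay once. The policy numbers, the account and IP names and the `verify` callback are constructed, and the clock and sleep functions are injectable so the logic can be exercised without real waits.

```python
import time
from collections import defaultdict

# Constructed policy values (not Twitter's): per-account delay doubles per
# failure and caps at 60 s; per-IP bans climb 5 min -> 30 min -> 2 h.
ACCOUNT_BASE_DELAY = 1.0
ACCOUNT_MAX_DELAY = 60.0
IP_FAIL_THRESHOLD = 10
IP_BAN_LADDER = (300, 1800, 7200)


class LoginThrottle:
    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep = clock, sleep    # injectable for testing
        self.acct_fails = defaultdict(int)       # account -> consecutive failures
        self.ip_fails = defaultdict(int)         # ip -> failures since last ban
        self.ip_ban_count = defaultdict(int)     # ip -> bans handed out so far
        self.ip_banned_until = {}                # ip -> clock value when ban ends

    def account_delay(self, account):
        """Seconds to stall before even checking this account's password."""
        n = self.acct_fails[account]
        if n == 0:
            return 0.0
        return min(ACCOUNT_BASE_DELAY * 2 ** (n - 1), ACCOUNT_MAX_DELAY)

    def ip_banned(self, ip):
        return self.clock() < self.ip_banned_until.get(ip, 0.0)

    def attempt(self, ip, account, password, verify):
        """verify(account, password) -> bool. Returns (message, delay_applied).
        A banned IP gets the same 'Wrong password' as a bad guess, so the
        client cannot tell which control fired."""
        if self.ip_banned(ip):
            return ("Wrong password", 0.0)
        delay = self.account_delay(account)
        if delay:
            self.sleep(delay)                    # stall the server-side check itself
        if verify(account, password):
            self.acct_fails[account] = 0         # a real login clears the delay
            return ("Welcome", delay)
        self.acct_fails[account] += 1
        self.ip_fails[ip] += 1
        if self.ip_fails[ip] >= IP_FAIL_THRESHOLD:
            step = min(self.ip_ban_count[ip], len(IP_BAN_LADDER) - 1)
            self.ip_banned_until[ip] = self.clock() + IP_BAN_LADDER[step]
            self.ip_ban_count[ip] += 1
            self.ip_fails[ip] = 0                # next ban starts a fresh count
        return ("Wrong password", delay)
```

The per-account delay alone still lets an attacker lock the real owner out for the capped time per attempt, which is why the IP ban sits beside it.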

Re:Limit logins without DOS? (1)

evanbd (210358) | more than 5 years ago | (#26374465)

A global limit with an exception that grants a per-ip limit to ips that have previously had a successful login (within the last $time_period) does better than those options.

Re:Limit logins without DOS? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26374469)

Here's an idea: make the login username private and separate from the public-facing username (and not an email address either). Thus when signing up for an account, you would select a public username and a private username in addition to a password.

This would make most forms of attack next to impossible, because the publicly visible username would have no bearing on the login credentials. A potential hacker would have no idea what account they needed to hack.

Patent pending, patent pending, patent pending. But surely someone has done this already?

Re:Limit logins without DOS? (1)

el3mentary (1349033) | more than 5 years ago | (#26374883)

I've seen this system used on forums before.

Re:Limit logins without DOS? (3, Insightful)

causality (777677) | more than 5 years ago | (#26374473)

This is one of my favourite security conundrums.

How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

IP Limit - Very easy to bypass with a proxy list.

Hard Account Limits - Denial of service

Thus is the problem. How do you limit logins without hurting legitimate users?

One approach is to still allow the login but to insert artificial delays. Maybe your password cracker can guess several thousand passwords in one second; too bad, because the site will only allow you to try one every three seconds. Even a fairly weak password can be extremely difficult to guess this way, though it is no substitute for strong passwords that are never sent as cleartext.

biometrics (1)

JeanBaptiste (537955) | more than 5 years ago | (#26374609)

of course that opens a whole other can of worms, but it solves everything you've listed.

Re:Limit logins without DOS? (1)

TubeSteak (669689) | more than 5 years ago | (#26374623)

Hard Account Limits - Denial of service

Thus is the problem. How do you limit logins without hurting legitimate users?

Give locked out users the option to send a one-time login link to their e-mail address of record.
It isn't much different than sending out a password reset e-mail.

But it's fairly stupid not to include a hard cap on the # of login attempts per [unit of time]

Re:Limit logins without DOS? (1)

RoFLKOPTr (1294290) | more than 5 years ago | (#26374643)

IP Limit - Very easy to bypass with a proxy list.

Not really. He was able to fire off thousands of passwords a minute and left it running overnight. Whereas, if they would only allow his IP address 5 failed attempts within, say, a 30 minute period, he would have had to switch proxies every 5 password attempts. Besides the fact that he will probably run out of proxies by midnight, it would also take him probably 5 seconds to establish a connection with the proxy and then only be able to use that proxy for 5 password attempts. It would be much more hassle than it's worth, and would make 100 password guesses take probably 20 times as long as they would have without proxies.

Re:Limit logins without DOS? (1)

bendodge (998616) | more than 5 years ago | (#26374829)

Security question after a few attempts. And let people make their own security question.

Re:Limit logins without DOS? (1)

Thaelon (250687) | more than 5 years ago | (#26374833)

One way to do it is to have the person with the locked account call or stop by the helpdesk to get their account password reset.

In the case of twitter it would likely be calling only. Real users have no problem confronting a real human being to get access to their account. Hackers are less likely to. Also, it's a lot more difficult to brute force something involving a phone call to a person every 4 attempts.

DOS can still be used, but if the user can let you know there's a problem via a phone call you can take additional attempts to protect their specific account, or to block the DOS on a case by case basis. This will help very little against a DDOS against a single account, but will typically thwart a malicious individual that is just harassing your user.

Re:Limit logins without DOS? (1)

Kozz (7764) | more than 5 years ago | (#26374905)

Congratulations, you've DOSed the help desk.

Re:Limit logins without DOS? (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26375063)

That is basically what we do for internal user logins, since we have to have a helpdesk anyway; but there is just no way that some barely-ad-supported-trendy-new-media-web2.0-mashup-widget-api-hipster outfit is going to be able to afford a bunch of real people sitting at phones and waiting for users with free accounts to have trouble. Also, while it definitely stops high-speed scripted attacks, humans are, on average, pretty easy to social engineer. In an environment where I can walk down and talk to you in person, or verify some sort of credentials you have as an employee, this is manageable. Random internet service user, though, not so much.

Easy... (1)

msimm (580077) | more than 5 years ago | (#26374965)

You don't. Instead you throttle login speed and monitor X multiple fails. You can also break up the way the application responds to multiple failed attempts; you can redirect X failed logins to a help page or password reset page. You're only limited by your imagination; there is a lot you can do that won't really impact a human but will impact a script, and quite differently.

Re:Limit logins without DOS? (1)

TrickyPeach (1377843) | more than 5 years ago | (#26375093)

How many login tries does a legitimate user need anyway? 3? Surely if you don't know it, you just don't know it?

Re:Limit logins without DOS? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26375247)

For my users to log in they have to supply the correct password AND have not failed a password check in the last 3 seconds. If not, they get a "Wrong Password" message either way.

iam3prez (-1, Flamebait)

wsanders (114993) | more than 5 years ago | (#26374335)

Obama's account hacked with a dictionary attack?

Come on, he has people to warn him about this stuff. Assuming the account REALLY belonged to him.

Re:iam3prez (2, Informative)

Anonymous Coward | more than 5 years ago | (#26374417)

It wasn't Obama's account that got attacked. They attacked the account of a Twitter administrator, and then got access to the web-based control panel to reset Obama's password. Pretty lame that a) the admin had such a bad password and b) you can access the control panel from the public internet with the same login as your twitter account.

Re:iam3prez (1)

AntiNazi (844331) | more than 5 years ago | (#26374425)

RTFA.

I know it's /. so I'll give you the summary. He dictionaried a staff member and used the admin panel to reset passwords on the celeb/news accounts. The password strength of all accounts other than the staff member were irrelevant.

Re:iam3prez (3, Informative)

Mr. Sketch (111112) | more than 5 years ago | (#26374489)

Looks like you didn't actually read the article. The account of a twitter admin was hacked with a dictionary attack. That account was then used to reset the passwords for various other accounts (Fox News, Obama, Britney Spears, etc) to gain access to those accounts. The original passwords for those additional accounts were not obtained. Only one account (the twitter admin) was hacked, the rest just had their passwords reset.

Smelly linux crapware detected .. (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26374509)

on twitter servers. Why don't they use a real OS like NT instead of some toy hippie crap like linux. Oops I guess I forgot slashcrap "logic"

Windows site hacked - LOLZ!!111 bug in windows, M$ Suxx0rs
Linux site hacked - Sysadmin is incompetent

Year of the linux.. hell yeah !

http://lkml.indiana.edu/hypermail/linux/kernel/0901.0/00653.html [indiana.edu]

HAHAHA.

Best Result of Twitter Hack - new movies... (1)

Jherek Carnelian (831679) | more than 5 years ago | (#26374735)

Because of the message from the hacked britney spears account, I found out about a cool indie horror flick - Teeth [imdb.com] - found it online and enjoyed it for the quirky little story that it was.

Re:Best Result of Twitter Hack - new movies... (0)

Anonymous Coward | more than 5 years ago | (#26374867)

That was one of the most terrible movies I've ever seen.

Re:Best Result of Twitter Hack - new movies... (0)

Anonymous Coward | more than 5 years ago | (#26375293)

Agreed

The Britney Spears hack message (1, Funny)

Anonymous Coward | more than 5 years ago | (#26374741)

"HI Yall! Brit Brit here, just wanted to update you all on the size of my vagina. Its about 4 feet wide with razor sharp teeth."

Hacker Ethics? (1)

ezwip (974076) | more than 5 years ago | (#26374849)

It's a harmless attack.

Obama, a celebrity? (4, Funny)

IronChef (164482) | more than 5 years ago | (#26374935)

Somehow it is disturbing that the President-Elect is lumped in with Britney as a celebrity.

What is the level of discourse on Mr. Obama's twitter thing, anyway? I could look, I suppose, but it is more fun to imagine.

---

im in ur white house

secret service bitches following me everywhere. about 3 minutes ago from web

these pancakes are righteous! about 2 hours ago from airforce1r

are ufoz real? I am going to find out! about 4 hours ago from web

I think Hillary just cut the cheese LOLz about 8 hours ago from twitterrific

Re:Obama, a celebrity? (0)

Anonymous Coward | more than 5 years ago | (#26375001)

Hahahaha. I L0L'd. Mod points to you sir.

Re:Obama, a celebrity? (1)

mdm-adph (1030332) | more than 5 years ago | (#26375121)

You sure that's not Bush's twitter you're imagining? It looks like what one would expect...
