It took us 30 minutes to set up a fake, anonymous Twitter account. So you can imagine what nation-states or bad actors can do.
10 November 2022 (Washington, DC) – As my regular readers know, I take the old Spanish proverb to heart: “It is not the same thing to talk of bulls as to be in the bullring”. So I spend a lot of time with black hats. For my new readers (there are 551 more of you since I started these “coffee chats”) it’s all part of my methodology which I explain in the postscript to this post.
And Twitter has opened the floodgates to new opportunities for black hats. As I noted in a previous post, Twitter has a complex architecture for very good reasons. For example, it runs its own on-premises data centers and advanced infrastructure (e.g. multi-level feature flags, infra-level incremental rollouts). Many of these sophisticated systems are in place to reduce the likelihood of outages, to allow for safe changes and experimentation, and to keep member accounts secure. A week after Elon Musk took over, Twitter executed a massive ~50% layoff, and then realised it had fired people whose expertise it desperately needs. Hence all the news stories that, less than a day after the firings, Twitter managers were desperately trying to call back people they had laid off.
The entire Twitter infrastructure could be taken down easily. I’ll explain how next week. For now, how to create a fake account. Taking the lead from “DEVDEVIL” (one of my black hats on the Dark Web) plus some cleansed advice I found on Twitter itself (before Twitter removed it), here are a few points.
A lot of this will be familiar to my regular Rat Pack. Technology and processes exist to easily change or mutate anything. For instance, every mobile device and every laptop has a quasi-immutable device ID, broadcasting hundreds of times a day on mobile ad exchanges. I say “quasi-immutable” because it can actually be changed. When I am on a sensitive media assignment I use an altered mobile phone which is unconnected to me.
But the Twitter escapade was far easier. It took us 30 minutes to set up a fake, anonymous Apple ID using a VPN and a disposable email address, attach a masked debit card to it (with the billing address being Apple’s HQ, if you can believe it), and get a verified account for an obscure (fake) government functionary. So you can imagine what a nation-state or bad actor can do.
The problem is obvious. Twitter wants to pass the verification steps off to Apple and card providers, but Apple doesn’t check a single detail, and you can easily find disposable cards with no links to you … or even stolen/hacked card details if you’re a particularly malicious actor and trawl the Dark Net. This policy is simply unworkable. Twitter claims it has raised costs for malicious actors, but I think it has actually lowered them. Now anyone with $8 can buy a verified badge rather than having to hire someone to hack a verified user’s account or trawl through password leaks.
As “DEVDEVIL” noted, it is not impersonations of high-profile accounts that are the problem. It’s the person impersonating a minor online celebrity, an obscure government functionary, or perhaps their ex. That’s where the harm will be done, and no one will notice or care until it’s far too late. The problem with the argument that “the verification system now just means something different and we should accept that” is that the new system is very unintuitive and runs counter to what every other social media site does. If you’re not terminally online you may not realize what’s happened.
There will be a few examples of big accounts doing big damage, but I suspect the more common scenario will be small to medium-sized accounts doing small to medium-sized damage (or big damage to a small number of people). It’ll be death by a thousand cuts, not a single blow. If everyone can get verified (without anybody actually verifying their identity at any stage of the process), how will anyone – let alone Twitter – know who the real “Dr X” is? But it’s even worse than this. Twitter will have no way to know which of the 7 accounts claiming to be “Dr X” is really “Dr X”. They may find fakes, but they’ll ban many real users too.
The high-profile/high-impact accounts will be caught quickly. It’s the smaller accounts that are the issue, and a few thousand followers can easily be bought or gained.
My argument is not only that bad stuff might happen. It is also a response to Twitter’s repeated claim that just because Twitter isn’t doing the verification, it doesn’t mean no one is. Our experiment … and countless others doing the same … debunks this claim. No one checked our identity at any stage of the process.
Twitter should focus on prevention rather than mitigation with the impersonation issue. As long as they only treat impersonation as their problem after it’s happened, I’m not sure they’ll get far. This is exactly the sort of somewhat lower-level stuff that could become a bigger issue. Another is people impersonating sex workers, either to get details on their customers, to expose the sex workers, or simply to sell their content without permission.
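To make the “which of the 7 accounts is the real Dr X” problem concrete, here is a short Python script added as an illustration (it is not part of the original post and not anything Twitter runs). It normalizes display names (Unicode NFKC, case folding, accent stripping, and a small hypothetical confusables table for a few Cyrillic and digit look-alikes), groups accounts whose names collide, and flags the young verified accounts in each group against the oldest account. The account records are constructed sample data. Note what it cannot do: it prioritises suspects, it does not establish which account is genuine, which is exactly the point above.

```python
import unicodedata
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical, deliberately tiny confusables table for the example.
# The real Unicode confusables data is far larger.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0131": "i",  # dotless i
    "0": "o",       # digit zero for letter o
    "1": "l",       # digit one for letter l
}


@dataclass(frozen=True)
class Account:
    handle: str
    display_name: str
    verified: bool   # has a blue check (paid or legacy)
    age_days: int    # days since the account was created
    followers: int


def normalize_name(name: str) -> str:
    """Canonical form of a display name for collision detection:
    NFKC, casefold, confusable mapping, accent stripping, then keep only
    letters and digits so that "Dr. X", "Dr X" and "DrX" all collide."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    # Decompose and drop combining marks (accents added to evade exact match).
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))
    return "".join(ch for ch in s if ch.isalnum())


def find_collisions(accounts):
    """Map normalized display name -> list of accounts, keeping only
    names claimed by two or more accounts."""
    groups = defaultdict(list)
    for acct in accounts:
        groups[normalize_name(acct.display_name)].append(acct)
    return {key: grp for key, grp in groups.items() if len(grp) >= 2}


def flag_suspects(accounts, min_age_days=30):
    """Within each collision group, flag verified accounts younger than
    min_age_days, paired with the oldest account using that name.
    This is a triage signal only: it does not prove which one is real."""
    flagged = []
    for key, group in find_collisions(accounts).items():
        oldest = max(group, key=lambda a: a.age_days)
        for acct in group:
            if acct is oldest:
                continue
            if acct.verified and acct.age_days < min_age_days:
                flagged.append((key, acct.handle, oldest.handle))
    return sorted(flagged)


# Constructed sample data (hypothetical handles and numbers).
SAMPLE_ACCOUNTS = [
    Account("drx_official", "Dr X", True, 2900, 48000),     # long-standing
    Account("dr_x_real", "Dr. X", True, 3, 120),            # bought badge, 3 days old
    Account("drx_", "Dr \u0425", True, 5, 40),              # Cyrillic capital Ha as "X"
    Account("xfanclub", "Dr X Fan Club", False, 400, 900),  # no collision
    Account("jdoe", "J. Doe", False, 1200, 300),            # unverified original
    Account("j_doe", "J Doe", True, 1, 20),                 # verified newcomer
]

if __name__ == "__main__":
    for key, suspect, original in flag_suspects(SAMPLE_ACCOUNTS):
        print(f"name group {key!r}: @{suspect} collides with older @{original}")
```

Run as-is, the script reports three collisions: two new verified accounts against @drx_official and one against the unverified @jdoe. Nothing in the data distinguishes the genuine account beyond age and follower count, which is why a platform that checks no identity at all is left guessing.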
A lot more to discuss, but I’ll leave it there. I need to get back to the real world. Russian forces are booby-trapping the city of Kherson, turning it into a city of death. As it departs, the Russian military is mining everything it can: apartments, sewers, etc. It is booby-trapping dead bodies. Typical Russian warfare: they invaded, they robbed, they celebrated, they killed witnesses, and they left the place in ruins.
I keep reading how Russia has “lost the war”. No. For Vladimir Putin, the focus was never a military objective, but the general will to destroy the Ukrainian people. The exact course of events is not so important to him; what is decisive is that in the end the Ukrainians either disappear from Ukraine – or die. The mass rape, execution and mutilation of women, the general depravity and dehumanization in Ukraine, is all instrumental violence directed at achieving a specific goal: the destruction of the Ukrainian people, Ukrainian culture, Ukrainian civilisation. From that standpoint, he has won.
* * * * * * * * * * * * * *
POSTSCRIPT
My media team and I receive and/or monitor about 1,500 primary resource points every month. But I use an AI program built by my CTO (using the Factiva research database + four other media databases) plus APIs like Cronycle that curate the media firehose so I only receive selected, summarized material that pertains to my current research needs, or reading interest.
Each morning I will choose a story to share with you – some out-of-the-ordinary, and some just my reflections on a current topic.
I take the old Spanish proverb to heart: “It is not the same thing to talk of bulls as to be in the bullring”.
Or even better:
-John le Carré, in The Honourable Schoolboy