July 16, 2020 - Clif High
26:40
2020 07 16 critical thinking - #me_twoo
Hello, it's 10.30, it's 10.30 a.m. on July 16, 2020.
Here to say a few words about the Twitter hack.
It's basically the same thing that had occurred to my first Twitter account, my primary Twitter account.
So I'll explain this and I'll draw what actually happened.
My old account was @clif_high.
I have a new account.
It was my alternate account.
The alternate account was used to access the Twitter feed for some software I wrote where we used PGP software.
Not to get into it, but I took words off the Twitter feed and did a real-time analysis for advertising purposes.
But this was my primary account for years.
It had like maybe 49k followers or something.
I don't know, something like that.
But here's how your authentication stuff works.
They have a database.
There's actually probably two separate databases if they are smart, rather than two tables within a single database.
One is the admin.
This is all part of the two-factor authentication.
And what happens is your password and your unique ID number are in your account record here, in the one primary database that also has the other information about you, you know, your location and all the stuff they collect that describes you as a person relating to their account.
And you know, it ultimately may include how many times you log in in a given week, how active you are, the number of tweets, all the analytic stuff that you can see on your Twitter account by going to the analytics.
And all of that stuff is kept over here and this can be thought of as your personal master record within the Twitter system.
Over on this other database, they're going to have your phone number.
That phone number is used by their software to send you a message, a text, that provides a code that you have to respond to in order to have that code trigger a piece of software here.
And so when you receive this code, and actually it's not that, it's when you respond to it: you respond to that code and you send off a message which is received back via the software here,
and that response is logging in and replying and feeding this code back into the software.
And so this is two-factor authentication in the sense that you have to have both the password being input as well as having received the code.
Now, having received the code depends, obviously, on the phone number that's stored in this database.
And so here's where it gets really tricky for us because it's a beautiful system because if people can't crack into this database, they can't get that phone number or change it and take over your account as has happened with this latest Twitter hack.
But if you've got somebody inside there, they can just open up the database with an admin tool, make a change to that phone number, and then when the software requests two-factor authentication to prove who you are in order to allow something to happen, that code is sent to you.
So if you also have the password, you are that account from that point forward.
And if you make a change and you cause this phone number to change, as well as the password on the account, then Twitter was in deep trouble.
Anybody who would be an admin would be in deep trouble trying to retrieve and take that account back over, because your security system is actually set up to prevent changes to both, except through authorized channels.
And basically, you need to have those in order to prove that you have the authority to make changes to them.
So just having them.
So it's a very sort of elegant hack, but it requires somebody inside.
Or there is another far-out, far-fetched possibility that I actually ran into once in real life, okay, in a much more limited system that used a similar two-factor phone-based authentication system.
In that case, I was a software subcontractor and technology subcontractor and system designer and network analyst and all of that kind of shit for a number of years, a great number of years, 25 or 30 years, actively, and did a lot of contracts.
One of them involved a company that had access to the back channel post office inter-banking system through which maybe a billion dollars a year was transferred for people.
And so, as you can imagine, there's tight security on that.
When I took over the job, without going into too much detail, within the first day and a half, it became known to me because I always sweep to find out what I'm, you know, go through the machines and look at how it's all set up just to figure out what I'm dealing with.
I became aware of the fact that there were these open ports on a Unix-based Sun SPARC system, actually.
And so I shut the ports off and did the usual cleanup on it and stuff.
There was nothing really amiss I could see, but I didn't like the fact that there were just these access ports that were unmonitored and so forth, especially on such a sensitive system.
And so what occurred was I came back a couple of days later.
So that happened like on a Tuesday.
And then the following Monday I came back in because of the nature of how I'd been hired and all of this kind of stuff.
There was a little gap there over the weekend.
I come back in to find that those ports are open again and I popped a cork and discovered that a backup had been used, a backup tape.
It was on one-inch digital high-speed tape, a DST backup, and it had been used over the weekend to restore an image to one of the servers, because there had been a hitch in the get-along, right, in one of the software things, and somebody had really buggered it up and they had to restore.
There was a lot of this stuff I didn't control.
I was just on the IT system admin security part of things.
And so it's like I didn't control the customer software or the internal software used by the workers there in servicing the clients and so on.
I just had this particular role.
And I was only going to be there for a few months anyway, but I had to have control of the system in order to do what I needed to do.
So I got a little bit out of shape about this and then went in and looked and through maybe a week and a half of serious analysis, discovered that nobody in that office had ever authorized these two ports to be open.
And yet they were open and they were continually open and I found them on every single one of the backups.
That's normal in the sense if you open up some ports on a machine and then you scan that machine for all the software settings, dump it to tape, and they stay open.
It's always going to be on every backup.
And if you have a backup cycling that, you know, uses a 727, 48, or 128 or whatever number of tapes to accommodate a year's worth of backup, you might find that this pollution, in the sense of these two open ports, is on any number of these backups.
And it's not really possible to edit them out.
So you have to have a log of corrections you need to make and you make a patch tape that you have to run against the thing after every restore and it becomes quite tedious to deal with.
Well that may have occurred here on Twitter, but that's highly unlikely, okay?
It's highly unlikely.
Now, the reason that, by the way, it was determined later on, maybe a year and a half after I left the job, I get a query from local law or from federal law enforcement about this, explained to them what I had done.
I had some of my notes and stuff I gave them at the time.
They were investigating some shit.
And learned that what they discovered was that somebody was actually actively hacking the backup tapes, that one of the places in the storage or on the way to the storage, all the tapes from this and a number of other places were being messed with.
And this was decades ago.
Anyway, so that's how things, that's what I'm assuming, is that they were actually just going through and putting these open ports in these machines trying to compromise this system.
And this was decades ago.
I don't know whatever happened to the issue or how it was all resolved.
Anyway, so Twitter at the moment has some serious issues, very serious issues.
Not only just the software hack and the potential compromise of an inside person, right?
They have all kinds of other ramifications to this as a result of what's happened already and what may yet have to happen as a result of the compromise of their system, because their system has been 100% compromised from we'll go into it.
Okay, so the security software that allows you to log in has now been taken over because the data upon which it relies cannot be trusted anymore, and thus these accounts were able to be seized by parties unknown, presumably parties unknown.
Okay, so this whole software system, now the software itself might be uncompromised, but you don't know.
You've got to go through and check it, especially if you're running on an active kernel like a Linux system or a Unix system where the kernel itself can be altered while it's running and images thereafter also polluted.
So you have to check that software.
You have to go through and you have to check the entire database in an automated fashion with AI, with something that's outside this system that potentially hasn't been compromised itself.
Because hackers frequently, in order to scrub out their footprint of what they're doing, will instantly compromise the security services and microservices on the systems they're attacking in order that if those things are run against them, because someone might discover a half a second after you started or two seconds or five minutes and start running security routines against you, those are already deadened, hardened off so that they can't see you, right?
It's a commonly employed technique just to buy you more time and make life easier for you once you've penetrated the system.
So they now have to worry about any potential alteration of their own internal software systems by something from the outside.
This sounds sophisticated enough that I wouldn't put past insertion of code chunks into there.
So they may have had part of this be an insertion attack while all the rest of the garbage is going on, while you've got all the big brew ha-ha, you're polluting their entire system and basically putting in ports and opening up back doors for later on.
And unless they go through thousands, potentially thousands of lines of code to sweep for such, they may not know it until it happens again.
You know, thus is the fate of the network admin and the security guys.
They've got to be working for fucking months on this shit.
Now, so they've also got to come through here and check and validate the database somehow or throw it out and decide to rebuild it, cut their losses, any number of potential solutions because it depends on how far and wide within the database the damage extends.
You have to assume it's all taken, but you have to assume that every single password and every single phone number was taken out of Twitter.
And let me explain what actually happened to me.
When they hacked my account, I came back in to discover that I'd violated overnight without having done any tweets, I'd violated Twitter's terms of service.
How this occurred was that someone had come on in and they had changed the phone number.
So they'd come on in and compromised my two-factor authentication with a phone number that was not mine.
So when I tried to log in and deal with Twitter, I discovered that I couldn't reset my password.
My password was not being accepted because it kept sending this code to a phone number that I didn't have.
So I was never going to be able to get that code and respond.
And without that code, the Twitter software, the Twitter system, wouldn't allow me to interact with it.
It took weeks for me to finally get around to getting emails through to Twitter, and they didn't respond because as far as they were concerned, here's what happened.
I came on in, they told me.
I came on in and changed my phone number.
So whoever came on in had my password.
Okay, so they also compromised my password.
And then I, at that point, almost instantly, after changing this phone number, and it wasn't me, of course, this was all happening while I was asleep.
I then took one of my tweets and spammed people with it according to the definition of Twitter.
It was like, wait a second, you know, which was sending the same tweet over and over and over again to a widening group of people.
And it was like, wait a second, guys, I didn't do any of that.
That occurred at a timeframe relative to me that I was sacked out.
Not that they could know that, not that I can prove that, but it's not my usual habit to tweet.
They can check that.
They can check and see how often have I ever tweeted between 10 p.m. and midnight and how often have I ever done a phone number change.
Never done a phone number change ever.
And so, and all this was done at a time that I was asleep.
And so, in my opinion, it had to have been done from the inside because it meant that they had the password and the original phone number, which is required to change to a new phone number.
And they had to have the password to do both.
So they were logged in as me.
Whether they were physically on site or not, it sure appeared like it was an inside job.
Now, getting back to Twitter in a general sense, the two-factor authentication is now buggered all to hell.
And they have this issue of, was there an insertion attack at the same time?
Is all of their software compromised?
They have to assume that the entire database is compromised, that it's been taken.
They have to assume that the hack level went that far if they're assuming it's an inside kind of a thing.
Because you're not going to be able to find network traces.
Usually, you could do packet analysis, but that would take you forever.
And it would assume you had a really good and giant history of all activity.
And then you could determine probably if, you know, but it would take forever or you'd have to really automate the sweep on it, have to have some really sophisticated tools.
But this is why the MeTwo title here, because they use the same kind of structure of taking over the phone number so that when Twitter issued a two-factor response mechanism here, it automatically reinforced the hacker's position relative to the ownership of those IDs.
The fact that they had them and the fact that you can go out on the, I think it's probably even on the open internet now, but you can go out on the deep web and have a look at the admin software for dealing with Twitter's database, which looks to be a variant of common structures like cPanel and Windows Host Manager kind of stuff, right?
What's that?
Active server stuff that Microsoft produces, the same kind of admin panels.
Anyway, so whoever had done this has done a relatively thorough job of screwing over Twitter.
Now, here's the other aspect of this.
Okay, so let's say that you don't know that it's an insertion attack or not.
You've got to find out.
You do know your database is screwed, and so you've got to scrub and deal with that.
You do know that you can't rely on your security system at the level of data anymore, and you may not even be able to rely on it at the level of code.
So all this has to be reworked and so on.
Then there's the other aspect, not the PR, not the egg in the face, not any of that kind of stuff, right?
Now you have to worry, if it was actually an inside job, about somebody putting Packet Squirrels or pen-testing LAN Turtle kind of devices on the network and continuing to cause problems, because you're not aware that after you've made all these changes, while you're making all these changes and doing all your work,
they're watching every damn thing you're doing, because you see these things plugged in and they're plugged in everywhere and they all look alike and you don't know, is that yours?
Should it be there?
And the guys that are working there don't have historical knowledge of what was put on where.
Sometimes you see these things with tape on it that says, do not remove.
You know, basically, we're going to kill you if you remove it.
And sometimes that's legitimate, but sometimes it's just a trick.
And so you've got these kind of tools and stuff potentially on all your hardware.
So now all the hardware, the network, then there's the network routers.
You know, how deep did the penetration go in terms of the hack?
So anyway, it might have been an absolute, absolute deep, deep, deep penetration to the level where they can't trust anything and they're going to have to basically rebuild this over the next, who knows how long.
So we've all, to some extent, had the Me Two experience.
You can't trust anything coming out on Twitter now.
I'm not particularly worried about it.
You know, it is what it is, just this day and age.
You know, and I'm not in charge anymore of doing that kind of security stuff, thank God.
You know, I just don't want to deal with that, especially at Twitter.
Oh, you've got so many enemies.
Oh.
For security, you want actually the best kind of security jobs, in my opinion, are the ones that are extremely low profile, that you never ever hear about unless there's a major screw-up.
But usually, those are for small companies that have stuff that's highly valuable.
The reason being that unlike large companies like Twitter, which is highly valuable and so on, but unlike very large companies, with small companies that have high-value assets they're protecting, you know you've got a good cash flow because people want to protect those assets, and you also know you've got basically a limited number of potential enemies and persons that want to cause you difficulties, and so it's much more easy to manage.
Here you're in a situation where everybody may hate Twitter.
You know, even the people that like Twitter may hate Twitter.
So, you know, your potential universe of enemies is very large.
But this was very sophisticated, so that narrows it down quite a bit.
In any event, though, so that was that part of it.
Now, I wanted to get on to just a little bit of quick housekeeping.
Okay, so I'm not in a position anymore to get into magnetics and experiments.
It's going to be a while.
This is because of some success.
I'm having to teach myself 3D modeling software, and I'm taking the nerd approach basically.
I've been reading Boscovich, I'm hitting in some serious good stuff.
The ideas are just popping off like mad.
I'm just like Tesla.
I've decided, okay, I'm going to take this thing and my ideas and smoosh them together and ship them off as patent applications as I refine all of this stuff and test it out.
In order to be efficient at this, I don't want to be spending all my time drawing shit, so I'm going to use 3D modeling software where I can just quickly master it, quickly construct the 3D models required for the purposes of patent illustration, slice them into 2D, print them off, and off we go.
Takes longer on your first one because you've got to stop and learn the software, but thereafter you can just crank them out fairly quick.
Seeing the level of productivity coming out of the Boscovich readings makes me think, okay, I've got to get serious about this, because maybe there's 500 patents in the next 200 pages of this book just by the very nature of this stuff being examined.
So, but until I actually get the software there and these things, patent items in process, and the patent application paid for, submitted, received, all of that, it's going to take fucking forever to get any kind of a patent resolution on anything now.
But as soon as I've got that going, then there will be some point to almost potentially abrogating the patent veil to get up to the point of discussing prior art to be able to suggest certain usages so that we can start employing some of these techniques.
And ahead of patents being granted, no point waiting on the government.
If I can get my flying RV off the ground, I'll get it off and fly it around while waiting to get the bugger licensed.
So, you know, until they come up with the laws saying how you can deal with your anti-gravity RV, you know, and put up floating traffic control systems.
You know, it's wide open up there.
So I'll get up there and float around.
Anyway, though, so no more magnet discussions, but not because of lack of progress.
Basically, exactly the reverse of that.
Now having to take the diversion into learning software, which is really cool, actually.
I'd never gotten into 3D animation software.
It was never anything that interested me.
But now I've got the time, especially with the current conditions, to sit down and get into it seriously.
I'm going to jump back into my next lesson on level, I think I'm up to lesson six on level one.
Couple of days, I should have it pretty well understood and know what to get, you know, how to get to the help, basically.
Because then just ask the software, here's what I want to do, you know, what's the keystroke for that.
Anyway, so the Twitter thing, it's, you know, interesting.
I got to go, got to go.
Yep, yep, yep, okay, probably back in range.
Back in range, yep.
Okay, have to go.
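The two checks the talk says an admin could run on the account history (whether the owner ever tweeted at the hour of the phone-number change, and whether the same tweet was spammed out right after it) written as a detection over an audit log. This is an added example, not code from the talk or from Twitter; the event format, account names, phone numbers and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (timestamp, account, event, detail); not a real
# Twitter log format. The clif_high rows mirror the overnight takeover described
# in the talk; otheruser is a benign daytime phone change for contrast.
AUDIT_LOG = [
    ("2020-07-13T14:02:00", "clif_high", "tweet", "magnet experiment notes"),
    ("2020-07-13T15:30:00", "clif_high", "tweet", "boscovich reading"),
    ("2020-07-14T13:10:00", "clif_high", "tweet", "3d modeling"),
    ("2020-07-15T16:45:00", "clif_high", "tweet", "patent drawings"),
    ("2020-07-15T23:41:00", "clif_high", "phone_change", "+1-555-0100 -> +1-555-0199"),
    ("2020-07-15T23:43:00", "clif_high", "tweet", "CHECK THIS OUT http://example.invalid"),
    ("2020-07-15T23:44:00", "clif_high", "tweet", "CHECK THIS OUT http://example.invalid"),
    ("2020-07-15T23:46:00", "clif_high", "tweet", "CHECK THIS OUT http://example.invalid"),
    ("2020-07-14T10:00:00", "otheruser", "tweet", "morning"),
    ("2020-07-15T10:15:00", "otheruser", "phone_change", "+1-555-0200 -> +1-555-0201"),
    ("2020-07-15T10:20:00", "otheruser", "tweet", "lunch plans"),
]


def parse(events):
    """Turn ISO timestamp strings into datetimes so events can be ordered and diffed."""
    return [(datetime.fromisoformat(ts), acct, kind, detail)
            for ts, acct, kind, detail in events]


def flag_takeovers(events, window=timedelta(minutes=30), burst=3):
    """Return one finding per 2FA phone_change that (a) lands in an hour the
    account never tweeted in before the change, and/or (b) is followed within
    `window` by `burst` or more identical tweets. A benign change with neither
    signal produces no finding."""
    rows = sorted(parse(events))
    by_account = defaultdict(list)
    for row in rows:
        by_account[row[1]].append(row)

    findings = []
    for acct, hist in by_account.items():
        for i, (ts, _, kind, _) in enumerate(hist):
            if kind != "phone_change":
                continue
            reasons = []
            # Baseline: the hours of day this account tweeted in before the change.
            prior_hours = {t.hour for t, _, k, _ in hist[:i] if k == "tweet"}
            if ts.hour not in prior_hours:
                reasons.append(f"phone change at hour {ts.hour:02d} outside prior activity hours")
            # Spam burst: identical tweet text repeated shortly after the change.
            later = Counter(d for t, _, k, d in hist[i + 1:]
                            if k == "tweet" and t - ts <= window)
            for text, n in later.items():
                if n >= burst:
                    reasons.append(f"{n} identical tweets within {window} of phone change")
            if reasons:
                findings.append({"account": acct, "at": ts.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_takeovers(AUDIT_LOG):
        print(f["account"], f["at"], "; ".join(f["reasons"]))
```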