Uh here to say a few words about the uh uh Twitter hack.
It's basically the same thing that had occurred to my first Twitter account, my primary Twitter account.
So I'll explain this and I'll draw what actually happened.
My old account was at Cliff Underbar High.
I have a new account.
It was my alternate account, the alternate account was used to access the Twitter feed for some software I wrote where we used uh PGP software and it not to get into it, but uh I took words off the Twitter feed and and did a real-time analysis for advertising purposes.
Um but this was the the my primary account for years, it had like maybe 49k followers or something, I don't know, something like that.
Uh but here's how here's how your authentication stuff works.
Uh they have a database.
Uh there's actually uh probably two separate databases if they're smart rather than two tables within a single database.
Uh one is the admin.
This is all part of the two-factor authentication, and um uh what happens is your password is in your ID unique ID number account here in the one primary database that also has uh the other information about you, you know, your location and all the stuff they collect that describes you as a person relating to their account.
And you know, it'll ultimately may include how many times you log in and in a given week, how active you are, the number of tweets, all the analytics stuff that you can see on your Twitter account by going to the analytics.
And all of that stuff is kept over here, and this can be thought of as your um your personal master record within the Twitter uh system.
Over on this other database, they're gonna have your phone number.
And that phone number is used by their software to send you a message, a text, uh, that provides a code that you have to respond to in order to have that code trigger a piece of software here.
And so when you when you receive this code, and actually it's not that, when you uh respond to it.
So you you respond to that code and you send off a message which is received back via the software here, and that response is logging in and replying and re-feeding this code back into the software.
Um so this is two-factor authentication in the sense that you have to have both the password being input as well as having to receive having received the code.
Now, having received the code depends obviously on the phone number that's stored in this database.
And so here's where it gets really tricky for us because uh it's it's beautiful system because if people can't crack into this database, they can't get that phone number or change it and take over your account, as has happened with this latest Twitter hack.
Uh but if you've got somebody inside there, they can just open up the database with an admin tool, make a change to that phone number, and then when the when the software requests two-factor authentication to prove who you are in order to allow something to happen, that code is sent to you.
So if you also have the password, you are that account from that point forward.
And if you make a change and you cause this phone number to change, as well as the password on the account, then Twitter was in deep trouble.
Anyone who would be an admin would be in deep trouble trying to retrieve and take that account back over.
Because your software is actually set up to prov your security system is set up to prevent changes to both except through authorized channels.
And basically, you need to have those in order to prove that you have the authority to make changes to them.
So just having them.
So it's like it's a very sort of an elegant hack, but it requires somebody inside.
Or there is another far-out, far-fetched possibility that I actually ran into once in real life, okay, in a much more limited system that used a similar two-factor phone-based authentication system.
In that case, I was involved with uh I was a software subcontractor and technology subcontractor and system designer and network analyst and all of that kind of shit for a number of years, a great number of years, uh 25 or 30 years actively, and uh did a lot of contracts.
Uh one of them involved a company that had access to uh the back channel post office interbanking system through which maybe a billion dollars a year was transferred for people.
And uh so there, as you can imagine, there's tight security on that.
Uh when I took over the job uh without going into too much detail, uh, within the first day and a half, it it became known to me because I always sweep to find out what I'm you know, go through the machines and look at what how it's all set up just to figure out what I'm dealing with.
Um it I became aware of the fact that there were these open ports uh on a Unix-based uh Sun SPARC system, actually.
And I um so I shut the ports off and uh did the usual cleanup on it and stuff.
There was nothing really amiss I could see, uh, but I didn't like the fact that there were just uh these access ports that were unmonitored and and so forth, especially on such a sensitive system.
And so what occurred was I came back a couple of days later.
So that happened like on a Tuesday, and then the following Monday I came back in because of the nature of how I'd been hired and all of this kind of stuff.
There was a little gap there over the weekend.
I come back in to find that those ports are open again, and I and I popped a cork and discovered that uh the back the backup had been used, a backup tape.
It was on digital um one-inch digital uh high-speed tape, uh DST backup, and uh had been used over the weekend to restore uh because uh an image to a machine because there had one of the servers because there had been a uh a hitch hitch in the get along, right, in one of the software things, and somebody had really buggered it up and they had to restore.
There was a lot of this stuff I didn't control.
I was just on the uh IT system admin security part of things.
And so it's like I didn't control the customer software or you know, the internal uh software used by the uh the workers there in servicing the clients and so on.
I just had this particular role, and I was only going to be there for a few months anyway, but I had to have control of the system in order to do what I needed to do, so I got a little bit out of shape about this, and then went in and looked and and uh through uh of maybe a week and a half of uh uh serious uh analysis discovered that nobody in that office had ever authorized these two ports to be open, and yet they were open and they were continually open, and I found them on every single one of the backups.
That that's normal in the sense if you open up some ports on a machine and then you scan that machine for all the software settings, dump it to tape, and they stay open, it's always going to be on every backup, and if you have a backup cycling that you know uses uh 72748 or 128 or whatever number of tapes to accommodate uh a year's worth of backup, you might find that this pollution in the sense of these two open ports is on any number of these backups.
And it's not really possible to edit them out, so you have to have a log of corrections you need to make, and you make a patch tape that you have to run against the thing after every restore, and it becomes quite tedious to deal with.
Well, that may have occurred here on Twitter, but that's highly unlikely, okay?
It's highly unlikely.
Now, the reason that, by the way, it was determined later on, maybe a year and a half after I left the job.
I get a query from local law or from federal law enforcement about this, explained to them what I had done.
I had some of my uh notes and stuff I gave them at the time they were investigating some shit, and learned that uh what they discovered was that somebody was actually actively hacking the backup tapes, that the one of the places in the storage or on the way to the storage, all the tapes from this and a number of other places were being messed with.
And and this was decades ago.
Um anyway, so uh that's how things that's what I'm assuming is that they were actually just going through and putting these open ports in these machines trying to compromise this system.
And this was decades ago.
I had no uh under I I don't know what ever happened to the issue or how it was all resolved.
Anyway, so um so Twitter at the moment has some serious issues, very serious issues.
Not only just the software hack and the potential compromise of an inside person, right?
Uh they have all kinds of other ramifications to this as a result of what's happened already, and what may yet have have to happen as a result of the compromise of their system because their system has been 100% compromised from from uh we'll go into it.
Okay, so uh the security software that allows you to log in has now been has now been uh taken over uh because the data upon which it relies cannot be trusted anymore, and thus these accounts were able to be seized uh by parties unknown, presumably parties unknown.
Okay, so this whole software system, now the software itself uh might be um uh uncompromised, but you don't know.
You've got to go through and check it.
Uh especially if you're running on an actively uh on an active kernel like a Linux system or a Unix system where the kernel itself can be altered while it's running and images thereafter also polluted.
So you have to check that software.
You have to go through and you have to check the entire database in an automated fashion with AI, with something that's outside this system that had potentially hasn't been compromised itself, because that hackers frequently, in order to scrub out their uh footprint of what they're doing, will instantly compromise the security services and microservices on the systems they're attacking in order that if those things are run against them, is because someone might discover a half a second after you started or two seconds or five minutes and start running uh security uh routines against you, those are already deadened, uh hardened off uh so that they can't see you, right?
It's a common uh commonly employed technique just to buy you more time and and uh make life easier for you once you've penetrated the system.
Uh so they now have to worry about the any potential alteration of their own internal software systems by something from the outside.
And this sounds sophisticated enough that I wouldn't put past insertion insertion of uh code chunks into their so they may have had uh part of this be an insertion attack while all the rest of the garbage is going on, while you've got all the big brouhaha, you're you're polluting their entire system and basically uh uh putting in ports and opening up back doors for later on.
And unless they go through thousands, potentially thousands of lines of code uh to sweep for such uh they may not know it until it happens again.
Uh, you know, thus is the fate of the of the network admin and the security guys.
They gotta get it be working for fucking months on this shit.
Um, so they've also got to got to come through here and check and validate the database somehow, or throw it out and decide to rebuild it, cut their losses, any number of uh potential solutions because it depends on how far and and wide within the database the damage extends.
You have to assume it's all taken.
But you have to assume that every single password and every single phone number was taken out of Twitter.
And let me explain what actually happened to me.
I when they hacked my account, I I came back in to discover that I'd violated overnight without having done any tweets, I'd violated Twitter's terms of service.
How this occurred was that someone had come on in and they had uh changed the phone number.
So they'd come on in and compromised my two-factor authentication with a phone number that was not mine.
So when I tried to log in and deal with Twitter, I discovered that I couldn't reset my password, my password was not being accepted, because it kept sending this code to a phone number that I didn't have.
So I was never going to be able to get that code and respond.
And without that code, the Twitter software, the Twitter system, wouldn't allow me to interact with it.
It took weeks for me to finally get around to getting emails through to Twitter, and they didn't respond because as far as they were concerned, here's what happened.
They told me I came on in and changed my phone number.
So whoever came on in had my password.
Okay, so they also compromised my password.
And then I, at that point, almost instantly, after changing this phone number, and it wasn't me, of course, this was all happening while I was asleep, I then took one of my tweets and spammed people with it, according to according to the definition of Twitter.
Which was the sending the same tweet over and over and over again to uh a widening group of people.
And it was like, wait a second, guys, I didn't do any of that.
That occurred at a time frame relative to me that I was sacked out.
Not that they could know that, not that I can prove that, but um, but it's not my usual habit to tweet.
They can check that, they could check and see how often have I ever tweeted between you know uh 10 p.m. and midnight uh and how often have I ever done uh a phone number change, never done a phone number change ever.
And so, and all this was done at a time that I was I was asleep.
And so it in my opinion, it had to have been done from the inside because it it meant that they had the password and the original phone number, which is required to change uh to a new phone number.
And they had to have the password to do both.
So they were logged in as me, whether they were physically on site or not, it sure appeared like it was an inside job.
Now, getting back to Twitter in a general sense, the two-factor authentication is now buggered all to hell, and they have this issue of was there an insertion attack at the same time?
Is all of their their software compromised?
They have to assume that the entire database is compromised, that that it's um been taken.
They have to assume that that the hack level went that far if they're assuming it's an inside kind of a thing.
Uh because you're not going to be able to find uh network traces uh usually you could do packet analysis, but that would take you forever, and it would assume you had a really good and giant uh history of all activity.
Um then you could determine probably if you know, but it would it take forever or you'd have to really automate the sweep on it, have to have some really sophisticated tools.
Uh but this is why the "me too" uh title here, because they use the same kind of structure of taking over the phone number so that when Twitter uh issued a two-factor response mechanism here, it automatically reinforced the hacker's position relative to the ownership of those uh IDs.
The fact that they had them and the fact that you can go out on uh the I think it's probably even on the open internet now, but you can go out on the deep web and um have a look at um uh the admin software for dealing with Twitter's database, which looks to be a variant of you know common structures like cPanel and and uh Windows host manager kind of stuff, right?
Uh what's that um uh active server uh stuff that Microsoft produces, the same kind of uh admin panels.
Um anyway, so whoever had done this has done a uh relatively thorough job of screwing over Twitter.
Now, here's the the other aspect of this.
Okay, so let's say that um that the that you don't know that it's an insertion attack or not.
You gotta find out.
You do know your database is screwed, and so you've got to scrub and deal with that.
You do know that you're you can't rely on your security system at the level of data anymore, and you may not even be able to rely on it at the level of code.
So all this has to be reworked and so on.
Then there's the other aspect, not the PR, not the um egg in the face, not any of that kind of stuff, right?
Now you have to worry about if it was actually an inside job, you've got to worry about somebody at putting Packet Squirrels or pen testing um uh LAN Turtle kind of uh uh devices on the network and continuing to continuing to cause problems because you're not aware that after you've made all these changes while you're making all these changes and doing all your work, they're watching every damn thing you're doing.
Because you're you just you know, you see these things plugged in and they're plugged in everywhere and they all look alike, and you don't know is that yours, should it be there, and the guys that are working there don't have historical knowledge of what was put on where sometimes you see these things with tape on it that says, do not remove you know, basically we're gonna kill you if you remove it.
And sometimes that's legitimate, but sometimes it's just a trick.
And so uh so you got these kind of tools and stuff uh potentially on all your hardware.
So now all the hardware, the network, then there's the network routers, you know, how deep did the penetration go in terms of the hack.
Um so anyway, it might have been an absolute, absolute um uh uh deep, deep, deep penetration to the level where they can't trust anything, and they're gonna have to basically rebuild this over the next who knows how long.
So uh so we've all to some extent had the "me too" experience.
You can't trust anything coming out on Twitter now.
Um I'm not particularly worried about it.
Uh you know it's um it is what it is, just this day and age, uh, you know, and I'm not in charge anymore of doing that kind of security stuff, thank God.
You know, I just don't want to deal with that, especially at Twitter.
Oh, you've got so many enemies.
Oh for security, you want actually the best kind of security jobs, in my opinion, are the ones that are extremely low profile, uh, that you never ever hear about unless there's a major screw up, but usually those are uh and and for small small companies that have stuff that's highly valuable.
The reason being that unlike large companies like Twitter, uh, which is highly valuable and so on, but unlike very large companies, with small companies that have uh high value uh assets they're protecting, you know you've got a good cash flow because people want to protect those assets, and you also know you've got basically a limited number of potential enemies and and persons that want to cause you uh difficulties, and so it's much more easy to manage.
Here you're in a situation where everybody may hate Twitter, you know, even the people that like Twitter may hate Twitter.
So, you know, your potential universe of enemies is very large, and uh, but this was very sophisticated, so that narrows it down quite a bit.
Uh in any event though, so uh so that was that part of it.
Now, I wanted to get on to um uh just a little bit of quick housekeeping.
Uh okay, so I'm not in a position anymore to get into uh magnetics and the experiments.
Uh it's gonna be a while.
This is because of some success.
I'm uh having to teach myself um uh 3D modeling software, and I'm taking the nerd approach basically.
I've been reading Boscovich, uh I'm hitting in some serious uh good stuff.
The ideas are just popping off like mad.
The uh I'm just like Tesla.
I've decided okay, I'm gonna take this thing and my ideas and smoosh them together and ship them off as patent applications as I refine all of this stuff and test it out.
In order to be efficient at this, I don't want to be spending all my time drawing shit, so I may use 3D modeling software where I can just quickly write master it, quickly um uh construct the 3D models required for the purposes of uh patent illustration, uh slice them into 2D, print them off, and off we go.
Um takes longer on your first one because you've got to stop and learn the software, but thereafter you can just crank them out fairly quick.
Seeing the level of uh productivity coming out of um the Boscovich readings uh makes me think okay, I gotta get uh serious about this because um maybe there's 500 patents in the next you know 200 pages of this book uh just by the very uh by the nature of this stuff being being examined.
Um but until I actually get the software there and these things uh patent items in in process and you know the patent application paid for, submitted, received, all of that.
It's gonna take fucking forever to get any kind of a patent resolution on anything now.
Uh but uh as soon as I've got that going, then there will be some point to uh almost potentially abrogating the patent veil uh to get up to the point of discussing prior art to be able to suggest certain usages so that we can start employing some of these techniques and uh in uh ahead of uh patents being granted, no point waiting on the government.
Uh if I can get my flying RV off the ground, uh I'll get it off and fly it around while waiting to get the bugger licensed.
So, you know, until they come up with the organ the um the laws saying how you can deal with your anti-gravity RV, you know, and put up floating um traffic control systems, you know, it's wide open up there, so I'll get up there and float around.
Anyway, though, um, so no more magnet discussions, but not because of um uh lack of progress.
Basically exactly the reverse of that.
Now having to take the diversion into uh learning software, which is really cool actually.
I'd never gotten into 3D animation software.
It was never anything that interested me, but now I've got the time, especially with the current conditions, uh, to sit down and get into it seriously.
I'm gonna jump back into my uh next lesson on level, I think I'm at up to lesson six on level one, a couple of days I should have it uh pretty well um uh understood and and know what to get uh you know how to get to the help basically because it then just ask the software, here's what I want to do, you know, what's the keystroke for that?
Uh anyway, uh so uh the Twitter thing, it's uh you know, um interesting.