Tonight on GeekNights, we consider the (largely unwise) idea of bug bounties, as well as the questions and concerns around responsible disclosure of bugs and exploits in software and services. We did talk about this once back in 2009, but times have changed.
It’s working for me. I think Libsyn is just slow at making the episode live. It goes live on our site as soon as the upload to Libsyn is complete, but it’s 404 until they finish processing or whatever.
If I was a nefarious state actor, I would use a hack like this to get full Twitter DM history and other private data, then pass it off as an incompetent bitcoin scam.
There is very little of value in Twitter private DMs unless someone is sending very sensitive information in there, and that is very unlikely. They are useless for blackmail purposes because there’s no way to prove they are legitimate if you leak them.
Can you sue someone for defamation if it happened in a private communication that was leaked?
If we fabricate defamatory leaked Twitter DMs using a combination of machine learning and educated guessing, how likely are we to score a “hit” and fabricate a dangerous DM that matches a real one? I guess we could get the content right, but it would be next to impossible to get the time and date correct as well.
Maybe Twitter DMs were a bad call. But you know, when I see a big hack like this, I’m always impressed the perpetrators are aiming so low! To me, it would make more sense if the small (but explicable) gains are there to shield someone way more nefarious.
You look at a bike rack on the street. You got 5 bikes. 4 of them got double U-locks and heavy chain. One has a cable lock. Guess which one gets stolen?
Twitter is the cable locked bike. Actual banks are the other four. People would love to break into those, they just don’t have the capability to do it and get away with it.
If I’d had this access and were a nefarious actor, I’d keep it secret until the day of a major election and start tweeting from certain high profile accounts plausible but destabilizing statements.
Time it to coincide with just before peak voting time periods based on historical data. The debunking and response would take long enough to possibly affect the outcome.
I’d just buy stocks way in advance. Then do tweets that make them move up and sell. I bought them so far in advance, nobody will think I was insider trading.