GeekNights Monday - Bug Bounties and Responsible Disclosure

Tonight on GeekNights, we consider the (largely unwise) idea of bug bounties, as well as the questions and concerns around responsible disclosure of bugs and exploits in software and services. We did talk about this once back in 2009, but times have changed.

In the news, Twitter was hacked for a bitcoin scam, Deep Fakes are getting dangerous quickly, and there are a lot of reasons you should avoid using TikTok.

Things of the Day

Episode Links

Live Stream:

On Patreon:
https://www.patreon.com/posts/39538065

MP3 download isn’t working. The Patreon version works, though.

while reading that whole Verge article: Oh honey, your problem isn’t the implementation, it’s the capitalism

It’s working for me. I think Libsyn is just slow at making the episode live. It goes live on our site as soon as the upload to Libsyn is complete, but it’s 404 until they finish processing or whatever.

It usually is up within 30-60 seconds. Last night, for whatever reason, it took significantly longer.

If I was a nefarious state actor, I would use a hack like this to get full twitter DM history and other private data, then pass it off as an incompetent bitcoin scam.

1 Like

There is very little of value in Twitter private DMs unless someone is sending very sensitive information in there, and that is very unlikely. They are useless for blackmail purposes because there’s no way to prove they are legitimate if you leak them.

Tell that to Roger Stone…

The defense against defamation (in America) is truth. Lawsuits spin up, and then twitter ends up verifying or disproving the DMs during that process.

Can you sue someone for defamation if it happened in a private communication that was leaked?

If we fabricate defamatory leaked Twitter DMs using a combination of machine learning and educated guessing, how likely are we to score a “hit” and fabricate a dangerous DM that matches a real one? I guess we could get the content right, but it would be next to impossible to get the time and date correct as well.

Maybe twitter DMs was a bad call. But you know, when I see a big hack like this, I’m always impressed the perpetrators are aiming so low! To me, it would make more sense if the small (but explicable) gains are there to shield someone way more nefarious.

You look at a bike rack on the street. You got 5 bikes. 4 of them got double U-locks and heavy chain. One has a cable lock. Guess which one gets stolen?

Twitter is the cable locked bike. Actual banks are the other four. People would love to break into those, they just don’t have the capability to do it and get away with it.

If I’d had this access and were a nefarious actor, I’d keep it secret until the day of a major election and start tweeting from certain high profile accounts plausible but destabilizing statements.

Time it to coincide with just before peak voting time periods based on historical data. The debunking and response would take long enough to possibly affect the outcome.

I’d just buy stocks way in advance. Then do tweets that make them move up and sell. I bought them so far in advance, nobody will think I was insider trading.

Funny how the supposedly anonymous bitcoin did not protect them.