Twitter

Mr. Twitter Smartman is putting 2FA behind a paywall.

Except that isn’t exactly the situation. Only SMS 2FA is going behind a paywall; everyone can use a 2FA token generator app (like Google Authenticator). I’m not defending Twitter, I just don’t fully understand the takes that this is going to make Twitter accounts less secure. Maybe people moving away from SMS 2FA will not bother to set up a token generator app and will just go without 2FA? Is there any evidence that is happening or has happened when other services removed SMS 2FA?

People don’t realize what’s actually going on here.

In the US people enjoy lots of free unlimited text messages. This is common sense because it costs the mobile phone services next to nothing to deliver SMS messages.

This is not the case everywhere. Many phone services around the world charge for text messages. If you want to send a text message to a number, and that number is one of their customers, you have to pay a fee to get the text message delivered. This is generally all handled automatically by companies like the struggling Twilio and others.

The companies that are paying to send the text messages, like Twitter, just get an invoice for this every month or quarter or whatever. If they are really big companies, they probably aren’t paying much attention to that invoice even if it’s huge. They just pay it because it’s the cost of doing business.

Elon is a fool, but he is desperate to cut costs right now. A Twitter employee must have noticed that Twitter was paying $60 million a year in text message fees. The reason for this is a well-known scam. The scam works like this.

You have an online service.
It is possible for anyone on the Internet to get your service to send a text message.
The user can determine the phone number the text message will be sent to.
The user doesn’t have to pay to get your service to send the text message.
It doesn’t matter if the user can’t control the contents of the text message.

A shady telco company charges a fee for text messages sent to their network.
They set up bots to automatically get your service to send text messages to phone numbers on your telco’s network.
Every time your bot gets their online service to send a text, they charge a tiny fee.
Do this enough, and you can drain Twitter’s bank account.

The real solution to this problem is for Twitter to do a better job of making sure bots can’t make Twitter accounts. They have never, and seemingly will never, succeed at that. Many still assume it’s because it would cause many of their metrics to no longer be falsely inflated.

So they went to the next option. Only allow a user to initiate text messages being sent if that user pays money.

Many people are saying oh no, this is bad for security. Well, yes and no.

We all know that SMS 2FA is vulnerable to SIM hijacking attacks and whatnot. But having SMS 2FA is still better than having nothing. It at least means that the attacker needs to go through the effort of doing the SIM hijack. Is adding an extra pickable lock to the door more secure? Maybe not enough, but it will take the attacker at least a few extra seconds to get inside.

Twitter is still allowing free users to use actually secure non-SMS 2FA. You can secure your account no problem using TOTP. That’s just better anyway. If you’re reading this, you shouldn’t be sad they are taking away SMS 2FA, because you don’t want it anyway.

The problem is that most users who currently have SMS 2FA will not set up TOTP. TOTP is a pain in the butt for normal people. They screw it up and don’t do backup codes properly, etc. Those people are going to be in a situation where someone will guess their shitty password and “hack” their account.

Twitter should require TOTP, passkeys, and/or some other more secure auth mechanism. They won’t. The reason they won’t is because although it would vastly increase security, it will not be a net benefit for them in the wallet. The support issues, the lazy/ignorant users who will get mad, etc. will just cost them. People getting “hacked” doesn’t cost them nearly as much.
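The scam outlined above leaves a recognisable trace on the sending service's side: bursts of SMS sends concentrated on one number range, with codes that are never entered. The following is an added example, not part of the original thread, of a detection pass over constructed send logs; the `verified` field, the prefix length and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, destination_number, code_was_verified).
# All phone numbers are made up for this example.
SAMPLE_EVENTS = (
    # Ordinary users on one prefix: 5 sends spread over time, 4 of 5 codes entered.
    [(t, f"+100055501{i:02d}", i != 3) for i, t in enumerate(range(0, 500, 100))]
    # Burst to a single number range: 6 sends in 25 seconds, no code ever entered.
    + [(65 + 5 * i, f"+999000100{i:02d}", False) for i in range(6)]
)


def flag_pumped_prefixes(events, prefix_len=6, window=600,
                         min_sends=5, max_verify_rate=0.2):
    """Return {prefix: (sends, verify_rate)} for number ranges that look pumped.

    A prefix is flagged when at least `min_sends` messages went to it within
    `window` seconds and at most `max_verify_rate` of those codes were used.
    """
    by_prefix = defaultdict(list)
    for ts, number, verified in events:
        by_prefix[number[:prefix_len]].append((ts, verified))

    flagged = {}
    for prefix, rows in by_prefix.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            if len(burst) < min_sends:
                continue
            rate = sum(v for _, v in burst) / len(burst)
            if rate <= max_verify_rate:
                best = flagged.get(prefix)
                # Keep the largest qualifying burst seen for this prefix.
                if best is None or len(burst) > best[0]:
                    flagged[prefix] = (len(burst), rate)
    return flagged


if __name__ == "__main__":
    for prefix, (sends, rate) in flag_pumped_prefixes(SAMPLE_EVENTS).items():
        print(f"{prefix}: {sends} sends, {rate:.0%} verified")
```

A flagged prefix is a candidate for rate limiting or a send block on that range, which limits the per-message fees without removing SMS for everyone else.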

He’s (trying to?) not pay rent, I wonder if he’d just stiff the SMS providers they use. “Oh fraudulent activity blah blah blah”

Idea popped into my head following your outline of this scam telco: if Scott ran a business it would be called RubiNet.

It’s one more reason why SMS should never be used for 2FA.

I have heard some people bring up some valid points as to why SMS 2FA should exist (Abuse situations where you may not be able to keep arbitrary apps on your phone without “someone” asking uncomfortable questions, screen readers, can’t afford a smartphone), but if you’re capable of using non-SMS 2FA, I agree you should.

An SMS code sent to the phone would be just as “suspicious” as an authenticator app.

Even email 2FA is infinitely more secure (and can be done without a smartphone) than SMS. SMS has unique problems and unique flaws.

Jack Dorsey has launched his new Twitter clone/successor.

I’m not touching that with a thousand foot pole. Jack is not a good person, and he’s deep into crypto bullshit. This has “blockchain scam” written all over it: just give it time.

2 Likes

Who would’ve guessed messing with a company and making it worse could somehow devalue it?

I’d bet two things:

1) That he’s only valuing it at 20 billion because he’s offering equity to employees, and he thinks that it’s worth a lot more. This is primarily because he’s a self-involved idiot.

2) That it’s actually worth closer to half that, at best, and sinking. They’ve lost the overwhelming majority of their ad buy, their users are still leaving in droves with every new Head-ass decision Elon makes, they have regular engineering issues, multiple lawsuits pointed at them, and many more things that would make investors shy away, and that devalue the company.

1 Like

And what does Musk do in response?
He replaces Twitter’s blue bird icon with doge.

Twitter is rebranding. R.I.P. Twitter

Google already has a company called X, though. I wonder if there’ll be a lawsuit down the line.

1 Like

Why can’t Twitter and TikTok be easily replaced? Something called ‘network effects’

Frankly, I think it’s simpler: Whoever does it first, wins. Myspace and Vine are mentioned in the article, but I think they were destroyed by mismanagement. Fox Entertainment let dozens of shows fail, Fox News only exists to further the GOP agenda, so of course Murdoch buying MySpace would fail. Vine was sabotaged after its “stars” attempted to “Unionize”, for lack of a better word.

This is not true at all. Sure enough there is some sort of advantage in the world of business in being first. It gives you time to grab market share without competition. But time and time again we see that it’s only somewhat common for the first company to do something to actually win out in the end.

The first mover advantage does not last very long. Given time for other players to enter the field, the inventors of a thing are frequently out-competed and bowled over. Like a big mountain eventually eroded by rain, it’s just a matter of time.

The biggest example of this is the biggest company, Apple. Almost nothing they did was first. They weren’t the first PC. They weren’t the first smartphone. They weren’t the first MP3 player. There’s almost nothing they were first at.

We could go on all day looking at other market categories and see how rarely the founding or inventing company is even still relevant.

Twitter and TikTok can die very very swiftly and be replaced just as swiftly. TikTok itself is proof of that. Six years ago TikTok started with nothing and grew like wildfire. At any time something else can repeat that. Just takes luck.

1 Like

The network effect is so strong that the best way to gain the network is to “export” it from an existing network. Instagram got its start by people sharing their filtered images on Twitter, and gained users and followers for months until Twitter stopped letting Instagram share to Twitter with embedded images and instead just links.

Twitter is going through the same thing now with Substack. At least, I guess that’s what’s happening but I try to avoid Twitter drama these days.

Tangential. Anyone else turned off by Substack? I know a cool person could set up a blog there, but the whole place just gives me vibes like it’s… not cool people.

3 Likes

Substack covers the entire gamut of the internet, both left and right. I take them at the value of the web in find what you like, ignore what you don’t.

1 Like

Substack is just a blog platform, essentially no different than WordPress or any other. Every blog on there is independent of the others, so it’s not like it’s some toxic community. It feels wrong to try to blame the platform for the content that’s on there, as long as they moderate and choose not to host those who are truly vile.

That said, Substack has two key features. The e-mail newsletter feature and the subscribe for money feature. These aren’t unique to the platform, but they are on by default. Those two features are the reason that a writer would choose Substack over the other billion different blogging apps out there. They are also the features that will influence what kind of things the authors choose to publish there.

YouTube, Twitch, etc. have the capitalist incentive as well, but they don’t have nearly as many competitors. If you want to stream or upload video, there aren’t other choices. Doing it yourself is next to impossible for most people. Those platforms enjoy a mix of content. Some from those who are hustling and some from those who just need a way to share their audio/video content.

Substack has competition from the aforementioned billion different blogging apps. If someone does not have the capitalist incentive, there’s no reason to choose Substack. Such people will go elsewhere. And so what you get with Substack is much like how YouTube would be if the only people uploading were the people trying to hustle for likes and subscribes with all the sincere videos removed.

The end result is, if I see the substack domain in the URL my expectations and patience are greatly reduced, and most often justifiably so.

3 Likes