Twitter down; hacked by "Iranian cyber army"? (techcrunch.com)
130 points by seldo on Dec 18, 2009 | 89 comments



My Farsi sucks (non-existent) but I can understand the text at the bottom of the following image to mean: "This is a warning to the United States for interfering with our internal matters".

The rest is a scripture quote ("The partisans of God shall prevail", or literally, "Hezbollah will win" ;-) and what seems like a stanza from a nationalist poem.

http://1.bp.blogspot.com/_xpwq_Sv0p98/SysgktMZ9fI/AAAAAAAAAq...


It actually reads:

In the name of God.

I, as an Iranian, hack (deface) this website in response to the wrongdoings of this service provider which are commanded by U.S. governors.


I am only an Arabic speaker; this is what I see:

"Banam Khuda

Beh Inwan Eik Irani dur basikh dakhalat hai shatanat Aamiz ai sarwis dahunda beh dastur maqat Amrika'i dur amur dakhili kashrum.

Aain sait beh `inwan hashadir hek ma shod"

I just parsed out whatever seemed most Arabic-like; and that is "Amrika dur amur dakhili" ;-)


If it was indeed a DNS attack, Twitter is damn lucky it was just a defacement (assuming it was just a defacement). The attackers very easily could have phished anyone who logged in on twitter.com without https.

Even worse, any Twitter client which used Basic Auth without SSL would silently be compromising people's passwords when they auto-refreshed.


On second thought, http://blog.twitter.com/2009/12/dns-disruption.html says twitter.com was redirected, yet the API still worked.

Since the API uses the twitter.com domain name, unless I'm missing something the only way that's possible is if the API was being man-in-the-middled.

Something doesn't add up.


Probably cached DNS. A lot of providers extend the TTL, despite what you have it set at.


A lot of providers extend the TTL, despite what you have it set at.

...which is very annoying when you're moving a business site. :/


Indeed. But the user's ISP is the problem, so technically you are not to blame.


Technically true, but it doesn't stop my client from being upset that their user claims my client's site is down. :)


Indeed. If your site is down because of the user's error, but they can still get to your competitor's site, then that's bad for you. It might not be your fault, but you still missed out on a potential sale.

All I can say is that I am glad I do not make money from the availability of websites :)


I'm glad that I don't (directly) any more, either. :)


on third thought

http://apiwiki.twitter.com/Things-Every-Developer-Should-Kno....

Post a status update and get the resulting status back as JSON: curl -u username:password -d status="your message here" http://twitter.com/statuses/update.json

what it doesn't tell you is that it sends the pw in the clear (unless you count base64 as crypto!)
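Added example, not from the thread or from Twitter's API docs: what the curl call above actually puts on the wire (a constructed request with made-up credentials), a defender-side audit that flags Basic credentials sent on a non-TLS transport (the auto-refreshing-client case raised earlier in the thread), and a client guard that refuses to attach them to anything but an https URL.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample of what `curl -u alice:hunter2 -d status=... http://twitter.com/...`
# sends (made-up credentials; the request shape is ordinary HTTP/1.1).
SAMPLE_REQUEST = (
    "POST /statuses/update.json HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "status=your+message+here"
)


def parse_headers(raw):
    """Return the request headers as a dict keyed by lowercase header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_auth_user(raw):
    """If the request carries HTTP Basic credentials, return only the user name.

    Basic auth is base64 of 'user:password', not encryption: whoever receives
    the bytes (a host reached through hijacked DNS included) reads the password.
    """
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token).decode("utf-8", "replace")
    return decoded.split(":", 1)[0]


def audit_request(raw, over_tls):
    """Classify a captured request: are credentials exposed to the network?"""
    user = basic_auth_user(raw)
    if user is None:
        return "no-credentials"
    return "protected" if over_tls else f"exposed:{user}"


def build_auth_header(url, user, password):
    """Client-side guard: attach Basic credentials only to an https URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials without TLS: " + url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

The guard only moves the problem to certificate validation: https with an unchecked certificate is what the replies below are about.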


From a user's viewpoint, how would you protect against a similar attack?


Use SSL. Make sure the cert is valid. And hope nobody comes up with yet-another SSL vuln. [edit] And hope that they haven't gotten a new valid cert by hijacking mail for the domain, too. [edit] Or, hard-code the domains and IPs in your hosts file.


dns fail == ssl CA fail

It's easy to obtain a free but legal CA if you have control of a DNS. Only very few users would notice the change via the hash. Even your browser's SSL detection wouldn't yell anything.


... which is something I hate about most browsers. Why don't they cache the cert indefinitely and wave a big red flag any time it changes at all? The occasional false alarm due to renewal would be a fair cost for the gain of more notice of unauthorized changes.


When a browser pops up too many false-alarm warnings like that, users start to regard the browser as broken.

And given that commercial certs change fairly frequently (they expire every year or two, in most cases), you would have a lot of false alarms for each actual DNS hijacking. The vast majority of the times users saw such a message would be for the wrong reasons, and they'd be well-trained to ignore it by the time an actual hijack attempt caused it to display.

Also, consider the case of multiple HTTPS servers, each with its own valid server certificate, in round-robin configuration, serving the same domain. Each time a user went from one server to another, the cert would change (but still be valid). They'd get errors all the time -- and my understanding is that this setup (separate certs and private keys for each server, rather than copying the same cert and private key across multiple machines) is considered best practice.

The real problem is that CA-based security relies on the CAs to not hand out certificates stupidly. Yet that's exactly what they do, when they use DNS (in the form of MX records, by sending email) to verify ownership of a site and issue a valid certificate.

You're correct that browser developers have the power here, but their power lies in threatening to drop shady CAs from the trusted root list (which would put a CA instantly out of business -- if your certs cause errors in a major browser, you're dead meat as a CA), not building in more warnings that will just give users bad habits.

IMO, any CA that is doing domain "verification" via DNS records (rather than going through WHOIS or, better yet, the domain's registrar and contacting the domain's owner of record) ought to be dumped from the trusted root list.

There needs to be a much stricter auditing and enforcement/removal system for bad and sloppy, lazy CAs. They are supposed to be the keystone of X.509 PKI, but in reality strike me as being closer to its Achilles' heel.
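Added example, not from anyone in the thread: a small trust-on-first-use pin store that replays the cases argued above (a yearly renewal, round-robin servers with separate key pairs, and a valid certificate issued to a hijacker's key), using constructed certificate records rather than real X.509 data. It also shows the variant of pinning the public key (SPKI) instead of the whole certificate, which removes the renewal false alarm whenever the key pair is kept.

```python
import hashlib

# Constructed stand-ins for what a browser sees per TLS connection: a certificate
# (identified here by serial) carrying a public key. Not real X.509 objects.
def cert(serial, spki):
    der = f"cert:{serial}:".encode() + spki
    return {"fingerprint": hashlib.sha256(der).hexdigest(),
            "spki_hash": hashlib.sha256(spki).hexdigest()}

KEY_A = b"server-key-A"      # primary server's key pair
KEY_B = b"server-key-B"      # second round-robin host with its own key pair
KEY_X = b"hijacker-key"      # key behind a cert issued after a DNS/MX hijack


class PinStore:
    """Trust-on-first-use store of what a host presented before.

    mode='cert' pins the whole certificate (the scheme proposed above);
    mode='spki' pins only the public key, so a renewal that keeps the key
    is silent while any other key still alarms.
    """
    def __init__(self, mode="spki"):
        self.mode = mode
        self.seen = {}          # host -> set of accepted pins

    def _pin(self, c):
        return c["fingerprint"] if self.mode == "cert" else c["spki_hash"]

    def check(self, host, c):
        pin = self._pin(c)
        known = self.seen.setdefault(host, set())
        if not known:
            known.add(pin)
            return "first-use"
        return "ok" if pin in known else "CHANGED"

    def accept(self, host, c):
        """Operator explicitly trusts an additional pin (a known second server)."""
        self.seen.setdefault(host, set()).add(self._pin(c))


def simulate(mode):
    """Replay the thread's scenarios for one pinning mode; return each verdict."""
    store, host = PinStore(mode), "twitter.com"
    verdicts = [
        store.check(host, cert(1, KEY_A)),   # first visit
        store.check(host, cert(2, KEY_A)),   # yearly renewal, same key pair
        store.check(host, cert(3, KEY_B)),   # round-robin hit on second server
    ]
    store.accept(host, cert(3, KEY_B))       # ops pin both servers' keys
    verdicts.append(store.check(host, cert(3, KEY_B)))
    verdicts.append(store.check(host, cert(4, KEY_X)))   # hijacker's valid cert
    return verdicts
```

The two modes differ only at the renewal step; the round-robin false alarm survives in both until the second key is pinned, which is the operational cost the reply above points at.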


Normal Internet users know shit about SSL and stuff. Perhaps they would call the broadband company when they saw that.

I always think browsers should be developed in two versions and can be switched by one key, one like MSN Explorer, one for advanced geeks with a console.


True story: the ISP I use was acquired by Tiscali and shortly afterwards their cert expired. I called them up to tell them and they told me to turn my anti-virus software off and try again.


Just to clarify: they could obtain a new valid cert by redirecting the MX to their own mail server and requesting a new one via e-mail, right? Or is there another way?


Yes, that's how it works.

No other ways, right?


Because the best way to destroy the Great Satan is to keep people from reading about what I ate for breakfast.


Comments like yours are just so tired. Not only does the stream of seemingly trivial information accumulate into an intimate portrait of the lives of your friends, but twitter, facebook, and other services were used to straight up protest a sham election in a totalitarian state.

What the fuck else do you want to see twitter do before you think twice about one line joke comments that hurt this community?


Really, the one-liners are a reaction to the inflated importance people assign to a service which, to my best knowledge, doesn't even have any real plan to make a sustainable amount of money. Would a serious cyber-terrorist really choose Twitter to establish themselves as a credible threat?

I'd argue that the lampooning of such breathless awe, far from being some malevolent outside influence which is "hurting" the community, is a part of the community.


Sorry, your comment wasn't witty or original. Sniping, contentless comments don't belong here, and I'm surprised you're even disagreeing. It's plain to see your comment wasn't additive.

Twitter is making many millions from their search deals. They may not be worth a billion dollars, but I'd bet with the current business configuration, they could become profitable if they focused on it.

What part of "we're focusing on product and growth, not on making money" is hard to understand? Do you not believe them? Think they're actually pushing out ad sales and content licensing as hard as they can? Or, more likely, you're just ignorant of how their business is actually run. Ignorance is actually a generous term - you might know they're already making money and willfully ignore it.

I actually agree that twitter's image is inflated. But the US government was the first to make a move here. They didn't ask facebook to try to stay up (they didn't need to). I think this response by cyber terrorists (if it isn't some teenager in Ohio) is rational.

It isn't what you were saying that I reacted to particularly, but how you said it. It would be the equivalent to my just responding "you're obviously an idiot who doesn't know anything about twitter".


Mmmm, delicious flamebait. Without wasting too much time, I'll just point out that such a severe response to a throwaway joke only underscores the original point I was making.


"To the best of your knowledge" just means you haven't bothered to find out.


For all the money invested in twitter and all the people backing it you would think it would have high enough security measures that this couldn't happen.

Or at the very least they would be monitoring for such intrusions and be able to stop them quickly.


Security is expensive.

How long did this last anyway?


The good news for Twitter is that I keep wanting to go to Twitter to get the latest news on this hacking. They're my go-to source for breaking news.


Yeah, I have no idea how to tell my friends what's going on or find out if they've heard anything without twitter. I've taken to randomly IMing people.


I suggest that you should let them know "Twitter got hacked" via http://identi.ca next time ;-)


I came to know about Twitter hack via FriendFeed.


BBC. I never go to Twitter.com, I use Tweetie.


That's kind of sad. You can't call people? You can't email them?


"call" people? What do you mean? I thought you could only call methods.


He must mean instantiate. Personally it's one of the best things I've ever done. I recommend creating a subclass and overloading some of the methods though, particularly spew() and crap().

You might want to mess with a dummy object first to practise instantiating without producing any person objects.


For me it's the exact opposite. If I use twitter I can assume by default it will be checked less frequently than email, so this would be the slowest way to get my message across, if it gets across at all.


API is down, as well. Looks like this isn't just the front page/web layer.

Twitter need to really step up: I can't imagine this is something that couldn't have been prevented by paying for some security analysis. Considering their total $155M of funding, I'm shocked this wasn't done. Between their continuing difficulty scaling, their private documents leak, and now this, twitter really needs to get their act together.


I wouldn't be surprised if Twitter intentionally disconnected their servers after discovering the defacement, rather than the hackers having actually gained access to the whole API layer.


Yeah, if I found my boxes had been so totally owned that they could serve arbitrary content I'd take everything down to protect customers, at least in the very short term.

Poor Twitter ops; I'm sure they're having a great evening.


I'm pretty sure you meant "had been so totally pwned". This is the most serious, total pwnage I've ever seen on the tubes.


Exactly, in a case like this I'd be pulling Ethernet cables and decomposing the issue without the rest of the Internet seeing the carnage. Regardless, this is bad.


I don't know how many servers twitter has but common sense dictates it's more than would be practical to pull Ethernet cables from in any reasonable amount of time.


Yank the fiber? That'll do it ;)


Let's wait to see what happened first (if they'll tell us).


Reddit comment suggesting it was a DNS hack:

http://www.reddit.com/r/reddit.com/comments/ag0gn/twitter_ha...


Official Twitter blog confirming it was a DNS hack: http://status.twitter.com/post/288586541/working-on-site-out...

Of course, if their DNS was compromised, status.twitter.com could be compromised too...



Interesting to note that the favicon is still there. If it was a DNS attack, you would assume it wouldn't be there (unless the attackers put it on their box, which seems not very likely).

Given that and the speed at which the service recovered, I'm going to say it does not seem like a DNS attack.


Couldn't the favicon be there just because it was previously cached in the browser?


Very possibly. But AFAIR IE is the only notoriously favicon caching browser, the rest of them do a good job of updating it often. And the favicon is showing up in multiple screenshots on both FF and Chrome.


IIRC twitter images are served from S3, so probably just a different dns?


The Google index isn't rebuilt in real time. There was a higher frequency for the phrase "indian cyber army" before this incident.


I laughed when I read this article was retweeted 7 times.


I think they are up again. It is working for me at least.


mawjcamp.org is an Iranian reformist website based outside of Iran.


You know, this is just a thought, but this may have nothing to do with Iran at its root. Intellectual honesty requires me to admit that I have absolutely no hard data to back this up, but please hear me out.

Many people have been wondering, 'Hey, who are these DST guys that are continuously going long on Facebook at ridiculous valuations?'

'They even let employees at places like Facebook and Zynga cash out early!'

'Gosh, Russian businessmen must be nice.'

Now if I had large sums of money that I wanted laundered, the method right up there at the top of my list is a venture capital firm investing exclusively in overseas assets. Money is laundered via profitable exits on investments in foreign countries. In fact, strictly speaking, the exit does not even have to be profitable.

Unless you are greedy.

Which brings me back to Russian businessmen. Accusing anyone of anything is not the intention here, but a word of caution to Silicon Valley is in order. In Russia, business is a game played in somewhat less cordial a fashion. Also keep in mind that in Russia . . . you stab with a borrowed knife.

I think we can expect many more attacks on Twitter. From hackers claiming to be 'Chinese', 'Iranian' or 'North Korean'.


I'd put much higher odds on this being some disgruntled teen, who may or may not be Persian and may or may not be in Iran -- you know, like 99.9% of website defacements.

Do you really think the focus of a cyber ops campaign or anti-competitive campaign would be ... to put a stupid message on Twitter's website? There are no doubt cyber ops teams in foreign (and domestic, naturally) intelligence, but they don't waste their time on shit like this.


Well, #iranelection was the #1 most popular news topic on Twitter in 2009, according to their blog (http://blog.twitter.com/search/label/2009), so there is an actual motive available.


Regardless of the presence of motive, the execution (i.e. juvenile website defacement) doesn't exactly imply high-level cyber ops. And an easily fixed DNS hijack isn't really going to "take twitter out of commission" or whatever the purpose of this supposed cyber attack would be.


I liked the "take care" part at the end.


Hm, the twitter api wiki has a different opinion: http://apiwiki.twitter.com/FAQ#IstheTwitterAPIdown

"Is the Twitter API down? Not likely: Twitter hasn't had more than a couple minutes of downtime in a while. Requests may lag from time to time, but chances are pretty good we're not down."



As of 11.06pm, it's back for me.



This will definitely be interesting to see how it unfolds. Does anyone know if the SMS messaging infrastructure is still working? Is this just limited to the Web interface? Is api.twitter.com still up?

I'll be watching http://groups.google.com/group/twitter-development-talk?pli=... for interesting comments


All of their web APIs are down (for me).





#fail, it says no but should say yes


Well, the site isn't running tests to see if the site that we think of as twitter is up, just whether something is responding at that web address, which, if you're seeing the iranian thing, it is.

Looks like Twitter just took down the entire front page though. Going to be a late night in California...


Except that when I ran the test the site was not responding, and many other services like http://downforeveryoneorjustme.com/ were telling me that the website was down for everybody.


If it was a DNS attack and redirect, then what was the redirected IP?


Twitter search is now broken

"Older tweets are temporarily unavailable."

where older seems to be > 8 days


first they hacked our drones, now they hacked twitter...is Google next?

Can you even fathom Google getting hacked?


To be fair, it's not clear how hard it is to hack twitter. The site falls over all the time all by itself.

Granted, they briefly managed to serve some content as twitter, so it does look like a genuine hack rather than merely a DDoS or something.

[edit] TechCrunch is reporting it's a DNS redirection attack, so their machines were probably never compromised (your password is safe). It also probably means the site will not be back up for a while, as it will take time for the DNS to propagate everywhere even after they fix it.

[edit 2] ...aaaand it came back up 3 seconds later.


I don't think we can claim that "our passwords are safe". What about twitter clients that store your password to fetch your tweets automatically?

Wouldn't they be posting your account password to http://twitter.com, or does twitter only use HTTPS? If there is any way to login using standard HTTP, the same server that is used to deface the website can be collecting tons of user credentials.

And even if twitter uses only HTTPS, what's the policy of twitter clients in regard to bad certificates?


first they hacked our drones, now they hacked twitter

Who is "they"? The drones were hacked by the Taliban, twitter by the Iranian Cyber Army.


The Drones were not "hacked" - they were listened to.


Go ahead and descramble your cable signal, you will be charged with "hacking". I was just going by the sensationalist label of the act given to it by law-enforcement, media and the political "establishment".

Similar dilution of the term occurs here on a daily basis.


The drone signals were not scrambled. So it seems to me that you're diluting the term too far.


Actually, the current understanding is that the drones were hacked by insurgents specifically funded by the Iranians, so...

I don't even like the idea of microblogging, so to me this is about as big of news as hearing that the IRA managed to bomb a backyard chicken coop.

ed: didn't mean hacked, I know it was just a matter of listening to the data feed, not actually doing anything to the drone.


Can we hire the Iranian Cyber Army to hack Facebook and restore some of the privacy controls?


Google seems to think that it was someone else according to their Search:

http://i.imgur.com/xDTET.png

(Iranian Cyber Army -> Indian Cyber Army)


Can we all comfortably step off of the Twitter bandwagon now that it has lost momentum? I promise, nobody will get hurt.


Why do you say the Twitter Bandwagon has lost momentum?


Compete, Quantcast and Alexa:

http://siteanalytics.compete.com/twitter.com/

http://www.quantcast.com/twitter.com

http://www.alexa.com/siteinfo/twitter.com

But with all the new deals they got, they are probably going to restart growing soon. And of course there are lies, damn lies and web-statistics-selling companies.



