Original URL: http://www.theregister.co.uk/2009/01/12/dziuba_twitter_hack/

Web 2.0rhea hack mistaken for end of universe

Much aTwitter about nothing

By Ted Dziuba

Posted in Security, 12th January 2009 13:02 GMT

Fail and You

Kids these days. Used to be, when you were mad at your parents or your professors, you'd write an email worm in Visual Basic and spread it around via Outlook clients.

Hacks like that didn't take a lot of talent, but they had some comic value. As a tech person, it's entertaining to watch someone who's not savvy work a machine that they think is "infected with a virus." The more industrious evildoers wrote self-propagating worms that exploited vulnerabilities in common services, like the SQL Slammer worm that slowed internet traffic to a crawl on a Friday night when I was in college. Many of us nerds had to go outside and party instead of playing video games until 4AM. I know of several pregnancies that were a direct result of this vulnerability in Microsoft SQL Server.

Hell, even Hacked by Chinese was funny because it was so prolific.

But this generation's biggest accomplishment thus far is last week's hack on Twitter. After guessing the password to an administrative account with a dictionary attack, one hacker started handing out account credentials. Barack Obama, Britney Spears, Fox News, and several others were compromised, and the evildoers went so far as to post some fake messages to these accounts. Ph33r.

As a result, there's been no shortage of criticism for Twitter. Not having implemented any rate-limiting for login attempts, they kind of had this coming. As a pundit, though, I can tell you that making fun of Twitter's feeble attempt at engineering is pointless. Yes, Twitter failed, but that joke is old. What's far better? The collateral failure of the hackers and the media.

The hero of our story, an anonymous leet haxor, figured out that you could use curl and a text file of words to launch a dictionary attack against a web login form. This technique is far less advanced than the methods of yore: finding improper usage of strcpy and the like, coming up with executable shellcode, and figuring out the function return address memory offset. Back in the day, that shit was hard, so good hacks were generally reserved for people who really knew what they were doing. Incidentally, people who knew what they were doing usually had a plan for what to do after the hack was successful.

What happened to the next iteration of hackers? I blame generational pussification - things like the everybody-is-a-winner attitude and Coldplay are making our children soft. As the Twitter invader proves, it doesn't take much to be a "hacker" these days. Great fuckin' job, Mitnick. Give a kid a good asskicking and make him listen to Frank Zappa. He'll be able to dissect a stack frame.

Perhaps there's some leeway here: Twitter ain't exactly fortified. If you're going to impersonate Twitter users, come up with some better shit than posting “Breaking: Bill O Riley is gay” to the Fox News stream, and at least learn how to spell.

You can impersonate the President-elect of the United States and the best you can do is "get a free gas card"?

You can impersonate Britney Spears, and you tell us how her vagina has razor-sharp teeth? OK, that one was pretty inventive, but overall, fucking fail.

Microblogging as civil liberty

Perhaps the only upswing to this amateur display of hackery is how buttsore some people in the tech media got. Coming from outside of Silicon Valley, I know this can be hard to understand, but try to imagine a world where Twitter is the only communication medium. Twitter is so important that it should be nationalized (which, in fact, might be a good idea because the company can't seem to come up with a business plan other than raising more venture capital), and any intrusion into the microblogging platform is an intrusion on basic civil liberty. As a side note, in this world, hearing the word microblogging does not make your average person pray for a global Ebola pandemic.

Since you're reading about it here, there's a good chance that on Invasion Day, you were busy not caring about Twitter, but here in the Valley, it was pandemonium. The San Francisco airport was closed for two hours and all public transit was shut down until the situation could be righted.

Many bloggers were quick to offer their technical advice to Twitter, that throttling login attempts is a good thing. Others thought that this spelled the end for Twitter, because big companies won't want to risk their brand by having a presence on Twitter. Still others are confident that the authorities will step in to protect the world from this threat.
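The login throttling the bloggers are recommending (and the rate-limiting point made earlier in the column), as an added example that is not from the original column or from Twitter: a sliding-window lockout keyed per account and per client address, checked before the credential comparison. The policy numbers, the "admin" account, the wordlist and the IP addresses are constructed for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Policy values are constructed for this example, not Twitter's settings:
# MAX_FAILS failures within WINDOW seconds lock the key for LOCKOUT seconds.
WINDOW, MAX_FAILS, LOCKOUT = 60.0, 5, 300.0

class LoginThrottle:
    """Sliding-window failure counter keyed per account and per client IP."""
    def __init__(self, now=time.monotonic):
        self.now = now                     # injectable clock, for testing
        self.fails = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}             # key -> clock time when the lock ends

    def is_locked(self, key):
        return self.locked_until.get(key, 0.0) > self.now()

    def record_failure(self, *keys):
        t = self.now()
        for key in keys:
            q = self.fails[key]
            while q and t - q[0] > WINDOW:  # drop failures outside the window
                q.popleft()
            q.append(t)
            if len(q) >= MAX_FAILS:
                self.locked_until[key] = t + LOCKOUT

def attempt_login(throttle, users, ip, username, password):
    """Return 'locked', 'ok' or 'bad'; a locked key rejects even the right password."""
    if throttle.is_locked(f"ip:{ip}") or throttle.is_locked(f"user:{username}"):
        return "locked"
    stored = users.get(username, "")
    # compare_digest avoids leaking the match length through timing; a real
    # store would hold password hashes, plaintext here keeps the example short
    if username in users and secrets.compare_digest(stored.encode(), password.encode()):
        return "ok"
    throttle.record_failure(f"ip:{ip}", f"user:{username}")
    return "bad"

def replay_wordlist(wordlist, real_password, ip="203.0.113.9"):
    """Replay a constructed wordlist against one account and tally the outcomes."""
    users = {"admin": real_password}
    throttle = LoginThrottle()
    tally = {"ok": 0, "bad": 0, "locked": 0}
    for guess in wordlist:
        tally[attempt_login(throttle, users, ip, "admin", guess)] += 1
    return tally
```

Locking per account as well as per address is what stops a guess run from simply rotating source addresses, but it also lets anyone lock a known account out by failing on purpose, so production systems usually escalate to a CAPTCHA step or a notification before a hard lock.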

It's really unfortunate there are people who care so much about Twitter. (Personally, I blame marijuana: it's easier to get and more popular than LSD – and it still allows you to have an opinion about something.) What's best is that the San Francisco rules dictate that the police are able to resolve any situation where somebody has wronged you. TechCrunch failer-in-chief Mike Arrington is confident that arrests will be made.

San Francisco police actually care about Twitter's problems and are, I'm sure, eager to investigate the intrusion. Yes, that borderline-alcoholic detective who ends up eating his gun over a bitter divorce and ensuing custody battle stemming from the psychological damage he suffers at work is going to get right on the case. Indictments are coming any day now. Any day.

What is certain is that the rest of the world will press on - until another hacker breaks into Facebook and lists Barack Obama as "its complicated" with Britney Spears. Or maybe the evil geniuses will crack YouTube and, in a demonstration of original comedic thought, redirect every video to a copy of "Never gonna give you up" by Rick Astley. Ho, that would be quite funny. Whatever it ends up being, the Valley media will have a say in the matter. And by "have a say in the matter," I mean "put space between the ads".

Fuck, the internet got lame. I've tried programming Ruby on Rails, following TechCrunch in my RSS reader, and drinking absinthe. It doesn't work. I'm going back to C, Hunter S. Thompson, and cheap whiskey. ®

Apology

When originally published, this column contained two references to Down's Syndrome that were in poor taste. We have removed them. And we apologize for any offense this may have caused.

Ted Dziuba is a co-founder at Milo.com You can read his regular Reg column, Fail and You, every other Monday.