GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:56 JST

    If Elon's goal is to make it as easy as possible for foreign adversaries to spy on journalists and US politicians, then he's doing a fantastic job

    • Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:39 JST

      If the person(s) who wrote this announcement are actually in charge of security at Twitter, I guarantee that there are already several state-sponsored threat actors making themselves at home inside Twitter's systems - which makes the text-based 2FA move a pathetic attempt to squeeze $8 out of users for a false sense of security. This reads like someone asked Bing Search “What are the pros/cons of the various multi-factor authentication methods?”

      Amateur hour.

      https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

    • Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:42 JST

      TL;DR: Absent an alternative solution that he's yet to announce, Elon's move makes it more difficult for high-profile/high-value targets to secure their accounts. Elon's latest attempt to squeeze money out of Twitter users will end in a very predictable way: one or more high-profile accounts will get hacked. Let's hope that it won't be anyone whose life is endangered as a result (e.g. political exile, outspoken dissident).

      If you value your privacy, you should *not* be using Twitter. Full stop.

      Børge repeated this.
    • Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:45 JST

      The other option is something known as a passkey which is somewhere between a software and hardware token, but with zero-click exploits being used to install spyware on devices around the world, passkeys aren't that much better than text-based multi-factor authentication (that's my opinion, others are free to disagree)

    • Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:48 JST

      And, while many in the information security (InfoSec) space would love to see broader adoption of hardware-based multi-factor authentication (MFA), the fact of the matter is that usage across all industries is a paltry 4%*

      *according to one market analysis, see https://www.alliedmarketresearch.com/multi-factor-authentication-market-A13118

    • Jorge Caballero, MD (datadrivenmd@fedified.com)'s status on Saturday, 18-Feb-2023 20:34:52 JST

      Text-message multi-factor authentication (MFA) is less secure, but at least there's a virtual paper trail of when the codes were triggered. This is important because:
      1) Twitter only issues 1 software MFA token per account
      2) Many notable persons, especially politicians, have a team of social media managers that share access to a single account. Giving multiple people access to the MFA token's seed phrase increases the attack surface to DMs and other potentially sensitive information.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.