I'm very heartened by Twitter taking this approach to protect their users, but it comes about a week after I was very disappointed by the process of signing up for a Twitter account through Tor. I wanted an account that wasn't linked to me personally -- it was at least partially an experiment in anonymity, but it failed completely when Twitter blocked my signup until I provided a verifiable phone number.
Twitter denies this in the article, of course:
>(Twitter has denied blocking Tor. In September, Twitter spokesperson Nu Wexler told Motherboard, “Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.”)
I get why they want to keep suspicious actors out of their ecosystem, but the only suspicious thing I did was try to be anonymous. If protecting people from "state-sponsored attack" was actually a priority, they'd figure out ways to enable people to protect themselves.
If you used tor then your IP came out of a Tor exit node, which is almost certainly associated with someone else's concurrent bad/spammy behavior. How could they know your aren't the bad guy?
You can get an anonymous phone number in the US by buying a prepaid cellphone. Last I tried Tracphone for example the only piece of information you needed to give them to activate the phone was a zip code (which could be any zip code you choose) which was used to pick an appropriate area code for your assigned phone number. Entry level models were about $10. This was several years ago.
I imagine the challenge is that there are plenty of people who would use Tor to create hundreds, if not thousands accounts not personally linked to them, if they are able.
Whereas if you wanted just one anonymous Twitter account badly enough, you could get a burner prepaid cell phone using cash (make sure to not turn it on at home or at work).
Get some Bitcoin. Use mixing services in Whonix instances to anonymize them. Lease a VPS via Tor, paying with anonymized Bitcoin. Install Tor on the VPS, and setup an OpenVPN server (TCP mode) as an onion service. Connect to the VPN in Whonix. Now you have a private pseudonymous IP to use for Twitter etc. Enjoy.
Twitter's statement is consistent with your experience, given the empirical reality that Tor IPs generally "exhibit spam-like behavior" way more often than the average Internet user's IP. Note that Twitter's statement says nothing about anonymity as an end-to-end goal, only the technical ability to use Tor. And, as always, you can buy a burner phone.
What would a good solution for this be? Any anonymous proxy would quickly be used by people who want to spam Twitter. (So, among other things, this means that Twitter running a hidden service isn't directly useful.) Could a proof-of-work or rate-limiting system allow building a proxy that couldn't be practically used by spammers?
I believe all accounts require a phone number to verify, and that number can only be used once. Certainly I've always had it from any machine I've tried to sign up from for the past year and a half when attempting to create accounts for testing with.
Isn't this phone verification for all new accounts anyway these days? Regardless of your ip/tor/vpn? For sure it is when you want to get an api key - boohoo.
It seems that working publicly on information privacy tools (and especially the Tor Project) increasingly makes you a target for nation-state-level adversaries. I'm very curious who the actor was, and what they expected to gain of value from Twitter accounts.
I find it extremely unlikely for this attack to have been perpetrated by the United States; after all, Twitter is an American company and a three-letter could just NSL them for the data they wanted on these "activists".
I received one of these alerts from Gmail years ago, and frankly... it was completely useless to me.
Telling someone they're being attacked doesn't provide much value, what are you supposed to do? I ended up wasting loads of time going through all of my account logs and searching through months worth of emails trying to find signs of this supposed attack... and discovered nothing at all.
Although, props to twitter for recommending Tor. That's significantly better than nothing, although of little use since you are in for a bad time trying to use twitter over Tor.
Don't assume twitter, or any other gateway centralized websites, is trustworthy. For example, they could have been gamed into putting pressure on a selection of people, diverting their mind from their activities.
What I'm saying is that to consider the larger and deeper than the framed picture.
Attribution is generally hard in these types of things, and some guy with IR experience can probably explain more than I can.
However, some of these attack groups follow specific patterns, use specific IP addresses, domains, emails, etc. because there is no real consequence to them doing so. Kaspersky, Mandiant et al [1] often have great writeups on these types of things that are often posted to their own blogs and to netsec-related mailing lists that show some of these common attack patterns.
On top of this, Twitter could have been tipped off by law enforcement or intelligence.
I think it's really neat how they put the article together so that, by the end, it makes this sound like a revival of COINTELPRO despite a total and complete absence of anything even remotely resembling evidence in that direction.
[+] [-] rev_bird|10 years ago|reply
Twitter denies this in the article, of course:
>(Twitter has denied blocking Tor. In September, Twitter spokesperson Nu Wexler told Motherboard, “Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.”)
I get why they want to keep suspicious actors out of their ecosystem, but the only suspicious thing I did was try to be anonymous. If protecting people from "state-sponsored attack" was actually a priority, they'd figure out ways to enable people to protect themselves.
[+] [-] damienkatz|10 years ago|reply
[+] [-] pmorici|10 years ago|reply
[+] [-] cbhl|10 years ago|reply
Whereas if you wanted just one anonymous Twitter account badly enough, you could get a burner prepaid cell phone using cash (make sure to not turn it on at home or at work).
[+] [-] mirimir|10 years ago|reply
[+] [-] geofft|10 years ago|reply
What would a good solution for this be? Any anonymous proxy would quickly be used by people who want to spam Twitter. (So, among other things, this means that Twitter running a hidden service isn't directly useful.) Could a proof-of-work or rate-limiting system allow building a proxy that couldn't be practically used by spammers?
How does Facebook deal with this problem?
[+] [-] mnem|10 years ago|reply
[+] [-] limeyy|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] brianbreslin|10 years ago|reply
[+] [-] adrtessier|10 years ago|reply
I find it extremely unlikely for this attack to have been perpetrated by the United States; after all, Twitter is an American company and a three-letter could just NSL them for the data they wanted on these "activists".
[+] [-] ryanlol|10 years ago|reply
I received one of these alerts from Gmail years ago, and frankly... it was completely useless to me.
Telling someone they're being attacked doesn't provide much value, what are you supposed to do? I ended up wasting loads of time going through all of my account logs and searching through months worth of emails trying to find signs of this supposed attack... and discovered nothing at all.
Although, props to twitter for recommending Tor. That's significantly better than nothing, although of little use since you are in for a bad time trying to use twitter over Tor.
[+] [-] anotheryou|10 years ago|reply
I got the notification too, it was around the time protests in turkey heated up for the first time.
[+] [-] theGimp|10 years ago|reply
I see this as nothing but positive. Could it be better? Sure, but what can't be better.
Kudos to the Twitter team for doing what's right rather than what's easy. Here's hoping others will follow your lead.
[+] [-] bigbugbag|10 years ago|reply
What I'm saying is that to consider the larger and deeper than the framed picture.
[+] [-] comboy|10 years ago|reply
[+] [-] adrtessier|10 years ago|reply
However, some of these attack groups follow specific patterns, use specific IP addresses, domains, emails, etc. because there is no real consequence to them doing so. Kaspersky, Mandiant et al [1] often have great writeups on these types of things that are often posted to their own blogs and to netsec-related mailing lists that show some of these common attack patterns.
On top of this, Twitter could have been tipped off by law enforcement or intelligence.
[1] http://www.mandiant.com/apt1
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] crb3|10 years ago|reply
[+] [-] aaronem|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] rajacombinator|10 years ago|reply
[+] [-] unusximmortalis|10 years ago|reply
[+] [-] fiatjaf|10 years ago|reply
[+] [-] airza|10 years ago|reply