A lot of people (well, certain people) have been fussing about Twitter co-founder Jack Dorsey returning to the company as its new CEO. While I think he’ll easily be better than his predecessor Dick Costolo, I see no cause to celebrate.
The magic in Twitter has always been the connections between people and the ability to grow and connect communities of people. The Arab Spring is the most famous and impactful example of this, but “Black Twitter” is a more current illustration. It’s a large and decentralized community which is having a real impact on people’s lives through connection, cultural critique, and shining a light on police brutality via #BlackLivesMatter.
Today I followed a link posted by a friend from back when there were only a handful of us on Twitter. It was a collection of reactions of “Twitter influencers” to Jack’s return. They were all white, a couple were my friends. Responses ranged from “we’ll see” to “Jack is my BFF.” There was not a single concern raised. It should come as no surprise that all of the white, male CEOs of Twitter were hired by a board which is itself nearly all white men (with the exception of a few Asian men and one very powerful woman).
Twitter has been making moves to try to compete with media companies (and Facebook) by pushing big news and events, memes that trend via their mysterious algorithm, and celebrity tweeters. This ground has been covered and there will always be someone who does that better than them. Twitter’s unique value proposition is the ability to find and directly connect with real people who you don’t already know but who add value to your life. To be a participant in a movement (whether it’s for democracy or your favorite TV show) rather than just a consumer. I have rarely seen Twitter’s corporate policies show that they understand or appreciate this value. In addition, their continuing lack of interest in doing anything serious about the pervasive abuse of women online further shows that they just don’t care about us, the users that give their platform meaning.
So I wrote a few tweets about this, but it’s hard to convey the complexity and the importance of this in 140 characters so I wanted to expand in this blog post. If you share my concerns, I’d appreciate a retweet or other show of solidarity.
I have finally finished compiling my detailed timeline of how I got hacked and then unhacked myself. It includes the exact times that I received password reset messages, when I wrote to support, when they wrote back to help, when they gave me the finger, etc.
I’ve got it all in a spreadsheet. Now, how can I display this publicly? I’d love to make a timeline like this http://www.simile-widgets.org/timeline/ Or is there a Google widget I could connect to a Google Doc Spreadsheet?
This would also make great fodder for any reporter who wants to help people understand and avoid this, and/or to write about how shockingly unresponsive certain companies can be (cough, Twitter) when their own services are compromised.
So, on Monday I attended an historic protest at the North Carolina General Assembly. My phone was in-hand nearly the entire time (see goofy pic), as my main goal was documenting the civil disobedience and arrests of five elected officials from Orange County, NC. However, I found myself only able to retweet others from the Hootsuite app I use on my Android phone. I could post with other apps like Instagram, but my tweets (as @ruby and as @orangepolitics) just sat in Hootsuite’s outbox.
In the chaos of the day I chalked this up to the ongoing tangle left by last week’s hacking, so today while I was at a computer I made sure to fully authorize Hootsuite using the 2-step verification that I enabled for @ruby about a week ago. It seemed to work. This evening I tried again to use Hootsuite from my phone and found that I still can’t send from any of my Twitter accounts. So I asked @hootsuite, and amazingly, they said:
We are unable to guarantee full functionality with Twitter 2-step verification at this time. ^TF
Now I know that Twitter only enabled this feature less than 2 weeks ago, but here I am – a paying customer of Hootsuite (through work) – and now that I have enabled better security on ONE of my accounts, I can no longer post tweets from ANY of my accounts from my phone.
Amazed again that huge companies that rely on their web services don’t seem to care much about the security of their accounts. They should be pushing US (customers/products) to get more secure, not the other way around!
So right after my Twitter account was hacked I learned that Twitter had finally implemented 2-step authentication just days earlier. I have now turned it on, of course.
But the really gigantic part of getting hacked was losing control over my entire Dreamhost account including several websites, e-mail addresses, and domain names. Today I learned that Dreamhost also offers 2-step authentication. But they are not doing much to encourage people to use it. I Googled and was able to find these instructions and am so relieved to have this in place now.
I already had this enabled for Google and Facebook, but now that I’m looking at it, there are many other services that offer 2-step (a.k.a. 2-factor) authentication, including Dropbox and Paypal. LinkedIn just started using it this week. I’m a little annoyed that I had to go looking to find out about many of these.
So here’s my list so far of who supports 2-step:
Did I forget any? The best way to find out if your favorite web service supports this is to Google “2-step” and the name of the service.
I think this makes it pretty clear how seriously Twitter takes their security: The guy who hacked my account is still happily tweeting away about the latest social engineering methods and how it was my fault that he hacked into my personal accounts so he could try to sell @Ruby on hackerforum.net.
Better late than never, Twitter added two-step authentication for accounts last month, but it’s clear they aren’t really concerned about their users when they do nothing to help protect users like me or @Mat, even when we know people are targeting us, and let genuine security risks chill out indefinitely.
Please share this post if you agree that Twitter should take action against “Isolate” and any users who are known to have hacked other people’s Twitter accounts in the past.
I’m not going to post everything that has been going on yesterday and today (yet) as the hackers are reading my Tumblr. I have to share some amusing and quite public links.
Meet my hacker “Isolate.” This is the person who hacked most of my digital life so he could try to sell @ruby for $80. I alerted Twitter about his account over an hour ago. It’s obviously fine with them to hack other people’s accounts AND brag about it with their service.
Poor guy is concerned that I am giving some clueless teenager credit for his brilliant social engineering hack. Don’t worry d00d, it’s pretty obvious when you read the conversations at Hack Forums where Isolate first asks what it’s worth (the page has been removed, but I saved it), then trades it to —— J —— (Jacob Glickman) for a YouTube ID. Then —— J —— tries to sell it even though the other hackers are telling him that it belongs to someone else (me) and even tell him to read my Tumblr.
Jacob then contacted me offering to get me back the account. He even tried to get me to e-mail him by putting his address in my Twitter bio. Not only was it not his to give, he would never have been able to restore my posts and followers, as Twitter eventually rightfully did.
Here is the best of all, —— J —— now files a complaint against Isolate for ripping him off! Have fun, you guys!
Last night at about 12:30 am I recovered access to my web hosting account at Dreamhost. This contains personal and professional websites and e-mail accounts for me, and several former clients and employers. Importantly, this allowed me to get back the only address through which Twitter would talk to me.
So early this morning I was able to recover access to @ruby, hurrah. There’s a little bug where on my profile I have no followers nor following:
But on my followers page, I see all the correct numbers:
Hopefully this will all be cleared up soon. I cannot strongly enough express my gratitude to all the people that spoke out and even fought for me in the last couple of days.
Stay tuned for future posts about the losers who did this. I have some really funny e-mails and things to share.
I am back into my account! I think the social pressure helped, so thanks to EVERYONE who has been sharing my story.
Next up, restoring my Twitter profile, including the content. This looks promising:
A few people now have contacted me about the hacker forum where my Twitter name (with no tweets and no followers) is now available for the low, low price of $70!
You have to register on the forum to see it, but the URL is http://www.hackforums.net/showthread.php?tid=3508538 in case you’re curious.
My friend Christina actually logged in. She says the person selling it presents as a 17-year-old male from NY, and he says the person who hacked me traded the ID to him. Then my friend Jackson also logged in to the forum and took these amazing screenshots:
You don’t think you can do anything about this? Cause you’re not sure if the account maybe doesn’t belong to the person in control of it? Really???
Thanks to Travis C for the tip about the new Twitter bio.
In case anyone is curious, I’m not going to buy my own account back from some juvenile criminal. Twitter needs to do right and restore this account properly.