About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve » Developers Workshop

Twitter's Holy Bug Story (2)

Quite the story. Lots of holes. Hit the road, Jack.

Get It

Try It

DONKEYTOWN (Rixstep) — The furore over this past week's revelations about Twitter's dodgy activities has mostly died down, and Jack and his friends must be very grateful.

[Click here for part one in this series.]

Now a look at what technologies were in place at Twitter, then a look at what may be behind it all.


Twitter used cryptographic algorithms from the OpenBSD project. OpenBSD, founded by Theo de Raadt, is the perhaps most secure Unix project going, where the word 'bulletproof' often comes to mind.

bcrypt was first presented at the 1999 USENIX conference, in a paper entitled 'A Future-Adaptable Password Scheme', submitted by Niels Provos and David Mazières.


The advantage of bcrypt over previous systems was that it had 'adjustable cost', where 'cost' is the time and expense needed to encrypt (or crack). Previous systems had a static cost, but bcrypt's could be scaled upwards as computer hardware and cracking methods improved.

The paper is not at all hard to understand.

And, in all respects, the analysis from the previous article, here, an analysis shared by most who've commented, stands. For there's simply no conceivable way a 'glitch' like that could have happened. And no, for the umpteenth time, it was not a 'glitch'. And certainly not an accident either.

The questions remain: why do such a thing, and how carry it out?

Kim Dotcom

Kim knows what he's talking about. And, like most people who aren't asleep all their lives, he wants answers.

Kim also has an online poll about his proposal for class action:


User '@Calikid2017' asks a very relevant question right from the get-go, namely how many users are afraid to respond, due to possible retaliation by the Twitter of Jack Dorsey?

For Twitter has certainly (and dramatically) changed under him, most noticeably in the 2016 election campaign and now onward. Corporations are supposed to remain nonpartisan and apolitical for their own good. Jack Dorsey seems so obsessed that he can't keep that in mind.

To get an appreciation for just how 'out of touch' Jack Dorsey is, check this tweet of his, pinned since 1 March this year. Check the tweet, then check the comments. They slaughter him.

Consider - and this is but a teaser:

  • Milo (@Nero) was 'unverified', then permanently banned, on a pretense.
  • Julian Assange (yes the Julian Assange) was told explicitly he would not get a 'verified' tag from Jack.
  • Jack lets Assange troll accounts proliferate to further dilute Julian's 'impact' at the site.
  • Remember what Project Veritas revealed only this year - how staff at Twitter admit they engage in the controversial 'shadow banning', and how they have teams that pry into people's private messages.
  • Jack suspended Courtney Love because she'd filed a lawsuit against Twitter.
  • Guccifer 2.0 was suspended for posting info on the DNC.
  • PewDiePie was suspended when he joked about being a member of ISIS.
  • Alt-right accounts have been banned 'en masse', whilst openly jihadi accounts thrive.
  • President Donald J Trump was suspended by a member of Twitter staff they cutely describe as 'rogue'. (But how many in Jack's company can flick that switch?)
  • Swedish NMR - which no one frankly likes. But as the great Sakine Madone has pointed out on more than one occasion: 'censorship is not the answer'. Jack rubbed 'em out.
  • The three Rixstep Twitter accounts, the third of which Twitter staff set up a year ago, two of which were dormant, were suspended simultaneously, two permanently, after responding to a poll on the credibility of the official 'Skripal narrative'.
  • Twitter allegedly censored Occupy Wall Street (see link below).

What's It All About?

Although it's clear the Twitter privacy breach was not a 'hack', and not a 'glitch', it's not clear what it's all about. Kim has a few suggestions.


'We can only speculate why @twitter proactively admitted that they stored user passwords in clear text. A threat from a former employee? A pending lawsuit? Another imminent NSA leak? We don't know, yet. What we can all agree on is that this wasn't an 'error' or an honest mistake.'

Or it was done intentionally, on orders from the top, but something got out of hand, and the 'log' got 'into the wild'?

For how do they explain having this log 'for several months' yet never noticing what was happening? They have a log THAT BIG and no one even looks at it? And what precisely were they logging? All login attempts? Over several months? Do they have enough secondary storage for that? The boggle minds.

David Razin has a scary theory:


'A careless (or altruistic) employee deleted the log, so they lost everyone's password...the easiest and quickest way to rebuild it was to activate logging and tell all users to update their passwords.'

Kim's original suspicion was that it was done for the NSA, but, barring additional intrusions, this may have been difficult.

Many Twitter users have witnessed how they're at times asked for their contact email address, something done normally if the Twitter servers see a connection from a radically different IP range. Rogue actors logging into the accounts of unsuspecting users could of course cause this. But the same would have to apply for the rogue actors when they want to access the accounts - unless of course Twitter could change the code somewhat.

But putting together a database of 330 million users, and complementing it with their login passwords, is not at all impossible. But it takes time - a lot of time.

The Inquisitr piece, linked below, is worth a read, although there are a few misrepresentations. Such as:

'The revelation surprised many (especially tech experts) since storing user passwords unmasked in plain text means that all of the Twitter passwords were not being encrypted.'

That can't be a techie writing that. Passwords aren't masked or unmasked, whatever that's supposed to mean. It's not like the 'dots' you see over a password entry field. And the 'encryption' isn't really encryption either: it's a message digest, a number of fixed length (no matter the length of the input password) that's hopefully unique and consistent. The unencrypted password is useless on the remote system - it's only the encrypted version that's of any benefit, which makes it all remarkable that Twitter could even have that data for a 'legit' purpose.

'Any malicious hackers which may have known about the Twitter password 'bug' could have hacked any of the accounts owned by the 330 million or so Twitter users throughout the world.'

Uh... NO. It's NOT a bug. Again: it's NOT a bug. And none of this, ceteris paribus, was exposed to the Internet. It's a log file.

So why make the announcement? The farther out theory is they wanted passwords. Twitter can already see everything. Given a few chops, they could make it possible for other players to see everything too. If the NSA can see everything on Facebook from a cable in Bude...

Clay Haynes

Then there was that Twitter senior network security engineer talking to Project Veritas a while back, when he said:

'What we can do on our side is actually very terrifying. We have full access to every single person's account, every single direct message, deleted direct messages, deleted tweets. I can tell you who exactly logged in from where, what username and password, when they changed their password. It's very, very dangerous. Also, very, very, very creepy. Big Brother-ish.'

Jack Dorsey

Kit Dotcom is right. Users need answers. They also need a CEO who has his head screwed on right, not someone using the platform for crass political gain, to coddle crooks and terrorists, and harass people who simply speak their minds.

This should not blow over: it's going to spook people for a long long time, unless drastic action is taken.

  1. Jack and company come clean, explain what really happened, why.
  2. A third-party auditing team are brought in to inspect the Twitter code.
  3. Twitter CTO Parag Agrawal sells his stock and resigns immediately.
  4. Twitter CEO Jack Dorsey sells his stock and resigns immediately.

Censorship is ugly, Jack. You censor (shadow-ban, suspend) people who think things you don't like. You're bent, Jack. Take some time off and get unbent.

Other platforms have no censorship at all (as the country Denmark, since 1968). So how do they survive? Your corporate policy's been political (some would say fascist) since Day One. Time for a little rest and recreation.

Hit the road, Jack.

About Rixstep

Stockholm/London-based Rixstep are a constellation of programmers and support staff from Radsoft Laboratories who tired of Windows vulnerabilities, Linux driver issues, and cursing x86 hardware all day long. Rixstep have many years of experience behind their efforts, with teaching and consulting credentials from the likes of British Aerospace, General Electric, Lockheed Martin, Lloyds TSB, SAAB Defence Systems, British Broadcasting Corporation, Barclays Bank, IBM, Microsoft, and Sony/Ericsson.

Rixstep and Radsoft products are or have been in use by Sweden's Royal Mail, Sony/Ericsson, the US Department of Defense, the offices of the US Supreme Court, the Government of Western Australia, the German Federal Police, Verizon Wireless, Los Alamos National Laboratory, Microsoft Corporation, the New York Times, Apple Inc, Oxford University, and hundreds of research institutes around the globe. See here.

All Content and Software Copyright © Rixstep. All Rights Reserved.

John Cattelin
Media Contact
ACP/Xfile licences

See Also
Rixstep: Glimmerglass
Wikipedia: Twitter suspensions
Wikipedia: Censorship at Twitter
RT: Censored: #occupywallstreet
Rixstep: Twitter's Holy Bug Story (1)
Wikipedia: WikiLeaks-related Twitter court orders
Twitter: Announcing the Twitter Trust & Safety Council
Daily Dot: How users manipulate Twitter to silence foes
Inquisitr: Kim Dotcom: Twitter Password Hack 'Deliberate'

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.