So not only are they going to find a vulnerability on Twitter's backend that allows them to remotely execute code on the Twitter servers, but then they're also going to find some vulnerability in the app that is accessible from the previous vulnerability on the backend that allows them to execute arbitrary code on my phone, without pushing any sort of app update to the Apple store, and then they're going to use that vulnerability in the app to deploy some 0day that gets around all the protections in iOS?
I'm more worried about cold path logs. Like, what if Twitter just randomly has the past year's worth of geolocation data on so-and-so, and it happens to be exposed in an SQL query, and that query happens to get run and the results exfiltrated.
It depends a lot on what Twitter keeps and for how long, but e.g. consider American soldiers being used to pinpoint nuclear silos.
Imagine being able to map where every journalist is in the world. Now imagine being able to do that for every minute of every day for the past decade.
Objectively, this is an enormous geopolitical risk at just the wrong time, but I have no interest in panicking, so aside from mentioning it here, I'm letting it be somebody else's problem.
Before anyone asks: the cold path is long-term logging and storage, as opposed to the hot path, i.e. real-time telemetry. (Or at least that's what we called them at the last CloudCo I worked at).
Generally, you try to keep PII (personally identifiable information) and other stuff out of the cold path, but the data still has to be somewhere, right? So there's the hot path.
The overall effect is that stuff that is only logged 'on the hot path' gets effectively forgotten after a while, so you don't have to worry about the management and stewardship of that data.
But you could, for example, force a compromised system to log PII (incl. GPS coordinates, radio telemetry, accelerometer data) to the cold path and then come back and get it later.
For bonus points, do stego so it looks innocent.
That is one of the scenarios I'm worried is playing out over there. One of many worries, to be honest, but this one just seems like the kind of breach we'd find out about years later, if at all, under the new regime.
Meanwhile, people in this or that far-off place just... disappear.
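The cold-path scrubbing the comment above describes, as an added example that is not from the thread or from any Twitter code: a sink-side filter that allowlists the fields long-term storage may keep, drops PII and sensor keys with an alert (their arrival at the cold-path sink is itself the signal that some service has started logging things it should not), and redacts coordinate-looking number pairs tucked into free-text fields. The field names, the regex thresholds and the sample events are assumptions constructed for this example, not Twitter's schema or real data.

```python
import json
import re

# What the cold path may keep.  Anything not listed never leaves the hot path.
# (Field names are assumptions for this example, not Twitter's schema.)
COLD_PATH_ALLOWLIST = {
    "ts", "service", "level", "event", "request_id", "status", "latency_ms", "msg",
}

# Keys that are PII or device telemetry.  Seeing one of these at the cold-path
# sink is an alert, not just something to drop: it means some code started
# logging things it should not.  (Assumed names.)
PII_KEYS = {
    "lat", "lon", "latitude", "longitude", "gps", "geo", "accel", "accelerometer",
    "cell_id", "imei", "user_ip", "email", "phone",
}

# Heuristic for a "lat, lon" pair smuggled into free text: two decimals with
# at least three fractional digits, separated by a comma and/or whitespace.
COORD_PAIR = re.compile(
    r"(?<![\d.-])(-?\d{1,2}\.\d{3,})\s*[,\s]\s*(-?\d{1,3}\.\d{3,})(?![\d.])"
)


def coordinate_pairs(text):
    """Return (lat, lon) pairs found in text that fall inside valid WGS84 ranges."""
    pairs = []
    for m in COORD_PAIR.finditer(text):
        lat, lon = float(m.group(1)), float(m.group(2))
        if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
            pairs.append((lat, lon))
    return pairs


def scrub_for_cold_path(event):
    """Filter one structured log event before it is written to long-term storage.

    Returns (cold_event, alerts).  cold_event is what may be persisted; alerts
    describe what was dropped or redacted so the hot path can page someone.
    """
    cold, alerts = {}, []
    for key, value in event.items():
        k = key.lower()
        if k in PII_KEYS:
            alerts.append(f"PII key {key!r} reached the cold-path sink; dropped")
            continue
        if k not in COLD_PATH_ALLOWLIST:
            # Unknown field: drop it, so schema drift cannot widen the cold path.
            continue
        # Scan the JSON rendering so nested objects and lists are covered too.
        rendered = value if isinstance(value, str) else json.dumps(value)
        if coordinate_pairs(rendered):
            alerts.append(f"coordinate-like pair inside {key!r}; redacted")
            cold[key] = "[redacted: coordinate-like value]"
            continue
        cold[key] = value
    return cold, alerts


def process_batch(events):
    """Run the scrubber over a batch of events; returns (cold_events, alerts)."""
    cold_events, alerts = [], []
    for ev in events:
        cold, found = scrub_for_cold_path(ev)
        cold_events.append(cold)
        alerts.extend(found)
    return cold_events, alerts


# Constructed sample events (not real data): one clean, one where a service
# started logging raw sensor and network fields, one where coordinates were
# tucked into an innocent-looking message string.
SAMPLE_EVENTS = [
    {"ts": "2022-11-20T10:00:00Z", "service": "timeline", "level": "info",
     "event": "fetch", "request_id": "r1", "status": 200, "latency_ms": 12.5,
     "msg": "ok"},
    {"ts": "2022-11-20T10:00:01Z", "service": "timeline", "level": "info",
     "event": "fetch", "request_id": "r2", "status": 200,
     "lat": 37.7749, "lon": -122.4194, "user_ip": "203.0.113.7"},
    {"ts": "2022-11-20T10:00:02Z", "service": "timeline", "level": "debug",
     "event": "fetch", "request_id": "r3", "status": 200,
     "msg": "cache miss near 37.7749, -122.4194 (accel 0.02)"},
]

if __name__ == "__main__":
    cold_events, alerts = process_batch(SAMPLE_EVENTS)
    for ev in cold_events:
        print(json.dumps(ev))
    for a in alerts:
        print("ALERT:", a)
```

The regex only catches the naive case; a value that has been encoded or hidden with stego, as the comment anticipates, will pass it. That is why the alert on unexpected keys matters more than the pattern match: in a pipeline that has held the same allowlist for years, a service suddenly emitting `lat`/`lon` or an unexplained growth in cold-path volume is the detection, and the scrubber is only the last line.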
The parent isn't talking about an aggregate overview of journalists. They are talking about targeted tracking. We already know the Saudis were doing their damnedest to have access to Twitter for basically that exact purpose, and they keep telling me to ignore the hacksaws they brought.
You can use Twitter with a third party app. In this regard Twitter stands out from the likes of Facebook, Instagram, Tiktok etc. and is the reason I use it and none of the others.
This is why I have been saying: even if you don't log off from Twitter completely, at least houseclean your old tweets with tweetdelete.net (or something, IDK).
I do not trust Elon to use my posting history responsibly, period.
At the moment, that request might still be handled by a microservice written by the old staff that does the right thing. If that microservice is still up.
> At the moment, that request might still be handled by a microservice written by the old staff that does the right thing.
That's being optimistic. The old microservice was written before GDPR took effect, when data management was "get everything, keep everything, storage is cheap, we (or some three-letter agency) may find a use for it 10 years from now".
That might be true, but in any case, if you don’t trust the new owner to do the right thing, then the present state is still preferable over any future state.
It's better than leaving it out there; also, there are compliance laws like GDPR in some jurisdictions (similar in California) where they have to be more careful with data. Overall I'd rather ask them to delete it and have them try to jump through hoops to resurrect it.
Further, as GP mentioned, this should provide some protection from unintentional breaches. If push comes to shove I am prepared to delete the account and ask my friends to follow me on Mastodon; it's really not that much of a lock-in with Twitter.
I'm using Firefox, but if you are that paranoid you should be using Chrome. Firefox is child's play compared to Chrome in terms of security (but not privacy).
All one has to do to confirm this is look into the privacy/system privileges that the Twitter app consumes to say "oh, yeah; the website version of Twitter is a safer thing to use".
So wait, we've had all these exploits and no one raised those concerns until Elon took over? How come it wasn't on national news before Elon bought the company?
Everything has exploits waiting to get discovered and used. They just get worked on under normal circumstances and patched. With all the chaos there's no one to patch or monitor.
Check out HackerOne and look at what gets disclosed every day; major companies have little issues popping up.
The longer they remain in a code freeze, the more inevitably the outdated codebase will develop vulns. And they're not gonna be able to patch vulns and 0days during a freeze...
Now, I need you to consider the following proposition: that eyeballs are to codebases, dashboards and telemetry as floss is to tooth and gum.
Then, I need you to go to your phone and uninstall Twitter.
Also, when you do visit it, visit it in Firefox.
Use a Firefox Container.