Q: If Elmo believes that 2FA is "bloatware," what does that say about the security of Teslas?

A number of people asking, "what's 2FA" while I've gone off on an infosec and auto side tangent.

It's a good time to learn about 2FA. It's basically a second key, of sorts, to use before you access your accounts. Here's how MSFT describes it.
https://www.microsoft.com/en-ie/security/business/security-101/what-is-two-factor-authentication-2fa

There are 3 main kinds:
SMS (better than nothing)
Authenticator (better than SMS)
Dongles

Twitter just fucked up the way their SMS 2FA works along with other stuff Elmo considers "bloatware."

What is two-factor authentication (2FA)? | Microsoft Security

Two-factor authentication (2FA) is an identity and access management security method that requires two forms of identification to access resources and data.

@emptywheel what did twitter just do to 2fa? im OOTL
walking mirage on Twitter

“A former Tesla employee, who worked on their IT infrastructure, is posting in a subforum of a subforum, a little-known place for funny computer forgotten by time. His NDA has expired. He has such sights to show us. Join me and I will be your silent guide into a world of horror.”

Twitter
@ygalanter @emptywheel This is a development nightmare.
@emptywheel
So who's excited for those brain implants?! 🤯

@orci @emptywheel

duh nobody logs out of their brain implant so there won't be a problem

@orci @emptywheel If Teslas can be remotely hacked, imagine what a hacker can do with someone Neuralink-implanted...
@emptywheel I have no idea what 2FA is but I’m boosting this because you clearly do and it sounds important!

@Satchpiglet Two-factor authentication 🙂​

It seems this broke for some Twitter users today.

@Satchpiglet
You really should set up your login on Mastodon (or any site that offers 2FA) using 2FA. It’s available in the settings. You need to use the Google Authenticator app. So download that to your phone first.

@Satchpiglet @emptywheel If I can give you one information security advice you should follow it’s this: get familiar with two factor authentication and use it everywhere.

https://www.techtarget.com/searchsecurity/definition/two-factor-authentication

What is Two-Factor Authentication (2FA) and How Does It Work?

Two-factor authentication adds an extra layer of security to identity and access management programs. Learn about 2FA benefits, use cases and products.

SearchSecurity
@Satchpiglet @emptywheel 2FA = Two-Factor Authentication, the thing that texts you a code or pops up a notification in an Authenticator app to confirm you are who you say you are. Prevents people from hacking your accounts.
@emptywheel it’s one step away from “anything I don’t personally understand or use is superfluous”, an attitude that the less powerful are all too familiar with.
@mattblaze @emptywheel Let's be fair, it's not like that. The 2FA microservice is still working; it's just the service that was responsible for sending out the messages got nuked. I strongly assume that was collateral damage when purging whatever other microservices and wasn't intended.
@clipperchip @emptywheel that seems like a distinction without much of a difference here. It’s clear he doesn’t think 2FA is very important, or they would have rolled back VERY urgently (assuming they know how to).
@mattblaze @emptywheel That's a dubious assumption, though. This might be more difficult than one would think, especially if it was some custom module. You could be right, but I believe it's more likely that this was not intended. I mean, it's certainly not in Twitter's best interest to lock 30% (or whatever) of the userbase out of their accounts.
@clipperchip @emptywheel I believe they didn’t intend to break it. But I can’t think of any reputable large scale service in which restoring an accidentally broken 2FA login service wouldn’t be a 3 alarm fire.
@mattblaze @emptywheel I like to think the fire alarm is screaming for a while now but everyone who's responsible for it has been fired :)
@mattblaze @clipperchip I'm a bit interested in the cognitive model we think we're dealing with. Maybe I'm overly generous with Elmo, but I have to believe HE knows the value of 2FA. But his advisors are so inappropriate to the task. And he's surrounded by sycophants, who may not know or want to tell him he just threw away the locks on the most sensitive accounts he hosts.
@emptywheel @mattblaze The comedy is already pretty good from afar but man, I wish I could be a fly on the wall where these decisions and actions are being made and taken, it must be hilarious.
@emptywheel @mattblaze @clipperchip it seems like a form of persistence-less reactionary thinking mixed with hubris and lack of introspection. He runs with whatever thought came up first and considers any detail he didn't think of himself as insignificant, because he's always been shielded from consequence in the past and never had to re-learn anything. (very similar to Trump, as some have noted already)
@Natanael_L @emptywheel @mattblaze I think it also has to do with the fact that until Twitter, Musk never ran a company that he didn't build from scratch by himself. With Tesla, SpaceX and Boring Company he knows the ins and outs. That simply is not the case with Twitter.
@clipperchip @mattblaze Have to love getting into a convo with Matt Blaze and someone I don't think I know who uses the moniker "Clipper Chip."
@emptywheel @mattblaze That hurts. I've been on Twitter for 12 years and followed, but you never even noticed me :(

@clipperchip @mattblaze Shit.

Well, I have 5% of the followers here than I did there, and probably the most interesting ones. Fixed!

@emptywheel @mattblaze I know your account on Twitter was quite popular so no offense taken. It's not that I replied to most of your tweets, only very occasionally.
@clipperchip @mattblaze The Mastodon migration is so exciting. Like being a teenager again.
@emptywheel @mattblaze Indeed. It feels a bit like the old Internet. Mostly geeks joining in and having a fun time. It's the golden time to build a circle here before more and more people join after Twitter has burned down (which looks more and more likely with every day).

@clipperchip @emptywheel @mattblaze

I remember the old internet. Then aol email addresses started appearing in newsgroups and the fun was over.

@kdvncm @emptywheel @mattblaze The early days of AOL were super fun, to be honest. Not only was it free since we could generate the 40h trial account codes but we also had toll free dialup numbers (reserved for AOL field technicians). And the chat rooms were a blast. Good times.

@clipperchip @mattblaze @emptywheel

There's a few important points to consider:

1) Why are "microservices" being switched off in production, without testing in a preprod or dev environment first?

2) Who, in their right mind, would assume you could remove 80% of "microservices", with no adverse impact?

3) Why would anyone knowledgeable assume removing "microservices" would improve performance, when the performance issues highlighted are almost certainly caused by infra issues?

@Clarkeeeeee1980 @mattblaze @emptywheel

I know the answer to 1): It seems that Twitter never had a development or staging system. They *always* introduce changes directly into the production system. This came out a few days ago. And it actually explains why Twitter was always so buggy and often unreliable.

@clipperchip @mattblaze @emptywheel

Wow, hadn't seen that. As you say, explains a lot! Even more concerning is the fact Musk has spent his first couple of weeks pratting around, rather than implementing a testing platform.

@mattblaze @emptywheel try functioning #GDPR / #CCPA data requests...

Here's the full data from a 13-year old, active account. Even better, requesting the data triggered a seemingly permanent account lockout.

@mattblaze akshually, Elmo is "actually very familiar with [privacy and security]", he said so himself: https://twitter.com/mmasnick/status/1590992955028176896
Mike Masnick on Twitter

“Wait. Wait. Did we already know that Tesla apparently stores everywhere that people drive *other* than the last half mile or so?”

Twitter
@emptywheel Airbags = literal bloatware
@emptywheel without taking anything from the security aspects, 2FA is a nightmare for privacy. People are willingly sharing their phone numbers with companies, a practice that makes profiling easier in the long run.
@nomemory @emptywheel What do you think of things that generate one-time codes like Google Authenticator? Seems better than having companies know your phone but I'm no expert. I use it whenever possible though.

@dino @nomemory @emptywheel it's fine if you're careful with how you use the codes.

WebAuthn / FIDO2 security keys have better resistance to things like phishing attacks.

@nomemory @emptywheel
Fair, if people choose their phone number for 2fa. Fortunately, they offer an authentication app as an option. Much more secure than phone.

@nomemory @emptywheel

it's terrible from a security perspective too and it's better not to use SMS.

It's been shown time and again that it's easy to trick a telephone operator into transferring a phone number to a different person. Once a hacker has a target's phone number, the hacker transfers the number to himself and then receives the 2fa code.

@nomemory @emptywheel That's why you give them your Google Voice number instead.
@nomemory @emptywheel WebAuthn / FIDO2 security keys are both more secure than one time codes (both SMS and TOTP variants) and also better for privacy than SMS.
@emptywheel Can I boost this tweet mega instead of just regular boost?

@emptywheel Puts this in a completely different light: https://www.teslarati.com/tesla-toyota-profit-margin-8-times-q3-2022/

"Nikkei Asia’s analysis shows Tesla made $9,570 per vehicle during Q3, enough to make Tesla more profitable per vehicle than any other manufacturer on the planet. However, the report states this is unconfirmed. Toyota made only around $1,200 per vehicle."

Tesla makes $9,500 per car, eight times as much as Toyota

Tesla's profit margin per unit was 8 times that of Toyota in Q3 2022, despite making more than 7 times less vehicles than the Japanese automaker.

TESLARATI

@emptywheel I wonder if the next time I log in on Twitter I won’t be able to due to issues with 2FA not working 🤷‍♀️ it’s such a feature adding to bloat and not really necessary…but when your CISO and privacy folks resign maybe all security is considered bloat

More info: https://twitterisgoinggreat.com/

Twitter is Going Great!

Twitter is Going Great is a project inspired by Web3 is Going Just Great to track the latest examples of how Twitter is actively falling to pieces thanks to its current owner Elon Musk (with special guests Jack Dorsey and the Saudi Arabian royal family).

@emptywheel probably that air bags are bloatware too  

I see myself out

@emptywheel: also wondering, what's this say about #privacy at #Tesla? "The Radical Scope of Tesla’s Data Hoard" - IEEE Spectrum
https://spectrum.ieee.org/tesla-autopilot-data-scope
The Radical Scope of Tesla’s Data Hoard

In a series of articles, IEEE Spectrum is examining exactly what data Tesla vehicles collect, how the company uses them to develop its automated driving systems, and whether owners or the company are in the driver’s seat when it comes to accessing and exploiting that data.

IEEE Spectrum
@emptywheel that it's no worse than most cars, honestly

@emptywheel
I pondered something like this earlier...

*thinking TAC meme*

Maybe they keep running into semis because the guy writing that section of code got mad & said something that offended the overlord so he was fired....

@emptywheel considering his cars randomly catch on fire, I doubt it's high up on the list of priorities at Muskla
@emptywheel I want to believe that Tesla, spacex and neuralink employees more than politely ask him to stay afk..

@emptywheel Fairly sure he didn't do due diligence on what happens if he turned things OFF. 🙄 His style is to turn it all off and see what's broken.

That's fine in a dev/staging / experimental environment. It's NOT FINE doing it LIVE on a public facing system.

It's like experimenting on people while they're driving, 🤔.