Twitter Tells Users They May Be Targets of a 'State Sponsored Attack' (vice.com)
135 points by tdurden on Dec 13, 2015 | hide | past | favorite | 59 comments


I'm very heartened by Twitter taking this approach to protect their users, but it comes about a week after I was very disappointed by the process of signing up for a Twitter account through Tor. I wanted an account that wasn't linked to me personally -- it was at least partially an experiment in anonymity, but it failed completely when Twitter blocked my signup until I provided a verifiable phone number.

Twitter denies this in the article, of course:

>(Twitter has denied blocking Tor. In September, Twitter spokesperson Nu Wexler told Motherboard, “Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.”)

I get why they want to keep suspicious actors out of their ecosystem, but the only suspicious thing I did was try to be anonymous. If protecting people from "state-sponsored attack" was actually a priority, they'd figure out ways to enable people to protect themselves.


If you used Tor then your IP came out of a Tor exit node, which is almost certainly associated with someone else's concurrent bad/spammy behavior. How could they know you aren't the bad guy?


I wonder why IP based blocking is still a thing (e.g. Wikipedia). With the IPv4 exhaustion and IPv6 non-adoption, many people who are not associated at all share a single public IPv4 address. How could a blocking policy based on IP ever have a low enough false positive rate?


The site operator generally cares a lot less about the false positive rate than the amount of work created by not IP blocking persistent nuisances.


Permanent IP blocks rarely target a particular person and rather target IP ranges to ban whole regions; people cannot easily spoof their IP range unless they use a VPN (or similar service), which in most cases is a high enough barrier that if it can be crossed, most other barriers can be crossed too.

Temporary IP blocks just work to block that person for that session (in sense of time) in cases where login is not required or can easily be created (like wikipedia). In most cases the people are incapable (through willingness or technical restriction) of changing their IP address and they move on. Short term IP blocks work wonderfully for this.

At least for services like wikipedia which do not require registration for making changes, (which is a great usp), temp IP bans are the best and possibly only solution except for browser fingerprinting.

Other services that require an account creation, like twitter can easily block users and require something like a phone number for known problematic IPs. As can be seen here.

- There might be a bigger uproar if they started doing this than twitter asking for a phone number if you are on a blacklisted IP.


There are perfectly legitimate reasons to ip block.

I block connections from most of the world to my various network resource admin points because only I am going to be connecting to them and I'm not going to be connecting from China or Nigeria or Romania. And if I am, I unblock them temporarily.


I was thinking about websites meant to be accessed by the public.


I agree, but that's why it makes no sense for them to encourage users to use Tor and then block based on IP.


You can get an anonymous phone number in the US by buying a prepaid cellphone. Last I tried Tracphone for example the only piece of information you needed to give them to activate the phone was a zip code (which could be any zip code you choose) which was used to pick an appropriate area code for your assigned phone number. Entry level models were about $10. This was several years ago.


Somewhat anonymous... they probably have you on camera buying the phone (not sure if they link that data yet but it would be possible). It definitely would be better if Twitter wouldn't require a phone number for signup and instead block the actual spammy behavior.


Of course you need to be careful how you acquire and even use it to maintain good anonymity.


I imagine the challenge is that there are plenty of people who would use Tor to create hundreds, if not thousands accounts not personally linked to them, if they are able.

Whereas if you wanted just one anonymous Twitter account badly enough, you could get a burner prepaid cell phone using cash (make sure to not turn it on at home or at work).


You cannot get anonymous phones in all countries. In many places, sale or activation are bound to your personal details.

Besides, a state-backed attacker will still be able to figure out at least the region where you bought / used the phone for Twitter activation.


Someone keeps track of which IMEIs go to which stores.

The stores keep track of which bar codes have which IMEI.

And of course the register keeps a log of when and what is sold.

I read this in a police report. The police went to the store and got video of the person buying the phone. I wouldn't be surprised if long term video storage was a requirement for selling prepaid phones.


Buy them on craigslist.


You can find online services providing disposable phone numbers for the purpose of sms verification.


Twitter could charge bitcoins for those who want to remain anonymous. It would prevent creating accounts by the hundred, or Twitter could find other ideas if it's just about checking spam.


Mailinator for phone numbers?


Get some Bitcoin. Use mixing services in Whonix instances to anonymize them. Lease a VPS via Tor, paying with anonymized Bitcoin. Install Tor on the VPS, and setup an OpenVPN server (TCP mode) as an onion service. Connect to the VPN in Whonix. Now you have a private pseudonymous IP to use for Twitter etc. Enjoy.


Note that several services will detect that your IP is from a hosting provider netblock and ban/restrict you/require phone verification anyway.

To make completely sure you are not mistreated, you might need to anonymously obtain access to an IP from a residential or mobile ISP; finding out how to do so is left as an exercise for the reader.


I am interested. I know some tricks, but they are a bit unreliable.


I think the poster was implying go wardriving or just find a place vulnerable to Reaver attacks or something and do it from there.

Though I could be wrong, of course.


Yes, but such an IP address would still be linked to you, depending on who your enemy is. Unless you wardrive to another city or country that is :-)


That's a lot of work to tweet ;)

And yes, there will likely be surveillance video records, license tag captures, MAC logs, and so on.


replying as breadcrumbs to a fantastic idea. thanks.


Twitter's statement is consistent with your experience, given the empirical reality that Tor IPs generally "exhibit spam-like behavior" way more often than the average Internet user's IP. Note that Twitter's statement says nothing about anonymity as an end-to-end goal, only the technical ability to use Tor. And, as always, you can buy a burner phone.

What would a good solution for this be? Any anonymous proxy would quickly be used by people who want to spam Twitter. (So, among other things, this means that Twitter running a hidden service isn't directly useful.) Could a proof-of-work or rate-limiting system allow building a proxy that couldn't be practically used by spammers?

How does Facebook deal with this problem?
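The two mechanisms discussed in this thread, short-lived per-IP limits (the Wikipedia-style temporary block described earlier) and a proof-of-work challenge that makes bulk signups expensive without blocking a shared IP outright, can be combined in one signup gate. The following is an added example and not Twitter's code; the window length, free allowance, difficulty, fake clock and the documentation-range address are constructed for illustration.

```python
"""Anti-abuse gate for anonymous signups: a per-IP sliding-window counter with a
hashcash-style proof-of-work challenge once an IP exceeds its free allowance.

Added example, not Twitter's code. The window, allowance, difficulty and the
fake clock used in the demo are constructed for illustration."""
import hashlib
import os
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # sliding window per source IP (assumption)
FREE_SIGNUPS_PER_WINDOW = 3   # signups an IP may start per window without a challenge (assumption)
POW_DIFFICULTY_BITS = 16      # leading zero bits required; kept low so the demo runs quickly (assumption)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def pow_hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve_pow(challenge: bytes, bits: int) -> int:
    """Client side: brute-force a nonce whose hash has >= bits leading zeros.
    Expected cost is about 2**bits hashes per signup, which is what makes creating
    accounts by the hundred expensive while a single signup stays cheap."""
    nonce = 0
    while leading_zero_bits(pow_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce


class SignupGate:
    """Server side. Shared IPs (NAT, Tor exits) reach the allowance sooner, but
    instead of being blocked outright they are asked for work, so a legitimate
    user behind a busy exit can still get through."""

    def __init__(self, now=time.time):
        self.now = now
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent signup starts
        self.challenges = {}                 # ip -> outstanding single-use challenge

    def _prune(self, ip: str, t: float) -> None:
        q = self.attempts[ip]
        while q and q[0] <= t - WINDOW_SECONDS:
            q.popleft()

    def request_signup(self, ip: str) -> dict:
        """Either allows the signup or returns a challenge the client must solve."""
        t = self.now()
        self._prune(ip, t)
        self.attempts[ip].append(t)
        if len(self.attempts[ip]) <= FREE_SIGNUPS_PER_WINDOW:
            return {"status": "allowed"}
        challenge = os.urandom(16)
        self.challenges[ip] = challenge
        return {"status": "challenge", "challenge": challenge, "bits": POW_DIFFICULTY_BITS}

    def submit_pow(self, ip: str, nonce: int) -> bool:
        """Verify a solution; each challenge is consumed on first use so a
        solved nonce cannot be replayed for further signups."""
        challenge = self.challenges.pop(ip, None)
        if challenge is None:
            return False
        return leading_zero_bits(pow_hash(challenge, nonce)) >= POW_DIFFICULTY_BITS


def demo() -> list:
    """Four signups from one address inside a window: three pass, the fourth
    must solve a challenge. Returns the sequence of outcomes."""
    clock = [1_000.0]
    gate = SignupGate(now=lambda: clock[0])
    ip = "203.0.113.7"   # documentation-range address, constructed
    outcomes = []
    for _ in range(4):
        r = gate.request_signup(ip)
        if r["status"] == "challenge":
            nonce = solve_pow(r["challenge"], r["bits"])
            outcomes.append("challenge solved" if gate.submit_pow(ip, nonce) else "challenge failed")
        else:
            outcomes.append("allowed")
        clock[0] += 5
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The difficulty here is a knob rather than an answer to the thread's question: raising it hurts a spammer linearly in CPU time per account but also slows the one-off user on a phone, and a counter keyed only on IP still treats everyone behind one exit node as a group, which is exactly why the challenge is used in place of a hard block.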


How about something like https://vpn.ht/en?

If you really value privacy, you should be willing to pay modestly for it, no?


VPNs don't give you anonymity, the company behind it knows everything about your connection. And paying just helps connect your account with your identity.


Well, nothing ever gives full online anonymity. It only raises the cost to get to you.

One designs one's own anonymity according to one's relevant threat model. For practical reasons, one can reasonably aim at evading global surveillance by not standing among the low hanging fruits, but aiming at staying out of reach of a state sponsored probe is an altogether different matter, think Edward Snowden different.

Then again some VPN providers exist where they can legally operate without collecting and retaining data about their clients. In any case, be sure to check your VPN provider for the level of anonymity it provides[1].

[1]: https://torrentfreak.com/anonymous-vpn-service-provider-revi...


My point is that we have no means of ensuring that those VPN providers actually provide any anonymity; for all I know, all of those who claim they don't log could actually be logging and selling all that data, making their use worse for my privacy than directly connecting to the Internet.

It comes down to the point made by cperciva in his post "Playing chicken with cat.jpg": http://www.daemonology.net/blog/2012-01-19-playing-chicken-w...


OK, and what distinguishes this VPN service from complete snake oil, or worse, something that actively tracks you? Remember that a VPN is by definition a MITM: all your traffic in both directions goes through it.


cryptostorm[1] is by far the best on this aspect, along with how billing is handled separately (from a different organization based on Sovereign First Nation Territory!) from your connection details (which they don't log).

1. https://cryptostorm.is/


HTTPS://proxpn.com accepts Bitcoin and does no server side logging.


Besides r3bl's point, if the FBI had demanded a copy of the SSL/TLS key from them, as they did with Lavabit, their claim "we don't log" would still be true.

They also require a mobile number for account activation.


And how can I be sure that a VPN service I have never heard about before actually does not log my data on the server side?


I believe all accounts require a phone number to verify, and that number can only be used once. Certainly I've always had it from any machine I've tried to sign up from for the past year and a half when attempting to create accounts for testing with.


Isn't this phone verification for all new accounts anyway these days? Regardless of your ip/tor/vpn? For sure it is when you want to get an api key - boohoo.


Easy to bypass tho. I just use a call forwarding service, that lets me have a DID number in any country, and FW the calls to SIP. This fails with SMS, but works with voice call verifications (which are usually an option). Costs a few bucks per number.


Interesting, right, didn't think of that. Any services you recommend?


I use https://didlogic.com/, but they don't accept bitcoin. Some others do. You'll have to test a few, since sometimes the numbers are re-used and thus banned in the top few services (like Google).


Is there a way to purchase a phone number anonymously (using twilio and prepaid credit cards perhaps) ?


FWIW in the UK I just get the free pay-as-you-go sims that most networks will send you. Not the most elegant solution mind.


Or pick up a Lyca Mobile or Lebara Mobile SIM from most grocery shops.


It seems that working publicly on information privacy tools (and especially the Tor Project) increasingly makes you a target for nation-state-level adversaries. I'm very curious who the actor was, and what they expected to gain of value from Twitter accounts.

I find it extremely unlikely for this attack to have been perpetrated by the United States; after all, Twitter is an American company and a three-letter could just NSL them for the data they wanted on these "activists".


I've commented about this before (https://news.ycombinator.com/item?id=10410658)

I received one of these alerts from Gmail years ago, and frankly... it was completely useless to me.

Telling someone they're being attacked doesn't provide much value, what are you supposed to do? I ended up wasting loads of time going through all of my account logs and searching through months worth of emails trying to find signs of this supposed attack... and discovered nothing at all.

Although, props to twitter for recommending Tor. That's significantly better than nothing, although of little use since you are in for a bad time trying to use twitter over Tor.


They send it to groups of people; it doesn't even mean you personally have been targeted.

I got the notification too, it was around the time protests in Turkey heated up for the first time.


It's weird people are complaining about how Twitter did something wrong this once or how knowing you're being attacked is useless.

I see this as nothing but positive. Could it be better? Sure, but what can't be better.

Kudos to the Twitter team for doing what's right rather than what's easy. Here's hoping others will follow your lead.


Don't assume twitter, or any other centralized gateway website, is trustworthy. For example, they could have been gamed into putting pressure on a selection of people, diverting their mind from their activities.

What I'm saying is that to consider the larger and deeper than the framed picture.


I'm very curious how twitter came to the conclusion that it was done by "state-sponsored actors".


Attribution is generally hard in these types of things, and some guy with IR experience can probably explain more than I can.

However, some of these attack groups follow specific patterns, use specific IP addresses, domains, emails, etc. because there is no real consequence to them doing so. Kaspersky, Mandiant et al [1] often have great writeups on these types of things that are often posted to their own blogs and to netsec-related mailing lists that show some of these common attack patterns.

On top of this, Twitter could have been tipped off by law enforcement or intelligence.

[1] http://www.mandiant.com/apt1
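The comment above points at two signals a provider can check internally before any attribution claim: reuse of known indicators (IP addresses, domains) published in vendor writeups, and one source acting against many accounts. The following is an added example and not Twitter's or Mandiant's code; the indicator set and log lines are constructed (documentation-range IPs, a .invalid domain) and are not real IoCs.

```python
"""Matching account-activity logs against an indicator set and flagging sources
that hit many distinct accounts. Added example, not Twitter's or Mandiant's code.
The indicators and log lines are constructed (documentation-range IPs, a .invalid
domain), not real IoCs."""
import re
from collections import defaultdict

# Constructed indicator set, the shape of what a vendor report would supply.
INDICATORS = {
    "ip": {"203.0.113.9", "198.51.100.77"},
    "domain": {"example-reset-mail.invalid"},
}

# Constructed log lines: timestamp, event, user, source IP, optional sender domain.
LOG_LINES = [
    "2015-12-10T08:12:33Z password_reset_request user=alice src=203.0.113.9",
    "2015-12-10T08:12:41Z password_reset_request user=bob src=203.0.113.9",
    "2015-12-10T08:13:02Z password_reset_request user=carol src=203.0.113.9",
    "2015-12-10T09:40:15Z login user=dave src=192.0.2.44",
    "2015-12-10T10:01:07Z mail_link_click user=alice src=192.0.2.10 from=example-reset-mail.invalid",
    "2015-12-10T11:22:19Z login user=erin src=198.51.100.77",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: from=(?P<sender>\S+))?$"
)


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(lines):
    """Events whose source IP or sender domain is on the indicator list."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed input is skipped, not treated as a hit
        if ev["src"] in INDICATORS["ip"]:
            hits.append({"user": ev["user"], "event": ev["event"], "reason": "ip:" + ev["src"]})
        if ev["sender"] and ev["sender"] in INDICATORS["domain"]:
            hits.append({"user": ev["user"], "event": ev["event"], "reason": "domain:" + ev["sender"]})
    return hits


def clustered_targets(lines, event="password_reset_request", min_accounts=3):
    """Sources that triggered the given event against min_accounts or more distinct
    accounts: one address probing many accounts is a targeting signal even when
    the address is on no indicator list yet."""
    by_src = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == event:
            by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    for hit in match_indicators(LOG_LINES):
        print("indicator hit:", hit)
    print("clustered sources:", clustered_targets(LOG_LINES))
```

Neither signal on its own supports the "state-sponsored" label the thread is asking about; an indicator match says the activity resembles a published campaign, and the clustering says the accounts were chosen rather than hit at random. The same matching also works against an external tip, which is the other route the comment mentions.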


Right, specific attribution is often challenging, but tactics, techniques, and procedures often have signatures or fingerprints common to the level of sophistication of the actor. Of course this also opens the opportunity to spoof attack vectors, but who knows.

With the inside visibility of the traffic across their network Twitter would be able to estimate (whether with their own internal security experts or an outside service) the sophistication of the attacker.

Would expect that at this point there was some discussion with FBI as well. Also, as pointed out, very common for a tech company to be notified by FBI/NSA/police in these situations.

I work with one of the people interviewed in the article, we've been having some fun on Slack with it :)


Well, it's good to know that I basically got it right. I don't work in incident response, so I had to make an educated guess at what signatures I'd assume IR people would use to respectably say "this is a nation-state."

> I work with one of the people interviewed in the article, we've been having some fun on Slack with it

Ooh boy. I don't think there's much you can do about something like this other than laugh it off, and also maybe recognize that hey, you're probably doing something of influence. (And probably make lots of jokes about APTs.)


Maybe they got an NSL.


I think it's really neat how they put the article together so that, by the end, it makes this sound like a revival of COINTELPRO despite a total and complete absence of anything even remotely resembling evidence in that direction.


All criticism aside, really impressed that Twitter is taking this step. Now if they could just reestablish faith with the dev community...


This is why you should use twister instead ;-)


What? They're reminding users they are obliged to pay taxes now?


What?


I think they are making some unrelated point about how they consider taxes to be an attack.
