Twitter login security problems
My first reaction when I saw the news about the Twitter hack earlier this month was: “these good people, in terms of security, are a disaster waiting to happen.”
And as more information about what happened emerges, it looks like I was right: it turns out that Twitter not only had tools that allowed its users’ accounts to be manipulated, but also that those tools were in the hands of no less than a thousand people in the organization. From this point of view, it is not surprising that the company has been trying to hire a Chief Information Security Officer (CISO) for months: no security professional in their right mind would want to work for a company like this!
When more than a thousand people have the keys to your front door, it’s safe to assume that at some point, someone is going to break in and do what they shouldn’t. It is impossible to maintain even minimally reasonable security practices when a thousand people have access to a tool that allows them to take over a user’s account. The analogy here is that Twitter is full of monkeys with machine guns.
Where is the benefit to Twitter of creating a tool that allows a thousand people to update a user account? Obviously, when users breach the company’s terms of use, an administrator should be able to deactivate the account, prevent access or delete a post. So far, so good: if we are hacked, someone will be able to close some accounts or remove some tweets. But being able to write an update as if it were something written by the user is beyond imagination.
What then happened is that some of those thousand or so employees made up incidents in order to access the accounts of some of their idols. It’s not much of a step from that to a hack that has destroyed Twitter’s credibility. I have truly loved Twitter since its very inception, and that makes all this hurt even more.
This latest hack shows what happens when an organization completely neglects its security practices. In fact, the company was extremely fortunate that those who set out to access these accounts were not professionals, but mere amateurs, because everything from the hack itself to the company’s reactions shows how disastrous the situation was.
That more than a thousand people have access to a management tool that should never have been created in the first place shows that Twitter has no idea what is going on in the company. The least we as users can expect is that the senior management knows who has access to our accounts. Otherwise, when something goes wrong, nobody knows what to do, as was woefully shown earlier this month. And the problem, in this case, is not so much the personal information of its users, of which Twitter has very little, but their public image.
If you have a Twitter account and think hard about what you tweet, if your image depends on it, or if it is a corporate account, then you might as well start thinking about what you’re going to do when this happens again, because it will. A company doesn’t change its security culture overnight. Twitter’s security is a danger. Now we know the full extent of that danger.
(In Spanish, here)
Translated from: https://medium.com/enrique-dans/twitters-security-who-s-got-the-keys-3d75522181b1