Twitter To Establish Information Security Program
An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.
Shouldn't they be permanently barred from misleading their customers?
Well, gee, I'm glad they'll be able to resume misleading consumers in 2030.
Someone please tell me that this is a bad summary: "Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers."
So as punishment, they have to avoid lying to customers. Only for 20 years, though, so it's fine again in 2031.
Twitter doesn't seem to hide the fact that pretty much everything you do on the site is public. Why don't they go after facebook for deceiving people and constantly changing their privacy policy?
I was just about to comment about how they should be hounding Facebook for all the shit they pull.
Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.
Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.
...including the measures it takes to prevent authorized access to information...
So they only have to prevent authorized access? That seems silly. Boy, if I prevented authorized access at work and only allowed unauthorized access I think I would be fired pretty quickly.
Barred for 20 years? Reviewed after 10 years? Twitter is a fad that will be passé by 2012... what the hell makes them think Twitter will still exist as a viable company in 20 years?!?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
So Twitter is barred for twenty years from misleading customers, after which.... ?
Twitter will be barred for 20 years from misleading consumers
What kind of a deal is that? It seems to be saying that after the twenty year period it will be OK for them to mislead customers. And if it is not saying that, then what is the point of the 20 years or the deal in the first place? How does a company that betrays public trust get away with saying "OK, for our punishment we agree to follow the law for a limited period of time" ???
I'm an American. I love this country and the freedoms that we used to have.
The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,
The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Does NOT seem to be a misrepresentation. If they employ any measures at all.
it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.
Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
Wait. "Hard to guess" and "Not used for other programs" are separate criteria.
It is not necessary to require that last bit to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service and change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.
Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.
The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.
Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security
Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall." At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"
Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.
A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.
Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
This is only more secure if you assume that an administrative login is known and compromised.
An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.
Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...
Particularly if the use of administrative logins is monitored carefully, and a co
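The comment above contrasts two responses to repeated failed administrative logins: disabling the account outright, which lets anyone who can reach the login page keep the real administrator locked out, versus temporarily banning the source address, as the commenter suggests. The following added example (mine, not code from the thread, Twitter, or the FTC) models both policies side by side with constructed usernames, addresses and thresholds, and runs the same constructed scenario through each: a stream of wrong passwords for the admin account from one address, followed by the legitimate administrator logging in correctly from another.

```python
"""Added example: per-account lockout versus per-source-IP temporary ban
for failed administrative logins. All names, addresses, thresholds and
timings below are constructed for the demonstration."""
from collections import defaultdict, deque

BAN_SECONDS = 600  # the 10-minute source ban the comment proposes
MAX_FAILURES = 5   # constructed threshold for both policies


class AccountLockout:
    """Disable the account after MAX_FAILURES bad attempts, whatever the source."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, source_ip, password_ok, now):
        if user in self.locked:
            return "locked"          # even a correct password is refused now
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)    # a lockout an operator must clear by hand
        return "denied"


class IpThrottle:
    """Ban a source address for BAN_SECONDS after MAX_FAILURES failures
    inside a BAN_SECONDS-wide sliding window; the account itself stays usable."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time the ban lapses

    def attempt(self, user, source_ip, password_ok, now):
        if self.banned_until.get(source_ip, 0) > now:
            return "throttled"       # refused regardless of the password
        if password_ok:
            return "ok"
        window = self.failures[source_ip]
        window.append(now)
        # drop failures older than the window before counting
        while window and now - window[0] > BAN_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.banned_until[source_ip] = now + BAN_SECONDS
            window.clear()
        return "denied"


def simulate(policy):
    """Constructed scenario: MAX_FAILURES wrong passwords for 'admin' from one
    address, then the real administrator's correct login from another address.
    Returns how the policy treats the administrator's own attempt."""
    for t in range(MAX_FAILURES):
        policy.attempt("admin", "192.0.2.10", False, now=t)
    return policy.attempt("admin", "198.51.100.7", True, now=MAX_FAILURES + 1)


def compare_policies():
    """Outcome of the legitimate admin login under each policy."""
    return {
        "account_lockout": simulate(AccountLockout()),
        "ip_throttle": simulate(IpThrottle()),
    }


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name}: admin login from a clean address -> {outcome}")
```

Under the lockout policy the administrator's correct login returns `locked`; under the source ban it returns `ok`, while the offending address stays `throttled` until the ban lapses. Either way the failed attempts should be logged with source, account and timestamp, since that is what lets an operator tell a mistyped password from an attack in progress; a per-source ban alone also does not cover failures spread thinly across many addresses, which is why monitoring of the administrative login is needed alongside whichever response is chosen.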
"Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
So in 20 years they'll again be permitted to mislead consumers?
I think I need to RTFA. That can't be right.
Twitter will be barred for 20 years from misleading consumers
Ummm shouldn't that be a given? Why only 20 years? Why is it even in question?
---- Booth was a patriot ----
Maybe it is something like the punishment they should have received for this will be visited upon them if they are found to mislead customers again in the future, in addition to whatever punishment they get for that crime? Seems odd to me, but IANAL for just that reason.
IANALBIFWI, "Twitter will be barred for 20 years ..." does NOT mean that twenty years from now they have the right to mislead. It means that if the Government finds out they're misleading within the next 20 years it does not need to have a trial to take action - they can just slam them as violating the existing ruling. This is, functionally, a suspended sentence (thus third party review of their new security measures).
It's legal language. They aren't saying they were permitted before or permitted afterwards. They're saying that Twitter is basically on probation for the next 20 years, and now if they do it again the FTC can fine them since they've now warned them.
It'd be like, say (ignore all other laws for a moment), a store advertising $20 iPhones and they're $400 when you get in the store. They would be told that they can't mislead customers for another 20 years, or else face heavy fines.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
you need to be aware that the business interests behind Twitter, Facebook, et al, are playing with the public perception of their "services". Be concerned. Be aware.
Trying to prevent all authorized access has worked wonders for the MPAA members.
Persistent XSS on Twitter.com - http://praetorianprefect.com/archives/2010/06/persistent-xss-on-twitter-com/
Dang, I should have known. The signs were there. My co-workers often knew word-by-word what I published on Twitter.
Well, obviously now they do it, that the Russian president got an account with them and Obama said that from now on that's how they'll communicate!
You can't handle the truth.
Shouldn't a big company like Twitter not mislead their customers? What kind of company purposely misleads their customers? Twitter is a cool service, but I think this is a slap on the wrist to them.
http://www.thetechnologygeek.org
Does this mean they are hiring?
"Persistence is annoying success." - ghee22 11:28:1999 - 10:53:PM
I think it's misleading language.