Slashdot Mirror
Twitter To Establish Information Security Program
An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.
Shouldn't they be permanently barred from misleading their customers?
Well, gee, I'm glad they'll be able to resume misleading consumers in 2030.
Twitter doesn't seem to hide the fact that pretty much everything you do on the site is public. Why don't they go after facebook for deceiving people and constantly changing their privacy policy?
I was just about comment about how they should be hounding Facebook for all shit they pull.
Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.
Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.
Barred for 20 years? Reviewed after 10 years? Twitter is a fad that will be passé by 2012... what the hell makes them think Twitter will still exist as a viable company in 20 years?!?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Fortunately, there is absolutely zero chance that twitter will be a relevant company or technology twenty years from now.
Corporations have feelings and a whole crop of shareholders at home, needing to be fed. It would be inhumane to punish them as harshly as those degenerate potheads and copyright infringers.
The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,
The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Does NOT seem to be a misrepresentation. If they employ any measures at all.
it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.
Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
Wait. "Hard to guess" and "Not used for other programs" are separate criteria.
It is not necessary to require that last bit, to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service, change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.
Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.
The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.
Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security
Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall. At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"
Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.
A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.
Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
This is only more secure, if you assume that an administrative login is known, and compromised.
An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.
Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...
Particularly if the use of administrative logins is monitored carefully, and a co
Comment removed based on user account deletion
IANALBIFWI, "Twitter will be barred for 20 years ..." does NOT mean that twenty years from now they have the right to mislead. It means that if the Government finds out they're misleading within the next 20 years it does not need to have a trial to take action - they can just slam them as violating the existing ruling. This is, functionally, a suspended sentence (thus third party review of their new security measures).
It's legal language. They aren't saying they were permitted before or permitted afterwards. They're saying that Twitter is basically on probation for the next 20 years, and now if they do it again the FTC can fine them since they've now warned them.
It'd be like say (ignore all other laws for a moment), a store advertising 20$ iPhones and they're 400$ when you get in the store. They would be told that they can't mislead customers for another 20 years, or else face heavy fines.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
Dang, i should have known. The signs were there. My co-workers often knew word-by-word what i published on twitter.