Slashdot Mirror


Twitter Hit With Second Worm In a Week

adeelarshad82 writes "Days after a site update unleashed a Twitter cross-site scripting attack, the micro-blogging site was again hit with a bug that spread via questionable links. The offending messages appeared on a user's Twitter feed with 'WTF:' followed by a link. If you clicked on that link, you were taken to a blank page, but behind the scenes, the worm would post vulgar messages on your account that discussed, well, sex involving goats."

97 comments

  1. where is that goatsex link when you need it? by ehack · · Score: 1, Funny

    where is that goatsex link when you need it?

    --
    This is not a signature.
    1. Re:where is that goatsex link when you need it? by ShaunC · · Score: 5, Informative

      WTF: Goatse

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:where is that goatsex link when you need it? by Anonymous Coward · · Score: 5, Funny

      Now I've seen everything!

      A link to goatse is at "+2 Insightful" as I type this.

      A historical day at slashdot to be sure

    3. Re:where is that goatsex link when you need it? by AnonymousClown · · Score: 2, Funny
      That's because goatse is on topic and appropriate in this case. It's also on topic whenever anything to do with Congress comes up.

      Geeze!

      --
      RIP America

      July 4, 1776 - September 11, 2001

    4. Re:where is that goatsex link when you need it? by Anonymous Coward · · Score: 0

      That's because goatse is on topic and appropriate in this case.

      You can now get goatse from teh Twatter?

      Kewl......

    5. Re:where is that goatsex link when you need it? by Anonymous Coward · · Score: 0

It's like a classic British mistake: The UK military wanted to go with the times and registered a site on the internet called getfitta, after their training routine Get FitTA.... what they didn't realize was that in Swedish, getfitta is a rude name for goat genitalia.

    6. Re:where is that goatsex link when you need it? by Jedi+Alec · · Score: 3, Informative

      Next up: Twitter worms that discuss Natalie Portman naked and petrified, GNAA trolls and of course the classic penis bird.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    7. Re:where is that goatsex link when you need it? by adavies42 · · Score: 1

      we already had our on-topic GNAA comments when their affiliates goatse security hacked at&t.

      --
      Media that can be recorded and distributed can be recorded and distributed.
      -kfg
    8. Re:where is that goatsex link when you need it? by mahoney.d.82 · · Score: 0

      OK, I know I shouldn't be clicking on anything with the word "Goatse" in it, so it's kinda my fault... But what about a big freakin NSFW beside that link?

  2. Goatse Worm? by WrongSizeGlass · · Score: 3, Insightful

    It's no surprise that you could get worms from having sex, well, with goats.

    1. Re:Goatse Worm? by Anonymous Coward · · Score: 0

      Yeah, moral of the story: don't French kiss goats before having sex with them.

    2. Re:Goatse Worm? by stdarg · · Score: 1

I have never gotten worms from having sex with goats. Maybe vacuously true maybe not...

  3. I guess this script is baaaad for you. by Even+on+Slashdot+FOE · · Score: 1

    And I'm still not as bad as the Twit-head who lets scripts like that gets Twitted in the first place.

    Twit.

    1. Re:I guess this script is baaaad for you. by Bill,+Shooter+of+Bul · · Score: 4, Informative

      No. This is a Cross site Request Forgery attack. The Script in this case, was on the linked site, not in the tweet.

      For those not in the know:

OWASP Cross Site Request Forgery Prevention Cheat Sheet

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    2. Re:I guess this script is baaaad for you. by Anonymous Coward · · Score: 0

      Could standards be created to prevent these types of attacks from occurring? It seems this is a problem worthy of a fix. I know there are work-arounds and design patterns for application developers, but couldn't this attack be prevented if we add another layer to the HTTP protocol to prevent this from occurring in the first place?

      What about HTTPA:// for authorized?

    3. Re:I guess this script is baaaad for you. by nacturation · · Score: 4, Informative

      This post explains it quite well: http://www.andrewnacin.com/2010/09/26/csrf-twitter/

      Essentially, just create one or more iframes, with the iframe source set to http://twitter.com/share/update?status=WTF+PAYLOAD

      As long as you're logged into Twitter via the web, it will auto-post that update without any request for permission from you.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    4. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 0
      So... um... don't click the link without verifying it with the sender?

      This is a basic common sense fail of the variety that keeps anti-virus vendors in business. In fact, I'm sure that right now AV companies are cooking up great Extended Plus products that will Protect you from the Evils of Twitter.

    5. Re:I guess this script is baaaad for you. by miffo.swe · · Score: 3, Insightful

The fucking point of the internet is clicking on links. Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken. If you have to verify every damn link you could as well just go for chess by physical mail and penpals instead of the internet.

      The user uses the internet as intended, the developers, not so much.

      --
      HTTP/1.1 400
    6. Re:I guess this script is baaaad for you. by Anonymous Coward · · Score: 3, Insightful

      So you're saying that every single time a friend posts a link, you phone or email them and ask if you actually posted a link, and want a description of the page linked to?

      Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

    7. Re:I guess this script is baaaad for you. by Yvan256 · · Score: 2, Interesting

      What about stopping that stupid cross-domain mess and only allow subdomains to be used? Sure it's going to break a lot of things (including banners...), but it would solve a lot of problems.

    8. Re:I guess this script is baaaad for you. by Plekto · · Score: 1

      Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken.

Correct. The two most common operating systems are truly broken at this point and need a full re-write with security as their primary goal. Apple does a bit better, but it's a security joke right out of the box. Windows is a mass of Swiss cheese that has a welcome sign up. And you're right, playing whack-a-mole never works. And, no, Linux also is no magic cure, either. It just has too few users to be a target of botnets and the like.

      We need a new generation of operating systems that do it right and are designed from the beginning with the idea that your machine WILL be attacked and it WILL be online and vulnerable unless it's designed to make it difficult for hackers.

    9. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 1
      No, I'm saying that if my friend posts a link and also posts to discuss his carnal relations with barnyard animals, yer damned skippy I'm gonna check with him first.

      Wow... you're a douche. If you were my friend, I'd have long since put you into a group that can't see my updates, or just de-friended you altogether.

      So you're saying you DO enjoy carnal relations with barnyard animals? Oops, my bad...

    10. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 2, Interesting
      And as I said above... if I see a link that's immediately followed by some spam about leisure activities with barnyard animals, I'm gonna question that link.

      Playing whack a mole with stuff like antivirus, antispam, antiwhatever suggests your operating system is broken

      I agree that all of the above are a waste of time - you can't keep up. But you also can't blame the OS because it's no more capable of keeping up (unless it's a true walled garden - which works well for some people.) than OS vendors are. My point - and I don't see how it was missed - was that "security" vendors will jump on this bandwagon claiming that they can "fix" this problem when it's a problem that can only be solved via user education.

      (What I didn't say is that's also no solution at all. Users - rightfully I feel - don't want to be educated extensively in security practices when to their perspective they're using a simple tool. )

      The user uses the internet as intended, the developers, not so much.

      I agree. This exploit could just as easily be done without XSS. Someone clicks a link that says "check this out"; which in turn does an HTTP redirect to a GET URL that does the exact same thing. No script required.

      But there's also no OS currently in existence that can prevent this. Users click links, often blindly. Just because it's not fair that they need to do so intelligently doesn't change the fact that they must be responsible for what they click on.

    11. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 1

You're aware that there is only ONE way to make this secure OS you speak of, right? The walled garden. You must only allow access to carefully hand selected applications. You must not allow any interpreted language to execute (including javascript) unless you can vet the code. You must not allow updates to be received from any source but the True Source, after manual review for approval.

Sound familiar? Except even Apple doesn't go far enough - the source code itself must be reviewed for every app in the garden in order for true security. No client app may be permitted to execute instructions originating from an external system (including, for example, an HTTP redirect). Your reviewers must also be subject to strict scrutiny, and your reviewer-reviewers and....

      In other words, there is no technical solution to this problem. The walled garden presents a reasonable compromise (for people willing to accept it), but there is no true solution when you have an end user with control over his own machine connected to the Internet.

    12. Re:I guess this script is baaaad for you. by vadim_t · · Score: 1

No, the walled garden is just as flawed. It fails as soon as whoever maintains it lets the wrong thing in.

The real security approach is more like SELinux, where any random application is prevented by the system from accessing more than it's supposed to be able to. So for instance, a secure MP3 player is only capable of playing music, even if exploited via a buffer overflow, because the process itself has no ability to do anything but reading MP3 files and outputting sound.

The problem with Twitter is that the web moved from static content to combining code and data, so any input needs to be carefully sanitized. The fix is making sure that any input sent to Twitter is properly escaped so that it can never, ever reach outside its bounds and execute. There's no need to manually vet, or use an antivirus-like approach then.

    13. Re:I guess this script is baaaad for you. by miffo.swe · · Score: 1

While Linux isn't a magic cure, it has been and continues to be well ahead of Windows. Coupled with SELinux I would dare to say it's pretty darn secure. If viruses become a problem I'm 100% sure the solution on Linux won't be antivirus, as it's a flawed and utterly stupid kind of action that does not address the underlying problem.

My fav security OS right now is Chrome, mostly because it regards the user himself as a security risk and doesn't throw a UAC tantrum pushing any security-related issue over onto the users, shifting the blame away.

      --
      HTTP/1.1 400
    14. Re:I guess this script is baaaad for you. by thePowerOfGrayskull · · Score: 1
      I agree re: walled garden (hence my final comment about "no technical solution") for exactly the reason you state.

      But SELinux can't do it either - if you think about it, it's just another kind of walled garden. *somebody* has to decide what apps are allowed what permissions.

As far as the twitter issue - it's more insidious than that. Because a tweet can be posted via a GET URL, anything that causes the browser to redirect to a static URL (even a standard HTTP 302 redirect) can cause this; it's not a case of sanitizing inputs, because the inputs are all valid. And because the request comes from a user who remains logged in via preference... twitter has *no* way of knowing if the request is real or not.

The problem is more insidious than it seems. It's not specific to GET requests (even though this hasn't been discussed yet - people are still blaming the RESTful nature of Twitter end points) - though GET requests do make it so that javascript is not required to perform the exploits. A script could just as easily silently POST the same data.

      The only change I can see working in a foolproof fashion is to require a random unique ID from any browser-based request that's single-use and provided by twitter in the posting form. Ideally you'd also move service requests to a new host that requires credentials to be included with every request.
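The single-use form token proposed above, checked against the GET-reachable update URL nacturation described earlier in the thread, as an added example that is not code from the thread or from Twitter; SessionStore, StatusService, the /share/update path handling and the session id are constructed stand-ins:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed example: a minimal stand-in for a "post a status update" endpoint
# that requires a per-session, single-use anti-CSRF token carried in the real
# posting form. SessionStore and StatusService are hypothetical names.


class SessionStore:
    """Per session id, the set of tokens issued to that session and not yet used."""

    def __init__(self):
        self._tokens = {}  # session_id -> set of outstanding tokens

    def issue_token(self, session_id):
        # Fresh, unpredictable token embedded in the legitimate posting form.
        # A third-party page (iframe, redirect) cannot read it, so cannot supply it.
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, set()).add(token)
        return token

    def consume_token(self, session_id, token):
        # Single use: the token is discarded the first time it validates, so a
        # replay of the same request is refused. Constant-time compare avoids
        # leaking the token through timing.
        if not isinstance(token, str) or not token.isascii():
            return False
        outstanding = self._tokens.get(session_id, set())
        match = next((c for c in outstanding if hmac.compare_digest(c, token)), None)
        if match is None:
            return False
        outstanding.discard(match)
        return True


class StatusService:
    def __init__(self):
        self.sessions = SessionStore()
        self.timeline = []  # list of (session_id, status_text)

    def render_form(self, session_id):
        """The token the real web form carries; the browser sends it back on submit."""
        return {"csrf_token": self.sessions.issue_token(session_id)}

    def handle(self, method, url, cookie_session, body=""):
        """Return an HTTP-style (status_code, reason) tuple for one request."""
        if urlsplit(url).path != "/share/update":
            return 404, "not found"
        # 1. A state change is never reachable through GET: that is what let an
        #    iframe src or a plain 302 redirect post an update with no script.
        if method != "POST":
            return 405, "state-changing request must be POST"
        if cookie_session is None:
            return 401, "not logged in"
        form = parse_qs(body)
        token = form.get("csrf_token", [None])[0]
        status = form.get("status", [None])[0]
        # 2. The ambient session cookie says nothing about who built the request;
        #    only the form token, which another origin cannot obtain, does.
        if not self.sessions.consume_token(cookie_session, token):
            return 403, "missing, invalid or reused csrf token"
        if not status:
            return 400, "empty status"
        self.timeline.append((cookie_session, status))
        return 200, "posted"


def demo():
    """Run the four cases discussed in the thread against the hardened endpoint."""
    svc = StatusService()
    victim = "session-abc"  # constructed session id; the victim is logged in

    # (a) The forged GET from the thread: cookie present, no token, via iframe src.
    forged_get = svc.handle("GET", "/share/update?status=WTF+PAYLOAD", victim)
    # (b) A forged POST from another origin: cookie present, still no token.
    forged_post = svc.handle("POST", "/share/update", victim, "status=WTF+PAYLOAD")
    # (c) The legitimate flow: token issued to this session, sent back with the form.
    form = svc.render_form(victim)
    legit_body = "status=hello&csrf_token=" + form["csrf_token"]
    legit = svc.handle("POST", "/share/update", victim, legit_body)
    # (d) Replaying the legitimate request fails: the token was consumed in (c).
    replay = svc.handle("POST", "/share/update", victim, legit_body)
    return forged_get, forged_post, legit, replay, list(svc.timeline)


if __name__ == "__main__":
    for result in demo():
        print(result)
```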

    15. Re:I guess this script is baaaad for you. by Plekto · · Score: 1

      SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

      Registry locker. Massive oversight by MS that I have to ADD back in.
      Firewall to lock all unused ports and sharing/connections *by default*. Also a massive oversight that I have to effectively add back into the OS.
      Popup Blocker - because most browsers still assume, wrongly so, that the default state is happy and nice and trusting. Especially where Java is concerned.
      AV software - because the security is still a massive headache.
DNS blocker - because this also was not part of the system by default. (It does exist, but it's useless garbage.)

      5 programs just to get online. And it's only going to get worse until the OS makers get rightfully paranoid and distrustful.

    16. Re:I guess this script is baaaad for you. by vadim_t · · Score: 1

      SELinux, while flawed, is a massive step in the right direction, though. I'd liken it to at least putting up security cameras and reinforced plexi-glass at the local bank. It won't stop real hardened thieves, but it will deter the random criminal most of the time. As it is, on my Windows box, I have to have the following running:

      Why not? How do you think they'll get around it?

      5 programs just to get online. And it's only going to get worse until the OS makers get rightfully paranoid and distrustful.

      And that reminds me why I don't use Windows anymore. Not good out of the box, lots of third party software required that slows the system down to a crawl and constantly wants attention, and which eventually is almost guaranteed to do something fishy or outright against your interests.

      Examples:
      Zone Alarm, which makes it sound like it's saying you've got a virus (unless you read very carefully) and suggests to pay money.
      Antivirus companies, for instance Symantec, which worked closely with the maker to avoid reporting the Sony rootkit.

No, this is most definitely the entirely wrong way to do security. Not only does it miss things, sometimes it actually sides with the very thing it's supposed to protect from.

  4. Great - more 4Chan? by Algorithmnast · · Score: 1

    As funny as this could be, I certainly wouldn't want people to see these things coming from me.

    Of course, I don't USE twitter.

    Any un-protected protocol is a viable route for hacking, and a single vulnerability can allow someone to do whatever they want with your computer. Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

    1. Re:Great - more 4Chan? by Dancindan84 · · Score: 2, Insightful

      You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    2. Re:Great - more 4Chan? by neumayr · · Score: 1

      Uh, I can see it now, hysterical activists rallying to stop general purpose computers from executing non-certified code. After all, who knows what they could put in there. I heard there was profanity in source code!! Can't somebody, for once, please think of the children?!


      What're you're asking for is ridiculous, yes. Please don't go around giving people any ideas of that sort..

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    3. Re:Great - more 4Chan? by Algorithmnast · · Score: 1

      Ah - proof by insinuation.

      Note that in my post I didn't ask for anything.

      I only said, "software shouldn't be puked out by just anyone". I didn't say anything about certifying code, or implanting a chip in your goat, or anything else.

      But for one, I'm tired of the crap code pumped out by the masses, which then leads to an easy exploit and - unlike this joke - can lead to real problems.

    4. Re:Great - more 4Chan? by AvitarX · · Score: 1

      questionable is a friend saying WTF: though.

      Trusted source, something someone may regularly do. As far as dubious links go it is quite well formed.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:Great - more 4Chan? by fishexe · · Score: 1

      Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

      Yes. It makes you an elitist. Why don't you come down from your ivory tower now and then, huh?

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    6. Re:Great - more 4Chan? by fishexe · · Score: 1

      This worm sounds like watching Darwinism in action in the digital age.

      I wish. If only worms like this knocked people off the internet permanently.

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    7. Re:Great - more 4Chan? by amicusNYCL · · Score: 4, Insightful

      You have to use twitter and be the type of person who clicks on questionable links without regard.

      Which of these links is "questionable":

      http://tinyurl.com/2tx
      http://bit.ly/heezy
      http://xrl.us/bh2p3m

      That's what all of the links on Twitter look like, which are OK and which are questionable? How does one distinguish?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Great - more 4Chan? by nacturation · · Score: 1

      You have to use twitter and be the type of person who clicks on questionable links without regard. This worm sounds like watching Darwinism in action in the digital age.

      Clicking the link is not necessary for this attack to work. All that's needed is visiting a compromised webpage. If a prominent website were hacked, every Twitter user who was logged in and visited that site would have been affected. Twitter's heavy reliance on stupid shortened "surprise links" (and the gullibility of those who click on them) doesn't help things, of course. But this attack would not have succeeded had Twitter followed basic web security practices.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    9. Re:Great - more 4Chan? by neumayr · · Score: 1

      Of course you didn't say anything of the sort.
      But pray tell, how do you stop people from writing code, or, failing that, how do you stop code from being run?

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    10. Re:Great - more 4Chan? by Dancindan84 · · Score: 5, Insightful

      All of them. I don't click on shortened URLs. Nor should anyone who isn't a Rick Astley or Goatse fan.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    11. Re:Great - more 4Chan? by thePowerOfGrayskull · · Score: 1

      Noo.... questionable is a friend saying WTF, providing a link, then posting another update talking about goat sex ;)

    12. Re:Great - more 4Chan? by Anonymous Coward · · Score: 0

      Is it so ridiculous to suggest that software shouldn't just be puked out by anyone that can type?

      Sure. We'll start with you.

    13. Re:Great - more 4Chan? by TheLink · · Score: 1

      You can turn preview mode on for tinyurl, so you can tell that link goes to google.com without having to actually go there.

      As for the rest, good luck :).

      --
    14. Re:Great - more 4Chan? by Qzukk · · Score: 1

      Note that in my post I didn't ask for anything.

      Won't someone rid me of this meddlesome slashdot poster?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    15. Re:Great - more 4Chan? by John+Hasler · · Score: 1

      > Yes. It makes you an elitist.

      There is, unfortunately, nothing ridiculous about that (it is ironic, though, as most elitists are not elite in any sense).

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    16. Re:Great - more 4Chan? by icebraining · · Score: 4, Informative

      Or you could install this GM script which expands them to the real URL without actually loading it.

    17. Re:Great - more 4Chan? by Algorithmnast · · Score: 1

      Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

    18. Re:Great - more 4Chan? by Culture20 · · Score: 1

      Could you change your bit.ly link in your sig to a tinyurl link please? kthxby

    19. Re:Great - more 4Chan? by Algorithmnast · · Score: 1
      To quote Stroustrup from here

      RM:

      "Do you think education is the answer to developing better software and that somehow we get out from the 'we must do it first no matter how buggy it is' way of thinking?"

      BS:

      "Education is part the answer, an essential part, but 'education' itself is not a solution. We need an education for software developers that combine principles from science and engineering with practical skills. Most likely, we will need several specializations, hopefully with a common base. Unfortunately, I am not at all sure that the fields of computer science, software engineering, IT, whatever, are mature enough to agree on such a principled common base and specialisations. I also suspect that such a degree would be a master's rather than a bachelor's.

      Currently, we have another problem: students often leave educational establishments with a set of skills that are seriously misaligned to what the industry needs. We can argue that maybe industry should ask for something different, but there is a lot of hasty re-training and un-learning going on at the handover from education to industry. I think this is really bad for both sides. It discourages industry from relying on more than basic skills and puts an emphasis on tools and techniques that can be used by relatively unskilled labour. Students know that and therefore pay less attention to higher-level skills and some of the best students chose what they perceive as more challenging fields, such as physics and biology.

      Perhaps his decades of experience in not only teaching, but writing software will get your ear in a way that my decades of experience in both writing, evaluating, and teaching software hasn't.

    20. Re:Great - more 4Chan? by neumayr · · Score: 1

      Okay, so we improve education and have the industry actually value and make use of those advanced skills.
      So what's with code from people that don't have any formal education in software engineering?

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
    21. Re:Great - more 4Chan? by lul_wat · · Score: 2

      http://unshorten.com/

      That said, I don't even bother clicking shortened links or unshortening them.

      --
      Divide a cake by zero. Is it still a cake?
    22. Re:Great - more 4Chan? by TheLink · · Score: 1

      OK done... Better now? :)

      --
    23. Re:Great - more 4Chan? by Dancindan84 · · Score: 2, Insightful

      So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded. Most phones aren't even bound by a character limit in SMS anymore. If a URL is stupidly long due to variables being sent, it's not hard to shorten a link without a stupid 3rd party service. Is it?

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    24. Re:Great - more 4Chan? by Abcd1234 · · Score: 1

      So people send a URL to a shortening service and receive a shortened URL they can post/send to me, and I can use a GreaseMonkey script that contacts the service and caches results to decode that shortened URL into the original URL they shortened... I understand we're not in the days of memory being measured in KB or 9600 baud modems, but this is retarded.

      Umm, no, it's not.

      Let's see, Twitter limits the length of the message you can send.

      URL shortening services decrease the length of URLs.

      Do I need to put two and two together for you?

    25. Re:Great - more 4Chan? by PPalmgren · · Score: 1

Because of the ridiculous character limit on twitter and texts, and the fact that not all sites are created of equal or sensible URL lengths.

    26. Re:Great - more 4Chan? by Dancindan84 · · Score: 1

      Yes, and Twitter limits the length of the message you can send because of a now mostly defunct cell phone limit on SMS messages. Which I mentioned. So apparently I needed to put two and two together for you.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    27. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      That's great, but that's not practical for most people. This comes back to the expected level of (internet) education for internet users, and the fact that most internet users are operating at a lower level than a lot of people like you or I think they should be. For most people, when one of their friends sends them a link on Twitter they're going to click it, it doesn't really matter where it goes.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    28. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      Or you could install this GM script [userscripts.org] which expands them to the real URL without actually loading it.

      What about all of the Twitter users using IE? How do they know what's safe to click on? Should people be expected to install software to expand shortened URLs?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    29. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      The limit for SMS still exists, most phones just automatically wrap it to 2 or more messages for you if you type more than 160 characters. If a single message is longer than that, then it's not SMS (or your phone is smart enough to combine several messages into one, if it wants to wait to see if more than one comes in).

      In the end, it doesn't really matter why Twitter limits the length of their messages as long as they do so. It only matters that they do, not why they do.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    30. Re:Great - more 4Chan? by Dancindan84 · · Score: 1
      • People use shortened URLs. Why? A big reason is twitter's character limit, and because of stupidly long URLs (the latter of which is easy to get around)
      • So, twitter has a character limit. Why? Because they designed the system with the same limit as cell phone SMS to make integration with cell phones easier
      • So, cell phones have an SMS limit... well not so much anymore. A lot of phones have browsers and just use web services like twitter directly, so the limit isn't a problem with them. And out of those that do use SMS, the limit may not be an issue because of the way they can chain multiple SMSs together for ones too large.

      Once you get down to the root, it looks like the limit could be removed with minimal disruption to their end users. Which would remove the handcuffs from their users in terms of message length. Which would remove the need for URL shortening services. Which would eliminate a rather large security/annoyance issue.

      I don't use twitter (and as I mentioned earlier refuse to click on shortened URLs because I easily get songs stuck in my head...) so I don't care, but the why is always important if you want things to change.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    31. Re:Great - more 4Chan? by icebraining · · Score: 1

      People should be expected to do whatever the hell they want, why should I care? If you don't want to install software don't click on tinyURLs.

      And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

    32. Re:Great - more 4Chan? by icebraining · · Score: 1

      I agree with you, and I don't create such URLs, but other people do, hence the GM script.

      Personally, I think Twitter should just strip out URLs before sending them through SMS. If the person doesn't have Web access to read the Twitter updates, the URL will probably be useless anyway.

    33. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      URL shortening was around before Twitter. That service started in response to things like instant messaging. People just think shorter URLs are more attractive than larger ones. So the only solution is to shorten all real URLs, and that's not really going to happen. URL shortening services are a bad idea in general, if bit.ly or tinyurl.com shuts down or loses their data then all of these links online are now dead, even though the content is still there. But as long as people think brevity is attractive, people will use those services. It doesn't really have much to do with Twitter, that's just a perfect use for them. Some URLs alone are larger than the character limit on Twitter, so sometimes it's necessary.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    34. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      And if some people can't figure out how to install an extension, an expanded URL probably won't be more useful than a tiny one.

      That's right. So tiny URLs are not the issue.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    35. Re:Great - more 4Chan? by Anonymous Coward · · Score: 0

      switch to dialup and click stop before it actually loads the page

    36. Re:Great - more 4Chan? by Algorithmnast · · Score: 1
      I think that Stroustrup's point was that those skills are the baseline, not an advanced level.

      As a nit-pick (for precision, not to really nit-pick), "Software engineering" is more about process than about writing good code. The practical use of SE seems to be "If we use process then the result has to be good! After all, it works in other engineering disciplines!" It's a naive point of view, since "other engineering disciplines" which are "hard sciences" all share a single concept - that their "engineering" discipline (their science) can be modeled with math, and that all of their engineers learn that math.

      How many programmers understand what an invariant is? Or how to program to a contract? [Yes, I repeat myself.]

      And when it comes to C++ [My personal LOC - please no flame wars], how many know that a class should represent a (mathematical) group?

      Or for any programmer, that their types should be an algebra?

      So yeah, education is important, but seeing the math of our discipline is a bare minimum for helping CS be treated and understood as an engineering discipline.

      And for code which comes from people who don't understand that... well how can we trust it to be flawless?

      Yes, flawless is possible. It does require a level of discipline that is ... hard [VERY hard] to achieve without the math.

    37. Re:Great - more 4Chan? by fishexe · · Score: 1

      Rather than show you my resume, I'll merely point out that Proof-by-ad-hominem is not a valid method of proof.

      What about proof by parody?

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    38. Re:Great - more 4Chan? by listentoreason · · Score: 1

      Just give in and use Shady URL instead. For example, link to this article: http://5z8.info/5waystokillwithamelon_f9j6f_hitler.

    39. Re:Great - more 4Chan? by Anonymous Coward · · Score: 0

      And how did one visit this compromised web page?

      Not to mention NoScript and such make viewing said page perfectly harmless.

      Users need to follow some basic web security practices as well.

    40. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      OK, that's funny. I still don't like the concept of URL redirectors, but that's funny.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    41. Re:Great - more 4Chan? by amicusNYCL · · Score: 1

      The Geocities-izer is brilliant.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    42. Re:Great - more 4Chan? by neumayr · · Score: 1

      I do not disagree with your point. OTOH, you shouldn't study CS to become a programmer; that'd be like studying physics to become an engineer, or maybe studying engineering to become a carpenter.

      My point was another one though - there are a lot of hobbyist coders out there implementing really interesting ideas. Of course their code often does not meet the same criteria you would expect from formally engineered software.
      Still, I really like that those programs exist, and that everyone is free to make them.
      Open platforms rock.

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
  5. This is why... by thescreg · · Score: 5, Funny

    It took me awhile to realize what was going on. This is pretty much what I post about on Twitter anyway.

  6. Sex with goats? by The+Good+Reverend · · Score: 4, Funny

    Um, no, actually. That really was me.

  7. Yeah, yeah, yeah by microbee · · Score: 3, Funny

    blame the virus, you perverts!

  8. The early bird... by Anne_Nonymous · · Score: 4, Funny

    ...gets the worm.

    1. Re:The early bird... by _PimpDaddy7_ · · Score: 1, Insightful

      OMG, I gotta retweet that!

      -Tweet Tweet!

    2. Re:The early bird... by Anonymous Coward · · Score: 0

      YEEEEEEEAH!

  9. OH by mattwrock · · Score: 2, Funny

    I thought it was posting goatse http://en.wikipedia.org/wiki/Goatse

    --
    "Ones and zeros were everywhere. I even think I saw a two!" - Bender
  10. Call me hysterical if you will... by Anonymous Coward · · Score: 0

    but my browser runs with JavaScript off (the real thing, not NoScript), just to avoid the risk of running code which might be written by the likes of you ;-D

    1. Re:Call me hysterical if you will... by neumayr · · Score: 2, Insightful

      Hehe, good choice. But please be aware that you have no way of knowing how much of my code you're already running ;P

      --
      Truth arises more readily from error than from confusion. -Francis Bacon
  11. sex with goats or sex on boats? by Anonymous Coward · · Score: 0

    just go watch some good pr0n videos at http://www.hotsex.com/

    i don't think you'll find sex with goats ... but then i haven't checked. LOL!

  12. Sigh... by BrokenHalo · · Score: 1

    This exploit is no better or worse than any other social engineering attack that would work just as well via email or any other internet channel.

    I don't use twitter, facebook or any other social networking site, so my interest is academic. But there is no excuse for people clicking on dodgy links, given the prominent media exposure that such exploits receive. Natural selection at work...

  13. People have the wrong default by Anonymous Coward · · Score: 0

    Most people's default: "Hey, I'll run anything from anywhere - I don't need to know what that script or executable is doing to my machine..."

    Smarter people's default: "I'll run things I have some valid reason to run".

    Guess which group seems to be the one getting in trouble all the time?

    Really this kind of thing can be addressed with education. OK, not completely addressed - you can't fix terminally stupid - but most people are not stupid, they just haven't been conditioned to think about the consequences of what they do on their computers. With a little public education, it could get a lot better.

  14. Finally by rudy_wayne · · Score: 4, Funny

    the worm would post vulgar messages on your account that discussed, well, sex involving goats

    Finally!! Something worthwhile on Twitter.

  15. NoScript by dpolak · · Score: 0

    If only everyone used Firefox and had NoScript installed. This would never happen. Then again, it's tedious always granting access to the pages you want, but what value do you put on security?

    1. Re:NoScript by Anonymous Coward · · Score: 0

      Well, I'd argue it's only tedious for a few days, until you grant permanent permission to your bank and this and that. After that, it takes pretty much zero effort.

      It's just that most people don't actually *care* what their computer does. They'd rather have hours of trouble, maybe lost data, maybe hundreds of dollars for virus removal than spend 15 minutes, distributed over two weeks' time, to prevent their machine from running every random piece of crapware and adware it comes into contact with. The wisdom of this escapes me, but it's how 99.5% of everyone is.

    2. Re:NoScript by Anonymous Coward · · Score: 0

      I'd ask that you read the attack details before posting about NoScript. Seeing as how there was no script (haha) being used here... It was simply a "click a web link to a site that uses Twitter in a cross-domain way" (not JavaScript). So your protection in this case would not have worked at all.
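The pattern this comment describes, a link to a third-party page that makes a cross-domain request to the site's status-update endpoint with the victim's own cookie attached, is cross-site request forgery, and it needs no script on the victim's side if the page gets the browser to submit a form or load a URL. Blocking JavaScript therefore does nothing; the fix belongs on the server. What follows is an added example, not Twitter's code and not from the thread: a toy status endpoint in its vulnerable form next to a hardened one that requires a session-bound CSRF token and checks the Origin header. The session store, the cookie name, the origin twitter.example and the attacker host wtf-link.example are all constructed for the demo.

```python
"""Cross-site request forgery: the cookie rides along, the token does not.

Added example, not Twitter's code or anything from the thread. It models
a status-update endpoint; cookie names, hosts and sessions are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)        # server-side secret, constructed
SESSIONS = {"sess-victim": "victim_user"}   # cookie value -> user, constructed
SITE_ORIGIN = "https://twitter.example"     # assumed origin of the service


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would hand it over."""
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def csrf_token(session_id):
    """Token bound to the session with a server secret. A page on another
    origin can make the browser send the cookie, but cannot read this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def post_status_vulnerable(req, timeline):
    """Accepts any POST carrying a logged-in cookie, including one a
    form on an unrelated site caused the browser to send."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or user is None:
        return 401, "login required"
    timeline.append((user, req.form.get("status", "")))
    return 200, "posted"


def post_status_hardened(req, timeline):
    """Same endpoint with two independent checks: an Origin header that,
    when present, must match the site, and a session-bound token in the
    form body compared in constant time."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if req.method != "POST" or user is None:
        return 401, "login required"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    timeline.append((user, req.form.get("status", "")))
    return 200, "posted"


def forged_request():
    """What the browser sends after the victim follows a link to a page on
    wtf-link.example that submits a form at the status endpoint (constructed).
    The session cookie is attached automatically; the token is absent."""
    return Request(
        method="POST",
        headers={"Origin": "http://wtf-link.example"},
        cookies={"session": "sess-victim"},
        form={"status": "WTF: http://wtf-link.example/"},
    )


def legitimate_request():
    """The same endpoint used from the site's own page, token included."""
    return Request(
        method="POST",
        headers={"Origin": SITE_ORIGIN},
        cookies={"session": "sess-victim"},
        form={"status": "hello", "csrf_token": csrf_token("sess-victim")},
    )


def demo():
    """Run the forged and the legitimate post through both handlers and
    report the status codes and how many posts landed on the timeline."""
    results = {}
    for name, handler in (("vulnerable", post_status_vulnerable),
                          ("hardened", post_status_hardened)):
        timeline = []
        forged = handler(forged_request(), timeline)[0]
        legit = handler(legitimate_request(), timeline)[0]
        results[name] = {"forged": forged, "legit": legit, "posts": len(timeline)}
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable handler posts the forged status because the cookie is all it checks; the hardened one refuses it on the Origin mismatch, and would still refuse it on the missing token if a browser sent no Origin header at all. Marking the session cookie `SameSite=Lax` or `Strict` is a third, browser-enforced layer that keeps the cookie off cross-site POSTs in the first place.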

    3. Re:NoScript by Beelzebud · · Score: 1

      The solution is even simpler. See Twitter for what it is, and stop using it!

    4. Re:NoScript by Abcd1234 · · Score: 1

      See Twitter for what it is, and stop using it!

      Broadcast IM.

      So why should people stop using it?

  16. The Revolution by Beelzebud · · Score: 1, Insightful

    Will not be Tweeted.

    1. Re:The Revolution by evilbessie · · Score: 1

      I don't know, telling all Twits* to line up against the wall would make the revolution much easier to start...

      *People who use Twitter, as "Twitterers" is unnecessary.

  17. Your code... by Anonymous Coward · · Score: 0

    If it's anything different from JavaScript, there's a chance you know what you are doing ;-)

    And no, PHP doesn't count, as it just runs on the machines of those of my customers who don't heed my advice; that's selection à la Asimov.

  18. I for one... by Anonymous Coward · · Score: 0

    would rather have people believe I'm a goatfucker than have them think I'm stupid enough to click on a random link.

  19. Now I have a use for Twitter by mujadaddy · · Score: 1

    BRB, signing up...

    --
    Populus vult decipi, ergo decipiatur...
    "Force shits upon Reason's back." - Poor Richard's Almanac