Update from us from speaking to people involved in the hack and obtaining more screenshots: Twitter employee leveraged access to internal tool to help take over accounts today. Hackers paid insider https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos
@matrix That would be such a nice feature!
@matrix And when you have that, can you let us quote complete public messages into different channels with the authors' signatures intact?
@matrix signing only moves the problem around.
Now you need a reliable way for other people to figure out which public key is yours.
a) you have a centralized key directory, or
b) you use TOFU/WoT/etc., in which case people will keep losing keys and everyone will get used to public keys changing every so often
In either case, an insider can use a different keypair to impersonate the famous person, and nobody will notice that the public key is different.
@matrix Signing everything I write so it can be pinned to me forever? No thanks.
Especially with the eventually consistent principle used by matrix chat rooms, that's just asking for disaster and abuse.
Signing everything can be very bad.
Twitter was just the vessel. That was a social hack.
What would have happened if only devices that had the private key could have sent those tweets?
The attack vector is different, which may make it harder, but it would still have happened.
@tokudan nobody said anything about signing everything(!) - just giving the option to send signed messages using matrix's existing PKI, just like you can with PGP. And yes, if the attacker had compromised keys held on endpoints then they could still have spoofed messages. Which is way, way harder than a mere social engineering attack on a Twitter employee.
@matrix The hack was "hey, send me money through a service that hides my identity, I'll send back double the amount".
Getting access to those accounts isn't the real issue. It will always happen, in some way or another.
Signing those messages with an invalid key would have probably still caught some people.
@matrix And then port that to Mastodon so toots can be signed as well?
@matrix For future visitors of the thread:
Multiple high-profile verified accounts, such as those belonging to Apple, Microsoft founder Bill Gates, and former United States President Barack Obama, posted links to cryptocurrency scams disguised as charitable endeavors.
Over $50,000 USD across over 200 individual transactions was given to the Bitcoin address in Bill Gates' and Elon Musk's Twitter accounts alone.