Engadget The Morning After | Engadget

The story behind Twitter’s massive breach on Wednesday is taking more strange turns. On Friday the New York Times published a report based on interviews with people from the “OGUsers” forum where someone sold access to the internal tools that could take over anyone’s account. 

No one identified “Kirk,” the person behind the scheme. Their story is that he claimed to be a Twitter employee but may be someone who got into its internal Slack channels and found login information for the admin tools there.

Of course, as Violet Blue explains, access to those tools could enable a crime far more interesting and profitable than simply selling accounts or scamming for Bitcoin. In its most recent update, Twitter confirmed that the attackers exported data from up to eight accounts using its built-in tools. But that tool may not have been used on accounts for former (or current) politicians, billionaires or entertainers — none of the eight accounts were verified.

— Richard

The Engadget Podcast

Understanding Windows on ARM and Apple Silicon

Devindra and Cherlynn look at Apple Silicon and the challenges that might be in the company’s way as it makes its two-year transition to ARM. Will an ARM-based Macbook be powerful enough for the most demanding users? Then, as usual, they share what they’ve been working on and relaxing with, and offer entertainment recommendations you should check out.

Listen on Apple Podcasts, Google Play, Spotify, Pocket Casts or Stitcher.

Lenovo’s next gaming phone has a camera that pops out of its side

Alright, now we’ve seen everything.

The Legion smartphone packs a 20-megapixel pop-up selfie camera located on the side, smack in the middle. That could make it easier to stream yourself while gaming in landscape mode or just be the first on the block with a weird new feature. We’ll have a better idea after it launches in China on July 22nd.

The best deals we found this week: 16-inch MacBook Pro, Echo Show and more

And Fitbit’s summer sale.

This week, anyone looking for a deal on an Apple laptop or Amazon’s Echo devices should check this roundup out. Both the 16-inch MacBook Pro ($300 off at $2,099) and the MacBook Air ($50 off at $949) are on sale — not quite as cheap as they were earlier in the week, but still two good deals. Also, DJI’s Osmo Action camera is a worthy rival to the devices that GoPro has been making for years, and right now it’s on sale for $250 at both Amazon and Best Buy.

Valentina Palladino has the full rundown for you here, and for more updates on Twitter, be sure to follow the @EngadgetDeals account.
Ask Engadget: What’s the best way to annotate digital textbooks?

I’m assuming (or just hoping) you’ve managed to get some of your textbooks in PDF form — those are the easiest to mark up with the right software. If you get an e-textbook from, say, Amazon’s Kindle platform, expect to work with more limited annotation tools. Meanwhile, textbook vendors like Chegg have their own e-reader apps, and the quality of their note-taking tools can vary pretty wildly. So yeah, find those PDFs if you can. 

When I was in college, I once tried to get through a finance class with a digital textbook saved on a second-generation Kindle because it was massively cheaper than a physical copy. The caveat? Turns out that trying to skim through incredibly dry, dense writing on a screen the size of a small paperback was one of the stupider ideas I’ve ever had. What I’m getting at is that, if you’re dead set on using something like a tablet to read and annotate your texts, go with the biggest thing you can.

Thankfully, you’ve got lots of options. All of Apple’s iPads — including the basic, 10.2-inch model — now support the Apple Pencil for precise note-taking and annotation. They’ll cost you extra ($129 for the magnetic iPad Pro Pencil and $99 for the first-gen model) but they’ll be indispensable in your journey.

Even better, iPadOS has a wealth of very highly regarded apps for marking up PDFs: LiquidText’s clever approach to note taking, linking and organization has won it plenty of fans, and students can get it at a discount. MarginNote also has an active, thriving fanbase — this video from YouTube Paperless X does a great job of running through the differences.

If Android is more your speed, Samsung’s tablets are probably the safest bet, and two of them — the Galaxy Tab S6 and Tab S6 Lite — come with their own S Pens right in the box. Tablet apps on Android have historically been hit-or-miss, but there are a few that might work out well for this specific situation. INKredible Pro and SquidNotes seem to excel at general note taking, but you can use them both to mark up PDFs all the same. We also like Microsoft’s classic OneNote, if for no other reason than it’s likely to be supported for a long time.

But if you’re looking for something that replicates the look and feel of paper — or something that tries, anyway — the ReMarkable 2 might be just the ticket. It hasn’t been released yet, but it’s a gorgeous e-ink tablet that’s incredibly light, syncs notes to the cloud and packs a battery that should last longer than your average tablet. And if its pen is anything like the one that shipped with the original model, writing with it should feel delightful.

In the meantime, you may be tempted by the original ReMarkable, and it’s certainly still a great tool if writing and note-taking are your biggest priorities. The thing is, its 1GHz FreeScale processor was already pretty wimpy when the tablet launched in 2017. Take it from me: I’ve tried marking up the occasional PDF on one, and it was so sloooooow that I can’t even imagine trying to write on top of an entire textbook.

— Chris Velazco, Senior Editor, Mobile

Google will ban coronavirus conspiracy ads to fight misinformation

Google is amping up its fight against coronavirus-related misinformation by banning ads that “[contradict] authoritative scientific consensus” about the pandemic. That means websites and apps can no longer make money from running advertisements promoting debunked conspiracy theories about COVID-19. Those include claims that the virus was created in a Chinese lab, that the pandemic is a hoax and that Bill Gates was behind it.

According to Bloomberg, Google will start enforcing the new rule next month. And in addition to blocking advertisers from creating new ads, it will use human and machine reviewers to find and take action against publishers and advertisers who break the rule. It will also ban those who repeatedly violate its new policy from using its ad platform. As a Google spokesperson explained, the new rule expands the company’s policy against harmful health claims, such as miracle health cures and things that promote anti-vaccination ideas, on the internet:

Twitter confirms ‘Bitcoin’ hackers copied the data of several accounts

Late Friday night, Twitter confirmed that its investigation shows attackers exported the data on “up to eight of the accounts involved,” without specifying which ones (in a later tweet, the company indicated that none of the eight were Verified accounts). Of the 130 that it had previously said were targeted, Twitter now says the attackers performed a password reset and were able to access 45 of them, but did not specify why they may not have done so on the others.

Multiple reports, including one on Friday afternoon from the New York Times, have featured accounts from posters on the “OGUsers” gray market forum where high-profile accounts are sometimes traded. By the accounts of their sources, an unknown person going by the name of “Kirk” claimed to be a Twitter employee and offered takeovers on any account, working at times via middlemen, and collecting money via the same address advertised in the tweets. Some of the customers and middlemen from the incident apparently believe Kirk accessed Twitter’s internal Slack channels and found credentials for accessing its internal admin tools there.

According to Twitter’s own accounting of the incident, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”



EA will remove the Washington pro football team’s name in ‘Madden 21’

On Monday the Washington football team announced that after years of insisting on using a racial slur as its name, it will rebrand ahead of the upcoming season. While establishing a new name and logo for a pro sports team in just a few months is already a gargantuan task, it also impacts the next release of EA’s Madden NFL game.

In a statement given first to Kotaku, the company confirmed “Changes to the name and logo will come via title updates that will download automatically.” They won’t be able to change every instance of the name right away, but the first changes should tweak the game’s commentary, uniforms, stadium art and similar areas.

‘Worms Armageddon’ gets a big update 21 years after it was released

When it comes to most video game communities, they’re lucky if their favorite title gets a couple of years of developer support. After all, not every game can be an Age of Empires II or a StarCraft: Brood War. The group of people that still play 1999’s Worms Armageddon is one of those lucky fanbases. On Friday, Team17, the game’s developer, quietly released a major update for the title. In all, the patch includes 370 fixes, 45 changes and 61 new features.

Some of the more notable enhancements include the integration of RubberWorm, a popular mod players could install to change the game’s physics. The update also adds more than 70 new settings you can enable to change how matches play out. For example, one permutation allows you to set it so that your worms can fire more than one weapon per turn. Team17 has also tweaked the game’s engine to allow for smoother animations. Another technical enhancement is the addition of a windowed mode. Despite all the new tweaks, the studio says the game is still compatible with Windows 95 and other old operating systems.

Cloudflare outage cuts off connections to Discord, DownDetector and others

Cloudflare has acknowledged there is an issue, and said “a fix is being implemented.” Some have reported being able to access Discord again already, but we’re still seeing plenty of error pages.

Cloudflare:

Cloudflare is investigating issues with Cloudflare Resolver and our edge network in certain locations.

Customers using Cloudflare services in certain regions are impacted as requests might fail and/or errors may be displayed.

Data Centers impacted include: SJC, DFW, SEA, LAX, ORD, IAD, EWR, ATL, LHR, AMS, FRA, CDG

Developing…



Samsung’s Galaxy Buds Live may include active noise cancellation

The text may also indicate they’ll include active noise cancellation (ANC), a first for Samsung’s Galaxy Buds lineup. If ANC is something these headphones feature, it will be interesting to see how they counteract ambient sounds without silicone ear tips; none of the leaked photos we’ve seen of the Galaxy Buds Live suggest they come with any kind of tips. That’s an important detail because nearly every pair of ANC in-ear headphones you can buy at the moment comes with silicone ear tips since they help create a physical seal between your ear and the outside world. It’s when you have that seal that the technology works best. 

There have been suggestions the Galaxy Buds Live will be as affordable as the $150 Galaxy Buds+. If they do end up coming with ANC, they’ll be very competitive against headphones like the $249 AirPods Pro and $239 Sony WF-1000XM3.  

Besides the clip, WalkingCat shared two official-looking images of the Galaxy Buds Live. The first gives us a look at the earbuds’ underside, something we hadn’t seen before. The other photo provides a sense of how the kidney-shaped headphones will look in your ears. In short, not a disaster. We expect Samsung will announce the Galaxy Buds Live alongside the Note 20 at its upcoming Unpacked event on August 5th.



Twitter’s Bitcoin hackers had almost limitless access

Just hackers burning up 0day like it’s a fire sale

Imagine getting the keys to the Twitter kingdom — access to all the account admin panels in the world. What would you do? You could grab high-value accounts and sell them on the black market. You could extract unimaginably valuable blackmail material from DMs. Or maybe you’d wait until an event like the upcoming US election to launch an evil plan of some kind.

But if you’re any kind of seasoned attacker, you wouldn’t blow your own cover by tweeting from the world’s biggest accounts — for a bitcoin scam. Sure, some have posited that the cryptocurrency spam tweets were a distraction for something bigger going on in the background. Maybe the attackers already did their sneaky stuff and are ready to do what’s called “burning your 0day.”

And boy, did they burn that perfectly good 0day hot, bright, and fast.

Twitter’s response — a worrying five hours later — was to do something few knew the company had the power to do: lock every verified account across the globe. Unfortunately this is akin to discovering a burglar is in your house because they started blasting music in your living room, and your response is to turn off all the lights.

Except freezing the “blue checks” is actually worse, because many essential emergency services around the world use Twitter as a critical communication channel. Like the National Weather Service, which found itself suddenly unable to tweet weather warnings.  

The account freezes appeared to be a decision governed by panic. Twitter seemed to have no idea what was happening or how to stop it. And wow, do we have questions about the who, what, why, and future implications of it all. 

In a tweet thread posted during and after the hack attack, Twitter wrote: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

The verified account freeze also impacted those users’ ability to reset their passwords.

Twitter bracketed the thread with a caveat that its investigation is “ongoing.”

Don’t worry, the rich celebrities will be okay

The compromised accounts included Jeff Bezos, Bill Gates, Elon Musk, Barack Obama, Apple, Kanye West, Joe Biden, Uber, Mike Bloomberg, Floyd Mayweather, Wiz Khalifa, and others. Twitter updated its ongoing incident report support thread Thursday evening to state that 130 accounts were affected by the attack.

The problem is that the tweets looked normal to anyone following Kanye or Elon Musk, who basically tweet out John McAfee-style crazy claptrap on the regular, and a significant number of people fell for the scam. As we reported yesterday, the haul equaled around $118,000 and “At the time of writing, all but $114 of that $118,000 haul has been transferred to other wallets.”

That’s a paltry amount of money, especially when, according to Glassdoor, the lower end of what most engineers at Twitter make is $131,403 a year. This was an intrusion with enormous impact, the potential for extreme scope, and a serious amount of damage.

You’d assume the attackers wanted more than what it takes to eat and sleep in the poor parts of San Francisco. But again, even though the attack began with a slightly different bitcoin scam, the perpetrators went public immediately, guaranteeing they’d be found out and shut down right away. 

Of course, one very strong possibility is that the attackers were just really bad at crime.

Many observers immediately assumed that these high-profile accounts must have lax security standards, or don’t have two-factor enabled. However, Reuters reported that “Several users with two-factor authentication — a security procedure that helps prevent break-in attempts — said they were powerless to stop it.”

Motherboard obtained anonymous comment from sources at Twitter who said the account takeovers were done via access to an internal account management tool; Vice published screenshots of the tool (while anyone on Twitter publishing the same screenshots got put in Twitter jail real quick).

If Twitter was trying to stop the spread of those images, this is the internet after all. They spread quickly to news sites and forums. The hack’s forbidden screencaps revealed the presence of “blacklist” buttons on individual account pages. Many now want to know, is that evidence of shadowban and blacklisting we see

Twitter users who work in and around human sexuality have for years made a case that they are being “shadowbanned” by Twitter, the practice of silencing accounts by hiding them in various ways. Only recently have far-right conspiracy theorists co-opted the shadowban concept to “play the [censorship] refs” in their favor. Now Twitter will be facing direct questions it has struggled to avoid confronting head-on.

When reached for comment about “blacklist” buttons seen on account pages in Twitter’s compromised management tool, the company’s spokesperson did not directly address the question. Instead, they said via email, “Since July 2018 we’ve made clear that we do not shadowban.”

Twitter’s rep included a boilerplate listing Twitter policy on Trends content inclusion and exclusion, content newsworthiness, trending topic hashtag exclusion policy, and search rules and restrictions.

A different source told Motherboard the allegedly compromised Twitter employee was paid for their participation in the low-rent bitcoin scheme. “A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool,” Vice wrote.

Since the tool allowed account management, this confirmed early speculation that the attackers not only had the ability to change account emails and reset passwords, but that it also granted them access to the targeted users’ direct messages (DMs). That is a breathtaking problem, considering that many people — including celebrities and politicians — don’t understand that Twitter DMs are not protected with end-to-end encryption, and are not particularly secure.

Senator Ed Markey (D-MA) addressed exactly that in a statement saying “Twitter must fully disclose what happened and what it is doing to ensure this never happens again.” This was in addition to Senator Josh Hawley (R-MO) firing off an angry letter to Jack Dorsey, and Senator Ron Wyden (D-OR) issuing a similar statement, adding “this is a vulnerability that has gone on too long.”

Which is an interesting point to make, if the “vulnerability” in question was a paid-off employee — the vulnerability was human. That means the attack wasn’t necessarily as technical as it was a pretty capital feat of social engineering. This would most likely be a quid pro quo social engineering attack, where the human vulnerability is offered something in exchange for the access, information, or credentials the attacker wants. 

It’s also plausible that the attacker used pretexting, where they pretend to be a person with a legitimate need for access, relying on the victim’s trust and gullibility. (“No, I swear, I really need to get in that server closet.”) Another possibility would be baiting, or a bait-and-switch in which the attacker might trick an employee into inserting a malicious USB stick or file into a computer to compromise it.

While this is certainly a huge black eye for Twitter, what might be more interesting to explore is what the attack tells us about who did this, and why. Which is something we’ll most likely find out, based on my colleague’s excellent point that bitcoin is not actually anonymous, and hiding the loot conversion trail is not trivial. Certainly not for hackers who decided to make what could have been the heist of the century into a clumsy bitcoin smash and grab — and didn’t even ban a single Nazi in the process.



The best deals we found this week: 16-inch MacBook Pro, Fitbit and more

Shop Fitbit’s summer sale

Buy Inspire HR at Amazon – $70

Buy Charge 4 at Amazon – $130

Buy Versa Lite at Amazon – $100

Apple MacBook Pro (16-inch)

Apple’s 16-inch MacBook Pro is $300 off at Amazon. That’s not quite the biggest deal we’ve seen, but it’s still a good price on Apple’s most expensive laptop. You’re getting a powerful machine in this laptop as it has an Intel Core i7 processor, 16GB of RAM, 512GB of storage and Radeon Pro 5300M graphics. We gave it a score of 90 in part for the power it provides at the starting price, as well as its comfortable Magic Keyboard, large Retina display and best-in-class speaker and mic combo. The only caveat is that if you don’t need to buy it immediately, you might want to wait and see if that earlier $400-off deal pops up again in the future.

Buy 16-inch MacBook Pro at Amazon – $2,099

Apple Watch Series 3

You can still get the Apple Watch Series 3 on Amazon at its lowest price ever, only $169. It may not be the newest Apple Watch, but the Series 3 is a more than capable wearable that does everything most people need a smartwatch to do, including all-day activity tracking, delivering smartphone alerts to your wrist and letting you interact with on-watch apps. The Series 3 also has a built-in heart rate monitor and GPS, both of which contribute to its excellent workout tracking abilities. We gave it a score of 82 when we first reviewed it thanks to all of those features plus its solid performance and good battery life. But if it were this inexpensive at launch, we probably would have awarded it an even higher score.

Buy Apple Watch Series 3 at Amazon – $169

Apple MacBook Air

The space gray model of the latest MacBook Air is on sale for $949 at Amazon — not the cheapest we’ve seen, but still $50 off its normal price. That’s a solid deal considering this model came out only a few months ago. It has a Core i3 processor, 8GB of RAM and 256GB of storage, as well as Apple’s new Magic Keyboard, which replaces the butterfly keys on the company’s older laptops. We gave the new MacBook Air a score of 87 thanks to this major improvement, plus its sharp Retina display and excellent trackpad. As with the MacBook Pro, just know that Amazon has offered it for as low as $899 — so if you don’t need to order immediately, you might be able to get a better deal in the future.

Buy MacBook Air at Amazon starting at $949

Amazon Echo Plus

The Echo Plus smart speaker is still on sale for $80, its lowest price ever, and you can get it bundled with a free Philips Hue smart light bulb at that same sale price, too. The Echo Plus is a good option for those that want to build a smart home since it has a Zigbee home hub built in. That means that any smart devices you get like light bulbs, door locks and more can connect directly to the Echo Plus — no additional hubs necessary. We gave the Echo Plus a score of 86 partially for this reason, but also for its much-improved audio quality and its new stereo audio feature.

Buy Echo Plus bundle at Amazon – $80

Amazon Echo Show 5 and Show 8

Both the Echo Show 5 and the Echo Show 8 remain discounted today. The Show 5 is on sale for $60 and the Show 8 is on sale for $90. While not the lowest prices ever on the two smart displays, these are solid deals for those who have an immediate need for an Echo device with a screen. The Echo Show 5 makes a good smart alarm clock thanks to its compact design and sunrise alarm feature, and the Echo Show 8 could be a capable kitchen display if you often follow along with recipe videos. Amazon’s small Echo Flex adapter is also on sale for $17.49, and it’s worth considering if you have a small room or a confined space in which you’d like to be able to call upon Alexa for help.

Buy Echo Show 5 at Amazon – $60

Buy Echo Show 8 at Amazon – $90

Buy Echo Flex at Amazon – $17.49

New deal additions

Sennheiser Momentum True Wireless Bluetooth Earbuds

Sennheiser’s first-generation Momentum True Wireless earbuds are on sale for $160, a significant discount from their original price of $300. Of course, it’s worth emphasizing that Sennheiser released an updated set of true wireless headphones earlier this year, so you’re not getting the latest. But at that price, you might be able to live with the design quirks we identified in our review. Despite some frustrating touch controls, the first-generation Momentum earbuds offered some of the best sound quality out there. The latest model has active noise canceling and improved battery life, but if you can live without that you’ll save a lot of money.

Buy Sennheiser Momentum earbuds at Amazon – $160

DJI Osmo Action

DJI’s Osmo Action camera is a worthy rival to the devices that GoPro has been making for years, and right now it’s on sale for $250 at both Amazon and Best Buy. When we reviewed the Osmo Action last year, we found it had a great combination of specs for the price point. One of its best features is a front-facing display to help frame yourself in a shot, and support for HDR video and excellent image stabilization help produce great results. It doesn’t have GPS on board, which is a bummer, but at this price we can forgive its omission.

Buy DJI Osmo Action at Amazon – $250

Buy DJI Osmo Action at Best Buy – $250

Follow @EngadgetDeals on Twitter for the latest tech deals and buying advice.


