Was Rep. Weiner’s Account Hacked? The Question is Irrelevant
Slate’s Christopher Beam has an article today titled, “Weinergate: Was Anthony Weiner’s Twitter account hacked? The evidence for and against.”
And this is emblematic of the rest of the media, because Beam is totally missing a crucial point — there was absolutely no need to “hack” Rep. Weiner’s account. As we demonstrated beyond a shadow of a doubt yesterday, it’s possible to send a picture to a user’s yfrog account and at the same time post an automatic tweet on Twitter, without ever hacking into an account. This is possible because of yfrog’s MMS posting feature, which is indisputably insecure.
I should say it was possible, because in a clear sign that yfrog knows they have a problem, they’ve now disabled the MMS posting feature completely.
And the simple fact is that yfrog’s email “secret codes” are extremely easy to guess; they’re based on a limited set of characters, and as “ElCapitanAmerica” demonstrated, duplicates occur quite frequently.
Some right wingers trying to keep the attack on Weiner alive have said that yfrog “locks out” accounts after three tries, but they’re simply making this up. The only way they could possibly know that is if they actually tried it themselves. And what “account” could be locked? These attempts would be semi-random — it would not be possible to tie them to a specific account with certainty. So yfrog could very easily lock out the wrong user, and that doesn’t seem like a very sound strategy, does it?
In any case, it isn’t possible to test this now because as mentioned above, yfrog has disabled this feature. But before the feature went away, ElCapitanAmerica did try more than three false account attempts — and there was no lock-out.
Auto-locking an account after a certain number of tries is a technique used to prevent password-guessing scripts, but this is not even close to the same thing. When a script is trying to guess someone’s password it will use the same username repeatedly, and only vary the password — so it’s a simple matter to discern which account is under attack. And even if this technique is used, the account would only be locked for a few minutes, to prevent inconveniencing legitimate users who make mistakes. Yfrog is not a bank; it would be counter-productive in the extreme for them to use these kinds of ultra-secure techniques.
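To make the distinction above concrete, here is an added illustration (not the LGF code referred to in this post, and not anything from yfrog) of the kind of temporary per-account lockout described: failures are counted against a specific username, a handful of failures inside a short window locks that username for a few minutes, and a guess that names no account at all has nothing to lock. The class name, thresholds and sample timestamps are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque


class AccountLockout:
    """Temporary per-account lockout (hypothetical example).

    After `max_failures` failed attempts against one account within
    `window_seconds`, that account is locked for `lock_seconds`.  The lock is
    deliberately short so a legitimate user who mistypes is only briefly
    inconvenienced, as the post describes.
    """

    def __init__(self, max_failures=3, window_seconds=60, lock_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account, now=None):
        """True while the account's lock has not yet expired."""
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start the failure count afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now=None):
        """Record one failed attempt; return True if this attempt triggers a lock.

        `account` is None when the attempt does not identify any account
        (for instance a guessed code with no username attached).  There is
        nothing to count against, so no lock can be applied.
        """
        now = time.time() if now is None else now
        if account is None:
            return False
        if self.is_locked(account, now):
            return True
        attempts = self._failures[account]
        attempts.append(now)
        # Drop failures older than the counting window.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            attempts.clear()
            return True
        return False

    def record_success(self, account):
        """A successful login resets the failure count for that account."""
        self._failures.pop(account, None)


def demo():
    """Walk through the two cases the post contrasts (constructed timestamps)."""
    policy = AccountLockout(max_failures=3, window_seconds=60, lock_seconds=300)
    # Password guessing: same username, varying passwords -> easy to lock.
    results = [policy.record_failure("alice", t) for t in (0, 1, 2)]
    locked_now = policy.is_locked("alice", 2)
    unlocked_later = not policy.is_locked("alice", 302)
    # Semi-random guesses that name no account: nothing to lock.
    anonymous = policy.record_failure(None, 0)
    return results, locked_now, unlocked_later, anonymous


if __name__ == "__main__":
    print(demo())
```

The third failure against "alice" within the window locks that account; the lock lapses after `lock_seconds`, and attempts that carry no account identifier are simply not counted, which is the point the post makes about yfrog's codes.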
Note that I’m not just making this stuff up; I’ve written code to defeat password-guessing scripts, right here at LGF.
Why are the media ignoring this strongly exculpatory evidence, and continuing to focus on the likelihood of “hacking” Rep. Weiner’s password? Is this too technical for them to understand?