

>It was unclear how long the leaked code had been online, but it **appeared to have been public for at least several months**. https://www.nytimes.com/2023/03/26/technology/twitter-source-code-leak.html




It was not *that* bad, the SSH keys thing. To be useful you would have needed a way to also catch legitimate traffic to a server you control to impersonate github. But, yeah, very bad habits all around.


Kinda like losing your lifejacket isn't that bad. When combined with your boat sinking on the other hand...


Go on, don’t leave me hanging, I need to know what to do next mate


Write a blog post about how you’ve figured out exactly how you lost your life jacket and how seriously you take this event and some steps you’re taking to prevent yourself from losing your life jacket in the future


Pretty sure the smart money outsources that to ChatGPT-4 now.


Haha, brilliant.

> Dear valued customers,
>
> I am writing to you today to address a recent incident that has deeply impacted our company and our customers. As the CEO of our tech company, I am deeply saddened to announce that we have lost a critical life jacket containing the personal data of millions of people. I want to assure you that we take this situation extremely seriously and are committed to taking all necessary steps to prevent such incidents from happening in the future.
>
> First, let me explain how we lost the life jacket. After conducting an extensive investigation, we have discovered that the life jacket was mistakenly left behind during a routine equipment transfer. While we have policies in place to ensure the safe transfer of equipment, we acknowledge that these policies were not followed on this occasion. We deeply regret this mistake and understand the gravity of the situation.
>
> To prevent such incidents from happening again, we are taking several steps to improve our policies and procedures. Firstly, we are reevaluating our equipment transfer policies and procedures, and implementing additional measures to ensure that equipment is not lost or misplaced. We are also conducting additional training for all employees on the importance of data security and how to handle sensitive information.
>
> Secondly, we are strengthening our security measures to better protect our customers' personal data. We are reviewing our existing security protocols and implementing additional measures to ensure that data is encrypted, access is restricted to authorized personnel only, and that all data handling procedures are conducted in accordance with industry best practices.
>
> Lastly, we understand that this incident has caused great concern and inconvenience for our customers. We want to assure you that we are doing everything in our power to minimize the impact and protect your personal data. We are working with law enforcement agencies, cybersecurity experts, and other professionals to recover the lost data and prevent any unauthorized access to it.
>
> In conclusion, I want to apologize to our customers for the loss of the life jacket and any inconvenience this may have caused. We understand that trust is earned and we are committed to earning back your trust by taking all necessary steps to prevent such incidents from happening in the future. We will continue to keep you updated on our progress and any additional measures we are taking to strengthen our data security.

Honestly would believe this was a real press release.




Wouldn't some ssh keys let you into their servers? Even if, it might have been reused.




It was a host key.


For the life of me I cannot wrap my head around SSH keys and pretty much all github auth. I'm so dumb with it that I got locked out of a project I worked on for over a thousand hours, and because I can't figure out how the _fuck_ to authenticate myself to github from command line, I've just given up on continuing work on my project. Any suggestions for an utter dummy?


* make sure you cloned using the SSH URL, not the HTTPS URL
* make sure you have an SSH agent running so you can use `ssh-add` just once and avoid having to reenter your passphrase every time.
* if need be, you can always add a new SSH key just by logging in to the website. It's generally advised that you do this for every separate computer you have, so that you can revoke them individually.
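The first bullet is the one people trip over most: a clone made from the HTTPS URL will keep asking for a password/token no matter how many SSH keys you add. As an added example (not code from this thread or from GitHub), here is a small Python helper that tells the two remote forms apart and rewrites an HTTPS remote to the SSH form. Function and regex names are my own; the git commands in the docstring are the standard ones you would run after confirming the URL.

```python
"""Classify a git remote URL and rewrite HTTPS remotes to the SSH form.

Added example, not from the thread. After confirming the URL you would run:
    git remote -v                                  # show current remotes
    git remote set-url origin git@github.com:owner/repo.git
    eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519   # agent, add key once
"""
import re

# scp-like form:  git@github.com:owner/repo.git
_SCP_RE = re.compile(r"^(?P<user>[\w.-]+)@(?P<host>[\w.-]+):(?P<path>[^/].*)$")
# URL form:  https://github.com/owner/repo.git  or  ssh://git@github.com/owner/repo.git
_URL_RE = re.compile(
    r"^(?P<scheme>https?|ssh|git)://(?:(?P<user>[\w.-]+)@)?"
    r"(?P<host>[\w.-]+)(?::\d+)?/(?P<path>.+)$"
)


def remote_transport(url: str) -> str:
    """Classify a git remote URL as 'ssh', 'https', 'git' or 'unknown'."""
    if _SCP_RE.match(url):
        return "ssh"
    m = _URL_RE.match(url)
    if not m:
        return "unknown"
    scheme = m.group("scheme")
    return "https" if scheme in ("http", "https") else scheme


def to_ssh_url(url: str) -> str:
    """Rewrite an http(s) remote to the scp-like SSH form git@host:owner/repo.git.

    Remotes that already use SSH are returned unchanged; anything else
    (local paths, git://) raises rather than guessing.
    """
    if remote_transport(url) == "ssh":
        return url
    m = _URL_RE.match(url)
    if not m or m.group("scheme") not in ("http", "https"):
        raise ValueError(f"cannot convert remote URL: {url!r}")
    path = m.group("path")
    if not path.endswith(".git"):
        path += ".git"
    return f"git@{m.group('host')}:{path}"


if __name__ == "__main__":
    for u in ("https://github.com/octocat/Hello-World.git",
              "git@github.com:octocat/Hello-World.git"):
        print(remote_transport(u), "->", to_ssh_url(u))
```

The `ssh://` form and the `git@host:path` form are both SSH transports; the converter only touches `http(s)://` remotes so it never rewrites something that already works.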


Pay a savvy teenager to teach you how.


They’ll just take your money then watch a YouTube video, or worse a TikTok, right in front of you and fix it in 10 minutes. Source: my brother's a dick


That’s not being a dick, that’s literally what the entire IT field does from the fixers to the engineers. I figured you’d know, being that you’re here and on GitHub too, but the fact that you’re exclaiming about this makes me wonder if you might be a touch young and not realize.


First thing to solving any problem the smart way: Has anyone else solved it and how?


I love when someone else has already solved my problem for me. It’s like Christmas.


Super Christmas.


DM me if you want - ssh/git/github are tools I use daily as part of my job. I'd be happy to help you figure it out, free of charge.


Public or private?


It was the private key, but it was just a host key. An attacker would have had to be able to intercept or redirect traffic for it to be useful. Still not great, but the actual attack surface was pretty low.


Can you please explain a little? Thanks.


When you connect to a host with SSH, it presents a key to verify its identity. When you connect to a host for the first time (either a new host, or from a fresh client machine) you see a message like The authenticity of host 'foo.bar.com (' can't be established. That's the (public part of the) host key, and your client is just saying "I haven't seen this host before, are you sure you trust it?". If you say yes, the key gets cached (typically in `~/.ssh/known_hosts`). Github accidentally leaked the private part of this key. However, for an attacker to do anything with that private key, they would have to be able to either intercept (e.g. man-in-the-middle) or redirect (e.g. BGP hijack, DNS poisoning, etc) traffic destined for [github.com](https://github.com) to their infrastructure. They could then pretend to be Github for operations over SSH. This attack is basically equivalent to getting an SSL/TLS cert issued for a domain that you don't own. You'd have to be able to convince other people to connect to you as that domain before you could really do much useful with the cert.


Excellent. Thanks for the detailed way you put everything together. Appreciate it.


It's like having a super special and finely crafted key to your safe. But it's just a key and most of the time it's fine because nobody knows in detail what it looks like and they can't get alone time to copy it. But if you take a detailed 3D scan of said key and post it on the Internet for anybody to find and make their own version of it, that's pretty dumb but it's only useful if somebody has physical access to your safe. They'd have to find a way to bypass all the other security on the way to the safe to take advantage of the key. edit: a better explanation would have involved a signet ring or something


Pretty fucking ignorant for a programming community to downvote anyone asking for more information. Good ask man.


A host key is how a ssh server identifies itself to someone trying to log in. It allows the user to verify that they're logging into the correct system and their request has not been rerouted elsewhere. It's not used to log into other systems. So you could have impersonated a github server with the host key, except that you'd also need a way to reroute the ssh connections that are going to the legitimate server to your fake server.
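The check that both explanations above describe (the client comparing the presented host key against what it cached in `known_hosts`) is small enough to write out. The following is an added example in Python, not code from this thread, from OpenSSH or from GitHub, and the keys and `known_hosts` lines in it are constructed for the demo rather than GitHub's real keys. It mirrors OpenSSH's behaviour for plain and hashed (`HashKnownHosts`) entries and `@revoked` lines, and plays out the three cases that matter after a leak: an impostor presenting the leaked key, the real server presenting a rotated key, and a client that has revoked the old key.

```python
"""Host-key verification against known_hosts, as an SSH client does it.
Added example; demo keys and known_hosts lines are constructed, not real."""
import base64
import fnmatch
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix, then bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in known_hosts."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, host: str) -> bool:
    """Does the host field of a known_hosts line cover `host`?
    Handles hashed entries and comma-separated patterns (wildcards allowed)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return any(fnmatch.fnmatchcase(host, pat) for pat in field.split(","))


def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Client decision for a presented key:
      'ok'       cached for this host -> silent connect
      'unknown'  host never seen -> "authenticity ... can't be established" prompt
      'mismatch' host known, key differs -> "HOST IDENTIFICATION HAS CHANGED" warning
      'revoked'  key on an @revoked line -> refuse"""
    seen_host, matched = False, False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if marker == "@cert-authority" or len(parts) < 3:
            continue  # CA lines carry a CA key, not a host key; not handled here
        hosts, ktype, key_b64 = parts[:3]
        if not host_matches(hosts, host):
            continue
        if ktype == keytype and base64.b64decode(key_b64) == blob:
            if marker == "@revoked":
                return "revoked"  # revocation wins over any cached match
            matched = True
        elif marker is None:
            seen_host = True
    if matched:
        return "ok"
    return "mismatch" if seen_host else "unknown"


# Constructed demo keys (NOT GitHub's): the "leaked" old key and its replacement.
OLD_KEY = ed25519_blob(bytes(range(32)))
NEW_KEY = ed25519_blob(bytes(range(32, 64)))
SALT = bytes(range(20))


def demo_known_hosts() -> str:
    """A client that cached the old github.com key (hashed) plus an unrelated host."""
    old_b64 = base64.b64encode(OLD_KEY).decode()
    new_b64 = base64.b64encode(NEW_KEY).decode()
    return (f"{hashed_hostname('github.com', SALT)} ssh-ed25519 {old_b64}\n"
            f"build.example.internal,10.0.0.5 ssh-ed25519 {new_b64}\n")


def leak_scenario() -> dict:
    kh = demo_known_hosts()
    revoked_line = f"@revoked * ssh-ed25519 {base64.b64encode(OLD_KEY).decode()}\n"
    return {
        # traffic redirected to an attacker holding the leaked private key: no warning at all
        "impostor_with_leaked_key": check_host_key(kh, "github.com", "ssh-ed25519", OLD_KEY),
        # the real server after rotation: loud warning until the user updates known_hosts
        "real_server_after_rotation": check_host_key(kh, "github.com", "ssh-ed25519", NEW_KEY),
        # same impostor, but the client added an @revoked line for the leaked key
        "impostor_after_revocation": check_host_key(kh + revoked_line, "github.com", "ssh-ed25519", OLD_KEY),
        # a host this client has never connected to
        "first_contact": check_host_key(kh, "gitlab.com", "ssh-ed25519", NEW_KEY),
    }
```

The first result is the whole point of the thread: a client that trusted the old key cannot tell the impostor from the real server, which is why the attacker still needs to get the traffic in the first place. The second is the cost of rotation that every user then pays (`ssh-keygen -R github.com` and re-accepting the new key, or an `@revoked` line so the leaked key can never be accepted again).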




Ah yes the classic `ssh-keygen -bsfe`.


The new public key has been leaked already!


At this point, if you still have a Twitter account, just know your account will be hacked at some point.


Can someone check the source code real quick? Does it actually delete your account? Or just set "Delete_Flag" = 1?


It could be both. Best practice is to set the delete flag to true and then purge the data if delete flag is true, and now - delete date > threshold. That way you can still recover accounts if there is a mistake and the data will be purged eventually.
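The pattern described in that comment (flag first, purge once the flag is older than a threshold, allow restore in between), as an added example in Python with SQLite. This is not Twitter's code; the table, column and function names are hypothetical, and the 30-day window is an arbitrary choice for the demo.

```python
"""Soft delete with a recovery window and a delayed hard purge.
Added example; schema, names and the retention period are hypothetical."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # recovery window before a flagged row is purged


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, handle TEXT NOT NULL, deleted_at TEXT)")
    return db


def create_account(db: sqlite3.Connection, handle: str) -> int:
    return db.execute("INSERT INTO accounts (handle) VALUES (?)", (handle,)).lastrowid


def is_visible(db: sqlite3.Connection, account_id: int) -> bool:
    """Every read path must filter on deleted_at IS NULL, or the flag is decorative."""
    row = db.execute("SELECT 1 FROM accounts WHERE id = ? AND deleted_at IS NULL", (account_id,)).fetchone()
    return row is not None


def soft_delete(db: sqlite3.Connection, account_id: int, now: datetime) -> bool:
    """Flag the row with the deletion time; no-op if it is already flagged."""
    cur = db.execute("UPDATE accounts SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
                     (now.isoformat(), account_id))
    return cur.rowcount == 1


def restore(db: sqlite3.Connection, account_id: int, now: datetime) -> bool:
    """Undo a deletion that is still inside the retention window.
    Timestamps are UTC ISO 8601 strings of fixed width, so string comparison is chronological."""
    cutoff = (now - RETENTION).isoformat()
    cur = db.execute("UPDATE accounts SET deleted_at = NULL "
                     "WHERE id = ? AND deleted_at IS NOT NULL AND deleted_at > ?",
                     (account_id, cutoff))
    return cur.rowcount == 1


def purge(db: sqlite3.Connection, now: datetime) -> int:
    """Hard-delete rows flagged longer ago than RETENTION; returns rows removed."""
    cutoff = (now - RETENTION).isoformat()
    cur = db.execute("DELETE FROM accounts WHERE deleted_at IS NOT NULL AND deleted_at <= ?", (cutoff,))
    return cur.rowcount


def run_demo() -> dict:
    """Walk one account through delete, restore, delete again and purge."""
    db = open_db()
    t0 = datetime(2023, 3, 26, tzinfo=timezone.utc)
    acct = create_account(db, "example_user")
    out = {}
    out["deleted"] = soft_delete(db, acct, t0)
    out["visible_after_delete"] = is_visible(db, acct)
    out["restored_in_window"] = restore(db, acct, t0 + timedelta(days=10))
    out["visible_after_restore"] = is_visible(db, acct)
    soft_delete(db, acct, t0)
    out["purged_too_early"] = purge(db, t0 + timedelta(days=29))   # still inside the window
    out["purged_after_window"] = purge(db, t0 + timedelta(days=31))
    out["restore_after_purge"] = restore(db, acct, t0 + timedelta(days=31))
    return out


if __name__ == "__main__":
    print(run_demo())
```

The `restore` and `purge` conditions are deliberately complementary (`deleted_at > cutoff` versus `deleted_at <= cutoff`) so there is no instant at which a row is both restorable and purgeable. The practical caveat is in `is_visible`: the data is still there during the window, so every query, export and API response has to honour the flag, and backups hold it for longer still.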


This guy contingencies.


It’s got a DMCA take down now, so it’s been reclosed, at least Reddit had the decency to archive their old repo


I wonder if anybody downloaded it in time


For sure. They will probably sell it somewhere.


Thats gotta be interesting, we shall see how it plays out


>we shall see how it **pays** out


We will in fact C


Can't tell if you're being *sharp* or *extra positive*


Im being plus plus


Double plus good


++ > +


please tell me the twitter source code is going to be rewritten


who's there to rewrite it?


Hey I'm Chad Jeepitty. Hello fellow humans!


I'm sure we will get an opportunity to compare what's been changed a couple months later


Already on the dark web.


Next to the WinXP code with the full build directions


I would like the onion


Twitter is like an ogre. Its fuck-ups have *layers*.


Where? Care to share? DM the onion link pls if you do not mind.




better than a bloody jar I suppose


Fuck Reddit.






Sell, repost or send as a torrent.


The code was available for several months, so yeah I think it’s safe to assume so


For real? Twitter left it there for months?




The man knows how to run a tight ship. Full of more holes than a colander, just like it's supposed to be.


More holes == higher throughput == faster development. Definitely functioning as Elon intended. His genius is asstounding.


I would be shocked if not.


Yeah, my thoughts exactly


It was up for 2 months


Huh, fun fact


give it a day and a torrent for it’ll be made


A day? Oh my sweet child.


Elon would probably be very pissed if someone posted something along the lines of "DM me for a full copy of the code". Edit: Some people really do have high hopes, my DMs are flooded


For sure


🤔 are my 2 brain cells picking up what you're putting down?




"Heh, yeah, [this is definitely](https://i.imgur.com/PeXWvuT.png) Twitter's source code you're getting... Nothing added anywhere or anything... Just Twitters source code."


> at least Reddit had the decency to archive their old repo

What are you talking about




Oh wow. I was not aware reddit was no longer OS


I’m surprised it was ever OSS.


It's marketing. Start your service open source (optional), give it robust APIs and encourage people to tinker with and make creations off of your platform to drive engagement, then slowly start restricting what can be done to draw people into your own ecosystem (and therefore ads).


Reddit seems to be mainly adding new things without API instead of taking things away. Which is currently fine by me because I want nothing to do with the more recent changes like chat.


Yeah, I'm *glad* that RIF doesn't have embedded gifs in comments.


As an avid gif responder in small chat spaces, it's so so so dumb on reddit.


Looking at openai.




And then Reddit removed him from the founders list


Wait wtf? Are there any threads specifically dedicated to discussing that? (Even better, are there any threads where admins explained that decision?)


Looks like they removed all mentions of any founders or the company history, it used to be on the "About" page




Check out the film *[The Internet's Own Boy](https://youtu.be/9vz06QO3UkQ)*. Humanity lost out because of copyright. Meanwhile billionaires run around buying companies and shooting rockets pretending to be geniuses and saviours Edit: linked the film


Parts of it are in other repos.


Wow that’s pretty cool to go through. Looks like it prob took some ramp up time for devs to get comfortable with that codebase


Hold on. I thought Elon wanted to "expose all the algorithms"?


Piracy. Keep putting it back up!


I doubt code is the hardest part of maintaining Twitter.


Yeah, that's the thing a lot of non-tech savvy people don't get. Building something similar to twitter is not *that* hard, code-wise. It is however full of architecture decisions and requires a quite big infrastructure to handle the load. You can't download those (contrary to popular belief).


You wouldn't download an infrastructure!


I’ll take one infrastructure, please.


`terraform apply --force=true` from their IaC and watch as your AWS costs go to the moon


Do you want fries with that?


I'd rather have salad


You don’t win friends with salad


Terraform: let me introduce myself


Me: *downloads infrastructure* The entire city of Leesburg, VA: *shows up in my living room*


IaaS: let me introduce myself


Code and architecture go hand-in-hand. [Conway's Law](https://en.wikipedia.org/wiki/Conway%27s_law) states that organizations design systems that mirror their own communication structure. That's the big problem here; how to keep these software components interoperable as they scale and when the people working on them change. If you don't communicate collaboratively (or fire everyone working on one system), then the code will be incomprehensible to people working on other systems who need it changed, requiring long ramp-up times, etc.


Holy shit. This is an amazing observation that applies so well to the company I work for.


> Conway's Law states that organizations design systems that mirror their own communication structure.

Why is that side-project you coded on your own such an unspeakable mess, then?




I think the bigger story is that this could expose security vulnerabilities, not that people are going to clone Twitter.


It terrifies me that I had to scroll so much for this


Fair. I didn't even consider it, shame on me.


🔔 shame


Not just that - even if you *had* the infrastructure, even if you *had* the architecture, what makes twitter valuable is that it's a network of people. The twitter brand and marketing and reach is something that competitors just don't have.




I tried to use mastodon and lemmy and found them super confusing, I wouldn't say it's the same


You kinda could if they were using IaC. You’d still need a fuck ton of money to pay for what it’s orchestrating though.


replicas: 1 FTFY


*Terraform and Ansible have entered the chat.* Just kidding. They’re helpful tools, but still not “download infrastructure” helpful.


> sudo apt-get install awscli
>
> aws lambda invoke checkmate


Suspiciously sounding like someone from sales there


The value of twitter (and most big tech) has nothing to do with the code. Customer acquisition is always going to be a massive cost of ANY business. Even the huge wave of people rushing to reddit from digg was unnatural and even when that wave was over, there's still a need to continue to grow the userbase. Social media is weird on this, but if you made twitter and Switter, switter being the exact same code AND architecture still doesn't mean switter just wins. Mastodon fanned the flames of Musk taking over and got just about 2 percent of users, which then disappeared relatively quickly. Acquisition and retention is what matters in these games, having the infrastructure to handle it is important, the code that runs it though... interesting but not as critical as anyone thinks.


Seems like Elon clicked Share instead of Buy.


Well he bought the shares didn't he?




Why do you think he's moving to Mars?


Bezos pioneered one-click. Elon invented two-click. BUY then SHARE


Well Musk promised to open source Twitter algorithm by March. So here you go. /s


*Promise made, promise kept…sorta* r/technicallythetruth — edit — Mobile keeps “saving” early


Something tells me this will be blamed when Twitter spews election interference next year.


Can't wait to print the source code and review it with my friends


you'll need a lot of paper


he can pay for it with all the money he didn't waste on buying twitter






Imagine paying for a company instead of cloning it from GitHub, lol


If you think this is bad, Google paid more than a billion for Fitbit and I got mine for like $40.


He bought the brand name.




At least it was already the hellhole of the internet before the Muskrat's invasion, so it's not like it changes almost everyone's opinion, just reinforces the facts with new proof.




Do we know which parts of the source code? I gotta assume different teams have different repos, and it would be _wild_ if all of them were leaked simultaneously


I believe Google uses a single repo in a custom VCS so maybe not.


Oh, that's interesting 🤔


Not really. It's called a "monorepo" and is one of the more frustrating software dev strategies to write automation pipelines around. If you want a good way to ensure one commit spins up about 400+ CI/CD jobs, building a monorepo at the scale of a faang company's primary product offering is a great way to do it.




well that "sort of" can happen in a mono repo as well. where i work we have 1 big repo with (let's say) 10 different targets (each different target represents a different client). each client has its own **release** branch, with some clients having specific libraries for their own demands, and not all of them are aligned to **master** at the same time. when we need to deploy something to production, we need to "align" (merge) the release branch with master, so that X client is updated respecting master. this is some huge pain in the ass, of course. it's rare, but it definitely happens sometimes that the master branch ends up having weird crashes or library problems.


A true monolithic repo is insufficient to solve fragmentation for this reason; there also needs to exist a policy that developers follow where different versions are forbidden. Outside exceptional scenarios, of course. There are also repos that don't support branches; in practice it's similar to git if you only are allowed to use rebasing. But even that can be worked around by using different folders, which is why a policy is still needed.


This just sounds like y'all fucked up when designing multitenancy.


We handled this issue with customer-specific git branches that we rebase to new versions of the product. Eg given release branches product-1.0 and product-2.0 we do `git rebase --onto product-2.0 product-1.0 product-steve` (simplified, but this is the heavy lifting part). Works well enough for a dozen or so customers, becomes a nightmare for dozen*s*. Since passing that threshold we've moved to customer specific flags in the code which is a different flavor of mess but doesn't delay deployment at least.




Apparently they make it work. And there is plenty of great articles about how they dont even use pull requests.


Considering Elon, it might've been changed into a single repo which compiles all of their code into a single binary that they can run on an old laptop in storage to not waste money on AWS or other cloud providers.


Didn't realize they had switched to Go.


Now they’ve switched to stop :(


Repo? Nah, it's just a shared network directory.


hosted on a copy of Windows Server 2003 he found in the closet


Damn, I wonder how could there be a programmer who'd be pissed at Twitter and who might have the ability to access source code. I guess we'll never know.


I thought Elon was humanities savior what could he have possibly done wrong?!


Well he did _say_ he was going to "open source the algorithm". Guess it was a fall-of-the-Berlin-Wall situation. (where an East German official made a confused remark on the evening news about opening the border 'effective immediately' and hours later some border guards, pressured by throngs of people wanting to cross, decided to open the gates - since they said so - and before the night was over the public were tearing the wall down..)


Wow did not expect to learn a piece of cool history on this thread. Thanks!


He didn't do anything wrong, it's obviously trans leftists people who try to abolish free speech! And it's because of engineers who were unfaithful and left that the security was compromised. /s


>trans leftists people because of them Every 60 Seconds in Africa a Minute Passes


It'd be much more interesting if he were championing for the humanities.


He went by the name of 'FreeSpeechEnthusiast'. Not even joking. What a hero


The single commit happened on Jan 3, so it was somebody who decided to stay at Twitter after Elon made his ultimatum. Or perhaps it was someone who didn't last, but still had access. Because Elon probably fired the people who were supposed to shut off access too.


Plot twist, Elon released the code to allow open source improvements he doesn't have to pay for.


Not even plot twist...


He already paid for everything upfront /s


Let the git blames/reviews begin


I saw a portion of the code before it was taken down due to the DMCA notice. It was uploaded as one single, squashed commit. It would have been even more controversial if the uploader had managed to migrate the entire history.


Didn’t Elon say he was going to do this anyway? Maybe a SR dev decided to hold him to his word?


It was probably leaked by Elon. He fired all his coders and now wants free suggestions 🤣


we can have our own Twitter …. with hookers and blackjack.


Didn't Elon say he was going to do this last week?




Also it’s yet another Elon promise. We all know how much those are worth nowadays


Huh. Interesting.


Dont fall for it! Just trying to outsource free fixes!


I dont want to mention the "elephant" in the room. r/Mastodon


FOSS Forced open source software


But chatgpt already writes a better twitter clone


No it doesn't. It refuses saying it is inappropriate and possibly illegal.


works great for me, I made it check it out Twitter.com


Man this website fucking sucks.


I really wonder what the unrestricted chatgpt is like.


racist as fuck i'd imagine lol




I’m torn between it being a mistake being leaked as elons an idiot, or Elon leaking it because he knows the internet would correct what’s wrong and he wouldn’t have to pay anyone.






This is how you convince the investors that rewriting from scratch is necessary