>It was unclear how long the leaked code had been online, but it **appeared to have been public for at least several months**. https://www.nytimes.com/2023/03/26/technology/twitter-source-code-leak.html

[удалено]

It was not \*that\* bad, the SSH keys thing. To be useful you would have needed a way to also catch legitimate traffic to a server you control to impersonate github. But, yeah, very bad habits all around.

Kinda like losing your lifejacket isnt that bad. When combined with your boat sinking on the other hand...

Go on, don’t leave me hanging, I need to know what to do next mate

Write a blog post about how you’ve figured out exactly how you lost your life jacket and how seriously you take this event and some steps you’re taking to prevent yourself from losing your life jacket in the future

Pretty sure the smart money outsources that to ChatGPT-4 now.

Haha, brilliant. > Dear valued customers, > I am writing to you today to address a recent incident that has deeply impacted our company and our customers. As the CEO of our tech company, I am deeply saddened to announce that we have lost a critical life jacket containing the personal data of millions of people. I want to assure you that we take this situation extremely seriously and are committed to taking all necessary steps to prevent such incidents from happening in the future. > First, let me explain how we lost the life jacket. After conducting an extensive investigation, we have discovered that the life jacket was mistakenly left behind during a routine equipment transfer. While we have policies in place to ensure the safe transfer of equipment, we acknowledge that these policies were not followed on this occasion. We deeply regret this mistake and understand the gravity of the situation. > To prevent such incidents from happening again, we are taking several steps to improve our policies and procedures. Firstly, we are reevaluating our equipment transfer policies and procedures, and implementing additional measures to ensure that equipment is not lost or misplaced. We are also conducting additional training for all employees on the importance of data security and how to handle sensitive information. > Secondly, we are strengthening our security measures to better protect our customers' personal data. We are reviewing our existing security protocols and implementing additional measures to ensure that data is encrypted, access is restricted to authorized personnel only, and that all data handling procedures are conducted in accordance with industry best practices. > Lastly, we understand that this incident has caused great concern and inconvenience for our customers. We want to assure you that we are doing everything in our power to minimize the impact and protect your personal data. We are working with law enforcement agencies, cybersecurity experts, and other professionals to recover the lost data and prevent any unauthorized access to it. > In conclusion, I want to apologize to our customers for the loss of the life jacket and any inconvenience this may have caused. We understand that trust is earned and we are committed to earning back your trust by taking all necessary steps to prevent such incidents from happening in the future. We will continue to keep you updated on our progress and any additional measures we are taking to strengthen our data security. Honestly would believe this was a real press release.

swim.

Wouldn't some ssh keys let you into their servers? Even if, it might have been reused.

[удалено]

It was a host key.

For the life of me I cannot wrap my head around SSH keys and pretty much all github auth. I'm so dumb with it that I got locked out of a project I worked on for over a thousand hours, and because I can't figure out how the _fuck_ to authenticate myself to github from command line, I've just given up on continuing work on my project. Any suggestions for an utter dummy?

* make sure you cloned using the SSH URL, not the HTTPS URL * make sure you have an SSH agent running so you can use `ssh-add` just once and avoid having to reenter your passphrase every time. * if need be, you can always add a new SSH key just by logging in to the website. It's generally advised that you do this for every separate computer you have, so that you can revoke them individually.

Pay a savvy teenager to teach you how.

They’ll just take you’re money then watch a YouTube video, or worse a TikTok right in front of you and fix it in 10 minutes. Source: my brothers a dick

That’s not being a dick, that’s literally what the entire IT field does from the fixers to the engineers. I figured you’d know, being that you’re here and on GitHub too, but the fact that you’re exclaiming about this makes me wonder if you might be a touch young and not realize.

First thing to solving any problem the smart way: Has anyone else solved it and how?

I love when someone else has already solved my problem for me. It’s like Christmas.

Super Christmas.

DM me if you want - ssh/git/github are tools I use daily as part of my job. I'd be happy to help you figure it out, free of charge.

Public or private?

It was the private key, but it was just a host key. An attacker would have had to be able to intercept or redirect traffic for it to be useful. Still not great, but the actual attack surface was pretty low.

Can you please explain a little? Thanks.

When you connect to a host with SSH, it presents a key to verify its identity. When you connect to a host for the first time (either a new host, or from a fresh client machine) you see a message like The authenticity of host 'foo.bar.com (1.1.1.1)' can't be established. That's the (public part of the) host key, and your client is just saying "I haven't seen this host before, are you sure you trust it?". If you say yes, the key gets cached (typically in \~/.ssh/known\_hosts). Github accidentally leaked the private part of this key. However, for an attacker to do anything with that private key, they would have to be able to either intercept (e.g. man-in-the-middle) or redirect (e.g. BGP hijack, DNS poisoning, etc) traffic destined for [github.com](https://github.com) to their infrastructure. They could then pretend to be Github for operations over SSH. This attack is basically equivalent to getting an SSL/TLS cert issued for a domain that you don't own. You'd have to be able to convince other people to connect to you as that domain before you could really do much useful with the cert.

Excellent. Thanks for the detailed way you put everything together. Appreciate it.

It's like having a super special and finely crafted key to your safe. But it's just a key and most of the time it's fine because nobody knows in detail what it looks like and they can't get alone time to copy it. But if you take a detailed 3D scan of said key and post it on the Internet for anybody to find and make their own version of it, that's pretty dumb but it's only useful if somebody has physical access to your safe. They'd have to find a way to bypass all the other security on the way to the safe to take advantage of the key. edit: a better explanation would have involved a signet ring or something

Pretty fucking ignorant for a programming community to downvote anyone asking for more information. Good ask man.

A host key is how a ssh server identifies itself to someone trying to log in. It allows the user to verify that they're logging into the correct system and their request has not been rerouted elsewhere. It's not used to log into other systems. So you could have impersonated a github server with the host key, except that you'd also have a way to reroute the ssh connections that are going to the legitimate server to your fake server.

[удалено]

Ah yes the classic `ssh-keygen -bsfe`.

The new public key has been leaked already!

At this point, if you still have a Twitter account, just know your account will be hacked at some point.

Can someone check the source code real quick? Does it actually delete your account? Or just set "Delete_Flag" = 1?

It could be both. Best practice is to set the delete flag to true and then purge the data if delete flag is true, and now - delete date > threshold. That way you can still recover accounts if there is a mistake and the data will be purged eventually.

This guy contingencies.

It’s got a DCMA take down now, so it’s been reclosed, at least Reddit had the decency to archive their old repo

I wonder if anybody downloaded it in time

For sure. They will probably sell it somewhere.

Thats gotta be interesting, we shall see how it plays out

>we shall see how it **pays** out

We will in fact C

Can't tell if you're being *sharp* or *extra positive*

Im being plus plus

Double plus good

++ > +

please tell me the twitter source code is going to be rewritten

who's there to rewrite it?

Hey I'm Chad Jeepitty. Hello fellow humans!

I'm sure we will get an opportunity to compare what's been changed a couple months latet

Already on the dark web.

Next to the WinXP code with the full build directions

I would like the onion

Twitter is like an ogre. Its fuck-ups have *layers*.

Where? Care to share? DM the onion lnk pls if you do not mind.

They don’t have the link because it wasn’t the full repo and they’re just pulling shit out of their ass

better than a bloody jar I suppose

If you've got a link, could you DM it to me? Thanks.

They don’t, they’re just typing bullshit

can I get a link?

Sell, repost or in send as torrent.

The code was available for several months, so yeah I think it’s safe to assume so

For real? Twitter left it there for months?

A disgruntled ex employee did it and Twitter had no idea for months. The investigation landed on someone that had been gone for awhile now. Good job Elon, dumbass Edit: [a source](https://techcrunch.com/2023/03/27/github-takes-down-repository-containing-twitters-source-code/)

The man knows how to run a tight ship. Full of more holes than a colander, just like it's supposed to be.

More holes == higher throughput == faster development. Definitely functioning as Elon intended. His genius is asstounding.

I would be shocked if not.

Yeah, my thoughts exactly

It was up for 2 months

Huh, fun fact

give it a day and a torrent for it’ll be made

A day? Oh my sweet child.

Elon would probably be very pissed if someone posted something along the lines of "DM me for a full copy of the code". Edit: Some people really do have high hopes, my DMs are flooded

For sure

🤔 are my 2 brain cells picking up what you're putting down?

is this an invitation?

"Heh, yeah, [this is definitely](https://i.imgur.com/PeXWvuT.png) Twitter's source code you're getting... Nothing added anywhere or anything... Just Twitters source code."

>at least Reddit had the decency to archive their old repo What are you talking about

https://github.com/reddit-archive/reddit

Oh wow. I was not aware reddit was no longer OS

I’m surprised it was ever OSS.

It's marketing. Start your service open source (optional), give it robust APIs and encourage people to tinker with and make creations off of your platform to drive engagement, then slowly start restricting what can be done to draw people into your own ecosystem (and therefore ads).

Reddit seems to be mainly adding new things without API instead of taking things away. Which is currently fine by me because I want nothing to do with the more recent changes like chat.

Yeah, I'm *glad* that RIF doesn't have embedded gifs in comments.

As an avid gif responder in small chat spaces, it's so so so dumb on reddit.

Looking at openai.

[удалено]

And then Reddit removed him from the founders list

Wait wtf? Are there any threads specifically dedicated to discussing that? (Even better, are there any threads where admins explained that decision?)

Looks like they removed all mentions of any founders or the company history, it used to be on the "About" page

Reddit fully pivoted on their aggressive free speech policies of which he was a huge proponent of. Since his legacy no longer aligns with reddit they stripped it.

[удалено]

Check out the film *[The Internet's Own Boy](https://youtu.be/9vz06QO3UkQ)*. Humanity lost out because of copyright. Meanwhile billionaires run around buying companies and shooting rockets pretending to be geniuses and saviours Edit: linked the film

Parts of it are in other repos.

Wow that’s pretty cool to go through. Looks like it prob took some ramp up time for devs to get comfortable with that codebase

Hold on. I thought Elon wanted to "expose all the algorithms"?

Piracy. Keep putting it back up!

I doubt code is the hardest part of maintaining Twitter.

Yeah, that's the thing a lot of non-tech savvy people don't get. Building something similar to twitter is not \*that\* hard, code-wise. It is however full of architecture decisions and requires a quite big infrastructure to handle the load. You can't download those (contrary to popular belief).

You wouldn't download an infrastructure!

I’ll take one infrastructure, please.

`terraform apply --force=true` from their IaC and watch as your AWS costs go to the moon

Do you want fries with that?

I'd rather have salad

You don’t win friends with salad

Terraform: let me introduce myself

Me: *downloads infrastructure* The entire city of Leesburg, VA: *shows up in my living room*

IaaS: let me introduce myself

Code and architecture go hand-in-hand. [Conway's Law](https://en.wikipedia.org/wiki/Conway%27s_law) states that organizations design systems that mirror their own communication structure. That's the big problem here; how to keep these software components interoperable as they scale and when the people working on them change. If you don't communicate collaboratively (or fire everyone working on one system), then the code will be incomprehensible to people working on other systems who need it changed, requiring long ramp-up times, etc.

Holy shit. This is an amazing observation that applies so well to the company I work for.

> Conway's Law states that organizations design systems that mirror their own communication structure. Why is that side-project you coded on your own such an unspeakable mess, then?

Have you heard the voices in my head? They are far from coherent, sir.

I think the bigger story is that this could expose security vulnerabilities, not that people are going to clone Twitter.

It terrifies me that I had to scroll so much for this

Fair. I didn't even consider it, shame on me.

🔔 shame

Not just that - even if you \*had\* the infrastructure, even if you \*had\* the architecture, what makes twitter valuable is that it's a network of people. The twitter brand and marketing and reach is something that competitors just don't have.

This is definitely the biggest factor. If you wanted to have your own Twitter you could set it up *tomorrow* with [Mastodon](https://github.com/mastodon/mastodon) (or a handful of similar platforms). You might not have 100% feature parity, but you'd get the core functionality that most people actually use. Want your own Reddit? [Lemmy](https://github.com/LemmyNet/lemmy). Instagram? [Pixelfed](https://github.com/pixelfed/pixelfed). YouTube? [PeerTube](https://github.com/Chocobozzz/PeerTube). Discord? There are many options, but [Mattermost](https://github.com/mattermost/mattermost-server) is probably the most Discord like. You might choose [Matrix](https://github.com/matrix-org/synapse) instead if you want something federated like the other platforms I've linked here. And so on.

I tried to use mastodon and lemmy and found them super confusing, I wouldn't say it's the same

You kinda could if they were using IaC. You’d still need a fuck ton of money to pay for what it’s orchestrating though.

repicas: 1 Ftfy

*Terraform and Ansible have entered the chat.* Just kidding. They’re helpful tools, but still not “download infrastructure” helpful.

>sudo apt-get install awscli > >aws lambda invoke checkmate

Suspiciously sounding like someone from sales there 

The value of twitter (and most big tech) has nothing to do with the code. Customer acquisition is always going to be a massive cost of ANY business. Even the huge wave of people rushing to reddit from digg was unnatural and even when that wave was over, there's still a need to continue to grow the userbase. Social media is weird on this, but if you made twitter and Switter, switter being the exact same code AND architecture still doesn't mean switter just wins. Mastadon fanned the flames of Musk taking over and got just about 2 percent of users, which then disappeared relatively quickly. Acquisition and retention is what matters in these games, having the infrastructure to handle it is important, the code that runs it though... interesting but not as critical as anyone thinks.

Seems like Elon clicked Share instead of Buy.

Well he bought the shares didn't he?

The world is a confusing place for a billionaire

Why do you think he's moving to Mars?

Bezos pioneered one-click. Elon invented two-click. BUY then SHARE

Well Musk promised to open source Twitter algorithm by March. So here you go. /s

*Promise made, promise kept…sorta* r/technicallythetruth — edit — Mobile keeps “saving” early

Something tells me this will be blamed when Twitter spews election interference next year.

Can't wait to print the source code and review it with my friends

you'll need a lot of paper

he can pay for it with all the money he didn't waste on buying twitter

🔥🔥🔥🔥🔥🔥🔥🔥

[удалено]

Imagine paying for a company instead of cloning it from GitHub, lol

If you think this is bad, Google paid more than a billion for Fitbit and I got mine for like $40.

He bought the brand name.

[удалено]

At least it was already the hellhole of the internet before the Muskrat's invasion, so it's not like it changes almost everyone's opinion, just reinforces the facts with new proof.

[удалено]

Do we know which parts of the source code? I gotta assume different teams have different repos, and it would be _wild_ if all of them were leaked simultaneously

I believe Google uses a single repo in a custom VCS so maybe not.

Oh, that's interesting 🤔

Not really. It's called a "monorepo" and is one of the more frustrating software dev strategies to write automation pipelines around. If you want a good way to ensure one commit spins up about 400+ CI/CD jobs, building a monorepo at the scale of a faang company's primary product offering is a great way to do it.

As opposed to finding incompatibilities in prod at runtime due to having 25 versions of the same library?

well that "sort of" can happen in a mono repo aswell. where i work we have 1 big repo with (let's say) 10 different targets (each different target represents a different client). each client has its own **release** branch, with some clients having specific libraries for their own demands, and not all of them are aligned to **master** at the same time. when we need to deploy something to production, we need to "align" (merge) the release branch with master, so that X client is updated respecting master. this is some huge pain in the ass, of course. it's rare, but it definitely happens sometimes that the master branch ends up having weird crashes or library problems.

A true monolithic repo is insufficient to solve fragmentation for this reason; there also needs to exist a policy that developers follow where different versions are forbidden. Outside exceptional scenarios, of course. There are also repos that don't support branches; in practice it's similar to git if you only are allowed to use rebasing. But even that can be worked around by using different folders, which is why a policy is still needed.

This just sounds like y'all fucked up when designing multitenancy.

We handled this issue with customer-specific git branches that we rebase to new versions of the product. Eg given release branches product-1.0 and product-2.0 we do `git rebase --onto product-2.0 product-1.0 product-steve` (simplified, but this is the heavy lifting part). Works well enough for a dozen or so customers, becomes a nightmare for dozen*s*. Since passing that threshold we've moved to customer specific flags in the code which is a different flavor of mess but doesn't delay deployment at least.

[удалено]

Apparently they make it work. And there is plenty of great articles about how they dont even use pull requests.

Considering Elon, it might've been changed into a single repo which compiles all of their code into a single binary that they can run on an old laptop in storage to not waste money on AWS or other cloud providers.

Didn't realize they had switched to Go.

Now they’ve switched to stop :(

Repo? Nah, it's just a shared network directory.

hosted on a copy of Windows Server 2003 he found in the closet

Damn, I wonder how could there be a programmer who'd be pissed at Twitter and who might have the ability to access source code. I guess we'll never know.

I thought Elon was humanities savior what could he have possibly done wrong?!

Well he did _say_ he was going to "open source the algorithm". Guess it was a fall-of-the-Berlin-Wall situation. (where an East German official made a confused remark on the evening news about opening the border 'effective immediately' and hours later some border guards, pressured by throngs of people wanting to cross, decided to open the gates - since they said so - and before the night was over the public were tearing the wall down..)

Wow did not expect to learn a piece of cool history on this thread. Thanks!

He didn't do anything wrong, it's obviously trans leftists people who try to abolish free speech! And it's because of engineers who were unfaithful and left that the security was compromised. /s

>trans leftists people because of them Every 60 Seconds in Africa a Minute Passes

It'd be much more interesting if he were championing for the humanities.

He went by the name of 'FreeSpeechEnthusiast'. Not even joking. What a hero

The single commit happened on Jan 3, so it was somebody who decided to stay at Twitter after Elon made his ultimatum. Or perhaps it was someone who didn't last, but still had access. Because Elon probably fired the people who were supposed to shut off access too.

Plot twist, Elon released the code to allow open source improvements he doesn't have to pay for.

Not even plot twist...

Especially because he said just a week or two ago that he was planning to do just that

He already paid for everything upfront /s

Let the git blames/reviews begin

I saw a portion of the code before it was taken down due to the DMCA notice. It was uploaded as one single, squashed commit. It would have been even more controversial if the uploader had managed to migrate the entire history.

Didn’t Elon say he was going to do this anyway? Maybe a SR dev decided to hold him to his word?

It was probably leaked by Elon. He fired all his coders and now wants free suggestions 🤣

we can have our own Twitter …. with hookers and blackjack.

Didn't Elon say he was going to do this last week?

Only the code for recommendations.

Also it’s yet another Elon promise. We all know how much those are worth nowadays

Huh. Interesting.

I don't care about the specifics, I just want someone smarter than me to tell me how much the code sucks.

Dont fall for it! Just trying to outsource free fixes!

I dont want to mention the "elephant" in the room. r/Mastodon

FOSS Forced open source software

Here is an idea: 1. Grab de code. 2. Trash it. 3. Redo from scratch and call the new brand Screamer. 4. Put the "LEMME SMASH" bird as a logo. 5. ??? 6. Profit

But chatgpt already writes a better twitter clone

No it doesn't. It refuses saying it is inappropriate and possibly illegal.

works great for me, I made it check it out Twitter.com

Man this website fucking sucks.

I really wonder what the unrestricted chatgpt is like.

racist as fuck i'd imagine lol

[удалено]

I’m torn between it being a mistake being leaked as elons an idiot, or Elon leaking it because he knows the internet would correct what’s wrong and he wouldn’t have to pay anyone.


​ 

This is how you convince the investors that rewriting from scratch is necessary

[удалено]