[liberationtech] when you are using Tor, Twitter will blocked your acc
Travis Biehn
tbiehn at gmail.com
Sun Jun 8 16:33:23 PDT 2014
If you have a heuristic used to apply additional scrutiny to traffic coming
from certain locations you shouldn't have:
IF it's from a bad source AND it's not in the whitelist of allowed bad
sources...
Treat them as possibly malicious and handle it like risky traffic: Throw
difficult captchas at your users and don't deny login or require password
changes.
Let users turn off logic for IP-based 'hack' attempt detection.
-Travis
On Sun, Jun 8, 2014 at 5:58 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> I've had my twitter account locked half a dozen times (web client,
> using Tails) in the last few weeks. It seems to be some new security
> heuristic where one is still able to login to change the password but
> the account is locked from generating new public (or DM) events.
>
> It is a super annoying "security feature" to say the least.
>
> I think some Twitter security folks are on this list - if so, I'd love
> to discuss the issue in detail. It seems like the issue is when Tor
> circuits rotate. So when I've logged in from say, a US Tor exit node,
> all is fine. After a while, I'll be exiting the Tor network through
> Germany. It appears that say, over the course of a day, I'll jump
> through ten countries. At some point, Twitter decides that this is
> abuse or evidence of hacking or something. It doesn't appear to know
> that I'm using Tor though. So while actually, I'm just consistently
> using Tor, the GeoIP is constantly rotating. I suspect this is what
> trips the security feature in question.
>
> It would be nice if Twitter was a bit more intelligent about Tor
> usage. I wrote the BulkExitList feature on check.torproject.org for
> Wikipedia. They ironically use it to block edits from Tor. Twitter
> could use that export of data or a similar one to have a list of all
> current (updated per hour with the network consensus) exit nodes and
> then do something better than Wikipedia.
>
> All the best,
> Jacob
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>
--
Twitter <https://twitter.com/tbiehn> | LinkedIn
<http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn>
| TravisBiehn.com <http://www.travisbiehn.com> | Google Plus
<https://plus.google.com/+TravisBiehn>
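The two suggestions in this thread, collapsing known Tor exits into one stable origin (Jacob's exit-list idea) and answering a suspicious pattern with a captcha instead of a lock, with a per-user off switch (Travis's rule), fit together in a few dozen lines. The following is an added example, not code from the thread, from Twitter, or from the Tor Project. It assumes the bulk exit list is plain text with one exit IP per line and "#" comment lines; the IPs, the GeoIP table and the MAX_ORIGINS threshold are constructed sample values (RFC 5737 documentation addresses), not real exit nodes.

```python
"""Added example: a location heuristic that recognises Tor exits as one
origin ('tor') instead of a stream of rotating GeoIP countries, and that
escalates to a captcha challenge rather than an account lock.
All exit-list and GeoIP data below is constructed sample data."""
from collections import deque
from datetime import datetime, timedelta

# Constructed stand-in for the text served by the bulk exit list on
# check.torproject.org (assumed format: one exit IP per line, '#' comments).
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real consensus export
192.0.2.10
198.51.100.20
203.0.113.30
"""

# Constructed GeoIP table. The three exits sit in different countries, as the
# thread describes; the remaining addresses are ordinary (non-Tor) clients.
SAMPLE_GEOIP = {
    "192.0.2.10": "US",
    "198.51.100.20": "DE",
    "203.0.113.30": "SE",
    "192.0.2.200": "US",
    "198.51.100.201": "FR",
    "203.0.113.202": "JP",
}


def parse_exit_list(text):
    """Turn the exit list text into a set of IP strings, skipping comments."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(line)
    return exits


def origin_of(ip, exits, geoip):
    """Collapse every Tor exit to the single origin 'tor', so circuit
    rotation does not look like one user hopping through ten countries."""
    if ip in exits:
        return "tor"
    return geoip.get(ip, "unknown")


class AccountRisk:
    """Tracks the distinct origins one account used in a sliding window."""
    WINDOW = timedelta(hours=24)
    MAX_ORIGINS = 2   # assumed threshold; tune from your own abuse data

    def __init__(self, exits, geoip, ip_detection_enabled=True):
        self.exits = exits
        self.geoip = geoip
        self.ip_detection_enabled = ip_detection_enabled  # user opt-out switch
        self.events = deque()  # (timestamp, origin), oldest first

    def record(self, ip, when):
        self.events.append((when, origin_of(ip, self.exits, self.geoip)))
        cutoff = when - self.WINDOW
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def distinct_origins(self):
        return {origin for _, origin in self.events}

    def decide(self, ip, when):
        """Return 'allow' or 'challenge'. The heuristic never returns 'lock':
        a suspicious-looking session gets a captcha, not a locked account."""
        self.record(ip, when)
        if not self.ip_detection_enabled:
            return "allow"
        if len(self.distinct_origins()) > self.MAX_ORIGINS:
            return "challenge"
        return "allow"


def simulate(ips, exits, geoip, ip_detection_enabled=True):
    """Feed a sequence of login IPs one minute apart; return the decisions."""
    acct = AccountRisk(exits, geoip, ip_detection_enabled)
    start = datetime(2014, 6, 8, 12, 0)
    return [acct.decide(ip, start + timedelta(minutes=i))
            for i, ip in enumerate(ips)]


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    tor_user = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.10"]
    # With the exit list: every login is origin 'tor', so no challenge.
    print(simulate(tor_user, exits, SAMPLE_GEOIP))
    # Without it (empty set): the same user looks like US -> DE -> SE and
    # trips the heuristic on the third login, which is the thread's complaint.
    print(simulate(tor_user, set(), SAMPLE_GEOIP))
```

Running the same four logins with and without the exit list is the whole argument of the thread in miniature: the user's behaviour is identical, only the classifier's view of "location" changes. In production the exit set would be refreshed from the consensus export on the hourly cadence Jacob mentions, and the opt-out flag would be a per-account setting.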