A little after noon on Tuesday, Katelyn Bowden, an artist for hack.xxx and member of the hacker collective Cult of the Dead Cow, tweeted that there seemed to be a major internet outage afoot:
The tweet racked up 638 likes, more than 100 retweets and 18 quote tweets. The replies included jokes — “I’m sorry, I was just really desperate to get Taylor Swift tickets I’ll put the internet back now” — reply-guy mansplaining, and confirmations from multiple states. Before long, security researchers were trading information trying to figure out exactly what was happening.
It was the kind of information sharing that’s played out on Twitter for years that security companies and researchers sometimes rely on for their work and an example of what, for some, could be lost as the platform implodes under the rapid changes forced Elon Musk in the wake of his $44 billion takeover. Musk has reportedly fired half the company’s staff, botched product roll-outs, caused advertisers to hit pause, and pushed cuts to backend software that have caused significant problems, most notably with text-based multi-factor authentication.
The chaos has been good for short-term eyeballs, at least according to Musk, but has pushed a number high-profile security researchers to decamp or reduce their use of their Twitter accounts in ways they had before.
For years infosec Twitter has been a robust community, with all the ups and downs, quality and dreck, you’d find in any online space. Many have moved over to Mastadon, which offers a Twitter-like experience with notable differences by design.
“That’s where infosec is now,” Patrick Gray, the host of the Risky Business podcast, said on his show Wednesday. “It’s absolutely insane how quickly it happened.”
But some worry that the fracturing of infosec Twitter could have profound impacts on not only the community, but the vital exchange about the latest vulnerabilities, researchers’ techniques and tactics and the newest hacks that have collectively helped make the internet more secure — and the people on the frontlines of cybersecurity more informed.
The platform became a replacement for the often private and exclusive channels that security researchers previously relied on share information. Before Twitter, hackers formed communities via internet relay chats, mailing lists and messages boards. Twitter provided a public space where even anonymous researchers could inform other hackers and the public at large about new threats. But if there’s a significant exodus, that global megaphone for security researchers could soon vanish.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told CyberScoop that during last week’s Cyberwarcon conference, which brings threat researchers, government officials and others together to share the latest on high-end cyberespionage and threats, a presenter crystallized the problem.
“At the end of one presentation, the presenter shared a slide of 15 works cited as well as references,” DeGrippo said in an email. “She said, ‘I’ll share this list on Twitter later.’ The audience laughed uncomfortably, acknowledging that Twitter was the default sharing vehicle for high value intelligence and information security data — and was likely no longer reliable.”
Information security professionals, DeGrippo said, are constantly sharing information on Twitter. “It is the most used, visible, timely place to exchange and find information. Many threat actors directly drop vulnerabilities and data breach alerts on twitter or others drop it for them.” Additionally, “multiple tools in infosec engineering teams are set up to comb Twitter for IOCs and new vulnerability data so it can be actioned immediately. There are many organizations with automated workflows based on Twitter intel alerting.”
DeGrippo initially shared her concerns in a Nov. 11 tweet:
Replies poured in. While some were skeptical — “We’re all here in this industry because we’re great at finding information” one user said — many felt the same way DeGrippo did.
It’s not just longtime Twitter users’ nostalgia and overwrought angst, as some have claimed. The platform’s real-time information security utility was reflected in the July 11, 2022, Cyber Safety Review Board report on the Log4j open-source vulnerability, first exposed in December 2021.
“Many interviewed stakeholders indicated one of their earliest, if not their first, notifications of the vulnerability came from social media platforms, especially Twitter, where the broader security community shared vulnerability information and emerging indicators of compromise (IOC),” the report said. “Individual accounts also shared exploitation variants, obfuscation and defense evasion techniques, and other trends to enable responders to adjust defensive measures and deter potential attacks. Multiple interviewees told the Board that Twitter was a valuable resource for global events of this type.”
The NSA and the FBI tweeted about Log4j vulnerabilities, and so did Rob Joyce, head of the NSA’s Cybersecurity Directorate.
Major incidents will still get around as quickly as they need to, Amitai Ben Shushan Ehrlich, a threat researcher with SentinelLabs told CyberScoop.
“I still think when something big happens all the big sec companies hurry to push a blog around it, so it will still be available for those who are into it,” he said. “I think the small things will be the ones affected the most, like those tiny incidents or cool research that gets some attention only because it’s passed between researchers on Twitter. The big things not so much.”
Time will tell the full scope the impact “Twitter 2.0” will have on the infosec community. But some may choose to go down with the proverbial ship.
Tonya Riley contributed reporting for this article.