This week on Gadget Lab, WIRED security writer Lily Hay Newman joins the show to talk about what could happen if Twitter gets breached by hackers.

Read Lily’s story about the problems with Twitter’s SMS two-factor authentication. Read all of WIRED’s recent Twitter coverage.

Lily recommends Wicked protein bars, specifically the maple flavor. Lauren recommends Andy Greenberg’s book Tracers in the Dark. (WIRED has published a few excerpts.) Mike recommends the show The Sandman on Netflix.

Lily Newman can be found on Twitter @lilyhnewman. Lauren Goode is @LaurenGoode. Michael Calore is @snackfight. Bling the main hotline at @GadgetLab. The show is produced by Boone Ashworth (@booneashworth). Our theme music is by Solar Keys.

You can always listen to this week’s podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how: If you’re on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts, and search for Gadget Lab. If you use Android, you can find us in the Google Podcasts app just by tapping here. We’re on Spotify too. And in case you really need it, here’s the RSS feed.

Michael Calore: Lauren.

Lauren Goode: Mike.

Michael Calore: Lauren, have you tried to download your Twitter archive yet?

Lauren Goode: No, because in the words of the poet Mary Oliver, “When the time comes to let it go, you just have to let it go.” You just have to tweet like your life depends on it, hold it close to you, and then let it go.

Lauren Goode: I had this thought recently when I was at Blackwater Pond.

Michael Calore: Really? You went to Blackwater Pond?

Lauren Goode: I was. I was actually there. But no, I guess if I’m being truthful, as a journalist and as a professional keeper of the historical record, I probably should download my archive. Have you done it yet?

Michael Calore: Not in years, no.

Lauren Goode: Have you deleted all of your super secret DMs on Twitter?

Michael Calore: I’ve deleted some of them, but I’m not sure that I actually deleted them.

Lauren Goode: OK. We need to talk about this.

[Gadget Lab intro theme music plays]

Michael Calore: Let’s do it. Hi, everyone. Welcome to Gadget Lab. I am Michael Calore. I’m a senior editor at WIRED.

Lauren Goode: And I’m Lauren Goode. I’m a senior writer at WIRED.

Michael Calore: We are also joined by WIRED security writer Lily Hay Newman. Hi, Lily. Welcome back.

Lily Hay Newman: Hello. Thanks for having me.

Michael Calore: As always, it’s a pleasure to have you here. So look, we know we’ve been talking about Twitter a lot on the show recently, and sure, we are journalists and journalists are obsessed with Twitter. But for today’s show, we want to talk about Twitter one more time, but specifically because Twitter is currently suffering some security issues that have wide implications. Since the new boss over there, Elon Musk, laid off roughly 3,700 employees two weeks ago, many people have been keeping close watch over Twitter to see what kind of chaos might erupt. Security professionals and data privacy wonks are watching, and they’re probably sighing a lot, but hackers and attackers and scammers are circling the platform as well. Lily, it is always fun to have you on the show, even if, when you’re here, we always end up talking about these doom and havoc situations. But I guess the first question about the security situation at Twitter we have to ask you is this: what is going on inside the company that we know? With the recent layoffs and resignations, how stretched is Twitter’s security staff?

Lily Hay Newman: Yes. This is an important question, and there isn’t a ton that we know super specifically, but first of all, half of the workforce was laid off. We just know that broadly. We know that Elon Musk currently is actually encouraging even more people to leave if they’re not willing to commit to a super intense, work-all-the-time approach. They have until today, I believe, Thursday, to consent to Mega Death Twitter or something. We’ve also seen Musk conduct public firings via tweets, just in recent days. And two and a half weeks ago or so, at the beginning of this whole regime change, we saw Musk broadly fire many executives of the company or have them step down, including some who work on privacy and trust and identity issues within the company. So just all of that paints a picture of an internal situation where there just aren’t probably going to be enough warm bodies to do everything that was happening a month ago. For security, that’s always a big issue because security is all about monitoring, it’s all about constant vigilance, always improving, always investing more. So this is just a climate that is not going to be conducive to strong cybersecurity defenses broadly.

Lily Hay Newman: Right. Certainly, I don’t, at least, have a sense in the new world order of anything about team structures or things like that—of how many resources and how many people are going to be dedicated to those things. Keep in mind that IT is also a highly intersecting department with security in any organization, and things can be structured differently at different places. But just running an organization’s devices and servers correctly is a security issue inherently.

Michael Calore: Speaking of that, we’ve already seen some things break down from the outside, right? Earlier this week, there was an issue with the SMS two-factor authentication system on Twitter.

Lily Hay Newman: Yeah. I did a story about how users were reporting that they couldn’t receive authentication codes for logging in or for things like downloading their Twitter archive. They couldn’t receive those codes via SMS, and when we tested it internally at WIRED, not everyone was having the problem, but some of us were. In one case, someone received a code on a delay—they got the SMS text message many hours later, which was strange. The Twitter comms department is currently either nonexistent or much reduced, so there isn’t a good way to get official comment right now about these types of things. So we don’t even have a clear sense of how those texts get sent or used to be sent—or is it an integration with a third-party service, as is often the case, where another company will provide the SMS infrastructure? Or is it something Twitter does in-house? Who knows? I also took one for the team, meaning all of you listeners and WIRED readers out there, and tweeted at Musk directly to ask him—

Lauren Goode: I was going to ask if you had done this yet. OK.

Lily Hay Newman: Yeah. I am clearly still on the podcast to tell the tale. So I’m doing all right, thanks for checking in, but I didn’t get a reply because there’s just so many pressing issues for him to tweet about right now.

Lauren Goode: Are you telling us that Elon has not yet fired you from WIRED? He does not yet have the ability to do that?

Lily Hay Newman: Someone did note that perhaps I would cause a real problem by causing him to acquire WIRED just so he could fire me. So hopefully, that does not happen.

Lauren Goode: In all the futures I’ve envisioned for WIRED, I have to say being owned by Elon Musk was not one of them.

Lauren Goode: Is it a nightmare or a dream?

Michael Calore: Well, no comment.

Lauren Goode: If Musk sent out a missive to the WIRED folks right now and is like, “Are you hardcore or are you not?” What would you do?

Michael Calore: I would take the severance.

Lauren Goode: OK. Fair enough.

Michael Calore: I talked to my union rep.

Lauren Goode: Yeah. Oh, there you go. Well played. Well played. OK. So we have seen a breakdown in SMS two-factor authentication. We’ve also seen some big entities affected by this new verification scheme, which keeps changing because some people have been creating fake accounts but getting blue checks, which make them look valid or legit. And then they’re tweeting things that are affecting, say, the share price of giant pharmaceutical companies. What’s the worst-case scenario for a really, really major security meltdown though, rather than a verification meltdown? Are all of our DMs exposed? Is our personal and private info used to hack us across other websites? Is there a heightened conflict across nation states? What’s really the worst-case scenario here?

Lily Hay Newman: There are a few things that I think we should talk about. Certainly, one of them is a massive data breach. The data that Twitter holds, they don’t have social security numbers or government identification information. They don’t have health records broadly. They don’t have financial data broadly, though people who signed up for Twitter Blue, I guess, needed to provide a credit card to do that, so they have those numbers. But they still have a lot of information about all their users. So as you said, the contents of direct messages are not end-to-end encrypted and are therefore accessible and could be compromised in a data breach. They have phone numbers, email addresses, things like that. And then also, the social graph of who has communicated with whom over the years and who people associate with, that type of information can be really sensitive and is a privacy issue, especially for users who are activists, journalists, dissidents, and operate in countries under repressive regimes. There can be very real safety issues to having social media data out publicly. But then also, as always, identity theft, harassment, any personal details that cybercriminals can get about people can fuel digital crime and scams, so all the data that would be in a massive Twitter breach has implications in that sense. But then there’s a lot of other types of things to think about if we really want to get into worst-case scenario, and we’re not saying that this has happened or there’s evidence that this is happening. But if we view Twitter as being very much in chaos or in crisis and that we’re just thinking here about things that could emerge out of that, the Twitter app is a trusted app on users’ phones if they’ve downloaded it. A rogue entity that compromises Twitter’s infrastructure could, at least for a brief period, potentially weaponize the Twitter app to do bad things. As you said, verification gets into these questions about account takeovers. That’s already been a problem for Twitter in the past. So I think it’s just conceptually the idea that there’s both the data and there’s the trusted infrastructure, and either could be compromised. What’s interesting about doing this thought experiment is that this isn’t just true of Twitter, this is true of any entity that has centralized a lot of our data and where we trust their software on our devices, things like that. This type of digital infrastructure can be weaponized. It’s not uniquely a Twitter thing.

Lauren Goode: On that uplifting note.

Michael Calore: Yeah.

[Break]

Michael Calore: All right. Lily, as you’ve mentioned, Twitter is in this vulnerable position right now. So as users of Twitter, how worried should we be about our accounts getting taken over or getting locked out or our DMs being exposed?

Lily Hay Newman: Well, I really don’t want to flip anyone out because there’s no special knowledge here, we’re all just hanging out, chatting. I don’t know that there is a totally looming, tomorrow-type threat, but I think the big concern and the reason we’re doing this thought experiment is, again, the chaos and confusion of this moment within the company definitely has the potential to create even more vulnerability and expose things even more.

Lauren Goode: So I’m really curious about DMs, in particular. When you go to delete a DM on Twitter, you get a pretty clear message that says it’s been deleted for you but it hasn’t been deleted for the person or people on the other end of that message thread. Twitter also notoriously doesn’t have end-to-end encrypted messaging. It seems like it’s pretty insecure as far as those things go. Lily, how exactly does that work? Is there any way to actually delete your Twitter DMs?

Lily Hay Newman: So it’s a very good question. I do not know the answer, and I don’t think the answer is really known, partly because of the comms department breakdown in this current moment, but partly, it’s been unclear for a long time. I think people have been asking this for a long time. I also have been trying to ask Twitter about this for a while. Your best shot is to get yourself and the other party or parties that were in the chat to all delete the messages in question so it’s deleted on all the ends, as we call it. Whether or not that actually results in Twitter on its own servers permanently deleting the data after a period of time we just don’t know, and I don’t think anyone has been able to find out.

Lauren Goode: Mm-hmm.

Michael Calore: Right.

Lauren Goode: That’s incredibly reassuring. Yeah. I think 70 percent of my DMs are probably, “Hi! It was really nice to meet you at fill-in-the-blank conference. Let’s stay in touch,” and then that was seven years ago.

Michael Calore: And they never wrote back.

Lauren Goode: Or they did and then we were like, “Yeah. Let’s stay in touch,” and then maybe, I don’t know, you see them in another conference three years later. I don’t think I have a lot of stuff in DMs, but Elon Musk owns our DMs now, folks.

Michael Calore: Yeah. It is sobering to think about. I know that when you delete your account, when you say, “I would like to not have a Twitter account anymore” and you delete everything, if you don’t log in for 30 days, the company says that it’s going to erase all of your information, which includes your DMs, all your tweets, all your profile information, all your location information, and your social graph, like who your friends were on Twitter. But that’s what they say, we don’t really know what their actual data retention practices are. We just know what their data retention policies are.

Lily Hay Newman: Yeah. That’s a really important thing to point out because Twitter’s policy on account deactivation says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated. Once permanently deactivated, all information associated with your account is no longer available in our production tools.”

Lauren Goode: What does that mean?

Lily Hay Newman: So the word delete never once is there.

Michael Calore: Right.

Lauren Goode: It’s no longer available—

Michael Calore: In our production tools.

Lauren Goode: Wow. I’m going to say that next time I delete somebody’s number, “They are no longer available in my contact tools.”

Lily Hay Newman: In my production tool. Someone also pointed out to me that 30 days is actually not enough time to comply with all the data retention requirements that companies like Twitter would be under. They’re not required to keep data forever, but Twitter may have data retention obligations that go beyond 30 days, which would also make that whole thing confusing or indicate that deactivation is not the same as deletion.

Lauren Goode: Separate but related to my question about deleting DMs. In the past, both Jack Dorsey and Elon Musk have talked about creating some kind of end-to-end encryption messaging system for Twitter. What’s the status of that?

Lily Hay Newman: Yes. I don’t know the current status of that.

Lauren Goode: Once again, Elon has not responded to your tweet.

Lily Hay Newman: Right. Though to be fair, I did not specifically tweet at him about that in the recent past. But yeah, I mean, people have said for a while that it might be coming. I support it any time. It’s great. I think as many apps and services as possible as can roll out end-to-end encryption should. It feels to me like right now would not be the moment when Twitter could actually deploy that even if there’s already been a bunch of work on it. But like I said, would love to be wrong and for them to release it at any time, it is possible. It’s just like Twitter, in this moment of crisis, probably wouldn’t be trusted as much.

Michael Calore: So for the people with their finger on the pulse of what’s going on at Twitter, a lot of them are just adopting a wait-and-see attitude. Some people are leaving, they’re going to Mastodon. Most Twitter users are just continuing to use Twitter as normal, which is to be expected and is fine. It’s what happens whenever there’s big upheaval. Political intrigue inside of a company doesn’t necessarily trickle down to everybody who is a customer of that company. But what are you doing, Lily? Are you panicking? Are you leaving? Are you hanging out to watch what happens?

Lily Hay Newman: When you said finger on the pulse, I thought you were going to say finger on the trigger. OK. Yes, I have not left Twitter. So my first thought is that I haven’t changed a ton about how I’m using Twitter yet. Definitely, don’t leak things that are damaging to Elon Musk to journalists on Twitter DM. Do leak things that are going to be illustrative of what’s going on inside the company to journalists on more secure platforms, such as Signal, but don’t create new problems for yourself. What’s done is done. What you were DMing about that’s embarrassing in 2013 or whatever, it is what it is, but I would be extra vigilant now about not generating new privacy issues for yourself in Twitter DMs or private tweets and things like that. Personally, I would not have signed up for Twitter Blue in recent weeks, or in the past week, whenever that briefly happened. First of all, because I personally didn’t want to or see benefits doing it, but second, because I wouldn’t have wanted to provide more data to Twitter in order to do it, so that’s one thing. Something I haven’t personally done but that you could do if you want to be more paranoid or more aggressive about insulating yourself from risk of potential fallout would be to delete the app from your phone and only use Twitter in a web browser, which would potentially mitigate or would mitigate that potential rogue app situation. But as I said, I haven’t done that yet. I’m not necessarily saying you should, just trying to give people some ideas about the parameters of how to think about these things.

Lauren Goode: Your productivity will shoot through the roof too, not having Twitter on your phone.

Lily Hay Newman: Yeah. Benefits all around.

Lauren Goode: Yeah.

Lily Hay Newman: I don’t know. What are you both thinking? Has it been bugging you?

Lauren Goode: I mean, I’ve been on Twitter since 2009, I think? Maybe 2008. And so I do have a long history on Twitter, but I don’t really feel like going through all of my old DMs and figuring out what’s what. It seems like there should be an opportunity to batch-delete your DMs but maintain other elements of your Twitter account, or go through and delete all the media you’ve ever attached to tweets in case there’s metadata baked into the media but not delete other things, but you can’t. It’s like you have to either just delete Twitter or live with it.

Michael Calore: You should submit that request to the features team and see how long it takes for them to implement it.

Lauren Goode: That’s great. Do you have their email?

Lily Hay Newman: I was going to say, meanwhile, we don’t even know if we can delete any data off of Twitter at all.

Lauren Goode: Right. So it just feels like a moot point. It feels like there’s a lot of onus being put on the user right now for what is becoming an increasingly user-hostile experience.

Michael Calore: Right.

Lauren Goode: What are your thoughts, Mike?

Michael Calore: I’m going to wait and see. If the time comes when it feels like the right thing to do is to delete everything and bail, I will have no problems doing that.

Lauren Goode: When the time comes to let it go, let it go.

Michael Calore: Let it go. Life is too short to worry about a Twitter account, that’s what I always say.

Lauren Goode: It is.

Michael Calore: Always. I say that all the time.

Lily Hay Newman: I’ve heard you say it.

Michael Calore: All right. Well, Lily, thanks for this invigorating conversation about where this is all headed. Even if we don’t have a lot of detail, it was great to get some good advice, so thanks.

Lily Hay Newman: Yeah. I’m always happy to spread the joy.

Michael Calore: Let’s take a break, and when we come back, we’ll do our recommendations.

[Break]

Michael Calore: All right. Lily, you are our guest, so you get to go first. What is your recommendation for the people?

Lily Hay Newman: My recommendation this week is a type of protein bar. It’s called Wicked protein bar and—

Lauren Goode: Is it from Massachusetts?

Lily Hay Newman: I don’t know. I’ve only tried one flavor, and I’m recommending that flavor, but I can’t speak to any of the other flavors, so maybe this is of limited use. But the flavor I want to recommend is maple, and my reason for recommending this is that, I don’t know if anyone else feels this way, it’s very hard to find a protein bar that’s low sugar, has a good amount of protein, doesn’t taste gross but also that I actively like and can eat again and again. Do you all know what I’m talking about?

Lauren Goode: Yes.

Lily Hay Newman: I usually … I’ll eat a protein bar, and I’m like, “Yeah. Oh, OK. Great. This is good,” and then I go to eat it again, and I’m like, “No, I’m sick of it. I don’t want another one.”

Michael Calore: Yeah. Or you eat one and you just think like, “OK, that was sustenance. Now, I can live for another hour.”

Lily Hay Newman: Even the Wicked maple protein bars, that’s pretty much all we’re getting to. I wouldn’t say it’s a favorite food, but I can eat them multiple times in whatever, a month or a week or whatever it is, and get through it and not be just like, I don’t know, throwing it out or so fed up with myself for placing myself in the situation. But similar to the last time I was on the show, when I recommended a type of N95 mask and provided the disclosure that the masks are very unattractive, I do feel the need to provide a disclosure this time that other people who have tried the protein bars did not like them. So when I’ve given them to friends or been like, “Oh yeah, these protein bars are so good.” They said they thought the flavor was gross and they don’t understand … because it’s not sweet, that’s the thing. I don’t like when protein bars are super sweet so—

Michael Calore: Neither do I.

Lily Hay Newman: This is what you get when you have me on the show. My recommendations are a real mixed bag, but for my palate, Wicked Protein Bars in maple, 15 grams of protein, 2 grams of sugar, and I’m seeing here, it says, “Certified clean.”

Michael Calore: Well, that’s something I always look for in foods that I’m eating.

Lily Hay Newman: Yeah.

Michael Calore: Certified clean? What? Like it’s PG? I don’t know.

Lily Hay Newman: Right, exactly. I need a G rating for my protein bars. Anyway, that’s my recommendation.

Lauren Goode: That’s a pretty good one.

Michael Calore: That sounds both delicious and nutritious. Thank you for the recommendation. Lauren, what is your recommendation?

Lauren Goode: I just have to say, while Lily was giving her excellent recommendation, I was going through my Twitter inbox and I went all the way back to my very first DM on Twitter. My very first DMs were in 2009, June 2009, and it was just a series of people saying, “Hey, thanks for the follow,” like there’s a—

Michael Calore: Old school.

Lauren Goode: It’s what people did then. Yeah.

Michael Calore: Old school.

Lauren Goode: There’s someone with the handle @citizenfreepress and it’s, “Thanks for the follow.” And then, @runnersworld, which I followed, “Thanks for the follow.” That’s it. That’s it, that’s the excitement.

Michael Calore: OK, Lauren. What is your recommendation?

Lauren Goode: My recommendation this week is Andy Greenberg’s new book, Tracers in the Dark. Andy is a colleague of ours. He works closely with Lily on our security desk, and I have to admit, I have not yet read Andy’s book. It just came out, and I’m hoping that we will have the opportunity to have Andy on the show at some point to talk about it because he’s doing the press circuit for it now. But his book, Tracers in the Dark, is about the investigators chasing criminals through the very dark crypto underworld. He interviews prosecutors, industry analysts, even some criminals themselves. He writes about how there are these clues in the pseudo-anonymous, decentralized blockchain that are tipping off investigators to these crimes, and it has a lot of bigger implications, I think, for our concepts of privacy and anonymity on the web. Andy is just a really powerful, masterful writer and excellent reporter. And so I look forward to reading it, but I recommend it for everyone else right now, Tracers in the Dark.

Lily Hay Newman: Since you were scrolling during my recommendation, I was reading during your recommendation. No, I’m just kidding, but I have read Tracers in the Dark so I just want to provide a testimonial, a reader testimonial, that it is really great and it is not … If you are super into investing and the business of cryptocurrency or something, it’s not about that. But for me, that was a big plus, like what I really wanted to learn about was the technology that underlies the blockchain and why there was this misconception that particularly Bitcoin transactions are untraceable. Why did people think that? Why did criminals think that? And why is it untrue? How can you trace these transactions? That has meant a lot of good things for law enforcement in terms of their ability to track cyber criminals, which Andy details in the book, but he also talks about the potential privacy implications of being able to trace transactions and historically back through time because the blockchain is this indelible record of everything that’s ever happened. So yeah, just wanted to piggyback on just a quick reader recommendation.

Lauren Goode: Thanks, Lily. That’s awesome.

Michael Calore: I think curious readers can also check out an excerpt of Andy’s book that is currently running on WIRED.com. I think it’s a four-part excerpt?

Lauren Goode: Oh, that’s exciting.

Lily Hay Newman: It’s so many parts, and it’s so good and so exciting. So it’ll be in the show notes, right?

Michael Calore: Yes, it will.

Lauren Goode: Mike, what’s your recommendation this week?

Michael Calore: My recommendation is a Netflix show called The Sandman, and it is an adaptation of a comic book from the late ’80s/early ’90s written by Neil Gaiman. A very famous comic book. It is a really well-done comic book adaptation, and if you know me at all, then you know that’s not something I say that often, but it’s a great show. I’m really enjoying it. My wife is really enjoying it. It’s a story of these folks who are immortals and they live in the sort of ether realm in and out of reality, and one of them gets trapped by this person who’s an occultist who casts spells to try and trap immortals and is held hostage for 100 years and then escapes and has to reclaim all of the things that he lost, that were stolen from him, that were raided from him. And that sets him off on this series of adventures. I don’t want to say anything more than that. I don’t want to give it away. But it is fun, it’s very emo, it’s very dark, it’s very adult, all the things that you want from a good comic book adaptation on Netflix. So that’s my recommendation, The Sandman.

Lauren Goode: Who stars in it?

Michael Calore: Nobody that you know. It’s all British people. Although I will say, David Thewlis is in it. David Thewlis, the famous actor? Yeah, you’re shaking your head no. You’ll recognize him if you see him.

Michael Calore: Yeah. He’s a dramatist, a really great actor, and he’s quite good in this. He plays a villain.

Lauren Goode: So the protagonist is the Sandman?

Michael Calore: Yeah. He’s an anti-hero because he’s somebody who’s not really nice to people. He’s kind of a jerk, but he has a crow, and his crow is funny. I think Patton Oswalt does the voice of the crow, so there are two famous people in it.

Lauren Goode: Nice.

Michael Calore: Yeah. Anyway, that’s my rec. It’s a good one.

Lauren Goode: Thank you for that.

Michael Calore: Thank you, Lily, for joining us.

Lily Hay Newman: Thank you so much for having me. I just scrolled back in my Twitter DMs, and it looks like my first one ever is from The Baltimore Sun welcoming me to Twitter.

Michael Calore: Wow.

Lauren Goode: Oh. Those were the days.

Michael Calore: Wow, The Baltimore Sun. Did David Simon send it?

Lily Hay Newman: I hope so. Probably not, but I was living in Baltimore at the time, so I guess that’s the tie-in. But yes, thank you for having me. And everyone, stay safe out there.

Michael Calore: Thank you all for listening. If you have feedback, you can find all of us on Twitter, still. Just check the show notes. Our producer is Boone Ashworth. We’ll be back next week. Goodbye.

[Gadget Lab outro theme music plays]