If you have a heuristic used to apply additional scrutiny to traffic coming from certain locations, you shouldn't have: IF it's from a bad source AND it's not in the whitelist of allowed bad sources...
Treat them as possibly malicious and handle it like risky traffic: throw difficult captchas at your users and don't deny login or require password changes. Let users turn off logic for IP-based 'hack' attempt detection.

-Travis

On Sun, Jun 8, 2014 at 5:58 PM, Jacob Appelbaum <[email protected]> wrote:

> I've had my Twitter account locked half a dozen times (web client,
> using Tails) in the last few weeks. It seems to be some new security
> heuristic where one is still able to login to change the password but
> the account is locked from generating new public (or DM) events.
>
> It is a super annoying "security feature" to say the least.
>
> I think some Twitter security folks are on this list - if so, I'd love
> to discuss the issue in detail. It seems like the issue is when Tor
> circuits rotate. So when I've logged in from say, a US Tor exit node,
> all is fine. After a while, I'll be exiting the Tor network through
> Germany. It appears that say, over the course of a day, I'll jump
> through ten countries. At some point, Twitter decides that this is
> abuse or evidence of hacking or something. It doesn't appear to know
> that I'm using Tor though. So while actually, I'm just consistently
> using Tor, the GeoIP is constantly rotating. I suspect this is what
> trips the security feature in question.
>
> It would be nice if Twitter was a bit more intelligent about Tor
> usage. I wrote the BulkExitList feature on check.torproject.org for
> Wikipedia. They ironically use it to block edits from Tor. Twitter
> could use that export of data or a similar one to have a list of all
> current (updated per hour with the network consensus) exit nodes and
> then do something better than Wikipedia.
>
> All the best,
> Jacob
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> [email protected].

--
Twitter <https://twitter.com/tbiehn> | LinkedIn <http://www.linkedin.com/in/travisbiehn> | GitHub <http://github.com/tbiehn> | TravisBiehn.com <http://www.travisbiehn.com> | Google Plus <https://plus.google.com/+TravisBiehn>
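The two suggestions in this exchange (Jacob's: consult a Tor exit-node export so that GeoIP churn from circuit rotation is not read as a hijack; Travis's: meet risky traffic with friction such as a captcha rather than a lockout, and let users opt out of IP-based detection) can be sketched as a login risk heuristic. The code below is an added example written for this page, not code from Twitter, from check.torproject.org, or from either author. The exit-list format it parses (one address per line, `#` comment lines), the `LoginEvent`/`RiskHeuristic` names, the thresholds and the sample data are all assumptions constructed for the example; the sample addresses are documentation ranges, not real relays.

```python
# Added example (not from the thread): a login risk heuristic that consults a
# Tor exit-node list so that GeoIP rotation caused by Tor circuit changes is
# not mistaken for account hijacking.  The list format, the class and field
# names, the thresholds and all sample data below are constructed assumptions.
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample in the style of a bulk exit-list export: one address per
# line, comment lines start with '#'.  Addresses are RFC 5737 documentation
# ranges, not real relays.
SAMPLE_EXIT_LIST = """\
# Sample exit list (constructed for this example)
192.0.2.10
198.51.100.7
203.0.113.99
"""


def parse_exit_list(text):
    """Parse an exit-list export into a set of IP strings, skipping comments and blanks."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(line)
    return exits


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    country: str  # GeoIP country code for ev.ip, as resolved by the caller


@dataclass
class RiskHeuristic:
    tor_exits: set
    window: timedelta = timedelta(hours=24)  # how far back country history counts
    max_countries: int = 3                   # distinct countries tolerated per window
    opted_out: set = field(default_factory=set)   # users who disabled IP-based detection
    history: dict = field(default_factory=dict)   # user -> deque of (ts, country)

    def assess(self, user, ev):
        """Return 'allow', 'captcha' or 'lock' for one login event."""
        if ev.ip in self.tor_exits:
            # Known Tor exit: the GeoIP country says nothing about the person,
            # so it is not recorded as travel.  Apply friction (a captcha),
            # never a lockout or forced password change.
            return "captcha"
        if user in self.opted_out:
            # User chose to turn off IP-based 'hack' detection.
            return "allow"
        q = self.history.setdefault(user, deque())
        q.append((ev.ts, ev.country))
        # Drop history older than the window, relative to this event.
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        countries = {c for _, c in q}
        if len(countries) > self.max_countries:
            # Non-Tor traffic hopping between many countries in one window:
            # this is the kind of signal the existing heuristic locks on.
            return "lock"
        return "allow"


if __name__ == "__main__":
    h = RiskHeuristic(tor_exits=parse_exit_list(SAMPLE_EXIT_LIST))
    t0 = datetime(2014, 6, 8, 12, 0)
    for ip, cc, hours in [("192.0.2.10", "US", 0), ("198.51.100.7", "DE", 3), ("203.0.113.99", "FR", 6)]:
        print(ip, cc, h.assess("tor-user", LoginEvent(t0 + timedelta(hours=hours), ip, cc)))
```

With the sample list loaded, a user whose sessions arrive from three different exits in three countries is answered with a captcha each time and never reaches the lock branch, because exit-node events are excluded from the travel history; the same country churn from non-exit addresses exceeds `max_countries` and trips the lock. Refreshing `tor_exits` on the hourly cadence Jacob mentions is left to the caller.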
