@harrisj
Last active November 24, 2020 11:03
Tweet Signatures: a simple solution for thwarting forged tweets

A Simple Solution for Faked Tweets

Recently, a somewhat large selection of my timeline was shocked by the discovery that it's simple to make a fake-looking tweet on the web. Some feared it would be only a matter of time before some news organization is suckered by a fake tweet that seems to come from a real source.

Luckily, the solution already exists, and it's something you already use constantly: GNU Privacy Guard (GnuPG) signatures. Here is an approach for verifying that a tweet is authentic and hasn't been tampered with that is so simple even @KimKardashian could figure it out. To get started, we just need to do a little setup first:

  1. Of course, you have already installed GnuPG for your own use, generated a keypair and uploaded it to a keyserver so that other people can look it up. The key's email address must be publicly listed in your twitter profile.
  2. Then, you must collect the public keys of the people you follow in your twitter timeline. Some of your friends might not post a public key on a keyserver. That's certainly their right; but ask yourself how much they value you following them if they won't even take these basic steps to ensure the integrity of their tweets.
  3. Of course, if you are really serious about this, you have contacted each person you follow and verified that the key you collected matches their key's fingerprint. You could skip this step, but really?

Okay, that only took a few days. How do we use it to safeguard the integrity of our tweets? GPG allows users to generate digital signatures for any file. These signatures are used to confirm that the message was sent by a specific user and that the message contents have not been altered in any way. In other words, it not only protects against web spoofs, but it even helps to reveal when someone has hacked into your twitter account. Here is an example of how it works on the command line:

echo "Paw & Order: Squeaktoy Victims Unit" | gpg --clearsign

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paw & Order: Squeaktoy Victims Unit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJRWOW1AAoJELX8l1ZllqgrgVsQAK7Dr8p2lzIG6hSjezMCt2vX
Gsk7nMTJX7ZEXHnJ+mxNkd+EzultJQFFVHLPy48B3QhO/3gjGw9mLG6ePHQX1ArE
83Fh9osgR1FCC7zA0aOhd6ATTSW4tgaoG16M+RUWSonW4fWyDErbsE1fEvTIN+m1
2XEaFU6xdu5Uqa2wwvZuJzE9xSacBKyS+zrsBLNP1y+v30mcBJU7p1+hdZ4TBHWh
cll58jqlelCB1D5UJj63gJeE/6pDatptDV/DRUjsGjsk1OcCkxwPvv12rnLCaQLW
1CvcIDA9XDnT+MWzrVQ0nLB7l7A80h5/67m2Q1K0/yXJE59pD2FaKMlSmiMR7E7g
OhAaWRayDS5B8FTWYVZxiM+SMnntK/SM4QwPo6JLkp0XQxylhOfgGZKUiWKE1m93
iGNW0IsY7scO7JkzCTkZyHLnpX3dayAdzTHuH6vQqgoaQqrhQMtxE8tXR79PXoBx
9zLCIFejEQf7QPPdhJqqvNs5wYqDXIGWXNIbr75PffqUmeS6PH62vyJMlgSW3zAZ
IZS13EEYCH8podaT9UJoFCl/ylFN99t6SJ3HommSaW8HFVS+gjlqaNGqJ7QvrgcS
fUTKL/6Fq2Wmx40hPL5AsNbGGRc2iqTTj4j2ctBeKjhM9SVXG917SqVfciYFAMbZ
PLdV5IC79hqX0lSH3JEw
=2TPw
-----END PGP SIGNATURE-----

All we have to do to safeguard tweets is to digitally sign the message and post the digital signature alongside the tweet. But wait, that's way too much text to fit in a single tweet! We could link to a separate site for verification, but that would mean [using t.co](http://www.dirmgr.com/blog/2011/6/14/the-problems-with-twitters-automatic-url-shortening.html), and that's a bad idea. But who says we have to do a single tweet? In 2010, I invented TweetFTP, a revolutionary new method for transmitting files directly within twitter. No more messing around with cloud services; you can send that photo directly to Grandma in only 35,000 tweets!

Surprisingly, TweetFTP did not have a lot of users. But its patent portfolio can live on applied to a new project here: embedding the digital signature for every tweet within twitter itself. The algorithm is pretty simple:

  1. Before posting the tweet, compute the signature
  2. Post the tweet to twitter and get the ID of the tweet back (eg, 318523770702815233)
  3. Post each line of the signature, prepended with "SIG", the ID of the tweet you're verifying, and which part of the signature it is (eg, 11/16).
  4. To verify, the script on the other end simply stitches the signature back together and looks up the tweet author's public key. It then uses this to validate the signature and confirm that the tweet is legit.
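Here is an added worked example of steps 1 through 4, written for this page and not code from the original Gist. It takes the output of `gpg --clearsign`, turns the armored signature into SIG tweets, and on the receiving side stitches the parts back into a clearsigned block that `gpg --verify` can check. Assumptions that the post does not state: the SIG tweet shape is exactly `SIG <tweet-id> <n>/<total> <armor-line>`; only the base64 body and the `=XXXX` checksum line of the armor are posted (the `Version:`/`Comment:` headers are dropped, as in the post's own example); and because the SIG tweets carry no `Hash:` header, the verifier has to assume the hash algorithm (SHA1 here, as in the post). The signed message and signature are the ones from the post.

```python
"""Added example (not from the original Gist): split a gpg --clearsign
signature into SIG tweets and stitch them back together for gpg --verify."""
import re
import subprocess

# Assumed tweet shape: "SIG <tweet-id> <n>/<total> <armor-line>"
SIG_RE = re.compile(r"^SIG (\d+) (\d+)/(\d+) (\S+)$")

# The clearsigned message from the post, used here as the sample input.
EXAMPLE_TWEET_ID = 318523770702815233
EXAMPLE_CLEARSIGNED = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paw & Order: Squeaktoy Victims Unit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJRWOW1AAoJELX8l1ZllqgrgVsQAK7Dr8p2lzIG6hSjezMCt2vX
Gsk7nMTJX7ZEXHnJ+mxNkd+EzultJQFFVHLPy48B3QhO/3gjGw9mLG6ePHQX1ArE
83Fh9osgR1FCC7zA0aOhd6ATTSW4tgaoG16M+RUWSonW4fWyDErbsE1fEvTIN+m1
2XEaFU6xdu5Uqa2wwvZuJzE9xSacBKyS+zrsBLNP1y+v30mcBJU7p1+hdZ4TBHWh
cll58jqlelCB1D5UJj63gJeE/6pDatptDV/DRUjsGjsk1OcCkxwPvv12rnLCaQLW
1CvcIDA9XDnT+MWzrVQ0nLB7l7A80h5/67m2Q1K0/yXJE59pD2FaKMlSmiMR7E7g
OhAaWRayDS5B8FTWYVZxiM+SMnntK/SM4QwPo6JLkp0XQxylhOfgGZKUiWKE1m93
iGNW0IsY7scO7JkzCTkZyHLnpX3dayAdzTHuH6vQqgoaQqrhQMtxE8tXR79PXoBx
9zLCIFejEQf7QPPdhJqqvNs5wYqDXIGWXNIbr75PffqUmeS6PH62vyJMlgSW3zAZ
IZS13EEYCH8podaT9UJoFCl/ylFN99t6SJ3HommSaW8HFVS+gjlqaNGqJ7QvrgcS
fUTKL/6Fq2Wmx40hPL5AsNbGGRc2iqTTj4j2ctBeKjhM9SVXG917SqVfciYFAMbZ
PLdV5IC79hqX0lSH3JEw
=2TPw
-----END PGP SIGNATURE-----
"""


def parse_clearsigned(text):
    """Return (hash_algo, message, signature_body_lines) from gpg --clearsign output."""
    lines = text.splitlines()
    hdr_end = lines.index("", 1)                    # blank line closes the Hash: headers
    sig_start = lines.index("-----BEGIN PGP SIGNATURE-----")
    sig_end = lines.index("-----END PGP SIGNATURE-----")
    hash_algo = next((l.split(":", 1)[1].strip() for l in lines[1:hdr_end]
                      if l.startswith("Hash:")), None)
    # undo the RFC 4880 dash-escaping applied to the signed text
    message = "\n".join(l[2:] if l.startswith("- ") else l
                        for l in lines[hdr_end + 1:sig_start])
    # keep only the base64 body and the =XXXX line; armor headers contain ':'
    body = [l for l in lines[sig_start + 1:sig_end] if l and ":" not in l]
    return hash_algo, message, body


def make_sig_tweets(sig_lines, tweet_id):
    """Step 3 of the post: one 'SIG <id> <n>/<total> <line>' tweet per armor line."""
    total = len(sig_lines)
    return [f"SIG {tweet_id} {i}/{total} {line}" for i, line in enumerate(sig_lines, 1)]


def stitch_signature(tweets, tweet_id):
    """Step 4: collect the SIG tweets for tweet_id (any order, other tweets ignored)
    and refuse to proceed on missing, conflicting or inconsistently numbered parts."""
    parts, total = {}, None
    for t in tweets:
        m = SIG_RE.match(t)
        if not m or int(m.group(1)) != tweet_id:
            continue                                  # unrelated timeline noise
        n, tot, line = int(m.group(2)), int(m.group(3)), m.group(4)
        if total is None:
            total = tot
        if tot != total or not 1 <= n <= total:
            raise ValueError(f"bad part numbering in {t!r}")
        if parts.setdefault(n, line) != line:
            raise ValueError(f"conflicting copies of part {n}")
    if total is None:
        raise ValueError("no SIG tweets for this id")
    missing = [i for i in range(1, total + 1) if i not in parts]
    if missing:
        raise ValueError(f"missing parts {missing}")
    return [parts[i] for i in range(1, total + 1)]


def rebuild_clearsigned(message, sig_lines, hash_algo="SHA1"):
    """Reassemble a clearsigned block that gpg --verify accepts (dash-escaping the text).
    hash_algo is assumed by the verifier; the SIG tweets do not carry it."""
    escaped = ["- " + l if l.startswith("-") else l for l in message.splitlines()]
    return "\n".join(["-----BEGIN PGP SIGNED MESSAGE-----", f"Hash: {hash_algo}", "",
                      *escaped, "-----BEGIN PGP SIGNATURE-----", "",
                      *sig_lines, "-----END PGP SIGNATURE-----", ""])


def verify_with_gpg(clearsigned):
    """Hand the rebuilt block to gpg; needs gpg on PATH and the author's key in the keyring."""
    proc = subprocess.run(["gpg", "--batch", "--verify"],
                          input=clearsigned.encode(), capture_output=True)
    return proc.returncode == 0
```

Two things the verifier must get right or `gpg --verify` fails for a perfectly honest tweet: it needs the exact bytes that were signed, so text pulled from the Twitter API has to be unescaped first (the API returns `&` as `&amp;` and rewrites links to t.co, the very problem the post mentions), and it needs the hash algorithm, which this scheme never transmits.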

This is what the 14 tweets sent out for one example message would look like:

Paw & Order: Squeaktoy Victims Unit
SIG 318523770702815233 1/13 iQIcBAEBAgAGBQJRWOW1AAoJELX8l1ZllqgrgVsQAK7Dr8p2lzIG6hSjezMCt2vX
SIG 318523770702815233 2/13 Gsk7nMTJX7ZEXHnJ+mxNkd+EzultJQFFVHLPy48B3QhO/3gjGw9mLG6ePHQX1ArE
SIG 318523770702815233 3/13 83Fh9osgR1FCC7zA0aOhd6ATTSW4tgaoG16M+RUWSonW4fWyDErbsE1fEvTIN+m1
SIG 318523770702815233 4/13 2XEaFU6xdu5Uqa2wwvZuJzE9xSacBKyS+zrsBLNP1y+v30mcBJU7p1+hdZ4TBHWh
SIG 318523770702815233 5/13 cll58jqlelCB1D5UJj63gJeE/6pDatptDV/DRUjsGjsk1OcCkxwPvv12rnLCaQLW
SIG 318523770702815233 6/13 1CvcIDA9XDnT+MWzrVQ0nLB7l7A80h5/67m2Q1K0/yXJE59pD2FaKMlSmiMR7E7g
SIG 318523770702815233 7/13 OhAaWRayDS5B8FTWYVZxiM+SMnntK/SM4QwPo6JLkp0XQxylhOfgGZKUiWKE1m93
SIG 318523770702815233 8/13 iGNW0IsY7scO7JkzCTkZyHLnpX3dayAdzTHuH6vQqgoaQqrhQMtxE8tXR79PXoBx
SIG 318523770702815233 9/13 9zLCIFejEQf7QPPdhJqqvNs5wYqDXIGWXNIbr75PffqUmeS6PH62vyJMlgSW3zAZ
SIG 318523770702815233 10/13 IZS13EEYCH8podaT9UJoFCl/ylFN99t6SJ3HommSaW8HFVS+gjlqaNGqJ7QvrgcS
SIG 318523770702815233 11/13 fUTKL/6Fq2Wmx40hPL5AsNbGGRc2iqTTj4j2ctBeKjhM9SVXG917SqVfciYFAMbZ
SIG 318523770702815233 12/13 PLdV5IC79hqX0lSH3JEw
SIG 318523770702815233 13/13 =2TPw

There you have it. Some of your followers might complain that these signature tweets are clogging up their timeline, but that's a probable indicator that their account has been hacked or they are spambots. Others might feel these tweets are ugly, but you should ask them why they hate mathematics. Together, we can stop the problem of faked tweets before it starts. Every tweet can be verified, even if its author isn't. So easy!

@Tanja-4732

The first link in your Gist appears to be compromised.
It leads to some website wanting me to install a chrome add-on. They even have a voice telling me to "click add extension".
Consider changing it.

@Nesh108 commented Nov 23, 2020

In terms of "safer" compression: couldn't one encode/compress the signature (a-Z09+/=-) into either UTF-8 or even emojis? That way it would still be text that can be copied around but much shorter.

The problem would be to find a two-way encoding between ASCII (128 characters) to emojis (currently 3,304 of them available).

What do you think?

EDIT: 128 characters would be 7bits, while 3304 is contained in 12bits. So we can compress by a factor of 0.58333333333. Not enough to fit in a single tweet (original signature: 741 - down to 432) but it would take 1.5 tweets (rounded to 2) instead of 2.5 (rounded to 3), saving us 1 tweet.

Can we do better than that?

EDIT2: I made a little script to convert the pgp signature above into a compressed message. I found more luck by sliding into Chinese characters:

慢団吊唷叇厬吚圻屌尳厦掳啁岞扳嶐抩悶悟敊厰况擒搄抲囌兰嫒忶塘斔晽嘫戕捒嬛岝嵮岩捏乕朻戸串栥抬场喟寡堁枊列倲惼争悮嘯务埸六妉姽
佚據刍喼劣敛娿喜呩柶休奀彘厹嬤尶斿幛嗳党丿完嫗捜傦山哖擲放佺啦嬚墬拗俕啑單冀徍僾撍俯曺嶙坞唳杀幏吔枤乢攃吕壉侍乞倖拿吓孱搃乐
彷備向屠张扷刺撘忨呯佝僾坎充悓忆二搑幠搼哧井婞懣嘢敟佨廼扌曙暖佐擾埴幂堈作暃囉厣岥捙为屲擫姚捑吅批厢优僝光拘姛垂仅岫唯劤哈喵
垚抐挅塧冶凓奀叁屏幥哤僫创嬨崛嶜慞乀塾捴垁媺傖曙掤圵扄伍娘枸惼恇嘗垢慨垒侁剱慘壐仾敒凟弈冻扎咁戳枙堚搥偀幥叄栉嚑噜晶撓揅娑擸
姲旐唲斵婅劉峋吼劮埴囋忦商怡姵妠惷撝晳攳曢摵岪嘔岯团擑價恆撆持媨妉兄暙圶抟嫄偖县囟媣倦啎呵剀揈幅劎坓喜扱枸喧剷斘媷倩揑拴幈初
喯媠悮抩帿嘩圥娖擷弌怺嬜埥兓摨履朦优妍僪敇府嘏廰慽嬥憮憬弨吩垲惺劌寱嗻何嫙寺弝崋厲庯妍彳僲呩劜撉伜媵倫啧匸嬡也

That's 365 chars, as opposed to 741. That's better than the initial plan, around 0.49%. I didn't perform any compression on the data yet.
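An added example on the packing question raised in the comment above (my code, not the commenter's script and not part of the Gist). The armor body is base64, so it only carries 6 bits per character; decoding it to the raw signature bytes first and then writing those bytes as one big integer in base 20992, with each digit mapped onto the CJK Unified Ideographs block (U+4E00 to U+9FFF, about 14.36 bits per character), gets the post's signature down to 303 characters. The choice of block, the 0x01 sentinel byte that preserves leading zero bytes, the CRC-24 rebuild of the `=XXXX` line and the simplified weighted-length function are this example's own assumptions. The signature lines are the ones from the post.

```python
"""Added example (not from the Gist or the comment): base64-decode the armored
signature and pack the raw bytes into CJK code points, then reverse the process."""
import base64

CJK_FIRST = 0x4E00
CJK_COUNT = 0x9FFF - 0x4E00 + 1          # 20992 code points in the block

# Armored signature body from the post's example (12 base64 lines plus the CRC line).
EXAMPLE_SIG_LINES = [
    "iQIcBAEBAgAGBQJRWOW1AAoJELX8l1ZllqgrgVsQAK7Dr8p2lzIG6hSjezMCt2vX",
    "Gsk7nMTJX7ZEXHnJ+mxNkd+EzultJQFFVHLPy48B3QhO/3gjGw9mLG6ePHQX1ArE",
    "83Fh9osgR1FCC7zA0aOhd6ATTSW4tgaoG16M+RUWSonW4fWyDErbsE1fEvTIN+m1",
    "2XEaFU6xdu5Uqa2wwvZuJzE9xSacBKyS+zrsBLNP1y+v30mcBJU7p1+hdZ4TBHWh",
    "cll58jqlelCB1D5UJj63gJeE/6pDatptDV/DRUjsGjsk1OcCkxwPvv12rnLCaQLW",
    "1CvcIDA9XDnT+MWzrVQ0nLB7l7A80h5/67m2Q1K0/yXJE59pD2FaKMlSmiMR7E7g",
    "OhAaWRayDS5B8FTWYVZxiM+SMnntK/SM4QwPo6JLkp0XQxylhOfgGZKUiWKE1m93",
    "iGNW0IsY7scO7JkzCTkZyHLnpX3dayAdzTHuH6vQqgoaQqrhQMtxE8tXR79PXoBx",
    "9zLCIFejEQf7QPPdhJqqvNs5wYqDXIGWXNIbr75PffqUmeS6PH62vyJMlgSW3zAZ",
    "IZS13EEYCH8podaT9UJoFCl/ylFN99t6SJ3HommSaW8HFVS+gjlqaNGqJ7QvrgcS",
    "fUTKL/6Fq2Wmx40hPL5AsNbGGRc2iqTTj4j2ctBeKjhM9SVXG917SqVfciYFAMbZ",
    "PLdV5IC79hqX0lSH3JEw",
    "=2TPw",
]


def armor_body_to_bytes(sig_lines):
    """Base64-decode the armor body, ignoring the '=XXXX' CRC-24 line."""
    return base64.b64decode("".join(l for l in sig_lines if not l.startswith("=")))


def pack_cjk(data):
    """Write 0x01||data as a base-CJK_COUNT integer, one CJK character per digit.
    The sentinel byte (my assumption) keeps leading zero bytes from vanishing."""
    n = int.from_bytes(b"\x01" + data, "big")
    digits = []
    while n:
        n, d = divmod(n, CJK_COUNT)
        digits.append(chr(CJK_FIRST + d))
    return "".join(reversed(digits))


def unpack_cjk(text):
    """Inverse of pack_cjk; rejects anything outside the CJK block."""
    n = 0
    for ch in text:
        d = ord(ch) - CJK_FIRST
        if not 0 <= d < CJK_COUNT:
            raise ValueError(f"not a packed signature character: {ch!r}")
        n = n * CJK_COUNT + d
    return n.to_bytes((n.bit_length() + 7) // 8, "big")[1:]   # strip the sentinel


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def bytes_to_armor_body(data):
    """Re-create the armor body: 64-character base64 lines plus the '=XXXX' CRC line."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode())
    return lines


def weighted_length(text):
    """Approximation of Twitter's weighted count: code points in its 'light' ranges
    cost 1 of the 280 units, everything else (CJK, emoji) costs 2.  Simplified
    assumption here: below U+1100 counts 1, anything else counts 2."""
    return sum(1 if ord(c) < 0x1100 else 2 for c in text)
```

The catch, and the reason this saves characters but not tweets: under Twitter's weighted counting each CJK character (and each emoji) costs two of the 280 units, so 303 packed characters weigh 606 units and still need three tweets, the same as the 741-character ASCII armor.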
