
Cold Twitter Account - Jon_HQ - v1.0

Fully locking your web3 project's Twitter down, as you never know what nation state is after you.

In December 2023 Jon_HQ of BoringSecDAO posted a great guide on setting up what's called a "cold Twitter account". Here's the guide itself:

As you can see, it's one page packed with a ton of useful information that Jon was kind enough to create and distribute so that others in the community can engage with their Twitter communities in the safest and most secure way possible. So, if everything is right there to be had, why write this post? I wanted to walk through this guide myself, step-by-step, and implement what he discusses to see how it works. I figured I'd post about it in case anyone wanted to follow along as well.

Concept - Secure Your Twitter

This section outlines the goal and lays out what risks you are mitigating by following this strategy. The Twitter account will exist on a device specifically used just for that Twitter account. This means the device won't be used for:

  • Talking to anyone

  • Running any other apps

  • General web browsing

This device obviously is not air gapped from a network, as you need to interact with your thousands of followers on Twitter! But it does limit the risk you are exposing your Twitter account to by never using the device for anything other than Twitter. This extends out to never clicking links on Twitter, never leaving the domain itself from the app, etc. Ideally, you'd be running Twitter from the app on a mobile device, as this lowers your risk even further. The general risks you may run into from the day-to-day operation of a Twitter account are:

  • Phishing

  • Malware

  • General compromise of the account

He includes a warning about issues hosting spaces as well, so just be aware of that.

Setting It Up

Step 1 - Assign an Owner

Figure out who's going to be responsible for the Twitter account. This is now the "owner" and "operator" of the account. They should be trained on how to handle the account, and the information that this is the owner of the account should be documented and distributed to the project's team along with emergency contact information for the account owner.

Step 2 - Choosing a Device

Here it is said that the account owner will need a clean and separate device. There are a few ways of going about this, and I'd like to provide some alternatives as well. Each of these has tradeoffs though, so just keep that in mind.

The first option is simple and easy for most to manage: a clean and separate device. This can be any old device (phone, tablet, laptop), but Jon recommends a new Chromebook. This is a great suggestion, as new Chromebooks can be had for as little as $120 and they run ChromeOS, which enables the account owner to install the Twitter Android app and perform all of their duties from there. It's also good because ChromeOS is a much less targeted platform for malware, unlike Windows. I'm biased towards the Apple ecosystem though, so I'd probably go with a simple iPad, which can be had for $350 new. Of course these items can always be bought used; just ensure that a full wipe has been performed on them before they are used for anything.

Using a device that has a mobile operating system has several benefits:

  • Access to apps from app stores

  • More locked-down / secure

  • Less utility to run different file types

  • Targeted by malware campaigns less

All of these things combined create a smaller risk profile. The access to apps from app stores is good because in stores like Apple's the app has to go through an official approval process to be listed on the store, and the developer has to maintain a good standing with Apple or else their app will be pulled. In most cases you are able to see the permissions and files the app requires in order to operate as well. Here is Twitter's information from the App Store:

As another warning, to be fully sure the device you are using is secure before setting it up, it should be fully wiped, even if it is new. And if a "Discord Cold Admin" setup is being done, this device can be utilized for it as well.

Step 3 - Logging In

On the new device the account owner should download the Twitter app and create the account. Ideally the account would be a new one created on this "fully secure" device, but if not that's totally a-okay, just go ahead and log into a previously existing account.

If you created a new account, ensure you choose a secure password. If logging into a previously existing account, change the password to a secure password. Changing the password to a Twitter account will revoke anyone else's access to that Twitter account, logging them out. A question you may ask is:

What is a secure password?

And I can let NIST (National Institute of Standards and Technology) answer that question here. Essentially the password needs to be:

  • Focused on length, the longer the better (16 character minimum)

  • Rotated every 365 days

But what about password complexity? Shouldn't I have uppercase, lowercase, and special character requirements?

The article goes further into this but it's been found these requirements promote bad user behavior, and a focus on length over these things is preferred. But overall, it doesn't hurt having them in there and increases the complexity, so I'd say go for it as long as you are confident you can securely keep track of the password.

As far as tracking passwords goes, Jon recommends writing it down on a piece of paper. If you wanted to go as far as using a password manager such as bitwarden and using a unique password for that as well, you could have a multi-layered solution where the bitwarden password is the one you store on paper and the Twitter password is stored in bitwarden, but this is also overly complex and gets in the way of the account owner's ease of use, without offering that much more risk mitigation.

Along with these things, set up a new email account for the Twitter account on the device, and follow the same steps you used to set up the Twitter account. Choose a unique email address that won't be used for anything other than managing this Twitter account. Choose a unique password for this email account, and store it on the paper password backup as well.
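To make the two password rules from this step concrete (16-character minimum, rotation every 365 days), here is a small added example that is not part of Jon's guide or this post: it generates a random password or passphrase with the standard library's `secrets` module, reports the entropy, and checks a stored password against both rules. The function names, the tiny embedded word list, and the sample dates are all constructed for the demonstration; a real passphrase generator would use a full word list such as the EFF long list.

```python
import math
import secrets
import string
from datetime import date, timedelta
from typing import List, Optional

# Policy values taken from the two rules listed above (NIST-style guidance).
MIN_LENGTH = 16
MAX_AGE_DAYS = 365

# 26 + 26 + 10 + 32 = 94 printable characters for random passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list for the demo only. A real generator
# would load a large curated list (thousands of words) for meaningful entropy.
DEMO_WORDLIST = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "fjord", "garnet", "harbor",
    "icicle", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn from `alphabet` via a CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist: Optional[List[str]] = None, sep: str = "-") -> str:
    """Return a random passphrase; length-focused, easy to copy onto paper."""
    wordlist = wordlist or DEMO_WORDLIST
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of `symbols` independent uniform picks from `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def check_password_policy(password: str, last_changed: date, today: Optional[date] = None) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    age = today - last_changed
    if age > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"too old: {age.days} days > {MAX_AGE_DAYS}")
    return problems


if __name__ == "__main__":
    pw = generate_password(24)
    print("random password :", pw, f"(~{entropy_bits(24, len(ALPHABET)):.0f} bits)")
    pp = generate_passphrase(5)
    print("demo passphrase :", pp, f"(~{entropy_bits(5, len(DEMO_WORDLIST)):.0f} bits, demo list only)")
    # Constructed dates: a password set in early 2023 checked in mid 2024 fails rotation.
    print("violations      :", check_password_policy(pw, date(2023, 1, 1), date(2024, 6, 1)))
```

The entropy figures make the trade-off visible: 24 characters from 94 symbols is roughly 157 bits, while five words from the 16-word demo list is only 20 bits, which is why the word list size, not just the word count, decides whether a passphrase is strong.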

Step 4 - Two-Factor Authentication (2FA)

Now go and change the 2FA settings for the account. These can be reached by going to:

Hamburger Menu -> Settings & Privacy -> Security & Account Access -> Two-Factor Authentication

Once there you'll see an option for "Security Key"; select this one and proceed to set it up. A Ledger can be used as a security key, but there are other options out there as well, such as a YubiKey, if you want a hardware security key that is strictly dedicated to the 2FA of the Twitter account for a price that is cheaper than a Ledger ($30 vs $80). Just remember that a YubiKey is strictly there to be a hardware security key; it cannot handle any type of crypto transaction. Ensure that whatever option ends up being chosen is compatible with the device it is being used on.

Do not use text message 2FA under any circumstances, and the "Authentication App" option should only be utilized if you can't or don't want to use a hardware security key. In the case that an authentication app is chosen instead (if the team is willing to accept the risk), apps like Authy can be used. If there are backup keys/codes, make sure these are stored on your paper backup. Not using text message 2FA is recommended due to many potential attacks that allow an attacker to gain access to the related phone number. Having a hardware security key is the primary option because it is self-custodial, which means only the person with it has access to it, unlike a phone number, where your telecommunication company also has access to it and can control/change it.

Step 5 - Account Access Audit

At this point Jon recommends reviewing the following items:

  • Connected Apps

  • Sessions

  • Logged-in Devices

  • Connected Accounts

Remove and revoke access to everything. No extra apps, sessions, devices, or accounts should be allowed access to this account moving forward. Only the single session from the one app on this specific device should remain. These can all be found in the "Security & Account Access" area of the settings discussed previously.

Step 6 - Review the Twitter Delegate Settings

This option is also accessible through the "Security & Account Access" area of the Twitter settings. It is where the account owner will be able to delegate members to post on behalf of the project's Twitter account. Inside of the menu is an option titled "Members You've Delegated" which is where you can invite members. If there are any users that have already been delegated, make sure to remove them and start from scratch.

Usage

Now that the device is fully set up and configured, it is the only cold device with full access to the project's account. There is a simple rule Jon recommends following regarding the cold device:

  • Do not use it to communicate with people over DMs

Remember that this account solely exists as the backbone of the project's Twitter presence. It is present to act as infrastructure to delegate the actual usage to specific individuals on the project's team. At this point, the individuals that need to post as the project's account should have been added through the delegation settings and they will be able to post as the project account through their personal account.

Personal accounts can still be breached too, so ensure that each project member's personal account is secured as well. The above steps for creating the project's Twitter account stop any attacker from retaining access to the project's Twitter account. This way, if a delegate's account is compromised, the project account owner can revoke that delegate's access to the project account and the incident can be handled quickly and cleanly.

In terms of permissions, Jon recommends leaving most team members as a "Contributor", but specific individuals (core team members or those responsible for security) can be granted "Admin" in order to remove contributors if their accounts are compromised.


And that's all! A big shoutout goes to Jon and BoringSecDAO, they provide some awesome training and I really enjoyed walking through this guide.
