Ex-Twitter Exec Blows the Whistle, Alleging Reckless and Negligent Cybersecurity Policies (arstechnica.com) 50

An anonymous reader quotes a report from CNN: Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post. The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

Zatko was fired by Twitter in January for what the company claims was poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter's board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen. John Tye, founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter. After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, "We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding."
"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," the Twitter spokesperson said. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."

Zatko also alleges that the Indian government forced Twitter to put a government agent on the payroll, giving them access to sensitive user data. "Twitter is engaged in a legal challenge against the Indian government after it asked a local court in July to overturn some government orders to remove content from the social media platform, and alleged abuse of power by officials," adds Reuters.
  • by SvnLyrBrto ( 62138 ) on Tuesday August 23, 2022 @05:16PM (#62815747)

    Even at its best, Twitter is nothing more than a platform for self-important narcissists to shout their most inane and banal brain-droppings to whatever mouth-breathing defectives can be impressed by the level of nuance that can be contained in 140 characters. If you're posting there in the first place, it's because you've already decided that you want every stupid little detail broadcast to the four winds. Or, I guess, it's great for training your AI to be a Nazi, if that's your thing. In any event, it's nowhere you'd ever go if you have even the smallest care for discretion, civility, or privacy. And that's hardly anything new.

    Seriously, aside from not being run by what I'm sure is either a Fallout synth or a body-snatched pod person, is there any way that Twitter isn't already an even worse festering cesspool than Facebook?

    • by AmiMoJo ( 196126 )

      You aren't using Twitter right. If you follow the right people Twitter can offer interesting insight and support your hobbies. For example, I follow people who refurbish old computers, stuff from the 60s and 70s. Sometimes I help them out by replying with my own knowledge. Same with electronics hobby stuff.

    • Twitter has more than one purpose. The main purpose that concerns the rest of us is that it is the echo chamber for the media, including legacy media and new media, where they find out what they are supposed to think, and what to tell the rest of us to think.

      The secondary purpose of assholes spouting is only partially related.

  • Mudge (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Tuesday August 23, 2022 @05:16PM (#62815749) Homepage Journal

    For anybody not paying close attention, this is Mudge making the claim about Twitter's security.

    https://slashdot.org/index2.pl... [slashdot.org]

    Parag Agrawal fired him for 'not performing well' on security.

    It's almost certain that Mudge insisted on doing it right and Parag said no, we don't do that here.

    I suppose the next step is finding out why Twitter has purposefully and knowingly poor system security. Seems like that's gonna come out at trial.

    • by ls671 ( 1122017 )

      So Twitter's systems are just as Mickey Mouse as the Meta/FB ones, then?

    • Yes, if this had been almost anyone else I might have some doubts. But Mudge is as OG as it gets in internet security circles and seems to have always been a straight shooter.
      • I saw a WaPo interview that makes it sound somewhat like a grudge. He claimed he was never given info on, I think it was, bots. He said he repeatedly asked. Then they interviewed several people that attended some board meeting where it was discussed. Mudge was present at the meeting. The reporter said who knows, maybe Mudge had drifted off during the topic at the board meeting. Several employees also reported the guy was a know-it-all about stuff he clearly wasn't. Personally, I think this white knight for El
    • Re: (Score:3, Interesting)

      by Aighearach ( 97333 )

      This is just hero worship.

      Other security people that worked under him have already claimed that some of the problems he's calling out were problems he created; e.g., he ordered them to de-emphasize keeping the operating systems up to date, and then after he was fired he blew the whistle on the operating systems being out of date.

      He's famous for finding exploits. This job was not finding exploits, but managing a security team to make improvements in the areas he's complaining about. There is no reason to presu

      • Re:Mudge (Score:5, Informative)

        by BoogieChile ( 517082 ) on Tuesday August 23, 2022 @09:31PM (#62816325)

        > There is no reason to presume that he's an expert executive, or even basically competent in that role.

        Yeah, that's why he was kicked out of DARPA after only three years as...oh. Project manager for at least three DoD programs.

        Oh, well, it must have been why he was totally unsuccessful at Stripe, where he was just a lowly um...Head of Security. Oh.

        Never mind, I'm sure his time at Google will show just how useless he is at any sort of management. What's that? Deputy Director of the Advanced Technology and Projects division. For two years, you say?

        Huh. Yeah, totally unqualified.

        • pwnt. Well done.

          I don't do hero worship. Mudge has a track record that speaks for itself.
        • Project manager can be a wide variety of roles. You're just derping on yourself. He worked on three different DARPA projects and then ended up at Twitter? You think that proves he's a great corporate leader? A lot of tech people get on an important project at DARPA and spend decades on it. Why did he wash out 3 times in such a short time period?

          He was head of security at some place important... but then he wasn't anymore. And was at twitter. Where he got fired. Hmm.

          totally unqualified

          Your straw man is on fire. You might want

  • Musky's going to buy Twitter and fix all the problems like he promised!

  • Good for Mudge (Score:4, Informative)

    by divide overflow ( 599608 ) on Tuesday August 23, 2022 @05:24PM (#62815779)
    Social media is only as good as its management and moderation. Twitter would benefit if both were to improve. Thanks to Peiter "Mudge" Zatko for making the effort to report on Twitter's internal failings.
  • by SchroedingersCat ( 583063 ) on Tuesday August 23, 2022 @05:58PM (#62815859)
    Some of his claims sound plausible: "Twitter executives don't have the resources to fully understand..."
  • "and that one or more current employees may be working for a foreign intelligence service" There are a lot of taxpayers around the world who should be demanding a rebate if there isn't.* (*May or may not apply to US citizens, as your lot can just compel them with a secret court order.)
  • by bubblyceiling ( 7940768 ) on Tuesday August 23, 2022 @06:14PM (#62815881)
    All web apps use databases. Anyone with access to the DB can do whatever they want. This is standard across companies, and a lot of people, including developers, DevOps and managers, have access to the "live" app in an average company. Now, DBs have logs and backups, so one can detect and recover if someone makes some major changes. But small changes are made constantly, and unless the DB was designed for security from the ground up, it is almost impossible to fix this for most companies. It will require a lot of process, tooling and other changes.
    • Comment removed based on user account deletion
      • What incident reporting law? Back in the day companies used to have DBAs. Now it's all DevOps.
      • I would imagine a company like Twitter to have proper DBAs with knowledge of audit trails, ethics abuse reporting, security incident reporting in line with state and federal law, etc., which are required by their agreements with the FTC that they signed, etc. Otherwise those signatures are something close to perjury, no?

        The tricky part may not be the database but the applications built on top of it.

        There may also be a disagreement about the definition of "deleted". For instance, you wipe the user's data from the live DB but it lives on in the backups, which is probably legal [itgovernance.eu], though maybe not if the backed-up data is particularly accessible (and if they're not properly notifying users of that).

        It is also often the case with stuff like this that the lawyers have looked closely and given the thumbs up to something that contradicts

    • None of what you said is true. It is "standard across companies" that access to production databases be severely limited for obvious reasons.
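As an added illustration of the audit gap discussed in this sub-thread (example code written for this page, not posted by anyone in the thread): a trigger-based audit trail that tags every row change with the actor behind the connection, so a direct console edit shows up in one query instead of only in a diff of backups. The table, column and actor names are constructed.

```python
import sqlite3

# Added example, not from the thread: a per-row audit trail in SQLite so that small
# direct edits to a live table are tied to an actor instead of being recoverable
# only by diffing backups. Table, column and actor names are constructed.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, handle TEXT NOT NULL, email TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0);
CREATE TABLE session_ctx (actor TEXT NOT NULL);  -- identity behind this connection
INSERT INTO session_ctx VALUES ('unknown');
CREATE TABLE users_audit (
    id INTEGER PRIMARY KEY, user_id INTEGER, column_name TEXT,
    old_value TEXT, new_value TEXT, actor TEXT,
    at TEXT NOT NULL DEFAULT (datetime('now')));
-- One audit row per changed column, whether the UPDATE came from app code or a console.
CREATE TRIGGER users_audit_update AFTER UPDATE ON users
BEGIN
    INSERT INTO users_audit (user_id, column_name, old_value, new_value, actor)
    SELECT NEW.id, 'email', OLD.email, NEW.email, (SELECT actor FROM session_ctx)
    WHERE OLD.email IS NOT NEW.email;
    INSERT INTO users_audit (user_id, column_name, old_value, new_value, actor)
    SELECT NEW.id, 'deleted', OLD.deleted, NEW.deleted, (SELECT actor FROM session_ctx)
    WHERE OLD.deleted IS NOT NEW.deleted;
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_actor(conn, actor):
    """Record who is driving this connection (constructed convention)."""
    conn.execute("UPDATE session_ctx SET actor = ?", (actor,))

def changes_outside_app(conn, app_actor="app-service"):
    """Audited changes not made by the application: the direct human edits that
    backups and coarse logs tend to miss."""
    return conn.execute(
        "SELECT user_id, column_name, old_value, new_value, actor "
        "FROM users_audit WHERE actor != ? ORDER BY id", (app_actor,)).fetchall()

def demo():
    conn = open_db()
    set_actor(conn, "app-service")
    conn.execute("INSERT INTO users (handle, email) VALUES ('mudge', 'm@example.com')")
    conn.execute("UPDATE users SET deleted = 1 WHERE handle = 'mudge'")  # normal app path
    set_actor(conn, "dba-console:alice")  # someone with direct production access
    conn.execute("UPDATE users SET email = 'changed@example.net' WHERE handle = 'mudge'")
    return changes_outside_app(conn)
```

Running `demo()` returns only the console-originated change; the application's own deactivation is audited too but filtered out as expected activity.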
  • Look, if you're dumb enough to input your ACTUAL user information or personally identifying information into Twitter, you kinda deserve what happens next.

  • by Bruce66423 ( 1678196 ) on Tuesday August 23, 2022 @06:54PM (#62815977)

    Brussels is not going to be amused by 'it has misled regulators about whether it deletes the data as it is required to do'. Given how annoying Twitter is to our lords and masters, the prospect of extracting billions for the citizens of the EU will be very attractive...

  • Come on, the establishment press doesn't do a story where Musk might be involved without shitting all over him in some rabid fashion.

  • Ex-Twitter exec. Lol. How seriously young or so far removed from the roots do you need to be before you refer to Mudge as "ex-Twitter exec"? The Dead Cow is absolutely rolling in its grave now; at least the cult is there to support it.
