Ex-Twitter Exec Blows the Whistle, Alleging Reckless and Negligent Cybersecurity Policies (arstechnica.com)
An anonymous reader quotes a report from CNN: Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post. The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).
Zatko was fired by Twitter in January for what the company claims was poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter's board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen. John Tye, founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter. After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, "We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding." "Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," the Twitter spokesperson said. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."
Zatko also alleges that the Indian government forced Twitter to put a government agent on the payroll, giving them access to sensitive user data. "Twitter is engaged in a legal challenge against the Indian government after it asked a local court in July to overturn some government orders to remove content from the social media platform, and alleged abuse of power by officials," adds Reuters.
Sounds like an "as designed" resolution. (Score:3, Insightful)
Even at its best, Twitter is nothing more than a platform for self-important narcissists to shout their most inane and banal brain-droppings to whatever mouth-breathing defectives can be impressed by the level of nuance that can be contained in 140 characters. If you're posting there in the first place, it's because you've already decided that you want every stupid little detail broadcast to the four winds. Or, I guess, it's great for training your AI to be a nazi, if that's your thing. In any event, it's nowhere you'd ever go if you have even the smallest care for discretion, civility, or privacy. And that's hardly anything new.
Seriously, aside from not being run by what I'm sure is either a Fallout synth or a body-snatched pod person, is there any way that twitter isn't already even worse a festering cesspool than Facebook?
Re: (Score:2)
You aren't using Twitter right. If you follow the right people Twitter can offer interesting insight and support your hobbies. For example, I follow people who refurbish old computers, stuff from the 60s and 70s. Sometimes I help them out by replying with my own knowledge. Same with electronics hobby stuff.
Re: (Score:2)
Twitter has more than one purpose. The main purpose that concerns the rest of us is that it is the echo chamber for the media, including legacy media and new media, where they find out what they are supposed to think, and what to tell the rest of us what to think.
The secondary purpose of assholes spouting is only partially related.
Mudge (Score:5, Informative)
For anybody not paying close attention, this is Mudge making the claim about Twitter's security.
https://slashdot.org/index2.pl... [slashdot.org]
Parag Agrawal fired him for 'not performing well' on security.
It's almost certain that Mudge insisted on doing it right and Parag said no, we don't do that here.
I suppose the next step is finding out why Twitter has purposefully and knowingly poor system security. Seems like that's gonna come out at trial.
Re: (Score:3)
So twitter systems are just as mickey mouse as the Meta/FB ones then?
Re: (Score:3, Interesting)
This is just hero worship.
Other security people that worked under him have already claimed that some of the problems he's calling out were problems he created; eg, he ordered them to de-emphasize keeping the operating systems up to date, and then after he was fired he blew the whistle on the operating systems being out of date.
He's famous for finding exploits. This job was not finding exploits, but managing a security team to make improvements in the areas he's complaining about. There is no reason to presu
Re:Mudge (Score:5, Informative)
> There is no reason to presume that he's an expert executive, or even basically competent in that role.
Yeah, that's why he was kicked out of DARPA after only three years as...oh. Project manager for at least three DoD programs.
Oh, well, it must have been why he was totally unsuccessful at Stripe, where he was just a lowly um...Head of Security. Oh.
Never mind, I'm sure his time at Google will show just how useless he is at any sort of management. What's that? Deputy Director of the Advanced Technology and Projects division. For two years, you say?
Huh. Yeah, totally unqualified.
Re: (Score:2)
I don't do hero worship. Mudge has a track record that speaks for itself.
Re: (Score:2)
Project manager can be a wide variety of roles. You're just derping on yourself. He worked on three different DARPA projects and then ended up at twitter? You think that proves he's a great corporate leader? A lot of tech people get on an important project at DARPA and spend decades on it. Why did he wash out 3 times in such a short time period?
He was head of security at some place important... but then he wasn't anymore. And was at twitter. Where he got fired. Hmm.
totally unqualified
Your straw man is on fire. You might want
Well good news (Score:2)
Musky's going to buy twitter and fix all the problems like he promised!
Re: (Score:1)
Free speech absolutist indeed.
https://apnews.com/article/elo... [apnews.com]
Re: (Score:1)
It's ok, Twitter is headed the direction of MySpace, Tribe and Friendster...
https://www.pewresearch.org/in... [pewresearch.org]
(Yes, I posted this on another thread, but it bears repeating.)
Re: (Score:2)
Oh wait. They've been doing that all along at Twitter and it never gets better. Oh well...
Good for Mudge (Score:4, Informative)
Re: Absolute bullshit (Score:1)
But does he tell/is he telling the truth? I do remember the name early in the relationship with Twitter, and Musk was in the middle of it then too. It seemed like there were several companies this person was "working" for, and Twitter was where he officially landed...
Re: (Score:1)
But he isn't.
Re: (Score:2)
Absolute bullshit and it makes me wonder if he was paid.
What you're feeling is called cognitive dissonance. Mudge isn't on anyone's payroll, dude.
Re: (Score:2)
> Mudge isn't on anyone's payroll, dude.
Strange comment, but accurate. When you're fired from your job, you technically are no longer on anyone's payroll.
Re: (Score:2)
Pretty much the precise response I would expect from a San Francisco tech journalist in 2022: carefully missing the point, ignorant of context, oblivious to the important highlights, entirely focused on fitting with the modern journalism formula:
story contradicts target demographic biases = enable cognitive dissonance & offer alternative narrative
story confirms target demographic biases = enable gloating & reinforce main narrative
I don't even have to look at your publication history, post history he
Re: Absolute bullshit, right on.... (Score:1)
As we all know, "hackers" from the '90s don't strike lame poses while standing in ankle-deep bullshit... only the "man" does that...
Eternal September is early this year (Score:2)
Oh, Mudge is a bullshitter? Wow, you must have some really strong evidence to level that accusation. Otherwise, it would really call into question your motives in assuming bad faith on the part of one of the most trusted, proven, unquestionably skilled names in the entire field of cybersecurity - so skilled in fact that he was personally pursued and recruited to the role of Twitter's Head of Security by the founder of Twitter himself.
Until you can show me that evidence, however, I'm going to continue to bel
Re: (Score:2)
If Twitter's security problems weren't already known since way before Musk proposed a buyout, I'd be inclined to think he had something to do with it, too. But even if these weren't already known problems, I would find it completely believable that Twitter was suffering from them.
Clueless executives (Score:3)
and that one or more current employees may ... (Score:2)
Way more common than made out to be (Score:4, Insightful)
Re: (Score:2)
I would imagine a company like Twitter to have proper DBAs with knowledge on audit trails, ethics abuse reporting, security incident reporting in line with state and federal law, etc, which are required by their agreements with the FTC that they signed, etc. Otherwise those signatures are something close to perjury, no?
The tricky part may not be the database but the applications built on top of it.
There may also be a disagreement about the definition of "deleted". For instance, you wipe the user's data from the live DB, but it lives on in the backups, which is probably legal [itgovernance.eu], though maybe not if the backed-up data is particularly accessible (and if they're not properly notifying users of that).
It is also often the case with stuff like this that the lawyers have looked closely and given the thumbs up to something that contradicts
user information (Score:2)
Look, if you're dumb enough to input your ACTUAL user information or personally identifying information into twitter, you kinda deserve what happens next.
Cue the EU (Score:3)
Brussels is not going to be amused by 'it has misled regulators about whether it deletes the data as it is required to do'. Given how annoying Twitter is to our lords and masters, the prospect of extracting billions for the citizens of the EU will be very attractive...
where's the anti-musk slant? (Score:2)
come on, establishment press doesn't do a story where musk might be involved without shitting all over him in some rabid fashion.
Imagine how young you need to be to refer to Mudge (Score:2)