Twitter Whistleblower Peiter 'Mudge' Zatko Testifies To Congress (npr.org)
Just before shareholders voted to approve a $44 billion deal with Elon Musk to buy the company, Twitter whistleblower Peiter Zatko was in Washington testifying before the Senate Judiciary Committee about alleged security flaws. NPR highlights the main takeaways from the hearing: Twitter executives put profits ahead of security, leaving the door open to infiltration by foreign agents and hackers, the company's former head of security told Congress on Tuesday. "Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Peiter Zatko testified during a Senate Judiciary Committee hearing. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people." [...] In Tuesday's hearing, which ran for more than two hours, Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects. Calm and measured, he stuck closely to his expertise, unpacking technical details of Twitter's systems with real-world examples of how information held by the company could be misused. "It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room," he warned.
Zatko alleged the company is highly vulnerable to abuse by foreign intelligence agents -- but is unable or unwilling to root them out. A week before his firing in January, he testified, the FBI told Twitter's security team that at least one agent from China's Ministry of State Security was on the company's payroll. [...] Zatko also alleged that the Indian government had placed an agent inside Twitter. He testified that Twitter struggled to identify potential infiltration by foreign agents and typically was only able to do so when notified by outside agencies.
Zatko placed the blame for Twitter's vulnerabilities squarely on a leadership team that he described as reactive, incompetent, and motivated by profit over safety. Executives, he alleged, ignored warnings from him and other employees over Twitter's security flaws because they "lacked the competency to understand the scope of the problem." Zatko described a company culture that avoided negativity and alleged executives presented selectively favorable information to the board. He accused leadership of prioritizing business over security, quoting writer Upton Sinclair: "It is difficult to get someone to understand something when his salary depends on him not understanding something."
When Zatko joined Twitter, he said, he was struck that the company kept having recurring security lapses -- "the same amount, year after year." The root cause, he told senators, is that Twitter doesn't understand how much data it collects, why it collects it, and how it's supposed to be used. That includes users' phone numbers, IP addresses, emails, the devices they use, their locations and other identifying information. What's more, he said, around half the employees at Twitter have access to that data. "It doesn't matter who has keys if you don't have any locks on the doors," he said. "The concern there is anybody with access inside Twitter...could go rooting through and find this information and use it for their own purposes." Zatko said that also raised red flags that Twitter may not be complying with its 2011 agreement with the FTC over misuse of email addresses that it told users it was collecting for security reasons, but then used for marketing. (In May, the FTC fined Twitter $150 million for violating that agreement.) "How come we keep making these same mistakes?" Zatko said. "What is it that we are telling the FTC as Twitter that is incorrect?"
Operating in GDPR zone? (Score:1)
Re: Operating in GDPR zone? (Score:1)
Not really, it would be hearsay at best. Does Twitter have a nexus in Europe? Would be pretty stupid given their track record.
Re: (Score:2)
GDPR doesn't require having the server in the EU, if the user is an EU citizen. This is mentioned in basically every single piece of training media about GDPR. If an EU citizen contacts you about their personal data, and their "right to be forgotten" then you must delete their data.
Re: (Score:3)
Or else what?
Re: (Score:2)
Or else what?
Or you could be subject to fines by the EU. Which matters if and only if you have a business presence in the EU. Otherwise, you can probably just ignore it.
Malice or ignorance (Score:1)
Re: (Score:3)
Probably neither. Just "We don't give a fuck as long as we make money."
Which I suppose you could also define as "Both" Heh.
Re: (Score:2)
As far as I know, Twitter has never made money to date.
So doesn't seem to have worked.
Re: (Score:1)
As far as I know, Twitter has never made money to date.
So doesn't seem to have worked.
Don't confuse company profitability with executive compensation. While Twitter may be constantly burning cash, the folks at the top are pocketing seven- or eight-figure paychecks and stock options. So long as they're making money, the rest doesn't bother them too much.
Re: (Score:2)
They don't care because nobody is going to punish them in any meaningful way.
I am also going to go right ahead and assume that Tesla chap will somehow try to shoehorn this stuff into his attempt to back out of purchasing Twitter.
From what I've been reading on site like Techdirt it's not going to help him though.
Re: (Score:3)
I am still not quite sure if all of this is malice or ignorance, but this is beyond damning.
MBAs?
I suspect a lot of startups hit the point where they decide to let the "grownups" be in charge, basically professional executives who go from company to company and know how all the organizational stuff is supposed to work.
It's not a bad idea to have those folks around, but they don't necessarily understand or respect what made the startup succeed. And if those secondary things like "security" and "code quality" don't make an impact on the balance sheet they can get neglected.
Re: (Score:2)
Your last paragraph reads as though security and code quality are the things which make startups succeed. Don't the past two decades teach us that skipping security and code quality in order to be first to market is what makes startups succeed?
Re: (Score:2)
Your last paragraph reads as though security and code quality are the things which make startups succeed. Don't the past two decades teach us that skipping security and code quality in order to be first to market is what makes startups succeed?
Hmm, I guess an obsession with the user experience is what makes startups succeed.
So through that lens you'd be correct as code quality and particularly security are afterthoughts.
However, I think successful startups are also serviced by an obsession with the product, so once they succeed I'd expect them to start circling back to addressing code quality and security. Perhaps this is what's lost through the early transition to the executive class.
Re: (Score:2)
Ok so for example: "He testified that Twitter struggled to identify potential infiltration by foreign agents and typically was only able to do so when notified by outside agencies."
How else would Twitter handle this? An internal private counterintelligence agency? Twitter is not the CIA. I think it makes more sense to accept it as a relatively open institution that is definitely susceptible to many influences.
Re: (Score:2)
This particular part was in reference to EMPLOYEES of Twitter being actual foreign intelligence agents, and using their unfettered (and unmonitored) access to Twitter's user data for nefarious purposes (e.g. identifying and locating the person behind anti-government posts so that they can be killed).
Re: Malice or ignorance (Score:2)
They have control over the "let any random employee access all data" part. In the EU this would get them fined out of existence in short order.
Re: (Score:2)
That depends. What is the security guy's job?
My understanding of that job in most companies, and where I work is that the security person identifies problems. They aren't usually the person who resolves the issue, and are not usually given the authority to do so.
The most he could have done in the case of the intelligence infiltration is notify HR. He also wouldn't likely have anything to do with any kind of background checks that might be able to identify intelligence agents.
Re: (Score:2)
A part is certainly incompetence, but do you count greed that does not care whether it harms others as malice? I would. And yes, exceptionally damning, especially lying to the board and the FTC. That should land people in prison IMO; fines are not going to do a thing.
Career Choices (Score:2)
...Twitter whistleblower Peiter Zatko was in Washington testifying before the Senate Judiciary Committee...
Sure must be nice to be high and dry enough to burn every bridge past, present and future. Even if he is right, why would any new employer hire him?
Re: (Score:3)
Really? You see it that way? His job was literally cyber-security and he's pointing out all the ways they failed to do things properly. Seems like exactly the kind of person I'd want to hire at a company intent on actually fixing issues.
Re: Career Choices (Score:2)
OP is right that this limits his market. But mostly to companies that are serious in fixing security, which seems like a good match for both sides.
Re: (Score:2)
There is a real market for competent IT security people. With tighter regulation, that market is going to grow. Hiring him can also be used as a nice act of corporate virtue-signalling.
Re: (Score:2)
If nothing else, he'll do just fine at one of the big audit firms. This guy is basically spilling a gap report onto the floor of Congress, likely after Twitter had plenty of time to work on gap-filling. You really can't fault the guy. Twitter has too much mind-share to not be looked at as a threat to the proper operation of society should it be compromised.
Re: (Score:3)
...Twitter whistleblower Peiter Zatko was in Washington testifying before the Senate Judiciary Committee...
Sure must be nice to be high and dry enough to burn every bridge past, present and future. Even if he is right, why would any new employer hire him?
Because he has strong ethics?
Besides, if I was a firm looking to signal to customers that I was serious about security there's worse choices than someone who's proven they were willing to call out BS.
Re: (Score:1)
Tell us you know nothing about Mudge's background, standing and reputation in InfoSec, without telling us you know nothing about it.
Re: Career Choices (Score:2)
Oh dear. I hadn't linked his real name to Mudge.
How dumb can you be to hire Mudge and expect that you can buy him off or use him as a cover for bad security? He has his reputation to protect and that is the only thing that really counts for professionals like him.
musk is still on the hook to buy twitter (Score:2)
Re: (Score:3)
That's not what "due diligence" means or how it works in this context, bots.
Re: (Score:3)
that's even more not what it should mean when you're buying a house
you need a house to live in
the observed purpose of twitter is to make everyone addicted to political toxicity
Re: (Score:2)
when you do a deal and waive the due diligence part of the deal you get what you pay for (and should be forced to buy what you agreed to)
Possibly.
I think all of his claims up till now were complete BS. But the allegation that senior management was misleading the board (and the FTC) is maybe enough for him to weasel out.
Of course, everything he's done until now has been an obvious pretext to get out of the deal, so it could be the judge figures he shouldn't luck out because of a whistleblower exposing things he probably doesn't care about.
The only factor I think Musk would care about is the expensive engineering effort to make a proper testin
Coinbase is next (Score:2)
Watch this change nothing. (Score:2)
Twitter isn't profitable. It exists because intelligence agencies want it to exist. Everything described here is a feature, not a bug.
Re: (Score:1)
Fair enough.
Just to add that of course the agencies that want Twitter to exist do not all represent the same country or get along in the slightest.
Re: (Score:2)
Twitter not being profitable is a feature, not a bug, as well. It is intentionally done to avoid taxes, as taxes only happen on profit. They are wildly profitable to the people who work there, which is why the company isn't making a profit.
Interesting - but obviously biased (Score:2, Insightful)
All security is a series of trade-offs. For IT security, access is the obvious (but not only) one.
Security professionals focus on one side of these trade-offs; they are professionally paranoid and provide a very valuable voice in the room. But there is a reason they are just one voice.
Am I shocked that twitter isn't performing national security level background checks into all their staff? And subsequently someone with strong links or loyalty to a government got employed? No. I'd be appalled if they were. T
Re: Interesting - but obviously biased (Score:4, Informative)
Half of twitter's staff have access to that information so that they can potentially use it. Security dude was security dude and tried to restrict access to that information. Company said no.
There's more to it than that. Engineers can romp around in the production system - generally without leaving a trail that could get them in trouble - while doing a LOT more than just looking at web server log files. For example, he pointed out that half the company (some 4000 people) could send tweets from user accounts AS that user, and leave no trail. Multiply egregious stuff like that times dozens of other examples (like high-level system engineers allowed to work remotely, directly in the production systems, without having to use devices/computers that are patched and up to date, security-wise).
Re: (Score:2)
Hence those "look that person has sent racist tweets in the past!" accusations. Oh and the agencies which want social media profiles so they can check your character. We put far too much faith in the security of stuff which should be treated as corruptible until there's some actual hard evidence that it can be trusted to some degree.
Re: (Score:2)
All security is a series of trade-offs. For IT security, access is the obvious (but not only) one.
Security professionals focus on one side of these trade-offs; they are professionally paranoid and provide a very valuable voice in the room. But there is a reason they are just one voice.
And the entire job of someone in a leadership role on cybersecurity is to understand where to draw those lines. The judgement call that is required does NOT fall to other executives; this is the entire point of having the role in the first place. Hard choices about these things need to be made by people who understand the risks, both legal and reputational.
I'd argue that half the staff having UNAUDITED access to production is absolutely criminal negligence. It's the most basic, fundamental first step of
Congress will do nothing (Score:2)
Our Congress is owned by China and self-serving billionaires - all of them using Twitter as a propaganda tool. Until we get detailed annual financial audits of Congressmen and term limits, this pork gravy train will continue.
Who would've thought? (Score:2)
I'm shocked, shocked to find that Twitter executives put profits ahead of security.
This guy is a dingus (Score:2)
Re: (Score:1)
He is basically blowing the whistle at himself. He was in charge of security and all this shit went down on his watch.
You misunderstand the situation. He was hired to be in charge of security. He pointed out flaws that needed to be fixed, flaws that required other parts of Twitter to change how they operated. They refused to change, authorize, or implement what he said needed to be done, hence he quit.
I've been there where you're telling a board or executive committee this stuff needs to be done. If they're concerned about legal and reputational risk, they listen (sometimes). If they don't give a shit about it and see
Except (Score:2)
Except that what went on / goes on at Twitter is probably no different than what goes on in 90% of other companies. It's just that no one has lifted up the rocks they're under yet.