
A Saudi prince's attempt to silence critics on Twitter - leoschwartz
https://www.wired.com/story/mohammed-bin-salman-twitter-investigation/
======
nlh
Great story and a great read! I googled the characters afterwards, and there
are some interesting addendums & updates:

Looks like Ahmad Abouammo (Twitter’s former head of Middle East partnerships)
was arrested in Seattle in Nov 2019, but Ali Alzabarah's escape to Saudi
Arabia was successful (at least in terms of being arrested by the US
government):

[https://www.justice.gov/opa/pr/two-former-twitter-employees-...](https://www.justice.gov/opa/pr/two-former-twitter-employees-and-saudi-national-charged-acting-illegal-agents-saudi-arabia)

BUT, as of a month ago, a filing was made to drop the charges (?!):

[https://www.theverge.com/2020/7/28/21345794/twitter-employee...](https://www.theverge.com/2020/7/28/21345794/twitter-employees-saudi-arabia-spies-charges-dropped-case-dismissed)

Fascinating case...

~~~
siwatanejo
> BUT, as of a month ago, a filing was made to drop the charges (?!):

And I guess the reason for this might be very related to the last paragraph
of the Wired article...

~~~
milofeynman
The Wooing of Jared Kushner: How the Saudis Got a Friend in the White House

[https://www.nytimes.com/2018/12/08/world/middleeast/saudi-mb...](https://www.nytimes.com/2018/12/08/world/middleeast/saudi-mbs-jared-kushner.html)

~~~
indigodaddy
Haven’t the Saudis had a “friend” in the White House for decades?

~~~
blaser-waffle
aka multiple Bush presidents

------
sneak
Meanwhile, if you create a new Twitter account today from a VPN and follow 30
people, it will lock you out until you verify a non-VoIP phone number.

Removing the number instantly re-locks the account.

It’s really immoral that they demand identity-linked PII while running such a
loose ship, where anyone with enough money can buy their way in to obtain that
PII, track you down, and maybe cut you up with a bone saw.

Twitter is complicit in this abuse, considering their explicit technical steps
taken to ensure that you _cannot use Twitter_ without exposing yourself to
these sorts of criminals in the governments of foreign countries, as well as
similar ones in the government of Twitter’s own jurisdiction.

> _And while Alzabarah’s job entailed maintaining systems to keep Twitter
> working properly, his position at the company did allow him access to the
> private information of many users, including their phone numbers, email
> addresses, and IP addresses. That meant that in some instances, Alzabarah
> could not only help unmask an anonymous regime critic, but also pinpoint the
> person’s location._

~~~
save_ferris
> where anyone with enough money can buy their way in to obtain that PII,
> track you down, and maybe cut you up with a bone saw.

TBF, I think that the vast majority of companies out there are vulnerable to
this. I’ve worked for 8 tech companies in my career, none of which did
anything beyond a basic background check.

Truly mitigating the problem you’re touching on requires a level of vetting
and surveillance that you’d typically see applied to intelligence operatives.
I think this is similar to how we view infosec generally: those with
sufficient resources will be able to penetrate a network, regardless of the
design or execution of network security.

~~~
johnyzee
This is letting Twitter off the hook. It is not impossible to protect users'
personal information, even within a company, to a very limited set of people
who actually need it, with audits on when and how they are accessing it, and
periodic reviews of everyone's access levels. Mature organizations follow
specific standards for this kind of stuff. For a company like Twitter, where
the privacy of this information literally can mean life or death, it is
unforgivable to not have a better grip on it (cue some non-technical regional
bizdev guy having deep access, as per the article).

~~~
save_ferris
That’s a really good point, reducing access would help here.

If you’re a nation state with the resources of Saudi Arabia, it still wouldn’t
be impossible to bribe or blackmail an employee who has prod access because
companies don’t have much of an eye on employees private lives. They would
have the resources and theoretically the incentive to really dig into the
social engineering/coercion side of things. You’d be amazed how many people
that make incredible salaries are in fairly significant amounts of debt. It’s
pretty common in western culture, and that’s a prime opportunity for those
kinds of operations.

~~~
sneak
“prod access” should not be a single large group or access boundary.

Access to non-tokenized PII data stores or the small set of systems that
require touching untokenized PII should be a very small compartment, with
extremely tight min-two-person deployment/introspection controls and minimal
change frequency.
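
One way to build the compartment sneak describes, as an added example that is not part of this thread and not a description of Twitter's systems: the main application stores only opaque tokens, the plaintext lives in a separate vault, and reading a plaintext back needs a ticket plus an approval from a second, different member of the compartment, with every attempt (allowed or denied) written to an audit record. The `PiiVault` class, its member list, the 15-minute approval lifetime and the sample phone number are all assumptions made up for illustration.

```python
"""Tokenized PII store with a two-person detokenization gate.

Added example. PiiVault, its role membership and the approval lifetime are
assumptions made for illustration, not a description of any real system.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

APPROVAL_TTL = timedelta(minutes=15)   # an approval that is not used quickly lapses


@dataclass(frozen=True)
class Approval:
    approver: str
    token: str
    ticket: str
    issued: datetime


class PiiVault:
    """Holds plaintext PII; everything outside it sees only opaque tokens."""

    def __init__(self, members):
        self._members = set(members)   # the small compartment allowed to detokenize
        self._store = {}               # token -> plaintext
        self._index = {}               # plaintext -> token, so repeats dedupe
        self._approvals = {}           # (token, ticket) -> Approval
        self.audit = []                # every detokenize attempt, allowed or denied

    def tokenize(self, value: str) -> str:
        """Store plaintext once and hand back a random token that reveals nothing."""
        if value not in self._index:
            tok = secrets.token_hex(16)
            self._store[tok] = value
            self._index[value] = tok
        return self._index[value]

    def approve(self, approver: str, token: str, ticket: str, now=None) -> bool:
        """A second person records approval for one token under one ticket."""
        if approver not in self._members or not ticket or token not in self._store:
            return False
        now = now or datetime.now(timezone.utc)
        self._approvals[(token, ticket)] = Approval(approver, token, ticket, now)
        return True

    def detokenize(self, requester: str, token: str, ticket: str, now=None):
        """Return plaintext only when a different member approved this token+ticket."""
        now = now or datetime.now(timezone.utc)
        appr = self._approvals.get((token, ticket))
        if requester not in self._members:
            reason = "requester_not_in_compartment"
        elif not ticket:
            reason = "no_ticket"
        elif token not in self._store:
            reason = "unknown_token"
        elif appr is None:
            reason = "no_approval"
        elif appr.approver == requester:
            reason = "self_approval"
        elif now - appr.issued > APPROVAL_TTL:
            reason = "approval_expired"
        else:
            reason = "allowed"
        # The audit row is written before the decision is acted on, so denials are kept too.
        self.audit.append((now.isoformat(), requester, token, ticket, reason))
        if reason != "allowed":
            return None
        del self._approvals[(token, ticket)]   # approvals are single use
        return self._store[token]


if __name__ == "__main__":
    vault = PiiVault(members=["alice", "bob"])
    tok = vault.tokenize("+1-555-0100")        # constructed sample phone number
    print("app sees only:", tok)
    print("alone:", vault.detokenize("alice", tok, "TS-1042"))      # None, no approval
    vault.approve("bob", tok, "TS-1042")
    print("with bob's approval:", vault.detokenize("alice", tok, "TS-1042"))
    for row in vault.audit:
        print(row)
```

In a real deployment the vault would be a separate service with its own key material and its own deploy pipeline, and the audit rows would ship to a store that compartment members cannot edit; the point of the example is that the people who keep the site running never need to be members of this compartment at all.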

------
liability
Why hasn't Twitter banned Mohammed bin Salman from their website yet? Surely
he has violated their terms of use many times at this point. Do Twitter's
rules not apply to him because he's insanely rich?

~~~
mixologic
Do rules apply to anybody who is insanely rich anymore?

~~~
duncan_bayne
Anymore?

[https://en.wikipedia.org/wiki/Chappaquiddick_incident](https://en.wikipedia.org/wiki/Chappaquiddick_incident)

[https://en.wikipedia.org/wiki/Henry_VIII](https://en.wikipedia.org/wiki/Henry_VIII)

[https://en.wikipedia.org/wiki/Pope_John_XII](https://en.wikipedia.org/wiki/Pope_John_XII)

Wealth and power have insulated those who possess them from the consequences
of their actions since forever.

~~~
srazzaque
Yep, I once heard a quote: "rules and laws are like spiderwebs. They are sure
to catch insects that cause trouble, but larger animals will just pass on
through."

~~~
082349872349872
[http://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:20...](http://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:2008.01.0063:chapter=5&highlight=laws)

------
mastazi
In 2019 there was a massive exodus of Saudi dissidents from Twitter to Parler.
I wonder if those people had some intuition of what was going on behind the
scenes at Twitter [https://www.thedailybeast.com/about-200000-saudi-arabian-use...](https://www.thedailybeast.com/about-200000-saudi-arabian-users-suddenly-flood-parler-a-pro-trump-twitter-alternative)

~~~
koheripbal
I'm surprised it took that long when news of Saudi $300MM investment in
Twitter came out in 2015.

If someone gives you $300MM, you don't say No to them. Indeed, you've likely
already said yes.

~~~
smabie
Why not? What leverage do the Saudis have against twitter besides not giving
them more money?

------
mabbo
This highlights more than ever that whatever customer data your employees have
access to, you need to log every single access to it, and have automatic
audits- who should be accessing what? What accesses are surprising?

Seems like something one could build a SaaS business around- send them reports
that <user> accessed <fields> about <customer ID> on <date>, along with a copy
of attributes and roles about each user. Service could offer deep dives,
querying, reporting, along with ML or rule-based flagging to say "That seems
odd".

If Twitter can't build the infrastructure needed to do that, I can't imagine
how few small companies can do it themselves either.

~~~
kitteh
Telcos have this level of monitoring of accounts because employees routinely
would abuse this access to find details of exs, family members, friends and
celebrities (billing info, call detail records, etc.). The problem was there
was no proactive monitoring - it was all reaction based upon complaints that
would kick off the investigation. I asked why this wasn't automatic to detect
clear abuse and the answer was "do you know how many people we'd have to fire
if we went looking for abuse?".
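
Below is an added example, not code from this thread or from any of the companies discussed, of the proactive check johnyzee, mabbo and kitteh are talking about: a small Python script that reads PII lookup records, compares each one against a role entitlement table, and flags three kinds of surprising access: a role reading a field it is not entitled to, an entitled read with no case ticket cited, and one actor looking up many distinct accounts within an hour. The log format, roles, actors, handles and thresholds are all constructed for the example and describe no real system.

```python
"""Flag surprising PII lookups from an access log.

Added example. Log format, roles, actors and thresholds are constructed
for illustration; none of it describes a real company's tooling.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: which PII fields a role may read and whether a ticket is needed.
ENTITLEMENTS = {
    "trust_safety": ({"email", "phone", "ip"}, True),
    "legal":        ({"email", "phone", "ip"}, True),
    "support":      ({"email"}, True),
    "sre":          (set(), False),   # keeps systems running, never reads identity data
    "partnerships": (set(), False),   # bizdev has no business reading it at all
}
BURST_WINDOW = timedelta(hours=1)
BURST_MAX_TARGETS = 5   # more distinct accounts than this in one window is flagged


@dataclass(frozen=True)
class Access:
    ts: datetime
    actor: str
    role: str
    target: str    # account that was looked up
    field: str     # which PII field was read
    ticket: str    # case reference, "" if none was cited


def parse_line(line: str) -> Access:
    """Parse one record in the constructed format ts|actor|role|target|field|ticket."""
    ts, actor, role, target, field, ticket = line.strip().split("|")
    return Access(datetime.fromisoformat(ts), actor, role, target, field, ticket)


def audit(lines):
    """Return a list of (actor, reason, detail) findings for the given log lines."""
    accesses = [parse_line(l) for l in lines if l.strip()]
    findings = []
    # Rules 1 and 2: per-record policy checks. Unknown roles are entitled to nothing.
    for a in accesses:
        fields, ticket_required = ENTITLEMENTS.get(a.role, (set(), True))
        if a.field not in fields:
            findings.append((a.actor, "not_entitled", f"{a.field} of {a.target}"))
        elif ticket_required and not a.ticket:
            findings.append((a.actor, "no_ticket", f"{a.field} of {a.target}"))
    # Rule 3: one actor looking up many different accounts inside BURST_WINDOW,
    # found with a sliding window over that actor's time-sorted records.
    by_actor = defaultdict(list)
    for a in sorted(accesses, key=lambda x: x.ts):
        by_actor[a.actor].append(a)
    for actor, seq in by_actor.items():
        start = 0
        for end in range(len(seq)):
            while seq[end].ts - seq[start].ts > BURST_WINDOW:
                start += 1
            targets = {x.target for x in seq[start:end + 1]}
            if len(targets) > BURST_MAX_TARGETS:
                findings.append((actor, "burst",
                                 f"{len(targets)} accounts since {seq[start].ts.isoformat()}"))
                break   # one burst finding per actor is enough
    return findings


def actors_to_review(findings):
    """Collapse findings into {actor: sorted reasons}, the shape a review queue wants."""
    out = defaultdict(set)
    for actor, reason, _ in findings:
        out[actor].add(reason)
    return {actor: sorted(r) for actor, r in out.items()}


# Constructed sample log (not real data); handles and actors are made up.
SAMPLE_LOG = """
2015-05-01T09:00:00|tsafety.1|trust_safety|@critic_a|email|TS-1042
2015-05-01T09:05:00|sre.ops|sre|@critic_a|ip|
2015-05-01T09:06:00|sre.ops|sre|@critic_b|phone|
2015-05-01T09:07:00|sre.ops|sre|@critic_c|ip|
2015-05-01T09:08:00|sre.ops|sre|@critic_d|ip|
2015-05-01T09:09:00|sre.ops|sre|@critic_e|ip|
2015-05-01T09:10:00|sre.ops|sre|@critic_f|ip|
2015-05-01T10:00:00|support.7|support|@user_x|email|
2015-05-01T11:00:00|bizdev.9|partnerships|@critic_g|phone|
""".strip().splitlines()

if __name__ == "__main__":
    for actor, reasons in actors_to_review(audit(SAMPLE_LOG)).items():
        print(actor, reasons)
```

Run against the sample log, the trust and safety lookup with a ticket produces nothing, the support read is flagged only for the missing ticket, and the SRE account is flagged both per record and for the burst; that last combination is the pattern from the article (an engineer whose job did not involve identity data reading it for many accounts in a short span), and it is visible from the log alone without waiting for a complaint.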

~~~
Red_Leaves_Flyy
If they're abusing their position they don't deserve to keep their job. The
company's complicity makes them party to whatever these staff do. Whether a
lawyer can prove that or not depends on the depth of the aggrieved's bank
account.

~~~
ticmasta
So when I worked for the cable company straight out of uni and we would look
up famous local people to see what packages they subscribed to, we should have
all been fired? I guess technically, but that's pretty draconian. Are you also
no mercy, hard on crime, 1-strike and you're out person, or more progressive
in that area?

~~~
Red_Leaves_Flyy
You answered your own question. Seems you're having trouble taking
responsibility for the fact that you acted unprofessionally by lashing out
with presumptive attacks on my beliefs, which are incorrect. The culture of
that workplace is a mitigating factor for the lower ranked staff, conversely
it is a compounding factor for the senior staff that failed to put an end to
it and discipline those involved.

Should you have been fired? Depends on how much you abused your privilege and
what you did with that information. Your comparison to 1 strike laws and
greater crime is pretty rich given the information you improperly accessed
could be used to blackmail others, or whatever. It's important to treat such
information with the utmost respect. Your cavalier attitude and inability to
accept responsibility in this regard may be very common within the tech
industry, but such attitudes are also why there is a growing movement to: take
data out of the hands of companies, and to harshly punish companies who fail
to protect the data on one hand while vacuuming up as much as possible with
the other.

------
aphroz
It seems to be something quite common at Twitter to give information from its
users, I have seen interviews where people openly admit that you can find the
identity of an account holder if you have friends working there. After the
last "hack" it looks like once you are inside their system, there are not many
safeguards or auditing.

~~~
jacquesm
It would be good if this were an exception but it isn't. The easiest way to
gain access to lots of privileged information is to work as a support worker for
a bank or insurance company.

------
Kednicma
> A millennial himself, [MBS] spent his youth eating fast food, playing Age of
> Empires and first-person shooter games, and keeping up with friends on the
> internet, according to people who’ve known him since childhood.

It's worth remembering that dictators are not inhuman, and they are not so
different from us.

> Asaker would pay more than $300,000 to Abouammo, deposited in a Lebanese
> bank account that Abouammo had a relative open for him. “Proactive and
> reactively we will delete evil, my brother,” Abouammo texted Asaker just
> before one deposit of $9,911.

They structured [0] the bribes to avoid SARs; structuring really does happen.

> A third, a Saudi, was “a professional” who used encryption to conceal his
> identity, though once he signed in without encryption, and Alzabarah was
> able to track his IP address.

> [Alzabarah] spoke with Asaker on an open phone line and communicated via
> email.

> So rather than follow the FBI’s request to keep things quiet to assist the
> case, Twitter lawyers brought Alzabarah in the following afternoon, accused
> him of improperly accessing user accounts, and told him he was temporarily
> suspended.

Operational security is hard. Just one slip-up can doom the entire scheme, and
here we see those slip-ups from everybody; from the folks being targeted by
MBS, from MBS's goons, and from Twitter.

[0]
[https://en.wikipedia.org/wiki/Structuring](https://en.wikipedia.org/wiki/Structuring)

~~~
erostrate
> It's worth remembering that dictators are not inhuman, and they are not so
> different from us.

It's also worth remembering we're talking about someone who assassinates his
critics and cuts them up into pieces. I would say the "bone saw" aspect
outweighs the "playing AoE" aspect and he is very different from us.

~~~
scandox
The point is that in his situation we don't know how many apparently "normal"
people will start sending bone-saws out into the world.

~~~
jl6
100% this. It’s also important not to dehumanise history’s bad guys, because
that leads to a culture of complacency whereby people think “it could never
happen here, because they were monsters and we are not”.

~~~
croissants
There might be two slightly different definitions of "humanize" at work here.
Both of these are from the Cambridge dictionary [1]:

1) "to make something that is not human seem like a person"

2) "to make something less unpleasant and more suitable for people"

With dictators, I think we should try to do 1) but not 2).

[1]
[https://dictionary.cambridge.org/dictionary/english/humanize](https://dictionary.cambridge.org/dictionary/english/humanize)

------
hellofunk
Very thrilling read, and the last paragraph sent chills up through my back.

------
DevKoala
I don't understand why Twitter didn't want to comply with the immediate
request from the FBI. Straight up evil.

~~~
wyxuan
feds sometimes come with less straightforward cases, so I wouldn't say evil,
more incompetent

------
rmrfstar
Remember when Saudi Arabia tried to convince Moxie to help them intercept
people's Twitter traffic? [1]

[1] [https://moxie.org/2013/05/13/saudi-surveillance.html](https://moxie.org/2013/05/13/saudi-surveillance.html)

------
ticmasta
if he played age of empires as religiously as I did, he should have realized
nothing beats the long bows of the Britons...

~~~
marlo88
goth's huskarl unit? They eat arrows.

------
upofadown
The larger the organization, the more likely that it will leak information...

------
jimbob45
I don’t like this article because it omits some crucial details that could
lead readers down a specific path of thinking.

It’s unclear if the inside men, Alzabarah or Abouammo, are living on H-1Bs,
full American citizens, or are in the process of immigrating. Depending on the
answer to that question, Twitter may need to block the employment of
immigrants or citizens to stop this sort of industrial sabotage in the future.
Otherwise, every country will try to have their own inside man and Twitter
will be forced to overdedicate resources to countering them.

If they’d made his citizenship status clear, the solution would be far clearer
to readers.

~~~
_jal
In what way is passport color a reliable predictor of trustworthiness?

~~~
jimbob45
Individuals are more likely to want to commit espionage for another state if
they were born in or are a citizen of that state.

~~~
_jal
Individuals are more likely to want to commit espionage when they have money
troubles. Why not hire only the already-wealthy?

Individuals are more likely to want to commit espionage when they are tempted
with sex. Why not demand evidence of membership in closed religious
communities to address that?

~~~
awinder
On the former, that's absolutely a thing with all sorts of levels to it. Base
level is that most companies run background checks including a credit pull.
Next level is use of elite academic credentialing, i.e., "we only like to hire
from ___".

On the latter, because lol that is not going to have the effect you're looking
for.

~~~
_jal
On the former, I'm quite aware of that. What I'm not aware of is this sort of
loyalty screening for low-level employees, as suggested.

On the latter, you're getting closer to the point I'm making.

