
How Saudi Arabia Infiltrated Twitter - blatherard
https://www.buzzfeednews.com/article/alexkantrowitz/how-saudi-arabia-infiltrated-twitter
======
duxup
I worked on a support team for a company that had some major financial
institutions as a customer.

We had remote access to their networks at times. My very first day I was
amazed how much access I had at will.

One day it was announced that a customer had come to us and demanded everyone
had to meet X requirements to be able to work on their networks.

Not long after another financial institution made a similar request.

Some folks inside the company were a bit riled up by the requirements
(background checks, some other things). They felt the requirements were
absurd.

Considering the access we had I thought they weren't strict enough. As just a
lowly support dude hired during the dot com boom because the company needed
warm bodies (who could do some independent thinking / troubleshooting) ... I
had a lot of access.

I don't know if they were thinking about spying like this, but I'm always
amazed how much access people have to data and etc just from a technical
support perspective (forget developers...).

Later the company outsourced support to other countries... I'm not even sure
you need spies in the US / would know anyone was spying under those
circumstances.

Support teams are probably a hell of a lot cheaper / easier to infiltrate /
they get little / poor management / oversight. I saw tons of strange choices
by our outsourced technical support staff, every single time I raised concerns
it was discarded by something to the effect of "yeah they suck".

And that doesn't account for all the financial institutions who outsourced
their own direct ops teams to other countries ... I'd call them and if they
ever were capable of following instructions 9x out of 10 they'd open up the
wrong network / modems / etc.

~~~
carlmcqueen
This is a very common answer to these stories on hackernews but this one is
from a humble point of view that truly brings home the point.

My side is that I worked for a bank on the brokerage side for ten years in
different positions. What always struck me was that my access was very
carefully controlled, I was a background checked employee and had to meet with
compliance once a year, etc etc.

However when a law firm asked for anything or consultants said they needed
more data they just sent massive data dumps to the network admin guy, no
questions further asked. At least not at my pay grade.

As I've consulted I ask for only what I need to keep my own risk down but it
is always a surprise to my clients I don't want PII I don't need and only the
data that my model will help enhance.

~~~
duxup
Yeah I had a similar experience in terms of security being strong in one
place... and non-existent (as I describe) elsewhere.

Some of our customers did have pretty strong processes in some places... but
then zero when a process changes or something like that.

Lots of: "Oh no we can't do that because <security>".

Ok makes sense. It's a hassle but it is a good policy.

"But you can..."

All sense out the window, everything is undone.

~~~
Zenst
It's a tale that plays out in many forms. In the early 80's I worked for a
government entity and had tough physical security to enter the building -
however, monthly fire drill would see this large building empty onto the open
carpark that was easily accessible as no perimeter fence and with that and the
aspect that when re entering the building after the fire-drill, there was
always one fire door open to circumvent the bottleneck at reception and with
that - no security checks then.

Though many instances of weak links in process due to human nature that get
overlooked and only come to light once there is an incident.

Which is the crux, incidents cause things to change, yet if you see that
potential flaw the gravitas you have in flagging that issue is often
dismissed because it hasn't happened. That is sadly often a pattern we see
play out time and time again in many forms.

~~~
murph-almighty
Literally yesterday we had an issue with someone trying to piggyback into the
office behind an employee who had badged in. Said person was intoxicated and
removed his pants in the elevator, so it was immediately apparent there was a
problem, but what happens when it's someone more nondescript?

~~~
grimjack00
About two years after my company was bought by a larger one, I was the first
person at the office one morning, only to find someone waiting outside the
doors. Before I could ask, he introduced himself as an employee from an
out-of-town office, and produced a company ID, so I let him in with me.

We had been told to expect some visitors from that office, but I was almost
hoping he was not legit, since most of us at my location still do not have a
company ID, so I couldn't really say if his was real or not.

------
baybal2
I'd also remind that Twitter is surprisingly leaky for Chinese using it, even
for people who can get foreign simcards to register an account.

API leak is one hypothesis, another one is that they got a mole there too.

The same goes to Facebook. A number of FB users got detained in China with no
better explanation than MSS getting access to FB's internal information like
phone ID and IMSI data in user database.

The most probable explanation people have crafted is the following:

1. Using internal or external tips, MSS gets user account info of a person of
interest

2. Their mole accesses the user database for info on cookies, IMSI,
advertising ID and such

3. MSS then cross-references the data with data on the open market, like IMSI
databases sold by mobile advertising companies

4. One way ticket to Heilongjiang is issued the next day, once the identity
of the person is confirmed using logs of phone companies or ISPs.

~~~
j-c-hewitt
Why would a serious government not walk through the open door and take what
they needed while their agents collect two salaries? It's just a win-win for
foreign intelligence. They would be negligent in their duties to NOT
infiltrate US companies with open doors and permissive, trusting internal
policies about user data.

Then the company can do the liability minimization dance when the FBI comes
and points out that they are running a cheap data service for foreign spies.
"We, uh, had no idea..."

~~~
meowface
Absolutely. It's their job to do this.

But what should large tech companies do? Avoid hiring people from certain
countries/heritages? Obviously that's not fair and not a good look. Same for
putting extra monitoring on them. This is independent of Twitter apparently
trying to downplay this and cover it up, which of course is wrong. It just
seems like preventing this is really tough unless you state "we won't hire
anyone who's lived in, was born in, or whose parents are from China, Iran,
Saudi Arabia, or Russia", which is untenable.

~~~
mc32
Instead of targeted monitoring, monitor everyone who has a certain level of
access regardless of origin? It's not like it's not scalable, obviously they
are capable of widescale automation.

~~~
meowface
It's really not that easy to monitor for every possible
violation/exfiltration, especially at that scale. Of course those need to be
monitored for, but they're never perfect. NSA obviously had mechanisms to
detect this, but it didn't work for Snowden.

They likely have already had such monitoring in place for years, and are
probably augmenting it now. It just didn't work.

------
loup-vaillant
> _Ali Alzabarah was panicked. His heart raced as he drove home from Twitter’s
> San Francisco headquarters in the early evening on Dec. 2, 2015._

Ok, how could you possibly know that? That's a pretty good _guess_, but
writing it like it was the start of a novel… feels like read bait, really.
Especially given the following:

> _Alzabarah, Abouammo, and al-Asaker did not respond to requests for
> comment._

~~~
herendin2
In the same article, the FBI quotes his private messages from his email
account that same year.

------
mc32
I don’t know why they started the blue checkmark.

It’s not to verify identity. It’s more like imprimatur (anointed by Twitter as
whatever). And that is stupid because it’s basically up to the whims of the
company and becomes open to abuse internally and externally.

~~~
goatinaboat
It originally was to verify identity. Then they started withdrawing it from
controversial figures, as if those people stopped being who they really were
overnight. Nowadays it just means “this person's views are endorsed by Twitter
staff”.

~~~
SpicyLemonZest
That's surely not true. Lots of people have blue checks even though Twitter
staff would never endorse their views - Ben Shapiro, Steven Crowder, Candace
Owens, and so on.

~~~
wpietri
You're correct that it's generally not true. But the grain of truth is that
they did punish some notable jerks by removal of verified status:
https://money.cnn.com/2017/11/15/technology/twitter-verification-remove-new-policy/index.html

IMHO these were pretty clear anti-abuse actions. But of course those people
claim that they were being punished for their views.

~~~
mc32
I think the claim is a little more nuanced. Basically yes those people went
over a line and got punished but at least some claim that others also go over
that line but don’t get punished (as often).

I don’t know how true that rings.

------
komali2
I remember serious concerns about Australian citizens suddenly being legally
required to be spies for the Australian government regardless of where in the
world they're working due to a new anti encryption law sometime in 2016. That
and Twitter somehow being caught with their pants down regarding user phone
numbers and other personal information makes it all the more important that
all the engineers and product people on this site make it very clear to
management that the systems must be set up in a way that simply doesn't allow
people to access that information. It's morally good and it might prevent you
from making the papers as a host of a bunch of spies that got your Chinese,
Saudi Arabian, or Turkish users assassinated or jailed.

~~~
jacques_chester
> _regardless of where in the world they're working_

I don't think this is correct. The legislation as drafted didn't seem to claim
extra-territoriality and courts will basically never interpret legislation as
being extra-territorial without an explicit clause.

There's also the point that if you are overseas and refuse to comply with a
request by ASIO or whathaveyou, they can't legally arrest you outside of
Australia. In theory they'd need to ask for your extradition, but that
requires equivalent laws to be in operation in the country you're extraditing
from. But you'd be at risk of arrest upon returning to Australia.

That doesn't stop it from being a terrible law. And it also doesn't stop me
from not being a lawyer who isn't giving legal advice.

------
dgellow
> At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI
> complaint, who arrived in a white SUV two hours later. Driving around
> Alzabarah’s neighborhood, the two men called “Foreign Official-l” —
> al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22
> p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul
> general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after
> midnight, the consul general called Alzabarah back and spoke with him for
> three minutes.

Slightly off-topic: I feel that gives a good idea of how much information can
be extracted from very simple metadata (here timestamp and number called) in
that kind of context.

------
BrandoElFollito
Shit happens (a spy makes his way to your organization). In large companies,
especially such as Twitter, there are processes to handle such cases.

The process does not include firing the employer first thing in the morning.
It includes calling the equivalent of the FBI for your country.

The way Twitter failed to handle this case is staggering.

------
grandridge
They bought a huge chunk?

~~~
Natsu
Why is this downvoted? It's true:

https://qz.com/519388/this-saudi-prince-now-owns-more-of-twitter-than-jack-dorsey-does/

"Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 invested $300
million in the social network, now owns 34.9 million shares of Twitter’s
common stock, according to a new regulatory filing (pdf)."

That is from 2015, but as far as I know he still owns a huge stake in the
company. It would seem relevant when discussing SA's influence on Twitter, but
I don't see it mentioned in the article for some reason.

~~~
duxup
The downvotes are because the "infiltrated twitter" in the story has nothing
to do with the investment.

~~~
pseingatl
Sure. Nothing at all. Except that Prince Walid surrendered his investment to
the same people who ran moles at Twitter. Nothing to see here. It's just a
coincidence. Move along.

~~~
j-c-hewitt
They didn't really need the investment to plant the spies. He just applied for
a job and got it. Any foreign spy can do the same and nothing will change.

~~~
Natsu
This seems to me like focusing on the trees instead of the forest. I would
think that when discussing Saudi control over a company, we might be
interested in more than just some low-level henchmen, but maybe the Saudi
prince who owns a third of the company.

To hear some other people talk, this is "conspiracy" territory now. But c'mon,
we're supposed to believe that some nobody henchmen are solely responsible for
this and ignore the fact that the Saudis own a third of the company.

~~~
duxup
> we're supposed to believe that some nobody henchmen are solely responsible
> for this and ignore the fact that the Saudis own a third of the company

Without proof for your second part... yes.

------
BryantD
I was wondering if it was an SRE when the original story came out.

I'd be interested in seeing perspectives on how you avoid this scenario. While
you could isolate data access by team in many models, you're still going to
have engineers who have access to valuable data. Random access audits? But
what about the scenario where your database lives on someone else's hardware?

I guess you could always decide you want to use your cloud provider's
FedRAMP-compliant offerings.

------
seemslegit
tldr; With money.

------
saber6
Yet another reason why Twitter should be banished to the depths of hell - what
a stupid shit-show of a company.

I eagerly anticipate their downfall. Just like I did MySpace. And hopefully
someday, Facebook. Fuck these parasites.

~~~
dang
OK, but please don't post unsubstantive comments to Hacker News. Maybe you
don't owe shit-shows of companies better, but you owe this community better if
you're commenting here.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
onetimemanytime
People from certain countries are different, they have different values and
some loyalties to the old country. IMO, it's wayyy much easier to corrupt
people from second or even third world countries, there corruption is the
norm.

Money is not an issue for a nation state and then they can fix things for
family back home etc etc so they are bound to find people that say yes.

