Ex-Twitter exec blows the whistle, alleging reckless cybersecurity policies (cnn.com)
1005 points by razin on Aug 23, 2022 | hide | past | favorite | 603 comments



Millennials and GenZ may have no idea who Mudge is. I, however, almost lost my first job out of college at a bank because I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords. I showed my boss, and he pulled me aside into another room and tore my head off for irresponsibly running this tool against a production server. He said I could have been fired if this got out, but he covered my ass, sent out an email requesting everyone reset their passwords, and let me continue working. I learned a good lesson because even though my intentions were good, and it did expose security issues, it was a bit immature and should have been done in a more controlled manner along with the proper clearances.

Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid.

I think Twitter is in real trouble here.


I met Mudge once in my career early on (I was at VA Linux systems circa 1999ish) and I found him intense, an apex intellect, but absolutely affable and self-aware.

He never struck me then, or in any interview or write up since, that he's impulsive, or prone to taking actions like what he's done to Twitter, in a cavalier way. He saw something bad and thinks something should be done to address it.

He likely made that decision because the culture at Twitter is as bolloxed as he states (maybe worse), and that it's one thing to fire a guy, but to do so to hide damning truths, and expect that person to just accept their fate AND let you get away with it without a cost is in this day and age, a farcical hope. Your "Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid." is spot-on.


Yeah - comparing mudge's history with the email the Twitter CEO sent to internal employees and the situation seems crazy? Always hard to know from the outside, but this paired with Jack leaving seemingly frustrated with the board looks really bad.

I know people have thought Twitter was mismanaged for a while, but seems like it's a lot worse than I thought it was (and the CEO seems more vindictively bad than I would have guessed).

Plus the total lack of principles around speech and just doing whatever Russia, India, or KSA wants? Including hiring foreign agents? Also covering up bad security issues in reporting? It'll be interesting to see what happens from here as more comes out.

The internal Twitter email: https://twitter.com/austen/status/1562150058727919616?s=21&t...


Yeah, I think we're in lockstep here.

I'm no fan of Musk (he's truly worked very hard to be the most provocatively pustulent punkass of tech) but that doesn't mean that Twitter leadership is any better. Just not as well PR'd.

Dorsey himself was mostly an imbecile who drank too much of his own Kool Aid. Twitter has for years been the standard bearer for the most opaque, and incoherent content management; from user feedback to bots, just a village with only idiots. It was eventually going to catch up to them, the question now is to whom does the bulk of the suffering land on, not whether it lands or not.


I’m a huge musk fan, but I still think his trying to get out of the Twitter deal is lame buyer's remorse and his arguments are weak. I see it as mostly unrelated to this mudge issue.


Never been a "fan" of a personality, but I used to really like Tesla and SpaceX, but after hearing a little about how their critical software is...not developed like critical software...I am very wary of what kind of engineering is going over there. With Musk deciding to amp up his celebrity with Twitter antics, I just can't respect him any more.


Can you elaborate? I'm very curious how they develop software.


Without getting into details, AFAICT they do not use any typical high-assurance software stacks, such as Ada or Spark or such that might be typical in avionics, like Airbus software. They use off-the-shelf tools like C++ and LLVM.


You don't know what kind of tools they've developed internally and Ada/Spark is far from the end-all be-all of high assurance programming.

High assurance comes from the overall systems design and testing, not the software itself. After all, radiation can cause any piece of software, including those written in Ada, to completely skip instructions.


There's obviously a lot of legacy Ada out there, but would you say it's 'typical' for new code being written? I don't have that sense. There's probably more MISRA C/++ code floating around at this point. I have no idea how compliant SX is, but I've heard mentions of Power of 10 rules and JPL standards. For what it's worth, their track record doesn't seem concerning nowadays.


I think commercial avionics is the only place you still find ada. Cars have been c or c++ even for safety critical for many years. Even defense abandoned ada well over a decade ago, and they invented it right? And medical jumped right on the windows ce bandwagon as soon as it popped up... I feel like a good pipeline with lots of static analysis, asan, and really good tests is probably the best you can expect out of safety critical stuff these days. The days of provably safe software, and certified compilers are probably gone. And if you told me tesla was using folders with dates in the names for version control, and they preferred to test in production, I wouldn't be surprised. Horrified, but not surprised.


Well, US defense industry got a waiver for C++ in JSF but I'm not sure if I'd call it a success story.

A lot of stuff is still going on legacy stacks that Ada was created to replace


Not to rain on your parade, but neither do any of the other automotive companies. Ada and SPARK are amazing, but I don't think I've seen them used outside aerospace/defence.


Oh they are unrelated, but he will leverage the Mudge moment for all it can be.


Musk posted a meme explaining why he pulled out.

https://twitter.com/elonmusk/status/1546344529460174849


Yeah - but that's dumb bullshit. He can't legally pull out because of that.

He waived all of that to force Twitter to agree to the deal (because it'd be basically impossible for the board to reject it). This made sense at the time, because the board was looking for ways to weasel out of it because (imo) they politically don't like Musk. Then the market crashed and suddenly he was overpaying a ton for Twitter, then he complains about bots (this isn't new information from when he made the deal).

Whether or not the bots thing is true isn't even relevant based on the deal he put forward.

I think he earnestly wanted to buy Twitter for principled reasons around speech which I agree with. He structured the deal in such a way where Twitter's board couldn't reject it (because it was so favorable to shareholders). Then when the market tanked the deal way overpriced Twitter, but he had already committed to it so he's trying everything to get out of it. I suspect he actually believes the things he's arguing (he's always seemed pretty earnest to me), I just think he's wrong in this case and it's mostly driven by motivated reasoning.

That doesn't mean Twitter isn't a disaster, just that they're in the right with regard to him having to close the deal.


>I think he earnestly wanted to buy Twitter for principled reasons around speech which I agree with. He structured the deal in such a way where Twitter's board couldn't reject it (because it was so favorable to shareholders). Then when the market tanked the deal way overpriced Twitter, but he had already committed to it so he's trying everything to get out of it.

That's not how business valuations work (it's how speculation works). If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now - the fundamentals of the business haven't changed.


I mean, okay. But it's not like he had $44B in cash lying around.

Implicitly, this was always, "I'm going to trade X% of Tesla for 100% of Twitter." Then the valuation of both Twitter and Tesla dropped, so to the extent that you think the "value" of a business is wholly determined by its fundamentals, then okay, they're both still the same "value" but now have lower prices.

Except that he hadn't sold the Tesla yet, so he was trading Tesla (at new lower price) for Twitter (at old higher price), and if you previously thought that X% of Tesla was worth Twitter, and Twitter is still worth the same thing, it's now X+Y% of Tesla.

Of course, it's not like the fundamentals of Twitter didn't change. Twitter's revenue comes from advertising, and it's entirely reasonable to believe that it was actually materially affected by the economic downturn, not just in terms of the speculation of the stock, but by how the business functions.

(None of this is to take the position that Musk ought to be able to back out of the deal: if the market had gone even hotter and now Musk could've traded less than X% of Tesla for the agreed upon, now conservative price for Twitter, it's not like the deal would've been renegotiated.)


One could argue that the value of a company is the sum of net present value of the future free cash flows it can produce. If the market crash is because of people realizing there is a recession coming for example, it makes sense to update your expectations about the net present value of future cash flows - probably in sum a bit lower than before.


Valuation involves imperfect information. As the information changes so does the valuation.


"If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now"

That's a big if - I think a lot of this stuff is more speculation than any sort of fundamental cash flow valuation. A lot of Twitter's actual value (its network effect and influence) is hard to measure anyway.


> That's not how business valuations work (it's how speculation works). If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now - the fundamentals of the business haven't changed.

Some "fundamentals" of a business like twitter's value are:

1. Product/market fit, finances, etc. What you mean by "fundamentals" I think.

2. How easy it is for them to raise money (i.e. the "public sentiment" of VC towards their company and the industry)

3. How likely it is for regulation to stifle their growth, which is a derivative of public sentiment.

4. How much shares can be sold for, i.e. the public sentiment about how much it's worth.

5. Predicted future sentiment of their users and of advertisers, both of which impact expected future revenue.

2-5 all change with public sentiment, and a market crash changes public sentiment of many companies at once.

It's self-evident that elon musk is overpaying more now than before unless you insist that twitter's value is not actually related to 2-5 above, or 2-5 above should have been trivially predictable 100% accurately already as part of its "fundamentals", both of which seem obviously silly.


He literally said he was buying it to fix the bot problem. It's not like he was unaware that bots existed on twitter.


Right? Elon was pretty much insinuating, before the deal, that he thought the bot problem on twitter was much bigger than what Twitter officially stated. And now he's trying to get out of the deal by claiming that the bot problem on twitter was much bigger than what Twitter officially stated.


The why doesn't matter, he explicitly waived the ability to back out of the deal for any of the reasons he's cited.

Twitter is a tyre pyre, but he should have thought about that before putting ink on that deal.


He is trying to get out of the deal because he's about to lose billions of dollars buying a pretty crappy company. All this stuff about bots is dishonest nonsense. He could have chosen to do due diligence, and chose not to.


granted, I'm not entirely certain Musk wants to pull out vs. getting a better price/discount on the purchase...


If Musk actually believes this represents anything it puts his IQ in the single digit - low double digits range.


So what you're saying is that an idiot can become the richest man in the world without being born into it?

How often has that happened in the entire history?


If 5 billion people flip coins all day long one of them will eventually flip only heads all day.

Profoundly dumb people have been heads of state, CEOs etc. So why not the richest person in the world?

Alternative suggestion would be that he doesn't actually believe that the reason he is trying not to buy twitter is the reason he was buying twitter.


>Profoundly dumb people have been heads of state, CEOs etc. So why not the richest person in the world?

It's simple to explain away - other people have appointed heads of state. And I have not heard of an idiot (in medical sense) top20 Forbes list CEO who's also been there since day 1 (i.e. the founder, not some figurehead appointed by a board for an arbitrary reason).

Can you appoint yourself the strongest person in the world or the fastest 100m runner in the world?

[0] While someone like the Saudi king or Putin can in theory allocate their respective states' funds to themselves and thus become the richest, that would simply be converting power into money, and not a result of some kind of entrepreneurial ability.

>If 5 billion people flip coins all day long one of them will eventually flip only heads all day.

This argument is flawed since that would assume a person would win some money every time they flipped correctly, when in reality nobody is going to pay anyone for succeeding in a flip. And applying that directly to business also breaks down because it is self-evident that the ways to lose money greatly outnumber the ways to gain money.


What is amusing is I am a fan of musk precisely because "he's truly worked very hard to be the most provocatively pustulent punkass of tech"

I tend to like people that blow up social norms and conventions


What like calling a first responder a pedophile?


That's a major error in judgement. Even billionaires are capable of this


The man injected himself into an ongoing crisis he had little insight into, and when rejected, his ego was so hurt that he used his influence to accuse individuals he knew nothing about of pedophilia, all while they were in the midst of trying to rescue a dozen children from imminent death.

That’s not a “major error in judgement”. That’s the behavior of a completely deranged individual.


> completely deranged individual

That's quite a large exaggeration. I can think of some much much worse things that an actual "completely deranged individual" would do.

Musk was butthurt and lashed out. That does not equal "completely deranged individual"


> Musk was butthurt and lashed out. That does not equal "completely deranged individual"

Lashed out in a way where, given his influence, he could easily ruin the person's life. Which is bad in and of itself. But he did it while the man was actively involved in trying to save a dozen children from immediate death. And then doubled down later.

That is deranged.


"Musk was butthurt and lashed out. That does not equal "completely deranged individual" "

When you have the kind of audience and pull he has, unless you are totally daft to it (which he shows no sign of) then yes it's very abusively deranged.


Doubling down is worse than error in judgement.


lmao the extent to which the tech crowd will defend all of his stupidity and let him get away with a slap on his wrist. He had a megalomaniac ego moment and called some of the greatest heroes to have ever existed pedophiles for being the only people capable of pulling off a rescue like that. One of them died in the rescue efforts. Musk is all the way up his own ass, and this needs to be acknowledged regardless of his supposed "genius".


No, calling out government, twitter, etc. on their BS


> Plus the total lack of principles around speech and just doing whatever Russia, India, or KSA wants?

Twitter is most definitely not doing whatever Russia wants. It's markedly hostile to Russia and frequently removes "pro-Russia" accounts, which speaks to your initial point, that it has a total lack of principles around speech.


I agree. I grant it’s possible Mudge is

A) an old hand and doesn’t know how to run a security program with the tech today

B) a strong tech hire who can’t lead a program.

But Mudge is still… Mudge, and he’s also proven his ability to collaborate so if he was a bull in a china shop at twitter, that would be surprising.

There’s also a broader trend here of well known security leads that originate from that time working at social media and leaving quickly, like Alex Stamos, who also u-turned out of Facebook.

So are the odds higher that Mudge did a bad job, or this set of companies are not great internally and old guard security leads are pointing it out? The twitter CEO letter framing him as a bad employee doesn’t address this context.


I read the full whistle-blower complaint, and the whole story from his perspective (and the crazy statement from Agrawal) looks like it's not B. Instead, it looks like it was a culture clash with his manager.

He seems to have tried to escalate things to people above Agrawal nearly constantly. He was hired by Jack Dorsey, and felt accountable to him and to the board, but he reported to Agrawal, who believed that Mudge had a responsibility to follow the chain of command very rigidly.

I have previously had managers who want you to rigidly follow the chain of command, and if you are a "hacker" type, they are a shock (and you are a shock to them). They are often very interested in controlling information that goes upward and how mandates flow downward through them (both to control their reputation and make sure everyone gets information in "proper context"), to the point that they see it as an attack on their position to even speak with their manager. A "hacker" would rather put the information in front of the people who need it, instead of filtering it through the hierarchy.

At the first opportunity Agrawal had to clean house, he cleaned out Mudge because he didn't want to work with him. House cleaning is normal for a new CEO. From Agrawal's perspective, Mudge did a terrible job, since he wanted to circumvent Agrawal.


I wouldn't paint with too broad of a brush in this instance, however. Yes, mudge is the ur-hacker, but also: he worked at BBN and DARPA (where he was extremely effective) and elsewhere. He probably has the most experience of any technical/hacker on the planet of working with executives in large organizations.

Agrawal's memo, in contrast, reeks of insecurity. The combination of how he's treated mudge and Rishi Sunak and the potential consequences of this complaint (particularly if FTC investigates and finds Twitter has not been following the consent decree) boxes him into a corner -- he won't be able to recruit the talent to solve these security problems and will be seen as an impediment to compliance/mitigation. I could easily see the FTC et al insisting on his resignation as part of a settlement. It's an own-goal.


A security lead who didn't try to raise major issues around a bad boss would be doing a bad job.


What's the story with Rishi Sunak? Assuming you mean the candidate for Conservative Party leader and thus UK PM, I wasn't aware of such a connection.


Rinki Sethi. OP meant Rinki Sethi. (CISO of Twitter until January, left at the same time as Mudge)


Oh, yes, thank you! I can't edit my comment anymore, but, yes, Rinki Sethi, apologies for the confusion.


Thank you for the clarification, this got me confused too!


I have spoken to a few DARPA program managers before, and they are usually amazingly smart people who are great at corporate politics. This doesn't sound like someone who is bad at corporate politics, just someone who underestimated the humility with which his manager would approach his job. No disrespect at all to Mudge, I think he did the right thing. Unfortunately, he didn't "manage up" very well in this instance.


> He was hired by Jack Dorsey, and felt accountable to him and to the board, but he reported to Agrawal, who believed that Mudge had a responsibility to follow the chain of command very rigidly.

With $10mm cash bonuses on the table it’s extremely obvious why Agrawal would insist on being MITM


When you think your job is to tell your boss's boss (and their promotion committee) why your boss is doing a bad job, you're not in for a happy time.


Which sucks because plenty of times it's true.


Would Agrawal get cash bonuses? If ... Under what conditions? (Anywhere to read about that?)

Aha, eg:

https://www.dailymail.co.uk/news/article-10258453/Twitters-n...

So his performance bonuses are more than 10x his salary - incentives to fake good numbers and hide the bad stuff, indeed!


I guess the basic question to be asked here is how come nobodies like Agrawal get to make decisions like that.


> I read the full whistle-blower complaint

The content of the complaint is all that matters, and it should be judged on its own merits. It never matters who said what, and attempting to make it matter is ad hominem fallacy; it is what is said that matters.

That said, I can't quite fathom why Twitter's cybersecurity matters any more than the cybersecurity of any of the myriad of online forums, HN included: the "data" simply isn't all that important; it is all public, it is all talk, and talk, as we know, is cheap. Say Twitter is completely overrun by foreign state actors who delete everything. The outrage is going to be minimal. "Dang, I really enjoyed mouthing off on Twitter. Oh, well."


The algorithms are not public, and as the public square of present, Twitter essentially drives public discourse... especially when a large portion of the legacy media has been reduced to sourcing their stories and directly quoting from Twitter.

Secondly, private messages between people are not public either. Opening that data up or allowing it to be read or manipulated by other entities will drive a lot of outrage and the data contained within is important!


+1. Additionally IP addresses, email and phone numbers can be extremely sensitive if leaked, so security is absolutely paramount. Case in point: imagine the risk to activists or journalists in heavily censored countries.


Please name one time in the history of TCP/IP that leaked IP addresses led to anything at all.


Sure, when popular social media influencers have their IP leaked they get DDoS'ed and are not able to earn a living until they get a new IP. For some ISPs this requires them to lodge a support ticket.

When gaming services leak IPs, they too can get DDoS'ed. E.g. during tournaments or when someone is losing their match.


Certainly led to myself and other shitheads in my youth DoS'ing each other's dialup connections on IRC to settle arguments.


>The algorithms are not public,

Seriously, so what? Twitter's IP does not affect national security.

>and as the public square of present, Twitter essentially drives public discourse...

This is being awfully kind to a platform that 77% of Americans have absolutely nothing to do with.

>especially when a large portion of the legacy media has been reduced to sourcing their stories and directly quoting from Twitter.

Ah, legacy media, conservative politispeak for CBS, NBC, ABC, CNN, etc. Can't get away from Twitter on the major networks anymore, it's Twitter all the time? Just what in the heck are you talking about? Turn the news on sometime. The only reason for Twitter to be in the news is Elon Musk (previously, Trump). Or, you know, give one example of a major news outlet using Twitter as source for a story. Real journalists do not do that. They use legitimate sources.

> Secondly, private messages between people are not public either. Opening that data up or allowing it to be read or manipulated by other entities will drive a lot of outrage and the data contained within is important!

Absurd. No one cares what you say in private to a complete stranger you'll never meet.


>Twitter's IP does not affect national security

Governments and their respective departments (at all levels: federal, state, local, etc.) communicate with their constituents via social media, Twitter in particular as well as via the media outlets that will report on said statements from Twitter.

Change the algorithm such that those messages no longer reach people and you can bet the respective countries will pass legislation and punitive measures against Twitter.

>This is being awfully kind to a platform that 77% of Americans have absolutely nothing to do with

Except I outlined some of the other ways people interact with Twitter, even without accounts. You seem to be incredulous that other forms of media rely on Twitter... You should look a bit closer next time you turn the TV on.

I just did and there was a segment about Russia playing titled "'Slower burn' of Russia's economy has begun". Guess where almost all of the footage they aired came from? Twitter. Guess how the reporters are finding people on the ground to interview? Twitter. Guess how analysts are keeping abreast of military developments (e.g. troop movement, statements released by governments, etc.)? Twitter.

>Absurd. No one cares what you say in private to a complete stranger you'll never meet.

Many service providers conduct customer service via DMs these days. My ISP's preferred lines of contact are Twitter and WhatsApp. Even if we take a step back, do you truly believe that there are no people sharing sensitive information between each other via private messages?


> Say Twitter is completely overrun by foreign state actors who delete everything.

That's not what's dangerous.

Instead, dangerous things include manipulating the algorithms so that "news" of one's choice get lots of visibility. Then a foreign state can influence the elections.


> Then a foreign state can influence the elections

I think this is bollocks. 23% of Americans say they use Twitter. 61% of Americans voted in the last Presidential election. So with my bad math, say a foreign state somehow gets every possible Twitter user's vote going their way, at best it's going to bamboozle 14% of weak-minded Americans. That's at best, the perfect and unbeatable score. The reality is that most Twitter users are not obsessed with the platform, and most Americans are not on the fence with their votes. This concern is not really supportable.


14%, even just 4%, is a lot, can be enough to decide an election. Often the parties are close to 50% each.

In addition to that, the manipulators / nation states don't attack only via Twitter, and, everything combined ...


I was kind of curious about this as well, though I suppose if a politician’s account was compromised it could cause some pretty major embarrassment or maybe even conflict. Are DMs a thing on Twitter? Having those compromised might be pretty serious too.


Actually, this already happened,[1] and we were doomed because of it. Fetishes are fine, but those people need to look away from Twitter sometimes and get a grip.

[1] https://www.bbc.com/news/technology-53425822


> B) a strong tech hire who can’t lead a program.

I worked with Mudge (not super close, but enough to see how he worked across teams etc) and can certainly say this is not the case. At least when I saw him Mudge was excellent at the program leadership aspect of his role. At one point he ended up a DARPA PM. You can't go from L0pht to DARPA without getting really good at working with other people and leading projects.

While he was always a notable presence, he was also never prone to drama, and very good at having ego when it was important but never letting it get in the way.

Additionally all of the details sound like every KPI chasing consumer facing tech company I've ever worked with. I think we all know a few very competent people who have stood up to leadership at insane tech companies and ultimately gotten fired for it.


Even 20 years ago, extremely well spoken and has worked at high political levels...

https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-...


I agree with everything you said, but I'd like to play devil's advocate here. Mudge has worked:

  * L0pht / @stake: security research, red teaming, and source code auditing, IIRC.
  * BBN: research.
  * NFR: technical advisory board.
  * DARPA: Managing a program that provided grants for new security products and tools.
  * Google ATAP: Google's "invention studio".
  * CyberUL: Testing of security products.
None of these jobs really suggest a background in building a security program. I've worked with some large companies in a similar space to Twitter building their security programs and you can spend the first 6-12 months just trying to justify the new budget. Often that money has to come from another team or teams and he would have to justify that. He was apparently only there roughly a year.

Again, I don't doubt Mudge's bona fides. I don't doubt his security knowledge. But this job was nothing like any he's had in the past.

I also don't doubt his claims. Everything he's stated is almost certainly true. It does take more than a year to fix most of these problems and I wonder if he just got frustrated with the political battles that occur in these situations.


Well, you can devils-advocate anyone into an incompetent.

Decades of experience as a rebellious hacker? Well, that's not commercial experience. Founded a security consultancy? Too small, they just don't know how to operate in a large bureaucracy. Worked at a secretive company as an individual contributor? They've been completely silent in public, clearly they haven't achieved anything interesting in years. Working elsewhere as an individual contributor? They just don't know how to build a team. Decades as a senior manager at a huge multinational corporation? Out of touch bullshitter, stale coding skills, doesn't know how we really do things these days.


You left out that he built the security program at Stripe.


He led the Security team at Stripe for a time, but it was a functioning team before he arrived.


The subject of security consultants, security departments, and whistleblowing seems to me to be of particular concern.

I mean, if an auditor publicly reports an audit finding that is ignored by the company and his ethics demand its reporting, is he branded a "whistleblower"? I do not think so, instead it is an "auditor finding". Why does that not apply here?

It kind of dovetails with how pathetically organized IT in general is from a professional standpoint. Lawyers, Doctors, ... ?Accountants? and the like have centuries-codified procedures, principles, and the like for ethics. You generally don't get to hire one of those and tell them how to breach ethics (now, there are a lot of corrupt lawyers and a lot of corrupt accountants see: Arthur Andersen).

The exploit industry has the 0day and x days of forewarning process, so there is that, but the fact a security consultant/professional gets accused of whistleblowing when... um, isn't that sort of the point? You hire a security consultant kind of like an auditor. And if auditors find major failings and they aren't addressed, aren't they supposed to report them?

I'm pretty sure the security IT industry does not have even accountant levels of professional conduct and organizations.

As IT subsumes and infiltrates, now to the point that fundamental bill of rights / human rights are dependent on secure and functioning IT systems, it gets... a bit more important. Arguably more important than the ethics around accountants and doctors. Lawyers, because they deal with the law, are probably more important still, but it shows that IT security may be rising in import to that level.


That's not really how auditors work. Auditors either give the client a letter saying what the client wants it to say[0] or decline to provide the client with that letter. They do not go public with their reasons.

[0] Companies want the letter to say whatever their regulators and/or contractual obligations demand that it say.


If a public company gets an accounting audited and they find irregularities it is not subject to public disclosure requirements?

Twitter is a publicly held company.

I'm sure there are conflicts of interest and some degree of confidentiality for auditors and clients, but there is a fundamental public interest of disclosure, at a minimum to the government, in the event of irregularities.

From the SEC:

"In addition, we will continue to focus on auditors. As the Supreme Court noted nearly 30 years ago in U.S. v. Arthur Young & Co., 465 U.S. 805 (1984), auditors play a crucial role in the financial reporting process by serving as the “public watchdog.” So, it is important that we carefully monitor their work and ensure that they fully comply with their professional obligations. If there is a significant restatement or if we learn about improper accounting from a whistleblower, our proactive efforts, or the media, then you can expect that we will scrutinize not only the CEO, CFO and Controller, but also the engagement partner, engagement quality reviewer, and the auditing firm as a whole. We are going to probe the quality of the audit and determine whether the auditors missed or ignored red flags, whether they have proper documentation, and whether they followed professional standards.

And it is important to remember that our ability to bring Rule 102(e) bars against auditors extends beyond instances where there are accounting irregularities at a public company. Our Rule 102(e) program is remedial in nature and meant to protect the integrity of the Commission’s processes. As a result, we can and have investigated auditors when their audits fail to meet the most basic standards, regardless of whether there was an actual problem with the auditing client. By pursuing actions over these bad audits, we can fully leverage the Division’s resources and close off access to those who shirk their responsibilities as gatekeepers to the securities markets."

-------

From there you can see legal and institutional gravitas, ethics, and expectations of accountants and auditors of public companies. That's kind of what I'm getting at re: elevating security and certain IT roles to higher responsibility and codification.

Now, is this a smear attempt by Jack Dorsey in relation to the Elon Musk lawsuit? Eh, maybe.


If a public company's auditors find irregularities they work with the company's management to resolve them. If, eventually, the auditors decide there are irreconcilable differences, they will resign, and provide reasons for their resignation in the resignation letter to the company. At that point, it is up to the company to decide whether or not those findings are significant enough that they need to be released to the public. The SEC will consider any auditor resignation for cause to be significant enough that it has to be disclosed, but that doesn't mean that companies will actually do it, as you can see by a bunch of enforcement actions relating to exactly that:

https://www.investor.gov/introduction-investing/general-reso...

(search for "resign")

The SEC quote is about requiring auditors to meet their professional standards. Those standards require them to follow certain processes, things like needing to see evidence for certain things, and not both preparing the books and auditing them, and require that they not issue letters they don't actually agree with. Those standards do not require informing the public or regulators about problems they find.

There's certainly something to be said for having some codified professional standards for infosec professionals, but if public or regulator notice is something you think is important to be in those standards you shouldn't model them off of the standards for auditors, because auditors have no such professional responsibility.


I think it was '96? I was working at Taos Mountain at the time. At that time, Taos had a reasonably close relation to Randal Schwartz ( https://www.oreilly.com/library/view/learning-perl-6th/97814... ) and he gave a talk for contractors which was titled "Just Another (convicted) Perl Hacker".

In that talk he told of his time at Intel and running crack on a shiny new sparc and all the problems that caused.

The focus of it was a "how not to get into trouble as a contractor".

Somewhere, I've still got my pink camel book with duct taped edges (for durability) with his signature on the inside title page.


In any case, your own chief of security coming out and saying your security is crap would be devastating for any company. But when it's a person with a credentials list like Mudge's, one can be quite sure he's not just doing it because of some disagreement about salary and vacation days, and it would be impossible to dismiss this as a "disgruntled employee issue". Twitter would probably try anyway, but it won't work.

Twitter is going to be in a lot of hot water now, and I can't imagine Musk isn't going to milk this to the last drop.


> I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords.

Lol, did the same thing for a government entity I was working for, also without prior permission. It showed 1/4 of the people used the name of the entity as their password, including 2 users with domain admin credentials. Both of the domain admins weren't even IT people; they were the director and his assistant, who demanded to be admins, because they were 'admin' within the org.

In my case, I didn't get a scolding, but probably should have. As your prior boss said, it was not good to do it on a running production server. Now a restored backup running on a private network...


Twitter Inc. is indeed in very serious trouble if you have someone like Mudge whistleblowing.

Now looking at the chaos, damage control and the PR disaster that is happening at Twitter HQ after this, I have zero confidence in whatever Twitter HQ and the CEO are saying other than admitting their total incompetency toward how they handle information security at the company. All attempts to make this disaster disappear will not only fail, but will eventually backfire.

So what else was Twitter lying about?


Well, it's not even trending on Twitter, which is not really surprising.

There is nothing more evident about the fatal flaws in social media than when news concerning a platform is suppressed on the cited platform.

It highlights the failure of democracy they always purport, and it shows that they really shouldn't display a social "trending" page, because it is subject constantly to the politics and profit making of each platform.

Twitter's trending timeline had long been regarded as an accurate beacon of real life trends, but that really needs to be reevaluated by everyone as the company has regularly displayed "somewhat questionable" behavior in how they manage timelines alone. There is no real way this wouldn't trend somehow on Twitter in my opinion, as it's been on the front page of CNN and many other sites for a long time now.

The security breaches are factual, they have published many incidences of it themselves over years... Their actual reputation for lax security is what works against them most, but it's all on record.


> There is nothing more evident about the fatal flaws in social media than when news concerning a platform is suppressed on the cited platform.

I just looked at the Trending panel and "Mudge" is #12 for me, with 4333 tweets. #11 is "Taco Tuesday", with 4172 tweets. #7 is "Virgo" with 98,500 tweets. So I'm not seeing a lot of evidence of suppression. I think it's just a pretty niche story. I think the allegations are important and worth investigating, but the specific nature of them looks way more interesting to tech insiders than general-audience users.


Everyone has a different trending timeline on Twitter which is now more based on who they follow. The trending timeline is "baked" and dictated also by moderators and paid promotion often... It's why topics like "K-POP" trend so much, even for people that don't even listen to it at all.

If you follow tech personalities, there's a higher chance you'll see the news.

On my music account on Twitter, I don't follow tech personalities and tech news outlets, but I do follow CNN Breaking News, and nothing about this major story has popped up all day long.

This is how the Twitter trending timeline is artificially baked... This story is a very big deal for everyone on Twitter, yet only a fraction of its user base will see the story. Privacy is important to every user on the platform, you'd think Twitter leadership at least would be trying to get a grip on the story first within the platform in a very public manner.

It happens on every major social platform at key points too, highlighting the conflict in their ability to maintain proper social credibility as platforms that report on trends that news channels and other institutions regularly cite.


Given that you understand Twitter ranks based on interests, what's your evidence that this was "suppressed"? Rather than just ranked according to people's interests?

You seem to be saying that people should be interested in this story. I'm not sure I agree, but I definitely believe most Twitter users won't be. Is it a good headline? Sure. But does it have much direct and immediate relevance to their personal lives? Not for most Twitter users.


You really think just after paying an FTC fine, staring down SEC actions, and a huge legal fight with Musk…Twitter is going to “suppress” the content to keep this a secret?

Sure.


I don't have any factual evidence on either side (I don't use Twitter at all, I even have the Nitter extension to never visit that site even when linked to) - but I absolutely can believe they'd go for an "all in" strategy, and keep messing with the feeds even in light of all that. If they felt they have the right and responsibility to control the information and shape the discussion on the Internet, they'd still feel that now, despite all the "mistakes were made" - in fact, they'd probably feel more urge to control things as they feel more threatened. And why not reduce the "misinformation" about their supposed wrongdoings - when all the truest information about it has already been disseminated by them, why allow "irresponsible parties" to "misinform" the public? Surely it should be stopped. It's the way they have always been thinking, why would they change now?


Yea. It works as damage control for credibility, which is under threat not only by the Musk suit, but because of the last huge data breach they had.

Just an opinion mind you, but not from a hater or a "dunce".

This is a huge story of significant relevance to Twitter and all users on the platform.

"Suppressing unfavorable news" these days is just as big and profitable an industry as disinformation is.


I may be _too old_ to know who Mudge is, but I know one of the previous Twitter CISOs, and I believe he quit Twitter, which is a canary sign to me.


I don't because I'm not seeing an organization that will hold them accountable.

- This Congress is ill-equipped to understand tech, much less hold it accountable. As long as the people are happy, Congress is happy.

- Lord knows the people are ill-equipped to get how bad this is. They already watched this company allow a rogue employee to shut off the account of the President of the United States (before they chose to do it as policy; https://www.washingtonpost.com/news/the-switch/wp/2017/11/02...) and watched this company deploy a username-to-telephone lookup service publicly where they'd intended to deploy a security protocol (https://www.ghacks.net/2022/08/08/twitter-confirms-that-a-da...). The public doesn't understand why they should care.

- The only group who could really hold Twitter accountable are shareholders, but why should they care if the public and Congress don't? The money will roll in either way.

Unless they've managed to commit an SEC violation (in which case, slap on the wrist incoming), there are no consequences for this kind of bad behavior until someone powerful gets seriously hurt. I'm glad Mudge is doing the right thing, but extremely pessimistic much will come of it. My recommendation is to shed Twitter as a user.


> - This Congress is ill-equipped to understand tech, much less hold it accountable. As long as the people are happy, Congress is happy.

There's an article I was introduced to yesterday: Do We Need a New Digital Regulatory Agency in the U.S.?

It argues that it is the agencies and the experts within the agencies that need to become more technologically literate to be able to advise on the creation of, and implement, the laws that have tech impacts.

Congress isn't supposed to be experts on subjects, they're supposed to be the representatives of their people with occasional domain knowledge in certain areas of importance to their constituents. We can't (and shouldn't) expect every member of Congress to be an IT expert.

https://techpolicy.press/do-we-need-a-new-digital-regulatory... ( https://news.ycombinator.com/item?id=32555365 )


> My recommendation is to shed Twitter as a user.

I never understood why tech people have such a strange enamor towards Twitter. Can’t be an industry power dev without it. Can’t start a company without it. Having a healthy Twitter following is often more important than having actual users—even to investors. Twitter is digital hype.

I agree. It’s time to replace Twitter. The only question is what exactly is it that anchors people to the platform? Even though it’s hard to imagine, we know that news motivates people (it happened with the WhatsApp -> Signal exodus). Where’s the “Signal for Twitter” we can all migrate to?

If the key is not just creating a social platform, but also a hype engine, maybe what a competitor needs to realize is that hype doesn’t happen in a vacuum. You have to do silly algorithmic things so that content can go viral. Maybe the secret is to be open about how you manufacture hype rather than do it behind closed doors? Maybe in a way that people can verify it was done fairly?


Main problem is that journalists use Twitter; as long as they are there, Twitter will remain the most relevant political forum. It is mandatory for most journalist jobs to be active on Twitter, and since all the journalists are there, anyone who wants publicity will also post on Twitter.


> The only question is what exactly is it that anchors people to the platform

If I had to take a stab, it's a combination of networking effects (obviously), simplicity and the short text limit, which forces authors to mostly be concise and optimize for a 140 character attention span. This is also supercharged by the fact that you can (mostly) access everything anonymously - if I'm linked to Twitter, I know I can read/watch it and it will mostly be concise. I don't even bother clicking a link to FB, for example.


I generally agree that it's unlikely we'll see any serious accountability. However:

> - The only group who could really hold Twitter accountable are shareholders, but why should they care if the public and Congress don't? The money will roll in either way.

This might be what does it, because is it true that the money is and will keep rolling in? Twitter doesn't pay a dividend, and is it reasonable to expect that the company's stock value should increase that much going forward?

Twitter's gross profit numbers aren't as large as you'd think given the household name recognition of the brand. You might be as surprised as I was to discover that meme stocks like AMC and GameStop are approximately the same size as Twitter in terms of gross profit. Perhaps Twitter is just as much of a big name but ailing dinosaur as those businesses? Or if you want to make comparisons within social media, isn't it surprising that Snap's ~$2.8 billion gross profit is right up there with Twitter's ~$3.2 billion? How did that happen? It is also interesting that Snap's market cap is only 2/3 of Twitter's despite a much closer delta between the two companies' reported profits.

On the whole, things aren't looking too good for social media right now; take for example Facebook losing active users YoY. I often wonder what zeitgeist web properties are going to be remembered as a BIG thing that receded in popularity in the course of about a decade, say like bell-bottom denim jeans from the 60s or disco music from the 70s. Could it be social media for the 2010s?

Anyhow, if they aren't paying dividends and they aren't able to keep growing at pace with expectations, what exactly are they delivering in terms of value to shareholders?

Given that the allegations are about defrauding shareholders by actively deceiving them and sweeping things under the rug, Twitter's shareholders might be better off revolting against the current leadership to recoup their losses than looking the other way and letting this slide.


Twitter signed a consent decree with the FTC years ago. This complaint could result in the FTC investigating deeply whether the consent decree is being upheld. If not, there's likely sufficient regulatory force to hold Twitter accountable.

I agree that, generally, it would be better for the US to have a better regulatory mechanism for large tech companies, but the consent decree is likely a strong tool in this particular case.


> This Congress is ill-equipped to understand tech, ...

"This" congress? There are institutional level problems, here.


Ah yes, Lopht Heavy Industries. Indispensable tools at the time.


Always been a fan of "Heavy Industries".


Yup. I've used that with my normal "last name backwards" company name before. I tend to send Christmas and Birthday gifts to siblings with the company field filled in. "Kinetics," "Orbital Bombardment Division," "Relativistic Research," and assorted other things have made their way in, but "Heavy Industries" just has such a nice ring to it.


I love that Wikipedia says it covers "large and heavy products" and/or "large and heavy equipment".

Such a 5-year old boy way of naming things.


I thought I was the only one!


It's a 0, not an 'o'.


l0phtcrack? "Now that's a name I've not heard in a long time." Wow I thought the name Mudge seemed slightly familiar.


Yeah I kinda glossed over the headline and figured, whatever.

Then I clicked through and saw it was Mudge.

Ah jeez.


I did the same thing on a server for a major department store chain in the '90s. I booted a Linux diskette and copied the SAM file to it. I also ran l0phtcrack, or John the Ripper on a 486 (?) PC in my apartment. I think I bought a rainbow table and something else to expand the iterations it would use on the hashes. I let it run for over a week and had a couple of thousand clear passwords. This was for every store west of the Mississippi and included most of the "big-wigs" in our chain.

I was going to send the information to our security people in another state but decided it probably wouldn't be a wise thing to do.

I come across the HDD where I have this stuff archived every now and then and it makes me smile. This was also in the "Free Kevin" days.


So you copied the auth file off company servers

and cracked it on personal systems

and you kept the files and cracked passwords? Not just kept around, but archived?

Dude.


I think most of us in sec do that.


That's a funny story. I have a similar anecdote where I was asked to crack a zip file in a saga related to a dispute with a vendor who gave us a password protected zip file with the deliverables but not the password.

Those were wild times.


It's Twitter. What possible serious security implications could possibly warrant everyone in Washington getting into a frenzy?

All you do is make public comments that have zero value.

And if this is indeed serious, where the fuck have we landed?


A well-timed set of tweets from compromised government and private-sector accounts, coordinated with real stock market activity planned by the attacker such that investors cannot ignore the rumors, could cause a geopolitically significant market panic. This already happened in 2013, and that was with just a single account being compromised: https://business.time.com/2013/04/24/how-does-one-fake-tweet...


In the long run that would be a good thing. It would be an object lesson that investors shouldn't believe anything they read on social media.

Investors always have the option to ignore rumors.


But investors also need to be quick to react if they want to make (serious) money. Ignoring a tweet from a verified account about a disastrous event is not reasonable at all in 99.9% of cases.

What I'm trying to say is, you might be able to discredit Twitter, but you won't fix investors trying to invest ahead of the news.


Bullshit. By many measures Warren Buffett is the most successful investor of our time. He is famous for being slow to react, and he has made some serious money. So I think you don't understand investing.

And if some investors lose money then so what? That is an acceptable outcome. Let them suffer, I have zero sympathy.


OK, Twitter needs to be regulated then. Hardly a private going concern if you are right.


This won't fix the fragility of our economy. It would start a weird exit model for social platforms, though. Get big enough that the US buys you out.


Our economy is not fragile.


The last US President used Twitter as his primary way to communicate with the world. That on its own has serious security implications.

I agree with you that we have landed in not a great place.


I hope we get to a place where we all agree that a sitting U.S. President should not "tweet." The White House maintains a Press Secretary for a reason. Granted, the current person holding the job is no C.J. Cregg.


I don't agree. The US president (and other politicians) should have a convenient way to communicate directly with the public, without the message being distorted by media organizations. Ideally though it should be a service that can't be censored; Twitter frequently censors users based on the arbitrary whims of their employees.


Like traditional secretaries, the WH Press Secretary may have become obsolete.


Both Psaki and Jean-Pierre have been excellent press secretaries. C.J. Cregg is a fictional character written to be superhumanly prescient and witty in response to fictional crises.


> The last US President used Twitter as his primary way to communicate with the world.

Without it sounding like an endorsement or defense of the guy… I never would have believed without seeing it just how furious this made the media and other politicians. That you have a guy come in who said forget the system, I’m going to talk to the people directly (and say some dumb things now and then).

I still attest that some of the Trump hate is solely because groups of people that control the narrative in the US were excluded from creation and forced to be on narrative-adjustment.

Agreed, this isn’t a good place. One platform should not have this level of influence.


It wasn't the platform. As you can see, it took some time, but Trump found a way to do the same without Twitter. Despite all the efforts of Big Tech to control the access to public discussion, they still can't make it airtight, and contain somebody of Trump's caliber. Arguably, they have more luck with people of the smaller caliber though. And that's definitely not a good place. It's not about the specific guy, it's about how eager the Big Social turned out to be to control what we think and what we are allowed to talk about.


>> It's Twitter. What possible serious security implications could possibly warrant everyone in Washington getting into a frenzy?

Considering how widely used Twitter is, at this point we can comfortably assume that most politicians and political operatives, even high profile ones, must have very sensitive information in their Twitter DM inboxes.


Whew, I would assume no one is using Twitter DMs. If they are, these should be 100% personal and unimportant. If not, those people should be investigated, not Twitter.

I'm not defending Twitter, I don't engage with it at all.


> must have very sensitive information in their Twitter DM inboxes.

I doubt that, and if they really do, they should be either trained or exposed pronto. Twitter is an entertainment platform.


You've described the way it ostensibly should be.

My guess is that the reality is almost perfectly in opposition to what you've described. Anything that introduces plausible deniability is going to be of a major benefit.


Ah ah ah, so they trust Twitter? The situation is improving at minus light speed...


I won't be surprised that they do. Most politicians are very thoroughly technically ignorant, and have little time or patience to spend on learning technically complex things, and really safe communication means aren't usually very user-friendly.


I’d also add the opportunity for provocateurs to cause problems: e.g. inducing vaccine hesitancy (back when the covid vaccines worked, but let’s not focus too much on that).

My feed is still filled with how all of our public service problems must be caused by the 1-2% that were put on unpaid leave for refusing to disclose their vaccination status. I’m sure the 1-2% could help, but the issues are much larger than that.


I can think of a few accounts that, with a single tweet, could move markets, inflame tensions, or kick off multiple cycles of misinformation. For many of these large, influential accounts, Twitter is effectively the same as an official press release.


Considering a journalist was murdered and dismembered due to their lax security not too long ago, I would consider it definitely worth looking into.


There's a simpler explanation. He is doing this for profit. I don't buy all the speculation that he approached the SEC out of some professional obligation or simply to spite the Twitter leadership. As a former executive he most likely still holds stock and having the price plunge is not exactly in his interest unless the pay-off from whistleblowing is high enough. Given his high profile, he just burned all bridges career-wise at big tech. The expected whistleblower payout here must be enormous.


You've not really made an argument that it's a simpler explanation, just listed a bunch of reasons it's unlikely he'll profit from this, topped with pure speculation that he will anyway.


I know it's easy being cynical in this day and age, but there are people out there that still operate under a manner of principles. I'd like to think that mudge is one of them.


You don’t understand the value of reputation.


I don't think you understand what it means to burn all bridges. He is literally unhireable right now in any corporate context. You are naive if you believe he is doing this out of some hacker ethos.


The idea that he is "unhireable" in the security space because of this is rather amusing.


It’s honestly really hilarious. Oh no, a literal God of Security is gonna have to beg for entry level employment.


In the private sector he is not going to find employment any time soon at a major corporation. You can downvote as much as you want, but any management who hires whistleblowers deserves to be immediately fired by the board. It's basic corporate governance 101.


You talk like part of the problem.


Actions speak louder than words. For him to file this complaint now, after Musk pulled out of his Twitter purchase, makes any truthful statements pretty low value to Musk’s case. Does Twitter need better security? Yeah. Will Twitter get embarrassed? Yeah?

Will this testimony show Musk completely miffed his due diligence while building up a huge loan package that would have sent most of Twitter’s revenue to debt service? The timeline is what matters.


This is incorrect. The complaint was filed _before_ Musk even showed interest in Twitter.


I learned a lot about Mudge by reading "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."

For anyone wanting to explore 90's security nostalgia, it's worth a read. For anyone wanting to learn where hacktivism comes from, it's worth a read. For anyone wanting to learn about how security consulting has evolved over the years, it's worth a read.

Mudge is a very cool and capable individual. I am slightly surprised that Twitter would ignore someone of his talent and respect, and choose to air their dirty laundry in this manner. It's as if they have no idea who they hired. That, or C-levels think they can outpay $$$ any PR against Twitter to control the narrative. Either way, if Mudge is whistleblowing, there's probably some bad shit going down.


It appears that Dorsey was the one who hired him, and then Dorsey left, which might explain why they act as if "they have no idea who they hired".


The whistleblowing case is a new dimension. To me as an outsider it implies Agrawal may have also been the manager in his previous technical role for a lot of the tech problems Zatko identified, and what made Agrawal CEO was his ability to leverage these problems to play ball with all the interests in that company and board, while sustaining through neglect some of those concerning practices within the organization. Twitter's product isn't technology, it's an uncertified slot machine that pays out in political influence, and there are a lot of big interests depending on their cut of it. They needed a steady hand who wouldn't be vulnerable to being swayed by principle, and that's the one thing you don't keep hackers around for, imo.

If I were betting, nothing is ever really systemically broken in large orgs, it just works for someone you can't see. This is a factor everywhere and not necessarily at Twitter. Shitty process? Cui bono. Unverifiable systems? Cui bono. Deniable and unaccounted-for access to God-mode data? Cui bono. Repudiable numbers reporting? Cui bono. Bizarre political posturing? Cui bono, etc.


Part of the allegation seems to be that the beneficiaries may be foreign state actors who have infiltrated the organization.

Not particularly shocking, as they'd have to be incompetent to not try to infiltrate a major communications platform, and if the internal controls are as bad as alleged (and as has been exposed in some of the prior hacks, e.g. the control panel screenshots) they'd have to be incompetent to fail.


A friend I trust quit after being at Twitter only a few weeks, specifically because of the atrocious lack of internal security controls. When I spoke to them the first thought I had was “this sounds like a gold mine for spies”, so this story today makes perfect sense to me.


Ooof...

> They needed a steady hand who wouldn't be vulnerable to being swayed by principle.

That's my golden quote of the day, time for bed.


Now apply that to 90% of management roles in 90% of companies. Human nature is a bitch.


Is it just me, or does some of this feel less whistleblower-y and more petty? For example:

> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.

That said, this is Mudge. I have a lot of respect for the guy, and I believe what he says. I'll chalk the pettiness up to this article being a summary of a more complete document that I'd like to read at some point.


> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.

I mean if it were true that seems pretty negligent. If that were the entire extent of the whistleblower complaint (not sure if complaint is the right term?), I would agree, but it seems as though there are some significant issues raised in the rest of the report.


I dunno, pointing out that something has a poor architecture and pointing out that something has severe, known, and ignored security issues feels different.


Availability is the A in the CIA triad. DR and resilience in general is part of security.


That's never actually the case in an org chart, though. A CISO may require that a DR plan exists, but they're not the ones in charge of implementing it.

Also, if they can handle a primary datacenter outage, they have a working DR plan. If I were working on an infrastructure team and was told I needed to handle multiple, simultaneous datacenter outages, I'd start looking for another job.


Knocking-out twitter (used by journalists and govs) during a crisis IS a security concern.


A security concern for the governments, not twitter. It's not twitter's fault that governments are using it as a primary form of communication, nor should it be their responsibility to have amazing uptime just because governments are using their platform.


It's a national security concern (and international?) if Twitter can be compromised by nefarious actors and/or brought down via said compromised access. The idea that this isn't worthy of whistleblowing because Twitter is a corporation is insane. There are countless examples in the last year of Twitter being used for communication during a crisis.


That's ridiculous. If I created a service and the government happened to start using it, my service being taken down should not be labeled a national security issue against me. The national security issue would be the government deciding to rely on my service.


For all the first amendment protectors out there - the government forcing a private company to comply with some mythical security / uptime standard so it can propagandise its population - that is an actual violation.


Ludicrous, but this is the situation... holy cow, imagine a future where TikTok likes determine the outcome of an election.

You can watch it live in 2024, when all of social media has morphed into TikTok clones.


I don't think it's petty; availability of data and systems is a core component of security design.


Quite a few parts of it are petty, and honestly feel like he was at war with most of the leaders.

He wasn't responsible for disaster recovery, or reliability, yet he was reporting to the board (going above his reporting chain), telling them that the company wasn't doing enough because it can't handle _multiple_ data center outages at once? Very, very few companies could handle that. If twitter can handle their primary datacenter failing, then they do have a working DR plan. They aren't lying. Is the DR plan to Mudge's liking? Obviously not, but his idea of a DR plan is out of line with what the vast majority of the industry considers a reasonable DR plan.

Similarly, mDAU vs user/bot numbers aren't lies. The company switched their reporting metric. They're accurately reporting their growth metric to the board, and to the shareholders. The raw user numbers could actually matter to the board/shareholders, but the board could have required them to report them and didn't. Just because they aren't reporting the metric you'd prefer them to report doesn't mean they're lying to anyone.

There are a number of legitimate complaints in the disclosure related to poor security practices, but many of them feel like internal problems that don't rise to the level of crimes. Sadly, he may have had a hard time moving the needle on those issues because he was spending his time fighting everyone.

He's a gifted engineer, and may even be a gifted leader, but that doesn't mean he was doing a good job in the culture he was working in. I read the whole document, and the majority feels like someone running headfirst into bad cultural issues and burning out while making enemies.


It doesn't help that he's a "disgruntled employee who was fired".

I added that "disgruntled" part but... who gets fired for poor performance and doesn't become at least slightly disgruntled?


Someone who's happy with his employer is not going to become a whistleblower, so this isn't really an argument against him but more so against whistleblowers overall. And it's quite safe to say that we had a lot of important facts uncovered by whistleblowers.


Ah yes - the minor outage of several data centers...

Next you'll tell me that Twitter wouldn't survive global thermonuclear war.


For a company that likes to speak of itself as being a valuable piece of communication infrastructure (it isn't, Twitter's a website), this is pretty concerning and shows a lack of seriousness compared to, oh, say, the Bell System.

Gov (a term that ranges from your head of state down to your county dog-catcher) needs to get off these services asap. Twitter, TikTok, Instagram, FB are all modern versions of your old AOL Keyword.

Today we have ActivityPub, a W3C recommendation, which would be a great alternative.


Just to clarify for those who don't catch it in the article: Mudge's whistleblower complaint predates the Musk/Twitter feud entirely.


Where do you see that info in the Verge article? All I can see is "he filed last month" (which would be July 2022) - the month Musk "officially" backed out and at least a month after he started doing the "I don't want Twitter any more" dance.


> John Tye, founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter.


"Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities."


That doesn't cover whether or not he had contact with Musk and when he started the whistleblowing process.


he got canned right after the Jack departure.


This is an important point, but why is the media picking it up just now? I guess both sides are starting the usual shit-flinging…


For more clarification: According to Mudge.


Twitter CEO's response to employees which denies none of the claims made by CNN & WaPo*

https://twitter.com/donie/status/1562069281545900033

* https://www.washingtonpost.com/technology/interactive/2022/t...

edit: the PDFs from *

https://www.washingtonpost.com/technology/interactive/2022/t...

https://www.washingtonpost.com/technology/interactive/2022/t...

https://www.washingtonpost.com/technology/interactive/2022/t...

cover letter: https://s3.documentcloud.org/documents/22161666/twitter-whis...

latest reaction from Capitol Hill: https://www.washingtonpost.com/technology/2022/08/23/twitter...

>Nobody at the Valley's unicorns seemed too concerned with security. (I asked Jack Dorsey that year whether he worried about the fact that hackers were continually pointing out holes in Twitter and in his new payment start-up, Square. "Those guys like to whine a lot," he replied.)

https://twitter.com/nicoleperlroth/status/156204856902836633...


Thanks for posting this. Anyone commenting in this thread really needs to read the report as it paints the picture of their security hygiene. When I read things like 30% of all their endpoints have automatic updates disabled, and 40% reporting out of compliance, I'm picturing a real immature cowboy culture of arrogant developers that think they're above security policies, and no one at the helm to rope them into line. Sounds like they have no security culture, just policies. Security is something that begins with the individual.


Agrawal's internal statement about Zatko is insane. My goodness.


I know right! Was the last CEO who wasn't a monster Bill Hewlett?


Page 9/84 in the "whistleblower_disclosure.pdf" is about Elon Musk's claims of fake twitter accounts and bots. Good lord, this does not look pretty for Twitter.


Having skimmed that section, it hurts, not helps Musk. It's basically complaining that Twitter is prioritizing accurate, quantifiable metrics that directly impact finances over woolly, unquantifiable "platform health." Worse, executives are motivated to be honest about their metrics!

He's complaining that Twitter isn't measuring what he wants it to measure, which doesn't help, because it isn't saying that Twitter is actually lying about its metrics (and, as noted, it's indirectly implying that Twitter isn't lying).


To me that part is pretty weak compared to the security disclosures. The "lie" is about whether or not Twitter executives are incentivized to delete bots (later on he says that Twitter is incentivized to keep bots out of mDAU because they don't click on ads so they'd tank the clickthrough rate, kind of blows a hole in Elon Musk's whole thing). In reality I'm sure there are multiple overlapping and contradictory incentives at play, but it's not really a falsifiable statement so not really something you can "lie" about.

The way it's framed ("Twitter lied to Elon Musk about bots") makes me suspicious of the whistleblowers' motives here. I know he's some kind of legend around these parts but I've never heard of him, so I'm just going by what I've learned today. Seems like propaganda to me, intended to maximally damage twitter and/or curry favor with Musk.


It wasn't just about incentives. The disclosure also says that while Musk asked for [spam bot accounts / total active accounts], Agrawal's response didn't really address the question and was pretty misleading [estimated spam bots among mDAU accounts / total mDAU accounts < 5%].

("Agrawal's reasoning might appear a bit circular since, by definition, mDAU is more or less Twitter's best approximation of the set of accounts that aren't bots. And Agrawal is not exactly trying to help readers understand the bait-and-switch nature of his answer." - page 13/84)


God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.

Is this an accurate statement?

If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?


If you read the document "Security Chief's Final Report to Twitter" on the Washington Post article (https://www.washingtonpost.com/technology/interactive/2022/t...), you will see that 'god mode' just means they have IPMI access to servers.


"just"? What percentage of Google engineers do you think have IPMI access to servers?


Yeah I’m not sure the “just” is justified, and it’s not good but it’s certainly different than being able to send tweets as a particular user. IPMI access was typically only given to SREs.


The previous "God Mode" worked as I said. I think prior to 2020 when the Bitcoin hacks occurred against Twitter users.


What scenario would justify that feature existing though? Why would they need to make posts from arbitrary accounts?


It's common in lots of software - a form of a "su" command that lets you assume all aspects of a particular user.

Usually developed for testing purposes (easiest way to reproduce a problem, after all) and prevents password-sharing. But it can obviously be used for evil, and so it should be heavily logged and flagged.


But the comment says that users wouldn't even see posts from the Twitter employee assuming their account in their own timeline. What legitimate purpose would that serve?


I would assume some kind of "don't disturb the user while testing" but if everyone else sees them ...


Why would this be a production data "tool"? Makes no sense at all unless Twitter DGAF about its users' privacy... Ok, answered my own question there didn't I.


I worked in finance and we are brick-walled from real production data. There's obviously a way around it, but it is not a function you can pull out the company toolbox.

This is a clear breach of infosec if there's a $#%*# su to post as Waldo and Waldo can't see that post.

In fact it seems ONLY possible to do _evil_ with that feature.


Now think about the implications with respect to Twitter DMs that show up in criminal investigations.

For instance, consider the Twitter DMs exchanged by Donald Trump, Jr and WikiLeaks. In that particular case, the communication was acknowledged by the party in question, but imagine the two possibilities thousands of employees being able to act on the part of users opens up:

1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.

2. A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.


This seems like a huge win for the defense in a case using DMs or Tweets as evidence.

It would be quite easy to argue that a highly-politicized org like Twitter _might_ alter tweets or DMs to implicate someone in the opposing party. That’s reasonable doubt that at least some jurors would buy.


Usually these sorts of systems have very detailed logs and those logs are kept for a long time for things like lawsuits. In the hypothetical scenario you're describing the other party would subpoena Twitter and they would corroborate whether or not someone logged as that user or not.


But part of what this article calls out from the whistleblower's POV is that the logging and auditing systems that would be needed to do that don't exist at Twitter. That users can activate God Mode or get into production systems without any logging or accountability.


From what the article mentions it sounds like Twitter could very well be lacking those detailed logs and checks...


Perfidy could still happen in a tightly controlled system, where only a small number of people could view or modify user data, in a way that requires multiple individuals to sign off on it, and both the access and the modifications were internally logged and audited.

But that turns into "there was a sizeable conspiracy to fabricate evidence", as opposed to "a random person out of 2000 got bored, had a grudge, decided to have a laugh, and was acting alone".


> 1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.

Could be thwarted by some kind of "source" database column/field/value that says "this is a tweet made by God mode"

Whether Twitter has that field, if it is internal only, and if they would share it with the public/a court of law, I have no clue


Yeah, at the bare minimum what you want to see is:

1. No employees have direct, immediate access to user accounts or data.

2. Only a small number of employees should ever be able to gain access to user accounts or data, for the purpose of resolving issues directly affecting said accounts or data.

3. Access is only granted to one specific user account at a time, and only for a limited amount of time.

4. Access to a user account requires at least one other person to sign off on the access-grant.

5. Every operation performed upon a user account -- viewing a field, modifying a field -- is logged in a place the people from #2 and #4 do not have access to.

6. Access logs are routinely audited for perfidy.

7. Gaining access to user accounts or interacting with them in a way that is not necessary, or attempting to circumvent the above process, must be a don't-bother-cleaning-out-your-desk-we'll-do-it-for-you offense.

With policies in place like that, you reduce the insider risk to user accounts. You need multiple people directly involved in secretly accessing or taking over a user account, and you potentially need dozens of others (the potential auditors) to be complicit. The more people you have involved, the more likely it is someone shuts it down, or at least blows the whistle on it when shit hits the fan.

If someone can just get drunk one night, open up a user account, tweet something, then SSH over to the audit server and drop the rows from the access log indicating what they did, there's no way to even prove something happened, let alone who did it.
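The seven rules above, the "source" column suggested a few comments up, and the "su"-style impersonation feature discussed earlier in this subthread, as an added Go example that is not part of this thread and not code from any Twitter system: a minimal access broker that grants impersonation only with a second approver, only for one account and a bounded time, tags every post it makes with its provenance, and writes every outcome to a hash-chained audit log whose integrity check fails the moment a row is dropped. The type and field names (Broker, Grant, the "impersonation" source tag, the row format) are my own construction, and TamperDrop exists only to reproduce the drop-the-rows scenario from the comment above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one row of the append-only access log. Each row commits to the
// previous row's hash, so deleting or editing a row breaks the chain (rule 5).
type AuditEntry struct {
	Seq                              int
	At                               time.Time
	Actor, Approver, Account, Action string
	PrevHash, Hash                   string
}

// AuditLog is written only by the broker; operators and approvers hold no handle that lets them rewrite rows.
type AuditLog struct{ rows []AuditEntry }

func hashEntry(e AuditEntry) string {
	s := fmt.Sprintf("%d|%s|%s|%s|%s|%s|%s", e.Seq, e.At.UTC().Format(time.RFC3339Nano),
		e.Actor, e.Approver, e.Account, e.Action, e.PrevHash)
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

func (l *AuditLog) Append(actor, approver, account, action string, at time.Time) {
	prev := ""
	if n := len(l.rows); n > 0 {
		prev = l.rows[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.rows), At: at, Actor: actor, Approver: approver,
		Account: account, Action: action, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.rows = append(l.rows, e)
}

func (l *AuditLog) Len() int { return len(l.rows) }

// Verify is the routine audit of rule 6: it walks the chain and reports the
// first row whose sequence number, back-link or hash no longer fits.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.rows {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return fmt.Errorf("audit chain broken at row %d", i)
		}
		prev = e.Hash
	}
	return nil
}

// TamperDrop simulates the "SSH over and drop the rows" scenario from the thread.
func (l *AuditLog) TamperDrop(i int) { l.rows = append(l.rows[:i], l.rows[i+1:]...) }

// Grant is a time-boxed approval for one operator to act on one account (rule 3).
type Grant struct {
	Approver, Account string
	Expires           time.Time
}

type Broker struct {
	log    *AuditLog
	grants map[string]Grant // keyed by operator
}

func NewBroker(log *AuditLog) *Broker { return &Broker{log: log, grants: map[string]Grant{}} }

// RequestAccess enforces rule 4 (a different person signs off) and rule 3
// (one account, bounded lifetime) before recording the grant.
func (b *Broker) RequestAccess(operator, approver, account string, now time.Time, ttl time.Duration) error {
	if operator == approver {
		b.log.Append(operator, approver, account, "denied:self-approval", now)
		return errors.New("approver must be a different person")
	}
	if ttl <= 0 || ttl > time.Hour {
		return errors.New("ttl must be within (0, 1h]")
	}
	b.grants[operator] = Grant{Approver: approver, Account: account, Expires: now.Add(ttl)}
	b.log.Append(operator, approver, account, "grant", now)
	return nil
}

// Post carries a provenance tag so a post made on a user's behalf is never mistaken for the user's own.
type Post struct{ Account, Text, Source, Actor string }

// PostAs refuses without a live grant for exactly this account; both outcomes are logged.
func (b *Broker) PostAs(operator, account, text string, now time.Time) (Post, error) {
	g, ok := b.grants[operator]
	if !ok || g.Account != account || now.After(g.Expires) {
		b.log.Append(operator, "", account, "denied:post", now)
		return Post{}, errors.New("no valid grant for this account")
	}
	b.log.Append(operator, g.Approver, account, "post", now)
	return Post{Account: account, Text: text, Source: "impersonation", Actor: operator}, nil
}
```

The chain only proves that rows were removed or altered; it does not by itself stop someone with write access to the log store. In practice the log would be shipped to a system the operators cannot reach (rule 5) and the chain head periodically recorded elsewhere, so that a truncated log is detectable as well as an edited one.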


> A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.

I could see this being billed as a feature of a privacy-forward chat platform. Messages are slipped into conversations without either party having actually sent them and no way to tell whether they were real or not.


I’ve heard of similar things to this being discussed…

Eg. simple things like tracking-busters where it randomly clicks links in headless chrome to fool the algorithm, p2p vpns where you use a random user’s IP address to randomize who made what request, etc.

There is also a school of thought that you should periodically publish private keys for plausible deniability (“was it me, or did someone sign that after I published the key”).


Long live deliberate incompetence! Let's fill the world with a cloud of uncertainty.


It’s deliberate plausible deniability.


That explains why some people apologize for things they said would never apologize…

Thing is, now that it’s possible for Twitter, Twitter can never brush off these suspicions again.

We’re literally not sure, by using Twitter, that we see the speech of that person.


The "whistleblower" is Mudge? Ok, I didn't care before, but if Mudge is putting his reputation on the line, this is probably actually serious and legit.

Literally the entire security community knows and looks up to Mudge. If anyone finds out that anything he said was bullshit, it will get blasted from the rooftops and he'll become a laughing stock. He would have to want the rest of his career to be working for morons and be ostracized from his friends and community to make this shit up.


Indeed... the "fired for poor performance" is about the biggest red flag, and a clear euphemism for "fired for user centric principles."


It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off. Coupled with the fact that there is lacking IT education about hardware/software means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.


> the primary channel for discourse

Primary for whom? If you polled 50 people on the streets of NYC, I bet fewer than 3 would say they actively use twitter. Now do the same for Des Moines, IA and you maybe get 1?


I think that Twitter is very much the tail that wags the dog. Sure, 1 out of 50 normal people may use it, but nearly 1 out of 1 reporters use it. Those reporters often quote opinions on it as if they are representative of the larger public, even if the tweet they quote is by someone with 10 followers and no stars.


The fun thing about social media is that reporters can back up any narrative they want. “People are upset about X”, “Gen Z is doing X”, “Millennials are killing X”. Find two people and it's a confirmed trend!


I saw this happen live and I couldn't believe it. There was this Netflix movie last year called "Kate" that has a white female assassin killing a lot of Asian people (it takes place in Tokyo). There were a handful of articles (first in places like Yahoo News and then sites like Slate.com) written about how this is racist and they all quoted people on twitter. Since I was following this movie heavily, I saw the tweets come in real time and the subsequent articles written a day later. In the end it all started from one tweet from a random user which then spread into a small handful of other people making a similar comment and then leaving it at that. These tweets then got turned into multiple articles. I could not believe how crazy the whole thing was.

The original tweet author did not give permission for her thoughts to be published in so many articles and apparently endured a lot of harassment (she indicated this in subsequent tweets). She eventually deleted the tweet.

This was the original tweet: "Shame on Netflix for this. After this past year especially, to then release a film that is literally white people murdering Asian people based on stereotypes and fetishization??? Hard pass.”

If you google that quote you'll see how many articles quote that tweet.

There were no winners in this whole saga. The movie takes place in Tokyo so of course Asian men are going to be the bad guys. So Netflix endured negative press for nothing. The press didn't actually change anything about the film, it obviously pissed off enough people that it caused them to start looking for the tweet author to harass her and finally she deleted her tweet. Who were the winners? The site owners making the money I guess. The whole thing really shows how much of a joke online media is. When regular establishment press is not that good either, what are people to do?


It’s hard to read your comment, and the zeitgeist, and then conclude a nonviolent end is the most likely outcome.

These aren’t ideas that can be peacefully mediated.


There might be a huge wave of people just ignoring online news and deleting social media (i.e. disconnecting). That could very well be the end state for many people. In the above example, if the tweet author had restricted their account visibility to people only they know, then possibly the articles would never have been written. If enough people get burned out they might just walk away.

Ironically the white female actress who plays the assassin in the film: Mary Elizabeth Winstead was herself a victim of massive online targeting and harassment.

She had already once deleted her public accounts in protest after the famous iCloud hacks in the early 10s because people were ogling her private nude photos and then harassing her about it after she scolded "the internet". She came back a few years later only to delete everything all over again in 2017 when she got a non-stop barrage after she went through a bad divorce. It's tough for actors who are in the business of selling themselves to just walk away from all public social media.

I think people who weren't into tech and who came of age before the internet became mainstream might be the first people to disconnect from this social media nonsense. She was early 80s and homeschooled to focus all her waking moments on becoming an actress. Gen-Z/Alpha might never disconnect. Have they ever known anything different? It will be interesting to see what happens.


Except, one person telling someone else "I don't like <thing>" and other people responding with "Hey yeah I don't like <thing> too!" is literally how it has worked forever, even before computers. Newspapers have been running "<THING> BAD" or "<THING> GOOD" headlines with no or weak backing for literal centuries.

What about twitter makes this situation special?


I saw a reddit post today that "Disney fans are furious that Avatar was temporarily pulled from Disney Store" and the top 500 comments were like "No one is furious".

Here, I'll give it a go: "Environmentalists are furious that Bill Gates kills mosquitos"


I did a quick Twitter search, and unfortunately your story isn't supported by any tweets I can find. Good news: you get to write a story about conspiracy theories about Gates and mosquitoes instead though! https://twitter.com/lorijean333/status/1561224522166067201?s...


> and unfortunately your story isn't supported by any tweets I can find

If there's no evidence for my claim it must be evidence of censorship, because certainly I can't be wrong.


It annoys me to see this. Quoting tweets is the laziest form of journalism. But to be fair to journalists, finding a couple of real world people and quoting their opinions as if they are representative of the larger public isn’t any more rigorous.

And it’s possible to cherry-pick people to push any narrative you want. Like the NYT talking about how GenZ is very pro-life, quoting several pro-life youngsters. Meanwhile buried somewhere in that long article is the lede - only 20% of GenZ is pro-life.


Ironically, social media has played a big role in the rise of cheap clickbait journalism.


I'm involved in a community advocacy organisation that uses Twitter, Facebook and Instagram for public engagement.

Facebook is a great platform for actually getting normal people to see our content and invite them along to our meetings and such. Twitter, on the other hand, has a far more niche audience - but I know for a fact that the niche audience includes several state legislators who follow us and interact with our tweets, and we've gotten several press stories via contacts we've made with journalists over Twitter.

If you've got a message to get out there, it's a highly strategic platform.


> I think that Twitter is very much the tail that wags the dog.

Twitter has a lot of journalist users so, yes, it does tend to move the whole dog.


People with outsized influence over politics, for example.


Except that a lot of those 50 people instead consume all kinds of other "news media" who by now regularly use Twitter as a source, so they are still indirectly affected by Twitter even if they don't actively use it.


The three are the elites of society, blue checkmarks - journalists, politicians, propagandists, influencers. For the society as whole they have way more influence on where it's going than the average Joe in front of the corner shop.


The people who those people watch on TV (or read in newspapers) use twitter, though.


If you're in any community that is popular/new enough to not use forums, but not large enough to talk outside of twitter, it definitely controls a lot.


When twitter logos, accounts, and quotes show up on CNN, Fox, MSNBC etc, it's a primary channel for discourse, even if most people are just lurkers.


Ahh, the typical brigade is definitely in effect even above this post... A bunch of comments to suppress the real ones made, just like what happens on Twitter regularly.

I had to scroll down past the posts dismissing the issues to get to this one. The news at this point is also conveniently not trending on Twitter even though I am pretty sure a lot more people are Tweeting about it than about Doja Cat right now (who is trending).

I also didn't even see the article, tweeted by CNN, even though I follow them on Twitter.

We're officially chest deep in the era where nothing popular on the Internet is trustworthy nor credible, and where nothing works as expected.

My solution is the same as it always has been... Never respect them enough to enter your real (government) name, and never post anything that you can't afford to have compromised. There is no end to what modern data greed will use your data for.


> It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company.

Unpopular opinion: I think it's awesome that a private company has created a platform like Twitter. It's kind of like comparing a private amusement park with a public park: one has roller coasters, water slides and an arcade... the other has a swingset and a nice field of dried up grass.

> the fact that it's at the whims of a private company

How is this worse than at the whims of the crown?

> there is an environment that is ripe for the encroachment of digital rights

I love that we're even talking about having digital rights.


> the fact that it's at the whims of a private company

How is this worse than at the whims of the crown?

The tiny detail that we don't have a crown anymore.


A world-wide, decentralized, communications platform sounds lovely. Oh wait...


Oh wait?


Oh wait, we already had that, and then we centralized and monopolized the hell out of it [0]

[0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...


That's because decentralized networks are expensive and can't handle spam unless you make receiving messages opt-in, and then you can't @ people like you can on Twitter.


We had, and still have, standards to deal with crossplatform messaging, like Jabber or Matrix.

What prevents that from catching on at scale is the "big boys", like MS, FB or Google, mostly not playing ball and never implementing these in their own messaging platforms, to keep their gardens neatly walled from each other.

Interplatform exchange is not really in line with what most of these platforms are striving for these days: interactions with their own platforms and the advertisers on them.


You can @ people on Mastodon with @user@domain.tld.

I have yet to receive spam on my Mastodon or XMPP address (which I treat like my telephone number).


To have spam, you must first have users.

My can and string communications network doesn't have any spam either.


> a platform that is apparently rather integral to the discourse of today

Not true. If anything Twitter is a cancer on our discourse that should be disdained, not something that should be enshrined as a fixture into our lives.


This excerpt is frightening:

> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors


The "does not support basic security features such as encryption for stored data" unquoted line of reporting is almost certainly not what Mudge wrote and is likely not literally true.

That 500k servers in Twitter infra are missing patches certainly is true and what was likely in the original was a statement that stored data that should have been encrypted at rest was not, and/or that acceptable standards for data at rest encryption, a relatively rapidly moving freight train, were not maintained.


No need to speculate, thanks to the links provided by mzs at https://news.ycombinator.com/item?id=32562815#32564900

From https://www.washingtonpost.com/technology/interactive/2022/t..., page 6:

"..more than half of Twitter's 500,000 servers are running out-of-date operating systems so out of date that many do not support basic privacy and security features and lack vendor support. More than quarter of the 10,000 employee computers have software updates disabled! More than half of Twitter employees have access to Twitter's production environment -- unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not. At Twitter engineers work on live data when building and testing software because Twitter lacks testing and stage environments; work is conducted instead in production and with live data..

"This did not happen overnight. To get where Twitter is today took.. many years.. required repeated downplaying of problems, selective reporting, and leadership ignorance around basic security expectations and practices."


I have discovered that there are vastly different definitions of "encryption for stored data" that can mean critically different things for security.

One definition is "the underlying disk is encrypted". This is true, by default, of virtually all cloud environments these days. But it really only protects you against physical access to the storage media, which actually is far from the top threat.

The other, more useful/meaningful definition, is "we encrypt everything at the application layer before it is placed into the DB, and all decryption requests are logged by user". For example, using an envelope encryption scheme to encrypt data before it is stored in a DB, and upon retrieval decrypting the data with a call to something like KMS. In that environment you can literally give readonly DB access to all your developers and not have to worry about PII being exposed. If hackers somehow got access to your DB, they wouldn't be able to read sensitive data, and if they also managed to get access to your KMS credentials, any attempts to decrypt the data would be tracked and logged.

My point is that when many companies say "we encrypt your data", they are usually just talking about the first thing, but that doesn't really provide that much additional security. The second definition is really what you should be doing.


I think the good comparison that people encounter day-to-day is full disk encryption. It's the default on macOS, the only option on iOS, (those are the two platforms I use), and I assume the case on windows and android.

The thing is FDE essentially only protects your data when your machine is powered off. Once your machine is booted and you've logged in any block level encryption ceases to be relevant, because to get to the point of running your machine has to have loaded in the relevant key material to decrypt. From that point on user space code no longer sees a difference between encrypted and decrypted drives. In other words FDE is not relevant if you lose a powered on device (post login if relevant to the platform), and you're the kind of person people are actively targeting (I recall recently? the content of someone's phone or such being dumped by the FBI because they grabbed it while it was being used).

That's why modern OSes have different key classes, there's the lowest level which is just FDE, but you can have higher levels where requesting key material essentially just gives you a handle to that material. Then the OS, or preferably hardware with a much less complex OS, manages those handles and invalidates them according to policy rules. e.g. you may want your phone to have access to your address book while your phone is locked, which does not mean you need your call history available as well.

The policies provided by OSes tend to be fairly simple because it's better to have an easy to understand API that is easy to use and hard to screw up than a more "powerful" API that is easy to screw up and hard to use (the latter resulting in people simply not encrypting things at all). e.g. iOS/macOS only has the following file protections when you create files: "NSFileProtectionComplete", "NSFileProtectionCompleteUnlessOpen", "NSFileProtectionCompleteUntilFirstUserAuthentication", "NSFileProtectionNone", but they're very easy to understand.[1]

I tried to find the Android equivalent but I don't know the terminology that's used and I just get linked to instructions on using AES, so if someone could link the correct doc I'd appreciate it.

[1] https://support.apple.com/guide/security/data-protection-cla... and https://support.apple.com/guide/security/keychain-data-prote...


I think it's also important to recognize how much of a "check the box" security control encryption at rest has become for many vendors/GRC teams. A lot of times, the encryption at rest control only has the capability to prevent somebody from physically detaching the disk and trying to mount it with their own machine and access the data that way. In a world where many companies now run their workloads on public cloud providers who keep their hardware in distributed cages in secure datacenters, this isn't the security control many assume it is.

If you're trying to prevent an actor who has gained a foothold on a box/network from seeing plaintext data that is actually in use by the actual production system at that very moment, you're looking for a much stronger type of control - probably some sort of client-side encryption or obfuscation/tokenization.
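
The application-layer scheme described two comments up (a fresh data key per record, wrapped by a KMS that logs every unwrap by caller) and the client-side encryption this comment asks for, as an added example in Go that is not from the original thread or from Twitter. The KMS type is a local stand-in for a real key service (its KEK never leaves the struct and its audit log is just a slice); the record IDs, principal names and sample PII are constructed. It goes one step beyond the comment by binding the row's record ID into the AES-GCM associated data, so a ciphertext copied into another row will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS stands in for a key management service. It owns the key-encryption key
// (KEK) and never releases it: callers may only wrap a fresh data key or unwrap
// a stored one, and every unwrap is attributed to a principal and logged.
type KMS struct {
	kek      []byte
	AuditLog []string
}

func NewKMS() *KMS { return &KMS{kek: randomBytes(32)} } // AES-256 KEK, never leaves the KMS

// Wrap encrypts a per-record data-encryption key (DEK) under the KEK.
func (k *KMS) Wrap(dek []byte) ([]byte, error) {
	return gcmSeal(k.kek, dek, []byte("dek-wrap"))
}

// Unwrap recovers a DEK. The caller is logged whether or not the call succeeds,
// so a stolen DB dump plus stolen KMS credentials still leaves a trail.
func (k *KMS) Unwrap(principal string, wrapped []byte) ([]byte, error) {
	dek, err := gcmOpen(k.kek, wrapped, []byte("dek-wrap"))
	status := "ok"
	if err != nil {
		status = "denied: " + err.Error()
	}
	k.AuditLog = append(k.AuditLog, fmt.Sprintf("principal=%s op=Decrypt status=%s", principal, status))
	return dek, err
}

// Record is what lands in the database row: nothing in it is usable without a KMS call.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-GCM output
}

// EncryptRecord generates a fresh DEK per record and stores only the wrapped DEK
// beside the ciphertext. recordID is bound in as associated data (hypothetical
// row key) so a ciphertext cannot be copied into another row and decrypted there.
func EncryptRecord(kms *KMS, recordID string, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord is the only way back to plaintext; it goes through the KMS, which records who asked.
func DecryptRecord(kms *KMS, principal, recordID string, r Record) ([]byte, error) {
	dek, err := kms.Unwrap(principal, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.Ciphertext, []byte(recordID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize()) // fresh random nonce per message
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func gcmOpen(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// randomBytes panics if the OS CSPRNG is unavailable; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	kms := NewKMS()
	rec, _ := EncryptRecord(kms, "user:42", []byte("phone=+15550100")) // constructed sample PII
	pt, _ := DecryptRecord(kms, "support-svc", "user:42", rec)
	fmt.Printf("row holds %d opaque bytes; KMS returned %q; audit=%v\n", len(rec.Ciphertext), pt, kms.AuditLog)
}
```

The thing to notice is that a read-only DB user holding a Record sees only two opaque byte strings, and the only path back to plaintext passes through Unwrap, which leaves an audit entry whether the call succeeds or is refused. Disk-level encryption gives none of that: once the host is up, every process on it reads the rows in the clear.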


Finally, someone points out the emperor has no clothes. When customers first started requesting encryption at rest, it didn’t make any sense to me — the threats it mitigates aren’t worth worrying about if you’re using public cloud.

So it is just a checkbox then.


I suspect this will be the norm going forward.

Big tech was taken over by bean counters long ago, the fact that it’s all running on duct tape and popsicle sticks under the hood will come back to bite us when we have a digital Pearl Harbor event.

China will invade Taiwan and the first shot won’t be physical, it will be activating the 30 years of assets they grew in AWS/GCP/cloudfare/level3/AT&T/Etc

Most of their HR/engineering departments are completely retarded. They’ll hire any H1B who passes l33t code that accepts $50k under market rate then give them repo access in a few weeks. Our soulless megacorps are beyond easy to penetrate by hostile intelligence.

The CIA/NSA/FBI, you know the groups who we pay billions per year for and they take half my income to fund will of course not catch any of this.

The FBI is too busy manufacturing domestic terrorists, the NSA is too busy hacking American companies, and the CIA is too busy importing drugs to actually secure our country from foreign attack. Why? Because it’s been so long since we were actually attacked they believe it can’t happen so why not loot Rome in the mean time?


It is also frightening that they need half a million servers.


The JVM is a hungry beast.


[flagged]


An interesting statement in a thread about widespread security weaknesses.


Security weaknesses aren’t a problem if you limit yourself to MISRA C techniques. You don’t need modern languages.


We observe very clearly that teams consistently fail to write vuln-free C applications of any meaningful technical or organizational complexity. Following various guidelines empirically does not solve the problem.


C has such a bad rap with the HN crowd...


I think a comment of "smart people use <any language>" would be downvoted.


> C has such a bad rap with the HN crowd...

why?


It really doesn't. After all, many (most?) other languages like Java and JavaScript are implemented primarily in C and/or C++.

Where it gets deserved opprobrium is that it has no memory safety features, and thus inherently contributes to gobs of security vulnerabilities, and there are safer alternatives now, like Rust.

C is basically "portable assembly", and it's rarely the right tool for the job these days.


Can only patch so many buffer overflows, off-by-one errors, format string vulnerabilities, integer overflows, race conditions, use-after-free errors, etc, before it gets to be a bit tiring. Safer alternatives exist.


Why bother hacking Twitter when it'd be cheaper to bribe an employee to get all the information you want:

> allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight

It'd be even easier if you find an employee who's on the same political team as you.


The likelihood is that bad actors do.

It's one of the reasons I disliked Twitter forcing the use of mobile numbers for 2FA, they're just not sufficiently trustworthy. And I have an account under my real name! If I were a political dissident etc that just feels like an insane idea.



I wish companies generally would be more transparent - I'd imagine this be the norm at most companies.


Just do it the Zuck way: "If you make an FB app, you can read all users' data and their friends' data, but click here to promise that you won't do that and you won't use the data to subvert democracies...".


To be fair this hasn't been the case for many years.


I wonder if they're running Ubuntu on 32-bit hardware


or RHEL 6


Hahahaha...

Wait until you hear about the large cloud provider running RHEL5... (I worked at said provider).


I wish this was a joke. I know of systems running multibillion dollar companies that are still using rhel6.


RHEL5 more likely based on when twitter was founded


Wasn't it them that had a bug that exposed users' passwords in plain text a few years back?


I think they were logging them in clear text, so server side, prolly ended up in splunk or elasticsearch.


First, servers generally run on operating systems. No one with any serious knowledge would use the phrase run on software. Second, does this guy have any actual tech knowledge at all? He doesn't list what operating system they are running or what security updates he is expecting. It doesn't sound great but I assure you I've probably seen worse on systems used by the literal federal government to conduct official business and store sensitive information on. All government cares about is having remediation plans in place.


> Second, does this guy have any actual tech knowledge at all? He doesn't list what operating system they are running or what security updates he is expecting.

"This guy": https://en.wikipedia.org/wiki/Peiter_Zatko


Then he should be in an even better position to specify what the actual issues are in details and not some abstract garbage. You could summarize the information there as.. "Momma, servers bad. Need encryption. Need updates."


They are intentionally vague for legal and security reasons.


What legal and security reasons exactly?


Publishing a detailed report of infrastructure and specific CVEs would be irresponsible and malicious. If that is off the table the only thing left is ambiguity. Also, the audience is important. They are going for maximum outrage, not glassy eyes.


They could probably sue him under his employment contract for breach of confidentiality


We won't know until we see the documents. Right now it is a bunch of basic accusations that don't provide much depth.


Operating systems are software.


My first thought was the hypervisor layer.


For a solid and genuine technical person considering a CISO or CISO-like role, I've had the impression that they have to be very selective where they go.

Even in what I'd guess is an "ideal" situation, of tractable technical&process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.

I also hear of a lot of much-less-than-ideal situations.


I hate being asked to hand over my phone number for 2FA or similar protections. Or facing the choice between deleting all my DMs or risking them being compromised on account of no E2E support. Then again, even if you delete something, there's no knowing what their data retention handling is.


I think it's safe to assume most anything you delete from a web app gets a deleted boolean or timestamp field set and the content persists in the database indefinitely.

In my experience I've found it rare that user content is ever actually permanently deleted for various reasons.


I assume that storage has gotten so cheap now that storing everything forever is feasible for companies? I always knew they had to retain content for X period of time, to comply with laws about data retention for criminal investigations, but I always assumed (from reading about it 10+ years ago) that because of how much extra storage space all the "deleted" content would take up, that it wouldn't be feasible for them to do it long-term for everything. I knew that would become a moot point eventually, and I suppose that is now.


It is. I recall seeing some documentary about Facebook for the exact same thing - that it was cheaper to buy new hard drives and inactivate old content than it is to try to permanently scrub old content, and that was probably 10 years ago.


Yeah that's how most of them work. On some platforms (e.g. Reddit) if you do a full data request you'll see all your deleted comments as it's still there in the database, just hidden from public view.


> various reasons

advertising, controlling executives, and government spying


Or devs who fear some runaway bug.


Or a disgruntled employee or a hack or any of the other reasons you might want deletes to be reversible.


Seems like Twitter loves going through the cycle of getting hacked→hiring good talent and focusing on security→losing people and focus→relaxing their stance→getting hacked :(


By the CNN piece it seems like Twitter hired a community figure - which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures, they are not necessarily the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to SEC would work better IMO).


I commented on this elsewhere, but Mudge was a program manager at DARPA from 2010-2013 and worked at Google from 2013-2020. This narrative that "Twitter hired a long-haired hippy and he didn't know how to build a security org or work in a corporate environment" ignored the past decade plus of his experience.


Nobody seems to know how you can build a successful security org


Building a successful security organization is very easy, it just starts higher up the food chain than whatever experts you hire to do it. Security is a cultural practice, it's not a feature, it's not a bolt-on. To the extent that your security organization influences and receives buy-in from your corporate culture, becoming a part of your organization's identity, it will be successful.


I think this is key. If you don't have a good security culture, where people understand and have ingrained proper security practices, you're toast, no matter who else you hire.


Google has good security practices, can implement those in any big corp as they are very straightforward. Mudge previously worked at Google so I'd assume he was hired to help Twitter security get better by implementing some practices from Google. But maybe he was just hired to look like Twitter cared and they didn't really want to change anything.


Google also has a very good ingrained security culture. They understand that they hold on to people's most private and critical data, and rock-solid security has to be a cornerstone of their business.


> just starts higher up the food chain

How do you make those people interested in it though?

(If they weren't, originally when you hired them.)

Adding the right KPI? What'd those be

What if they aren't that bright, just have a good self confidence?


Yeah, like l0pht, @stake, DARPA...


If this is true this would be particularly damning

>Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.[1]

[1] https://www.washingtonpost.com/technology/interactive/2022/t...


This should get the attention of politicians who are probably the most active users of Twitter. Having their contacts, coms, and metadata such as phone location exposed and collected by adversaries is probably a concern for them and our entire political system. Recall how J Edgar Hoover was collecting dirt on every politician to blackmail them to keep his agency funded without oversight. Twitter would have been a wet dream for him.


Eh, you could take out Twitter and insert many other company names and it'll still hold true. And those companies hold so much more sensitive data about you than Twitter.

I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage of lax permissions.

This is rampant. How is this a story?


Cybersecurity is one of my roles I suppose (small place with an operations team of approximately 2.5), and I have to say that I have no idea what proper security is supposed to mean today; it's very hard for me to tell the marketing from best practice now. It seems like what most products really are is an ass covering service so you can tell your leadership and your customers that you did the right things.

Basically we work on keeping everything patched and try not to create any obvious issues. Honestly, I think the best thing we have going for us is obscurity.


Eval yourselves with the NIST Cybersecurity Framework and you’ll get a good idea of what to work on. It’s useful to guide an early stage security program doing all the things.

Also, build a risk matrix of security risks the company can face by impact vs likelihood of the risk happening. Get someone senior to sign off on it.

Use the NIST CSF and the risk registry with senior leadership support to guide the work you do.

It’ll be easier if you think about security as understanding your risk posture as an org, and that risk is either fixed at your level, carefully escalated to outside your teams for a fix, or labeled and accepted risk. Security teams should never be the ones to accept risk, so get a manager to see and acknowledge in writing whenever it’s decided to just roll with a known vuln you’re unable to fix without more time/money/tech. Try to fix as many risks as possible at your level so as not to build an alarmist rep. Then, that leaves space to escalate into cross-team fixes (and you can point to the NIST CSF and the risk register with a senior leader’s sign-off as a baseline reason for why they need to fix it).


It is also about governance.

Do you have runbooks for your systems? (describes how to operate the system normally.)

What about playbooks? (how to handle errors)

Have you game-day-ed various failures? How long does it take you to restore everything from backup? What order do you bring your systems up?

What level of monitoring do you have on your systems? Can you spot unusual activity? How quickly?

What sorts of firewalls? Say "system X" is compromised. How far could damage spread from there?

Obscurity won't protect you when cybercrime is a business model.


Corporate robots don't care.

They have gotten away with so much for so long, they live in their own disconnected reality.

When things break some of them cash out. Others find someone to blame. They don't pay a price at all. And the cycle continue.

In China at least people are scared of the govt. In the west it's a total joke how no one is ever held responsible.


Yikes, I wouldn't boast about being scared of a govt. That's on the cusp of being fascist.


I think the commenter brings up an interesting point that China more effectively regulates industries that commit wrong [1]. I wouldn't reduce their point to being tantamount to fascism; rather, I read @gsatic as arguing for equal application of the law. This seems fundamental to the US constitution vis à vis John Locke: people (corporations in this case) cede rights for security. If we give corporations regulatory fines that pale in comparison to revenue as a result of malfeasance, are we allowing companies to enjoy our society's benefits, without having to sacrifice the same rights others do?

[1] - Of course, this isn't the complete picture: China has a penchant for arbitrarily dealing a heavy hand to law-abiding companies/persons.


Isn't the ideal something like:

Citizens should respect Government, and Government should fear citizens?

I think we are straying away from both of these at the moment.


[flagged]


Right. Democracy is fake…


I’m a security engineer and nobody knows what’s best practice. Everyone is making it up at this point, and security is still a nascent field. Most companies don’t even have a security team.

I think it’s still not clear how you should build a security org, and if you should at all (should security be part of normal workstreams of your devs?)

Btw I wrote about my experience in https://securityhandbook.io/


Is there even best practice for non-cyber security at private businesses?


There is a best practice... but the issue is that the "best practice" is something that gets abused for cargo culting and stopping at the discovery of the best practice.

Some time back, I got a copy of "A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving" so that I could properly quote back the use of best practices.

https://en.wikipedia.org/wiki/Best_practice

With most times people are looking at best practices, they skip to the decide step without defining the problem - that's even been done here. Is there a best practice for non-cybersecurity at private business? Well, yes - but first, what is the problem that is trying to be solved? There's no "get this book of everything to do and you're good". On the other hand a "we have customer data that includes PII data, we need to secure the data and prevent casual examination of it in house" is a problem that can be looked at and a best practice can be found.

The best practices involve a survey of looking at other organizations and seeing what they have done - what worked and what didn't.

> Part IV "Smart (Best) Practices" Research - Understanding and Making Use of What Look Like Good Ideas from Somewhere Else

> It is only sensible to see what kinds of solutions have been tried in other jurisdictions, agencies, or locales. You want to look for those that appear to have worked pretty well, try to understand exactly how and why they may have worked, and evaluate their applicability to your own situation. In many circles, this is known as "best practices" research. Simple and commonsensical as this process sounds, it represents many methodological and practical pitfalls. The most important of these is relying on anecdotes and on very limited empirical observations for your ideas. To some extent, these are - one hopes - supplemented by smart theorizing. This method is never perfectly satisfactory, but in the real world the alternative is not usually more empiricism but, rather, no thoughtless theorizing.

> Develop Realistic Expectations

> Semantic Tip First, don't be misled by the word best in so-called best practice research. Rarely will you have any confidence that some helpful-looking practice is actually the best among all those that address the same problem or opportunity. The extensive and careful research needed to document a claim of best will almost never have been done. Usually, you will be looking for what, more modestly, might be called "good practices."

---

A "here is a list of all the best practices, follow these" is the wrong way to try to use best practices but rather relabeled cargo cult security.


I've recently gotten a lot of good guidance on security best practice from a new boss. A great place to start is the CIS 18 critical security controls. They cover most things for protecting an organization.

Walk through the controls list, see where you compare to the controls and sub-controls and then start to establish a path forward.


>It seems like what most products really are is an ass covering service

You do have a pretty good idea then. Sadly, this is exactly what it looks like at the moment: because business decisions are made by clueless dummies, there’s no way to sell a proper product; to make money you need to focus on snake oil instead.


Consult with a security firm or specialist and they should be able to steer you in the right direction.


Two problems with this:

1) Like a car mechanic, these people get paid to sell you solutions and they are incentivized to sell you more.

2) Plenty of honest people have biases because of what they do. If you spend all day thinking about security you might be overly concerned about things that are actually not that risky.

This isn’t to say that there aren’t great people working in the field. But it’s daunting from an outsiders perspective.


Develop sufficient in-house subject matter expertise so that you're not depending on sales consultants to do your cyber program for you.

Develop an empirical understanding of risk management. While we can't predict the future, through well established techniques and adequate resourcing, professionals can achieve consistent results that are far better than random guessing. Risk management principles drive not just corporate strategy writ large, but entire industries like banking and insurance.


To answer points 1 & 2, you're more than permitted to think for yourself and establish if their recommendations are worth pursuing. You could even get multiple opinions and see if there are any recurring themes that might suggest areas to look at first.


It still comes down to a matter of urgency or value perception.

You don't want your doctor to overlook any problems just because they are rare because your health is really valuable.


With the example of the doctor you run into the nocebo effect - you can spend a lot of time tracking down things that turn out to be of very low value which ends up causing more harm than good. To painfully extend the metaphor you could have an overly aggressive password policy and end up having users reusing passwords or writing them down.


> How is this a story?

Cynically, because it's twitter, and it's trendy amongst a certain subset of the population to bash social media in general and twitter in particular. And I think your point is fair.

(FWIW, I think social media has if not caused, then certainly exacerbated, some major problems at individual, societal, and global levels, but by no means do I think twitter is the biggest contributor. I don't think we'd see the kind of unconstructive political polarisation we're seeing in the US and UK and perhaps, to a lesser extent, within the EU, without it.)


My reasoned mind says it's due to the recent disclosure in Twitter due to linking of phone numbers to people, while my other mind says it's Elon finding anything to make Twitter give up their case.


> in Twitter due to linking of phone numbers to people

Except like the linkedin "hack" which was just a scrape of peoples profiles, the twitter "hack" was someone running phone numbers through the "upload your contacts and find your friends account" feature.

They are both barely stories, except to remind people that posting stuff publicly is public.


>..the twitter "hack" was someone running phone numbers through the "upload your contacts and find your friends account" feature.

>They are both barely stories, except to remind people that posting stuff publicly is public.

The recurring issue is that Twitter and other companies are convincing (and often forcing) you to do something unsafe like linking your phone number, while telling you that your data will be kept private and at the same time opting you in by default, or aggressively marketing, an option that compromises your security.

I'm sure you may be smart enough to know this compromises your anonymity, allows stalkers to find your phone number, etc. but the 99% of users won't.

Linking everything to a phone number is a major dark pattern that benefits the corporations while compromising the user. So rightfully, these malicious and harmful practices should be called out.


Additionally, Twitter collected PII and then did a bad job protecting it. We don't see a phone-numbers-leaked story like this out of Google, which has had 2FA with phone number deployed for years.

Twitter has some 200+ million daily active users and should act like it.


Decide whether people who have your email address or phone number can find and connect with you on Twitter. If you select yes, then someone with l33t skills can "hack" twitter and type in your email / phone number and get your twitter handle (or just put it in their contacts and click a button in the twitter app aka l33t hax0r skills)

The reason there isn't a "leak" from google is because they don't offer the functionality to look up your account by your phone number.


For sure, the phone numbers issue definitely won't have helped, but the whole Elon/Twitter situation is definitely up there. Plus, as I say, it's been sort of trendy to bash them for a while: they're either not doing enough to protect people from harmful content, or they're subverting freedom of speech by, for example, banning Trump, and applying permanent, temporary, or shadowbans to other accounts. I'm not that sympathetic, but they sort of can't win.


I think you are referring to corporate and state controlled social media. There is a big difference between those platforms and the fediverse instances I am running on a RPI sitting on my desk.


>This is rampant. How is this a story?

Bro. It's not every day that literally Mudge, who has -no doubt- seen his fair share of shit-shows, whistleblows on an employer.


But was he fired by any of those shit shows?


I don't think you understand how poorly attacking Mudge's character or insinuating that he's driven by some unethical ulterior motive is going to work out. Mudge is... he's Mudge. He's a known quantity, and one everyone wishes we had more of. When he says something like this, smart people listen intently.


Twitter is under a consent agreement with the FTC about its security practices. Part of the allegations here is that they've been lying to those regulators.

https://www.ftc.gov/news-events/news/press-releases/2011/03/...


> This is rampant. How is this a story?

Well, it's on the front page of CNN right now for starters, so that means it's probably significant to a lot of people...

If you have a business, you most likely need to promote it on Twitter, or to at least reserve an account there so that someone else won't impersonate you. You also need to do that on almost all other major social platforms.

If you have a business or personal account on Twitter, your direct messages, the data the system generates about your preferences and interests, your geo-coordinates, and everything you post, including control of how your account works can apparently be accessed by too many people within the company.

It's a pretty big deal for anyone that uses the platform citing all that... Not something that should just be "left to its own devices" because everyone else is doing the same. All cases of data abuse/misuse should be addressed, but addressing one this big would also be a pretty big deal.


Did you actually read it? The story isn't some handwaving about companies in general having bad security. It's that Twitter's former head of security is blowing the whistle on "reckless and negligent cybersecurity policies" including deliberately misleading government regulators and its own board about various issues, and concerns about foreign espionage and disinformation.

If you don't know how that's a story I don't know how to explain it to you, I can only assure you many people will find it extremely newsworthy.


I hear you. All of that is a big deal and should not be taken lightly.

Maybe I'm a bit jaded by what I've seen, but that doesn't seem too far off from normal American business culture. Deflection and manipulation seem to be par for the course. It's why lobbyists exist. Companies want permission to do/not do the things they're not currently allowed/required to do.

The ones that get caught are normally a few bad actors that whistle blow. The companies where it's ingrained in their culture get away with it. Of course...this is all my own experience :)


> This is rampant. How is this a story?

Because it's being publicly revealed.

If the lax security you describe at other companies were also revealed, maybe more would be done to fix it.


It is certainly rampant. Amazon, for example: https://www.wired.com/story/amazon-failed-to-protect-your-da...

That said, all these stories are important to the public.


Because it's CNN and they like to make headlines with some bogus whistleblower that is concerned that some die-hard trumpers are going to hack top companies and create some kind of mass hysteria. Just the usual fear mongering in the news media to get views.


Hard to know where to start with this nonsense. Suffice it to say I'm impressed: every single part of what you just said is wrong.


Just type the word mudge into Google. ‘Bogus whistleblower’ tho


At least you get it. I've seen worse on actual government systems.


Because people with a lot of money are inflating this story to get back at Twitter. It sounds like a conspiracy, but that's the most plausible explanation I have for why this specific whistleblower gets amplified by the media.


This specific whistleblower also happens to be mudge. It's funny how the initial top comments here don't seem to have any clue about who mudge is.


Not a lot of companies get infiltrated by foreign agents or assets. Access to Twitter, in particular, can help unmask anonymous sources, sensitive DMs, dissidents - and their locations.

And, oh yeah - there is no "conspiracy".


I don't claim Mudge was infiltrating Twitter, nor that his claims to bad security are false, nor that it is not dangerous to use Twitter if you value privacy. Bad security at Twitter, or any other social media is a given. Remember they're in the business of selling personal data.

My claim is that this specific story which is most likely true but in no way surprising gets amplified right now because some specific powerful people wanted it so.


Or the current Twitter drama is precisely why it is an interesting story for the media.

That said, given foreign influence campaigns in the news in the last 6 years, this would’ve been news then too. I’m sure it was news back in 2010 when the FTC ordered it to fix the problems.


Or maybe, you know, the media finds this story interesting because this is an extremely visible company with tons of influence on narratives around the world.

Who are these "powerful people"? And why do they care about Twitter so much? Most powerful people aren't even ON Twitter.


I know about a certain person who has been doing very unorthodox moves towards the acquisition of Twitter since earlier this year; this person, as well as all the wealthy stakeholders who have a lot to lose if the deal goes through in an unprofitable way, would certainly gain a lot by amplifying this story with a few grand in the pockets of the CNN business editors.


I think you are overestimating the influence of Elon Musk on American media, my friend.

Are they enamored with him - for sure, are they in his actual pocket? Doubt it.


Not necessarily the man specifically. Anyone with a high stake in Tesla/SpaceX/long-termist companies and an arm in the media machine who would benefit from this press release.


I'm starting to think social media might not be the best system to store my personal data, maintain our democracy and protect national security...


I wish CNN would just air their interview in full instead of splicing his answers into 5 second soundbites with editorialized voiceover framing. I'm infinitely less interested in CNN's reporter's summation of the issue than that of the veteran security analyst at the heart of the story.


Sure the article focuses on Mudge because he's blowing the whistle, but Mudge and Rinki Sethi (ex-CISO) were fired at the same time.

When you fire both your chief of security and your CISO months after you hire them, it's weird. Even if your chief of security had personal failings, why fire his boss? If the boss falls on her sword for direct, that certainly makes me think to take what they're saying seriously.


copy and paste my comment from an earlier post which failed to see HN traction (https://news.ycombinator.com/item?id=32562747):

> The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

this is a fun read. I've long said that government agencies, heads of state and other influential public figures are obvious candidates for running their own ActivityPub installations (or in paying competent people to do that, which shockingly Twitter, Inc. could be in the business of hosting/selling).


"as a chaotic and rudderless company beset by infighting,"

Sounds like a match made in heaven for "government agencies, heads of state and other influential public figures."


Mudge is a very credible source. Interesting to see where this goes. Twitter has gone through more security heads than any high tech company should. Not surprised it’s a chaotic environment.


No he's not. He's literally on the CIA payroll along with the rest of CDC.

He has a track record of making up ridiculous stories that serve his task masters. Remember the "Hong Kong Blondes"? Oh right it turned out to be completely fake.


> FOREIGN THREATS: Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll, the disclosure alleges.

This is a very strange article to me. When I think of Twitter and government influence, I think of the overwhelming pro-Washington bias.

I think of the "state-affiliated media" tags that somehow don't apply to RFE/RL and BBC.

I think of the countless heterodox/dissident accounts that have been banned or silenced on the platform.

I think of the "hacked materials" warning label that was invented to discredit a particularly damning story about a covert disinformation campaign involving Reuters and BBC.

I think of Twitter's complete tolerance of the obvious platform abuse by the textbook troll farm known as "NAFO".

I think of the revolving door between the federal government and policy/compliance positions at large tech companies including Twitter, of which Mudge is one of many.

My tinfoil hat is whispering that this story is part of a broader campaign to put pressure on Twitter to be even more compromised by the federal government and intelligence agencies. I just don't see how this "foreign threat" narrative lines up with the reality of how effectively managed Twitter has become over the past few years.

Realistically though, Mudge probably just has a huge hacker ego and is butthurt that he was caught slackin'.


>I think of the "state-affiliated media" tags that somehow don't apply to RFE/RL and BBC.

More importantly they don't point out things like CNN being owned by AT&T. Ever wonder why CNN doesn't cover why AT&T can be so awful? There's your answer. MSNBC is owned by this massive entertainment conglomerate: https://en.wikipedia.org/wiki/NBCUniversal_Television_and_St... CBS is owned by this entertainment conglomerate: https://en.wikipedia.org/wiki/List_of_assets_owned_by_Paramo... ABC is owned by Disney (wonder why their copyright-pushing insanity is never covered negatively there?)

Most people seem to assume that mainstream news is just an independent journalistic organization beholden only to itself, that truth is important, and delivering the news to the viewers are priorities. Something that is wildly untrue for almost all of them. They're corporate-owned, and those corporations have their own agendas that aren't aligned with the average American in the slightest.

>I think of the countless heterodox/dissident accounts that have been banned or silenced on the platform.

They banned satire accounts for wrongthink.


There's been at least one Saudi spy found working at Twitter and convicted: https://nypost.com/2022/08/09/ex-twitter-employee-ahmad-abou...

> Saudi citizen Ali Alzabarah, who worked as an engineer at Twitter, used their positions to access confidential Twitter data about users, their email addresses, phone numbers and IP addresses, the latter of which be used to identify a user’s location

Internal data security practices could probably have helped limit his access


The line between "spy" and foreign-lobby operative is pretty blurry when it comes to KSA/Israel/etc. Look at Jonathan Pollard.

I would be surprised if there were an actual Chinese/Russian/Iranian spy working at Twitter.


> When I think of Twitter and government influence, I think of the overwhelming pro-Washington bias.

And I think of AWS announcing a massive data loss, Kim Jong-un tweeting "Nukes have been launched" and the US president tweeting about an impending Yellowstone explosion. If you want to really f up the country in a big way, Twitter is a great way. With how much verification some journalists do, the news will have secondary 'sources' outside Twitter within minutes for free.

Even without going to such lengths, the activities and rough locations of US officials will already be massively valuable to any foreign power. Facebook had papers where they managed to guess an individual's health based on their typing patterns, just imagine what you could do with all of the Twitter analytics.


Trump's presidency should have made it very very clear that relying on a tweet for anything at all is a monumentally stupid idea, and the only reason someone isn't currently taking advantage of that reliance is that they don't think it's worth it to attack you in that way.


Read the report of the problems he was trying to surface: https://www.washingtonpost.com/technology/interactive/2022/t...

This doesn't seem like he was "butthurt and caught slackin'." The tone of the report seems like he's frustrated that he was hired to do a job, and not given the resources / authority to make the necessary sweeping changes. Perhaps someone with a more political approach could have influenced leadership better. But they hired an extremely technical person, not an extremely political person.


What more pressure do you think intelligence agencies would want to enforce? https://www.mintpressnews.com/twitter-hiring-alarming-number...


You would think that Twitter might have a coherent strategy in place for dealing with the media on this but no. They are trying to discredit Peiter Zatko by stating that he was terminated for performance reasons and yet their spokesperson goes on to make these completely conflicting statements:

From Twitter spokeswoman Rebecca Hahn:

Hahn said that Twitter fired Zatko after 15 months “for poor performance and leadership.”

Hahn added that Twitter has tightened up security extensively since 2020, that its security practices are within industry standards, and that it has specific rules about who can access company systems.[1]

2020 was of course the year that Zatko was hired by former CEO Dorsey. So security tightened up "extensively" on Zatko's watch but he was fired "for poor performance and leadership"?

This only seems to support Zatko's (and many others') assertion that Twitter is a giant shit show of chaos.

[1] https://www.washingtonpost.com/technology/interactive/2022/t...


Twitter has a comms department but there has been a revolving door of ineffective comms leadership.

I can't even get someone from Twitter Comms to pop into the Twitter subreddit to engage with users there.

Rebecca Hahn doesn't even have a Twitter account afaik.


That is rich. From July:

>"Details: The communications lead role has been vacant since last November, but it's been led by Twitter CMO Leslie Berland on an interim basis for the past seven months. Hahn, who technically started last week, will report to Berland."[1]

The VP of Global Communications at Twitter role was vacant for 7 months and the person finally hired doesn't seem to have a visible Twitter presence after 6 weeks on the job? At a time when the company is practically a daily news story? You couldn't make this shit up.

[1] https://www.axios.com/2022/07/12/twitter-rebecca-hahn-commun...


I've been hearing about Mudge for decades. It's actually a bit ... heartbreaking ... to see him looking so corporate, but we all age, don't we?

I doubt he was fired for being bad at his job. But I'll bet he was fired for getting in people's faces. That was basically his calling card for years. Why is anyone surprised?

I guess Twitter thought they could hire the cachet, without hiring the man.

I remember an Apple WWDC, way back when. It may have been in the 1980s, as it was in San Jose.

They hired Ken Kesey to drive his bus to San Jose, and give a speech. The party theme was "Hippies," so he fit right in.

So they thought.

He got up on stage, and started talking about taking acid, and counterculture.

The shepherd's crook came right out, and yanked him off the stage.

I heard they had a big fight with him, because they wanted him to leave his Magic Bus, parked in the courtyard.

He drove off in it.

Smart people that make waves are not easy to control. If you are used to herding around mediocre sheep, you'll probably have a hard time with the wolves.


I also only have public information, but the sense I've gotten was that Twitter had an embarrassing problem, with high-profile accounts being compromised, and Jack personally hired Mudge to fix it, with Mudge reporting directly to Jack. This set up Mudge to essentially be the parental supervision for Parag, which chafed / pissed Parag off. Then, when Parag became CEO, Mudge was out, having not accomplished much because Parag was actively hostile to the interference.

Again, conjecture based on what I could extract from the froth, but mundane enough for me that alternatives (shocking displays of X) start requiring extraordinary evidence.


This. Parag's retaliation for having his toes stepped on


I don't think your comparison is apt. Mudge isn't some loose cannon. He worked for the US government as a program manager for DARPA from 2010-2013, then for Google from 2013-2020. You think he looks "corporate" now, just look at his government portrait on his Wikipedia page from a decade ago.

Point being, Mudge is a very well respected cyber security professional, not some "hippy hacker" from years past. Which makes me even more willing to give his accusations weight, because this is not a case of someone who doesn't "get" corporate environments.


I didn't mean that he was a "hippy hacker." Maybe you misinterpreted that, from my story (BTW: Ken Kesey was no slouch, either). My apologies for being unclear.

But he has a definite history of being quite willing to speak truth to power. Not having had any personal interactions with him, I can only go on the [many] stories I've heard.


It looks like you're reading several things into GP's comment that he did not write. At least I read it completely differently. I.e. that perhaps Mudge's alleged failure was "not playing ball" regardless of what the particular game might have been in that corporate environment, at that particular time, under/beside those particular execs.


> It's actually a bit ... heartbreaking ... to see him looking so corporate, but we all age, don't we?

He's stated that you can work to change the system from the outside or from within and he chose the latter.


That sounds like an interesting story about Ken Kesey, but I can't find any references to it. Have a source?


Well, I was there. I think they had the party in some offsite venue. I remember a courtyard, with the Magic Bus, parked in it.

I'll see if there's any kind of historical document. Apple's earlier WWDCs were not the high-production-value events that you see these days.

They often had celebrities give keynotes and speeches. They had Douglas Adams and Harry Anderson.


To add: It was likely in the early 1990s. I remember who our evangelist was (who told me about the fight).

It was pretty campy. The staff dressed up in tie-dyes (and some had wigs), and handed us strings of beads, as we came in.


> I doubt he was fired for being bad at his job. But I'll bet he was fired for getting in people's faces.

As head of X, maintaining good relationships is part of your job. It's actually the biggest part of your job.


There's a common anti-pattern that goes like this:

1. A higher-ranked person (e.g. Agrawal) is screwing up in some way (e.g. not addressing security issues)

2. A lower-ranked person (e.g. Mudge) tries to get the problem fixed (e.g. addressing the security issues)

3. The higher-ranked person refuses, and it turns into a conflict

4. The lower-ranked person gets blamed for "not maintaining good relationships" or "being hard to work with" or something like that.

See this article: https://lethain.com/hard-to-work-with/

To be clear, maintaining good relationships is very important. Good relationships are the lubricant that keeps the machine running smoothly; if someone has poor social skills or doesn't make an effort to maintain good relationships, they'll cause unnecessary friction, and they'll end up wasting time and effort on a conflict when they could have solved the problem by maintaining a better relationship.

But, not every conflict is an unnecessary conflict that could have been solved by maintaining a better relationship! Sometimes people refuse to fix problems, and the only options are to apply pressure to them or let the problem go unfixed. Sometimes "lack of lubricant" isn't the reason the machine is broken.

(One way to see this is to note that Agrawal did not maintain a good relationship with Mudge. If maintaining good relationships is part of the job, did Agrawal fail at his job? Or do you think only the lower-ranked person is responsible for maintaining good relationships?)


When you make someone head of security, there are a handful of ways they can go about it:

* They can be utterly ineffectual, ideally while looking good in the press and maintaining good relations across the company. The latter is easy when you never have to ask anyone to do anything.

* They can be effective, which requires the ability to draw on and coordinate resources far beyond security. Their ability to do this is reliant entirely on the support and backing they get from the top. This will make people angry, because it's inevitably going to lead to reshuffling priorities and making choices people dislike. It's possible to maintain good relationships while doing this, if you have strong backing and you need to convincingly be empathetic about people's feelings while they do what security and privacy demand.

* They can be ineffectual while trying to work across the org and negotiate without backing. Eventually this just pisses people off because you're constantly asking for things and they just want you to go away.

As a security leader, your ability to maintain good relationships while being effective is contingent on how much backing you get. If you're not backed sufficiently, you cannot do both, and then you have to make awkward choices.


The CEO might want you to be a doormat in order to make them look competent. The board, and the users, might disagree.


Yes and no.

There are many facets to these types of jobs, and these types of teams.

I suspect that he was a “known quantity,” when he was hired, and acted as he was expected to act, by the person that hired him.

Jack Dorsey had his own issues, and pleasing him may not have counted for much, after the new folks took over.

I do have issues with declaring that someone at that level is being fired “with cause,” especially someone that knows where the bodies are buried. This goes double, for someone well-known for doing well in other environments. Usually, there’s some kind of “golden handcuffs,” and the firee simply “leaves to spend more time with their family.”

Regardless of his faults, they set themselves up for this. From here, it appears to be a rather petty personality spat that may end up hurting a whole bunch of folks.

So yes, you are correct, but the person at fault may not be Mudge.


"The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to."

I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal, or, is this whistleblower's account inadmissible?


> I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal

Not really because they have consistently said "this is what we do, it's a finger in the air estimate based on sampling, it might be right, it might be wildly wrong, there's no agreed methodology for this".

For someone to then go "they don't fully understand the true number of bots! GOTCHA!" is dumb because it's literally just pointing out exactly what they've said in their SEC filings since 2013.


Also, Musk repeatedly said publicly that he wanted to buy the platform specifically to address the issue of bot accounts.


So many people don’t understand this. It’s not even clear if Musk does.


Of course he does. He's just grasping at straws to get out of the mess he's created for himself.


I don't know. If he did, I feel like he wouldn't have acted so impulsively in his solicitation and outlined that in his contract.


Musk has problems with impulse control. That's why he publicly called a literal hero of dying children a "pedophile". If he didn't have money he would likely not be able to keep friendships functional, because he doesn't know how to interact with other people in a healthy way.

I don't understand how you can look at his public behavior and think anything else. The only alternative is that he thought doing shitty things was a rational way to improve his situation, and I personally think that's a worse option


The really damning part of the whistleblower's statements isn't about the bots, it's about Twitter executives misleading the board of directors and stockholders. That's what could aid Musk at trial.


The problem I have in assigning credibility to Twitter's position on bots is that they seem to have held multiple seemingly inconsistent positions (all paraphrased):

1. "Finger in the air estimate based on sampling", aka. "don't read too much into it"

2. "Not more than 5%"

3. "Methodology can't be understood externally"


They are completely consistent. They have always said 'no more than 5% according to their sampling' plus a long row of disclaimers and that they sampled based on things like activity and only from monetizable users, neither of which can be tracked without Twitter's internal data on the user.


If the executives did not make a meaningful effort to count them, that is fairly damning, given how much the stock price swings on the count.

Nobody said it was easy, but it's certainly harder if you don't try.


> If the executives did not make a meaningful effort to count them

They've been filing their methodology for bot counting with the SEC since 2013.

If they're not making a "meaningful effort" and it materially affected the stock price in some way, either the SEC or a shareholder would have gone "HOLD ON SHENANIGANS O'CLOCK", surely?

It can't be that the entire world was A-OK with Twitter's bot counting until June 2022 when a man claiming to want to buy Twitter to fix the bot problem got cold feet on a market drop...


> They've been filing their methodology for bot counting with the SEC since 2013.

No, they haven’t. They describe at a very high level the amount of sampling they do (100 accounts a day? Really, that’s it?), but don’t discuss the methodology used, such as what they use as signals and indicators of botness. That’s not “filing their methodology“, it’s covering their arses.


> (100 accounts a day? Really, that’s it?)

Today's question on your statistics 101 exam:

You have a population of 100 million people. You estimate that the true probability of some statistic is about 5%. What sample size do you need to be 95% sure that you are within 5% of the correct answer? Answer: 73.

(No really, this kind of question is absolutely going to be in a Stats 101 class. And sample sizes really don't need to be that big to be accurate.)
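Added worked derivation (not part of the commenter's post) of the sample size quoted above, using the standard normal-approximation formula for estimating a proportion $p$ to within an absolute margin of error $E$ at confidence level $1-\alpha$:

$$
n = \frac{z_{\alpha/2}^{2}\; p\,(1-p)}{E^{2}},
\qquad z_{0.025} \approx 1.96,\quad p = 0.05,\quad E = 0.05
$$

$$
n = \frac{1.96^{2} \times 0.05 \times 0.95}{0.05^{2}}
  = \frac{0.1825}{0.0025} \approx 73
$$

Two things the quoted answer assumes: "within 5%" means plus or minus five percentage points in absolute terms (an interval of roughly 0% to 10% around a 5% estimate), and the population size does not matter, which holds here because the finite-population correction $n/(1 + n/N)$ with $N = 10^{8}$ changes nothing. If "within 5%" were instead read as relative error ($E = 0.05 \times 0.05 = 0.0025$), the same formula gives $n \approx 29{,}200$ per estimate.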


> That’s not “filing their methodology“, it’s covering their arses.

True, but probably quite successful. So this will most likely not save Musk.


Shenanigans can go on for a lot longer than 9 years without anyone noticing.


The "methodology" is that people look at 100 accounts a day and determine whether they are bots. They have never disclosed any of the signals that go into this determination. You have a lot of faith in the immediately efficient market here.


The point is that they have not claimed anything regarding this in their filings that isn't true, not whether or not you think they've been clear and detailed enough to answer the question properly.

And to give Musk an out, which is what this tangent is about, not only do they need to have actually lied, the lies need to have had a VERY substantial effect on the price of the company.

The bot thing simply does not help Musk get out of the deal he's made. That is not the same thing as "Twitter are great at dealing with bots and have been very transparent about how they do it", but that's not the bar that has to be cleared here.


How is it any harder than giving users a captcha?


Captcha solvers exist and are quite accessible. If solving the problem of bots would be as easy as showing a captcha, we would not have bot problems.


I read some good commentary on this that I agree with.

From a purely legal perspective, this really shouldn't matter much. As has been pointed out many times, Musk explicitly waived due diligence when he signed the contract. Also, it's still laughable to think that Musk's real reason for wanting to get out of the deal is the bot problem (instead of the obvious reason of the market tanking), when Musk himself made the argument that a big benefit of him buying Twitter is that he would be able to clean up the bot problem in the first place.

From the court-of-public-opinion, though, I think it does give Musk more leverage for a negotiated settlement to get out of the deal, which is really what he wants. I don't think Musk really thinks he can win in Delaware, but the longer he drags things out and the more pain he causes Twitter the more incentive they have to negotiate cancelling the deal.


Twitter's always hedged their bot stats with the MDAU caveat (e.g., "we're not estimating all the bots who log into Twitter, just the ones that are meaningful for advertising and revenue purposes"), so while these allegations are not at all helpful, they're not necessarily a serious blow to Twitter's position (Mudge is a hacker, not a contracts attorney, and a lot of the allegations he makes regarding regulatory law aren't necessarily supported by his evidence).

However, there's enough here, provided by a highly-credible technical expert, and under consideration by the US Congress, that Musk's litigation team has a strong opportunity to find at least something that holds up as a material misrepresentation, even if relatively minor, and then link it to the broader effect of this document, which could very well rise to the level of a material adverse effect.

So, where bots are concerned, bad but not disastrous; for everything else -- well, let's just say that Musk's litigation team are burning incense to the gods this morning, while a whole bunch of Twitter execs are going to be spending the next few weeks getting grilled by their own retained counsel, at an even more exorbitant hourly rate than they were paying before.


I am willing to take a shot in the dark on this story, and say that this is the whole point. I don't see why this story would get shared and amplified so much otherwise.


This aspect of the story was entirely predictable:

>Musk lawyer Alex Spiro said they want to talk to Twitter whistleblower. “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”

https://twitter.com/donie/status/1562056198425288704


Why would it be inadmissible?

Mudge could be subpoenaed, just like Jack was just subpoenaed.


Indeed, he just was. https://twitter.com/deitaone/status/1562069657582018560

(That account tweets Bloomberg alerts)


Wow, that was quick!


It truly doesn't matter, given Musk waived due diligence. Unless the number of bots is enormous (think 75% or more) then it won't make a material difference.


Musk needs twitter to have willfully misrepresented and concealed, not merely to have had estimates that they admitted were nothing more than estimates.


It's probably not coincidence that that piece is in there ...


Unless the bot problem regularly gets in users' way, this isn't really what you want to blow the whistle on--hard problems are hard. You bring this up to damage Twitter.


Considering the stories you can read in the security engineer handbook[1] written by FAANG security engineers I’m willing to believe that.

[1]: https://securityhandbook.io/


The previous head of security to Zatko talked about fixing these problems. I remember distinctly after the FTC crackdown there were all hands where the discussion came up. I guess these problems were never fixed.


>If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees GitHub commiters[sic] group.

>I can see private repos, yes.

>A Twitter employee, Chris Banes, has claimed "that nothing internal or private is hosted on GitHub. It’s all just open source code.". Here is a picture of a private, active, repo I had access to until about 50 minutes ago. Chris's statement is incorrect.

https://twitter.com/alsutton/status/1562152606096658432

https://twitter.com/alsutton/status/1562116259357024257
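The anecdote above (a former employee still in the GitHub committers group 18 months after leaving) is a textbook offboarding gap. An added example, not code from the thread or from Twitter, of the periodic reconciliation a security team would run to catch it: compare the organisation's member list against the HR roster and flag anyone terminated past a short grace period, plus anyone HR cannot account for at all. Both inputs are constructed sample data; the member list mimics the logins returned by GitHub's `GET /orgs/{org}/members` endpoint, and the HR export format and field names are assumptions.

```python
"""Reconcile a GitHub organisation's member list against an HR roster.

Added example (not from the thread or from Twitter). Inputs are constructed
sample data; the HR export shape is an assumption.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Orphan:
    login: str
    reason: str                 # "terminated" or "unknown"
    days_stale: Optional[int]   # days since termination, None if unknown


# Constructed sample of what GET /orgs/{org}/members returns (logins only).
GITHUB_MEMBERS = ["alice-dev", "bob-ops", "carol-sec", "dave-ex",
                  "eve-contractor", "svc-ci-bot"]

# Constructed HR export: github login -> (status, termination_date or None).
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "alice-dev": ("active", None),
    "bob-ops": ("active", None),
    "carol-sec": ("terminated", date(2021, 1, 15)),
    "dave-ex": ("terminated", date(2022, 8, 1)),
}

# Non-human accounts must be inventoried explicitly; otherwise they are
# reported as "unknown" on every run and the report gets ignored.
KNOWN_SERVICE_ACCOUNTS = {"svc-ci-bot"}


def find_orphans(members: List[str],
                 roster: Dict[str, Tuple[str, Optional[date]]],
                 service_accounts: set,
                 today: date,
                 grace_days: int = 1) -> List[Orphan]:
    """Return org members who should no longer have access.

    A login is an orphan when HR marks it terminated and the offboarding
    grace period has passed, or when HR has no record of it at all. The
    "unknown" case is reported too: an account nobody can vouch for is an
    access-control gap even if the person turns out to be employed.
    """
    orphans: List[Orphan] = []
    for login in members:
        if login in service_accounts:
            continue
        record = roster.get(login)
        if record is None:
            orphans.append(Orphan(login, "unknown", None))
            continue
        status, ended = record
        if status == "terminated" and ended is not None:
            stale = (today - ended).days
            if stale > grace_days:
                orphans.append(Orphan(login, "terminated", stale))
    return orphans


def format_report(orphans: List[Orphan]) -> List[str]:
    """Human-readable lines, longest-stale access first."""
    ordered = sorted(orphans, key=lambda o: o.days_stale or 0, reverse=True)
    lines = []
    for o in ordered:
        if o.reason == "terminated":
            lines.append(f"{o.login}: terminated {o.days_stale} days ago, still a member")
        else:
            lines.append(f"{o.login}: not in HR roster")
    return lines


def check_constructed_data() -> List[Orphan]:
    """Run the reconciliation over the constructed sample as of 2022-08-24."""
    return find_orphans(GITHUB_MEMBERS, HR_ROSTER, KNOWN_SERVICE_ACCOUNTS,
                        date(2022, 8, 24))


if __name__ == "__main__":
    for line in format_report(check_constructed_data()):
        print(line)
```

In practice the member list comes from the API (paginated, with a token scoped to read org membership) and the roster from the identity provider or HRIS export, and the job runs on a schedule with the output routed to whoever owns offboarding. The grace period exists only to absorb same-day processing lag; anything beyond a day or two is a finding, and the days-stale figure is the number that tells you how long the gap has been open.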


I still think liability is the tool that will change how we approach security.

Right now breaches don’t cost much and cause a lot of harm. Companies have no incentive to drive the speed limit and listen to their engineers.


Not wanting to defend Twitter, but I'm pretty sure the situation is very similar across a whole lot of companies, even those that make security their main business, i.e. FireEye.

Because investing in IT security usually has no apparent profit incentives, so most companies' leadership will consider it something of very little importance funding-wise.

Particularly in the current climate where even minor hacks, and simple ransomware infections, are regularly made out as some kind of "act of God"/allegedly done by some super advanced "state actor", to create the narrative how it just wasn't preventable with the resources of a private company.

Which outsources all the responsibility to ominous intangible parties based on wonky, and often politically motivated, attribution, while holding nobody responsible for running outdated software in exploitable combinations, thus creating the problem in the very first place.


Twitter is like, the 7th season of "Silicon Valley"


Good job mudge! For those that don't know him, Mudge is kind of a big deal in cybersecurity:

https://en.wikipedia.org/wiki/Peiter_Zatko


Mudge = Competent advisor, Cybersecurity expert, Senate special witness.

Twitter board = Incompetent, Liars, Corporate cronies.

Which of these two sources do YOU believe is more reliable? Yeah. That's gonna be the general consensus.

Mudge-1 / Twitter-0


Call me paranoid but this is just too convenient.

In the next two months we have Elon’s Twitter trial where he’s expected to get railed. Despite waiving due diligence in his commitment to purchase Twitter he’s repeatedly made the claim without evidence that Twitter has made material misrepresentations about bots to him and investors. That would be fraud if true.

So right before the trial a “whistleblower” comes forward and makes claims that support Elon’s narrative. Weird. It’s just a little too convenient for me not to be at least skeptical.


While I'm sure Twitter and every social network internal politics suck and are full of sleazy people who hold themselves in very high regard, these accusations seem weak.

He appears to indicate precisely what is public, like the 5% bots, but then goes into the usual obscure "I know it's not that number and the structure is incentivized in the wrong way.."

Obviously he has an axe to grind and I wouldn't be shocked if Elon was directly involved with this, but I'm not sure this vagueness holds in court..


I did wonder about this ever since the Ahmad Abouammo story broke. How did a media partnerships manager have access to so many random users' private info? That stank of poor access controls:

https://www.justice.gov/opa/pr/former-twitter-employee-found...


-- I've always (since the 90s) used the rule of thumb treat everything on the internet as if it's compromised - I employ low personal security - however i also employ low trust - wouldn't go so far as to blame the users or the platforms - i'd blame both equally - user education is low - false sense of security is high - as the years have gone by - adjustments have been made on my side: comments sections are probably misinformation - emails from people I know may or may not be real - emails from people I don't know are probably not real - use pen and paper for things that need to stay relatively confidential - this is how I was taught to use the internet in the early days - still use it this way today --


The bots problem is an absolute nightmare issue for a social network. I can't imagine what I'd do if I discovered my network was fake. The whole point of my network is building professional connections and gaining skills for work.

Also seeing various weird topics on twitter like kpop or other random things always made me wonder how much artificial bot boosting was done for those who had money to pay the bot net.


FYI Kpop is "very" popular in some segments of American culture that you just might not cross over with. I experience it frequently in the "Team Fight Tactics" ecosystem which is an E-Sport run by Riot Games (of League of Legends fame) that for some reason contains a very large Asian American population (in relation to their % of the population) and all of them frequently stream Kpop to large audiences. The largest streamer for this game "K3Soju" is one of the top 10 streamers on Twitch frequently pulling in over 20,000 viewers. All of these people are very active on Twitter. I point this out because I doubt things like this going viral on Twitter are necessarily the result of bot networks instead of just the result of corners of the internet that we don't encounter.


What I find peculiar about the kpop crowd is how they seemingly appear out of nowhere and on-demand in political topics to drown out/cancel people who don't like them or share their values.

In Korea a blogger was able to see how BTS fans or "bots" were able to game the music ranking. What's interesting to me is how they seemingly correlate with wumaos as well.

I don't have solid evidence but it appears that much of the "stan" (kpop mob on social media) are very much politically aware and push a certain side of the spectrum.

All of this makes for some bizarre dynamics and I'm afraid that youngsters who are caught up in the craze don't know that they are being manipulated by a very large crowd that behaves in bot-like ways or are herded into specific political flashpoints without understanding the underlying nuances.


I think youngsters are very nuanced, actually, but their political tactics are adapted to a full acknowledgement of an algorithm as a player in the political landscape game. Take the teenager who took being dunked on by a republican politician for being fat and used it to make herself viral in raising like 700k for abortion. That's not a kid who is caught up in a craze-- that's a kid who is fully aware of how social media functions and is using it to politically outmaneuver opponents. I think they look bizarre, but that's because the landscape they have to "win" in is bizarre. The incentives are twisted and the genz know it.


Hmmm, I don't know about those particular examples, they seem pretty clear cut, and I recognize that they are aware of how to play the game. But what I mean is that certain special interest groups that overlap with foreign interests seem to be able to continue the youngest and, as you put it, the most "apt" userbase to proliferate messaging and goals of that collective.

For example, tiktok was recently outed to run keyloggers, and those genz who are "stanning" are also likely sending back all these crucial data points. This is not a conspiracy theory but the very reality that we are dealing with that those who do not share our values and way of life are able to not only cast a wide surveillance of its most vulnerable demographic but manipulate reality for them in all sorts of ways to identify "enemies of the movement" and overwhelm them.

What disturbs me most is that there is this disjointed, water-and-oil dynamism between the two political spectrums engaged in this toxic social media warfare aimed at sowing discord and turning its masses to feel ill, with society, stability and question everything we have.

It is this unwitting participation by the genz of the grander ulterior motives and agendas highlighted by special interest groups that have overlapping values with foreign states that know what strings to pull and the silence in response that worries me.

America's hostile nations know they cannot beat it militarily and they have developed very imaginative and creative asymmetric solutions to subvert and sabotage it from within, and the current state of this side vs that side makes it impossible to formulate a collective bipartisan response to steer the ship in the right direction.

We are not taking this issue of weaponized social media seriously and we see this first hand by how little enforcement/recourse there is for data privacy breach. We know that privacy of the individual is one of THE key pillars of open society and unfortunately the waters are murky and there is no guidance anymore.

In a few decades we will see what the result of this trojan horse experiment is, but the current trajectory is not looking good. Gen Z suffer from the highest rate of mental health issues, and have access to an unprecedented amount of information and foreign subversion. When I realized your own flag is becoming a symbol of hatred, we reached a potentially irreversible stage of complexity, and with that only increases risks.


Is this not a generic phenomenon though with no specific relation to Kpop? I was involved in campus recruiting a decade ago and remember distinctly all of the deep discussions the students were having about Kony2012 and what they should do about it during the recruiting dinners. How and why these political flash mobs form online doesn't seem well understood and will no doubt spawn dozens to hundreds of papers over the next few decades examining it.


People don't do that unless they are paid somehow. It's organized activity if you search properly under each time it trends... One or a few accounts will post a keyword or phrase, and then all the subsequent accounts will constantly post with the words spelled exactly the same. Twitter suppresses coordinated activity from many other accounts, and it's against their rules, but somehow they allow it to go on regularly for certain topics like KPOP and BTS, and it results in a lot of streams and album sales only for whoever is trending.

This is also likely why Twitter makes it very hard to scroll to tweets at the beginning of when a trend started, and why timestamps are not really shown for the beginning of a trend to the public.


This is the most tinfoil hat way to misunderstand young people I've ever seen.

People absolutely do that, just because they think it's fun.


I run a relatively large social media group. We have a following of about 10k.

Even with FB's automated tools (which are surprisingly good), we still have to "prune" ~10 bot accounts per day.

If we weren't strict about this, in a year 25% of our group would be bot accounts.


> The whole point of my network is building professional connections and gaining skills for work

And you're afraid of getting interesting insights from and interacting with bots ... ?


Well if a Bot could recommend me for a job, I'd feel different.


The KPOP spam is regularly littered with bot accounts posting the same comments regularly.

If you have a platform as prominent as Twitter, making it onto the trending timeline can be very profitable for musicians. The same major industry artists regularly trend on Twitter because they command most of the profit, and then often use a percentage of that for paid and bot promotion. It's just my opinion, but Twitter facilitates and permits that bad behavior regularly because they profit off of the activity too.

There is not much more frustrating than being a creator or artist and competing with major industry forces that have unlimited funding and internal contacts within Twitter that ensure that trending is on rails daily. It's not only bots, it's the sponsored and sanctioned control of what trends that is a hallmark of the platform.


Amazing how little has changed in 20 years...

https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-...


Ah yes, came for the obvious response which I essentially do see here. Cybersecurity is awful at twitter, but that's because cybersecurity is awful everywhere.


I mean separately from security questions here, it seems not great that 'public social media' platforms are operating their own DMs

DMs should be BYO provider


"Twitter has hidden negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bots on its platform, according to testimony from the company’s former head of security, the legendary hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko."

"Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning."

What a bombshell! Maybe Elon Musk's complaints about Twitter have more merit than anyone expected.

What might the SEC and shareholders do in response?


>What might the SEC and shareholders do in response?

If shareholders believe this, they can do a variety of things such as sell the stock (smaller holders), or demand answers from leadership that go beyond "Yeah, we're secure" (bigger holders such as Saudi Arabia).


Some options that shareholders would have in the situation where investors were knowingly deceived by false disclosures of a publicly traded company are missing from this response.


Namely, the ability for shareholders to sue Twitter.


Their disclosures are similar to this: we check for bots, use a process, the process could be wrong.


Mudge alleges that their disclosures were a less than good faith attempt to gauge the figure.

Mudge also raises a number of allegations not pertaining to bots, including that Twitter has deliberately failed to abide by the terms of a federal consent decree. If proven out, that fact alone would constitute a material adverse effect.


> Maybe Elon Musk's complaints about Twitter have more merit than anyone expected.

Not the bot complaints, anyway, because "failed to properly estimate the number of bots on its platform" has been covered off by Twitter's consistent "this is how we estimate by sampling, it's a finger in the air guess, could be right, could be miles off, there's no standard methodology for this" stance in their SEC filings since 2013 (which no-one has questioned until now, mind.)


> What a bombshell! Maybe Elon Musk's complaints about Twitter have more merit than anyone expected.

Anything Elon or crypto related is still being spammed heavily with giveaway/impersonation bots. Nothing has changed. The spam/bot problem is as bad now as it has ever been, and likely is worse than assumed, because it includes not just obvious spam accounts, but legit accounts that have been taken over by spammers or repurposed for spamming. So there is a % of accounts which are obvious bots and then another % of accounts that exhibit bot-like behavior. Given how much time Elon spends on Twitter and his first-hand experience with scammers using his name and spamming his comments, I think his assessment is probably more accurate compared to what Twitter is claiming.


His complaints don't hold merit because he entered into a binding agreement to buy Twitter after waiving due diligence rights. Zatko was fired in January. Musk had and waived his chance to discover these things. It's too late now.


>waiving due diligence rights

Pop legal quiz - does "waiving due diligence rights" during an acquisition remove the other party's liability for fraud they've committed against the prospective buyer?


Pop legal quiz - define « fraud ».

Musk literally tweeted about the « bot problem » on Twitter before the acquisition.


"All multifarious means which human ingenuity can devise, and which are resorted to by one individual to get an advantage over another by false suggestions or suppression of the truth. It includes all surprises, tricks, cunning or dissembling, and any unfair way which another is cheated."


So is Musk guilty of defrauding twitter by using aggressive acquisition tactics as a pretense to get access to internal nonpublic information to use against them?


The only honest answer I can give there is, "I don't know". So far as I'm aware, Twitter hasn't alleged that, no evidence has been presented supporting such an allegation, and generally it seems a heavy burden to present a court with convincing evidence of a conspiratorial theory like that, but I can't categorically say what Elon Musk's motives weren't.


Not only that, it seemed like a reason he wanted to buy Twitter.


> the other party's liability for fraud

What fraud though?


The fraud that Mudge alleges in this article, for instance?


We’re missing the connection to Musk here. Care to enlighten us about your theory?


There seems to be the impression that "waiving due diligence" in an acquisition is some license for the seller to defraud the potential buyer without recourse.

If Mudge's allegations are true that Twitter has been defrauding the public in their reporting, failing to abide by the terms of a federal consent decree, and generally turning a blind eye to real problems to prop up their image, then "waived due diligence" or not, Musk has an out from the acquisition, and cause for a significant tort claim.


I think this is spot on - it's still possible to make the contract voidable if you misrepresent what you're selling.


It's not just this, but a long series of Twitter-related debacles, that are starting to look less like a company in trouble, and more like a company circling the drain. Do we have any real reason to think Twitter might not be able to survive all this? No one seems to think they're profitable, not even when ad revenue generally was a lot better than the economic environment we're going into. No one who's capable of buying it seems to want to buy it; the reason the poison pill vs. Elon Musk's initial purchase attempt was dropped, is that they checked around and got no other buyers. It's not just the legal and PR problems, it's that there's no $$$ on the other side to make it worth those problems, and we're heading into a "you need to make money" environment. I think they might be circling the drain...


It's important not to forget that certain Twitter users share incredibly sensitive data over Twitter, increasingly including nudity and sexual acts (sometimes on private profiles or in DMs, so they're not meant to be public).

While one may (not wrongly) think that this is a bad idea in general (unless you subscribe to post-privacy), I think it is our duty as a society to protect those who don't have a full grasp on the implications of bad IT security.

In my opinion, fines for cyber security violations should be swift and harsh (GDPR goes in the right direction in terms of how high the fines are, but it is barely enforced). From my POV that is the only thing that will force companies to actually invest in cybersecurity. Maybe there should even be a law mandating security reviews if you handle any PII.


So the CNN article lacks any detail really. There are things on the surface that sound bad but without context it's impossible to tell.

Has anyone gone through the Washington Post story and the PDFs and found the real issues?


If it's your job to address specific issues and you fail to do that, how is that whistleblowing? If this person can't prove they were blowing whistles before termination, well, that's a lot of egg to wear on one's face.


These days whenever the media bestows "whistleblower" status on someone I become instantly suspicious.


Yeah, but Elon knew all of it.


I think it's a pretty open secret that Twitter is a fairly broken company. It's no surprise that their security practices are bad, because all their practices are bad. It's also very difficult to view this in isolation when you have the timeline of (1): Fired in January, nothing happens. (2) Musk makes offer for twitter then reneges. (3) Months before the lawsuit gets decided re-emerges with accusations.

What happened that caused him to suddenly start whistleblowing now, and not in January? Was it the same thing that caused Ken Paxton in Texas to start investigating Twitter?

This just looks like pretty plain mud-slinging from Musk's team to be honest. Especially since the whistleblower seems to basically be blowing the whistle on himself.


Apparently he started the whistleblowing process before any Musk involvement with Twitter.

https://twitter.com/KimZetter/status/1562061556745089025


> Apparently he started the whistleblowing process before any Musk involvement with twitter.

According to his lawyer as reported by someone on Twitter. IIRC, lawyers make statements that guilty clients are innocent all the time.

If he was working with Musk to help him wiggle out of the Twitter deal, it would fatally undermine the goal for him to come out publicly about the relationship. I'm skeptical unless they can provide verifiable 3rd party evidence (e.g. some document filed before the deal).


Linking to a Twitter thread is a little indirect, but Kim Zetter is a reporter on the infosec beat, and if you scroll up, you can see the link to the CNN article she's discussing. Also here's a video that includes the lawyer saying it out loud. https://mobile.twitter.com/donie/status/1562020176278716416 (@donie is the first person to talk in the video.)


So instead of taking a statement from the lawyer you think it makes more sense to wildly speculate and make things up? The burden of proof falls on the other side now to prove the whistle blowing started after Musk.


A statement from a lawyer saying "this is older" isn't evidence. Until the lawyer shows an example of any form of whistleblowing predating Musk, this is still on them.


I mean I want to give the guy the benefit of the doubt but is the only evidence that was the case this journalist saying "Mudge totally told me he did this before Musk got here I swear."


It doesn't really sound like you want to give him the benefit of the doubt.


Mudge: "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said.

Seems like a legit answer. No need to accuse people of slinging mud.


Jack Dorsey's not there anymore, and the current executives clearly have a different view. So I think the question of "why now and why like this" is still open. Given how many savvy technologists use HN, I'd bet we could put together a list of thousands of companies with concerning-to-reckless security practices. But for better or worse, most of us don't end up getting our concerns on CNN.


Looking at @paraga's response over the incident, I don't see how attacking Mudge Zatko's character helps here. Does he know it can backfire?

https://twitter.com/donie/status/1562069281545900033


Alleged whistleblower publicly attacks company's reputation... A-okay, I hate big tech companies.

CEO of company defends organization and says previous employee has ulterior motives... Not okay, I hate big tech companies.

See a trend here?


If you've worked for any major F500 enterprise, this is all par for the course. Currently on a contract with a healthcare giant, and while security is pretty tight because HIPAA, generally everything else is chaotic. I'm going to speculate that Twitter is probably worse than the mean, but at pretty much every large company that operates massive pieces of software, you're gonna get a ton of chaos by default.


This was my reaction, too. And I'd add: the legal requirement is basically to have 'industry standard' security; no more and no less. There is no legal requirement to have air-tight security (which probably isn't even technically possible at a company of this scale anyway).


An important detail: the whistleblower is Mudge. I'm at a bit of a loss for words comparing him to Ken Paxton.


> Especially since the whistleblower seems to basically be blowing the whistle on himself.

Whistleblowers are by definition insiders.


Sure, but it's not normally the guy in charge of security that gets to complain the security isn't good enough.


I seem to read fairly often about security folk (or even plain ol' sysadmins) bemoaning their companies' security, like their presence or oversight is a box checking exercise rather than a real commitment.


Being in charge of security usually means two things:

1. You find out all the problems.

2. You can't fix all of them (many reasons here, not all malicious) and are set up to take the fall.

Rinse and repeat.


Yes, but that's not the point here.

A typical whistleblower would say "There were security problems, and the head of security ignored them."

Here, it's "I was the head of security, and security was shitty. I was doing a shitty job, and that's a terrible scandal!"


He tried to change things and was stopped by people actually in power (CEO, the board). Being head of security means nothing if you aren't allowed to do your job. He was also there for less than 2 years. If you read the article, you'll find that Twitter has had awful security practices since at least 2010.


How do you know that? The only way you'd find out is if there is a lawsuit that exposes said information. Everyone here is assuming because they want to believe Twitter is an evil behemoth. I'm not suggesting they are wrong, but this guy could have done the bare minimum for all we know thinking his status gave him basically a free income to do almost nothing. I would wait until more information comes out before making such generalized assumptions.


We're all speculating here.

But if I were a betting man, I do think both Twitter and Mudge's respective track records would place me in Mudge's camp.


I don't know Mudge and neither does 99.9% of the public. His timing here is suspect. If these problems existed for so long, why now?


I'm not sure why any sizeable portion of the public would know _any_ reputable cyber security experts. Twitter's CEO said the firing was due to "the impact on top priority work", and whistleblowing 6 months later isn't a surprising timeline when you need to have long talks with an attorney and get your own work-life situated.


Mudge specifically referenced Musk in his complaint. This isn't just 6 months of due diligence; it's targeted and timed for maximum damage.


That's probably the only thing that could lend Twitter any credence. Though, I'm not sure if they published the 200 page complaint, but none of the news outlets have said that he specifically references Musk, just that Twitter employees weren't aware of the amount of bots on the platform and were discouraged from doing so.

I did find one say that the complaint was already in progress before Musk's deal, and Musk rightly tried to subpoena Mudge for his recent exit. It does sound reasonable that the bot comment was added in light of the fiasco with Musk's deal.


He just got fired in January. Preparing a 200-page legal document with references and accounts takes time. It had been submitted some time ago, it's only now that CNN got a hold of a copy.


A 200 page document may take some time, but we don't know how the document is even formatted. Have they even released a copy? It could be 200 pages but only 20 pages of basic accusations with no real details for all we know, just pandering to congress and a bunch of email threads trying to indicate something without any context. I still would advise everyone to withhold judgement at this time.


I'm relaying information from the article based on the 200-page document sent to government agencies. Everything else is speculation based on nothing.


As others have said, being head of security is meaningless if the people in charge of actually making changes refuse to make the changes you prescribe.

I've been in that situation at a previous job. The infrastructure for our service was set up so that EC2 instances would start up and pull their code from a central repo. But this repo was open to the world and did not require authentication. It was only a matter of time before some malicious user discovered this and our proprietary server code got leaked.

It took weeks of hounding and escalating until something changed, and at first all they did was change the security groups to limit where you could connect from, and even the first patch merely limited it to a few /8 and /16 CIDRs that covered massive swaths of AWS-owned IPs. They still didn't require authentication.


It's more like "I was head of security and the CEO blocked me and tried preventing me reporting the true state of affairs to the board."


I think the thing about reporting things to the board is extremely open to interpretation. The board doesn't need to know absolutely every skeleton in the closet - especially if you're aware and in the process of fixing something.


It's not his responsibility if someone with more power is sabotaging his work. He tried to do his work, realized it was not possible, and escalated to a higher authority. A bit unusual, but technically a way to maybe solve the problem and still do the job at the end.


To be honest, Twitter didn't manage expectations. If I register on such a platform, I expect my mail/pwd combination to stay reasonably safe. Reasonably, because there is never a guarantee.

The rest of these expectations are entirely on the users. If people take security as seriously as they proclaim, they should not have registered. To now demand meticulous access controls sounds a bit neglectful to me...


It takes time to compile documents and write these things.


You’re ascribing the worst possible motives to someone based on your hatred of Elon Musk. Someone who has no known relationship with Musk, who has claimed publicly they started this process before Musk was involved with Twitter, and who is a long-standing and well regarded figure in the infosec world.

I think you’re gonna need more than Musk Derangement Syndrome fueled conspiracy theories to make your accusations stick here.


>You’re ascribing the worst possible motives to someone based on your hatred of Elon Musk.

I'm not going to claim some big conspiracy here, but I do find this beyond coincidence.

I don't think that this is coming out now because Mudge is acting on behalf of Elon. I think Elon's Twitter bid (and ensuing drama and upcoming lawsuit) and this revelation are part of the same agenda. For better or worse, it looks like influential powers that be are going to take down/over Twitter.


>it looks like influential powers that be are going to take down/over Twitter

Let them, Twitter can't get any worse.

At the very least, let's get to the bottom of the bot problem and expose these companies who rely on bot activity to drive their MAU numbers and, as a result, their inflated valuations.


>> thing that caused Ken Paxton in Texas to start investigating Twitter?

Immediately thought of this item that came up in my Twitter news feed last week [0]

>> "Elon Musk went to Kevin McCarthy’s Party last night in Wyoming—to celebrate Liz Cheney’s loss. While speaking at the MAGA party, Musk asked everyone to deny that he was there. Musk made sure that no press was allowed anywhere near the property — then people started posting selfies"

I'm sure Musk wasn't there to privately insult the Republican leaders by acting like they're the ugly person that they'll date in private but don't want anyone knowing about — he's almost surely seeking some kind of influence/benefit.

Maybe coincidence, but I certainly wonder about the purpose?

[0] https://twitter.com/FriendEden100/status/1559974086264209414


Did you read the article before slinging mud yourself? The whistleblower has been communicating with DC way before EM entered the picture.

Media only got its hands on the leaked material now.


Not exactly. The CNN article doesn't say that, and The Verge's piece[1] on this puts it together pretty clearly.

>Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning.

So, breaking it down more concisely:

1.) Fired in January

2.) Musk tries to buy Twitter in early April

3.) Complaint filed with SEC in July by Mudge ("way [after] EM entered the picture")

4.) WaPo published redacted, 200-page report today

[1] https://www.theverge.com/2022/8/23/23317857/twitter-whistleb...

Edit: This is not an endorsement of mud-slinging, just an attempt to make sure everyone knows what actually happened and when, at least as best we can discern at this point.


From the complaint (pg 9):

  > Please note that Mudge began preparing these disclosures in
  > early March 2022, well before Mr. Musk expressed any 
  > interest in acquiring Twitter, and has not communicated 
  > these disclosures to anyone with a financial interest 
  > in Twitter.

Why debate what the timelines implied by various articles are when the primary source is available and makes a clear statement on this matter?


>Why debate what the timelines implied by various articles are when the primary source is available and makes a clear statement on this matter?

Probably because most of us in the chain you're replying to didn't have the time to read an 84-page source document in the middle of a work day (note the time of our comments and how late to this particular chain you are), hoping that a nugget of information like that would be dropped pretty early on in it. Hence my edit at the end, which I had hoped would have made it clear that I was open to being corrected.

But thank you so much for that snarky comment while you clarified things. You're so much better than us for finding that, how could we have ever been so daft? Forgive us?


I didn’t intend any snark, it was an honest question.

Apologies for having offended you.


Nah, I think it's my fault. I have realized this week that I'm dealing with a lot of tough shit and haven't been handling it well. I think I've taken to looking for arguments on HN (and other places) as an outlet and, in hindsight, I am pretty sure that was one of those moments.

It's not fair to you, and I'm sorry. Hope ya have a great rest of the week. :)


Props for being vulnerable and introspective, which is not always easy.

Here’s hoping you overcome the things you are struggling with!


Cheers. :)


Thank you for this comment.

And much good luck with your situation.


:)


I read the article, and it doesn't say what you said.

>Zatko began the whistleblower process before there was any indication of Musk’s involvement

Define "Began the whistleblower process". Because that seems like an extremely fuzzy way of saying this. And even if you accept that he was genuinely a whistleblower in good faith trying to do this, which I'm perfectly willing to accept, the fact it's coming out in public now is still convenient timing.

It does say

>The disclosure, sent last month

Which means that the actual firm date we have coincides perfectly with Musk's legal wranglings.


And they say the Tesla fans are a cult... I'm at a loss for words.


In real life, if you're in the public square shouting your opinions at whomever will listen it's somewhat risky. Twitter are just providing the same digital risk for the modern public square. It's a feature, not a bug.


This was my first thought. TFA claims he started the whistleblower process before the Musk deal was signed. Seems kind of fishy though.


Maybe, just maybe, Twitter is actually a poorly run company and it's not a conspiracy.


[flagged]


I don't remember conservatives threatening Twitter to censor "dangerous" views or "misinformation" or telling who to ban.


They push for censorship of pornographic material, which is less dangerous than misinformation about vaccines.


What's the problem with making public pages SFW?


It's censorship


[flagged]


Bigger example: Donald Trump called Net Neutrality "Obamacare for the Internet", back when the bug-bear was Comcast rather than FAANG.


Ending the enforcement of Net Neutrality was not about censoring content or subjects.


The specific worry about Net Neutrality was that ISPs would use their monopoly power to censor specific sources and/or self-preference their own businesses. It's something that should have been expanded to large online platforms rather than being disposed of entirely.


As you said, it was a worry, but ending Net Neutrality about enforcing government censorship was never even an argument being made at all by any sides of the issue.


Justice Brett Kavanaugh[0] argued that Net Neutrality specifically violated the 1st Amendment because Comcast should decide what speech they do and don't retransmit.

[0] https://techcrunch.com/2017/05/01/judge-argues-net-neutralit...


You are making a false comparison. They refused to write a particular message, not to not serve the customer a cake.


False. Get your facts straight before misstating established facts in public. The baker in fact refused to make any cake whatsoever for a same-sex wedding. If you are fuzzy on this, watch the interview with the baker himself in this article:

https://www.nytimes.com/2018/06/04/us/politics/supreme-court...


Because a random bakery shop is totally like a pseudo-monopolistic social media giant that can censor millions arbitrarily and at will.


it's not a monopoly because there are alternatives, and it only has a 10% market share in the US (https://gs.statcounter.com/social-media-stats/all/united-sta...).

The bakery also sets precedent as it did go to the supreme court, and it was used as a rallying cry by politicians on the right.


So, in simpler words, they are indeed a pseudo-monopolistic (pseudo means apparent, something very close to but not quite there) social media giant that can indeed censor millions (10% of the USA's population is 30 million) arbitrarily and at will? Ok :)

And whether a bakery serves your gay wedding or not is perhaps the most petty and inconsequential thing to be upset about. There are thousands upon thousands of bakeries in a large city. You can learn how to bake a cake in a weekend and home-bake your wedding cake yourself, or any one of your wedding guests can do this as a wedding gift. You can go to a no-gays-allowed bakery but simply not tell them you're gay, and take a finished cake from them then write your own name and that of the guy you will marry on it yourself. You can not get cake at all and instead get any of the thousand other types of wedding sweets and food.

It's almost like the whole thing is a hilarious non-issue that some people just invented to cry and act like victims about.


Monopoly on what?

There are not thousands of bakeries in any city. Many towns might have none, or one. In that regard, the bakery will have an actual monopoly on baked goods to people living there.


The baker is a person with rights as well; you can't force him to make a special-order cake for something he disagrees with. You can force him to sell standard cakes, and they offered to sell standard cakes in the case, but the customers wanted to force him to make a designed cake, and that would be against the baker's individual rights.

Large corporations lack those individual rights for obvious reasons, so large corporations should be forced to provide services to everyone even though individuals shouldn't always be.


>Monopoly on what?

On users. Any network is worth a function of the number of nodes in it (typically a quadratic). Social media are networks that link humans, and there is a finite number of humans (or, more accurately, internet-connected humans with time to spare) that grows very slowly and inevitably will stagnate. That means a social network is in direct zero-sum competition with all the other networks, and a giant like Twitter hurts everybody else by concentrating a significant proportion of users into a single (awful) place, destroying competition by the lock-in effects of network dynamics.

>There are not thousands of bakeries in any city

There are in my city, actually. Dialing the number down to the hundreds or the high tens doesn't significantly change the validity and implications of the argument either.

> In that regard, the bakery will have an actual monopoly on baked goods to people living there.

If you can actually prove that in a court, and if you furthermore prove that the complaining party will incur significant costs to themselves if they try to seek another bakery elsewhere (by a reasonable legal definition of 'significant'), then you have my full blessing to force people to bake your cake.

Until then, comparing an easily replaceable food product with tons of suppliers and publicly available recipes to a proprietary service supplied by a corporation with thousands of servers, thousands of employees and tens of millions of users is ideologically motivated bullshit.


Discrimination against gays may be "petty" for you, but actually, you're the petty one for saying that.


Again, it set a legal precedent and it's a restriction on freedom; there shouldn't be a threshold to care.


It has to be an impressive kind of hypocrisy to panic about individuals refusing to associate with individuals out of their own free will and freak out hysterically about "restrictions on freedom"... then turn around and cheer on massive corporations censoring individuals with no oversight or recourse.


Musk's account was among those that were hacked in the 2020 high profile hack. He made the offer in 2022, he therefore can't claim to not have known that twitter's security isn't 100% and really can't use this in court, I guess


The contract Musk signed was very very one sided, from everything I've been reading there's very little Musk can claim that would let him scuttle the deal.


the contract does not allow twitter to commit fraud. Which they have.


How vague and impossible to meaningfully argue. What specifically do you claim they've been fraudulent about?


Honestly, can you really trust anything about major social media sites any more?

Has Twitter ever been in the news for properly making even a thousand people successful from scratch really ever in the product's life?

They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform, they extort people promoting their independent work for ad money, they don't protect anyone's privacy, they are VERY MANIPULATIVE in multiple (psychological) ways, they offer very little support or fairness when accounts are compromised, hijacked, or stolen, and they impose a stranglehold on information through lobbies and suppression of independent art and music.

Social media took over the Internet after they wooed everyone into the ideal that they would operate fairly. Now that they have captured full attention, they have turned on users and they offer very little to anyone who doesn't pay, and can't offer reliable security to anyone. There are some serious "God Complexes" going on with having access to the personal data these systems harvest ON EVERYONE in conjunction with mobile devices.

I really hate to say it would actually probably make me feel better if most of the large data monitoring sites/apps went away rather than stayed in place, because they make almost every aspect of the Internet work against us all.

Twitter has had several opportunities to fix how it operates. The platform also generates tons in annual revenue to fix how it operates. Twitter has lots of employees that could fix how it operates. Twitter has also had numerous security breaches, and it regularly causes tons of stress for users. Twitter continues to focus on only pleasing its sponsors, investors, and execs year after year and repeatedly stretching the promises it was built upon.

I can't say I want to see this whale fail, but I won't miss it if it does.


I think it is clear we need more public regulation over these companies, and a lot of the mechanisms need to be embedded in a non-profit / social utility system, given they DIRECTLY impact politics. Anything that democracy is reliant upon should not be subject to private, opaque control.

In the case of data harvesting, data is the most valuable resource. You can control what people want using data. No entity should have unfettered access to data — it is undeniably evil in the truest sense of the word. Which, in the context of my use, means to decay forward progress or to increase aggregated suffering.

They will not fix these issues until the public makes it so painful not to, that they must. As an example, how is Experian still in business after what they’ve done? They should have had a $100 billion+ fine levied against them, and that fine should pierce through limited liability to the extent that the board of directors and C-level staff are liable for it. The company and any owners of it should be bankrupted and living in poverty after what they’ve done.

Until we make PEOPLE liable for the evils they induce on others, this will keep happening. I don’t get limited liability if I went out and murdered someone, why should the PEOPLE running companies have limited liability when they murder millions with pollution, or with financial terrorism? Answer: they shouldn’t.


If it impacts politics then it is one more reason not to be regulated by politicians.


Government regulation spans further than just rules engineered by a few politicians, it can be publicly voted upon, and it can dictate minimum standards that are upheld across private business for everyone's safety, which in this case is highly warranted.

It's the best chance we have to stop this horrible trend. Companies have shown repeatedly that they are not trustworthy nor responsible enough to self-regulate.


> Government regulation spans further than just rules engineered by a few politicians, it can be publicly voted upon

You're making a distinction without making a difference. Regulating public forums for their content outside of illegal content has never not been abused. The UK is learning this the hard way with the police "checking the thinking" of netizens.

If you think companies are bad, then imagine politicians. I can switch off to another social media but I can't switch out to another state.


> Has Twitter ever been in the news for properly making even a thousand people successful from scratch really ever in the product's life?

There was the Arab Spring (https://en.m.wikipedia.org/wiki/Arab_Spring), where it played a significant role.


The Arab Spring should have been looked at as a warning sign, but everyone in America was still in full-on neoconservative "we will be welcomed as liberators" mode. No private company should have the power to overthrow governments.


> no private company should have the power to overthrow governments

Go tell that to Raytheon and Blackwater as well.


I wouldn't consider that as the success op means...

I mean, surely some people were successful, but the success of warlords intending to genocide blacks in Libya or starting a new violent caliphate or kidnapping boys en masse to be child soldiers is not the sort of success I want to be enabled with technology.


> Honestly, can you really trust anything about major social media sites any more?

Could you ever trust them? Honest question.


Sure you could! (Back when they were new and they wanted to woo you as a user, and when features and functionality worked as expected)... Hah.


> They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform

For what it's worth, as someone running a high-five-digits account, it is possible to get notable on Twitter - you just have to put in a ton of work to make quality content people are actually interested in.


Sure... In order to build a house, you just need to bring your motivation... And lots of time... And money... to hire an architect and an entire home building company... Without having any income the whole time...

Hard work for free does not make sense in this type of post-pandemic world we live in... It's too "Marie Antoinette-esque" of people to say it's anywhere near reasonable.


My point is, a lot of those wannabe "influencers" who complain the most about "boo hoo, Twitter/Instagram are so unfair" are simply putting out mediocre content.


> only pleasing its sponsors, investors, and execs

Yea, that's the game. They are a for profit business. This situation will happen every time. Profits over people, line must go up!


Yes and part of the profits are generated by their fake MAU numbers (bots). They are fraudulent above all else.


> Twitter continues to focus on only pleasing its sponsors, investors, and execs year after year

I mean, it's not really doing a good job of any of that either.


When is mudge going to audit tesla/spacex for "non-compliant kernels", "encryption at rest", etc, etc?

Everyone in this shameful industry knows that literally any company in the US would get shredded in such a vigorous audit and the silliest part is that twitter is a fucking shitposting platform that doesn't have my SSN or financial data so equating it to equifax in any way is absolutely laughable.


Please speak for yourself.


It does have your phone number though.


From Wikipedia: “He was the most prominent member of the high-profile hacker think tank the L0pht.”

That’s quite a generous take. There were plenty of excellent hackers in the 90s, but “L0pht” just seemed like the PR friendly one that could go on good morning America.

Can’t tell if this is real or just a 90s security person trying to stay relevant after being fired.


Whether or not it was high profile before they went on talk shows and before congress... it's definitely a high profile (historic) group now because they went on talk shows and before congress. :)

High profile doesn't mean best it just means high profile.


[flagged]


The article states he has had no contact with Musk and that the whistleblowing started before Musk attempted his takeover of Twitter ..


On the other hand, if you want to fan the conspiracy flames, he does have strong ties to Dorsey (via Stripe and Twitter) and Dorsey has always been Team Musk, especially re: the takeover.


It's tinfoil hat territory, but the connection could run the other way in principle: the ex-exec could have been shopping for someone to injure Twitter and cooked up a plot in which Twitter was an innocent victim and Musk a double-crossed coconspirator.

Why, it explains Musk's confidence that Twitter was up to something with its fake-account stats... It must be true!


Does Musk know Mudge?


How long before Musk weaponises this in his lawsuit against Twitter?


It may appear that this may get Musk off the hook for buying Twitter because "Look how bad they are!" but, as I recall, Musk's problem is that his offer was without contingency - e.g. "Yah, I'll buy it, whatever".

So it may just be another event which will drive Twitter's price down even further and make it a _worse_ deal for him.

From Bloomberg "The buyers could only back out of the agreement in the case of a material adverse effect, a high bar that excludes issues like market volatility or industry challenges." (https://www.bloomberg.com/news/newsletters/2022-07-13/elon-m...).

I suppose one could argue that the whistleblower's report is a "material adverse effect", something I'm sure will come out in the trial.


I think it is time to go a bit meta here, but I start to suspect that many HN posts are there to influence such things, including popular replies to @pmarca etc... When one says Netflix falls because it is not a tech company, the next day at HN comes an article saying how cool and techie it is, etc.

The reach of HN on the tech world is highly influential, and for sure it is weaponized in "communication wars" across actors with different interests.

EDIT: that doesn't mean that the given information is necessarily false, it is just presented at the right time, to promote one view of the world. Also when Twitter hit bottom some years ago several HN submissions reminded us how they declined being purchased by Facebook etc., and social network giants have a long track record of understanding how such information flows and influences people.


How long before people start conflating this story with Musk in an attempt to discredit both, you mean?


The modern equivalent of Godwin's law is mentioning either Tr*mp or El*n in any circumstance possible.


October 17


https://twitter.com/deitaone/status/1562069657582018560

So about a few hours.

> Walter Bloomberg (@DeItaone), 8:30 AM · Aug 23, 2022: ELON MUSK’S LEGAL TEAM HAS SUBPOENAED PEITER “MUDGE” ZATKO, TWITTER’S FORMER HEAD OF SECURITY - CNN


This guy is obviously paid off by Elon


After the Peter Thiel/Hulk Hogan incident, and especially considering Musk and Thiel are both Paypal mafiosi, it's quite possible.


>one or more current employees may be working for a foreign intelligence service.

I don't doubt this, but the source is someone with fairly deep ties to the US intelligence services. Why should he be allowed a job and not people with ties to foreign agencies?


Conflict of interest violations. Such violations are absolved through disclosure of known relationships, which cannot occur if persons are keeping ties to foreign intelligence services secret.


Is maintaining ties with US intelligence services a conflict of interest?


I don't believe that what Mudge is saying there is all that well quoted or explained. The argument I've heard him make, in other settings, is that companies that are interesting enough will get job applicants that are really moles for intelligence agencies. This is very difficult to stop, and once your company has enough employees, downright impossible. His recommendation however is not to make it impossible for people with ties to foreign agencies to join the company. Instead, it's to minimize the access that any individual mole might have. This would also apply if you consider US intelligence an attacker!

TLDR; Someone like Twitter, Google or Facebook should have 'some of our employees are malicious and sophisticated' as part of their threat model.


> Someone like Twitter, Google or Facebook should have 'some of our employees are malicious and sophisticated' as part of their threat model.

I would estimate there is a 100% chance that every one of those companies listed, has multiple employees who work for or are sources for US domestic and foreign intelligence services.

It should be expected and part of their internal systems that people only have access to the shared drives they are meant to.
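The two comments above both land on the same design principle: assume some insiders are hostile and bound what any one of them can reach. The following is an added illustration, not code from Twitter or from any of the commenters. It models a deny-by-default access policy with scoped grants and then audits the "blast radius" of each principal (the fraction of resources one account can reach), flagging anyone over a threshold. The principal names, resource paths, grants and the 25% threshold are all constructed sample data and assumed policy knobs.

```python
"""Insider-threat access model: deny by default, narrowly scoped grants,
and a blast-radius audit that flags any single principal who can reach
too much. Added example with constructed sample data; the threshold is an
assumed policy parameter, not anything from the article or complaint."""
from dataclasses import dataclass, field

ACTIONS = ("read", "write")


@dataclass(frozen=True)
class Grant:
    principal: str
    scope: str             # resource path prefix the grant covers
    actions: frozenset     # subset of ACTIONS


@dataclass
class Policy:
    grants: list = field(default_factory=list)

    def allow(self, principal, scope, *actions):
        unknown = set(actions) - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.grants.append(Grant(principal, scope, frozenset(actions)))

    def can(self, principal, action, resource):
        """Deny by default: access is permitted only if some explicit grant
        for this principal covers the resource's prefix and the action."""
        return any(
            g.principal == principal
            and action in g.actions
            and resource.startswith(g.scope)
            for g in self.grants
        )

    def reachable(self, principal, resources):
        """Every resource the principal can touch with any action."""
        return sorted(
            r for r in resources
            if any(self.can(principal, a, r) for a in ACTIONS)
        )


def blast_radius(policy, principals, resources, max_fraction=0.25):
    """Fraction of all resources each principal can reach, plus the list of
    principals whose reach exceeds max_fraction (the 'one mole' bound)."""
    total = len(resources)
    fractions = {p: len(policy.reachable(p, resources)) / total for p in principals}
    over = sorted(p for p, f in fractions.items() if f > max_fraction)
    return fractions, over


# Constructed sample inventory (hypothetical paths, not Twitter's systems).
RESOURCES = [
    "prod/ads/db",
    "prod/ads/reports",
    "prod/auth/session-keys",
    "prod/auth/user-pii",
    "prod/dm/messages",
    "prod/dm/media",
    "prod/infra/host-inventory",
    "prod/infra/deploy-configs",
]
PRINCIPALS = ["alice", "bob", "carol"]


def build_policy():
    """Three hypothetical staff accounts with deliberately different scopes."""
    p = Policy()
    p.allow("alice", "prod/ads/", "read", "write")   # service owner: own service only
    p.allow("carol", "prod/dm/messages", "read")     # support: one narrow read grant
    p.allow("bob", "prod/", "read")                  # blanket read: the thing to catch
    return p


def audit(max_fraction=0.25):
    """Principals whose reach exceeds the bound; this is what a periodic
    access review would page on."""
    _, over = blast_radius(build_policy(), PRINCIPALS, RESOURCES, max_fraction)
    return over


if __name__ == "__main__":
    policy = build_policy()
    fractions, over = blast_radius(policy, PRINCIPALS, RESOURCES)
    for name in PRINCIPALS:
        print(f"{name}: {fractions[name]:.0%} reachable -> {policy.reachable(name, RESOURCES)}")
    print("exceeds blast-radius bound:", over)
```

The point of the audit is that it is indifferent to intent: "bob" may be a perfectly loyal SRE, but a blanket read grant means a single compromised or turned account exposes everything, so the control is to shrink the grant, not to vet the person harder.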


>estimate there is a 100% chance that every one of those companies listed, has multiple employees who work for or are sources for US domestic and foreign intelligence services

What are you basing this on?


> companies that are interesting enough will get job applicants that are really moles for intelligence agencies

Or they will use money or kompromat to turn existing employees.


Zatko reported directly to the CEO, as a senior leader you need to take responsibility for your own work. Does anyone believe that in an organization as large as Twitter he didn't have enough resources to solve this? I imagine his budget ran in the tens of millions.


I can very much believe it. A CEO can, if they play their cards right, block the CTO from accomplishing what the CTO set out to do. Budget is not the problem. Approvals and alignment with board members are the problems. And if the CTO still decides to push forward, the CEO can still fire the CTO for underperformance which is exactly what you see in this story.


They could. But if someone has a cost effective plan to improve security, that's feasible to execute, why would they block it? It doesn't make sense, security issues are important and can cause damage to the business. Their CEO is an engineer, he knows this.

It seems more probable that this security leader failed to get buy in from the engineering teams, or that there was some technical debt that he couldn't get past.


OK, so their security is a mess, as many commenters have pointed out, they are one of many companies.

What I can't figure out is what's this guy's beef that he went revealing all this? Was he fired or demoted or something and thought to get his own back?


Look at Mudge's track record. He didn't become a security legend by staying quiet about problems, and if Twitter wasn't willing to address it internally...


"Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy. "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said."

Seems like a legit answer.


Everyone should watch L0phts congressional testimony.


Why assume the whistleblowing was done for negative reasons?


There's the beef https://www.bloomberg.com/news/articles/2022-08-23/twitter-w...

He was fired last January for alleged poor performance. Totally can see now why it's all come to light: less the altruistic urge to make things secure, and more the old case of flipping the bird to a former boss.



