[HN Gopher] How Saudi Arabia Infiltrated Twitter
___________________________________________________________________
How Saudi Arabia Infiltrated Twitter
Author : blatherard
Score : 248 points
Date : 2020-02-20 11:39 UTC (11 hours ago)
(HTM) web link (www.buzzfeednews.com)
(TXT) w3m dump (www.buzzfeednews.com)
| komali2 wrote:
| I remember serious concerns about Australian citizens suddenly
| being legally required to be spies for the Australian government
| regardless of where in the world they're working due to a new
| anti encryption law sometime in 2016. That and Twitter somehow
| being caught with their pants down regarding user phone numbers
| and other personal information makes it all the more important
| that all the engineers and product people on this site make it
| very clear to management that the systems must be set up in a way
| that simply doesn't allow people to access that information. It's
| morally good and it might prevent you from making the papers as a
| host of a bunch of spies that got your Chinese, Saudi Arabian, or
| Turkish users assassinated or jailed.
| BryantD wrote:
| I was wondering if it was an SRE when the original story came
| out.
|
| I'd be interested in seeing perspectives on how you avoid this
| scenario. While you could isolate data access by team in many
| models, you're still going to have engineers who have access to
| valuable data. Random access audits? But what about the scenario
| where your database lives on someone else's hardware?
|
| I guess you could always decide you want to use your cloud
| providers FedRAMP-compliant offerings.
| dgellow wrote:
| > At 5:17 p.m. he called a handler, identified as Associate-1 in
| the FBI complaint, who arrived in a white SUV two hours later.
| Driving around Alzabarah's neighborhood, the two men called
| "Foreign Official-l" -- al-Asaker, according to the Washington
| Post -- at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They
| then called Dr. Faisal Al Sudairi, the Saudi consul general in
| Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after
| midnight, the consul general called Alzabarah back and spoke with
| him for three minutes.
|
| Slightly off-topic: I feel that gives a good idea of how much
| information can be extracted from very simple metadata (here
| timestamp and number called) in that kind of context.
| grandridge wrote:
| They bought a huge chunk?
| Synaesthesia wrote:
| More like, there were Saudi spies within twitter, the company,
| telling the govt about dissidents.
| Shivetya wrote:
| so my question is simple, did twitter engage the FBI or an
| auditing company to verify the rest of the staff who have
| access to sensitive data?
|
| It would seem to be a concern they would have to follow up
| on. You can put in all the procedures you want and declare
| compliance to auditors but it only serves to make paper
| pushers happy.
| pferde wrote:
| I wonder - would such audit be in their interest? Perhaps
| it's easier for Twitter if foreign dissidents know that
| Twitter is not safe to use for them, and go elsewhere.
| Twitter then does not have a risk of politically charged
| situations, and can peacefully exist by serving the usual
| harmless inane chatter of general population.
| Natsu wrote:
| Why is this downvoted? It's true:
|
| https://qz.com/519388/this-saudi-prince-now-owns-more-of-twi...
|
| "Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011
| invested $300 million in the social network, now owns 34.9
| million shares of Twitter's common stock, according to a new
| regulatory filing (pdf)."
|
| That is from 2015, but as far as I know he still owns a huge
| stake in the company. It would seem relevant when discussing
| SA's influence on Twitter, but I don't see it mentioned in the
| article for some reason.
| slim wrote:
| je was arrested when MBS came to power in 2017
|
| https://www.nytimes.com/2017/11/04/world/middleeast/saudi-
| ar...
|
| he does not seem to be part of the "saudi intelligence
| community"
| duxup wrote:
| The downvotes are because the "infiltrated twitter" in the
| story has nothing to do with the investment.
| Natsu wrote:
| Why should we focus exclusively on low level henchmen when
| there's a huge Saudi influence on Twitter like that one?
|
| Why should we believe that owning the single largest stake
| --one even larger than the Jack's--isn't relevant when
| discussing how they influence Twitter to get what they
| want?
| duxup wrote:
| Well to start the actual information in the story is
| about the folks involved... and they got all that done
| without any overarching conspiracy from ownership.
|
| So is the risk here some unproven ownership influence, or
| the something any given dude can just go and do if he can
| get a job?
| pseingatl wrote:
| Sure. Nothing at all. Except that Prince Walid surrendered
| his investment to the same people who ran moles at Twitter.
| Nothing to see here. It's just a coincidence. Move along.
| j-c-hewitt wrote:
| They didn't really need the investment to plant the
| spies. He just applied for a job and got it. Any foreign
| spy can do the same and nothing will change.
| Natsu wrote:
| This seems to me like focusing on the trees instead of
| the forest. I would think that when discussing Saudi
| control over a company, we might be interested in more
| than just some low-level henchmen, but maybe the Saudi
| prince who owns a third of the company.
|
| To hear some other people talk, this is "conspiracy"
| territory now. But c'mon, we're supposed to believe that
| some nobody henchmen are solely responsible for this and
| ignore the fact that the Saudis own a third of the
| company.
| duxup wrote:
| >we're supposed to believe that some nobody henchmen are
| solely responsible for this and ignore the fact that the
| Saudis own a third of the company
|
| Without proof for your second part... yes.
| duxup wrote:
| The story likely plays out just the same regardless...
|
| I get what you're saying but the whole "it's a conspiracy
| here is some unrelated thing I can't connect but I'm
| suspicious" thing is such an easy to do, the internet is
| full of it... I don't think it adds anything, or is even
| accurate.
|
| And let's say somehow that thing with the investment
| doesn't happen.... I don't think that changes the story
| or the lessons from it.
| grandridge wrote:
| I'm amazed at how naive people are on this site about how
| the world works.
|
| And go ahead and quote my reply with the > and tell me
| awkshuwaly how wrong I am.
| duxup wrote:
| You're awkshuwaly wrong in the sense that the whole story
| doesn't need any kind of conspiracy regarding owning
| twitter to occur.
| grandridge wrote:
| My original comment was sarcasm but it's pretty funny
| watching so many get so butthurt on this site. And there
| is no conspiracy either, it's pretty straightforward. The
| two don't need to be related, but they are. But obviously
| you are all espionage experts on top of being experts on
| everything else
| duxup wrote:
| >The two don't need to be related, but they are
|
| There's nothing to indicate they are.
| wpietri wrote:
| I think that's a very strong claim. What's your evidence
| for it?
|
| I'm not saying the two things are related. But I'm happy to
| say that if I wanted to unduly influence a company, buying
| a significant part of it would be one of the things I'd
| look at.
| duxup wrote:
| > What's your evidence for it?
|
| Evidence for ... the investment being irrelevant?
|
| Can't prove a negative but there's nothing about the
| story that required any kind of investment to accomplish
| any of the events described.
| duxup wrote:
| I worked on a support team for a company that that had some major
| financal institutions as a customer.
|
| We had remote access to their networks at times. My very first
| day I was amazed how much access I had at will.
|
| One day it was announced that a customer had come to us and
| demanded everyone had to meet X requirements to be able to work
| on their networks.
|
| Not long after another financal institution made a similar
| request.
|
| Some folks inside the company were a bit riled up by the
| requirements (background checks, some other things). They felt
| the requirements were absurd.
|
| Considering the access we had I thought they weren't strict
| enough. As just a lowly support dude hired during the dot com
| boom because the company needed warm bodies (who could do some
| independent thinking / troubleshooting) ... I had a lot of
| access.
|
| I don't know if they were thinking about spying like this, but
| I'm always amazed how much access people have to data and etc
| just from a technical support perspective (forget developers...).
|
| Later the company outsourced support to other countries... I'm
| not even sure you need spies in the US / would know anyone was
| spying under those circumstances.
|
| Support teams are probabbly a hell of a lot cheaper / easier to
| infiltrate / they get little / poor management / oversight. I saw
| tons of strange choices by our outsourced technical support
| staff, every single time I raised concerns it was discarded by
| something to the effect of "yeah they suck".
|
| And that doesn't account for all the financial institutions who
| outsourced their own direct ops teams to other countries ... I'd
| call them and if they ever were capable of following instructions
| 9x out of 10 they'd open up the wrong network / modems / etc.
| BiteCode_dev wrote:
| Currently reading snowden book, "Permanent record". At one
| point he says that private companies do a huge amount of work
| for the NSA & Co, and have ridiculous level of access to vast
| arrays of personal data, which they proceed to give to their
| employees or subcontractors for processing.
|
| I expect FAANGS to do the same.
| Aachen wrote:
| > My very first day I was amazed how much access I had at will.
|
| Another branch where you might expect security awareness is
| anti virus companies. I'm a pentester and in smallish companies
| everyone knows everyone, but nobody knows me, yet most days I
| can tailgate into the office without question. This morning a
| lady asked suspiciously "are you looking for someone?" and I
| just replied that I know where to go, thanks. I walked on and
| she didn't pursue. Free rein.
|
| I don't have to mention any specific company, this happens
| everywhere. Helpful, trusting that everything will be alright,
| clicking links... Vulnerabilities help but they are optional.
| dwild wrote:
| A few months ago in Quebec we got a big cooperative bank
| "hacked" that way by an employee that got offered money by some
| insurance reseller.. He was able to export the data of 4.5
| millions persons out and sell it to them. We recently found out
| that they were offering 40k$ to get it. Sure you could
| infiltrate them, but seems like even buying the data is quite
| accessible too.
| carlmcqueen wrote:
| This is a very common answer to these stories on hackernews but
| this one is from a humble point of view that truly brings home
| the point.
|
| My side is that I worked for a bank on the brokerage side for
| ten years in different positions. What always struck me was
| that my access was very carefully controlled, I was a
| background checked employee and had to meet with compliance
| once a year, etc etc.
|
| However when a law firm asked for anything or consultants said
| they needed more data they just sent massive data dumps to the
| network admin guy, no questions further asked. At least not at
| my pay grade.
|
| As I've consulted I ask for only what I need to keep my own
| risk down but it is always a surprise to my clients I don't
| want PII I don't need and only the data that my model will help
| enhance.
| gowld wrote:
| > I was a background checked employee and had to meet with
| compliance once a year,
|
| That doesn't protect you from accessing and leaking data.
| harry8 wrote:
| Note the difference:
|
| Senior managers don't need to control the servants' access
| because they won't take your job, they're lesser beings in
| the caste system. The control is there for those who might
| take your job or customers because they are caste
| equivalents.
|
| At no stage are customers' concerns so much as considered.
| Control is not of the data, it's the vital control of peers
| and rivals. If you're not a rival, who cares?
| duxup wrote:
| Yeah I had a similar experience in terms of security being
| strong in one place. .. and non existant (as I describe)
| elsewhere.
|
| Some of our customers did have pretty strong proesses in some
| places... but then zero when a process changes or something
| like that.
|
| Lots of: "Oh no we can't do that because <security>".
|
| Ok makes sense. It's a hassle but it is a good policy.
|
| "But you can..."
|
| All sense out the window, everything is undone.
| Zenst wrote:
| It's a tale that plays out in many forms. In the early 80's
| I worked for a goverment entity and had tough physical
| security to enter the building - however, monthly fire
| drill would see this large building empty onto the open
| carpark that was easily accessible as no perimeter fence
| and with that and the aspect that when re entering the
| building after the fire-drill, there was always one fire
| door open to circumvent the bottleneck at reception and
| with that - no security checks then.
|
| Though many instances of weak links in process due to human
| nature that get overlooked and only come to light once
| there is an incident.
|
| Which is the crux, incidents cause things to change, yet if
| you see that potential flaw the gravatas you have in
| flagging that issues is often dismissed because it hasn't
| happened. That is sadly often a pattern we see play out
| time and time again in many forms.
| murph-almighty wrote:
| Literally yesterday we had an issue with someone trying
| to piggyback into the office behind an employee who had
| badged in. Said person was intoxicated and removed his
| pants in the elevator, so it was immediately apparent
| there was a problem, but what happens when it's someone
| more nondescript?
| grimjack00 wrote:
| About two years after my company was bought by a larger
| one, I was the first person at the office one morning,
| only to find someone waiting outside the doors. Before I
| could ask, he introduced himself as an employee from an
| out-of-town office, and produced a company ID, so I let
| him in with me.
|
| We had been told to expect some visitors from that
| office, but I was almost hoping he was not legit, since
| most of us at my location still do not have a company ID,
| so I couldn't really say if his was real or not.
| mc32 wrote:
| Companies who offshore also run across this dilemma. This is
| how companies can lose IP to competitors.
|
| Let's say an IC designer offshores some work, that company has
| other clients as well and the off shore company has access to a
| lot of the R&D of the client company. Lots of things can happen
| in that situation and does happen.
| onetimemanytime wrote:
| Not being a smart ass but how do background checks work for
| foreign persons? Say for a former student that came to USA 5
| years ago and is 23 years old? Odds are that he will look clean
| in every way. Even if he's a spy all traces are covered.
|
| My other comment was sent to oblivion because it is politically
| incorrect, but the reality is that a lot students have
| loyalties to the old country. Also when you add the family back
| there and corruption being a normal way of getting things done,
| these things are bound to happen. I don't suggest to freeze
| them out, just don't be surprised.
| Aachen wrote:
| Your other comment says different things though. I think it's
| a fair question "how do background checks work for foreign
| persons" vs "IMO, it's wayyy much easier to corrupt people
| from second or even third world countries, there corruption
| is the norm".
| onetimemanytime wrote:
| It is wayyyyyyy much easier, I'll repeat. To get things
| done corruption is used and the government can make or
| break, virtually everything in your life. Or your
| families'.
|
| A lot of things are broken in USA but it's light years away
| in that department compared to a lot of countries.
| lkbm wrote:
| I worked at a charter school for a while, and had access to the
| test scores and demographic data (including dob and ssn) not
| just for our students, but for every public school student in
| Texas, past and present.
|
| Data security is a myth.
| duxup wrote:
| School's in particular are horrible.
|
| The knowledge level on those staff's is often near 0, they
| operate with wonky budgets (here is a gazillion dollars for
| ipads... no money to maintain them or the rest fo the
| systems), and are just making do the best they can.
|
| The IT staff at one complained to me the librarian at one
| elementary school kept changing things on them. In reality
| she had a clue and they couldn't even operate rudimentary
| role based access type system to stop her.
| Loughla wrote:
| This is a function of how schools are funded in the US.
| This is the system you asked for through voting and tax
| policy (maybe not you, but you being the broad citizen).
|
| Living inside the beast for my entire career - We have just
| enough funding to keep the doors open, and remain staffed
| at a minimal level. Additional funding, above what we can
| raise through local taxes, ALWAYS comes with an asterisk.
|
| So we can get access to $50,000 supplemental funding this
| year, awesome. But we have to buy I-pads. Nevermind that
| literally every other piece of technology in the building
| is windows based. Oh, and we cannot spend that on
| infrastructure upgrades to the wi-fi system to support the
| extra capacity. And it has to be spent in six months or you
| lose it.
|
| It's the way we're funded in the US. It isn't necessarily a
| function of the schools or the staff therein. Those people
| are generally trying to do their best.
|
| It's the shit system and it needs to be burnt to the
| ground.
| simonw wrote:
| That thing where US schools are paid for by property
| taxes is so gross. Talk about a policy designed to
| maintain inequality.
| reaperducer wrote:
| It's not a U.S. thing. It's a state thing. Not every
| state funds its schools through real estate taxes.
|
| Nevada, for example, is funded by sales taxes, ad valorem
| property taxes ("property" as in things, not houses and
| land), gambling taxes, federal money, estate taxes, and
| mining taxes.
|
| http://ftp.ccsd.net/directory/budget-
| finance/pdf/Funding_K-1...
| beauzero wrote:
| ...and don't forget Erate dollars. Can't fund redundant
| systems, etc.
| https://www.fcc.gov/consumers/guides/universal-service-
| progr...
| reaperducer wrote:
| _This is a function of how schools are funded in the US._
|
| Not just schools. A lot of government-related sectors.
|
| Transit is a big one. Back when I used to follow this
| sort fo thing, I would see a lot of municipalities
| turning down federal grants because the money could only
| be spent on buses, trains, an related infrastructure; and
| the towns and cities didn't have the money to pay for the
| people involved.
|
| Maybe when self-driving vehicles become common, this
| won't be so much of a problem anymore.
| chaostheory wrote:
| Years ago, the key code to one of the back doors of a very
| large and well known financial institution in SF was extremely
| simple and consequetive and 4 digit sequence that everyone
| including contractors knew. I wonder if they ever fixed it?
| onetimemanytime wrote:
| People from certain countries are different, they have different
| values and some loyalties to the old country. IMO, it's wayyy
| much easier to corrupt people from second or even third world
| countries, there corruption id the norm.
|
| Money is not an issue for a nation state and then they can fix
| things for family back home etc etc so they are bound to find
| people that say yes.
| loup-vaillant wrote:
| > _Ali Alzabarah was panicked. His heart raced as he drove home
| from Twitter's San Francisco headquarters in the early evening on
| Dec. 2, 2015._
|
| Ok, how could you possibly know that? That's a pretty good
| _guess_ , but writing it like it was the start of a novel...
| fells like read bait, really. Especially given the following:
|
| > _Alzabarah, Abouammo, and al-Asaker did not respond to requests
| for comment._
| herendin2 wrote:
| In the same article, the FBI quotes his private messages from
| his email account that same year.
| saber6 wrote:
| Yet another reason why Twitter should be banished to the depths
| of hell - what a stupid shit-show of a company.
|
| I eagerly anticipate their downfall. Just like I did MySpace. And
| hopefully someday, Facebook. Fuck these parasites.
| tasogare wrote:
| It was never really useful anyway as the noise is exponentially
| more present than few useful tweets.
| dang wrote:
| OK, but please don't post unsubstantive comments to Hacker
| News. Maybe you don't owe shit-shows of companies better, but
| you owe this community better if you're commenting here.
|
| https://news.ycombinator.com/newsguidelines.html
| seemslegit wrote:
| tldr; With money.
| mc32 wrote:
| I don't know why they started the blue checkmark.
|
| It's not to verify identity. It's more like imprimatur (anointed
| by Twitter as whatever). And that is stupid because it's
| basically up to the whims of the company and becomes open to
| abuse internally and externally.
| goatinaboat wrote:
| It originally was to verify identity. Then they started
| withdrawing it from controversial figures, as if those people
| stopped being who they really were overnight. Nowadays it just
| means "this persons views are endorsed by Twitter staff".
| chrisseaton wrote:
| > Nowadays it just means "this persons views are
| representative of Twitter staff".
|
| For example both Sanders and Trump have a blue tick. They
| obviously can't simultaneously be representative of a
| majority of Twitter's staff's views, can they? And I'd
| estimate Trump isn't representative of a substantial number
| of these west-coast tech workers at all. So that doesn't seem
| to hold up.
| mc32 wrote:
| Trump is a special case in that Twitter said that they
| would treat heads of state (both foreign and domestic)
| differently. They might have something internal for
| accounts with large followings (Kardashians).
|
| Assange is an interesting case in that despite renown and
| following they refuse to give him a check mark and
| suspended the WL account as well.
| chrisseaton wrote:
| Ok, excluding heads of state, and even other politicians,
| are for example the views of Jordan Peterson
| representative of Twitter employees? Seems unlikely.
| [deleted]
| goatinaboat wrote:
| I expect his is a holdover from before and it will be
| revoked as soon as they notice.
|
| PS I tweaked my comment after you started to write your
| reply but before I saw it; the wording is better now but
| the meaning is basically the same. Sorry!
| danbolt wrote:
| I haven't researched it, but I'd assume that Donald Trump
| had a blue checkmark back when he was widely known as a
| media personality and landlord.
| SpicyLemonZest wrote:
| That's surely not true. Lots of people have blue checks even
| though Twitter staff would never endorse their views - Ben
| Shapiro, Steven Crowder, Candace Owens, and so on.
| wpietri wrote:
| You're correct that it's generally not true. But the grain
| of truth is that they did punish some notable jerks by
| removal of verified status:
| https://money.cnn.com/2017/11/15/technology/twitter-
| verifica...
|
| IMHO these were pretty clear anti-abuse actions. But of
| course those people claim that they were being punished for
| their views.
| mc32 wrote:
| I think the claim is a little more nuanced. Basically yes
| those people went over a line and got punished but at
| least some claim that others also go over that line but
| don't get punished (as often).
|
| I don't know how true that rings.
| chrisseaton wrote:
| > It's not to verify identity.
|
| I think that is precisely the purpose. If you're looking for
| Donald Trump's Twitter profile the idea is the blue tick helps
| you find the right one rather than a parody.
| i_am_nomad wrote:
| Except the blue check can be and has been revoked for reasons
| that have nothing to do with identity.
| uk_programmer wrote:
| IIRC it was originally to verify celebs real accounts. Then
| they said anyone with more than a certain number of followers
| and now it seems to be just a status symbol.
| wpietri wrote:
| The original purpose was definitely to verify identity. Since
| parody accounts are allowed, it's valuable to be able to tell
| the real X from a parody X. This was especially true early on
| in Twitter's history. It was also useful in encouraging famous
| people to get on Twitter. "Look, if you start you own account,
| we'll clearly distinguish it for you. No more fakes!" And
| having famous people on Twitter was hugely valuable to
| encouraging growth.
|
| Unfortunately, there's a strong correlation between "useful to
| verify" and "important", so pretty quickly it became a status
| symbol, especially for marginally notable people. And some
| people really like status! It's very similar to the problem
| Wikipedia has, where they daily have to delete a lot of BS
| biographies from the would-be famous.
|
| This means that the program has been a headache for Twitter for
| a long time. I know when I worked there in 2017 they announced
| that they were suspending the program pending a major revamp of
| how it works. As far as I know nothing came of that; I think
| they quietly started giving out blue checkmarks again a while
| back.
|
| Personally, what I'd like to happen is that they make it much
| broader and roll it up in a "Premium Twitter" feature. I pay
| them $50/year, they verify that I'm who I say I am, get rid of
| ads, and throw in a few other features. But I doubt that will
| happen, as IMHO Twitter is incredibly bad at getting anything
| done.
| mc32 wrote:
| I agree with your take and suggestions. They probably feel it
| would dilute the value. As you suggest, they could add
| "Premium" or "Pro" labels to distinguish people who pay for
| status. Maybe charge them by audience or reach as well.
| baybal2 wrote:
| I'd also remind that Twitter is surprisingly leaky for Chinese
| using it, even for people who can get foreign simcards to
| register an account.
|
| API leak is one hypothesis, another one is that they got a mole
| there too.
|
| The same goes to Facebook. A number of FB users got detained in
| China with no better explanation than MSS getting access to FB's
| internal information like phone ID and IMSI data in user
| database.
|
| The most probable explanation people have crafted is following:
|
| 1. Using internal or external tips, MSS gets user account info of
| a person of interest
|
| 2. Their mole accesses the user database for info on cookies,
| IMSI, advertising ID and such
|
| 3. MSS than cross-references the data with data on the open
| market, like IMSI databases sold by mobile advertising companies
|
| 4. One way ticket to Heilongjiang is issued the next day, once
| the identity of the person is confirmed using logs of phone
| companies or ISPs.
| j-c-hewitt wrote:
| Why would a serious government not walk through the open door
| and take what they needed while their agents collect two
| salaries? It's just a win-win for foreign intelligence. They
| would be negligent in their duties to NOT infiltrate US
| companies with open doors and permissive, trusting internal
| policies about user data.
|
| Then the company can do the liability minimization dance when
| the FBI comes and points out that they are running a cheap data
| service for foreign spies. "We, uh, had no idea..."
| freepor wrote:
| LOL @ "a mole." China has at least a dozen moles inside
| Twitter. At least a hundred inside Google.
___________________________________________________________________
(page generated 2020-02-20 23:00 UTC)