[HN Gopher] How Saudi Arabia Infiltrated Twitter ___________________________________________________________________ How Saudi Arabia Infiltrated Twitter Author : blatherard Score : 248 points Date : 2020-02-20 11:39 UTC (11 hours ago) (HTM) web link (www.buzzfeednews.com) (TXT) w3m dump (www.buzzfeednews.com) | komali2 wrote: | I remember serious concerns about Australian citizens suddenly | being legally required to be spies for the Australian government | regardless of where in the world they're working due to a new | anti encryption law sometime in 2016. That and Twitter somehow | being caught with their pants down regarding user phone numbers | and other personal information makes it all the more important | that all the engineers and product people on this site make it | very clear to management that the systems must be set up in a way | that simply doesn't allow people to access that information. It's | morally good and it might prevent you from making the papers as a | host of a bunch of spies that got your Chinese, Saudi Arabian, or | Turkish users assassinated or jailed. | BryantD wrote: | I was wondering if it was an SRE when the original story came | out. | | I'd be interested in seeing perspectives on how you avoid this | scenario. While you could isolate data access by team in many | models, you're still going to have engineers who have access to | valuable data. Random access audits? But what about the scenario | where your database lives on someone else's hardware? | | I guess you could always decide you want to use your cloud | providers FedRAMP-compliant offerings. | dgellow wrote: | > At 5:17 p.m. he called a handler, identified as Associate-1 in | the FBI complaint, who arrived in a white SUV two hours later. | Driving around Alzabarah's neighborhood, the two men called | "Foreign Official-l" -- al-Asaker, according to the Washington | Post -- at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They | then called Dr. Faisal Al Sudairi, the Saudi consul general in | Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after | midnight, the consul general called Alzabarah back and spoke with | him for three minutes. | | Slightly off-topic: I feel that gives a good idea of how much | information can be extracted from very simple metadata (here | timestamp and number called) in that kind of context. | grandridge wrote: | They bought a huge chunk? | Synaesthesia wrote: | More like, there were Saudi spies within twitter, the company, | telling the govt about dissidents. | Shivetya wrote: | so my question is simple, did twitter engage the FBI or an | auditing company to verify the rest of the staff who have | access to sensitive data? | | It would seem to be a concern they would have to follow up | on. You can put in all the procedures you want and declare | compliance to auditors but it only serves to make paper | pushers happy. | pferde wrote: | I wonder - would such audit be in their interest? Perhaps | it's easier for Twitter if foreign dissidents know that | Twitter is not safe to use for them, and go elsewhere. | Twitter then does not have a risk of politically charged | situations, and can peacefully exist by serving the usual | harmless inane chatter of general population. | Natsu wrote: | Why is this downvoted? It's true: | | https://qz.com/519388/this-saudi-prince-now-owns-more-of-twi... | | "Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 | invested $300 million in the social network, now owns 34.9 | million shares of Twitter's common stock, according to a new | regulatory filing (pdf)." | | That is from 2015, but as far as I know he still owns a huge | stake in the company. It would seem relevant when discussing | SA's influence on Twitter, but I don't see it mentioned in the | article for some reason. | slim wrote: | je was arrested when MBS came to power in 2017 | | https://www.nytimes.com/2017/11/04/world/middleeast/saudi- | ar... | | he does not seem to be part of the "saudi intelligence | community" | duxup wrote: | The downvotes are because the "infiltrated twitter" in the | story has nothing to do with the investment. | Natsu wrote: | Why should we focus exclusively on low level henchmen when | there's a huge Saudi influence on Twitter like that one? | | Why should we believe that owning the single largest stake | --one even larger than the Jack's--isn't relevant when | discussing how they influence Twitter to get what they | want? | duxup wrote: | Well to start the actual information in the story is | about the folks involved... and they got all that done | without any overarching conspiracy from ownership. | | So is the risk here some unproven ownership influence, or | the something any given dude can just go and do if he can | get a job? | pseingatl wrote: | Sure. Nothing at all. Except that Prince Walid surrendered | his investment to the same people who ran moles at Twitter. | Nothing to see here. It's just a coincidence. Move along. | j-c-hewitt wrote: | They didn't really need the investment to plant the | spies. He just applied for a job and got it. Any foreign | spy can do the same and nothing will change. | Natsu wrote: | This seems to me like focusing on the trees instead of | the forest. I would think that when discussing Saudi | control over a company, we might be interested in more | than just some low-level henchmen, but maybe the Saudi | prince who owns a third of the company. | | To hear some other people talk, this is "conspiracy" | territory now. But c'mon, we're supposed to believe that | some nobody henchmen are solely responsible for this and | ignore the fact that the Saudis own a third of the | company. | duxup wrote: | >we're supposed to believe that some nobody henchmen are | solely responsible for this and ignore the fact that the | Saudis own a third of the company | | Without proof for your second part... yes. | duxup wrote: | The story likely plays out just the same regardless... | | I get what you're saying but the whole "it's a conspiracy | here is some unrelated thing I can't connect but I'm | suspicious" thing is such an easy to do, the internet is | full of it... I don't think it adds anything, or is even | accurate. | | And let's say somehow that thing with the investment | doesn't happen.... I don't think that changes the story | or the lessons from it. | grandridge wrote: | I'm amazed at how naive people are on this site about how | the world works. | | And go ahead and quote my reply with the > and tell me | awkshuwaly how wrong I am. | duxup wrote: | You're awkshuwaly wrong in the sense that the whole story | doesn't need any kind of conspiracy regarding owning | twitter to occur. | grandridge wrote: | My original comment was sarcasm but it's pretty funny | watching so many get so butthurt on this site. And there | is no conspiracy either, it's pretty straightforward. The | two don't need to be related, but they are. But obviously | you are all espionage experts on top of being experts on | everything else | duxup wrote: | >The two don't need to be related, but they are | | There's nothing to indicate they are. | wpietri wrote: | I think that's a very strong claim. What's your evidence | for it? | | I'm not saying the two things are related. But I'm happy to | say that if I wanted to unduly influence a company, buying | a significant part of it would be one of the things I'd | look at. | duxup wrote: | > What's your evidence for it? | | Evidence for ... the investment being irrelevant? | | Can't prove a negative but there's nothing about the | story that required any kind of investment to accomplish | any of the events described. | duxup wrote: | I worked on a support team for a company that that had some major | financal institutions as a customer. | | We had remote access to their networks at times. My very first | day I was amazed how much access I had at will. | | One day it was announced that a customer had come to us and | demanded everyone had to meet X requirements to be able to work | on their networks. | | Not long after another financal institution made a similar | request. | | Some folks inside the company were a bit riled up by the | requirements (background checks, some other things). They felt | the requirements were absurd. | | Considering the access we had I thought they weren't strict | enough. As just a lowly support dude hired during the dot com | boom because the company needed warm bodies (who could do some | independent thinking / troubleshooting) ... I had a lot of | access. | | I don't know if they were thinking about spying like this, but | I'm always amazed how much access people have to data and etc | just from a technical support perspective (forget developers...). | | Later the company outsourced support to other countries... I'm | not even sure you need spies in the US / would know anyone was | spying under those circumstances. | | Support teams are probabbly a hell of a lot cheaper / easier to | infiltrate / they get little / poor management / oversight. I saw | tons of strange choices by our outsourced technical support | staff, every single time I raised concerns it was discarded by | something to the effect of "yeah they suck". | | And that doesn't account for all the financial institutions who | outsourced their own direct ops teams to other countries ... I'd | call them and if they ever were capable of following instructions | 9x out of 10 they'd open up the wrong network / modems / etc. | BiteCode_dev wrote: | Currently reading snowden book, "Permanent record". At one | point he says that private companies do a huge amount of work | for the NSA & Co, and have ridiculous level of access to vast | arrays of personal data, which they proceed to give to their | employees or subcontractors for processing. | | I expect FAANGS to do the same. | Aachen wrote: | > My very first day I was amazed how much access I had at will. | | Another branch where you might expect security awareness is | anti virus companies. I'm a pentester and in smallish companies | everyone knows everyone, but nobody knows me, yet most days I | can tailgate into the office without question. This morning a | lady asked suspiciously "are you looking for someone?" and I | just replied that I know where to go, thanks. I walked on and | she didn't pursue. Free rein. | | I don't have to mention any specific company, this happens | everywhere. Helpful, trusting that everything will be alright, | clicking links... Vulnerabilities help but they are optional. | dwild wrote: | A few months ago in Quebec we got a big cooperative bank | "hacked" that way by an employee that got offered money by some | insurance reseller.. He was able to export the data of 4.5 | millions persons out and sell it to them. We recently found out | that they were offering 40k$ to get it. Sure you could | infiltrate them, but seems like even buying the data is quite | accessible too. | carlmcqueen wrote: | This is a very common answer to these stories on hackernews but | this one is from a humble point of view that truly brings home | the point. | | My side is that I worked for a bank on the brokerage side for | ten years in different positions. What always struck me was | that my access was very carefully controlled, I was a | background checked employee and had to meet with compliance | once a year, etc etc. | | However when a law firm asked for anything or consultants said | they needed more data they just sent massive data dumps to the | network admin guy, no questions further asked. At least not at | my pay grade. | | As I've consulted I ask for only what I need to keep my own | risk down but it is always a surprise to my clients I don't | want PII I don't need and only the data that my model will help | enhance. | gowld wrote: | > I was a background checked employee and had to meet with | compliance once a year, | | That doesn't protect you from accessing and leaking data. | harry8 wrote: | Note the difference: | | Senior managers don't need to control the servants' access | because they won't take your job, they're lesser beings in | the caste system. The control is there for those who might | take your job or customers because they are caste | equivalents. | | At no stage are customers' concerns so much as considered. | Control is not of the data, it's the vital control of peers | and rivals. If you're not a rival, who cares? | duxup wrote: | Yeah I had a similar experience in terms of security being | strong in one place. .. and non existant (as I describe) | elsewhere. | | Some of our customers did have pretty strong proesses in some | places... but then zero when a process changes or something | like that. | | Lots of: "Oh no we can't do that because <security>". | | Ok makes sense. It's a hassle but it is a good policy. | | "But you can..." | | All sense out the window, everything is undone. | Zenst wrote: | It's a tale that plays out in many forms. In the early 80's | I worked for a goverment entity and had tough physical | security to enter the building - however, monthly fire | drill would see this large building empty onto the open | carpark that was easily accessible as no perimeter fence | and with that and the aspect that when re entering the | building after the fire-drill, there was always one fire | door open to circumvent the bottleneck at reception and | with that - no security checks then. | | Though many instances of weak links in process due to human | nature that get overlooked and only come to light once | there is an incident. | | Which is the crux, incidents cause things to change, yet if | you see that potential flaw the gravatas you have in | flagging that issues is often dismissed because it hasn't | happened. That is sadly often a pattern we see play out | time and time again in many forms. | murph-almighty wrote: | Literally yesterday we had an issue with someone trying | to piggyback into the office behind an employee who had | badged in. Said person was intoxicated and removed his | pants in the elevator, so it was immediately apparent | there was a problem, but what happens when it's someone | more nondescript? | grimjack00 wrote: | About two years after my company was bought by a larger | one, I was the first person at the office one morning, | only to find someone waiting outside the doors. Before I | could ask, he introduced himself as an employee from an | out-of-town office, and produced a company ID, so I let | him in with me. | | We had been told to expect some visitors from that | office, but I was almost hoping he was not legit, since | most of us at my location still do not have a company ID, | so I couldn't really say if his was real or not. | mc32 wrote: | Companies who offshore also run across this dilemma. This is | how companies can lose IP to competitors. | | Let's say an IC designer offshores some work, that company has | other clients as well and the off shore company has access to a | lot of the R&D of the client company. Lots of things can happen | in that situation and does happen. | onetimemanytime wrote: | Not being a smart ass but how do background checks work for | foreign persons? Say for a former student that came to USA 5 | years ago and is 23 years old? Odds are that he will look clean | in every way. Even if he's a spy all traces are covered. | | My other comment was sent to oblivion because it is politically | incorrect, but the reality is that a lot students have | loyalties to the old country. Also when you add the family back | there and corruption being a normal way of getting things done, | these things are bound to happen. I don't suggest to freeze | them out, just don't be surprised. | Aachen wrote: | Your other comment says different things though. I think it's | a fair question "how do background checks work for foreign | persons" vs "IMO, it's wayyy much easier to corrupt people | from second or even third world countries, there corruption | is the norm". | onetimemanytime wrote: | It is wayyyyyyy much easier, I'll repeat. To get things | done corruption is used and the government can make or | break, virtually everything in your life. Or your | families'. | | A lot of things are broken in USA but it's light years away | in that department compared to a lot of countries. | lkbm wrote: | I worked at a charter school for a while, and had access to the | test scores and demographic data (including dob and ssn) not | just for our students, but for every public school student in | Texas, past and present. | | Data security is a myth. | duxup wrote: | School's in particular are horrible. | | The knowledge level on those staff's is often near 0, they | operate with wonky budgets (here is a gazillion dollars for | ipads... no money to maintain them or the rest fo the | systems), and are just making do the best they can. | | The IT staff at one complained to me the librarian at one | elementary school kept changing things on them. In reality | she had a clue and they couldn't even operate rudimentary | role based access type system to stop her. | Loughla wrote: | This is a function of how schools are funded in the US. | This is the system you asked for through voting and tax | policy (maybe not you, but you being the broad citizen). | | Living inside the beast for my entire career - We have just | enough funding to keep the doors open, and remain staffed | at a minimal level. Additional funding, above what we can | raise through local taxes, ALWAYS comes with an asterisk. | | So we can get access to $50,000 supplemental funding this | year, awesome. But we have to buy I-pads. Nevermind that | literally every other piece of technology in the building | is windows based. Oh, and we cannot spend that on | infrastructure upgrades to the wi-fi system to support the | extra capacity. And it has to be spent in six months or you | lose it. | | It's the way we're funded in the US. It isn't necessarily a | function of the schools or the staff therein. Those people | are generally trying to do their best. | | It's the shit system and it needs to be burnt to the | ground. | simonw wrote: | That thing where US schools are paid for by property | taxes is so gross. Talk about a policy designed to | maintain inequality. | reaperducer wrote: | It's not a U.S. thing. It's a state thing. Not every | state funds its schools through real estate taxes. | | Nevada, for example, is funded by sales taxes, ad valorem | property taxes ("property" as in things, not houses and | land), gambling taxes, federal money, estate taxes, and | mining taxes. | | http://ftp.ccsd.net/directory/budget- | finance/pdf/Funding_K-1... | beauzero wrote: | ...and don't forget Erate dollars. Can't fund redundant | systems, etc. | https://www.fcc.gov/consumers/guides/universal-service- | progr... | reaperducer wrote: | _This is a function of how schools are funded in the US._ | | Not just schools. A lot of government-related sectors. | | Transit is a big one. Back when I used to follow this | sort fo thing, I would see a lot of municipalities | turning down federal grants because the money could only | be spent on buses, trains, an related infrastructure; and | the towns and cities didn't have the money to pay for the | people involved. | | Maybe when self-driving vehicles become common, this | won't be so much of a problem anymore. | chaostheory wrote: | Years ago, the key code to one of the back doors of a very | large and well known financial institution in SF was extremely | simple and consequetive and 4 digit sequence that everyone | including contractors knew. I wonder if they ever fixed it? | onetimemanytime wrote: | People from certain countries are different, they have different | values and some loyalties to the old country. IMO, it's wayyy | much easier to corrupt people from second or even third world | countries, there corruption id the norm. | | Money is not an issue for a nation state and then they can fix | things for family back home etc etc so they are bound to find | people that say yes. | loup-vaillant wrote: | > _Ali Alzabarah was panicked. His heart raced as he drove home | from Twitter's San Francisco headquarters in the early evening on | Dec. 2, 2015._ | | Ok, how could you possibly know that? That's a pretty good | _guess_ , but writing it like it was the start of a novel... | fells like read bait, really. Especially given the following: | | > _Alzabarah, Abouammo, and al-Asaker did not respond to requests | for comment._ | herendin2 wrote: | In the same article, the FBI quotes his private messages from | his email account that same year. | saber6 wrote: | Yet another reason why Twitter should be banished to the depths | of hell - what a stupid shit-show of a company. | | I eagerly anticipate their downfall. Just like I did MySpace. And | hopefully someday, Facebook. Fuck these parasites. | tasogare wrote: | It was never really useful anyway as the noise is exponentially | more present than few useful tweets. | dang wrote: | OK, but please don't post unsubstantive comments to Hacker | News. Maybe you don't owe shit-shows of companies better, but | you owe this community better if you're commenting here. | | https://news.ycombinator.com/newsguidelines.html | seemslegit wrote: | tldr; With money. | mc32 wrote: | I don't know why they started the blue checkmark. | | It's not to verify identity. It's more like imprimatur (anointed | by Twitter as whatever). And that is stupid because it's | basically up to the whims of the company and becomes open to | abuse internally and externally. | goatinaboat wrote: | It originally was to verify identity. Then they started | withdrawing it from controversial figures, as if those people | stopped being who they really were overnight. Nowadays it just | means "this persons views are endorsed by Twitter staff". | chrisseaton wrote: | > Nowadays it just means "this persons views are | representative of Twitter staff". | | For example both Sanders and Trump have a blue tick. They | obviously can't simultaneously be representative of a | majority of Twitter's staff's views, can they? And I'd | estimate Trump isn't representative of a substantial number | of these west-coast tech workers at all. So that doesn't seem | to hold up. | mc32 wrote: | Trump is a special case in that Twitter said that they | would treat heads of state (both foreign and domestic) | differently. They might have something internal for | accounts with large followings (Kardashians). | | Assange is an interesting case in that despite renown and | following they refuse to give him a check mark and | suspended the WL account as well. | chrisseaton wrote: | Ok, excluding heads of state, and even other politicians, | are for example the views of Jordan Peterson | representative of Twitter employees? Seems unlikely. | [deleted] | goatinaboat wrote: | I expect his is a holdover from before and it will be | revoked as soon as they notice. | | PS I tweaked my comment after you started to write your | reply but before I saw it; the wording is better now but | the meaning is basically the same. Sorry! | danbolt wrote: | I haven't researched it, but I'd assume that Donald Trump | had a blue checkmark back when he was widely known as a | media personality and landlord. | SpicyLemonZest wrote: | That's surely not true. Lots of people have blue checks even | though Twitter staff would never endorse their views - Ben | Shapiro, Steven Crowder, Candace Owens, and so on. | wpietri wrote: | You're correct that it's generally not true. But the grain | of truth is that they did punish some notable jerks by | removal of verified status: | https://money.cnn.com/2017/11/15/technology/twitter- | verifica... | | IMHO these were pretty clear anti-abuse actions. But of | course those people claim that they were being punished for | their views. | mc32 wrote: | I think the claim is a little more nuanced. Basically yes | those people went over a line and got punished but at | least some claim that others also go over that line but | don't get punished (as often). | | I don't know how true that rings. | chrisseaton wrote: | > It's not to verify identity. | | I think that is precisely the purpose. If you're looking for | Donald Trump's Twitter profile the idea is the blue tick helps | you find the right one rather than a parody. | i_am_nomad wrote: | Except the blue check can be and has been revoked for reasons | that have nothing to do with identity. | uk_programmer wrote: | IIRC it was originally to verify celebs real accounts. Then | they said anyone with more than a certain number of followers | and now it seems to be just a status symbol. | wpietri wrote: | The original purpose was definitely to verify identity. Since | parody accounts are allowed, it's valuable to be able to tell | the real X from a parody X. This was especially true early on | in Twitter's history. It was also useful in encouraging famous | people to get on Twitter. "Look, if you start you own account, | we'll clearly distinguish it for you. No more fakes!" And | having famous people on Twitter was hugely valuable to | encouraging growth. | | Unfortunately, there's a strong correlation between "useful to | verify" and "important", so pretty quickly it became a status | symbol, especially for marginally notable people. And some | people really like status! It's very similar to the problem | Wikipedia has, where they daily have to delete a lot of BS | biographies from the would-be famous. | | This means that the program has been a headache for Twitter for | a long time. I know when I worked there in 2017 they announced | that they were suspending the program pending a major revamp of | how it works. As far as I know nothing came of that; I think | they quietly started giving out blue checkmarks again a while | back. | | Personally, what I'd like to happen is that they make it much | broader and roll it up in a "Premium Twitter" feature. I pay | them $50/year, they verify that I'm who I say I am, get rid of | ads, and throw in a few other features. But I doubt that will | happen, as IMHO Twitter is incredibly bad at getting anything | done. | mc32 wrote: | I agree with your take and suggestions. They probably feel it | would dilute the value. As you suggest, they could add | "Premium" or "Pro" labels to distinguish people who pay for | status. Maybe charge them by audience or reach as well. | baybal2 wrote: | I'd also remind that Twitter is surprisingly leaky for Chinese | using it, even for people who can get foreign simcards to | register an account. | | API leak is one hypothesis, another one is that they got a mole | there too. | | The same goes to Facebook. A number of FB users got detained in | China with no better explanation than MSS getting access to FB's | internal information like phone ID and IMSI data in user | database. | | The most probable explanation people have crafted is following: | | 1. Using internal or external tips, MSS gets user account info of | a person of interest | | 2. Their mole accesses the user database for info on cookies, | IMSI, advertising ID and such | | 3. MSS than cross-references the data with data on the open | market, like IMSI databases sold by mobile advertising companies | | 4. One way ticket to Heilongjiang is issued the next day, once | the identity of the person is confirmed using logs of phone | companies or ISPs. | j-c-hewitt wrote: | Why would a serious government not walk through the open door | and take what they needed while their agents collect two | salaries? It's just a win-win for foreign intelligence. They | would be negligent in their duties to NOT infiltrate US | companies with open doors and permissive, trusting internal | policies about user data. | | Then the company can do the liability minimization dance when | the FBI comes and points out that they are running a cheap data | service for foreign spies. "We, uh, had no idea..." | freepor wrote: | LOL @ "a mole." China has at least a dozen moles inside | Twitter. At least a hundred inside Google. ___________________________________________________________________ (page generated 2020-02-20 23:00 UTC)