[HN Gopher] A Saudi prince's attempt to silence critics on Twitter
       ___________________________________________________________________
        
       A Saudi prince's attempt to silence critics on Twitter
        
       Author : leoschwartz
       Score  : 231 points
       Date   : 2020-09-01 15:37 UTC (7 hours ago)
        
 (HTM) web link (www.wired.com)
 (TXT) w3m dump (www.wired.com)
        
       | hellofunk wrote:
       | Very thrilling read, and the last paragraph sent chills up
       | through my back.
        
         | yboris wrote:
         | Last paragraph copy/paste:
         | 
         | "In May 2017, President Donald Trump made his first overseas
         | visit, a trip to Riyadh. Not long after his arrival, the
         | president toured King Salman's new anti-terrorism center, which
         | focused on tracking extremists on Twitter. Afterward, the
         | president, his wife, the king, and Abdel-Fattah el-Sisi of
         | Egypt gathered around an illuminated orb at the center of the
         | room and posed for a photo. Standing just outside the frame was
         | the kingdom's new social media specialist, Ali Alzabarah."
        
           | hellofunk wrote:
           | Sigh. I wondered if someone would come in here and do that.
           | The entire reason I did not paste it myself is because this
           | paragraph has a much different effect on the reader after
           | they have read the rest of the article and understand the
           | backstory.
           | 
           | Edit: Thanks for all the upvotes. I'm glad some in the HN
           | crowd appreciate quality over shortcuts and spoilers. (I was
           | starting to get discouraged!)
        
       | sneak wrote:
       | Meanwhile, if you create a new Twitter account today from a VPN
       | and follow 30 people, it will lock you out until you verify a
       | non-VoIP phone number.
       | 
       | Removing the number instantly re-locks the account.
       | 
       | It's really immoral that they demand identity-linked PII while
       | running such a loose ship, where anyone with enough money can buy
       | their way in to obtain that PII, track you down, and maybe cut
       | you up with a bone saw.
       | 
       | Twitter is complicit in this abuse, considering their explicit
       | technical steps taken to ensure that you _cannot use Twitter_
       | without exposing yourself to these sorts of criminals in the
       | governments of foreign countries, as well as similar ones in the
       | government of Twitter's own jurisdiction.
       | 
       | > _And while Alzabarah's job entailed maintaining systems to keep
       | Twitter working properly, his position at the company did allow
       | him access to the private information of many users, including
       | their phone numbers, email addresses, and IP addresses. That
       | meant that in some instances, Alzabarah could not only help
       | unmask an anonymous regime critic, but also pinpoint the person's
       | location._
        
         | save_ferris wrote:
         | > where anyone with enough money can buy their way in to obtain
         | that PII, track you down, and maybe cut you up with a bone saw.
         | 
         | TBF, I think that the vast majority of companies out there are
         | vulnerable to this. I've worked for 8 tech companies in my
         | career, none of which did anything beyond a basic background
         | check.
         | 
         | Truly mitigating the problem you're touching on requires a
         | level of vetting and surveillance that you'd typically see
         | applied to intelligence operatives. I think this is similar to
         | how we view infosec generally: those with sufficient resources
         | will be able to penetrate a network, regardless of the design
         | or execution of network security.
        
           | johnyzee wrote:
            | This is letting Twitter off the hook. It is not impossible to
            | restrict users' personal information, even within a company,
            | to a very limited set of people who actually need it, with
            | audits on when and how they are accessing it, and periodic
            | reviews of everyone's access levels. Mature organizations
            | follow specific standards for this kind of stuff. For a
            | company like Twitter, where the privacy of this information
            | literally can mean life or death, it is unforgivable to not
            | have a better grip on it (cue some non-technical regional
            | bizdev guy having deep access, as per the article).
        
         | akira2501 wrote:
         | > while running such a loose ship
         | 
         | Which would be bad enough if it was just a few rogue engineers
         | without oversight, but that they actively fought against the
         | FBI's efforts is galling.
        
       | upofadown wrote:
       | The larger the organization, the more likely that it will leak
       | information...
        
       | mastazi wrote:
       | In 2019 there was a massive exodus of Saudi dissidents from
       | Twitter to Parler. I wonder if those people had some intuition of
       | what was going on behind the scenes at Twitter
       | https://www.thedailybeast.com/about-200000-saudi-arabian-use...
        
         | koheripbal wrote:
         | I'm surprised it took that long when news of Saudi $300MM
         | investment in Twitter came out in 2015.
         | 
         | If someone gives you $300MM, you don't say No to them. Indeed,
         | you've likely already said yes.
        
         | cscurmudgeon wrote:
         | The big news here is that this could still be happening at
         | Twitter (or other places).
        
       | mabbo wrote:
       | This highlights more than ever that whatever customer data your
       | employees have access to, you need to log every single access to
        | it, and have automatic audits: who should be accessing what? What
       | accesses are surprising?
       | 
        | Seems like something one could build a SaaS business around: send
       | them reports that <user> accessed <fields> about <customer ID> on
       | <date>, along with a copy of attributes and roles about each
       | user. Service could offer deep dives, querying, reporting, along
       | with ML or rule-based flagging to say "That seems odd".
       | 
       | If Twitter can't build the infrastructure needed to do that, I
       | can't imagine how few small companies can do it themselves
       | either.
        
         | evgen wrote:
         | For quite a long time (and probably still today but I have no
         | idea) there was at least as much monitoring and security
         | infrastructure built around watching and auditing what Facebook
         | employees did to data as there was around what third-parties
         | might be trying to do to Facebook infra and corp networks.
        
         | dathinab wrote:
          | It already exists as part of the process mining + monitoring
          | box.
          | 
          | This kind of system is already used both to optimize business
          | processes and to conformance-check them by organizations like
          | banks and hospitals.
          | 
          | Though tools are currently focused mainly on the use case of
          | process optimization and regulation conformance checking, less
          | so on irregularity detection, tools like that exist too. I
          | seem to remember SAP has some form of self-
          | learning/calibrating irregularity detection "service"/tool.
          | 
          | So it's less about creating it than about spending money on it
          | and analysing your internal threat model from scratch.
          | 
          | It's quite expensive; some of this software is sold for high
          | 5-digit numbers even for "small" use-cases.
        
           | mabbo wrote:
           | > It's quite expensive, some of this software is sold for
           | higher 5 digit numbers even for "small" use-cases.
           | 
           | "Your margin is my opportunity" - Jeff Bezos
           | 
           | A simple version of this could be done cheaply, and not cost
           | much. API to push events, website to host reports, pay-for-
           | use add-ons for alerts, etc.
        
             | tmpz22 wrote:
              | You're misidentifying the real problem, which is not in the
              | software itself. The real problem is that data needs to be
              | accessed by marketing, analytics, sales, executive, HR, and
              | other parts of the company all the time. It's a human
              | problem managing the impedance of data access blocks... and
              | guess what, at most companies the block is seen as a
              | significant cost far greater than the "cost" of PII
              | violations, leaks, or hacks...
              | 
              | But go ahead and find a random group of 3 ex-Googlers with
              | no domain experience to raise ~$2MM and chase it anyway.
              | Then when you burn through the money you can go back to
              | your FAANG job with a nice raise.
        
             | toomuchtodo wrote:
             | Bolting tools on to an org doesn't fix its culture.
        
         | kbash9 wrote:
          | Yes, full role-based access control and auditability is key.
          | This also highlights the need for data masking built into these
          | DB systems. If data is gold, you need vaults to protect it.
        
         | kitteh wrote:
          | Telcos have this level of monitoring of accounts because
          | employees routinely would abuse this access to find details of
          | exes, family members, friends and celebrities (billing info,
          | call detail records, etc.). The problem was there was no
          | proactive monitoring - it was all reaction-based, upon
          | complaints that would kick off the investigation. I asked why
          | this wasn't automatic to detect clear abuse and the answer was
          | "do you know how many people we'd have to fire if we went
          | looking for abuse?".
        
           | 3pt14159 wrote:
           | I know for a fact that The Canadian Revenue Agency has this
           | type of system in place and it isn't reactive to a complaint.
           | It's proactive. If you try to pull up, say, Wayne Gretzky's
           | tax information the system is able to detect whether or not
           | you have a likely need for the information. If not, you're
           | temporarily denied access until your access is evaluated by
           | humans that are capable of asking why you need access. "For
           | funsies" is not an acceptable response.
        
           | mabbo wrote:
           | > "do you know how many people we'd have to fire if we went
           | looking for abuse?"
           | 
           | I think they make the mistake of presuming this has to go up
           | to 11 on day 1.
           | 
           | Tell the employees you're going to be proactively auditing.
           | Choose a threshold. Interview and potentially fire those
           | employees going over the threshold. Do this until you're done
           | firing people, then increase the threshold and repeat. You
           | will have to fire people, or threaten to, but employees will
           | get the message that the PII-party is over.
        
             | kitteh wrote:
             | The challenge was that depending on the role, the union was
             | involved. When that came into the picture there was a long,
             | dragged out grievance process where someone would have to
             | violate the policy x amount of times in y months before
             | they'd be terminated. It was not unusual from what I've
             | seen for folks to abuse this for years.
             | 
              | To be honest tho - this is the contract that both the
              | company and union agreed to, so bad on the company for
              | being okay with it and not making this a more serious
              | infraction. I've talked to some of the union stewards about
              | this and they basically said they wanted this data locked
              | down harder. They said it's too easy to access and super
              | tempting and wished the company would put more protection
              | around it. Go figure.
        
           | Red_Leaves_Flyy wrote:
            | If they're abusing their position they don't deserve to keep
            | their job. The company's complicity makes them party to
            | whatever these staff do. Whether a lawyer can prove that or
            | not depends on the depth of the aggrieved's bank account.
        
             | mc32 wrote:
             | The same problem existed in patient data prior to HIPAA. It
             | still happens, but the unauthorized disclosures have gone
             | down due to automated trips. It used to be your check in
             | clerk could run any reports on whomever they wanted without
             | giving it a second thought.
        
             | ticmasta wrote:
             | So when I worked for the cable company straight out of uni
             | and we would look up famous local people to see what
             | packages they subscribed to, we should have all been fired?
             | I guess technically, but that's pretty draconian. Are you
             | also no mercy, hard on crime, 1-strike and you're out
             | person, or more progressive in that area?
        
               | dboreham wrote:
               | > we should have all been fired?
               | 
               | Yes.
        
               | neolog wrote:
               | Would you have done it if you knew you would definitely
               | get caught and be fired immediately?
        
               | CyberDildonics wrote:
               | You should not have been able to do it in the first
               | place.
        
           | Giornito wrote:
            | It has mostly been reactionary because of the cost of being
            | proactive, and because most of the active work would likely be
            | associated with national security, which is often outside the
            | public eye.
        
         | paulpan wrote:
          | My thoughts exactly, though it seems the incident happened a
          | few years ago when the "move fast and break things" mentality
          | was much more acceptable.
          | 
          | I'd be very concerned if there still aren't processes and
          | technical barriers to prevent the majority of employees from
          | accessing user data. IP address, phone number, etc. should
          | require top-level authorization to access - not something an
          | engineer or even marketing/sales person can just look up.
        
         | sneak wrote:
         | I wonder if tokenizing all PII for storage, with a special
         | lookup server accessible only to a small group, would reduce
         | the threat of these kinds of attacks.
         | 
          | Obviously some things like SMS or sending of email need to
          | manipulate this data, but rx/tx of e.g. SMS given a placeholder
          | token could also be similarly siloed, so most technical staff
          | would never have or need access to raw PII like IP, phone, or
          | email.
         | 
         | Unfortunately geolocation for ad targeting and other
         | customization features is still probably going to make a "what
         | country is this user in right now?" possible for most
         | devs/SREs, which is itself a bit of a physical location change
         | traffic leak, but making it near-impossible for most devs or
         | SREs to view untokenized user PII would probably be a huge step
         | in the right direction.
        
         | dylan604 wrote:
         | >Seems like something one could build a SaaS business around-
         | send them reports that <user> accessed <fields> about <customer
         | ID> on <date>, along with a copy of attributes and roles about
         | each user. Service could offer deep dives, querying, reporting,
         | along with ML or rule-based flagging to say "That seems odd".
         | 
         | Wouldn't that just expose user data to an even wider group of
         | people while doing this reporting?
        
           | Xavdidtheshadow wrote:
           | If I'm following the suggestion, then it's just logs which
           | keys were accessed:
           | 
           | "employee id 1234 accessed "email, password hash, location,
           | birthday" about customer id 6789 on 2020-09-01"
           | 
           | nothing particularly sensitive in there, but makes it easy to
           | audit and check for abnormalities.
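Added example (not code from the thread, Twitter, or any vendor): a small auditor that parses access-log lines in the format quoted in this comment and applies the two checks mabbo describes above (does this role need these fields? is this employee touching surprisingly many customers?). The role table, field policy, daily thresholds and log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Log line shape as quoted in the thread:
#   employee id 1234 accessed "email, birthday" about customer id 6789 on 2020-09-01
LOG_RE = re.compile(
    r'employee id (?P<emp>\d+) accessed "(?P<fields>[^"]*)" '
    r'about customer id (?P<cust>\d+) on (?P<date>\d{4}-\d{2}-\d{2})'
)

# Constructed (hypothetical) role assignments and per-role field policy.
EMPLOYEE_ROLES = {"1234": "support", "2222": "site-reliability", "3333": "partnerships"}
ROLE_FIELDS = {
    "support": {"email", "birthday"},
    "site-reliability": set(),      # keeping systems running needs no raw PII fields
    "partnerships": {"email"},
}
# "Choose a threshold": max distinct customers one employee may touch per day.
DAILY_CUSTOMER_LIMIT = {"support": 50, "site-reliability": 0, "partnerships": 5}


@dataclass(frozen=True)
class Access:
    employee: str
    fields: frozenset
    customer: str
    date: str


def parse_line(line):
    """Return an Access for a well-formed log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = frozenset(f.strip() for f in m.group("fields").split(",") if f.strip())
    return Access(m.group("emp"), fields, m.group("cust"), m.group("date"))


def audit(lines):
    """Run both checks over the log; returns a list of finding tuples, in order:
    per-line findings (field-policy / unknown-employee / unparseable) first,
    then per-(employee, day) volume findings."""
    findings = []
    per_day = defaultdict(set)  # (employee, date) -> distinct customers touched
    for line in lines:
        acc = parse_line(line)
        if acc is None:
            findings.append(("unparseable", line))  # a log you cannot parse is a gap
            continue
        role = EMPLOYEE_ROLES.get(acc.employee)
        if role is None:
            findings.append(("unknown-employee", acc.employee, acc.customer, acc.date))
            continue
        disallowed = acc.fields - ROLE_FIELDS[role]
        if disallowed:
            findings.append(("field-policy", acc.employee, acc.customer, acc.date,
                             sorted(disallowed)))
        per_day[(acc.employee, acc.date)].add(acc.customer)
    for (emp, date), customers in sorted(per_day.items()):
        limit = DAILY_CUSTOMER_LIMIT[EMPLOYEE_ROLES[emp]]
        if len(customers) > limit:
            findings.append(("volume", emp, date, len(customers), limit))
    return findings


# Constructed sample log: one clean support lookup, one over-broad support lookup,
# an SRE reading IP/phone, a partnerships employee sweeping six accounts in a day,
# and one line the parser cannot read.
SAMPLE_LOG = [
    'employee id 1234 accessed "email, birthday" about customer id 6789 on 2020-09-01',
    'employee id 1234 accessed "email, password hash, location, birthday" '
    'about customer id 6789 on 2020-09-01',
    'employee id 2222 accessed "ip address, phone" about customer id 4242 on 2020-09-01',
] + [
    f'employee id 3333 accessed "email" about customer id {1000 + i} on 2020-09-02'
    for i in range(1, 7)
] + ["not a log line"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The volume rule deliberately runs only after the whole log is read, so a single employee's day is judged as a whole rather than line by line.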
        
             | dylan604 wrote:
             | Nothing sensitive about what you just described? Seems like
             | with that info you can start making intelligent answers to
             | security questions or possible rainbow table look ups.
        
               | wizzwizz4 wrote:
               | It's the column headings, though.
        
               | dylan604 wrote:
               | Ahhh, I'm a dolt. I read that as variables in your
               | comment rather than that is literally the data that is
               | returned. Thanks for clarifying
        
       | Kednicma wrote:
        | > A millennial himself, [MBS] spent his youth eating fast food,
       | playing Age of Empires and first-person shooter games, and
       | keeping up with friends on the internet, according to people
       | who've known him since childhood.
       | 
       | It's worth remembering that dictators are not inhuman, and they
       | are not so different from us.
       | 
       | > Asaker would pay more than $300,000 to Abouammo, deposited in a
       | Lebanese bank account that Abouammo had a relative open for him.
       | "Proactive and reactively we will delete evil, my brother,"
       | Abouammo texted Asaker just before one deposit of $9,911.
       | 
       | They structured [0] the bribes to avoid SARs; structuring really
       | does happen.
       | 
       | > A third, a Saudi, was "a professional" who used encryption to
       | conceal his identity, though once he signed in without
       | encryption, and Alzabarah was able to track his IP address.
       | 
       | > [Alzabarah] spoke with Asaker on an open phone line and
       | communicated via email.
       | 
       | > So rather than follow the FBI's request to keep things quiet to
       | assist the case, Twitter lawyers brought Alzabarah in the
       | following afternoon, accused him of improperly accessing user
       | accounts, and told him he was temporarily suspended.
       | 
       | Operational security is hard. Just one slip-up can doom the
       | entire scheme, and here we see those slip-ups from everybody;
       | from the folks being targeted by MBS, from MBS's goons, and from
       | Twitter.
       | 
       | [0] https://en.wikipedia.org/wiki/Structuring
        
         | erostrate wrote:
         | > It's worth remembering that dictators are not inhuman, and
         | they are not so different from us.
         | 
         | It's also worth remembering we're talking about someone who
         | assassinates his critics and cuts them up into pieces. I would
         | say the "bone saw" aspect outweighs the "playing AoE" aspect
         | and he is very different from us.
        
           | BeetleB wrote:
           | It's worth remembering that even normal people can do this.
           | 
           | I often hear people say "I cannot imagine X (person I know)
           | can do Y." They have a poor imagination.
        
             | afterburner wrote:
             | A lot of people can't understand just how often people,
             | including their friends, lie; yes even to them! People
             | think they will be able to detect any lie.
             | 
             | People are delusional.
        
           | scandox wrote:
           | The point is that in his situation we don't know how many
           | apparently "normal" people will start sending bone-saws out
           | into the world.
        
             | spaetzleesser wrote:
             | This is super important. A lot of people think that bad
             | guys always behave like monsters and you can easily
             | recognize them. In reality you would probably be positively
             | impressed by a lot of them if you met them and didn't know
             | their background. Hitler was able to convince a lot of
             | smart people to follow him and I have read he was very
             | personable. Bernie Madoff could convince .
             | Trump/Obama/Clinton haters would probably be surprised how
             | nice these people are when meeting in person.
        
             | jl6 wrote:
             | 100% this. It's also important not to dehumanise history's
             | bad guys, because that leads to a culture of complacency
             | whereby people think "it could never happen here, because
             | they were monsters and we are not".
        
               | joecool1029 wrote:
               | >It's also important not to dehumanise history's bad guys
               | 
               | Too late for one group. Go check how much Nazi vampire
               | zombie media exists today.
        
               | croissants wrote:
               | There might be two slightly different definitions of
               | "humanize" at work here. Both of these are from the
               | Cambridge dictionary [1]:
               | 
               | 1) "to make something that is not human seem like a
               | person"
               | 
               | 2) "to make something less unpleasant and more suitable
               | for people"
               | 
               | With dictators, I think we should try to do 1) but not
               | 2).
               | 
                | [1] https://dictionary.cambridge.org/dictionary/english/humanize
        
             | vkou wrote:
             | Normal people don't personally send bone-saws out into the
             | world, but look at the rhetoric surrounding the recent
             | protests in the US and Hong Kong. Plenty of normal people
             | (many mainlanders, many persons of a particular political
             | party affiliation) are cheer-leading the rabble to get
             | dispersed with the maximum possible application of force -
             | and most of them don't even have _any_ stake in either the
             | issue being protested, or the impact of the protests
             | themselves!
             | 
             | And assuming the police are normal people too, they are all
             | too happy to carry this out.
             | 
             | Normal people are quite happy to endorse or inflict
             | violence against the enemy. Most of us just aren't in a
             | position of power to do anything about it, though, other
             | than post on Facebook, and write angry letters to the
             | editor.
             | 
             | But give that normal person power over other people and
             | freedom from consequences... And, well, you get something
             | quite repulsive.
        
             | erostrate wrote:
             | The idea that morality is a function of situation more than
             | character is called "situationism" in philosophy, I just
             | looked it up, see [1][2]. Experimental psychology does find
             | that character is fairly weak in most people and that under
             | external pressure people will often behave inhumanely
             | (Stanford prison experiment, Milgram obedience experiment,
             | etc).
             | 
             | I still believe it is important to not be overly cynical.
             | My mental model is that most people are neutral or good. It
             | might be proved wrong say 5% of the time, when people are
             | indeed put in MBS-like position. But the vast majority of
             | the time it will be correct, and it will be much more
             | useful than the cynical model where your normal friends are
             | potential murderers that just lack opportunity. A more
             | correct mental model is not always more useful.
             | 
             | [1] https://en.wikipedia.org/wiki/Situationism_(psychology)
              | [2] https://plato.stanford.edu/entries/moral-character/#MorChaEm...
        
               | Kednicma wrote:
               | My mental model is that humans are pieces of shit, each
               | and every last one. There is no such thing as a good
               | human.
               | 
               | By insisting that MBS is some sort of specially evil
               | person, I feel that you are devaluing the importance of
               | genuine ethical consideration. I do not disagree with
               | your specific points about his misbehaviour, but I want
               | to emphasize that it is the throne and crown which
               | empower him to do so much harm, and not any sort of
               | blackened and hateful heart.
        
           | Causality1 wrote:
           | Indeed. It's easy to forget that very different behavioral
           | rulesets can create similar conduct in some situations but
           | radically different conduct in others. For example, your dog
           | doesn't operate on the same moral code you do. It may love
           | you, enjoy seeing you, would never harm a hair on your head,
           | and enjoys all the same activities as you. It might also
           | catch a squirrel, slowly pull all its limbs off, and spend
           | the afternoon frolicking with its corpse. Don't mistake
           | someone sometimes acting like you for someone who thinks like
           | you.
        
         | iaw wrote:
         | There are two failings here:
         | 
         | 1) Twitter immediately revealing to the employee that they were
         | under investigation
         | 
         | 2) The FBI not considering #1 and being prepared to detain
         | Alzabarah if he attempted to flee.
         | 
          | I'm not surprised by Twitter but a little disappointed in the
          | FBI.
        
           | awinder wrote:
           | I get the impression that Twitter has become a much smarter
           | organization through really painful growing pains like this.
            | I still wonder how I would play it if I became knowledgeable.
           | How long does this go on, do you just keep moving the person
           | along on their career ladder? It seems like you'd need help
           | from the FBI in how to maintain the charade if it were to go
           | on for too long. But fascinating, I'm sure it comes up.
        
         | liability wrote:
         | Prisons are full of murderers who've also done ordinary things
         | like play video games. This isn't novel and shouldn't impress
         | you.
        
       | nlh wrote:
       | Great story and a great read! I googled the characters
       | afterwards, and there are some interesting addendums & updates:
       | 
       | Looks like Ahmad Abouammo (Twitter's former head of Middle East
       | partnerships) was arrested in Seattle in Nov 2019, but Ali
       | Alzabarah's escape to Saudi Arabia was successful (at least in
       | terms of being arrested by the US government):
       | 
       | https://www.justice.gov/opa/pr/two-former-twitter-employees-...
       | 
       | BUT, as of a month ago, a filing was made to drop the charges
       | (?!):
       | 
       | https://www.theverge.com/2020/7/28/21345794/twitter-employee...
       | 
       | Fascinating case...
        
       | ticmasta wrote:
        | If he played Age of Empires as religiously as I did, he should
        | have realized nothing beats the longbows of the Britons...
        
       | liability wrote:
       | Why hasn't Twitter banned Mohammed bin Salman from their website
       | yet? Surely he has violated their terms of use many times at this
       | point. Do Twitter's rules not apply to him because he's insanely
       | rich?
        
         | mixologic wrote:
         | Do rules apply to anybody who is insanely rich anymore?
        
         | koheripbal wrote:
         | Saudi Arabia is a major Twitter shareholder.
        
       | jimbob45 wrote:
       | I don't like this article because it omits some crucial details
       | that could lead readers down a specific path of thinking.
       | 
       | It's unclear if the inside men, Alzabarah or Abouammo, are living
       | on H-1Bs, full American citizens, or are in the process of
       | immigrating. Depending on the answer to that question, Twitter
       | may need to block the employment of immigrants or citizens to
       | stop this sort of industrial sabotage in the future. Otherwise,
       | every country will try to have their own inside man and Twitter
       | will be forced to overdedicate resources to countering them.
       | 
       | If they'd made his citizenship status clear, the solution would
       | be far clearer to readers.
        
         | komali2 wrote:
         | > Depending on the answer to that question, Twitter may need to
         | block the employment of immigrants or citizens to stop this
         | sort of industrial sabotage in the future.
         | 
         | Seems to be a bad test. American citizens left to join ISIS,
         | American citizens have formed cults, American citizens have
         | mailed bombs to people. If a Saudi Arabian prince plopped a
         | Hublot into some random kid's hands and said "give me an
         | email," do you think their patriotism would prevent it? I don't
         | think so, actually, didn't the recent crypto scam involve 2
         | Americans?
         | 
         | What you're suggesting sounds like some kind of throwing out
         | the baby with the bathwater, but even more nonsensical.
         | 
         | I think a better conclusion is that companies should architect
         | with the assumption that there's a mole, not engage in some
         | kind of border-control nationalist purge.
        
           | 8note wrote:
            | That's only a bad test if American citizens should be trusted
            | as hires? I think what he was saying is that Twitter should
            | avoid Americans and hire H-1Bs.
            | 
            | That way the American government has done some trustworthy
            | checks for you.
        
         | _jal wrote:
         | In what way is passport color a reliable predictor of
         | trustworthiness?
        
           | jimbob45 wrote:
           | Individuals are more likely to want to commit espionage for
           | another state if they were born in or are a citizen of that
           | state.
        
             | _jal wrote:
             | Individuals are more likely to want to commit espionage
             | when they have money troubles. Why not hire only the
             | already-wealthy?
             | 
             | Individuals are more likely to want to commit espionage
             | when they are tempted with sex. Why not demand evidence of
             | membership in closed religious communities to address that?
        
               | awinder wrote:
               | On the former, that's absolutely a thing with all sorts
               | of levels to it. Base level is that most companies run
               | background checks including a credit pull. Next level is
               | use of elite academic credentialing, i.e., "we only like
               | to hire from ___".
               | 
               | On the latter, because lol that is not going to have the
               | effect you're looking for.
        
               | _jal wrote:
               | On the former, I'm quite aware of that. What I'm not
               | aware of is this sort of loyalty screening for low-level
               | employees, as suggested.
               | 
               | On the latter, you're getting closer to the point I'm
               | making.
        
               | [deleted]
        
         | elygre wrote:
         | This does not feel very important to me. Twitter will need to
         | focus on their process, not their people.
        
         | wefarrell wrote:
         | It says in the article that Abouammo is an Egyptian American,
         | so born in the US.
        
         | mcphage wrote:
         | > If they'd made his citizenship status clear, the solution
         | would be far clearer to readers.
         | 
         | This is a complicated problem. I don't think encouraging
         | readers to imagine that there is a simple solution does anybody
         | any favors.
        
       ___________________________________________________________________
       (page generated 2020-09-01 23:01 UTC)