[HN Gopher] A Saudi prince's attempt to silence critics on Twitter
___________________________________________________________________
A Saudi prince's attempt to silence critics on Twitter
Author : leoschwartz
Score  : 231 points
Date   : 2020-09-01 15:37 UTC (7 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| hellofunk wrote:
| Very thrilling read, and the last paragraph sent chills up
| through my back.
| yboris wrote:
| Last paragraph copy/paste:
|
| "In May 2017, President Donald Trump made his first overseas
| visit, a trip to Riyadh. Not long after his arrival, the
| president toured King Salman's new anti-terrorism center, which
| focused on tracking extremists on Twitter. Afterward, the
| president, his wife, the king, and Abdel-Fattah el-Sisi of
| Egypt gathered around an illuminated orb at the center of the
| room and posed for a photo. Standing just outside the frame was
| the kingdom's new social media specialist, Ali Alzabarah."
| hellofunk wrote:
| Sigh. I wondered if someone would come in here and do that.
| The entire reason I did not paste it myself is because this
| paragraph has a much different effect on the reader after
| they have read the rest of the article and understand the
| backstory.
|
| Edit: Thanks for all the upvotes. I'm glad some in the HN
| crowd appreciate quality over shortcuts and spoilers. (I was
| starting to get discouraged!)
| sneak wrote:
| Meanwhile, if you create a new Twitter account today from a VPN
| and follow 30 people, it will lock you out until you verify a
| non-VoIP phone number.
|
| Removing the number instantly re-locks the account.
|
| It's really immoral that they demand identity-linked PII while
| running such a loose ship, where anyone with enough money can buy
| their way in to obtain that PII, track you down, and maybe cut
| you up with a bone saw.
|
| Twitter is complicit in this abuse, considering their explicit
| technical steps taken to ensure that you _cannot use Twitter_
| without exposing yourself to these sorts of criminals in the
| governments of foreign countries, as well as similar ones in the
| government of Twitter's own jurisdiction.
|
| > _And while Alzabarah's job entailed maintaining systems to keep
| Twitter working properly, his position at the company did allow
| him access to the private information of many users, including
| their phone numbers, email addresses, and IP addresses. That
| meant that in some instances, Alzabarah could not only help
| unmask an anonymous regime critic, but also pinpoint the person's
| location._
| save_ferris wrote:
| > where anyone with enough money can buy their way in to obtain
| that PII, track you down, and maybe cut you up with a bone saw.
|
| TBF, I think that the vast majority of companies out there are
| vulnerable to this. I've worked for 8 tech companies in my
| career, none of which did anything beyond a basic background
| check.
|
| Truly mitigating the problem you're touching on requires a
| level of vetting and surveillance that you'd typically see
| applied to intelligence operatives. I think this is similar to
| how we view infosec generally: those with sufficient resources
| will be able to penetrate a network, regardless of the design
| or execution of network security.
| johnyzee wrote:
| This is letting Twitter off the hook. It is not impossible to
| protect users' personal information, even within a company, to
| a very limited set of people who actually need it, with
| audits on when and how they are accessing it, and periodic
| reviews of everyone's access levels. Mature organizations
| follow specific standards for this kind of stuff.
| For a company like Twitter, where the privacy of this information
| literally can mean life or death, it is unforgivable to not
| have a better grip on it (cue some non-technical regional
| bizdev guy having deep access, as per the article).
| akira2501 wrote:
| > while running such a loose ship
|
| Which would be bad enough if it was just a few rogue engineers
| without oversight, but that they actively fought against the
| FBI's efforts is galling.
| upofadown wrote:
| The larger the organization, the more likely that it will leak
| information...
| mastazi wrote:
| In 2019 there was a massive exodus of Saudi dissidents from
| Twitter to Parler. I wonder if those people had some intuition of
| what was going on behind the scenes at Twitter
| https://www.thedailybeast.com/about-200000-saudi-arabian-use...
| koheripbal wrote:
| I'm surprised it took that long when news of Saudi $300MM
| investment in Twitter came out in 2015.
|
| If someone gives you $300MM, you don't say No to them. Indeed,
| you've likely already said yes.
| cscurmudgeon wrote:
| The big news here is that this could still be happening at
| Twitter (or other places).
| mabbo wrote:
| This highlights more than ever that whatever customer data your
| employees have access to, you need to log every single access to
| it, and have automatic audits- who should be accessing what? What
| accesses are surprising?
|
| Seems like something one could build a SaaS business around- send
| them reports that <user> accessed <fields> about <customer ID> on
| <date>, along with a copy of attributes and roles about each
| user. Service could offer deep dives, querying, reporting, along
| with ML or rule-based flagging to say "That seems odd".
|
| If Twitter can't build the infrastructure needed to do that, I
| can't imagine how few small companies can do it themselves
| either.
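The access-audit approach mabbo sketches (log which employee read which fields of which customer on which date, then flag the surprising reads) as an added Python example; this is not Twitter's tooling or code from anyone in the thread, and the roles, field allowlist, daily limits, watchlist and log records are all constructed for illustration:

```python
"""Rule-based flagging of PII access-log records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical least-privilege policy: the fields each role may read without
# an attached ticket. Phone and IP address are reserved: no role may read them
# unless the access record carries a ticket reference.
ROLE_FIELDS = {
    "support": {"email", "display_name", "created_at"},
    "marketing": {"country", "created_at"},
    "sre": {"created_at"},
}
RESERVED_FIELDS = {"phone", "ip_address"}
# Per-role ceiling on distinct customers an employee may look up per day.
DAILY_CUSTOMER_LIMIT = {"support": 40, "marketing": 5, "sre": 5}
# Customer ids whose records always require a ticket (constructed value).
WATCHLIST = {"6789"}


@dataclass(frozen=True)
class Access:
    employee: str
    role: str
    customer: str
    fields: frozenset
    date: str
    ticket: str  # empty when no ticket was attached


def parse_line(line: str) -> Access:
    """Record shape: employee|role|customer|field1,field2|YYYY-MM-DD|ticket."""
    emp, role, cust, fields, date, ticket = line.strip().split("|")
    return Access(emp, role, cust, frozenset(fields.split(",")), date, ticket)


def flag_accesses(log_text: str):
    """Return (employee, rule, detail) findings for every rule an access trips."""
    findings = []
    per_day = defaultdict(set)  # (employee, role, date) -> distinct customers
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        a = parse_line(raw)
        per_day[(a.employee, a.role, a.date)].add(a.customer)
        # Rule 1: a field outside the role's allowlist. Reserved fields are
        # tolerated only when a ticket is attached; anything else is flagged.
        over = a.fields - ROLE_FIELDS.get(a.role, set())
        if over and not (a.ticket and over <= RESERVED_FIELDS):
            findings.append((a.employee, "field_not_permitted", ",".join(sorted(over))))
        # Rule 2: a watchlisted customer read without a ticket.
        if a.customer in WATCHLIST and not a.ticket:
            findings.append((a.employee, "watchlist_no_ticket", a.customer))
    # Rule 3: volume anomaly, evaluated once the whole day's records are in.
    for (emp, role, date), customers in per_day.items():
        limit = DAILY_CUSTOMER_LIMIT.get(role, 0)
        if len(customers) > limit:
            findings.append((emp, "daily_volume",
                             f"{len(customers)} customers on {date} (limit {limit})"))
    return findings


# Constructed sample log: one support agent, one marketer, one SRE.
SAMPLE_LOG = """\
e1234|support|6789|email,display_name|2020-09-01|
e1234|support|1001|email|2020-09-01|
e2001|marketing|1002|country|2020-09-01|
e2001|marketing|1003|ip_address,phone|2020-09-01|
e3100|sre|1004|ip_address|2020-09-01|T-4471
e3100|sre|1005|ip_address|2020-09-01|
e3100|sre|1006|ip_address|2020-09-01|
e3100|sre|1007|ip_address|2020-09-01|
e3100|sre|1008|ip_address|2020-09-01|
e3100|sre|1009|ip_address|2020-09-01|
"""

if __name__ == "__main__":
    for employee, rule, detail in flag_accesses(SAMPLE_LOG):
        print(f"{employee}\t{rule}\t{detail}")
```

The log carries only column names and ids, never the field values themselves, so the audit trail itself adds no new PII exposure.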
| evgen wrote:
| For quite a long time (and probably still today but I have no
| idea) there was at least as much monitoring and security
| infrastructure built around watching and auditing what Facebook
| employees did to data as there was around what third-parties
| might be trying to do to Facebook infra and corp networks.
| dathinab wrote:
| It already exists as part of the process mining + monitoring
| box.
|
| This kind of system is already used to both optimize business
| processes and conformance-check them by organizations like
| banks and hospitals.
|
| Though tools are currently focused mainly on the use case for
| process optimization and regulation conformance checking, less
| so for irregularity detection, tools like that exist too. I
| seem to remember SAP has some form of self
| learning/calibrating irregularity detection "service"/tool.
|
| So it's less about creating it than about spending money on it
| and analysing your internal threat model from scratch.
|
| It's quite expensive, some of this software is sold for higher
| 5 digit numbers even for "small" use-cases.
| mabbo wrote:
| > It's quite expensive, some of this software is sold for
| higher 5 digit numbers even for "small" use-cases.
|
| "Your margin is my opportunity" - Jeff Bezos
|
| A simple version of this could be done cheaply, and not cost
| much. API to push events, website to host reports, pay-for-use
| add-ons for alerts, etc.
| tmpz22 wrote:
| You're misidentifying the real problem which is not in the
| software itself. The real problem is that data needs to be
| accessed by marketing, analytics, sales, executive, HR, and
| other parts of the company all the time. It's a human
| problem managing the impedance of data access blocks... and
| guess what at most companies the block is seen as a
| significant cost far greater than the "cost" of PII
| violations, leaks, or hacks...
|
| But go ahead and find a random group of 3 ex-googlers with
| no domain experience to raise ~$2MM and chase it anyways.
| Then when you burn through the money you can go back to
| your FAANG job with a nice raise.
| toomuchtodo wrote:
| Bolting tools on to an org doesn't fix its culture.
| kbash9 wrote:
| Yes, full role-based access control and auditability is key. This
| also highlights the need for data masking built into these DB
| systems. If data is gold, you need vaults to protect it.
| kitteh wrote:
| Telcos have this level of monitoring of accounts because
| employees routinely would abuse this access to find details of
| exes, family members, friends and celebrities (billing info,
| call detail records, etc.). The problem was there was no
| proactive monitoring - it was all reaction based upon
| complaints that would kick off the investigation. I asked why
| this wasn't automatic to detect clear abuse and the answer was
| "do you know how many people we'd have to fire if we went
| looking for abuse?".
| 3pt14159 wrote:
| I know for a fact that The Canadian Revenue Agency has this
| type of system in place and it isn't reactive to a complaint.
| It's proactive. If you try to pull up, say, Wayne Gretzky's
| tax information the system is able to detect whether or not
| you have a likely need for the information. If not, you're
| temporarily denied access until your access is evaluated by
| humans that are capable of asking why you need access. "For
| funsies" is not an acceptable response.
| mabbo wrote:
| > "do you know how many people we'd have to fire if we went
| looking for abuse?"
|
| I think they make the mistake of presuming this has to go up
| to 11 on day 1.
|
| Tell the employees you're going to be proactively auditing.
| Choose a threshold. Interview and potentially fire those
| employees going over the threshold. Do this until you're done
| firing people, then increase the threshold and repeat.
| You will have to fire people, or threaten to, but employees will
| get the message that the PII-party is over.
| kitteh wrote:
| The challenge was that depending on the role, the union was
| involved. When that came into the picture there was a long,
| dragged out grievance process where someone would have to
| violate the policy x amount of times in y months before
| they'd be terminated. It was not unusual from what I've
| seen for folks to abuse this for years.
|
| To be honest tho - this is the contract that both the
| company and union agreed to, so bad on the company for
| being okay and not making this a more serious infraction.
| I've talked to some of the union stewards about this and
| they basically said they wanted this data locked down
| harder. They said it's too easy to access and super tempting
| and wished the company would put more protection around it.
| Go figure.
| Red_Leaves_Flyy wrote:
| If they're abusing their position they don't deserve to keep
| their job. The company's complicity makes them party to
| whatever these staff do. Whether a lawyer can prove that or
| not depends on the depth of the aggrieved's bank account.
| mc32 wrote:
| The same problem existed in patient data prior to HIPAA. It
| still happens, but the unauthorized disclosures have gone
| down due to automated trips. It used to be your check in
| clerk could run any reports on whomever they wanted without
| giving it a second thought.
| ticmasta wrote:
| So when I worked for the cable company straight out of uni
| and we would look up famous local people to see what
| packages they subscribed to, we should have all been fired?
| I guess technically, but that's pretty draconian. Are you
| also no mercy, hard on crime, 1-strike and you're out
| person, or more progressive in that area?
| dboreham wrote:
| > we should have all been fired?
|
| Yes.
| neolog wrote:
| Would you have done it if you knew you would definitely
| get caught and be fired immediately?
| CyberDildonics wrote:
| You should not have been able to do it in the first
| place.
| Giornito wrote:
| It has mostly been reactionary because of the cost of being
| proactive and that most of the active work would likely be
| associated with national security, which is often outside the
| public eye.
| paulpan wrote:
| My thoughts exactly, though it seems the incident happened a
| few years ago when the "move fast and break things" mentality
| was much more acceptable.
|
| I'd be very concerned if there still aren't processes and
| technical barriers to prevent the majority of employees from
| accessing user data. IP address, phone number, etc. should
| require top-level authorization to access - not something an
| engineer or even marketing/sales person can just look up.
| sneak wrote:
| I wonder if tokenizing all PII for storage, with a special
| lookup server accessible only to a small group, would reduce
| the threat of these kinds of attacks.
|
| Obviously some things like SMS or sending of email need to
| manipulate this data, but rx/tx of eg sms given a placeholder
| token could also be similarly siloed, so most technical staff
| would never have or need access to raw PII like IP, phone, or
| email.
|
| Unfortunately geolocation for ad targeting and other
| customization features is still probably going to make a "what
| country is this user in right now?" possible for most
| devs/SREs, which is itself a bit of a physical location change
| traffic leak, but making it near-impossible for most devs or
| SREs to view untokenized user PII would probably be a huge step
| in the right direction.
| dylan604 wrote:
| >Seems like something one could build a SaaS business around-
| send them reports that <user> accessed <fields> about <customer
| ID> on <date>, along with a copy of attributes and roles about
| each user. Service could offer deep dives, querying, reporting,
| along with ML or rule-based flagging to say "That seems odd".
|
| Wouldn't that just expose user data to an even wider group of
| people while doing this reporting?
| Xavdidtheshadow wrote:
| If I'm following the suggestion, then it's just logs which
| keys were accessed:
|
| "employee id 1234 accessed "email, password hash, location,
| birthday" about customer id 6789 on 2020-09-01"
|
| nothing particularly sensitive in there, but makes it easy to
| audit and check for abnormalities.
| dylan604 wrote:
| Nothing sensitive about what you just described? Seems like
| with that info you can start making intelligent answers to
| security questions or possible rainbow table look ups.
| wizzwizz4 wrote:
| It's the column headings, though.
| dylan604 wrote:
| Ahhh, I'm a dolt. I read that as variables in your
| comment rather than that is literally the data that is
| returned. Thanks for clarifying
| Kednicma wrote:
| > A millennial himself, [MBS] spent his youth eating fast food,
| playing Age of Empires and first-person shooter games, and
| keeping up with friends on the internet, according to people
| who've known him since childhood.
|
| It's worth remembering that dictators are not inhuman, and they
| are not so different from us.
|
| > Asaker would pay more than $300,000 to Abouammo, deposited in a
| Lebanese bank account that Abouammo had a relative open for him.
| "Proactive and reactively we will delete evil, my brother,"
| Abouammo texted Asaker just before one deposit of $9,911.
|
| They structured [0] the bribes to avoid SARs; structuring really
| does happen.
|
| > A third, a Saudi, was "a professional" who used encryption to
| conceal his identity, though once he signed in without
| encryption, and Alzabarah was able to track his IP address.
|
| > [Alzabarah] spoke with Asaker on an open phone line and
| communicated via email.
|
| > So rather than follow the FBI's request to keep things quiet to
| assist the case, Twitter lawyers brought Alzabarah in the
| following afternoon, accused him of improperly accessing user
| accounts, and told him he was temporarily suspended.
|
| Operational security is hard. Just one slip-up can doom the
| entire scheme, and here we see those slip-ups from everybody:
| from the folks being targeted by MBS, from MBS's goons, and from
| Twitter.
|
| [0] https://en.wikipedia.org/wiki/Structuring
| erostrate wrote:
| > It's worth remembering that dictators are not inhuman, and
| they are not so different from us.
|
| It's also worth remembering we're talking about someone who
| assassinates his critics and cuts them up into pieces. I would
| say the "bone saw" aspect outweighs the "playing AoE" aspect
| and he is very different from us.
| BeetleB wrote:
| It's worth remembering that even normal people can do this.
|
| I often hear people say "I cannot imagine X (person I know)
| can do Y." They have a poor imagination.
| afterburner wrote:
| A lot of people can't understand just how often people,
| including their friends, lie; yes even to them! People
| think they will be able to detect any lie.
|
| People are delusional.
| scandox wrote:
| The point is that in his situation we don't know how many
| apparently "normal" people will start sending bone-saws out
| into the world.
| spaetzleesser wrote:
| This is super important. A lot of people think that bad
| guys always behave like monsters and you can easily
| recognize them. In reality you would probably be positively
| impressed by a lot of them if you met them and didn't know
| their background. Hitler was able to convince a lot of
| smart people to follow him and I have read he was very
| personable. Bernie Madoff could convince .
| Trump/Obama/Clinton haters would probably be surprised how
| nice these people are when meeting in person.
| jl6 wrote:
| 100% this.
| It's also important not to dehumanise history's
| bad guys, because that leads to a culture of complacency
| whereby people think "it could never happen here, because
| they were monsters and we are not".
| joecool1029 wrote:
| >It's also important not to dehumanise history's bad guys
|
| Too late for one group. Go check how much Nazi vampire
| zombie media exists today.
| croissants wrote:
| There might be two slightly different definitions of
| "humanize" at work here. Both of these are from the
| Cambridge dictionary [1]:
|
| 1) "to make something that is not human seem like a
| person"
|
| 2) "to make something less unpleasant and more suitable
| for people"
|
| With dictators, I think we should try to do 1) but not
| 2).
|
| [1] https://dictionary.cambridge.org/dictionary/english/humanize
| vkou wrote:
| Normal people don't personally send bone-saws out into the
| world, but look at the rhetoric surrounding the recent
| protests in the US and Hong Kong. Plenty of normal people
| (many mainlanders, many persons of a particular political
| party affiliation) are cheer-leading the rabble to get
| dispersed with the maximum possible application of force -
| and most of them don't even have _any_ stake in either the
| issue being protested, or the impact of the protests
| themselves!
|
| And assuming the police are normal people too, they are all
| too happy to carry this out.
|
| Normal people are quite happy to endorse or inflict
| violence against the enemy. Most of us just aren't in a
| position of power to do anything about it, though, other
| than post on Facebook, and write angry letters to the
| editor.
|
| But give that normal person power over other people and
| freedom from consequences... And, well, you get something
| quite repulsive.
| erostrate wrote:
| The idea that morality is a function of situation more than
| character is called "situationism" in philosophy, I just
| looked it up, see [1][2].
| Experimental psychology does find
| that character is fairly weak in most people and that under
| external pressure people will often behave inhumanely
| (Stanford prison experiment, Milgram obedience experiment,
| etc).
|
| I still believe it is important to not be overly cynical.
| My mental model is that most people are neutral or good. It
| might be proved wrong say 5% of the time, when people are
| indeed put in an MBS-like position. But the vast majority of
| the time it will be correct, and it will be much more
| useful than the cynical model where your normal friends are
| potential murderers that just lack opportunity. A more
| correct mental model is not always more useful.
|
| [1] https://en.wikipedia.org/wiki/Situationism_(psychology)
| [2] https://plato.stanford.edu/entries/moral-character/#MorChaEm...
| Kednicma wrote:
| My mental model is that humans are pieces of shit, each
| and every last one. There is no such thing as a good
| human.
|
| By insisting that MBS is some sort of specially evil
| person, I feel that you are devaluing the importance of
| genuine ethical consideration. I do not disagree with
| your specific points about his misbehaviour, but I want
| to emphasize that it is the throne and crown which
| empower him to do so much harm, and not any sort of
| blackened and hateful heart.
| Causality1 wrote:
| Indeed. It's easy to forget that very different behavioral
| rulesets can create similar conduct in some situations but
| radically different conduct in others. For example, your dog
| doesn't operate on the same moral code you do. It may love
| you, enjoy seeing you, would never harm a hair on your head,
| and enjoys all the same activities as you. It might also
| catch a squirrel, slowly pull all its limbs off, and spend
| the afternoon frolicking with its corpse. Don't mistake
| someone sometimes acting like you for someone who thinks like
| you.
| iaw wrote:
| There are two failings here:
|
| 1) Twitter immediately revealing to the employee that they were
| under investigation
|
| 2) The FBI not considering #1 and being prepared to detain
| Alzabarah if he attempted to flee.
|
| I'm not surprised by Twitter but a little disappointed in the
| FBI.
| awinder wrote:
| I get the impression that Twitter has become a much smarter
| organization through really painful growing pains like this.
| I still wonder how I would play it if I became knowledgeable.
| How long does this go on, do you just keep moving the person
| along on their career ladder? It seems like you'd need help
| from the FBI in how to maintain the charade if it were to go
| on for too long. But fascinating, I'm sure it comes up.
| liability wrote:
| Prisons are full of murderers who've also done ordinary things
| like play video games. This isn't novel and shouldn't impress
| you.
| nlh wrote:
| Great story and a great read! I googled the characters
| afterwards, and there are some interesting addendums & updates:
|
| Looks like Ahmad Abouammo (Twitter's former head of Middle East
| partnerships) was arrested in Seattle in Nov 2019, but Ali
| Alzabarah's escape to Saudi Arabia was successful (at least in
| terms of being arrested by the US government):
|
| https://www.justice.gov/opa/pr/two-former-twitter-employees-...
|
| BUT, as of a month ago, a filing was made to drop the charges
| (?!):
|
| https://www.theverge.com/2020/7/28/21345794/twitter-employee...
|
| Fascinating case...
| ticmasta wrote:
| if he played Age of Empires as religiously as I did, he should
| have realized nothing beats the long bows of the Britons...
| liability wrote:
| Why hasn't Twitter banned Mohammed bin Salman from their website
| yet? Surely he has violated their terms of use many times at this
| point. Do Twitter's rules not apply to him because he's insanely
| rich?
| mixologic wrote:
| Do rules apply to anybody who is insanely rich anymore?
| koheripbal wrote:
| Saudi Arabia is a major Twitter shareholder.
| jimbob45 wrote:
| I don't like this article because it omits some crucial details
| that could lead readers down a specific path of thinking.
|
| It's unclear if the inside men, Alzabarah or Abouammo, are living
| on H-1Bs, full American citizens, or are in the process of
| immigrating. Depending on the answer to that question, Twitter
| may need to block the employment of immigrants or citizens to
| stop this sort of industrial sabotage in the future. Otherwise,
| every country will try to have their own inside man and Twitter
| will be forced to overdedicate resources to countering them.
|
| If they'd made his citizenship status clear, the solution would
| be far clearer to readers.
| komali2 wrote:
| > Depending on the answer to that question, Twitter may need to
| block the employment of immigrants or citizens to stop this
| sort of industrial sabotage in the future.
|
| Seems to be a bad test. American citizens left to join ISIS,
| American citizens have formed cults, American citizens have
| mailed bombs to people. If a Saudi Arabian prince plopped a
| Hublot into some random kid's hands and said "give me an
| email," do you think their patriotism would prevent it? I don't
| think so, actually, didn't the recent crypto scam involve 2
| Americans?
|
| What you're suggesting sounds like some kind of throwing out
| the baby with the bathwater, but even more nonsensical.
|
| I think a better conclusion is that companies should architect
| with the assumption that there's a mole, not engage in some
| kind of border-control nationalist purge.
| 8note wrote:
| That's only a bad test if American citizens should be trusted
| as hires? I think what he was saying is that Twitter should
| avoid Americans and hire H-1Bs
|
| That way the American government has done some trustworthy
| checks for you
| _jal wrote:
| In what way is passport color a reliable predictor of
| trustworthiness?
| jimbob45 wrote:
| Individuals are more likely to want to commit espionage for
| another state if they were born in or are a citizen of that
| state.
| _jal wrote:
| Individuals are more likely to want to commit espionage
| when they have money troubles. Why not hire only the
| already-wealthy?
|
| Individuals are more likely to want to commit espionage
| when they are tempted with sex. Why not demand evidence of
| membership in closed religious communities to address that?
| awinder wrote:
| On the former, that's absolutely a thing with all sorts
| of levels to it. Base level is that most companies run
| background checks including a credit pull. Next level is
| use of elite academic credentialing, i.e., "we only like
| to hire from ___".
|
| On the latter, because lol that is not going to have the
| effect you're looking for.
| _jal wrote:
| On the former, I'm quite aware of that. What I'm not
| aware of is this sort of loyalty screening for low-level
| employees, as suggested.
|
| On the latter, you're getting closer to the point I'm
| making.
| [deleted]
| elygre wrote:
| This does not feel very important to me. Twitter will need to
| focus on their process, not their people.
| wefarrell wrote:
| It says in the article that Abouammo is an Egyptian American,
| so born in the US.
| mcphage wrote:
| > If they'd made his citizenship status clear, the solution
| would be far clearer to readers.
|
| This is a complicated problem. I don't think encouraging
| readers to imagine that there is a simple solution does anybody
| any favors.
___________________________________________________________________
(page generated 2020-09-01 23:01 UTC)