[HN Gopher] Twitter shakes up its security team
___________________________________________________________________
Twitter shakes up its security team
Author : djrogers
Score : 113 points
Date : 2022-01-21 16:52 UTC (6 hours ago)
(HTM) web link (www.nytimes.com)
(TXT) w3m dump (www.nytimes.com)
| mercy_dude wrote:
| This guy really irks me. For one, since he took over it really
| seems Twitter is heading towards a direction to suit activist
| investor demands. I used to be able to browse Twitter posts of
| people I tend to respect (mainly scientific and academic people)
| without having to login and it is getting increasingly difficult
| without doing so lately as they keep showing me the login screen.
|
| This guy has a toxic history of narcissistic behavior as reported
| in several local Indian social Media and he would only seem to
| suck up to corporate demand and make Twitter more suffocating.
| paxys wrote:
| He took over as CEO a month and a half ago. I really doubt he
| has been able to change the company culture or user experience
| to the extent that people can form opinions on his tenure.
| rrix2 wrote:
| he's been the CTO since 2017
| olliej wrote:
| What are the activist investor issues? (I haven't been paying
| attention to "activist investor" behaviour for a while as so
| many seemed to just be pushing for "make me rich in the short
| term regardless of cost")
| uoaei wrote:
| That definition seems at odds with the core concepts involved
| in the term "activist investor".
| HillRat wrote:
| Traditionally, the "activist" in "activist investor" simply
| means "an investor who is actively pushing for specific
| policies," generally to increase the return on their
| investment.
|
| "Financial activists" like Carl Icahn or Starboard
| frequently take > 5% stakes in order to pressure companies
| to sell themselves to competitors, break themselves apart
| in order to shed lower-performing divisions, funnel cash to
| shareholders through dividends or stock buybacks, or
| reverse policies they see as injurious to the bottom line
|
| CEOs naturally hate this, and activist investors have a
| reputation -- arguably often well-deserved -- for improving
| the profitability of their portfolios at the cost of the
| companies they target. Sometimes this can force companies
| to walk away from suboptimal strategies -- did AOL _really_
| think Patch was going to be a market maker? -- but in many
| cases their activism simply results in the company's
| acquisition, aggressive offshoring or deindustrialization,
| or just straight-up bankruptcy. Icahn, for example, took a
| heavy position in Blockbuster and was instrumental in
| forcing them to reinstate late fees and drop plans to enter
| the streaming market, which left them exceedingly
| vulnerable when Netflix introduced streaming (the dueling
| HBR articles on this are well worth reading).
|
| Over the past few decades "social activist investors" have
| become more common, especially amongst large public sector
| and union pension plans who have both financial
| throw-weight and a need to answer to causes somewhat beyond their
| immediate bottom lines, but in general they are much
| smaller, and less effective, groups than the usual hedge
| fund suspects. For example, an organization of
| decarbonization activists has been trying for years to
| force ExxonMobil to diversify its energy base beyond
| hydrocarbons (as other petrochemical firms have done), but
| they've had notably zero effect on XOM's strategy, despite
| having an argument based on economics as much as ecology.
| vorpalhex wrote:
| An activist investor is someone who buys into a company with
| the intent of reforming or changing it.
|
| Maybe you really hate twitter, so you buy into it for $200
| million and then use your power on the board to vote down
| anything good for twitter and vote for anything that is
| harmful.
|
| Activist investors often don't act in line with financial
| interest, instead focusing on "activism" even if it costs
| money.
| sjtindell wrote:
| Do you have any examples of activist investors who actually
| wanted to do harm to a company? I'm incredulous. What a
| waste of time and money. I usually hear about ones who
| think they can turn it around.
| riskable wrote:
| Here you go: https://www.businessinsider.com/tim-cook-
| versus-a-conservati...
| xibalba wrote:
| This entire comment needs citation, but especially:
|
| > "heading towards a direction to suit activist investor
| demands"
|
| and
|
| > "This guy has a toxic history of narcissistic behavior"
| pram wrote:
| All the popups blocking content and telling you to log in is
| reaching Pinterest levels of hostility. Truly dire.
| nostromo wrote:
| I'm glad that he and I seemingly share the same goals. That is:
| the downfall of Twitter. Firing everyone in sight and deploying
| dark patterns for short-term revenue seem like good first
| steps.
| jgalt212 wrote:
| I agree with both of you. Twitter is so good, and so bad in
| so many ways.
| oneepic wrote:
| I think Twitter started having those "login screen" issues even
| before he took over. Like at least a month or 2 beforehand.
| stefan_ wrote:
| Before the site was just fake-broken. Now it basically
| doesn't work at all; entirely unusable. I use Nitter now but
| that has some issues, unfortunately.
| riffic wrote:
| Around August:
|
| https://www.google.com/search?q=login+wall+site:https://www..
| ..
|
| https://www.google.com/search?q=Twitter+login+wall+site:http.
| ..
| curious_cat_163 wrote:
| > This guy has a toxic history of narcissistic behavior as
| reported in several local Indian social Media...
|
| Don't follow. What does that have to do with anything about the
| original post?
| [deleted]
| slg wrote:
| Remember like a year and half ago when some of the most powerful
| people on the planet had their Twitter accounts hacked in some
| bitcoin scam and then the story just sort of went away without
| any real discussion about how dangerous that could have been if
| the hackers had different motivations (EDIT: there was an implied
| "and how to prevent that in the future" here)?
| jchw wrote:
| Twitter is not even dealing with hacked accounts anymore.
| There's a lot of blatantly hacked accounts that haven't been
| recovered and never will be.
|
| https://twitter.com/terupancake/status/1484555471054946307
| staticassertion wrote:
| Not really. I remember it being a pretty huge deal and everyone
| talking about how it could have been so much worse.
|
| What more did you want?
| ct0 wrote:
| How would we even know if someone has pulled this off again
| with an entirely different motive and hasn't been discovered
| as a hack?
| staticassertion wrote:
| If Twitter knows about it they're legally obligated to
| report it.
| mrguyorama wrote:
| Pretty sure they were implying we never got the _how_ they
| were hacked.
|
| It seemed very unlikely to be credential stuffing or other
| common things. It seemed more like a rogue inside person or
| back office hack.
| aharris6 wrote:
| I think this was answered:
| https://www.wired.com/story/inside-twitter-hack-election-
| pla...
| staticassertion wrote:
| I know how it happened but I don't remember if it's public
| knowledge or not. I'm pretty sure at least some details
| made it out.
| jjulius wrote:
| >Pretty sure they were implying we never got the how they
| were hacked.
|
| >The Twitter incident began when the hackers connected last
| year in an online forum focused on buying and selling rare
| user names, some of the individuals involved told The New
| York Times at that time. They then broke into Twitter's
| systems by tricking employees into providing login
| information, according to legal filings. The hackers used
| an administrative tool to take over accounts belonging to
| political figures and celebrities, including former
| President Barack Obama, Kanye West and Elon Musk, using the
| accounts to conduct a Bitcoin scam, the filings said.
|
| https://www.nytimes.com/2021/07/21/technology/twitter-
| tiktok...
| slg wrote:
| I guess I phrased that poorly. Yes, there was some discussion
| about how it could have been worse. However I wanted that
| discussion to be more than us shrugging our shoulders and
| saying "we dodged a bullet". There was no real discussion
| either about standards in the tech industry or political
| discussions regarding legislative changes in order to prevent
| that worse version from happening in the future. We didn't
| seem to learn anything from it.
| azinman2 wrote:
| What legislative changes could have prevented this or
| something worse in the future? Every security breach is
| different and often nuanced.
| slg wrote:
| I wanted a discussion about it. I'm just a random
| developer who doesn't have the perfect answer. Yet some
| obvious things that might help would be to increase
| penalties for breaches and potentially require more
| stringent security auditing for companies of a certain
| size.
| azinman2 wrote:
| I think the reality is security is really hard, and you
| only need 1 weakness for someone to drive a truck
| through. The biggest weakness time and time again is
| humans, and that's exactly what was attacked here with
| Twitter via social engineering. You can put all the
| penalties you want, but ultimately business needs and
| reality will make it so certain humans have powers that
| are high-up, which then creates unavoidable weaknesses.
| Just look at what happened with Ubiquiti and their head
| of cloud basically blackmailing the company in secret...
| they were attacked from within. How could that have been
| prevented assuming the person passes background checks
| and has years of relevant experience?
|
| Many sectors (finance, health care, etc) have all kinds
| of auditing requirements. I've helped answer some of
| these audits. It's largely just a bunch of checkboxes for
| obvious stuff, and in general, isn't how anyone would
| attack a company that's moderately competent. I've seen
| and fixed security vulnerabilities in startups that no
| one else recognized were there, despite passing all
| these 3rd party audits. I don't know what more could have
| been done without extremely knowledgeable people looking at
| every aspect of your business in absolute depth that in
| part only comes from actually working/building it in the
| first place. Such experts are rare finds, yet the number
| of companies with computers attached is far greater.
|
| I'm not against legislation, and I think good legislation
| would look like taking companies such as Equifax out of
| business. We don't need total incompetence continuing to
| be central to society's function. But we also need to be
| realistic about what can be achieved.
| slg wrote:
| You can never eliminate the possibility of a security
| incident, but there are easy steps that can be made to
| reduce the risk. Clearly Twitter didn't do enough of
| them. For example, they had too many people with too wide
| permissions which increased their surface area for a
| social engineering attack. They didn't have an enhanced
| security policy for highly targeted users such as
| requiring approval from multiple people which would
| reduce the success rate of social engineering attacks.
| They also didn't have the proper monitoring of these high
| permissioned accounts to quickly identify the source of
| the breach and therefore they couldn't easily stop it
| after it began. These might just sound like "checkboxes
| for obvious stuff", but they would have helped if Twitter
| checked those boxes.
| azinman2 wrote:
| What audit has checkboxes for 'do you require approval
| from multiple people for basic profile manipulation of
| highly targeted users?' I've never seen one on any
| security compliance that I was a part of, and the reason
| being is that this is so specific to Twitter and very few
| other companies. Every product will end up being like
| this -- their own domain and product offering will create
| their own checkboxes that simply don't apply to the vast
| majority of other companies.
| slg wrote:
| Regulation that requires signoff from multiple
| individuals is nothing new. The only piece that is unique
| is the "highly targeted users" callout, but that can be
| generalized too. For example, there could be heightened
| requirements for social media accounts based off their
| reach. A million followers, subscribers, fans, patrons,
| or whatever term you use and that account now requires
| heightened security.
|
| But either way, you are getting too bogged down in the
| specifics of my hypotheticals. Like I said originally I
| don't have the answer on the perfect solution, but the
| fact that we didn't use this incident as motivation to
| have a discussion about potential solutions is
| disappointing. Can you at least agree with that?
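The three controls slg argues for above (narrower permissions for support staff, approval from multiple people before touching a high-reach account, and monitoring of privileged actions so a burst of takeovers is noticed quickly) can be shown in a small admin-tool model. The following is an added Python example written for this thread; it is not Twitter's code and not a description of Twitter's internal tools. The follower threshold, the two-approver rule, the role names, the sample accounts and the ten-minute detection window are all constructed for illustration:

```python
# Added example (not Twitter's code): a toy account-support tool applying
# least privilege, dual control for high-reach accounts, and audit-based
# detection. All names, thresholds and accounts below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HIGH_REACH_FOLLOWERS = 1_000_000  # "a million followers" threshold from the thread
REQUIRED_APPROVERS = 2            # assumed policy: two independent approvers


@dataclass
class Account:
    handle: str
    followers: int
    recovery_email: str


@dataclass
class AuditEvent:
    ts: datetime
    operator: str
    action: str
    handle: str
    approvers: tuple


@dataclass
class AdminTool:
    # operator -> permitted actions. Least privilege: most staff get only
    # "view", a few get "change_email", and approving is a separate role.
    roles: dict
    audit: list = field(default_factory=list)

    @staticmethod
    def is_high_reach(acct: Account) -> bool:
        return acct.followers >= HIGH_REACH_FOLLOWERS

    def change_recovery_email(self, operator, acct, new_email, approvers=(), now=None):
        now = now or datetime.now()
        # Control 1: the operator's own role must grant the action.
        if "change_email" not in self.roles.get(operator, set()):
            raise PermissionError(f"{operator} may not change recovery e-mail")
        # Control 2: a high-reach account needs REQUIRED_APPROVERS distinct
        # approvers, none of them the operator, each holding the approver role.
        if self.is_high_reach(acct):
            qualified = {a for a in approvers
                         if a != operator and "approve_sensitive" in self.roles.get(a, set())}
            if len(qualified) < REQUIRED_APPROVERS:
                raise PermissionError(f"{acct.handle} is high-reach: {REQUIRED_APPROVERS} "
                                      f"approvers needed, {len(qualified)} valid")
        acct.recovery_email = new_email
        # Control 3: record who did what, to which account, and who approved it.
        self.audit.append(AuditEvent(now, operator, "change_email", acct.handle,
                                     tuple(sorted(set(approvers)))))


def flag_bulk_takeovers(audit, accounts, window=timedelta(minutes=10), max_high_reach=2):
    """Operators who modified more than max_high_reach distinct high-reach accounts
    inside any window-long period. One operator hitting several celebrity accounts
    within minutes is the pattern the thread describes; routine support work is not."""
    by_op = {}
    for ev in sorted(audit, key=lambda e: e.ts):
        if AdminTool.is_high_reach(accounts[ev.handle]):
            by_op.setdefault(ev.operator, []).append(ev)
    flagged = set()
    for op, events in by_op.items():
        for i, start in enumerate(events):
            handles = {e.handle for e in events[i:] if e.ts - start.ts <= window}
            if len(handles) > max_high_reach:
                flagged.add(op)
                break
    return flagged


def _denied(tool, operator, acct, approvers, now):
    try:
        tool.change_recovery_email(operator, acct, "x@example.com", approvers, now)
        return False
    except PermissionError:
        return True


def demo():
    """Exercise the controls on constructed accounts; returns the outcomes."""
    tool = AdminTool(roles={"alice": {"view", "change_email"},
                            "bob": {"view", "approve_sensitive"},
                            "carol": {"view", "approve_sensitive"},
                            "dave": {"view"}})
    accounts = {h: Account(h, n, f"old-{h[1:]}@example.com") for h, n in
                [("@bigname", 12_000_000), ("@othername", 5_000_000),
                 ("@thirdname", 3_000_000), ("@smallacct", 120)]}
    t0 = datetime(2022, 1, 21, 12, 0)
    out = {}
    # A view-only operator cannot change even a small account.
    out["view_only_denied"] = _denied(tool, "dave", accounts["@smallacct"], (), t0)
    # For a small account the operator's own role suffices.
    tool.change_recovery_email("alice", accounts["@smallacct"], "new@example.com", now=t0)
    out["small_ok"] = accounts["@smallacct"].recovery_email == "new@example.com"
    # One approver, plus the operator naming herself as approver: still denied.
    out["one_approver_denied"] = _denied(tool, "alice", accounts["@bigname"], ("bob", "alice"), t0)
    # Properly dual-controlled changes succeed, but three in three minutes get flagged.
    for i, h in enumerate(["@bigname", "@othername", "@thirdname"]):
        tool.change_recovery_email("alice", accounts[h], f"new{i}@example.com",
                                   approvers=("bob", "carol"), now=t0 + timedelta(minutes=i))
    out["dual_control_ok"] = accounts["@bigname"].recovery_email == "new0@example.com"
    out["flagged"] = flag_bulk_takeovers(tool.audit, accounts)
    return out
```

The detector deliberately fires even when every change was correctly approved: dual control raises the cost of a social-engineering run, while the audit-based check is what tells an on-call team that an approved-looking sequence is still abnormal and worth stopping.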
| staticassertion wrote:
| That's true of almost every breach though.
| slg wrote:
| Should we stop calling out a bad thing just because it
| isn't the first bad thing of its kind to happen?
| staticassertion wrote:
| I guess if your statement is intended to be broad, sure.
| It seemed targeted to this breach, which yeah I think
| it's sort of wrong to call out one breach for being
| exactly like all other breaches.
| basisword wrote:
| How is this a tech issue? The issue is powerful politicians
| using private social media companies as a means of
| communicating with the public. Politicians and others can
| instantly prevent the risk by only communicating through
| official means.
| slg wrote:
| Government communication has no value if it doesn't reach
| its audience. They need to be where the people are.
|
| This also isn't a problem limited to governments and
| politicians. It calls into question the authenticity of
| every account on Twitter and that includes other
| important accounts which can cause damage if compromised
| such as journalists and news organizations.
| BeFlatXIII wrote:
| Good. Trust nothing you see. It's all kayfabe.
| [deleted]
| riffic wrote:
| Hacked Twitter accounts[0] are incredibly common. Twitter has
| been asleep at the wheel.
|
| [0]
| https://www.google.com/search?q=hacked+site:https://www.redd...
| dewey wrote:
| Some credential stuffing attack is way less scary and well
| known than what happened at Twitter where "Verified" accounts
| with 2FA got hacked because they were able to take them over
| with internal tools.
| riffic wrote:
| third-party apps are incredibly common and usually have
| unrestricted access to post or alter profiles.
|
| I'm not sure if I buy the internal tool angle here.
| dewey wrote:
| Yes, but there's a big difference between random account
| getting hacked and verified world leader account getting
| taken over by compromising an internal Twitter system?
| riffic wrote:
| I don't think Twitter ever disclosed whether an internal
| system was compromised or not (if they were, please
| inform!)
|
| Third party app developers are more likely to have been.
| It's also likely for a third-party dev to have bad
| intentions.
|
| I periodically review and make sure to disable
| third-party app access to my Twitter accounts. Who's to say
| your average celeb is likely to do that?
| dewey wrote:
| https://www.theverge.com/2020/7/15/21326656/twitter-hack-
| exp...
|
| > We detected what we believe to be a coordinated social
| engineering attack by people who successfully targeted
| some of our employees with access to internal systems and
| tools.
|
| It was social engineering, but still access to internal
| tools which made this bypass possible.
| djrogers wrote:
| This part really stood out to me:
|
| "Mr. Agrawal said the "nature of this situation" limited what he
| was allowed to share with employees"
|
| Even when things are a bit contentious, companies and C-level
| execs like CISOs usually come to an agreement and have a joint
| statement about 'spending time with family' or 'pursuing other
| endeavors'. This sounds like it was either very one-sided, or
| something very bad was happening...
| tyingq wrote:
| I can see that happening with a CISO, though, in many
| scenarios. Like if they presented a stark picture of current
| state and said that work needed to happen that would put
| planned revenue generating work on hold. And weren't willing to
| back down on the opinion that it was _that_ critical.
|
| I imagine they wouldn't want to cite differences of opinion on
| security posture as the reason for departing.
| staticassertion wrote:
| It's hard to imagine anyone being that bad of a CISO. No CISO
| is going to say "shut down the business while we figure out
| security", not one who's been a CISO multiple times at least.
| And then for them to not back down or discuss things?
| Unlikely.
|
| More likely they just weren't getting things done fast
| enough. CISOs come and go - they're a very short lived
| position.
| tyingq wrote:
| >More likely they just weren't getting things done fast
| enough
|
| I'd be surprised if that warranted the "nature of this
| situation" language.
| staticassertion wrote:
| It could mean so many things tbh. It's true though, it's
| a very odd way to phrase it. It certainly doesn't feel
| like a typical CISO exit, but idk.
| willcipriano wrote:
| > No CISO is going to say "shut down the business while we
| figure out security"
|
| I understand why they wouldn't from a personal perspective,
| however I can imagine situations where this is the right
| call. For Twitter perhaps not, but I hope the CISO who
| works at my bank would make this choice if things got bad
| enough.
| kune wrote:
| Somebody told me a few years back that the life time of a
| CISO in a larger organisation is not larger than 24 months.
| In my organisation that proved to be true so far. Here the
| rule applies as well.
| saagarjha wrote:
| Perhaps they should check to see if they ever denied the
| position to Lord Voldemort.
| MattPalmer1086 wrote:
| A CISO told me that the role was to beg for resources and
| then to get fired if something goes wrong.
| Phlarp wrote:
| It really feels like the CISO role has become less about
| the security posture of an organization and more about
| being a corporate whipping boy -- predesignated as the go-to
| sacrificial lamb for when a public leak or government
| investigation comes knocking.
|
| Hard to find longevity or stability in a role that exists
| to fail
| BeFlatXIII wrote:
| Once this is known throughout the industry, it also means
| that the whipping boys keep getting fired and then taking
| up their next tenure at the startup next door until
| they're fired again.
| tptacek wrote:
| To the extent that's true, it sure doesn't seem to stop
| high-profile people with lots to lose from taking that
| role.
| jms703 wrote:
| Sounds more like performance and execution problems.
| iqanq wrote:
| What's this new thing that the nytimes does of ending articles
| titles with a full stop?
| unethical_ban wrote:
| It is occasional, and seems to be in the context of their
| "smaller" stories covering various topics in a briefing format.
| I bet this is really an H2 heading in a broader "Today's news"
| screen.
| jer0me wrote:
| It's a collection of short business stories from the day. It's
| been a thing for at least a few years.
| baby wrote:
| My crazy wild guess: they had a weird internal tantrum because of
| Twitter's PR moves around cryptocurrencies, and they got fired
| because they went too far.
| tptacek wrote:
| Seems like a weird thing to put on Zatko.
| toomanyrichies wrote:
| https://web.archive.org/web/20220121064005/https://www.nytim...
| motohagiography wrote:
| I remember commenting when Mudge was hired that Twitter/Jack
| needed someone of that profile to offset his massive
| organizational weight as a founder, where Zatko would have the
| technical and community cred to make decisions for the entire org
| without, a) other people going around him and trying to get
| Jack's attention, and b) to demonstrate there is no doubt about
| the competence of the security team of the platform to satisfy
| some regulatory risk. I also thought it sounded like a bit of an
| overpowered choice for the role, unless it was _not_ intended to
| be long term, and mostly as a tactical near term solution. That
| may have foreshadowed this development a bit as well.
|
| Into the territory of startup fanfic, I'd assert from Agrawal's
| perspective, he needs his own team, and a top technologist
| indexed on engineering competence is overpowered as an individual
| at that level - and for the agility the CEO will need for the
| next stage of his company. He needs his own people to execute for
| him. The company is no longer a startup, and its explosive growth
| phase is behind it. Now it's an asset to be managed, and doing
| that is an orthogonal set of skills to building and managing
| growth, so you need people who operate aligned to a longer
| horizon. The previous CEO's tactical super-hire isn't necessarily
| going to be the same asset for a new CEO's strategy.
|
| It's odd to comment on this like it's sports writing, but that's
| effectively what following these companies is. Knowing very
| little about the individuals, I don't need to mind read, as there
| are clear external incentives for this that make it a fairly
| neutral change.
|
| When you inherit a powerful asset like that, as CEO that can be
| double edged. It's great to have someone that amazing around, but
| if they can undermine the momentum in your leadership even
| (especially?) unintentionally, while you're driving a massive
| organizational change, the choice really makes itself independent
| of the individual characteristics of the people involved.
|
| Ceasing to work at twitter is probably the least interesting
| thing Zatko has ever done, so I don't foresee this reflecting on
| him at all, but before there are drill downs on personalities and
| culture stuff, it's worth looking at it from straight business
| incentives.
| tptacek wrote:
| The CSO role has basically nothing to do with the stuff that
| made Zatko famous; it's mostly boring organizational management
| stuff, with a sprinkling of being real good in meetings. It's
| not surprising to me that a new CEO who had just shaken up the
| whole engineering team would also clear the decks on security
| as well. For instance: this kind of thing happens when a
| company decides it wants security more closely integrated with
| engineering --- or the opposite.
|
| I have no insight into what's happening at Twitter but if you
| made me bet, I'd bet against there being any interesting drama
| here.
| DwnVoteHoneyPot wrote:
| I'd bet there is a lot of drama going on. It's not a company
| that "decides it wants security more closely integrated with
| engineering --- or the opposite", it's one person who wants
| that, and he's bringing his buddies along now that he's in
| power. It's not some logical process. At that level all they
| have is their personalities and egos.
| tptacek wrote:
| The new CEO also fired the head of engineering, and other
| senior leadership. You can call it ego or whatever, I'm
| just saying, there probably isn't a super interesting story
| of why Zatko had to go. "We're scrapping top management and
| we want the new team to have the freedom to organize the
| security org the way they want to" seems like the most
| plausible explanation.
|
| And, again: high-level organizational management seems like
| a weird place to slot Zatko, who seems like he'd be
| happiest as like, a senior fellow at CSIS or something.
| eganist wrote:
| I'm probably drawing early conclusions, but it's not a surprise
| hearing an engineering head or ex-CTO type eliminate security
| given security is often seen as a roadblock, even in Twitter's
| case where their leadership and team often worked to make it a
| business enablement function.
| asdfsd234234444 wrote:
| Let this be a lesson that the business comes first. Security is
| important - but the business is more important.
| _pdp_ wrote:
| It is often failure of the security leadership when security
| is not aligned with business goals.
| eganist wrote:
| > Let this be a lesson that the business comes first.
| Security is important - but the business is more important.
|
| Sound security practices enable good business, e.g. giving
| teams a paved road
| (https://www.slideshare.net/diannemarsh/the-paved-road-at-
| net...) that enables rapid _and_ secure releases in place of
| gates.
|
| At least from what few accounts I've heard from engineering
| in Twitter, it doesn't sound like Mr. Agrawal has much faith
| in this idea, but that just means he'll be the first to go in
| the event of the next inevitable breach.
|
| Watch it be over something dumb like stolen NFTs.
| easterncalculus wrote:
| After Mudge got the position I had a feeling it wouldn't last,
| but I figured it would be later. It's sad to see him go, but I'm
| sure he'll continue to do awesome stuff.
| fossuser wrote:
| Any specific reason? Why did you think it wouldn't last?
| baby wrote:
| It's very hard to find security people who can keep business
| needs in the back of their minds as well. That's why
| developers make the best security people, and pure security
| people are often too hard headed. (I'm saying that as a pure
| security person who learned the hard way.)
___________________________________________________________________
(page generated 2022-01-21 23:00 UTC)