[HN Gopher] Twitter shakes up its security team
___________________________________________________________________
Twitter shakes up its security team
Author : djrogers
Score : 113 points
Date : 2022-01-21 16:52 UTC (6 hours ago)
(HTM) web link (www.nytimes.com)
(TXT) w3m dump (www.nytimes.com)
| mercy_dude wrote:
| This guy really irks me. For one, since he took over it really seems Twitter is heading towards a direction to suit activist investor demands. I used to be able to browse Twitter posts of people I tend to respect (mainly scientific and academic people) without having to log in and it is getting increasingly difficult without doing so lately as they keep showing me the login screen.
|
| This guy has a toxic history of narcissistic behavior as reported in several local Indian social media and he would only seem to suck up to corporate demand and make Twitter more suffocating.
| paxys wrote:
| He took over as CEO a month and a half ago. I really doubt he has been able to change the company culture or user experience to the extent that people can form opinions on his tenure.
| rrix2 wrote:
| he's been the CTO since 2017
| olliej wrote:
| What are the activist investor issues? (I haven't been paying attention to "activist investor" behaviour for a while as so many seemed to just be pushing for "make me rich in the short term regardless of cost")
| uoaei wrote:
| That definition seems at odds with the core concepts involved in the term "activist investor".
| HillRat wrote:
| Traditionally, the "activist" in "activist investor" simply means "an investor who is actively pushing for specific policies," generally to increase the return on their investment.
|
| "Financial activists" like Carl Icahn or Starboard frequently take > 5% stakes in order to pressure companies to sell themselves to competitors, break themselves apart in order to shed lower-performing divisions, funnel cash to shareholders through dividends or stock buybacks, or reverse policies they see as injurious to the bottom line
|
| CEOs naturally hate this, and activist investors have a reputation -- arguably often well-deserved -- for improving the profitability of their portfolios at the cost of the companies they target. Sometimes this can force companies to walk away from suboptimal strategies -- did AOL _really_ think Patch was going to be a market maker? -- but in many cases their activism simply results in the company's acquisition, aggressive offshoring or deindustrialization, or just straight-up bankruptcy. Icahn, for example, took a heavy position in Blockbuster and was instrumental in forcing them to reinstate late fees and drop plans to enter the streaming market, which left them exceedingly vulnerable when Netflix introduced streaming (the dueling HBR articles on this are well worth reading).
|
| Over the past few decades "social activist investors" have become more common, especially amongst large public sector and union pension plans who have both financial throw-weight and a need to answer to causes somewhat beyond their immediate bottom lines, but in general they are much smaller, and less effective, groups than the usual hedge fund suspects. For example, an organization of decarbonization activists has been trying for years to force ExxonMobil to diversify its energy base beyond hydrocarbons (as other petrochemical firms have done), but they've had notably zero effect on XOM's strategy, despite having an argument based on economics as much as ecology.
| vorpalhex wrote:
| An activist investor is someone who buys into a company with the intent of reforming or changing it.
|
| Maybe you really hate twitter, so you buy into it for $200 million and then use your power on the board to vote down anything good for twitter and vote for anything that is harmful.
|
| Activist investors often don't act in line with financial interest, instead focusing on "activism" even if it costs money.
| sjtindell wrote:
| Do you have any examples of activist investors who actually wanted to do harm to a company? I'm incredulous. What a waste of time and money. I usually hear about ones who think they can turn it around.
| riskable wrote:
| Here you go: https://www.businessinsider.com/tim-cook-versus-a-conservati...
| xibalba wrote:
| This entire comment needs citation, but especially:
|
| > "heading towards a direction to suit activist investor demands"
|
| and
|
| > "This guy has a toxic history of narcissistic behavior"
| pram wrote:
| All the popups blocking content and telling you to log in are reaching Pinterest levels of hostility. Truly dire.
| nostromo wrote:
| I'm glad that he and I seemingly share the same goals. That is: the downfall of Twitter. Firing everyone in sight and deploying dark patterns for short-term revenue seem like good first steps.
| jgalt212 wrote:
| I agree with both of you. Twitter is so good, and so bad in so many ways.
| oneepic wrote:
| I think Twitter started having those "login screen" issues even before he took over. Like at least a month or 2 beforehand.
| stefan_ wrote:
| Before the site was just fake-broken. Now it basically doesn't work at all; entirely unusable. I use Nitter now but that has some issues, unfortunately.
| riffic wrote:
| Around August:
|
| https://www.google.com/search?q=login+wall+site:https://www....
|
| https://www.google.com/search?q=Twitter+login+wall+site:http...
| curious_cat_163 wrote:
| > This guy has a toxic history of narcissistic behavior as reported in several local Indian social Media...
|
| Don't follow.
| What does that have to do with anything about the original post?
| [deleted]
| slg wrote:
| Remember like a year and a half ago when some of the most powerful people on the planet had their Twitter accounts hacked in some bitcoin scam and then the story just sort of went away without any real discussion about how dangerous that could have been if the hackers had different motivations (EDIT: there was an implied "and how to prevent that in the future" here)?
| jchw wrote:
| Twitter is not even dealing with hacked accounts anymore. There are a lot of blatantly hacked accounts that haven't been recovered and never will be.
|
| https://twitter.com/terupancake/status/1484555471054946307
| staticassertion wrote:
| Not really. I remember it being a pretty huge deal and everyone talking about how it could have been so much worse.
|
| What more did you want?
| ct0 wrote:
| How would we even know if someone has pulled this off again with an entirely different motive and hasn't been discovered as a hack?
| staticassertion wrote:
| If Twitter knows about it they're legally obligated to report it.
| mrguyorama wrote:
| Pretty sure they were implying we never got the _how_ they were hacked.
|
| It seemed very unlikely to be credential stuffing or other common things. It seemed more like a rogue inside person or back office hack.
| aharris6 wrote:
| I think this was answered: https://www.wired.com/story/inside-twitter-hack-election-pla...
| staticassertion wrote:
| I know how it happened but I don't remember if it's public knowledge or not. I'm pretty sure at least some details made it out.
| jjulius wrote:
| >Pretty sure they were implying we never got the how they were hacked.
|
| >The Twitter incident began when the hackers connected last year in an online forum focused on buying and selling rare user names, some of the individuals involved told The New York Times at that time.
| They then broke into Twitter's systems by tricking employees into providing login information, according to legal filings. The hackers used an administrative tool to take over accounts belonging to political figures and celebrities, including former President Barack Obama, Kanye West and Elon Musk, using the accounts to conduct a Bitcoin scam, the filings said.
|
| https://www.nytimes.com/2021/07/21/technology/twitter-tiktok...
| slg wrote:
| I guess I phrased that poorly. Yes, there was some discussion about how it could have been worse. However I wanted that discussion to be more than us shrugging our shoulders and saying "we dodged a bullet". There was no real discussion either about standards in the tech industry or political discussions regarding legislative changes in order to prevent that worse version from happening in the future. We didn't seem to learn anything from it.
| azinman2 wrote:
| What legislative changes could have prevented this or something worse in the future? Every security breach is different and often nuanced.
| slg wrote:
| I wanted a discussion about it. I'm just a random developer who doesn't have the perfect answer. Yet some obvious things that might help would be to increase penalties for breaches and potentially require more stringent security auditing for companies of a certain size.
| azinman2 wrote:
| I think the reality is security is really hard, and you only need 1 weakness for someone to drive a truck through. The biggest weakness time and time again is humans, and that's exactly what was attacked here with Twitter via social engineering. You can put all the penalties you want, but ultimately business needs and reality will make it so certain humans have powers that are high-up, which then creates unavoidable weaknesses. Just look at what happened with Ubiquiti and their head of cloud basically blackmailing the company in secret... they were attacked from within.
| How could that have been prevented assuming the person passes background checks and has years of relevant experience?
|
| Many sectors (finance, health care, etc) have all kinds of auditing requirements. I've helped answer some of these audits. It's largely just a bunch of checkboxes for obvious stuff, and in general, isn't how anyone would attack a company that's moderately competent. I've seen and fixed security vulnerabilities in startups that no one else recognized were there, despite passing all these 3rd party audits. I don't know what more could have been done without extremely knowledgeable people looking at every aspect of your business in absolute depth that in part only comes from actually working/building it in the first place. Such experts are rare finds, yet the number of companies with computers attached is far greater.
|
| I'm not against legislation, and I think good legislation would look like taking companies such as Equifax out of business. We don't need total incompetence continuing to be central to society's function. But we also need to be realistic about what can be achieved.
| slg wrote:
| You can never eliminate the possibility of a security incident, but there are easy steps that can be made to reduce the risk. Clearly Twitter didn't do enough of them. For example, they had too many people with too wide permissions which increased their surface area for a social engineering attack. They didn't have an enhanced security policy for highly targeted users such as requiring approval from multiple people which would reduce the success rate of social engineering attacks. They also didn't have the proper monitoring of these high permissioned accounts to quickly identify the source of the breach and therefore they couldn't easily stop it after it began. These might just sound like "checkboxes for obvious stuff", but they would have helped if Twitter checked those boxes.
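The three controls slg lists above (narrow permissions on the admin tool, multi-person approval for highly targeted accounts, and monitoring of the operators who hold those permissions), together with the follower-count threshold proposed later in the thread, can be sketched as a small policy-and-detection module. The Python below is an added illustration written for this page; it is not Twitter's tooling, and nothing in the thread describes how Twitter's internal tool actually works. The role names, the one-million-follower threshold, the two-approver rule, the 30-minute detection window, and the audit events are all assumed values constructed for the example.

```python
"""Added example (not Twitter's code): an authorization gate for an internal
account-administration tool plus a detection pass over its audit trail.

Models the controls discussed in the thread:
  1. least privilege: only one role may change account settings at all;
  2. multi-party approval: sensitive actions on high-reach accounts need
     two independent sign-offs, and the requester cannot approve themself;
  3. monitoring: an operator who touches many high-reach accounts in a short
     window is flagged for investigation.
All thresholds and sample data below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

HIGH_REACH_FOLLOWERS = 1_000_000   # assumed: the thread's "a million followers" idea
REQUIRED_APPROVERS = 2             # assumed: independent sign-offs for high-reach accounts

# Least privilege: the read-only role is the default; the ability to change
# settings is confined to a small role (role names are assumed for the example).
ROLE_PERMISSIONS = {
    "support_agent": {"view_profile"},
    "support_lead": {"view_profile", "change_email", "reset_2fa"},
}
SENSITIVE_ACTIONS = {"change_email", "reset_2fa"}


@dataclass(frozen=True)
class Account:
    handle: str
    followers: int


@dataclass
class Request:
    operator: str
    role: str
    action: str
    account: Account
    approvers: Set[str] = field(default_factory=set)


def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision for one admin-tool request: (allowed, reason). Pure function."""
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role {req.role} may not {req.action}"
    if req.action in SENSITIVE_ACTIONS and req.account.followers >= HIGH_REACH_FOLLOWERS:
        # The requester never counts as an approver of their own request.
        independent = req.approvers - {req.operator}
        if len(independent) < REQUIRED_APPROVERS:
            return False, (f"{req.action} on high-reach @{req.account.handle} needs "
                           f"{REQUIRED_APPROVERS} independent approvers, got {len(independent)}")
    return True, "allowed"


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    operator: str
    action: str
    handle: str
    followers: int


def flag_operators(events: Iterable[AuditEvent],
                   window: timedelta = timedelta(minutes=30),
                   max_accounts: int = 2) -> Dict[str, List[str]]:
    """Operators who changed more than max_accounts distinct high-reach accounts
    inside any sliding window of the given length; returns {operator: handles}."""
    by_op: Dict[str, List[AuditEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action in SENSITIVE_ACTIONS and e.followers >= HIGH_REACH_FOLLOWERS:
            by_op[e.operator].append(e)
    flagged: Dict[str, List[str]] = {}
    for op, evs in by_op.items():
        for i, start in enumerate(evs):
            handles = {e.handle for e in evs[i:] if e.ts - start.ts <= window}
            if len(handles) > max_accounts:
                flagged[op] = sorted(handles)
                break
    return flagged


# Constructed sample audit trail (not real data): one operator bulk-resets 2FA on
# several high-reach accounts within minutes; another does routine, low-volume work.
T0 = datetime(2020, 7, 15, 20, 0)
SAMPLE_EVENTS = [
    AuditEvent(T0, "agent7", "reset_2fa", "bigname1", 5_000_000),
    AuditEvent(T0 + timedelta(minutes=3), "agent7", "change_email", "bigname1", 5_000_000),
    AuditEvent(T0 + timedelta(minutes=6), "agent7", "reset_2fa", "bigname2", 12_000_000),
    AuditEvent(T0 + timedelta(minutes=9), "agent7", "reset_2fa", "bigname3", 2_000_000),
    AuditEvent(T0 + timedelta(minutes=1), "lead2", "reset_2fa", "bigname4", 3_000_000),
    AuditEvent(T0 + timedelta(hours=2), "lead2", "change_email", "smallacct", 120),
]

if __name__ == "__main__":
    print(decide(Request("lead2", "support_lead", "reset_2fa",
                         Account("bigname4", 3_000_000), {"lead2", "mgr1"})))
    # (False, ...): the requester's own sign-off does not count, so only one approver
    print(flag_operators(SAMPLE_EVENTS))   # {'agent7': ['bigname1', 'bigname2', 'bigname3']}
```

The gate and the detector share the same reach threshold so that the accounts that need extra approval are exactly the ones whose bulk modification is alarming; in a real deployment the audit events would come from the admin tool's own log and the flagged operators would feed an on-call alert rather than a return value.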
| azinman2 wrote:
| What audit has checkboxes for 'do you require approval from multiple people for basic profile manipulation of highly targeted users?' I've never seen one on any security compliance that I was a part of, and the reason is that this is so specific to Twitter and very few other companies. Every product will end up being like this -- their own domain and product offering will create their own checkboxes that simply don't apply to the vast majority of other companies.
| slg wrote:
| Regulation that requires signoff from multiple individuals is nothing new. The only piece that is unique is the "highly targeted users" callout, but that can be generalized too. For example, there could be heightened requirements for social media accounts based off their reach. A million followers, subscribers, fans, patrons, or whatever term you use and that account now requires heightened security.
|
| But either way, you are getting too bogged down in the specifics of my hypotheticals. Like I said originally I don't have the answer on the perfect solution, but the fact that we didn't use this incident as motivation to have a discussion about potential solutions is disappointing. Can you at least agree with that?
| staticassertion wrote:
| That's true of almost every breach though.
| slg wrote:
| Should we stop calling out a bad thing just because it isn't the first bad thing of its kind to happen?
| staticassertion wrote:
| I guess if your statement is intended to be broad, sure. It seemed targeted to this breach, which yeah I think it's sort of wrong to call out one breach for being exactly like all other breaches.
| basisword wrote:
| How is this a tech issue? The issue is powerful politicians using private social media companies as a means of communicating with the public. Politicians and others can instantly prevent the risk by only communicating through official means.
| slg wrote:
| Government communication has no value if it doesn't reach its audience. They need to be where the people are.
|
| This also isn't a problem limited to governments and politicians. It calls into question the authenticity of every account on Twitter and that includes other important accounts which can cause damage if compromised such as journalists and news organizations.
| BeFlatXIII wrote:
| Good. Trust nothing you see. It's all kayfabe.
| [deleted]
| riffic wrote:
| Hacked Twitter accounts[0] are incredibly common. Twitter has been asleep at the wheel.
|
| [0] https://www.google.com/search?q=hacked+site:https://www.redd...
| dewey wrote:
| Some credential stuffing attack is way less scary and well known than what happened at Twitter where "Verified" accounts with 2FA got hacked because they were able to take them over with internal tools.
| riffic wrote:
| third-party apps are incredibly common and usually have unrestricted access to post or alter profiles.
|
| I'm not sure if I buy the internal tool angle here.
| dewey wrote:
| Yes, but there's a big difference between random account getting hacked and verified world leader account getting taken over by compromising an internal Twitter system?
| riffic wrote:
| I don't think Twitter ever disclosed whether an internal system was compromised or not (if they were, please inform!)
|
| Third party app developers are more likely to have been. It's also likely for a third-party dev to have bad intentions.
|
| I periodically review and make sure to disable third-party app access to my Twitter accounts. Who's to say your average celeb is likely to do that?
| dewey wrote:
| https://www.theverge.com/2020/7/15/21326656/twitter-hack-exp...
|
| > We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
|
| It was social engineering, but still access to internal tools which made this bypass possible.
| djrogers wrote:
| This part really stood out to me:
|
| "Mr. Agrawal said the "nature of this situation" limited what he was allowed to share with employees"
|
| Even when things are a bit contentious, companies and C-level execs like CISOs usually come to an agreement and have a joint statement about 'spending time with family' or 'pursuing other endeavors'. This sounds like it was either very one-sided, or something very bad was happening...
| tyingq wrote:
| I can see that happening with a CISO, though, in many scenarios. Like if they presented a stark picture of current state and said that work needed to happen that would put planned revenue generating work on hold. And weren't willing to back down on the opinion that it was _that_ critical.
|
| I imagine they wouldn't want to cite differences of opinion on security posture as the reason for departing.
| staticassertion wrote:
| It's hard to imagine anyone being that bad of a CISO. No CISO is going to say "shut down the business while we figure out security", not one who's been a CISO multiple times at least. And then for them to not back down or discuss things? Unlikely.
|
| More likely they just weren't getting things done fast enough. CISOs come and go - they're a very short-lived position.
| tyingq wrote:
| >More likely they just weren't getting things done fast enough
|
| I'd be surprised if that warranted the "nature of this situation" language.
| staticassertion wrote:
| It could mean so many things tbh. It's true though, it's a very odd way to phrase it. It certainly doesn't feel like a typical CISO exit, but idk.
| willcipriano wrote:
| > No CISO is going to say "shut down the business while we figure out security"
|
| I understand why they wouldn't from a personal perspective, however I can imagine situations where this is the right call.
| For Twitter perhaps not, but I hope the CISO who works at my bank would make this choice if things got bad enough.
| kune wrote:
| Somebody told me a few years back that the lifetime of a CISO in a larger organisation is not larger than 24 months. In my organisation that proved to be true so far. Here the rule applies as well.
| saagarjha wrote:
| Perhaps they should check to see if they ever denied the position to Lord Voldemort.
| MattPalmer1086 wrote:
| A CISO told me that the role was to beg for resources and then to get fired if something goes wrong.
| Phlarp wrote:
| It really feels like the CISO role has become less about the security posture of an organization and more about being a corporate whipping boy -- predesignated as the go-to sacrificial lamb for when a public leak or government investigation comes knocking.
|
| Hard to find longevity or stability in a role that exists to fail
| BeFlatXIII wrote:
| Once this is known throughout the industry, it also means that the whipping boys keep getting fired and then taking up their next tenure at the startup next door until they're fired again.
| tptacek wrote:
| To the extent that's true, it sure doesn't seem to stop high-profile people with lots to lose from taking that role.
| jms703 wrote:
| Sounds more like performance and execution problems.
| iqanq wrote:
| What's this new thing that the nytimes does of ending article titles with a full stop?
| unethical_ban wrote:
| It is occasional, and seems to be in the context of their "smaller" stories covering various topics in a briefing format. I bet this is really an H2 heading in a broader "Today's news" screen.
| jer0me wrote:
| It's a collection of short business stories from the day. It's been a thing for at least a few years.
| baby wrote:
| My crazy wild guess: they had a weird internal tantrum because of Twitter's PR moves around cryptocurrencies, and they got fired because they went too far.
| tptacek wrote:
| Seems like a weird thing to put on Zatko.
| toomanyrichies wrote:
| https://web.archive.org/web/20220121064005/https://www.nytim...
| motohagiography wrote:
| I remember commenting when Mudge was hired that Twitter/Jack needed someone of that profile to offset his massive organizational weight as a founder, where Zatko would have the technical and community cred to make decisions for the entire org without, a) other people going around him and trying to get Jack's attention, and b) to demonstrate there is no doubt about the competence of the security team of the platform to satisfy some regulatory risk. I also thought it sounded like a bit of an overpowered choice for the role, unless it was _not_ intended to be long term, and mostly as a tactical near term solution. That may have foreshadowed this development a bit as well.
|
| Into the territory of startup fanfic, I'd assert from Agrawal's perspective, he needs his own team, and a top technologist indexed on engineering competence is overpowered as an individual at that level - and for the agility the CEO will need for the next stage of his company. He needs his own people to execute for him. The company is no longer a startup, and its explosive growth phase is behind it. Now it's an asset to be managed, and doing that is an orthogonal set of skills to building and managing growth, so you need people who operate aligned to a longer horizon. The previous CEO's tactical super-hire isn't necessarily going to be the same asset for a new CEO's strategy.
|
| It's odd to comment on this like it's sports writing, but that's effectively what following these companies is. Knowing very little about the individuals, I don't need to mind read, as there are clear external incentives for this that make it a fairly neutral change.
|
| When you inherit a powerful asset like that, as CEO that can be double edged.
| It's great to have someone that amazing around, but if they can undermine the momentum in your leadership even (especially?) unintentionally, while you're driving a massive organizational change, the choice really makes itself independent of the individual characteristics of the people involved.
|
| Ceasing to work at twitter is probably the least interesting thing Zatko has ever done, so I don't foresee this reflecting on him at all, but before there are drill downs on personalities and culture stuff, it's worth looking at it from straight business incentives.
| tptacek wrote:
| The CSO role has basically nothing to do with the stuff that made Zatko famous; it's mostly boring organizational management stuff, with a sprinkling of being real good in meetings. It's not surprising to me that a new CEO who had just shaken up the whole engineering team would also clear the decks on security as well. For instance: this kind of thing happens when a company decides it wants security more closely integrated with engineering --- or the opposite.
|
| I have no insight into what's happening at Twitter but if you made me bet, I'd bet against there being any interesting drama here.
| DwnVoteHoneyPot wrote:
| I'd bet there is a lot of drama going on. It's not a company that "decides it wants security more closely integrated with engineering --- or the opposite", it's one person who wants that, and he's bringing his buddies along now that he's in power. It's not some logical process. At that level all they have is their personalities and egos.
| tptacek wrote:
| The new CEO also fired the head of engineering, and other senior leadership. You can call it ego or whatever, I'm just saying, there probably isn't a super interesting story of why Zatko had to go. "We're scrapping top management and we want the new team to have the freedom to organize the security org the way they want to" seems like the most plausible explanation.
|
| And, again: high-level organizational management seems like a weird place to slot Zatko, who seems like he'd be happiest as like, a senior fellow at CSIS or something.
| eganist wrote:
| I'm probably drawing early conclusions, but it's not a surprise hearing an engineering head or ex-CTO type eliminate security given security is often seen as a roadblock, even in Twitter's case where their leadership and team often worked to make it a business enablement function.
| asdfsd234234444 wrote:
| Let this be a lesson that the business comes first. Security is important - but the business is more important.
| _pdp_ wrote:
| It is often failure of the security leadership when security is not aligned with business goals.
| eganist wrote:
| > Let this be a lesson that the business comes first. Security is important - but the business is more important.
|
| Sound security practices enable good business, e.g. giving teams a paved road (https://www.slideshare.net/diannemarsh/the-paved-road-at-net...) that enables rapid _and_ secure releases in place of gates.
|
| At least from what few accounts I've heard from engineering in Twitter, it doesn't sound like Mr. Agrawal has much faith in this idea, but that just means he'll be the first to go in the event of the next inevitable breach.
|
| Watch it be over something dumb like stolen NFTs.
| easterncalculus wrote:
| After Mudge got the position I had a feeling it wouldn't last, but I figured it would be later. It's sad to see him go, but I'm sure he'll continue to do awesome stuff.
| fossuser wrote:
| Any specific reason? Why did you think it wouldn't last?
| baby wrote:
| It's very hard to find security people who can keep business needs in the back of their minds as well. That's why developers make the best security people, and pure security people are often too hard headed. (I'm saying that as a pure security person who learned the hard way.)
___________________________________________________________________ (page generated 2022-01-21 23:00 UTC)