[HN Gopher] Ex-Twitter exec blows the whistle, alleging reckless cybersecurity policies Author : razin Score : 841 points Date : 2022-08-23 10:36 UTC (12 hours ago) web link (www.cnn.com) | pphysch wrote: | > FOREIGN THREATS: Twitter is exceptionally vulnerable to foreign | government exploitation in ways that undermine US national | security, and the company may even have foreign spies currently | on its payroll, the disclosure alleges. | | This is a very strange article to me. When I think of Twitter and | government influence, I think of the overwhelming pro-Washington | bias. | | I think of the "state-affiliated media" tags that somehow don't | apply to RFE/RL and BBC. | | I think of the countless heterodox/dissident accounts that have | been banned or silenced on the platform. | | I think of the "hacked materials" warning label that was invented | to discredit a particularly damning story about a covert | disinformation campaign involving Reuters and BBC. | | I think of Twitter's complete tolerance of the obvious platform | abuse by the textbook troll farm known as "NAFO". | | I think of the revolving door between the federal government and | policy/compliance positions at large tech companies including | Twitter, of which Mudge is one of many. | | My tinfoil hat is whispering that this story is part of a broader | campaign to put pressure on Twitter to be even more compromised | by the federal government and intelligence agencies. I just don't | see how this "foreign threat" narrative lines up with the reality | of how effectively managed Twitter has become over the past few | years. | | Realistically though, Mudge probably just has a huge hacker ego | and is butthurt that he was caught slackin'.
| brundolf wrote: | There's been at least one Saudi spy found working at Twitter | and convicted: https://nypost.com/2022/08/09/ex-twitter-employee-ahmad-abou... | | > Saudi citizen Ali Alzabarah, who worked as an engineer at | Twitter, used their positions to access confidential Twitter | data about users, their email addresses, phone numbers and IP | addresses, the latter of which could be used to identify a user's | location | | Internal data security practices could probably have helped | limit his access | nym375 wrote: | Read the report of the problems he was trying to surface: | https://www.washingtonpost.com/technology/interactive/2022/t... | | This doesn't seem like he was "butthurt and caught slackin'." | The tone of the report seems like he's frustrated that he was | hired to do a job, and not given the resources / authority to | make the necessary sweeping changes. Perhaps someone with a | more political approach could have influenced leadership | better. But they hired an extremely technical person, not an | extremely political person. | kornhole wrote: | What more pressure do you think intelligence agencies would | want to enforce? https://www.mintpressnews.com/twitter-hiring-alarming-number... | ChrisMarshallNY wrote: | I've been hearing about Mudge for _decades_. It's actually a bit | ... _heartbreaking_ ... to see him looking so corporate, but we | all age, don't we? | | I doubt he was fired for being bad at his job. But I'll bet he | was fired for getting in people's faces. That was basically his | calling card for _years_. Why is anyone surprised? | | I guess Twitter thought they could hire the cachet, without | hiring the man. | | I remember an Apple WWDC, way back when. It may have been in the | 1980s, as it was in San Jose. | | They hired Ken Kesey to drive his bus to San Jose, and give a | speech. The party theme was "Hippies," so he fit right in. | | So they thought.
| | He got up on stage, and started talking about taking acid, and | counterculture. | | The shepherd's crook came right out, and yanked him off the | stage. | | I heard they had a big fight with him, because they wanted him to | leave his Magic Bus, parked in the courtyard. | | He drove off in it. | | Smart people that make waves are not easy to control. If you are | used to herding around mediocre sheep, you'll probably have a | hard time with the wolves. | dehrmann wrote: | > I doubt he was fired for being bad at his job. But I'll bet | he was fired for getting in people's faces. | | As head of X, maintaining good relationships _is_ part of your | job. It's actually the biggest part of your job. | Kalium wrote: | When you make someone head of security, there are a handful | of ways they can go about it: | | * They can be utterly ineffectual, ideally while looking good | in the press and maintaining good relations across the | company. The latter is easy when you never have to ask anyone | to do anything. | | * They can be effective, which requires the ability to draw | on and coordinate resources far beyond security. Their | ability to do this is reliant entirely on the support and | backing they get from the top. This _will_ make people angry, | because it's inevitably going to lead to reshuffling | priorities and making choices people dislike. It's possible | to maintain good relationships while doing this, if you have | strong backing and you need to convincingly be empathetic | about people's feelings while they do what your security and | privacy demand. | | * They can be ineffectual while trying to work across the org | and negotiate without backing. Eventually this just pisses | people off because you're constantly asking for things and | they just want you to go away. | | As a security leader, your ability to maintain good | relationships while being effective is contingent on how much | backing you get.
If you're not backed sufficiently, you | cannot do both, and then you have to make awkward choices. | a_puppy wrote: | There's a common anti-pattern that goes like this: | | 1. A higher-ranked person (e.g. Agrawal) is screwing up in | some way (e.g. not addressing security issues) | | 2. A lower-ranked person (e.g. Mudge) tries to get the | problem fixed (e.g. addressing the security issues) | | 3. The higher-ranked person refuses, and it turns into a | conflict | | 4. The lower-ranked person gets blamed for "not maintaining | good relationships" or "being hard to work with" or something | like that. | | See this article: https://lethain.com/hard-to-work-with/ | | To be clear, maintaining good relationships is very | important. Good relationships are the lubricant that keeps | the machine running smoothly; if someone has poor social | skills or doesn't make an effort to maintain good | relationships, they'll cause unnecessary friction, and | they'll end up wasting time and effort on a conflict when | they could have solved the problem by maintaining a better | relationship. | | But, not every conflict is an unnecessary conflict that could | have been solved by maintaining a better relationship! | Sometimes people refuse to fix problems, and the only options | are to apply pressure to them or let the problem go unfixed. | Sometimes "lack of lubricant" isn't the reason the machine is | broken. | | (One way to see this is to note that Agrawal did not maintain | a good relationship with Mudge. If maintaining good | relationships is part of the job, did Agrawal fail at his | job? Or do you think only the lower-ranked person is | responsible for maintaining good relationships?) | ChrisMarshallNY wrote: | Yes and no. | | There are many facets to these types of jobs, and these types | of teams. | | I suspect that he was a "known quantity," when he was hired, | and acted as he was expected to act, by the person that hired | him.
| | Jack Dorsey had his own issues, and pleasing him may not have | counted for much, after the new folks took over. | | I do have issues with declaring that someone at that level is | being fired "with cause," especially someone that knows where | the bodies are buried. This goes double, for someone well-known for doing well in other environments. Usually, there's | some kind of "golden handcuffs," and the firee simply "leaves | to spend more time with their family." | | Regardless of his faults, they set themselves up for this. | From here, it appears to be a rather petty personality spat | that may end up hurting a whole bunch of folks. | | So yes, you are correct, but the person at fault may not be | Mudge. | sleepybrett wrote: | The ceo might want you to be a doormat in order to make them | look competent. The board, and the users, might disagree. | strictnein wrote: | > It's actually a bit ... heartbreaking ... to see him looking | so corporate, but we all age, don't we? | | He's stated that you can work to change the system from the | outside or from within and he chose the latter. | [deleted] | hn_throwaway_99 wrote: | I don't think your comparison is apt. Mudge isn't some loose | cannon. He worked for the US government as a program manager | for DARPA from 2010-2013, then for Google from 2013-2020. You | think he looks "corporate" now, just look at his government | portrait on his Wikipedia page from a decade ago. | | Point being, Mudge is a very well respected cyber security | professional, not some "hippy hacker" from years past. Which | makes me even more willing to give his accusations weight, | because this is not a case of someone who doesn't "get" | corporate environments. | ChrisMarshallNY wrote: | I didn't mean that he was a "hippy hacker." Maybe you | misinterpreted that, from my story (BTW: Ken Kesey was no | slouch, either). My apologies for being unclear. | | But he has a _definite_ history of being quite willing to speak | truth to power.
Not having had any personal interactions with | him, I can only go on the [many] stories I've heard. | psyc wrote: | It looks like you're reading several things into GP's comment | that he did not write. At least I read it completely | differently. I.e. that perhaps Mudge's alleged failure was | "not playing ball" regardless of what the particular game | might have been in that corporate environment, at that | particular time, under/beside those particular execs. | ShroudedNight wrote: | I also only have public information, but the sense I've gotten | was that Twitter had an embarrassing problem, with high-profile | accounts being compromised, and Jack personally hired Mudge to | fix it, with Mudge reporting directly to Jack. This set up | Mudge to essentially be the parental supervision for Parag, | which chafed / pissed Parag off. Then, when Parag became CEO, | Mudge was out, having not accomplished much because Parag was | actively hostile to the interference. | | Again, conjecture based on what I could extract from the froth, | but mundane enough for me that alternatives (shocking displays | of X) start requiring extraordinary evidence. | grouchomarx wrote: | This. Parag's retaliation for having his toes stepped on | tschellenbach wrote: | Zatko reported directly to the CEO, as a senior leader you need | to take responsibility for your own work. Does anyone believe | that in an organization as large as Twitter he didn't have enough | resources to solve this? I imagine his budget ran in the tens of | millions. | ctrlmeta wrote: | I can very much believe it. A CEO can, if they play their cards | right, block the CTO from accomplishing what the CTO set out to | do. Budget is not the problem. Approvals and alignment with | board members are the problems. And if the CTO still decides to | push forward, the CEO can still fire the CTO for | underperformance which is exactly what you see in this story. | [deleted] | tschellenbach wrote: | They could.
But if someone has a cost effective plan to | improve security, that's feasible to execute, why would they | block it? It doesn't make sense, security issues are | important and can cause damage to the business. Their CEO is | an engineer, he knows this. | | It seems more probable that this security leader failed to | get buy in from the engineering teams, or that there was some | technical debt that he couldn't get past. | crow_t_robot wrote: | When is mudge going to audit tesla/spacex for "non-compliant | kernels", "encryption at rest", etc, etc? | | Everyone in this shameful industry knows that literally any | company in the US would get shredded in such a vigorous audit and | the silliest part is that twitter is a fucking shitposting | platform that doesn't have my SSN or financial data so equating | it to equifax in any way is absolutely laughable. | honkler wrote: | It does have your phone number though. | josephh wrote: | Please speak for yourself. | [deleted] | vagabund wrote: | I wish CNN would just air their interview in full instead of | splicing his answers into 5 second soundbites with editorialized | voiceover framing. I'm infinitely less interested in CNN's | reporter's summation of the issue than that of the veteran | security analyst at the heart of the story. | agentultra wrote: | I still think liability is the tool that will change how we | approach security. | | Right now breaches don't cost much and cause a lot of harm. | Companies have no incentive to drive the speed limit and listen | to their engineers. | Simon_O_Rourke wrote: | OK, so their security is a mess, as many commenters have pointed | out, they are one of many companies. | | What I can't figure out is what's this guy's beef that he went | revealing all this? Was he fired or demoted or something and | thought to get his own back? | detaro wrote: | Look at Mudge's track record. 
He didn't become a security | legend by staying quiet about problems, and if Twitter wasn't | willing to address it internally... | carvking wrote: | "Zatko says, he believes he is doing the job he was hired to | do for a platform he says is critical to democracy. "Jack | Dorsey reached out and asked me to come and perform a | critical task at Twitter. I signed on to do it and believe | I'm still performing that mission," he said." | | Seems like a legit answer. | aliqot wrote: | Everyone should watch L0pht's congressional testimony. | criddell wrote: | Why assume the whistleblowing was done for negative reasons? | stuckinhell wrote: | The bots problem is an absolute nightmare issue for a social | network. I can't imagine what I'd do if I discovered my network | was fake. The whole point of my network is building professional | connections and gaining skills for work. | | Also seeing various weird topics on twitter like kpop or other | random things always made me wonder how much artificial bot | boosting was done for those who had money to pay the bot net. | debacle wrote: | I run a relatively large social media group. We have a | following of about 10k. | | Even with FB's automated tools (which are surprisingly good), | we still have to "prune" ~10 bot accounts per day. | | If we weren't strict about this, in a year 25% of our group | would be bot accounts. | the_lonely_road wrote: | FYI Kpop is "very" popular in some segments of American culture | that you just might not cross over with. I experience it | frequently in the "Team Fight Tactics" ecosystem which is an | E-Sport run by Riot Games (of League of Legends fame) that for | some reason contains a very large Asian American population (in | relation to their % of the population) and all of them | frequently stream Kpop to large audiences. The largest streamer | for this game "K3Soju" is one of the top 10 streamers on Twitch | frequently pulling in over 20,000 viewers.
All of these people | are very active on Twitter. I point this out because I doubt | things like this going viral on Twitter are necessarily the | result of bot networks instead of just the result of corners of | the internet that we don't encounter. | upupandup wrote: | what I find peculiar about the kpop crowd is how they | seemingly appear out of nowhere and on demand in political | topics to drown out/cancel people who don't like them or | share their values. | | In Korea a blogger was able to see how BTS fans or "bots" | were able to game the music ranking. What's interesting to me | is how they seemingly correlate with wumaos as well. | | I don't have solid evidence but it appears that much of the | "stan" (kpop mob on social media) are very much politically | aware and push a certain side of the spectrum. | | All of this makes for some bizarre dynamics and I'm afraid | that youngsters who are caught up in the craze don't know | that they are being manipulated by a very large crowd that | behaves in bot-like ways or are herded into specific | political flashpoints without understanding the underlying | nuances. | the_lonely_road wrote: | Is this not a generic phenomenon though with no specific | relation to Kpop? I was involved in campus recruiting a | decade ago and remember distinctly all of the deep | discussions the students were having about Kony2012 and | what they should do about it during the recruiting dinners. | How and why these political flash mobs form online doesn't | seem well understood and will no doubt spawn dozens to | hundreds of papers over the next few decades examining it. | PuppyTailWags wrote: | I think youngsters are very nuanced, actually, but their | political tactics are adapted to a full acknowledgement of | an algorithm as a player in the political landscape game. | Take the teenager who took being dunked on by a republican | politician for being fat and used it to make herself viral | in raising like 700k for abortion.
That's not a kid who is | caught up in a craze-- that's a kid who is fully aware of | how social media functions and is using it to politically | outmaneuver opponents. I think they look bizarre, but | that's because the landscape they have to "win" in is | bizarre. The incentives are twisted and the genz know it. | upupandup wrote: | hmmm I don't know about those particular examples, seem | pretty clear cut, and I recognize that they are aware of | how to play the game. But what I mean is that certain | special interest groups that overlaps with foreign | interests seem to be able to continue the youngest and as | you put it, the most "apt" userbase to proliferate | messaging and goals of that collective. | | For example, tiktok was recently outed to run keyloggers, | and those genz who are "stanning" are also likely sending | back all these crucial data points. This is not a | conspiracy theory but the very reality that we are | dealing with that those who do not share our values and | way of life are able to not only cast a wide surveillance | of its most vulnerable demographic but manipulate reality | for them in all sorts of ways to identify "enemies of the | movement" and overwhelm them. | | What disturbs me most is that there is this disjointed, | water-and-oil dynamism between the two political | spectrums engaged in this toxic social media warfare | aimed at sowing discord and turning its masses to feel | ill, with society, stability and question everything we | have. | | It is this unwitting participation by the genz of the | grander ulterior motives and agendas highlighted by | special interest groups that have overlapping values with | foreign states that know what strings to pull and the | silence in response that worries me. 
| | America's hostile nations know they cannot beat it | militarily and they have developed very imaginative and | creative asymmetric solutions to subvert and sabotage it | from within, and the current state of this side vs that | side makes it impossible to formulate a collective | bipartisan response to steer the ship in the right | direction. | | We are not taking this issue of weaponized social media | seriously and we see this first hand by how little | enforcement/recourse there is for data privacy breach. We | know that privacy of the individual is one of THE key | pillars of open society and unfortunately the waters are | murky and there is no guidance anymore. | | In a few decades we will see what the result of this | trojan horse experiment is but the current trajectory is | not looking good. Gen Z suffer from the highest rate of | mental health issues, have access to an unprecedented amount | of information and foreign subversion. When I realized | your own flag is becoming a symbol of hatred, we reached | a potentially irreversible stage of complexity and with | that only increases risks. | winternett wrote: | People don't do that unless they are paid somehow. It's | organized activity if you search properly under each time | it trends... One or a few accounts will post a keyword or | phrase, and then all the subsequent accounts will | constantly post with the words spelled exactly the same. | Twitter suppresses coordinated activity from many other | accounts, and it's against their rules, but somehow they | allow it to go on regularly for certain topics like KPOP | and BTS, and it results in a lot of streams and album sales | only for whoever is trending. | | This is also likely why Twitter makes it very hard to | scroll to tweets at the beginning of when a trend started, | and why timestamps are not really shown for the beginning | of a trend to the public.
| klausa wrote: | This is the most tinfoil hat way to misunderstand young | people I've ever seen. | | People absolutely do that, just because they think it's | fun. | winternett wrote: | The KPOP spam is regularly littered with bot accounts posting | the same comments regularly. | | If you have a platform as prominent as Twitter, making it onto | the trending timeline can be very profitable for musicians. The | same major industry artists regularly trend on Twitter because | they command most of the profit, and then often use a | percentage of that for paid and bot promotion. It's just my | opinion, but Twitter facilitates and permits that bad behavior | regularly because they profit off of the activity too. | | There is not much more frustrating than being a creator or | artist and competing with major industry forces that have | unlimited funding and internal contacts within Twitter that | ensure that trending is on rails daily. It's not only bots, | it's the sponsored and sanctioned control of what trends that | is a hallmark of the platform. | solarkraft wrote: | > The whole point of my network is building professional | connections and gaining skills for work | | And you're afraid of getting interesting insights from and | interacting with bots ... ? | stuckinhell wrote: | Well if a Bot could recommend me for a job, I'd feel | different. | latchkey wrote: | Amazing how little has changed in 20 years... | | https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-... | Signez wrote: | This excerpt is frightening: | | > About half of the company's 500,000 servers run on outdated | software that does not support basic security features such as | encryption for stored data or regular security updates by vendors | sylens wrote: | I think it's also important to recognize how much of a "check | the box" security control encryption at rest has become for | many vendors/GRC teams. 
A lot of times, the encryption at rest | control only has the capability to prevent somebody from | physically detaching the disk and trying to mount it with their | own machine and access the data that way. In a world where many | companies now run their workloads on public cloud providers who | keep their hardware in distributed cages in secure datacenters, | this isn't the security control many assume it is. | | If you're trying to prevent an actor who has gained a foothold | on a box/network from seeing plaintext data that is actually in | use by the actual production system at that very moment, you're | looking for a much stronger type of control - probably some | sort of client-side encryption or obfuscation/tokenization | tppiotrowski wrote: | I wonder if they're running Ubuntu on 32-bit hardware | raverbashing wrote: | or RHEL 6 | taf2 wrote: | RHEL5 more likely based on when twitter was founded | discodave wrote: | Hahahaha... | | Wait until you hear about the large cloud provider running | RHEL5... (I worked at said provider). | imron wrote: | I wish this was a joke. I know of systems running | multibillion dollar companies that are still using rhel6. | kerng wrote: | I wish companies generally would be more transparent - I'd | imagine this be the norm at most companies. | secondcoming wrote: | Why bother hacking Twitter when it'd be cheaper to bribe an | employee to get all the information you want: | | > allows too many of its staff access to the platform's central | controls and most sensitive information without adequate | oversight | | It'd be even easier if you find an employee who's on the same | political team as you. | Mindwipe wrote: | The likelihood is that bad actors do. | | It's one of the reasons I disliked Twitter forcing the use of | mobile numbers for 2FA, they're just not sufficiently | trustworthy. And I have an account under my real name! If I | were a political dissident etc that just feels like an insane | idea. 
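Illustrating the distinction sylens draws above between disk-level encryption at rest and an application-layer control, here is an added example (not code from the thread, from Twitter, or from any real KMS) of envelope encryption with an audit log of every data-key decryption: the DB row holds only ciphertext plus a wrapped per-row data key, so read-only DB access reveals no PII, and each unwrap is attributed to a principal and purpose. `FakeKms`, `UserStore` and the HMAC-counter-mode cipher are constructed stand-ins so the example runs with the standard library alone; a real deployment would use AES-GCM and a cloud KMS.

```python
"""Envelope encryption with an audit log of every data-key decrypt.

Constructed example. FakeKms stands in for a cloud KMS (it holds the master
key, wraps/unwraps per-row data keys and records who asked and why); the
cipher is HMAC-SHA256 in counter mode plus an HMAC tag (encrypt-then-MAC),
a stdlib-only stand-in for AES-GCM so the example runs without extra packages.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i), truncated to length.
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (fresh random nonce per call)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time first, then decrypt; raise on any change."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or nonce was modified")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class FakeKms:
    """Hypothetical KMS: the master key never leaves this object."""

    def __init__(self) -> None:
        self._master = os.urandom(32)
        self.audit_log: list[dict] = []

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # Returns (plaintext DEK for immediate use, wrapped DEK for storage).
        dek = os.urandom(32)
        return dek, seal(self._master, dek)

    def decrypt_data_key(self, wrapped: bytes, principal: str, purpose: str) -> bytes:
        # Every unwrap is attributable: this is the per-caller log the thread wants.
        self.audit_log.append({"principal": principal, "purpose": purpose})
        return unseal(self._master, wrapped)


class UserStore:
    """Rows hold only ciphertext and a wrapped DEK; no plaintext PII reaches the DB."""

    def __init__(self, kms: FakeKms) -> None:
        self.kms = kms
        self.rows: dict[int, dict] = {}

    def put(self, user_id: int, email: str) -> None:
        dek, wrapped = self.kms.generate_data_key()
        self.rows[user_id] = {"email_ct": seal(dek, email.encode()), "wrapped_dek": wrapped}

    def get_email(self, user_id: int, principal: str, purpose: str) -> str:
        row = self.rows[user_id]
        dek = self.kms.decrypt_data_key(row["wrapped_dek"], principal, purpose)
        return unseal(dek, row["email_ct"]).decode()


def demo() -> tuple[bool, str, list[dict]]:
    """Store one constructed record, check the raw row leaks nothing, read it back."""
    kms = FakeKms()
    store = UserStore(kms)
    store.put(42, "alice@example.com")  # constructed sample PII
    plaintext_in_db = b"alice@example.com" in store.rows[42]["email_ct"]
    email = store.get_email(42, principal="support-tool", purpose="ticket 123")
    return plaintext_in_db, email, kms.audit_log


if __name__ == "__main__":
    print(demo())  # (False, 'alice@example.com', [{'principal': 'support-tool', ...}])
```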
| rightbyte wrote: | It is also frightening that they need half a million servers. | jonahbenton wrote: | The JVM is a hungry beast. | qualudeheart wrote: | This is why smart people use C. | hunter-gatherer wrote: | C has such a bad rap with the HN crowd... | memling wrote: | > C has such a bad rap with the HN crowd... | | why? | docandrew wrote: | Can only patch so many buffer overflows, off-by-one | errors, format string vulnerabilities, integer overflows, | race conditions, use-after-free errors, etc, before it | gets to be a bit tiring. Safer alternatives exist. | hn_throwaway_99 wrote: | It really doesn't. After all, many (most?) other | languages like Java and JavaScript are implemented | primarily in C and/or C++. | | Where it gets deserved opprobrium is that it has no | memory safety features, and thus inherently contributes | to gobs of security vulnerabilities, and there are safer | alternatives now, like Rust. | | C is basically "portable assembly", and it's rarely the | right tool for the job these days. | encryptluks2 wrote: | swores wrote: | I think a comment of "smart people use <any language>" | would be downvoted. | UncleMeat wrote: | An interesting statement in a thread about widespread | security weaknesses. | encryptluks2 wrote: | First, servers generally run on operating systems. No one with | any serious knowledge would use the phrase run on software. | Second, does this guy have any actual tech knowledge at all? He | doesn't list what operating system they are running or what | security updates he is expecting. It doesn't sound great but I | assure you I've probably seen worse on systems used by the | literal federal government to conduct official business and | store sensitive information on. All government cares about is | having remediation plans in place. | WatchDog wrote: | Operating systems are software. | thedougd wrote: | My first thought was the hypervisor layer.
| vngzs wrote: | > Second, does this guy have any actual tech knowledge at | all? He doesn't list what operating system they are running | or what security updates he is expecting. | | "This guy": https://en.wikipedia.org/wiki/Peiter_Zatko | encryptluks2 wrote: | Then he should be in an even better position to specify | what the actual issues are in detail and not some abstract | garbage. You could summarize the information there as.. | "Momma, servers bad. Need encryption. Need updates." | koheripbal wrote: | They are intentionally vague for legal and security | reasons. | encryptluks2 wrote: | What legal and security reasons exactly? | batch12 wrote: | Publishing a detailed report of infrastructure and | specific CVEs would be irresponsible and malicious. If | that is off the table the only thing left is ambiguity. | Also, the audience is important. They are going for | maximum outrage, not glassy eyes. | jonahbenton wrote: | The "does not support basic security features such as | encryption for stored data" unquoted line of reporting is | almost certainly not what Mudge wrote and is likely not | literally true. | | That 500k servers in Twitter infra are missing patches | certainly is true and what was likely in the original was a | statement that stored data that should have been encrypted at | rest was not, and/or that acceptable standards for data at rest | encryption, a relatively rapidly moving freight train, were not | maintained. | akkartik wrote: | No need to speculate, thanks to the links provided by mzs at | https://news.ycombinator.com/item?id=32562815#32564900 | | From https://www.washingtonpost.com/technology/interactive/2022/t..., page 6: | | _"..more than half of Twitter's 500,000 servers are running | out-of-date operating systems so out of date that many do not | support basic privacy and security features and lack vendor | support. More than a quarter of the 10,000 employee computers | have software updates disabled!
More than half of Twitter | employees have access to Twitter's production environment -- | unheard of in a company the age and importance of Twitter, | where nearly all employees have access to systems or data | they should not. At Twitter engineers work on live data when | building and testing software because Twitter lacks testing | and stage environments; work is conducted instead in | production and with live data.._ | | _" This did not happen overnight. To get where Twitter is | today took.. many years.. required repeated downplaying of | problems, selective reporting, and leadership ignorance | around basic security expectations and practices."_ | hn_throwaway_99 wrote: | I have discovered that there are vastly different definitions | of "encryption for stored data" that can mean critically | different things for security. | | One definition is "the underlying disk is encrypted". This is | true, by default, of virtually all cloud environments these | days. But it really only protects you against physical access | to the storage media, which actually is far from the top | threat. | | The other, more useful/meaningful definition, is "we encrypt | everything at the application layer _before_ it is placed | into the DB, and all decryption requests are logged by user | ". For example, using an envelope encryption scheme to | encrypt data before it is stored in a DB, and upon retrieval | decrypting the data with a call to something like KMS. In | that environment you can literally give readonly DB access to | all your developers and not have to worry about PII being | exposed. If hackers somehow got access to your DB, they | wouldn't be able to read sensitive data, and if they also | managed to get access to your KMS credentials, any attempts | to decrypt the data would be tracked and logged. 
| | My point is that when many companies say "we encrypt your | data", they are usually just talking about the first thing, | but that doesn't really provide that much additional | security. The second definition is really what you should be | doing. | antegamisou wrote: | Wasn't it them that had a bug that exposed users' passwords in | plain text a few years back? | netsharc wrote: | Just do it the Zuck way: "If you make an FB app, you can read | all user's data and their friends' data, but click here to | promise that you won't do that and you won't use the data to | subvert democracies...". | adrianmsmith wrote: | To be fair this hasn't been the case for many years. | m3kw9 wrote: | Does Musk know Mudge? | thesuperbigfrog wrote: | "Twitter has hidden negligent security practices, misled federal | regulators about its safety, and failed to properly estimate the | number of bots on its platform, according to testimony from the | company's former head of security, the legendary hacker-turned-cybersecurity-expert Peiter "Mudge" Zatko." | | "Zatko was fired by Twitter in January and claims that this was | retaliation for his refusal to stay quiet about the company's | vulnerabilities. Last month, he filed a complaint with the | Securities and Exchange Commission (SEC) that accuses Twitter of | deceiving shareholders and violating an agreement it made with | the Federal Trade Commission (FTC) to uphold certain security | standards. His complaints, totaling more than 200 pages, were | obtained by CNN and The Washington Post and published in redacted | form this morning." | | What a bombshell! Maybe Elon Musk's complaints about Twitter have | more merit than anyone expected. | | What might the SEC and shareholders do in response? | paulpauper wrote: | _What a bombshell! Maybe Elon Musk's complaints about Twitter | have more merit than anyone expected._ | | Anything Elon or crypto related is still being spammed heavily | with giveaway/impersonation bots.
Nothing has changed. The | spam/bot problem is as bad now as it has ever been, and likely | is worse than assumed, because it includes not just obvious | spam accounts, but legit accounts that have been taken over by | spammers or repurposed for spamming. So there is a % of | accounts which are obvious bots and then another % accounts | that exhibit bot-like behavior. Given how much time Elon spends | on twitter and his first-hand experience with scammers using | his name and spamming his comments, I think his assessment is | probably more accurate compared to what twitter is claiming. | zimpenfish wrote: | > Maybe Elon Musk's complaints about Twitter have more merit | than anyone expected. | | Not the bot complaints, anyway, because "failed to properly | estimate the number of bots on its platform" has been covered | off by Twitter's consistent "this is how we estimate by | sampling, it's a finger in the air guess, could be right, could | be miles off, there's no standard methodology for this" stance | in their SEC filings since 2013 (which no-one has questioned | until now, mind.) | jdhn wrote: | >What might the SEC and shareholders do in response? | | If shareholders believe this, they can do a variety of things | such as sell the stock (smaller holders), or demand answers | from leadership that go beyond "Yeah, we're secure" (bigger | holders such as Saudi Arabia). | mrex wrote: | Some options that shareholders would have in the situation | where investors were knowingly deceived by false disclosures | of a publicly traded company are missing from this response. | cj wrote: | Namely, the ability for shareholders to sue Twitter. | sroussey wrote: | Their disclosures are similar to this: we check for bots, | use a process, the process could be wrong. | mrex wrote: | Mudge alleges that their disclosures were a less than | good faith attempt to gauge the figure. 
| | Mudge also raises a number of allegations not pertaining | to bots, including that Twitter has deliberately failed | to abide by the terms of a federal consent decree. If | proven out, that fact alone would constitute material | adverse effect. | philipov wrote: | His complaints don't hold merit because he entered into a | binding agreement to buy Twitter after waiving due diligence | rights. Zatko was fired in January. Musk had and waived his | chance to discover these things. It's too late now. | mrex wrote: | >waiving due diligence rights | | Pop legal quiz - does "waiving due diligence rights" during an | acquisition remove the other party's liability for fraud | they've committed against the prospective buyer? | silent_cal wrote: | I think this is spot on - it's still possible to make the | contract voidable if you misrepresent what you're selling. | zimpenfish wrote: | > the other party's liability for fraud | | What fraud though? | mrex wrote: | The fraud that Mudge alleges in this article, for | instance? | KerrAvon wrote: | We're missing the connection to Musk here. Care to | enlighten us about your theory? | [deleted] | mrex wrote: | There seems to be the impression that "waiving due | diligence" in an acquisition is some license for the | seller to defraud the potential buyer without recourse. | | If Mudge's allegations are true that Twitter has been | defrauding the public in their reporting, failing to | abide by the terms of a federal consent decree, and | generally turning a blind eye to real problems to prop up | their image, then "waived due diligence" or not, Musk has | an out from the acquisition, and cause for a significant | tort claim. | KerrAvon wrote: | Pop legal quiz - define << fraud >>. | | Musk literally tweeted about the << bot problem >> on | Twitter before the acquisition. 
| mrex wrote: | "All multifarious means which human ingenuity can devise, | and which are resorted to by one individual to get an | advantage over another by false suggestions or | suppression of the truth. It includes all surprises, | tricks, cunning or dissembling, and any unfair way which | another is cheated." | philipov wrote: | So is Musk guilty of defrauding twitter by using | aggressive acquisition tactics as a pretense to get | access to internal nonpublic information to use against | them? | mrex wrote: | The only honest answer I can give there is, "I don't | know". So far as I'm aware, Twitter hasn't alleged that, | no evidence has been presented supporting such an | allegation, and generally it seems a heavy burden to | present a court with convincing evidence of a | conspiratorial theory like that, but I can't | categorically say what Elon Musk's motives weren't. | sroussey wrote: | Not only that, it seemed like a reason he wanted to buy | Twitter. | golemotron wrote: | Why is CNN doing investigatory journalism now? | jwogrady wrote: | saagarjha wrote: | Seems like Twitter loves going through the cycle of getting | hacked -> hiring good talent and focusing on security -> losing people | and focus -> relaxing their stance -> getting hacked :( | LatteLazy wrote: | I'm starting to think social media might not be the best system to | store my personal data, maintain our democracy and protect | national security... | winternett wrote: | Honestly, can you really trust anything about major social media | sites any more? | | Has Twitter ever been in the news for properly making even a | thousand people successful from scratch really ever in the | product's life? 
| | They have pipelines of exploitation for everyone that gets | "discovered" into contractual nightmare deals, they require tons | of free labor and costly hurdles just to become notable and | visible on the platform, they extort people promoting their | independent work for ad money, they don't protect anyone's | privacy, they are VERY MANIPULATIVE in multiple (psychological) | ways, they offer very little support or fairness when accounts | are compromised, hijacked, or stolen, and they impose a | stranglehold on information through lobbies and suppression of | independent art and music. | | Social media took over the Internet after they wooed everyone | into the ideal that they would operate fairly. Now that they have | captured full attention, they have turned on users and they offer | very little to anyone who doesn't pay, and can't offer reliable | security to anyone. There are some serious "God Complexes" going | on with having access to the personal data these systems harvest | ON EVERYONE in conjunction with mobile devices. | | I really hate to say it would actually probably make me feel | better if most of the large data monitoring sites/apps went away | rather than stayed in place, because they make almost every | aspect of the Internet work against us all. | | Twitter has had several opportunities to fix how it operates. The | platform also generates tons in annual revenue to fix how it | operates. Twitter has lots of employees that could fix how it | operates. Twitter has also had numerous security breaches, and it | regularly causes tons of stress for users. Twitter continues to | focus on only pleasing its sponsors, investors, and execs year | after year and repeatedly stretching the promises it was built | upon. | | I can't say I want to see this whale fail, but I won't miss it if | it does. | djbusby wrote: | > only pleasing its sponsors, investors, and execs | | Yea, that's the game. They are a for-profit business. 
This | situation will happen every time. Profits over people, line | must go up! | the_doctah wrote: | Yes and part of the profits are generated by their fake MAU | numbers (bots). They are fraudulent above all else. | survirtual wrote: | I think it is clear we need more public regulation over these | companies, and a lot of the mechanisms need to be embedded in a | non-profit / social utility system, given they DIRECTLY impact | politics. Anything that democracy is reliant upon should not be | subject to private, opaque control. | | In the case of data harvesting, data is the most valuable | resource. You can control what people want using data. No | entity should have unfettered access to data -- it is | undeniably evil in the truest sense of the word. Which, in the | context of my use, means to decay forward progress or to | increase aggregated suffering. | | They will not fix these issues until the public makes it so | painful not to, that they must. As an example, how is Experian | still in business after what they've done? They should have had | a $100 billion+ fine levied against them, and that fine should | pierce through limited liability to the extent that the board | of directors and C-level staff are liable for it. The company | and any owners of it should be bankrupted and living in poverty | after what they've done. | | Until we make PEOPLE liable for the evils they induce on | others, this will keep happening. I don't get limited liability | if I went out and murdered someone, why should the PEOPLE | running companies have limited liability when they murder | millions with pollution, or with financial terrorism? Answer: | they shouldn't. | TeeMassive wrote: | If it impacts politics then it is one more reason not to be | regulated by politicians. 
| winternett wrote: | Government regulation spans further than just rules | engineered by a few politicians, it can be publicly voted | upon, and it can dictate minimum standards that are upheld | across private business for everyone's safety, which in | this case is highly warranted. | | It's the best chance we have to stop this horrible trend. | Companies have shown repeatedly that they are not trust- | worthy nor responsible enough to self regulate. | TeeMassive wrote: | > Government regulation spans further than just rules | engineered by a few politicians, it can be publicly voted | upon | | You're making a distinction without making a difference. | Regulating public forums for their content outside of | illegal content has never been not abused. The UK is | learning this the hard way with the police "checking the | thinking" of netizens. | | If you think companies are bad, then imagine politicians. | I can switch off to another social media but I can't | switch out to another state. | mschuster91 wrote: | > They have pipelines of exploitation for everyone that gets | "discovered" into contractual nightmare deals, they require | tons of free labor and costly hurdles just to become notable | and visible on the platform | | For what it's worth, as someone running a high-five-digits | account, it is possible to get notable on Twitter - you just | have to put in a ton of work to make quality content people are | actually interested in. | winternett wrote: | Sure... In order to build a house, you just need to bring | your motivation... And lots of time... And money... to hire | an architect and an entire home building company... Without | having any income the whole time... | | Hard work for free does not make sense in this type of post- | pandemic world we live in... It's too "Marie Antoinette-esque" | of people to say it's anywhere near reasonable. 
| jdminhbg wrote: | > Twitter continues to focus on only pleasing its sponsors, | investors, and execs year after year | | I mean, it's not really doing a good job of any of that either. | Beldin wrote: | > _Has Twitter ever been in the news for properly making even a | thousand people successful from scratch really ever in the | product 's life?_ | | There was the Arab Spring | (https://en.m.wikipedia.org/wiki/Arab_Spring), where it played | a significant role. | kmeisthax wrote: | The Arab Spring should have been looked at as a warning sign, | but everyone in America was still in full-on neoconservative | "we will be welcomed as liberators" mode. No private company | should have the power to overthrow governments. | BeFlatXIII wrote: | > no private company should have the power to overthrow | governments | | Go tell that to Raytheon and Blackwater as well. | speeder wrote: | I wouldn't consider that as the success op means... | | I mean, surely, some people were successful, but success | of warlords intending to genocide blacks in Libya or starting | a new violent caliphate or kidnapping boys en masse to be | child soldiers is not the sort of success I want to be | enabled with technology. | [deleted] | NickC25 wrote: | > Honestly, can you really trust anything about major social | media sites any more? | | Could you ever trust them? Honest question. | winternett wrote: | Sure you could! (Back when they were new and they wanted to | woo you as a user, and when features and functionality worked | as expected)... Hah. | rhexs wrote: | From Wikipedia: "He was the most prominent member of the high- | profile hacker think tank the L0pht." | | That's quite a generous take. There were plenty of excellent | hackers in the 90s, but "L0pht" just seemed like the PR friendly | one that could go on good morning America. | | Can't tell if this is real or just a 90s security person trying | to stay relevant after being fired. 
| [deleted] | eatonphil wrote: | Whether or not it was high profile before they went on talk | shows and before congress... it's definitely a high profile | (historic) group now because they went on talk shows and before | congress. :) | | High profile doesn't mean best it just means high profile. | bogomipz wrote: | If this is true this would be particularly damning | | >Zatko's complaint says he believed the Indian government had | forced Twitter to put one of its agents on the payroll, with | access to user data at a time of intense protests in the country. | The complaint said supporting information for that claim has gone | to the National Security Division of the Justice Department and | the Senate Select Committee on Intelligence. Another person | familiar with the matter agreed that the employee was probably an | agent.[1] | | [1] | https://www.washingtonpost.com/technology/interactive/2022/t... | kornhole wrote: | This should get the attention of politicians who are probably the | most active users of Twitter. Having their contacts, coms, and | metadata such as phone location exposed and collected by | adversaries is probably a concern for them and our entire | political system. Recall how J. Edgar Hoover was collecting dirt | on every politician to blackmail them to keep his agency funded | without oversight. Twitter would have been a wet dream for him. | tdeck wrote: | I did wonder about this ever since the Ahmad Abouammo story | broke. How did a media partnerships manager have access to so | many random users' private info? That stank of poor access | controls: | | https://www.justice.gov/opa/pr/former-twitter-employee-found... | keepquestioning wrote: | This guy is obviously paid off by Elon | dehrmann wrote: | After the Peter Thiel/Hulk Hogan incident, and especially | considering Musk and Thiel are both Paypal mafiosi, it's quite | possible. 
| seydor wrote: | Twitter is like, the 7th season of "Silicon Valley" | kyrofa wrote: | Is it just me, or does some of this feel less whistleblower-y and | more petty? For example: | | > The company also lacks sufficient redundancies and procedures | to restart or recover from data center crashes, Zatko's | disclosure says, meaning that even minor outages of several data | centers at the same time could knock the entire Twitter service | offline, perhaps for good. | | That said, this is Mudge. I have a lot of respect for the guy, | and I believe what he says. I'll chalk the pettiness up to this | article being a summary of a more complete document that I'd like | to read at some point. | MuffinFlavored wrote: | It doesn't help that he's a "disgruntled employee who was | fired". | | I added that "disgruntled" part but... who gets fired for poor | performance and doesn't become at least slightly disgruntled? | Sebb767 wrote: | Someone who's happy with his employer is not going to become | a whistleblower, so this isn't really an argument against him | but more so against whistleblowers overall. And it's quite | safe to say that we had a lot of important facts uncovered by | whistleblowers. | chipgap98 wrote: | > The company also lacks sufficient redundancies and procedures | to restart or recover from data center crashes, Zatko's | disclosure says, meaning that even minor outages of several | data centers at the same time could knock the entire Twitter | service offline, perhaps for good. | | I mean if it were true that seems pretty negligent. If that | were the entire extent of the whistleblower complaint (not sure | if complaint is the right term?), I would agree, but it seems | as though there are some significant issues raised in the rest | of the report. | kyrofa wrote: | I dunno, pointing out that something has a poor architecture | and pointing out that something has severe, known, and | ignored security issues feels different. 
| jnwatson wrote: | Availability is the A in the CIA triad. DR and resilience | in general is part of security. | mzs wrote: | Knocking-out twitter (used by journalists and govs) during | a crisis IS a security concern. | yupper32 wrote: | A security concern for the governments, not twitter. It's | not twitter's fault that governments are using it as a | primary form of communication, nor should it be their | responsibility to have amazing uptime just because | governments are using their platform. | Willish42 wrote: | It's a national security concern (and international?) if | Twitter can be compromised by nefarious actors and/or | brought down via said compromised access. The idea that | this isn't worthy of whistleblowing because Twitter is a | corporation is insane. There are countless examples in | the last year of Twitter being used for communication | during a crisis. | riffic wrote: | for a company that likes to speak of itself as being a valuable | piece of communication infrastructure (it isn't, Twitter's a | website), this is pretty concerning and shows a lack of | seriousness compared to oh, say, the Bell System. | | Gov (a term that ranges from your head of state down to your | county dog-catcher,) needs to get off these services asap. | Twitter, TikTok, Instagram, FB are all modern versions of your | old AOL Keyword. | | Today we have ActivityPub, a W3C recommendation, which would be | a great alternative. | maximilianburke wrote: | I don't think it's petty; availability of data and systems is a | core component of security design. | Tainnor wrote: | It's important not to forget that certain Twitter users share | incredibly sensitive data over Twitter, increasingly including | nudity and sexual acts (sometimes on private profiles or in DMs, | so they're not meant to be public). 
| | While one may (not wrongly) think that this is a bad idea in | general (unless you subscribe to post-privacy), I think it is our | duty as a society to protect those who don't have a full grasp on | the implications of bad IT security. | | In my opinion, fines for cyber security violations should be | swift and harsh (GDPR goes in the right direction in terms of how | high the fines are, but it is barely enforced). From my POV that | is the only thing that will force companies to actually invest in | cybersecurity. Maybe there should even be a law mandating | security reviews if you handle any PII. | boomboomsubban wrote: | >one or more current employees may be working for a foreign | intelligence service. | | I don't doubt this, but the source is someone with fairly deep | ties to the US intelligence services. Why should he be allowed a | job and not people with ties to foreign agencies? | throwaway0asd wrote: | Conflict of interest violations. Such violations are absolved | through disclosure of known relationships, which cannot occur | if persons are keeping ties to foreign intelligence services | secret. | boomboomsubban wrote: | Is maintaining ties with US intelligence services a conflict | of interest? | hibikir wrote: | I don't believe that what Mudge is saying there is all that | well quoted or explained. The argument I've heard him make, in | other settings, is that companies that are interesting enough | will get job applicants that are really moles for intelligence | agencies. This is very difficult to stop, and once your company | has enough employees, downright impossible. His recommendation | however is not to make it impossible for people with ties to | foreign agencies to join the company. Instead, it's to minimize | the access that any individual mole might have. This would also | apply if you consider US intelligence an attacker! 
| | TLDR; Someone like Twitter, Google or Facebook should have | 'some of our employees are malicious and sophisticated' as part | of their threat model. | criddell wrote: | > companies that are interesting enough will get job | applicants that are really moles for intelligence agencies | | Or they will use money or kompromat to turn existing | employees. | blitzar wrote: | > Someone like Twitter, Google or Facebook should have 'some | of our employees are malicious and sophisticated' as part of | their threat model. | | I would estimate there is a 100% chance that every one of | those companies listed, has multiple employees who work for | or are sources for US domestic and foreign intelligence | services. | | It should be expected and part of their internal systems that | people only have access to the shared drives they are meant | to. | edgyquant wrote: | >estimate there is a 100% chance that every one of those | companies listed, has multiple employees who work for or | are sources for US domestic and foreign intelligence | services | | What are you basing this on? | lkjwlk wrote: | jrm4 wrote: | Ah yes, came for the obvious response which I essentially do see | here. Cybersecurity is awful at twitter, but that's because | cybersecurity is awful everywhere. | [deleted] | Hamuko wrote: | How long before Musk weaponises this in his lawsuit against | Twitter? | michaelwilson wrote: | It may appear that this may get Musk off the hook for buying | Twitter because "Look how bad they are!" but, as I recall, | Musk's problem is that his offer was without contingency - | e.g. "Yah, I'll buy it, whatever". | | So it may just be another event which will drive Twitter's | price down even further and make it a _worse_ deal for him. | | From Bloomberg "The buyers could only back out of the agreement | in the case of a material adverse effect, a high bar that | excludes issues like market volatility or industry challenges." 
| (https://www.bloomberg.com/news/newsletters/2022-07-13/elon-m.. | .). | | I suppose one could argue that the Whistleblower's report is | "material adverse effect", something I'm sure will come out in | the trial. | nudpiedo wrote: | I think it is time to go a bit Meta here, but I start to | suspect that many HN posts are to influence such things, | including popular replies to @pmarca etc... when one says | Netflix falls because it is not a tech company, the next day at | HN comes an article saying how cool and techie it is, etc. | | The reach of HN on the tech world is highly influential, and | for sure it is weaponized in "communication wars" across actors | with different interests. | | EDIT: that doesn't mean that the given information is | necessarily false, it is just presented at the right time, to | promote one view of the world. Also when Twitter hit bottom | some years ago several HN submissions reminded us how they | declined being purchased by Facebook etc, and social network | giants have a large track of understanding how such information | flows and influences people. | lapcat wrote: | October 17 | boffinAudio wrote: | How long before people start conflating this story with Musk in | an attempt to discredit both, you mean? | beeboop wrote: | The modern equivalent of Godwin's law is mentioning either | Tr*mp or El*n in any circumstance possible. | bombcar wrote: | https://twitter.com/deitaone/status/1562069657582018560 | | So about a few hours. | | *Walter Bloomberg @DeItaone ELON MUSK'S LEGAL TEAM HAS | SUBPOENAED PEITER "MUDGE" ZATKO, TWITTER'S FORMER HEAD OF | SECURITY - CNN 8:30 AM * Aug 23, 2022*TweetDeck | bastardoperator wrote: | If it's your job to address specific issues and you fail to do | that, how is that whistleblowing? If this person can't prove they | were blowing whistles before termination, well, that's a lot of | egg to wear on one's face. | [deleted] | purpleblue wrote: | Millennials and GenZ may have no idea who Mudge is. 
I, however, | almost lost my first job out of college at a bank because I ran | l0phtcrack against our Windows NT 4 server to see if it could | crack passwords. I showed my boss, and he pulled me aside into | another room and tore my head off for irresponsibly running this | tool against a production server. He said I could have been fired | if this got out, but he covered my ass, sent out an email | requesting everyone reset their passwords, and let me continue | working. I learned a good lesson because even though my | intentions were good, and it did expose security issues, it was a | bit immature and should have been done in a more controlled | manner along with the proper clearances. | | Mudge knows the implications of "whistleblowing". He has been a | security consultant and even testified to Congress. He's not some | noob that doesn't understand security or how systems work | together to provide services like disclosure to FTC. The idea | that Twitter PR can pooh-pooh away his concerns is shockingly | stupid. | | I think Twitter is in real trouble here. | Consultant32452 wrote: | That's a funny story. I have a similar anecdote where I was | asked to crack a zip file in a saga related to a dispute with a | vendor who gave us a password protected zip file with the | deliverables but not the password. | | Those were wild times. | ChrisArchitect wrote: | l0phtcrack? "Now that's a name I've not heard in a long time." | Wow I thought the name Mudge seemed slightly familiar. | shagie wrote: | I think it was '96? I was working at Taos Mountain at the time. | At that time, Taos had a reasonably close relation to Randal | Schwartz ( https://www.oreilly.com/library/view/learning- | perl-6th/97814... ) and he gave a talk for contractors which | was titled "Just Another (convicted) Perl Hacker". | | In that talk he told of his time at Intel and running crack on | a shiny new sparc and all the problems that caused. 
| | The focus of it was a "how not to get into trouble as a | contractor". | | Somewhere, I've still got my pink camel book with duct taped | edges (for durability) with his signature on the inside title | page. | webdoodle wrote: | > I ran l0phtcrack against our Windows NT 4 server to see if it | could crack passwords. | | Lol, did the same thing for a government entity I was working | for, also without prior permission. It showed 1/4 of the people | used the name of the entity as their password, including 2 | users with domain admin credentials. Both of the domain admins | weren't even IT people, they were the director and his | assistant, who demanded to be admins, because they were 'admin' | within the org. | | In my case, I didn't get scolding, but probably should have. As | your prior boss said, it was not good to do it on a running | production server. Now a restored backup running on a private | network... | datavirtue wrote: | It's Twitter. What possible serious security implications could | possibly warrant everyone in Washington getting into a frenzy? | | All you do is make public comments that have zero value. | | And if this is indeed serious, where the fuck have we landed? | btown wrote: | A well-timed set of tweets from compromised government and | private-sector accounts, coordinated with real stock market | activity planned by the attacker such that investors _cannot_ | ignore the rumors, could cause a geopolitically significant | market panic. This already happened in 2013, and that was | with just a single account being compromised: | https://business.time.com/2013/04/24/how-does-one-fake- | tweet... | nradov wrote: | In the long run that would be a good thing. It would be an | object lesson that investors shouldn't believe anything | they read on social media. | | Investors always have the option to ignore rumors. | Sebb767 wrote: | But investors also need to be quick to react if they want | to make (serious) money. 
Ignoring a tweet from a verified | account about a disastrous event is not reasonable at all | in 99.9% of cases. | | What I'm trying to say is, you might be able to discredit | Twitter, but you won't fix investors trying to invest | ahead of the news. | datavirtue wrote: | OK, Twitter needs regulated then. Hardly a private going | concern if you are right. | gopher_space wrote: | This won't fix the fragility of our economy. It would | start a weird exit model for social platforms, though. | Get big enough that the US buys you out. | datavirtue wrote: | Our economy is not fragile. | k099 wrote: | I can think of a few accounts that, with a single tweet, | could move markets, inflame tensions, or kick off multiple | cycles of misinformation. For many of these large, | influential accounts, Twitter is effectively the same as an | official press release. | enumjorge wrote: | The last US President used Twitter as his primary way to | communicate with the world. That on its own has serious | security implications. | | I agree with you that we have landed in not a great place. | SV_BubbleTime wrote: | > The last US President used Twitter as his primary way to | communicate with the world. | | Without it sounding like an endorsement or defense of the | guy... I never would have believed without seeing it, just | how furious this made the media and other politicians. That | you have a guy come in who said forget the system, I'm | going talk to the people directly (and say some dumb things | now and then). | | I still attest that _some_ of the Trump hate is solely | because groups of people that control the narrative in the | US were excluded from creation and forced to be on | narrative-adjustment. | | Agreed, this isn't a good place. One platform should not | have this level of influence. | smsm42 wrote: | It wasn't the platform. As you can see, it took some | time, but Trump found a way to do the same without | Twitter. 
Despite all the efforts of Big Tech to control | the access to public discussion, they still can't make it | airtight, and contain somebody of Trump's caliber. | Arguably, they have more luck with people of the smaller | caliber though. And that's definitely not a good place. | It's not about the specific guy, it's about how eager the | Big Social turned out to be to control what we think and | what we are allowed to talk about. | slowmovintarget wrote: | I hope we get to a place where we all agree that a sitting | U.S. President should not "tweet." The White House | maintains a Press Secretary for a reason. Granted, the | current person holding the job is no C.J. Cregg. | jacobolus wrote: | Both Psaki and Jean-Pierre have been excellent press | secretaries. C.J. Cregg is a fictional character written | to be superhumanly prescient and witty in response to | fictional crises. | nradov wrote: | I don't agree. The US president (and other politicians) | should have a convenient way to communicate directly with | the public, without the message being distorted by media | organizations. Ideally though it should be a service that | can't be censored; Twitter frequently censors users based | on the arbitrary whims of their employees. | raarts wrote: | Like traditional secretaries, the WH Press Secretary may | have become obsolete. | robotnikman wrote: | Considering a journalist was murdered and dismembered due to | their lax security not too long ago, I would consider it | definitely worth looking into. | enraged_camel wrote: | >> It's Twitter. What possible serious security implications | could possibly warrant everyone in Washington getting into a | frenzy? | | Considering how widely used Twitter is, at this point we can | comfortably assume that most politicians and political | operatives, even high profile ones, must have very sensitive | information in their Twitter DM inboxes. 
| raxxorraxor wrote: | > must have very sensitive information in their Twitter DM | inboxes. | | I doubt that, and if they really do, they should be either | trained or exposed pronto. Twitter is an entertainment | platform. | jcims wrote: | You've described the way it ostensibly should be. | | My guess is that the reality is almost perfectly in | opposition to what you've described. Anything that | introduces plausible deniability is going to be of a | major benefit. | wiz21c wrote: | ah ah ah so they trust twitter ? the situation is improving | at minus light speed... | smsm42 wrote: | I won't be surprised that they do. Most politicians are | very thoroughly technically ignorant, and have little | time or patience to spend on learning technically complex | things, and really safe communication means aren't | usually very user-friendly. | datavirtue wrote: | Whew, I would assume no one is using Twitter DMs. If they | are, these should be 100% personal and unimportant. If not, | those people should be investigated, not Twitter. | | I'm not defending Twitter, I don't engage with it at all. | Scoundreller wrote: | I'd also add the opportunity for provocateurs to cause | problems: e.g. inducing vaccine hesitancy (back when the | covid vaccines worked, but let's not focus too much on | that). | | My feed is still filled with how all of our public service | problems must be caused by the 1-2% that were put on unpaid | leave for refusing to disclose their vaccination status. | I'm sure the 1-2% could help, but the issues are much | larger than that. | dboreham wrote: | I may be _too old_ to know who Mudge is, but I know one of the | previous Twitter CISOs, and I believe he quit Twitter, which is | a canary sign to me. | choppaface wrote: | Actions speak louder than words. For him to file this complaint | now, _after_ Musk pulled out of his Twitter purchase, makes any | truthful statements pretty low value to Musk's case. Does | Twitter need better security? Yeah. 
Will Twitter get | embarrassed? Yeah? | | Will this testimony show Musk completely miffed his due | diligence while building up a huge loan package that would have | sent most of Twitter's revenue to debt service? The timeline is | what matters. | rvz wrote: | Twitter Inc. is indeed in very serious trouble if you have | someone like Mudge whistleblowing. | | Now looking at the chaos, damage control and the PR disaster | that is happening at Twitter HQ after this, I have zero | confidence in whatever Twitter HQ and the CEO is saying other | than admitting their total incompetency towards how they handle | information security at the company. All attempts to make this | disaster disappear will not only fail, but will eventually | backfire. | | So what else was Twitter lying about? | winternett wrote: | Well, it's not even trending on Twitter, which is not really | surprising. | | There is nothing more evident about the fatal flaws in social | media than when news concerning a platform is suppressed on | the cited platform. | | It highlights the failure of democracy they always purport, | and it shows that they really shouldn't display a social | "trending" page, because it is subject constantly to the | politics and profit making of each platform. | | Twitter's trending timeline had long been regarded as an | accurate beacon of real life trends, but that really needs to | be reevaluated by everyone as the company has regularly | displayed "somewhat questionable" behavior in how they manage | timelines alone. There is no real way this wouldn't trend | somehow on Twitter in my opinion, as it's been on the front | page of CNN and many other sites for a long time now. | | The security breaches are factual, they have published many | incidences of it themselves over years... Their actual | reputation for lax security is what works against them most, | but it's all on record. 
| nr2x wrote: | You really think just after paying an FTC fine, staring | down SEC actions, and a huge legal fight with | Musk...Twitter is going to "suppress" the content to keep | this a secret? | | Sure. | smsm42 wrote: | I don't have any factual evidence on either side (I | don't use Twitter at all, I even have Nitter extension to | never visit that site even when linked to) - but I | absolutely can believe they'd go for an "all in" strategy, | and keep messing with the feeds even in light of all | that. If they felt they have the right and responsibility | to control the information and shape the discussion on | the Internet, they'd still feel that now, despite all the | "mistakes were made" - in fact, they'd probably feel more | urge to control things as they feel more threatened. And | why not reduce the "misinformation" about their supposed | wrongdoings - when all the truest information about | it has been already disseminated by them, why allow | "irresponsible parties" to "misinform" the public? Surely | it should be stopped. It's the way they always have been | thinking, why would they change now? | winternett wrote: | Yea. It works as damage control for credibility, which is | under threat not only by the Musk suit, but because of | the last huge data breach they had. | | Just an opinion mind you, but not from a hater or a | "dunce". | | This is a huge story of significant relevance to Twitter | and all users on the platform. | | "Suppressing unfavorable news" these days is just as big | and profitable an industry as disinformation is. | wpietri wrote: | > There is nothing more evident about the fatal flaws in | social media than when news concerning a platform is | suppressed on the cited platform. | | I just looked at the Trending panel and "Mudge" is #12 for | me, with 4333 tweets. #11 is "Taco Tuesday", with 4172 | tweets. #7 is "Virgo" with 98,500 tweets. So I'm not seeing | a lot of evidence of suppression.
I think it's just a | pretty niche story. I think the allegations are important | and worth investigating, but the specific nature of them | looks way more interesting to tech insiders than general- | audience users. | winternett wrote: | Everyone has a different trending timeline on Twitter | which is now more based on who they follow. The trending | timeline is "baked" and dictated also by moderators and | paid promotion often... It's why topics like "K-POP" | trend so much, even for people that don't even listen to | it at all. | | If you follow tech personalities, there's a higher chance | you'll see the news. | | On my music account on Twitter, I don't follow tech | personalities and tech news outlets, but I do follow CNN | Breaking News, and nothing about this major story has | popped up all day long. | | This is how the Twitter trending timeline is artificially | baked... This story is a very big deal for everyone on | Twitter, yet only a fraction of its user base will see | the story. Privacy is important to every user on the | platform, you'd think Twitter leadership at least would | be trying to get a grip on the story first within the | platform in a very public manner. | | It happens on every major social platform at key points | too, highlighting the conflict in their ability to | maintain proper social credibility as platforms that | report on trends that news channels and other | institutions regularly cite. | wpietri wrote: | Given that you understand Twitter ranks based on | interests, what's your evidence that this was | "suppressed"? Rather than just ranked according to | people's interests? | | You seem to be saying that people _should_ be interested | in this story. I'm not sure I agree, but I definitely | believe most Twitter users won't be. Is it a good | headline? Sure. But does it have much direct and | immediate relevance to their personal lives? Not for most | Twitter users.
| icelancer wrote: | Yeah I kinda glossed over the headline and figured, whatever. | | Then I clicked through and saw it was Mudge. | | Ah jeez. | smsm42 wrote: | In any case your own chief of security coming out and saying | your security is crap would be devastating for any company. But | when it's a person with a credentials list like Mudge's - one can | be quite sure he's not just doing it because of some disagreement | about salary and vacation days, and it would be impossible to | dismiss this as "disgruntled employee issue". Twitter would | probably try anyway, but it won't work. | | Twitter is going to be in a lot of hot water now, and I can't | imagine Musk isn't going to milk this to the last drop. | dogman144 wrote: | I agree. I grant it's possible Mudge is | | A) an old hand and doesn't know how to run a security program | with the tech today | | B) a strong tech hire who can't lead a program. | | But Mudge is still... Mudge, and he's also proven his ability | to collaborate so if he was a bull in a china shop at Twitter, | that would be surprising. | | There's also a broader trend here of well known security leads | that originate from that time working at social media and | leaving quickly, like Alex Stamos, who also u-turned out of | Facebook. | | So are the odds higher that Mudge did a bad job, or this set of | companies are not great internally and old guard security leads | are pointing it out? The Twitter CEO letter framing him as a | bad employee doesn't address this context. | time_to_smile wrote: | > B) a strong tech hire who can't lead a program. | | I worked with Mudge (not super close, but enough to see how | he worked across teams etc) and can certainly say this is | _not_ the case. At least when I saw him Mudge was excellent | at the program leadership aspect of his role. At one point he | ended up a DARPA PM. You can't go from L0pht to DARPA | without getting really good at working with other people and | leading projects.
| | While he was always a notable presence, he was also never | prone to drama, and very good at having ego when it was | important but never letting it get in the way. | | Additionally all of the details sound like every KPI chasing | consumer facing tech company I've ever worked with. I think | we all know a few very competent people who have stood up to | leadership at insane tech companies and ultimately gotten | fired for it. | latchkey wrote: | Even 20 years ago, extremely well spoken and has worked at | high political levels... | | https://www.cnn.com/videos/business/2022/08/23/peiter- | mudge-... | AtlasBarfed wrote: | The subject of security consultants, security departments, | and whistleblowing seems to me to be of particular concern. | | I mean, if an auditor publicly reports an audit finding | that is ignored by the company and his ethics demand its | reporting, is he branded a "whistleblower"? I do not think | so, instead it is an "auditor finding". Why does that not | apply here? | | It kind of dovetails with how pathetically organized IT in | general is from a professional standpoint. Lawyers, | Doctors, ... ?Accountants? and the like have centuries- | codified procedures, principles, and the like for ethics. | You generally don't get to hire one of those and tell them | how to breach ethics (now, there are a lot of corrupt | lawyers and a lot of corrupt accountants see: Arthur | Andersen). | | The exploit industry has the 0day and x days of forewarning | process, so there is that, but the fact a security | consultant/professional gets accused of whistleblowing | when... um, isn't that sort of the point? You hire a | security consultant kind of like an auditor. And if | auditors find major failings and they aren't addressed, | aren't they supposed to report them? | | I'm pretty sure the security IT industry does not have even | accountant levels of professional conduct and | organizations. 
| | As IT subsumes and infiltrates, now to the point that | fundamental bill of rights / human rights are dependent on | secure and functioning IT systems, it gets... a bit more | important. Arguably more important than the ethics around | accountants and doctors. Lawyers, because they deal with | the law, are probably more important still, but it shows | that IT security may be rising in import to that level. | bink wrote: | I agree with everything you said, but I'd like to play | devil's advocate here. Mudge has worked: * | L0pht / @stake: security research, red teaming, and source | code auditing, IIRC. * BBN: research. * NFR: | technical advisory board. * DARPA: Managing a program | that provided grants for new security products and tools. | * Google ATAP: Google's "invention studio". * | CyberUL: Testing of security products. | | None of these jobs really suggest a background in building | a security program. I've worked with some large companies | in a similar space to Twitter building their security | programs and you can spend the first 6-12 months just | trying to justify the new budget. Often that money has to | come from another team or teams and he would have to | justify that. He was apparently only there roughly a year. | | Again, I don't doubt Mudge's bona fides. I don't doubt his | security knowledge. But this job was nothing like any he's | had in the past. | | I also don't doubt his claims. Everything he's stated is | almost certainly true. It does take more than a year to fix | most of these problems and I wonder if he just got | frustrated with the political battles that occur in these | situations. | michaelt wrote: | Well, you can devil's-advocate anyone into an incompetent. | | Decades of experience as a rebellious hacker? Well, | that's not _commercial_ experience. Founded a security | consultancy? Too small, they just don't know how to | operate in a _large_ bureaucracy. Worked at a secretive | company as an individual contributor?
They've been | completely silent in public, clearly they haven't | achieved anything interesting in years. Working elsewhere | as an individual contributor? They just don't know how to | build a team. Decades as a senior manager at a huge | multinational corporation? Out of touch bullshitter, | stale coding skills, doesn't know how we really do things | these days. | mthomasmw wrote: | You left out that he built the security program at | Stripe. | spudlyo wrote: | He led the Security team at Stripe for a time, but it was | a functioning team before he arrived. | pclmulqdq wrote: | I read the full whistle-blower complaint, and the whole story | from his perspective (and the crazy statement from Agrawal) | looks like it's not B. Instead, it looks like it was a | culture clash with his manager. | | He seems to have tried to escalate things to people above | Agrawal nearly constantly. He was hired by Jack Dorsey, and | felt accountable to him and to the board, but he reported to | Agrawal, who believed that Mudge had a responsibility to | follow the chain of command very rigidly. | | I have previously had managers who want you to rigidly follow | the chain of command, and if you are a "hacker" type, they | are a shock (and you are a shock to them). They are often | very interested in controlling information that goes upward | and how mandates flow downward through them (both to control | their reputation and make sure everyone gets information in | "proper context"), to the point that they see it as an attack | on their position to even _speak_ with their manager. A | "hacker" would rather put the information in front of the | people who need it, instead of filtering it through the | hierarchy. | | At the first opportunity Agrawal had to clean house, he | cleaned out Mudge because he didn't want to work with him. | House cleaning is normal for a new CEO. From Agrawal's | perspective, Mudge did a terrible job, since he wanted to | circumvent Agrawal.
| pueblito wrote: | > He was hired by Jack Dorsey, and felt accountable to him | and to the board, but he reported to Agrawal, who believed | that Mudge had a responsibility to follow the chain of | command very rigidly. | | With $10mm cash bonuses on the table it's extremely obvious | why Agrawal would insist on being MITM | pclmulqdq wrote: | When you think your job is to tell your boss's boss (and | their promotion committee) why your boss is doing a bad | job, you're not in for a happy time. | barking_biscuit wrote: | Which sucks because plenty of times it's true. | Maursault wrote: | > I read the full whistle-blower complaint | | The content of the complaint is all that matters, and it | should be judged on its own merits. It never matters who | said what, and attempting to make it matter is ad hominem | fallacy; it is what is said that matters. | | That said, I can't quite fathom why Twitter's cybersecurity | matters any more than the cybersecurity of any of the | myriad of online forums, HN included: the "data" simply | isn't all that important; it is all public, it is all talk, | and talk, as we know, is cheap. Say Twitter is completely | overrun by foreign state actors who delete everything. The | outrage is going to be minimal. "Dang, I really enjoyed | mouthing off on Twitter. Oh, well." | docandrew wrote: | I was kind of curious about this as well, though I | suppose if a politician's account was compromised it | could cause some pretty major embarrassment or maybe even | conflict. Are DMs a thing on Twitter? Having those | compromised might be pretty serious too. | leaflets2 wrote: | > Say Twitter is completely overrun by foreign state | actors who delete everything. | | That's not what's dangerous. | | Instead, dangerous things include manipulating the | algorithms so that "news" of ones choice get lots of | visibility. 
Then a foreign state can influence the | elections | jonstewart wrote: | I wouldn't paint with too broad of a brush in this | instance, however. Yes, mudge is the ur-hacker, but also: | he worked at BBN and DARPA (where he was extremely | effective) and elsewhere. He probably has the most | experience of any technical/hacker on the planet of working | with executives in large organizations. | | Agrawal's memo, in contrast, reeks of insecurity. The | combination of how he's treated mudge and Rishi Sunak _and_ | the potential consequences of this complaint (particularly | if FTC investigates and finds Twitter has not been | following the consent decree) boxes him into a corner -- he | won't be able to recruit the talent to solve these | security problems and will be seen as an impediment to | compliance/mitigation. I could easily see the FTC et al | insisting on his resignation as part of a settlement. It's | an own-goal. | crb wrote: | What's the story with Rishi Sunak? Assuming you mean the | candidate for Conservative Party leader and thus UK PM, I | wasn't aware of such a connection. | groby_b wrote: | Rinki Sethi. OP meant Rinki Sethi. (CISO of Twitter until | January, left at the same time as Mudge) | ginger2016 wrote: | Thank you for the clarification, this got me confused | too! | jonstewart wrote: | Oh, yes, thank you! I can't edit my comment anymore, but, | yes, Rinki Sethi, apologies for the confusion. | pclmulqdq wrote: | I have spoken to a few DARPA program managers before, and | they are usually amazingly smart people who are great at | corporate politics. This doesn't sound like someone who | is bad at corporate politics, just someone who | underestimated the humility with which his manager would | approach his job. No disrespect at all to Mudge, I think | he did the right thing. Unfortunately, he didn't "manage | up" very well in this instance.
| colechristensen wrote: | A security lead who didn't try to raise major issues | around a bad boss would be doing a bad job. | [deleted] | gjs278 wrote: | shadowgovt wrote: | I don't because I'm not seeing an organization that will hold | them accountable. | | - This Congress is ill-equipped to understand tech, much less | hold it accountable. As long as the people are happy, Congress | is happy. | | - Lord knows the people are ill-equipped to get how bad this | is. They already watched this company allow a rogue employee to | shut off the account of the President of the United States | (before they chose to do it as policy; | https://www.washingtonpost.com/news/the- | switch/wp/2017/11/02...) and watched this company deploy a | username-to-telephone lookup service publicly where they'd | intended to deploy a security protocol | (https://www.ghacks.net/2022/08/08/twitter-confirms-that-a- | da...). The public doesn't understand why they should care. | | - The only group who could really hold Twitter accountable are | shareholders, but why should they care if the public and | Congress don't? The money will roll in either way. | | Unless they've managed to commit an SEC violation (in which | case, slap on the wrist incoming), there are no consequences | for this kind of bad behavior until someone powerful gets | seriously hurt. I'm glad Mudge is doing the right thing, but | extremely pessimistic much will come of it. My recommendation | is to shed Twitter as a user. | jonstewart wrote: | Twitter signed a consent decree with the FTC years ago. This | complaint could result in the FTC investigating deeply | whether the consent decree is being upheld. If not, there's | likely sufficient regulatory force to hold Twitter | accountable. | | I agree that, generally, it would be better for the US to | have a better regulatory mechanism for large tech companies, | but the consent decree is likely a strong tool in this | particular case. 
| ska wrote: | > This Congress is ill-equipped to understand tech, ... | | "This" congress? There are institutional level problems, | here. | doesnotexist wrote: | I generally agree that it's unlikely we'll see any serious | accountability. However: | | > - The only group who could really hold Twitter accountable | are shareholders, but why should they care if the public and | Congress don't? The money will roll in either way. | | This might be what does it because is it true that the money | is and will keep really rolling in? Twitter doesn't pay a | dividend and is it reasonable to expect that the company's | stock value should increase that much going forward? | | Twitter's gross profit numbers aren't as large as you'd think | given the household name recognition of the brand. You might | be as surprised as I was to discover that meme-stocks like | AMC and GameStop are approximately the same size as Twitter | in terms of gross profit. Perhaps Twitter is just as much of | a big name but ailing dinosaur as those businesses? Or if you | want to make comparisons within social media, isn't it | surprising that Snap's ~$2.8 billion cap gross profit is | right up there with Twitter's ~$3.2 billion. How did that | happen? It is also interesting that Snap's market cap is only | 2/3rds of Twitter's despite a much closer delta between the | two companies' reported profits. | | On the whole, things aren't looking too good for social | media right now, take for example Facebook losing active | users YoY. I often wonder what zeitgeist web properties are | going to be remembered as a BIG thing that receded in | popularity in the course of about a decade, say like bell- | bottom denim jeans from the 60s or disco music from the 70s. | Could it be social media for the 2010s? | | Anyhow if they aren't paying dividends and they aren't able | to keep growing at pace with expectations what exactly are | they delivering in terms of value to shareholders?
| | Given that the allegations are about defrauding shareholders | by actively deceiving them and sweeping things under the rug, | Twitter's shareholders might be better off revolting against | the current leadership to recoup their losses than to look the | other way and let this slide. | dcow wrote: | > My recommendation is to shed Twitter as a user. | | I never understood why tech people have such a strange enamor | towards Twitter. Can't be an industry power dev without it. | Can't start a company without it. Having a healthy Twitter | following is often more important than having actual users-- | even to investors. Twitter is digital hype. | | I agree. It's time to replace Twitter. The only question is | what exactly is it that anchors people to the platform? Even | though it's hard to imagine, we know that news motivates | people (it happened with the WhatsApp -> Signal exodus). | Where's the "Signal for Twitter" we can all migrate to? | | If the key is not just creating a social platform, but also a | hype engine, maybe what a competitor needs to realize is that | hype doesn't happen in a vacuum. You have to do silly | algorithmic things so that content can go viral. Maybe the | secret is to be open about how you manufacture hype rather | than do it behind closed doors? Maybe in a way that people | can verify it was done fairly? | Sebb767 wrote: | > The only question is what exactly is it that anchors | people to the platform | | If I had to take a stab, it's a combination of networking | effects (obviously), simplicity and the short text limit, | which forces authors to mostly be concise and optimize for | a 140 character attention span. This is also supercharged | by the fact that you can (mostly) access everything | anonymously - if I'm linked to Twitter, I know I can | read/watch it and it will mostly be concise. I don't even | bother clicking a link to FB, for example.
| Jensson wrote: | Main problem is that journalists use Twitter, as long as | they are there Twitter will remain the most relevant | political forum. It is mandatory for most journalist jobs | to be active on Twitter, and since all the journalists are | there anyone who wants publicity will also post on Twitter. | shagie wrote: | > - This Congress is ill-equipped to understand tech, much | less hold it accountable. As long as the people are happy, | Congress is happy. | | There's an article I was introduced to yesterday: Do We Need | a New Digital Regulatory Agency in the U.S.? | | It argues that it is the agencies and the experts within | the agencies that need to become more technologically | literate to be able to advise creation and implement the laws | that have tech impacts. | | Congress isn't _supposed_ to be experts on subjects, they're | supposed to be the representatives of their people with | occasional domain knowledge in certain areas of importance to | their constituents. We can't (and shouldn't) expect every | member of congress to be an IT expert. | | https://techpolicy.press/do-we-need-a-new-digital- | regulatory... ( https://news.ycombinator.com/item?id=32555365 | ) | melony wrote: | There's a simpler explanation. He is doing this for profit. I | don't buy all the speculation that he approached the SEC out of | some professional obligation or simply to spite the Twitter | leadership. As a former executive he most likely still holds | stock and having the price plunge is not exactly in his | interest unless the pay-off from whistleblowing is high enough. | Given his high profile, he just burned all bridges career-wise | at big tech. The expected whistleblower payout here must be | enormous. | nr2x wrote: | You don't understand the value of reputation. | melony wrote: | I don't think you understand what it means to burn all | bridges. He is literally unhireable right now in any | corporate context.
You are naive if you believe he is doing | this out of some hacker ethos. | strictnein wrote: | The idea that he is "unhireable" in the security space | because of this is rather amusing. | zenlf wrote: | You talk like part of the problem. | andrewflnr wrote: | You've not really made an argument that it's a simpler | explanation, just listed a bunch of reasons it's unlikely | he'll profit from this, topped with pure speculation that he | will anyway. | hermitdev wrote: | I know it's easy being cynical in this day and age, but there | are people out there that still operate under a manner of | principles. I'd like to think that mudge is one of them. | zeruch wrote: | I met Mudge once in my career early on (I was at VA Linux | systems circa 1999ish) and I found him intense, an apex | intellect, but absolutely affable and self-aware. | | He never struck me then, or in any interview or write up since, | that he's impulsive, or prone to taking actions like what he's | done to Twitter, in a cavalier way. He saw something bad and | thinks something should be done to address it. | | He likely made that decision because the culture at Twitter is | as bolloxed as he states (maybe worse), and that it's one thing | to fire a guy, but to do so to hide damning truths, and expect | that person to just accept their fate AND let you get away with | it without a cost is in this day and age, a farcical hope. Your | "Mudge knows the implications of "whistleblowing". He has been | a security consultant and even testified to Congress. He's not | some noob that doesn't understand security or how systems work | together to provide services like disclosure to FTC. The idea | that Twitter PR can pooh-pooh away his concerns is shockingly | stupid." is spot-on. | fossuser wrote: | Yeah - comparing mudge's history with the email the Twitter | CEO sent to internal employees and the situation seems crazy? 
| Always hard to know from the outside, but this paired with | Jack leaving seemingly frustrated with the board looks really | bad. | | I know people have thought Twitter was mismanaged for a | while, but seems like it's a lot worse than I thought it was | (and the CEO seems more vindictively bad than I would have | guessed). | | Plus the total lack of principles around speech and just | doing whatever Russia, India, or KSA wants? Including hiring | foreign agents? Also covering up bad security issues in | reporting? It'll be interesting to see what happens from here | as more comes out. | | The internal Twitter email: https://twitter.com/austen/status | /1562150058727919616?s=21&t... | zeruch wrote: | Yeah, I think we're in lockstep here. | | I'm no fan of Musk (he's truly worked very hard to be the | most provocatively pustulent punkass of tech) but that | doesn't mean that Twitter leadership is any better. Just | not as well PR'd. | | Dorsey himself was mostly an imbecile who drank too much of | his own Kool Aid. Twitter has for years been the standard | bearer for the most opaque, and incoherent content | management; from user feedback to bots, just a village with | only idiots. It was eventually going to catch up to them, | the question now is to whom does the bulk of the suffering | land on, not whether it lands or not. | fossuser wrote: | I'm a huge Musk fan, but I still think his trying to get | out of the Twitter deal is lame buyer's remorse and his | arguments are weak. I see it as mostly unrelated to this | Mudge issue. | zeruch wrote: | Oh they are unrelated, but he will leverage the Mudge | moment for all it can be. | titzer wrote: | Never been a "fan" of a personality, but I used to really | like Tesla and SpaceX, but after hearing a little about | how their critical software is...not developed like | critical software...I am very wary of what kind of | engineering is going over there.
With Musk deciding to | amp up his celebrity with Twitter antics, I just can't | respect him any more. | raarts wrote: | Musk posted a meme explaining why he pulled out. | | https://twitter.com/elonmusk/status/1546344529460174849 | sanderjd wrote: | He is trying to get out of the deal because he's about to | lose billions of dollars buying a pretty crappy company. | All this stuff about bots is dishonest nonsense. He could | have chosen to do due diligence, and chose not to. | colinmhayes wrote: | He literally said he was buying it to fix the bot | problem. It's not like he was unaware that bots existed | on twitter. | shapefrog wrote: | If Musk actually believes this represents anything it | puts his IQ in the single digit - low double digits | range. | fossuser wrote: | Yeah - but that's dumb bullshit. He can't legally pull | out because of that. | | He waived all of that to force Twitter to agree to the | deal (because it'd be basically impossible for the board | to reject it). This made sense at the time, because the | board was looking for ways to weasel out of it because | (imo) they politically don't like Musk. Then the market | crashed and suddenly he was overpaying a ton for Twitter, | then he complains about bots (this isn't new information | from when he made the deal). | | Whether or not the bots thing is true isn't even relevant | based on the deal he put forward. | | I think he earnestly wanted to buy Twitter for principled | reasons around speech which I agree with. He structured | the deal in such a way where Twitter's board couldn't | reject it (because it was so favorable to shareholders). | Then when the market tanked the deal way overpriced | Twitter, but he had already committed to it so he's | trying everything to get out of it. I suspect he actually | believes the things he's arguing (he's always seemed | pretty earnest to me), I just think he's wrong in this | case and it's mostly driven by motivated reasoning. 
|
| That doesn't mean Twitter isn't a disaster, just that they're in the right with regard to him having to close the deal.
| hammock wrote:
| >I think he earnestly wanted to buy Twitter for principled reasons around speech which I agree with. He structured the deal in such a way where Twitter's board couldn't reject it (because it was so favorable to shareholders). Then when the market tanked the deal way overpriced Twitter, but he had already committed to it so he's trying everything to get out of it.
|
| That's not how business valuations work (it's how speculation works). If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now - the fundamentals of the business haven't changed.
| szundi wrote:
| One could argue that the value of a company is the sum of net present value of the future free cash flows it can produce. If the market crash is because of people realizing there is a recession coming for example, it makes sense to update your expectations about the net present value of future cash flows - probably in sum a bit lower than before.
| fossuser wrote:
| "If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now"
|
| That's a big if - I think a lot of this stuff is more speculation than any sort of fundamental cash flow valuation. A lot of Twitter's actual value (its network effect and influence) is hard to measure anyway.
| TheDong wrote:
| > That's not how business valuations work (it's how speculation works). If Twitter was fairly valued by Elon Musk before the crash then it would be fairly valued now - the fundamentals of the business haven't changed.
|
| Some "fundamentals" of a business like twitter's value are:
|
| 1. Product/market fit, finances, etc. What you mean by "fundamentals" I think.
|
| 2. How easy it is for them to raise money (i.e. the "public sentiment" of VC towards their company and the industry)
|
| 3.
How likely it is for regulation to stifle their growth, which is a derivative of public sentiment.
|
| 4. How much shares can be sold for, i.e. the public sentiment about how much it's worth.
|
| 5. Predicted future sentiment of their users and of advertisers, both of which impact expected future revenue.
|
| 2-5 all change with public sentiment, and a market crash changes public sentiment of many companies at once.
|
| It's self-evident that elon musk is overpaying more now than before unless you insist that twitter's value is not actually related to 2-5 above, or 2-5 above should have been trivially predictable 100% accurately already as part of its "fundamentals", both of which seem obviously silly.
| vkou wrote:
| The why doesn't matter, he explicitly waived the ability to back out of the deal for any of the reasons he's cited.
|
| Twitter is a tyre pyre, but he should have thought about that before putting ink on that deal.
| caycep wrote:
| granted, I'm not entirely certain Musk wants to pull out vs. getting a better price/discount on the purchase...
| last_responder wrote:
| Ah yes, Lopht Heavy Industries. Indispensable tools at the time.
| bombcar wrote:
| Always been a fan of "Heavy Industries".
| Syonyk wrote:
| Yup. I've used that with my normal "last name backwards" company name before. I tend to send Christmas and Birthday gifts to siblings with the company field filled in. "Kinetics," "Orbital Bombardment Division," "Relativistic Research," and assorted other things have made their way in, but "Heavy Industries" just has such a nice ring to it.
| sbf501 wrote:
| It's a 0, not an 'o'.
| bobabob wrote:
| mrex wrote:
| Just to clarify for those who don't catch it in the article: Mudge's whistleblower complaint predates the Musk/Twitter feud entirely.
| tacker2000 wrote:
| This is an important point, but why is the media picking it up just now? I guess both sides are starting the usual shit-flinging...
|
| zimpenfish wrote:
| Where do you see that info in the Verge article? All I can see is "he filed last month" (which would be July 2022) - the month Musk "officially" backed out and at least a month after he started doing the "I don't want Twitter any more" dance.
| [deleted]
| jyrkesh wrote:
| > John Tye, founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter.
| mrex wrote:
| "Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company's vulnerabilities."
| zimpenfish wrote:
| That doesn't cover whether or not he had contact with Musk and when he started the whistleblowing process.
| riffic wrote:
| he got canned right after the Jack departure.
| tyjen wrote:
| "The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to."
|
| I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal, or, is this whistleblower's account inadmissible?
| mrpopo wrote:
| I am willing to take a shot in the dark on this story, and say that this is the whole point. I don't see why this story would get shared and amplified so much otherwise.
| nullc wrote:
| Musk needs twitter to have willfully misrepresented and concealed, not merely to have had estimates that they admitted were nothing more than estimates.
| mzs wrote:
| This aspect of the story was entirely predictable:
|
| >Musk lawyer Alex Spiro said they want to talk to Twitter whistleblower. "We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding."
|
| https://twitter.com/donie/status/1562056198425288704
| zimpenfish wrote:
| > I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal
|
| Not really because they have _consistently_ said "this is what we do, it's a finger in the air estimate based on sampling, it might be right, it might be wildly wrong, there's no agreed methodology for this".
|
| For someone to then go "they don't fully understand the true number of bots! GOTCHA!" is dumb because it's literally just pointing out exactly what they've said in their SEC filings _since 2013_.
| lapcat wrote:
| The really damning part of the whistleblower's statements isn't about the bots, it's about Twitter executives misleading the board of directors and stockholders. That's what could aid Musk at trial.
| [deleted]
| jfoster wrote:
| The problem I have in assigning credibility to Twitter's position on bots is that they seem to have held multiple seemingly inconsistent positions (all paraphrased):
|
| 1. "Finger in the air estimate based on sampling", aka. "don't read too much into it"
|
| 2. "Not more than 5%"
|
| 3. "Methodology can't be understood externally"
| dd36 wrote:
| So many people don't understand this. It's not even clear if Musk does.
| Cederfjard wrote:
| Of course he does. He's just grasping at straws to get out of the mess he's created for himself.
| bpodgursky wrote:
| If the executives did not make a meaningful effort to count them, that is fairly damning, given how much the stock price swings on the count.
|
| Nobody said it was easy, but it's certainly harder if you don't try.
| zimpenfish wrote:
| > If the executives did not make a meaningful effort to count them
|
| They've been filing their methodology for bot counting with the SEC since 2013.
|
| If they're not making a "meaningful effort" and it materially affected the stock price in some way, either the SEC or a shareholder would have gone "HOLD ON SHENANIGANS O'CLOCK", surely?
|
| It can't be that the entire world was A-OK with Twitter's bot counting until June 2022 when a man claiming to want to buy Twitter to fix the bot problem got cold feet on a market drop...
| bpodgursky wrote:
| The "methodology" is that people look at 100 accounts a day and determine whether they are bots. They have never disclosed any of the signals that go into this determination. You have a lot of faith in the immediately efficient market here.
| Cederfjard wrote:
| The point is that they have not claimed anything regarding this in their filings that isn't true, not whether or not you think they've been clear and detailed enough to answer the question properly.
|
| And to give Musk an out, which is what this tangent is about, not only do they need to have actually lied, the lies need to have had a VERY substantial effect on the price of the company.
|
| The bot thing simply does not help Musk get out of the deal he's made. That is not the same thing as "Twitter are great at dealing with bots and have been very transparent about how they do it", but that's not the bar that has to be cleared here.
| frumper wrote:
| Shenanigans can go on for a lot longer than 9 years without anyone noticing.
| the_doctah wrote:
| How is it any harder than giving users a captcha?
| happyopossum wrote:
| > They've been filing their methodology for bot counting with the SEC since 2013.
|
| No, they haven't. They describe at a very high level the amount of sampling they do (100 accounts a day? Really, that's it?), but don't discuss the methodology used, such as what they use as signals and indicators of botness. That's not "filing their methodology", it's covering their arses.
| _null_ wrote:
| Also, Musk repeatedly said publicly that he wanted to buy the platform specifically to address the issue of bot accounts.
| HillRat wrote:
| Twitter's always hedged their bot stats with the MDAU caveat (e.g., "we're not estimating all the bots who log into Twitter, just the ones that are meaningful for advertising and revenue purposes"), so while these allegations are not at all helpful, they're not necessarily a serious blow to Twitter's position (Mudge is a hacker, not a contracts attorney, and a lot of the allegations he makes regarding regulatory law aren't necessarily supported by his evidence).
|
| However, there's enough here, provided by a highly-credible technical expert, and under consideration by the US Congress, that Musk's litigation team has a strong opportunity to find at least _something_ that holds up as a material misrepresentation, even if relatively minor, and then link it to the broader effect of this document, which could very well rise to the level of a material adverse effect.
|
| So, where bots are concerned, bad but not disastrous; for everything else -- well, let's just say that Musk's litigation team are burning incense to the gods this morning, while a whole bunch of Twitter execs are going to be spending the next few weeks getting grilled by their own retained counsel, at an even more exorbitant hourly rate than they were paying before.
| lapcat wrote:
| Why would it be inadmissible?
|
| Mudge could be subpoenaed, just like Jack was just subpoenaed.
| paulgb wrote:
| Indeed, he just was. https://twitter.com/deitaone/status/1562069657582018560
|
| (That account tweets bloomberg alerts)
| lapcat wrote:
| Wow, that was quick!
| [deleted]
| lifeinthevoid wrote:
| It's probably not coincidence that that piece is in there ...
| dehrmann wrote:
| Unless the bot problem regularly gets in users' way, this isn't really what you want to blow the whistle on--hard problems are hard.
| You bring this up to damage Twitter.
| hn_throwaway_99 wrote:
| I read some good commentary on this that I agree with.
|
| From a purely _legal_ perspective, this really shouldn't matter much. As has been pointed out many times, Musk _explicitly waived due diligence_ when he signed the contract. Also, it's still laughable to think that Musk's real reason for wanting to get out of the deal is the bot problem (instead of the obvious reason of the market tanking), when Musk _himself_ made the argument that a big benefit of him buying Twitter is that he would be able to clean up the bot problem in the first place.
|
| From the court-of-public-opinion, though, I think it does give Musk more leverage for a negotiated settlement to get out of the deal, which is really what he wants. I don't think Musk really thinks he can win in Delaware, but the longer he drags things out and the more pain he causes Twitter the more incentive they have to negotiate cancelling the deal.
| ethnt wrote:
| It truly doesn't matter, given Musk waived due diligence. Unless the number of bots is enormous (think 75% or more) then it won't make a material difference.
| freeflight wrote:
| Not wanting to defend Twitter, but I'm pretty sure the situation is very similar across a whole lot of companies, even those that make security their main business, i.e. FireEye.
|
| Because investing in IT security usually has no apparent profit incentives, so most companies' leadership will consider it something of very little importance funding wise.
|
| Particularly in the current climate where even minor hacks, and simple ransomware infections, are regularly made out as some kind of "act of God"/allegedly done by some super advanced "state actor", to create the narrative how it just wasn't preventable with the resources of a private company.
|
| Which outsources all the responsibility to ominous intangible parties based on wonky, and often politically motivated, attribution, while holding nobody responsible for running outdated software in exploitable combinations, thus creating the problem in the very first place.
| lkjwlk wrote:
| mzs wrote:
| Twitter CEO's response to employees which denies none of the claims made by CNN & WaPo*
|
| https://twitter.com/donie/status/1562069281545900033
|
| * https://www.washingtonpost.com/technology/interactive/2022/t...
|
| edit: the PDFs from *
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| cover letter: https://s3.documentcloud.org/documents/22161666/twitter-whis...
|
| latest reaction from Capitol Hill: https://www.washingtonpost.com/technology/2022/08/23/twitter...
|
| >Nobody at the Valley's unicorns seemed too concerned with security. (I asked Jack Dorsey that year whether he worried about the fact that hackers were continually pointing out holes in Twitter and in his new payment start-up, Square. "Those guys like to whine a lot," he replied.)
|
| https://twitter.com/nicoleperlroth/status/156204856902836633...
| assttoasstmgr wrote:
| Thanks for posting this. Anyone commenting in this thread really needs to read the report as it paints the picture of their security hygiene. When I read things like 30% of all their endpoints have automatic updates disabled, and 40% reporting out of compliance, I'm picturing a real immature cowboy culture of arrogant developers that think they're above security policies, and no one at the helm to rope them into line. Sounds like they have no security culture, just policies. Security is something that begins with the individual.
|
| systemvoltage wrote:
| Page 9/84 in the "whistleblower_disclosure.pdf" is about Elon Musk's claims of fake twitter accounts and bots. Good lord, this does not look pretty for Twitter.
| weeblewobble wrote:
| To me that part is pretty weak compared to the security disclosures. The "lie" is about whether or not Twitter executives are incentivized to delete bots (later on he says that Twitter is incentivized to keep bots out of mDAU because they don't click on ads so they'd tank the clickthrough rate, kind of blows a hole in Elon Musk's whole thing). In reality I'm sure there are multiple overlapping and contradictory incentives at play, but it's not really a falsifiable statement so not really something you can "lie" about.
|
| The way it's framed ("Twitter lied to Elon Musk about bots") makes me suspicious of the whistleblowers' motives here. I know he's some kind of legend around these parts but I've never heard of him, so I'm just going by what I've learned today. Seems like propaganda to me, intended to maximally damage twitter and/or curry favor with Musk.
| OMGWTF wrote:
| It wasn't just about incentives. The disclosure also says that while Musk asked for [spam bot accounts / total active accounts], Agrawal's response didn't really address the question and was pretty misleading [estimated spam bots among mDAU accounts / total mDAU accounts < 5%].
|
| ("Agrawal's reasoning might appear a bit circular since, by definition, mDAU is more or less Twitter's best approximation of the set of accounts that aren't bots. And Agrawal is not exactly trying to help readers understand the bait-and-switch nature of his answer." - page 13/84)
| icelancer wrote:
| Agrawal's internal statement about Zatko is insane. My goodness.
| mzs wrote:
| I know right! Was the last CEO who wasn't a monster Bill Hewlett?
|
| riffic wrote:
| copy and paste my comment from an earlier post which failed to see HN traction (https://news.ycombinator.com/item?id=32562747):
|
| > The complaint from former head of security Peiter Zatko, a widely admired hacker known as "Mudge," depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.
|
| this is a fun read. I've long said that government agencies, heads of state and other influential public figures are obvious candidates for running their own ActivityPub installations (or in paying competent people to do that, which shockingly Twitter, Inc. could be in the business of hosting/selling).
| mikkergp wrote:
| "as a chaotic and rudderless company beset by infighting,"
|
| Sounds like a match made in heaven for "government agencies, heads of state and other influential public figures."
| 1970-01-01 wrote:
| Good job mudge! For those that don't know him, Mudge is kind of a big deal in cybersecurity:
|
| https://en.wikipedia.org/wiki/Peiter_Zatko
| elesbao wrote:
| By the CNN piece it seems like twitter hired a community figure - which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures, they are not necessarily the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to SEC would work better IMO).
| hn_throwaway_99 wrote:
| I commented on this elsewhere, but Mudge was a program manager at DARPA from 2010-2013 and worked at Google from 2013-2020.
| This narrative that "Twitter hired a long-haired hippy and he didn't know how to build a security org or work in a corporate environment" ignores the past decade plus of his experience.
| markwisde wrote:
| Nobody seems to know how you can build a successful security org
| jonstewart wrote:
| Yeah, like l0pht, @stake, DARPA...
| mrex wrote:
| Building a successful security organization is very easy, it just starts higher up the food chain than whatever experts you hire to do it. Security is a cultural practice, it's not a feature, it's not a bolt-on. To the extent that your security organization influences and receives buy-in from your corporate culture, becoming a part of your organization's identity, it will be successful.
| hn_throwaway_99 wrote:
| I think this is key. If you don't have a good security culture, where people understand and have ingrained proper security practices, you're toast, no matter who else you hire.
| Jensson wrote:
| Google has good security practices, can implement those in any big corp as they are very straightforward. Mudge previously worked at Google so I'd assume he was hired to help Twitter security get better by implementing some practices from Google. But maybe he was just hired to look like Twitter cared and they didn't really want to change anything.
| hn_throwaway_99 wrote:
| Google also has a very good ingrained security culture. They understand that they hold on to people's most private and critical data, and rock-solid security has to be a cornerstone of their business.
| solarkraft wrote:
| Yeah, but Elon knew all of it.
| TheBlight wrote:
| These days whenever the media bestows "whistleblower" status on someone I become instantly suspicious.
| markwisde wrote:
| Considering the stories you can read in the security engineer handbook[1] written by FAANG security engineers I'm willing to believe that.
|
| [1]: https://securityhandbook.io/
| [deleted]
| pigtailgirl wrote:
| -- I've always (since the 90s) used the rule of thumb treat everything on the internet as if it's compromised - I employ low personal security - however i also employ low trust - wouldn't go so far as to blame the users or the platforms - i'd blame both equally - user education is low - false sense of security is high - as the years have gone by - adjustments have been made on my side: comments sections are probably misinformation - emails from people I know may or may not be real - emails from people I don't know are probably not real - use pen and paper for things that need to stay relatively confidential - this is how I was taught to use the internet in the early days - still use it this way today --
| bogomipz wrote:
| You would think that Twitter might have a coherent strategy in place for dealing with the media on this but no. They are trying to discredit Peiter Zatko by stating that he was terminated for performance reasons and yet their spokesperson goes on to make these completely conflicting statements:
|
| From Twitter spokeswoman Rebecca Hahn:
|
| Hahn said that Twitter fired Zatko after 15 months "for poor performance and leadership."
|
| Hahn added that Twitter has tightened up security extensively since 2020, that its security practices are within industry standards, and that it has specific rules about who can access company systems.[1]
|
| 2020 was of course the year that Zatko was hired by former CEO Dorsey. So security tightened up "extensively" on Zatko's watch but he was fired "for poor performance and leadership"?
|
| This only seems to support Zatko's (and many others') assertion that Twitter is a giant shit show of chaos.
|
| [1] https://www.washingtonpost.com/technology/interactive/2022/t...
| riffic wrote:
| Twitter has a comms department but there has been a revolving door of ineffective comms leadership.
|
| I can't even get someone from Twitter Comms to pop into the Twitter subreddit to engage with users there.
|
| Rebecca Hahn doesn't even have a Twitter account afaik.
| bogomipz wrote:
| That is rich. From July:
|
| >"Details: The communications lead role has been vacant since last November, but it's been led by Twitter CMO Leslie Berland on an interim basis for the past seven months. Hahn, who technically started last week, will report to Berland."[1]
|
| The VP of Global Communications at Twitter role was vacant for 7 months and the person finally hired doesn't seem to have a visible Twitter presence after 6 weeks on the job? At a time when the company is practically a daily news story? You couldn't make this shit up.
|
| [1] https://www.axios.com/2022/07/12/twitter-rebecca-hahn-commun...
| shrubble wrote:
| God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.
|
| Is this an accurate statement?
|
| If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?
| dbbk wrote:
| What scenario would justify that feature existing though? Why would they need to make posts from arbitrary accounts?
| bombcar wrote:
| It's common in lots of software - a form of a "su" command that lets you assume all aspects of a particular user.
|
| Usually developed for testing purposes (easiest way to reproduce a problem, after all) and prevents password-sharing. But it can obviously be used for evil, and so it should be heavily logged and flagged.
| [deleted]
| ALittleLight wrote:
| But the comment says that users wouldn't even see posts from the Twitter employee assuming their account in their own timeline. What legitimate purpose would that serve?
|
| eastbound wrote:
| That explains why some people apologize for things they said they would never apologize for...
|
| Thing is, now that it's possible for Twitter, Twitter can never brush off these suspicions again.
|
| We're literally not sure, by using Twitter, that we see the speech of that person.
| saalweachter wrote:
| Now think about the implications with respect to Twitter DMs that show up in criminal investigations.
|
| For instance, consider the Twitter DMs exchanged by Donald Trump, Jr and WikiLeaks. In that particular case, the communication was acknowledged by the party in question, but imagine the two possibilities thousands of employees being able to act on the part of users opens up:
|
| 1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.
|
| 2. A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.
| BeFlatXIII wrote:
| > A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.
|
| I could see this being billed as a feature of a privacy-forward chat platform. Messages are slipped into conversations without either party having actually sent them and no way to tell whether they were real or not.
| bequanna wrote:
| This seems like a huge win for the defense in a case using DMs or Tweets as evidence.
|
| It would be quite easy to argue that a highly-politicized org like Twitter _might_ alter tweets or DMs to implicate someone in the opposing party. That's reasonable doubt that at least some jurors would buy.
| saalweachter wrote:
| Perfidy could still happen in a tightly controlled system, where only a small number of people could view or modify user data, in a way that requires multiple individuals to sign off on it, and both the access and the modifications were internally logged and audited.
|
| But that turns into "there was a sizeable conspiracy to fabricate evidence", as opposed to "a random person out of 2000 got bored, had a grudge, decided to have a laugh, and was acting alone".
| minhazm wrote:
| Usually these sorts of systems have very detailed logs and those logs are kept for a long time for things like lawsuits. In the hypothetical scenario you're describing the other party would subpoena Twitter and they would corroborate whether or not someone logged in as that user or not.
| jyrkesh wrote:
| But part of what this article calls out from the whistleblower's POV is that the logging and auditing systems that would be needed to do that don't exist at Twitter. That users can activate God Mode or get into production systems without any logging or accountability
| robotnikman wrote:
| From what the article mentions it sounds like Twitter could very well be lacking those detailed logs and checks...
| MuffinFlavored wrote:
| > 1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.
|
| Could be thwarted by some kind of "source" database column/field/value that says "this is a tweet made by God mode"
|
| Whether Twitter has that field, if it is internal only, and if they would share it with the public/a court of law, I have no clue
| saalweachter wrote:
| Yeah, at the bare minimum what you want to see is:
|
| 1. No employees have direct, immediate access to user accounts or data.
|
| 2. Only a small number of employees should ever be able to gain access to user accounts or data, for the purpose of resolving issues directly affecting said accounts or data.
|
| 3. Access is only granted to one specific user account at a time, and only for a limited amount of time.
|
| 4. Access to a user account requires at least one other person to sign off on the access-grant.
|
| 5.
Every operation performed upon a user account -- viewing a field, modifying a field -- is logged in a place the people from #2 and #4 do not have access to.
|
| 6. Access logs are routinely audited for perfidy.
|
| 7. Gaining access to user accounts or interacting with them in a way that is not necessary or attempting to circumvent the above process must be a don't-bother-cleaning-out-your-desk-we'll-do-it-for-you offense.
|
| With policies in place like that, you reduce the insider risk to user accounts. You need multiple people directly involved in secretly accessing or taking over a user account, and you potentially need dozens of others (the potential auditors) to be complicit. The more people you have involved, the more likely it is someone shuts it down, or at least blows the whistle on it when shit hits the fan.
|
| If someone can just get drunk one night, open up a user account, tweet something, then SSH over to the audit server and drop the rows from the access log indicating what they did, then there's no way to even prove something happened, let alone who did it.
| ntonozzi wrote:
| If you read the document "Security Chief's Final Report to Twitter" on the Washington Post article (https://www.washingtonpost.com/technology/interactive/2022/t...), you will see that 'god mode' just means they have IPMI access to servers.
| modeless wrote:
| "just"? What percentage of Google engineers do you think have IPMI access to servers?
| dnakxnc wrote:
| bkq wrote:
| It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off.
| Coupled with the fact that there is lacking IT education about hardware/software means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.
| SpaceL10n wrote:
| A world-wide, decentralized, communications platform sounds lovely. Oh wait...
| jonas-w wrote:
| Oh wait?
| freeflight wrote:
| Oh wait, we already had that, and then we centralized and monopolized the hell out of it [0]
|
| [0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...
| astrange wrote:
| That's because decentralized networks are expensive and can't handle spam unless you make receiving messages opt-in, and then you can't @ people like you can on Twitter.
| indymike wrote:
| > It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company.
|
| Unpopular opinion: I think it's awesome that a private company has created a platform like Twitter. It's kind of like comparing a private amusement park with a public park: one has roller coasters, water slides and an arcade... the other has a swingset and a nice field of dried up grass.
|
| > the fact that it's at the whims of a private company
|
| How is this worse than at the whims of the crown?
|
| > there is an environment that is ripe for the encroachment of digital rights
|
| I love that we're even talking about having digital rights.
| xg15 wrote:
| _> the fact that it's at the whims of a private company
|
| How is this worse than at the whims of the crown?_
|
| The tiny detail that we're not having a crown anymore.
| root_axis wrote:
| > _a platform that is apparently rather integral to the discourse of today_
|
| Not true. If anything Twitter is a cancer on our discourse that should be disdained, not something that should be enshrined as a fixture into our lives.
| core-utility wrote:
| > the primary channel for discourse
|
| Primary for whom?
If you polled 50 people on the streets of | NYC, I bet fewer than 3 would say they actively use twitter. | Now do the same for Des Moines, IA and you maybe get 1? | Cederfjard wrote: | People with outsized influence over politics, for example. | paulgb wrote: | The people who those people watch on TV (or read in | newspapers) use twitter, though. | ageitgey wrote: | I think that Twitter is very much the tail that wags the dog. | Sure, 1 out of 50 normal people may use it, but nearly 1 out | of 1 reporters use it. Those reporters often quote opinions | on it as if they are representative of the larger public, | even if the tweet they quote is by someone with 10 followers | and no stars. | ajdlinux wrote: | I'm involved in a community advocacy organisation that uses | Twitter, Facebook and Instagram for public engagement. | | Facebook is a great platform for actually getting normal | people to see our content and invite them along to our | meetings and such. Twitter, on the other hand, has a far | more niche audience - but I know for a fact that the niche | audience includes several state legislators who follow us | and interact with our tweets, and we've gotten several | press stories via contacts we've made with journalists over | Twitter. | | If you've got a message to get out there, it's a highly | strategic platform. | paulgb wrote: | The fun thing about social media is that reporters can back | up any narrative they want. "People are upset about X", | "Gen Z is doing X", "Millennials are killing X". Find two | people and it's a confirmed trend! | beeboop wrote: | I saw a reddit post today that "Disney fans are furious | that Avatar was temporarily pulled from Disney Store" and | the top 500 comments were like "No one is furious".
| | Here, I'll give it a go: "Environmentalists are furious | that Bill Gates kills mosquitos" | mcintyre1994 wrote: | I did a quick Twitter search, and unfortunately your | story isn't supported by any tweets I can find. Good | news: you get to write a story about conspiracy theories | about Gates and mosquitoes instead though! https://twitte | r.com/lorijean333/status/1561224522166067201?s... | root_axis wrote: | > _and unfortunately your story isn't supported by any | tweets I can find_ | | If there's no evidence for my claim it must be evidence | of censorship, because certainly I can't be wrong. | nebula8804 wrote: | I saw this happen live and I couldn't believe it. There | was this Netflix movie last year called "Kate" that has a | white female assassin killing a lot of Asian people (it | takes place in Tokyo). There were a handful of articles | (first in places like Yahoo news and then sites like | Slate.com) written about how this is racist and they all | quoted people on twitter. Since I was following this | movie heavily, I saw the tweets come in real time and the | subsequent articles written a day later. In the end it | all started from one tweet from a random user which then | spread into a small handful of other people making a similar | comment and then leaving it at that. These tweets then | got turned into multiple articles. I could not believe | how crazy the whole thing was. | | The original tweet author did not give permission for her | thoughts to be published in so many articles and | apparently endured a lot of harassment (she indicated this | on subsequent tweets). She eventually deleted the tweet. | | This was the original tweet: "Shame on Netflix for this. | After this past year especially, to then release a film | that is literally white people murdering Asian people | based on stereotypes and fetishization??? Hard pass." | | If you google that quote you'll see how many articles | quote that tweet.
| | There were no winners in this whole saga. The movie takes | place in Tokyo so of course Asian men are going to be the | bad guys. So Netflix endured negative press for nothing. | The press didn't actually change anything about the film, | it obviously pissed off enough people that it caused them | to start looking for the tweet author to harass her and | finally she deleted her tweet. Who were the winners? The | site owners making the money I guess. The whole thing | really shows how much of a joke online media is. When | regular establishment press is not that good either, what | are people to do? | nindalf wrote: | It annoys me to see this. Quoting tweets is the laziest | form of journalism. But to be fair to journalists, finding | a couple of real world people and quoting their opinions as | if they are representative of the larger public isn't any | more rigorous. | | And it's possible to cherry-pick people to push any | narrative you want. Like the NYT talking about how GenZ is | very pro-life, quoting several pro-life youngsters. | Meanwhile buried somewhere in that long article is the lede | - only 20% of GenZ is pro-life. | lapcat wrote: | Ironically, social media has played a big role in the | rise of cheap clickbait journalism. | indymike wrote: | > I think that Twitter is very much the tail that wags the | dog. | | Twitter has a lot of journalist users so, yes, it does tend | to move the whole dog. | Dma54rhs wrote: | The three are the elites of society, blue checkmarks - | journalists, politicians, propagandists, influencers. For | society as a whole they have way more influence over where it's | going than the average Joe in front of the corner shop. | freeflight wrote: | Except that a lot of those 50 people instead consume all | kinds of other "news media" who by now regularly use Twitter | as a source, so they are still indirectly affected by Twitter | even if they don't actively use it.
| alexb_ wrote: | If you're in any community that is popular/new enough to not | use forums, but not large enough to talk outside of twitter, | it definitely controls a lot. | winternett wrote: | Ahh, the typical brigade is definitely in effect even above | this post... A bunch of comments to suppress the real ones | made, just like what happens on Twitter regularly. | | I had to scroll down past the posts dismissing the issues to | get to this one. The news at this point is also conveniently | not trending on Twitter even though I am pretty sure a lot more | people are Tweeting about it than about Doja Cat right now (who | is trending). | | I also didn't even see the article, tweeted by CNN, even though | I follow them on Twitter. | | We're officially chest deep in the era where nothing popular on | the Internet is trustworthy nor credible, and where nothing | works as expected. | | My solution is the same as it always has been... Never respect | them enough to enter your real (government) name, and never | post anything that you can't afford to have compromised. There | is no end to what modern data greed will use your data for. | vlan0 wrote: | Eh, you could take out Twitter and insert many other company | names and it'll still hold true. And those companies hold so much | more sensitive data about you than Twitter. | | I know of insurance companies that have help desk employees with | domain admin access. And all crippling ransomware attacks take | advantage of lax permissions. | | This is rampant. How is this a story? | mrex wrote: | >This is rampant. How is this a story? | | Bro. It's not every day that literally Mudge, who has -no | doubt- seen his fair share of shit-shows, whistleblows on an | employer. | dehrmann wrote: | But was he fired by any of those shit shows? | mrex wrote: | I don't think you understand how poorly attacking Mudge's | character or insinuating that he's driven by some unethical | ulterior motive is going to work out.
Mudge is... he's | Mudge. He's a known quantity, and one everyone wishes we | had more of. When he says something like this, smart people | listen intently. | bartread wrote: | > How is this a story? | | Cynically, because it's twitter, and it's trendy amongst a | certain subset of the population to bash social media in | general and twitter in particular. And I think your point is | fair. | | (FWIW, I think social media has if not caused, then certainly | exacerbated, some major problems at individual, societal, and | global levels, but by no means do I think twitter is the | biggest contributor. I don't think we'd see the kind of | unconstructive political polarisation we're seeing in the US | and UK and perhaps, to a lesser extent, within the EU, without | it.) | zinekeller wrote: | My reasoned mind says it's due to the recent disclosure in | Twitter due to linking of phone numbers to people, while my | other mind says it's Elon finding anything to make Twitter | give up their case. | blitzar wrote: | > in Twitter due to linking of phone numbers to people | | Except like the linkedin "hack" which was just a scrape of | people's profiles, the twitter "hack" was someone running | phone numbers through the "upload your contacts and find | your friends' accounts" feature. | | They are both barely stories, except to remind people that | posting stuff publicly is public. | BlueGh0st wrote: | >..the twitter "hack" was someone running phone numbers | through the "upload your contacts and find your friends' | accounts" feature. | | >They are both barely stories, except to remind people | that posting stuff publicly is public. | | The recurring issue is that Twitter and other companies | are convincing (and often forcing) you to do something | unsafe like linking your phone number, while telling you | that your data will be kept private and at the same time | opting you in by default, or aggressively marketing, an | option that compromises your security.
| | I'm sure you may be smart enough to know this compromises | your anonymity, allows stalkers to find your phone | number, etc. but the 99% of users won't. | | Linking everything to a phone number is a major dark | pattern that benefits the corporations while compromising | the user. So rightfully, these malicious and harmful | practices should be called out. | shadowgovt wrote: | Additionally, Twitter collected PII and then did a bad | job protecting it. We don't see a phone-numbers-leaked | story like this out of Google, which has had 2FA with | phone number deployed for years. | | Twitter has some 200+ million daily active users and | should act like it. | blitzar wrote: | _Decide whether people who have your email address or | phone number can find and connect with you on Twitter._ | If you select yes, then someone with l33t skills can _" | hack"_ twitter and type in your email / phone number and | get your twitter handle (or just put it in their contacts | and click a button in the twitter app aka l33t hax0r | skills) | | The reason there isn't a "leak" from google is because they | don't offer the functionality to look up your account by | your phone number. | bartread wrote: | For sure, the phone numbers issue definitely won't have | helped, but the whole Elon/Twitter situation is definitely | up there. Plus, as I say, it's been sort of trendy to bash | them for a while: they're either not doing enough to | protect people from harmful content, or they're subverting | freedom of speech by, for example, banning Trump, and | applying permanent, temporary, or shadowbans to other | accounts. I'm not _that_ sympathetic, but they sort of | can't win. | kornhole wrote: | I think you are referring to corporate and state controlled | social media. There is a big difference between those | platforms and the fediverse instances I am running on a RPI | sitting on my desk.
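Back to the access-log controls laid out in the long comment at the top of this section (every operation on an account logged somewhere the operators cannot reach, logs routinely audited, and a rogue admin quietly dropping rows from the audit server being the failure mode): one way to make deleted or edited rows provable is a hash-chained log whose head hash the auditors record out of band. This is an added example, not Twitter's code or anything posted in the thread; the row fields, the checkpoint scheme and the sample rows are assumptions.

```python
"""Hash-chained, append-only audit log for privileged account operations.

Each row's hash covers the previous row's hash, so removing, reordering or
editing any row before an auditor-held checkpoint changes the recomputed
head and is detected. Rows added after the last checkpoint are only covered
once the next checkpoint is taken, so the checkpoint interval is the
detection window.
"""
import copy
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # value the first row chains to


def _digest(prev_hash: str, entry: dict) -> str:
    """Hash of one row, bound to the hash of the row before it."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


@dataclass
class Checkpoint:
    """Head hash and row count the auditors keep outside the operators' reach (assumed scheme)."""
    head: str
    length: int


@dataclass
class AccessLog:
    """Append-only log of privileged operations on user accounts (assumed fields)."""
    rows: list = field(default_factory=list)
    hashes: list = field(default_factory=list)

    def append(self, actor: str, target: str, op: str, ticket: str) -> str:
        entry = {"seq": len(self.rows), "actor": actor, "target": target,
                 "op": op, "ticket": ticket}
        prev = self.hashes[-1] if self.hashes else GENESIS
        self.rows.append(entry)
        self.hashes.append(_digest(prev, entry))
        return self.hashes[-1]

    def checkpoint(self) -> Checkpoint:
        head = self.hashes[-1] if self.hashes else GENESIS
        return Checkpoint(head=head, length=len(self.rows))


def verify(rows: list, cp: Checkpoint) -> tuple:
    """Recompute the chain from the rows alone (stored hashes are not trusted)
    and compare it with the auditors' checkpoint. Returns (ok, reason)."""
    prev = GENESIS
    for i, entry in enumerate(rows):
        if entry.get("seq") != i:
            return False, f"sequence gap at position {i}"
        prev = _digest(prev, entry)
        if i == cp.length - 1 and prev != cp.head:
            return False, f"chain hash mismatch at checkpoint seq {i}"
    if len(rows) < cp.length:
        return False, "log shorter than checkpoint: rows removed"
    return True, "ok"


def demo() -> dict:
    """Constructed sample rows and three tampering scenarios; returns verify() results."""
    log = AccessLog()
    log.append("alice", "@user_a", "view_email", "TKT-101")
    log.append("bob", "@user_a", "reset_password", "TKT-101")
    log.append("alice", "@user_b", "view_phone", "TKT-102")
    cp = log.checkpoint()  # auditors record this; operators cannot alter it

    deleted = [r for r in log.rows if r["seq"] != 1]               # one row dropped
    renumbered = [dict(r, seq=i) for i, r in enumerate(deleted)]    # gap papered over
    edited = copy.deepcopy(log.rows)
    edited[1]["actor"] = "carol"                                    # blame shifted
    log.append("dave", "@user_c", "view_email", "TKT-103")          # legitimate later row

    return {
        "intact": verify(log.rows, cp),
        "row_deleted": verify(deleted, cp),
        "deleted_and_renumbered": verify(renumbered, cp),
        "row_edited": verify(edited, cp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```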
| NelsonMinar wrote: | Twitter is under a consent agreement with the FTC about its | security practices. Part of the allegations here is that | they've been lying to those regulators. | | https://www.ftc.gov/news-events/news/press-releases/2011/03/... | hotpotamus wrote: | Cybersecurity is one of my roles I suppose (small place with an | operations team of approximately 2.5), and I have to say that I | have no idea what proper security is supposed to mean today; | it's very hard for me to tell the marketing from best practice | now. It seems like what most products really are is an ass | covering service so you can tell your leadership and your | customers that you did the right things. | | Basically we work on keeping everything patched and try not to | create any obvious issues. Honestly, I think the best thing we | have going for us is obscurity. | dogman144 wrote: | Eval yourselves with the NIST Cybersecurity Framework and | you'll get a good idea of where to work on. It's useful to | guide an early stage security program doing all the things. | | Also, build a risk matrix of security risks the company can | face by impact vs likelihood of the risk happening. Get | someone senior to sign off on it. | | Use the NIST CSF and the risk registry with senior leadership | support to guide the work you do. | | It'll be easier if you think about security as understanding | your risk posture as an org, and that risk is either fixed at | your level, carefully escalated to outside your teams for a | fix, or labeled and accepted risk. Security teams should | never be the ones to accept risk, so get a manager to see | and acknowledge in writing whenever it's decided to just roll | with a known vuln you're unable to fix without more | time/money/tech. Try to fix as many risks as possible at your | level so as not to build an alarmist rep.
Then, that leaves | space to escalate into cross-team fixes (and you can point to | the NIST CSF and the risk register with a senior leader's sit | side as a baseline reason for why they need to fix it). | mellavora wrote: | It is also about governance. | | Do you have runbooks for your systems? (describes how to | operate the system normally.) | | What about playbooks? (how to handle errors) | | Have you game-day-ed various failures? How long does it take | you to restore everything from backup? What order do you | bring your systems up? | | What level of monitoring do you have on your systems? Can you | spot unusual activity? How quickly? | | What sorts of firewalls? Say "system X" is compromised. How | far could damage spread from there? | | Obscurity won't protect you when cybercrime is a business | model. | nannal wrote: | Consult with a security firm or specialist and they should be | able to steer you in the right direction. | chadash wrote: | Two problems with this: | | 1) Like a car mechanic, these people get paid to sell you | solutions and they are incentivized to sell you more. | | 2) Plenty of honest people have biases because of what they | do. If you spend all day thinking about security you might | be overly concerned about things that are actually not that | risky. | | This isn't to say that there aren't great people working in | the field. But it's daunting from an outsider's perspective. | mrex wrote: | Develop sufficient in-house subject matter expertise so | that you're not depending on sales consultants to do your | cyber program for you. | | Develop an empirical understanding of risk management. | While we can't predict the future, through well | established techniques and adequate resourcing, | professionals can achieve consistent results that are far | better than random guessing. Risk management principles | drive not just corporate strategy writ large, but entire | industries like banking and insurance.
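The register dogman144 describes a few comments up (an impact vs likelihood matrix, every risk either fixed at the team's level, escalated to a named owner, or accepted in writing by someone senior, and the security team never the accepting party), as an added example that is not code from the thread or from NIST; the 1 to 5 scales, tier cut-offs, team names and sample risks are assumptions.

```python
"""Risk register with an impact x likelihood matrix and an acceptance rule.

Illustration of the process in the comment above. Scales, tiers, team names
and the sample findings are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    OPEN = "open"            # known, not yet dispositioned
    FIXED = "fixed"          # remediated at the security team's own level
    ESCALATED = "escalated"  # handed to another team with a named owner
    ACCEPTED = "accepted"    # consciously accepted, in writing, by a senior leader


@dataclass
class Risk:
    rid: str
    title: str
    impact: int       # 1 (negligible) .. 5 (existential), assumed scale
    likelihood: int   # 1 (rare) .. 5 (expected this quarter), assumed scale
    status: Status = Status.OPEN
    owner: str = "security"
    accepted_by: Optional[str] = None
    rationale: Optional[str] = None

    def __post_init__(self) -> None:
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"{self.rid}: impact and likelihood must be 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def tier(self) -> str:
        s = self.score  # assumed cut-offs on the 1..25 product
        return "critical" if s >= 15 else "high" if s >= 9 else "medium" if s >= 4 else "low"


class RiskRegister:
    SECURITY_TEAMS = {"security", "secops", "appsec"}  # assumed team names

    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.rid in self._risks:
            raise ValueError(f"duplicate risk id {risk.rid}")
        self._risks[risk.rid] = risk

    def get(self, rid: str) -> Risk:
        return self._risks[rid]

    def fix(self, rid: str) -> None:
        self._risks[rid].status = Status.FIXED

    def escalate(self, rid: str, to_team: str) -> None:
        r = self._risks[rid]
        r.status, r.owner = Status.ESCALATED, to_team

    def accept(self, rid: str, approver: str, approver_team: str, rationale: str) -> None:
        """Record written acceptance. The security team may never be the accepting party."""
        if approver_team.lower() in self.SECURITY_TEAMS:
            raise PermissionError(f"{rid}: security cannot accept its own risk")
        if not rationale.strip():
            raise ValueError(f"{rid}: acceptance needs a written rationale")
        r = self._risks[rid]
        r.status, r.accepted_by, r.rationale = Status.ACCEPTED, approver, rationale

    def matrix(self) -> Dict[Tuple[int, int], List[str]]:
        """5x5 grid keyed by (impact, likelihood) of risks still carrying exposure."""
        grid: Dict[Tuple[int, int], List[str]] = {
            (i, lk): [] for i in range(1, 6) for lk in range(1, 6)}
        for r in self._risks.values():
            if r.status is not Status.FIXED:
                grid[(r.impact, r.likelihood)].append(r.rid)
        return grid

    def leadership_report(self) -> List[Tuple[str, str, int, str, str]]:
        """Unfixed risks, highest score first: (rid, tier, score, status, owner)."""
        rows = [(r.rid, r.tier, r.score, r.status.value, r.owner)
                for r in self._risks.values() if r.status is not Status.FIXED]
        return sorted(rows, key=lambda row: (-row[2], row[0]))


def demo() -> RiskRegister:
    """Constructed register for a small ops team (sample data, not real findings)."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Help-desk staff hold domain admin", impact=5, likelihood=3))
    reg.add(Risk("R2", "Legacy host cannot take vendor patches", impact=4, likelihood=4))
    reg.add(Risk("R3", "Unpatched internal wiki", impact=2, likelihood=4))
    reg.add(Risk("R4", "Stale test accounts in CI", impact=2, likelihood=1))
    reg.fix("R3")                               # within the team's own power
    reg.escalate("R1", "it-infrastructure")     # another team must change the roles
    reg.accept("R2", "J. Doe, VP Engineering", "engineering",
               "Replacement scheduled next fiscal year; host isolated on its own VLAN")
    return reg


if __name__ == "__main__":
    for row in demo().leadership_report():
        print(row)
```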
| analyst74 wrote: | It still comes down to a matter of urgency or value | perception. | | You don't want your doctor to overlook any problems just | because they are rare because your health is really | valuable. | SketchySeaBeast wrote: | With the example of the doctor you run into the nocebo | effect - you can spend a lot of time tracking down things | that turn out to be of very low value which ends up | causing more harm than good. To painfully extend the | metaphor you could have an overly aggressive password | policy and end up having users reusing passwords or | writing them down. | infosecSnowman wrote: | I've recently gotten a lot of good guidance on security best | practice from a new boss. A great place to start is the CIS | 18 critical security controls. They cover most things for | protecting an organization. | | Walk through the controls list, see where you compare to the | controls and sub-controls and then start to establish a path | forward. | markwisde wrote: | I'm a security engineer and nobody knows what's best | practice. Everyone is making it up at this point, and | security is still a nascent field. Most companies don't even | have a security team. | | I think it's still not clear how you should build a security | org, and if you should at all (should security be part of | normal workstreams of your devs?) | | Btw I wrote about my experience in | https://securityhandbook.io/ | dd36 wrote: | Is there even best practice for non-cyber security at | private businesses? | shagie wrote: | There is a best practice... but the issue is that the | "best practice" is something that gets abused for cargo | culting and _stopping_ at the discovery of the best | practice. | | Some time back, I got a copy of "A Practical Guide for | Policy Analysis: The Eightfold Path to More Effective | Problem Solving" so that I could properly quote back the | use of best practices.
| | https://en.wikipedia.org/wiki/Best_practice | | Most times when people are looking at best practices, | they skip to the decide step without defining the problem | - that's even been done here. Is there a best practice | for non-cybersecurity at private business? Well, yes - | but first, what is the problem that is trying to be | solved? There's no "get this book of everything to do and | you're good". On the other hand, a "we have customer data | that includes PII data, we need to secure the data and | prevent casual examination of it in house" is a problem | that can be looked at and a best practice can be found. | | The best practices involve a survey of looking at other | organizations and seeing what they have done - what | worked and what didn't. | | > Part IV "Smart (Best) Practices" Research - | Understanding and Making Use of What Look Like Good Ideas | from Somewhere Else | | > It is only sensible to see what kinds of solutions have | been tried in other jurisdictions, agencies, or locales. | You want to look for those that appear to have worked | pretty well, try to understand exactly how and why they | may have worked, and evaluate their applicability to your | own situation. In many circles, this is known as "best | practices" research. Simple and commonsensical as this | process sounds, it represents many methodological and | practical pitfalls. The most important of these is | relying on anecdotes and on very limited empirical | observations for your ideas. To some extent, these are - | one hopes - supplemented by smart theorizing. This method | is never perfectly satisfactory, but in the real world | the alternative is not usually more empiricism but, | rather, no thoughtless theorizing. | | > Develop Realistic Expectations | | > _Semantic Tip_ First, don't be misled by the word | _best_ in so-called best practice research.
Rarely will | you have any confidence that some helpful-looking | practice is actually the best among all those that | address the same problem or opportunity. The extensive | and careful research needed to document a claim of best | will almost never have been done. Usually, you will be | looking for what, more modestly, might be called "good | practices." | | --- | | A "here is a list of all the best practices, follow | these" is the wrong way to try to use best practices but | rather relabeled cargo cult security. | gsatic wrote: | Corporate robots don't care. | | They have gotten away with so much for so long, they live in | their own disconnected reality. | | When things break some of them cash out. Others find someone | to blame. They don't pay a price at all. And the cycle | continues. | | In China at least people are scared of the govt. In the west | it's a total joke how no one is ever held responsible. | 12many wrote: | Yikes, I wouldn't boast about being scared of a govt. | That's on the cusp of being fascist. | reitanqild wrote: | Isn't the ideal something like: | | Citizens should respect Government, and Government should | fear citizens? | | I think we are straying away from both of these at the | moment. | kvathupo wrote: | I think the commenter brings up an interesting point that | China more effectively regulates industries that commit | wrong [1]. I wouldn't reduce their point to being | tantamount to fascism; rather, I read @gsatic as arguing | for equal application of the law. This seems fundamental | to the US constitution vis a vis John Locke: people | (corporations in this case) cede rights for security. If | we give corporations regulatory fines that pale in | comparison to revenue as a result of malfeasance, are we | allowing companies to enjoy our society's benefits, | without having to sacrifice the same rights others do?
| | [1] - Of course, this isn't the complete picture: China | has a penchant for arbitrarily dealing a heavy hand to | law-abiding companies/persons. | dd36 wrote: | Right. Democracy is fake... | 12many wrote: | Because it's CNN and they like to make headlines with some | bogus whistleblower that is concerned that some die-hard | trumpers are going to hack top companies and create some kind | of mass hysteria. Just the usual fear mongering in the news | media to get views. | throwawaylinux wrote: | Did you actually read it? The story isn't some handwaving about | companies in general having bad security. It's that Twitter's | former head of security is blowing the whistle on "reckless and | negligent cybersecurity policies" including deliberately | misleading government regulators and its own board about | various issues, and concerns about foreign espionage and | disinformation. | | If you don't know how that's a story I don't know how to | explain it to you, I can only assure you many people will find | it extremely newsworthy. | vlan0 wrote: | I hear you. All of that is a big deal and should not be taken | lightly. | | Maybe I'm a bit jaded by what I've seen, but that doesn't | seem too far off from normal American business culture. | Deflection and manipulation seem to be par for the course. | It's why lobbyists exist. Companies want permission to do/not | do the things they're not currently allowed/required to do. | | The ones that get caught are normally a few bad actors that | whistle blow. The companies where it's ingrained in their | culture get away with it. Of course...this is all my own | experience :) | thomassmith65 wrote: | It is certainly rampant. Amazon, for example: | https://www.wired.com/story/amazon-failed-to-protect-your-da... | | That said, all these stories are important to the public. | mrpopo wrote: | Because people with a lot of money are inflating this story to | get back at Twitter.
It sounds like a conspiracy, but that's | the most plausible explanation I have for why this specific | whistleblower gets amplified by the media. | jonstewart wrote: | This specific whistleblower also happens to be mudge. It's | funny how the initial top comments here don't seem to have | any clue about who mudge is. | papito wrote: | Not a lot of companies get infiltrated by foreign agents or | assets. Access to Twitter, in particular, can help unmask | anonymous sources, sensitive DMs, dissidents - and their | locations. | | And, oh yeah - there is no "conspiracy". | mrpopo wrote: | I don't claim Mudge was infiltrating Twitter, nor that his | claims to bad security are false, nor that it is not | dangerous to use Twitter if you value privacy. Bad security | at Twitter, or any other social media is a given. Remember | they're in the _business_ of selling personal data. | | My claim is that this specific story which is most likely | true but in no way surprising gets amplified right now | because some specific powerful people wanted it so. | papito wrote: | Or maybe, you know, the media finds this story | interesting because this is an extremely visible company | with tons of influence on narratives around the world. | | Who are these "powerful people"? And why do they care | about Twitter so much? Most powerful people aren't even | ON Twitter. | mrpopo wrote: | I know about a certain person who has been doing very | unorthodox moves towards the acquisition of Twitter since | earlier this year; this person, as well as all the | wealthy stakeholders who have a lot to lose if the deal | goes through in an unprofitable way, would certainly gain | a lot by amplifying this story with a few grand in the | pockets of the CNN business editors. | papito wrote: | I think you are overestimating the influence of Elon Musk | on American media, my friend. | | Are they enamored with him - for sure, are they in his | actual pocket? Doubt it.
| mrpopo wrote: | Not necessarily the man specifically. Anyone with a high | stake in Tesla/SpaceX/long-termist companies and an arm | in the media machine who would benefit from this press | release. | dd36 wrote: | Or the current Twitter drama is precisely why it is an | interesting story for the media. | | That said, given foreign influence campaigns in the news | in the last 6 years, this would've been news then too. | I'm sure it was news back in 2010 when the FTC ordered it | to fix the problems. | encryptluks2 wrote: | At least you get it. I've seen worse on actual government | systems. | winternett wrote: | > This is rampant. How is this a story? | | Well, it's on the front page of CNN right now for starters, so | that means it's probably significant to a lot of people... | | If you have a business, you most likely need to promote it on | Twitter, or to at least reserve an account there so that | someone else won't impersonate you. You also need to do that on | almost all other major social platforms. | | If you have a business or personal account on Twitter, your | direct messages, the data the system generates about your | preferences and interests, your geo-coordinates, and everything | you post, including control of how your account works can | apparently be accessed by too many people within the company. | | It's a pretty big deal for anyone that uses the platform citing | all that... Not something that should just be "left to its own | devices" because everyone else is doing the same. All cases of | data abuse/misuse should be addressed, but addressing one this | big would also be a pretty big deal. | trombone5000 wrote: | > This is rampant. How is this a story? | | Because it's being publicly revealed. | | If the lax security you describe at other companies were also | revealed, maybe more would be done to fix it. | someonehere wrote: | The previous head of security to Zatko talked about fixing these | problems.
I remember distinctly after the FTC crackdown there | were all hands where the discussion came up. I guess these | problems were never fixed. | mzs wrote: | >If you are wondering if the stuff about Twitter security being | lax is just one person complaining, you might be interested | to know that, 18 months after being let go from the company, | I've not been removed from their employees GitHub | commiters[sic] group. | | ... | | >I can see private repos, yes. | | ... | | >A Twitter employee, Chris Banes, has claimed "that nothing | internal or private is hosted on GitHub. It's all just open | source code.". Here is a picture of a private, active, repo I | had access to until about 50 minutes ago. Chris's statement is | incorrect. | | https://twitter.com/alsutton/status/1562152606096658432 | | https://twitter.com/alsutton/status/1562116259357024257 | rossdavidh wrote: | It's not just this, but a long series of Twitter-related | debacles, that are starting to look less like a company in | trouble, and more like a company circling the drain. Do we have | any real reason to think Twitter might not be able to survive all | this? No one seems to think they're profitable, not even when ad | revenue generally was a lot better than the economic environment | we're going into. No one who's capable of buying it seems to want | to buy it; the reason the poison pill vs. Elon Musk's initial | purchase attempt was dropped, is that they checked around and got | no other buyers. It's not just the legal and PR problems, it's | that there's no $$$ on the other side to make it worth those | problems, and we're heading into a "you need to make money" | environment. I think they might be circling the drain... | jonathankoren wrote: | Sure the article focuses on Mudge because he's blowing the | whistle, but Mudge _and_ Rinki Sethi (ex-CISO) were fired at the | same time. | | When you fire both your chief of security and your CISO months | after you hire them, it's weird.
Even if your chief of security | had personal failings, why fire his boss? If the boss falls on | her sword for direct, that certainly makes me think to take what | they're saying seriously. | boffinAudio wrote: | The article states he has had no contact with Musk and that the | whistleblowing started before Musk attempted his takeover of | Twitter .. | chalst wrote: | It's tinfoil hat territory, but the connection could run the | other way in principle: the ex-exec could have been shopping | for someone to injure Twitter and cooked up a plot in which | Twitter was an innocent victim and Musk a double-crossed | coconspirator. | | Why, it explains Musk's confidence that Twitter was up to | something with its fake-account stats... It _must_ be true! | zimpenfish wrote: | On the other hand, if you want to fan the conspiracy flames, | he does have strong ties to Dorsey (via Stripe and Twitter) | and Dorsey has always been Team Musk, especially re: the | takeover. | PedroBatista wrote: | While I'm sure Twitter and every social network internal politics | suck and are full of sleazy people who hold themselves in very | high regard, these accusations seem weak. | | He appears to indicate precisely what is public, like the 5% | bots but then goes into the usual obscure "I know it's not | that number and the structure is incentivized in the wrong way.." | | Obviously he has an axe to grind and I wouldn't be shocked if | Elon was directly involved with this, but I'm not sure this | vagueness holds in court.. | kmfrk wrote: | I hate being asked to hand over my phone number for 2FA or | similar protections. Or facing the choice between deleting all my | DMs or risking them being compromised on account of no E2E support. | Then again, even if you delete something, there's no knowing what | their data retention handling is.
| strict9 wrote: | I think it's safe to assume most anything you delete from a web | app gets a deleted boolean or timestamp field set and the | content persists in the database indefinitely. | | In my experience I've found it rare that user content is ever | actually permanently deleted for various reasons. | digitallyfree wrote: | Yeah that's how most of them work. On some platforms (e.g. | Reddit) if you do a full data request you'll see all your | deleted comments as it's still there in the database, just | hidden from public view. | beeboop wrote: | > various reasons | | advertising, controlling executives, and government spying | thepasswordis wrote: | Or devs who fear some runaway bug. | DangitBobby wrote: | Or a disgruntled employee or a hack or any of the other | reasons you might want deletes to be reversible. | DaftDank wrote: | I assume that storage has gotten so cheap now that storing | everything forever is feasible for companies? I always knew | they had to retain content for X period of time, to comply | with laws about data retention for criminal investigations, | but I always assumed (from reading about it 10+ years ago) | that because of how much extra storage space all the | "deleted" content would take up, that it wouldn't be feasible | for them to do it long-term for everything. I knew that would | become a moot point eventually, and I suppose that is now. | imchillyb wrote: | Mudge = Competent advisor, Cybersecurity expert, Senate special | witness. | | Twitter board = Incompetent, Liars, Corporate cronies. | | Which of these two sources do _YOU_ believe is more reliable? | Yeah. That's gonna be the general consensus. | | Mudge-1 / Twitter-0 | neilv wrote: | For a solid and genuine technical person considering a CISO or | CISO-like role, I've had the impression that they have to be very | selective where they go.
|
| Even in what I'd guess is an "ideal" situation, of tractable technical & process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.
|
| I also hear of a lot of much-less-than-ideal situations.
| donohoe wrote:
| So the CNN article lacks any detail really. There are things on the surface that sound bad but without context it's impossible to tell.
|
| Has anyone gone through the Washington Post story and the PDFs and found the real issues?
| SilverBirch wrote:
| I think it's a pretty open secret that Twitter is a fairly broken company. It's no surprise that their security practices are bad, because _all_ their practices are bad. It's also very difficult to view this in isolation when you have the timeline of: (1) Fired in January, nothing happens. (2) Musk makes offer for Twitter then reneges. (3) Months before the lawsuit gets decided, re-emerges with accusations.
|
| What happened that caused him to suddenly start whistleblowing now, and not in January? Was it the same thing that caused Ken Paxton in Texas to start investigating Twitter?
|
| This just looks like pretty plain mud-slinging from Musk's team to be honest. Especially since the whistleblower seems to basically be blowing the whistle on himself.
| carvking wrote:
| Mudge: "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said.
|
| Seems like a legit answer. No need to accuse people of slinging mud.
| wpietri wrote:
| Jack Dorsey's not there anymore, and the current executives clearly have a different view. So I think the question of "why now and why like this" is still open. Given how many savvy technologists use HN, I'd bet we could put together a list of thousands of companies with concerning-to-reckless security practices.
But for better or worse, most of us don't end up getting our concerns on CNN.
| jonstewart wrote:
| An important detail: the whistleblower is Mudge. I'm at a bit of a loss for words comparing him to Ken Paxton.
| agentultra wrote:
| This was my first thought. TFA claims he started the whistleblower process before the Musk deal was signed. Seems kind of fishy though.
| pb7 wrote:
| Maybe, just maybe, Twitter is actually a poorly run company and it's not a conspiracy.
| themitigating wrote:
| Poorly run but also being targeted by conservatives who are using their government positions to destroy a liberal west coast company that harms their ability to get elected.
| TeeMassive wrote:
| I don't remember conservatives threatening Twitter to censor "dangerous" views or "misinformation" or telling who to ban.
| encryptluks2 wrote:
| I remember conservatives advocating for business rights to refuse service when they were asked to bake a cake for a gay couple.
| Banana699 wrote:
| Because a random bakery shop is totally like a pseudo-monopolistic social media giant that can censor millions arbitrarily and at will.
| themitigating wrote:
| It's not a monopoly because there are alternatives, and it only has a 10% market share in the US (https://gs.statcounter.com/social-media-stats/all/united-sta...).
|
| The bakery also sets precedent as it did go to the Supreme Court, and it was used as a rallying cry by politicians on the right.
| Banana699 wrote:
| So, in simpler words, they _are_ indeed a pseudo-monopolistic (pseudo means apparent, something very close to but not quite there) social media giant that _can_ indeed censor millions (10% of the USA's population is 30 million) arbitrarily and at will? Ok :)
|
| And whether a bakery serves your gay wedding or not is perhaps the most petty and inconsequential thing to be upset about. There are thousands upon thousands of bakeries in a large city.
You can learn how to bake a cake in a weekend and home-bake your wedding cake yourself, or any one of your wedding guests can do this as a wedding gift. You can go to a no-gays-allowed bakery but simply not tell them you're gay, take a finished cake from them, then write your own name and that of the guy you will marry on it yourself. You can not get cake at all and instead get any of the thousand other types of wedding sweets and food.
|
| It's almost like the whole thing is a hilarious non-issue that some people just invented to cry and act like victims about.
| pb7 wrote:
| Monopoly on what?
|
| There are not thousands of bakeries in any city. Many towns might have none, or one. In that regard, the bakery will have an actual monopoly on baked goods to people living there.
| Jensson wrote:
| The baker is a person with rights as well; you can't force him to make a special order cake for something he disagrees with. You can force him to sell standard cakes, and they offered to sell standard cakes in the case, but the customers wanted to force him to make a designed cake, and that would be against the baker's individual rights.
|
| Large corporations lack those individual rights for obvious reasons, so large corporations should be forced to provide services to everyone even though individuals shouldn't always be.
| Banana699 wrote:
| >Monopoly on what?
|
| On users. Any network is worth a function of the number of nodes in it (typically a quadratic). Social media are networks that link humans, and there is a finite number of humans (or, more accurately, internet-connected humans with time to spare) that grows very slowly and inevitably will stagnate.
That means a social network is in direct zero-sum competition with all the other networks, and a giant like Twitter hurts everybody else by concentrating a significant proportion of users into a single (awful) place, destroying competition by the lock-in effects of network dynamics.
|
| >There are not thousands of bakeries in any city
|
| There are in my city, actually. Dialing the number down to the hundreds or the high tens doesn't significantly change the validity and implications of the argument either.
|
| > In that regard, the bakery will have an actual monopoly on baked goods to people living there.
|
| If you can actually prove that in a court, and if you furthermore prove that the complaining party will incur significant costs to themselves if they try to seek another bakery elsewhere (by a reasonable legal definition of 'significant'), then you have my full blessing to force people to bake your cake.
|
| Until then, comparing an easily replaceable food product with tons of suppliers and publicly available recipes to a proprietary service supplied by a corporation with thousands of servers, thousands of employees and tens of millions of users is ideologically motivated bullshit.
| kmeisthax wrote:
| Bigger example: Donald Trump called Net Neutrality "Obamacare for the Internet", back when the bug-bear was Comcast rather than FAANG.
| TeeMassive wrote:
| Ending the enforcement of Net Neutrality was not about censoring content or subjects.
| kmeisthax wrote:
| The specific worry about Net Neutrality was that ISPs would use their monopoly power to censor specific sources and/or self-preference their own businesses. It's something that should have been _expanded_ to large online platforms rather than being disposed of entirely.
| TeeMassive wrote:
| As you said, it was a worry, but ending Net Neutrality being about enforcing government censorship was never even an argument being made at all by any side of the issue.
| TeeMassive wrote:
| You are making a false comparison. They refused to write a particular message, not to serve the customer a cake.
| themitigating wrote:
| They push for censorship of pornographic material, which is less dangerous than misinformation about vaccines.
| TeeMassive wrote:
| What's the problem with making public pages SFW?
| labcomputer wrote:
| And they say the Tesla _fans_ are a cult... I'm at a loss for words.
| jmeister wrote:
| Did you read the article before slinging mud yourself? The whistleblower has been communicating with DC way before EM entered the picture.
|
| Media only got its hands on the leaked material now.
| SilverBirch wrote:
| I read the article, and it doesn't say what you said.
|
| >Zatko began the whistleblower process before there was any indication of Musk's involvement
|
| Define "began the whistleblower process". Because that seems like an extremely fuzzy way of saying this. And even if you accept that he was genuinely a whistleblower in good faith trying to do this, which I'm perfectly willing to accept, the fact it's coming out in public now is still convenient timing.
|
| It does say
|
| >The disclosure, sent last month
|
| Which means that the actual firm date we have coincides perfectly with Musk's legal wranglings.
| jjulius wrote:
| Not exactly. The CNN article doesn't say that, and The Verge's piece[1] on this puts it together pretty clearly.
|
| >Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company's vulnerabilities.
Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning.
|
| So, breaking it down more concisely:
|
| 1.) Fired in January
|
| 2.) Musk tries to buy Twitter in early April
|
| 3.) Complaint filed with SEC in July by Mudge ("way [after] EM entered the picture")
|
| 4.) WaPo published redacted, 200-page report today
|
| [1] https://www.theverge.com/2022/8/23/23317857/twitter-whistleb...
|
| Edit: This is not an endorsement of mud-slinging, just an attempt to make sure everyone knows what actually happened and when, at least as best we can discern at this point.
| jacooper wrote:
| Apparently he started the whistleblowing process before any Musk involvement with Twitter.
|
| https://twitter.com/KimZetter/status/1562061556745089025
| tablespoon wrote:
| > Apparently he started the whistleblowing process before any Musk involvement with Twitter.
|
| According to his lawyer, as reported by someone on Twitter. IIRC, lawyers make statements that guilty clients are innocent all the time.
|
| If he was working with Musk to help him wiggle out of the Twitter deal, it would fatally undermine the goal for him to come out publicly about the relationship. I'm skeptical unless they can provide verifiable 3rd party evidence (e.g. some document filed before the deal).
| sp332 wrote:
| Linking to a Twitter thread is a little indirect, but Kim Zetter is a reporter on the infosec beat, and if you scroll up, you can see the link to the CNN article she's discussing. Also here's a video that includes the lawyer saying it out loud.
| https://mobile.twitter.com/donie/status/1562020176278716416 (@donie is the first person to talk in the video.)
| Larrikin wrote:
| So instead of taking a statement from the lawyer you think it makes more sense to wildly speculate and make things up? The burden of proof falls on the other side now to prove the whistleblowing started after Musk.
| Arainach wrote:
| A statement from a lawyer saying "this is older" isn't evidence. Until the lawyer shows an example of any form of whistleblowing predating Musk, this is still on them.
| [deleted]
| adamsmith143 wrote:
| I mean, I want to give the guy the benefit of the doubt, but is the only evidence that was the case this journalist saying "Mudge totally told me he did this before Musk got here I swear"?
| criddell wrote:
| It doesn't really sound like you want to give him the benefit of the doubt.
| TimCTRL wrote:
| Musk's account was among those that were hacked in the 2020 high profile hack. He made the offer in 2022; he therefore can't claim to not have known that Twitter's security isn't 100% and really can't use this in court, I guess.
| rtkwe wrote:
| The contract Musk signed was very, very one sided; from everything I've been reading there's very little Musk can claim that would let him scuttle the deal.
| phlhr wrote:
| The contract does not allow Twitter to commit fraud. Which they have.
| [deleted]
| gonzo41 wrote:
| In real life, if you're in the public square shouting your opinions at whomever will listen it's somewhat risky. Twitter are just providing the same digital risk for the modern public square. It's a feature, not a bug.
| happyopossum wrote:
| You're ascribing the worst possible motives to someone based on your hatred of Elon Musk. Someone who has no known relationship with Musk, who has claimed publicly they started this process before Musk was involved with Twitter, and who is a long standing and well regarded figure in the infosec world.
|
| I think you're gonna need more than Musk Derangement Syndrome fueled conspiracy theories to make your accusations stick here.
| itsoktocry wrote:
| > _You're ascribing the worst possible motives to someone based on your hatred of Elon Musk._
|
| I'm not going to claim some big conspiracy here, but I do find this beyond coincidence.
|
| I don't think that this is coming out now because Mudge is acting on _behalf_ of Elon. I think Elon's Twitter bid (and ensuing drama and upcoming lawsuit) and this revelation are part of the same agenda. For better or worse, it looks like influential powers that be are going to take down/over Twitter.
| the_doctah wrote:
| >it looks like influential powers that be are going to take down/over Twitter
|
| Let them, Twitter can't get any worse.
|
| At the very least, let's get to the bottom of the bot problem and expose these companies who rely on bot activity to drive their MAU numbers and, as a result, their inflated valuations.
| factorialboy wrote:
| > Especially since the whistleblower seems to basically be blowing the whistle on himself.
|
| Whistleblowers are by definition insiders.
| chihuahua wrote:
| Yes, but that's not the point here.
|
| A typical whistleblower would say "There were security problems, and the head of security ignored them."
|
| Here, it's "I was the head of security, and security was shitty. I was doing a shitty job, and that's a terrible scandal!"
| msh wrote:
| It's more like "I was head of security and the CEO blocked me and tried preventing me from reporting the true state of affairs to the board."
| SilverBirch wrote:
| I think the thing about reporting things to the board is extremely open to interpretation. The board doesn't need to know absolutely every skeleton in the closet - especially if you're aware and in the process of fixing something.
| Sohcahtoa82 wrote:
| As others have said, being head of security is meaningless if the people in charge of actually making changes refuse to make the changes you prescribe.
|
| I've been in that situation at a previous job. The infrastructure for our service was set up so that EC2 instances would start up and pull their code from a central repo. But this repo was open to the world and did not require authentication. It was only a matter of time before some malicious user discovered this and our proprietary server code got leaked.
|
| It took weeks of hounding and escalating until something changed, and at first all they did was change the security groups to limit where you could connect from, and even the first patch merely limited it to a few /8 and /16 CIDRs that covered massive swaths of AWS-owned IPs. They still didn't require authentication.
| PurpleRamen wrote:
| It's not his responsibility if someone with more power is sabotaging his work. He tried to do his work, realized it was not possible, and escalated to a higher authority. A bit unusual, but technically a way to maybe solve the problem and still do the job at the end.
| pb7 wrote:
| He tried to change things and was stopped by people actually in power (CEO, the board). Being head of security means nothing if you aren't allowed to do your job. He was also there for less than 2 years. If you read the article, you'll find that Twitter has had awful security practices since at least 2010.
| encryptluks2 wrote:
| How do you know that? The only way you'd find out is if there is a lawsuit that exposes said information. Everyone here is assuming because they want to believe Twitter is an evil behemoth. I'm not suggesting they are wrong, but this guy could have done the bare minimum for all we know thinking his status gave him basically a free income to do almost nothing.
I would wait until more information comes out before making such generalized assumptions.
| pb7 wrote:
| I'm relaying information from the article based on the 200-page document sent to government agencies. Everything else is speculation based on nothing.
| prophesi wrote:
| We're all speculating here.
|
| But if I were a betting man, I do think both Twitter's and Mudge's respective track records would place me in Mudge's camp.
| josefresco wrote:
| I don't know Mudge and neither does 99.9% of the public. His timing here is suspect. If these problems existed for so long, why now?
| pb7 wrote:
| He just got fired in January. Preparing a 200-page legal document with references and accounts takes time. It had been submitted some time ago; it's only now that CNN got a hold of a copy.
| prophesi wrote:
| I'm not sure why any sizeable portion of the public would know _any_ reputable cyber security experts. Twitter's CEO said the firing was due to "the impact on top priority work", and whistleblowing 6 months later isn't a surprising timeline when you need to have long talks with an attorney and get your own work-life situated.
| josefresco wrote:
| Mudge specifically referenced Musk in his complaint. This isn't just 6 months of due diligence; it's targeted and timed for maximum damage.
| SilverBirch wrote:
| Sure, but it's not normally the guy _in charge_ of security that gets to complain the security isn't good enough.
| zhengyi13 wrote:
| I seem to read fairly often about security folk (or even plain ol' sysadmins) bemoaning their companies' security, like their presence or oversight is a box checking exercise rather than a real commitment.
| bombcar wrote:
| Being in charge of security usually means two things:
|
| 1. You find out all the problems.
| 2. You can't fix all of them (many reasons here, not all malicious) and are set up to take the fall.
|
| Rinse and repeat.
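Sohcahtoa82's story in this subthread (a code repo open to the world, then "fixed" by restricting security-group ingress to a few /8 and /16 ranges, still with no authentication) is a pattern worth being able to measure rather than argue about. The following is an added example, not code from the thread, from AWS or from the poster's employer: a small audit that computes how many source addresses each stage of such a rule set still admits, flags rules wider than an assumed policy limit, and flags the missing authentication separately, because an IP allow-list narrows who can connect but never identifies who did. The policy threshold (/24 per rule) and the CIDRs are constructed; the ranges are RFC 1918 stand-ins, not real provider blocks.

```python
import ipaddress

# Assumed policy for this example (not from the thread): flag any ingress rule
# wider than a /24, and always flag a code repo that serves unauthenticated reads.
MAX_ADDRESSES_PER_RULE = 256


def audit_repo_exposure(ingress_cidrs, auth_required):
    """Return (reachable_addresses, findings) for a repo guarded by the given
    security-group source CIDRs and an 'authentication required' flag."""
    findings = []
    reachable = 0
    for cidr in ingress_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        reachable += net.num_addresses
        if net.num_addresses > MAX_ADDRESSES_PER_RULE:
            findings.append(
                f"{cidr}: {net.num_addresses:,} source addresses allowed (wider than /24)"
            )
    if not auth_required:
        # Source filtering limits where a request may come from; it says nothing
        # about who sent it, so it is not a substitute for credentials.
        findings.append(
            "unauthenticated reads: source filtering is not a substitute for credentials"
        )
    return reachable, findings


# Constructed stages mirroring the progression described in the comment above.
# The CIDRs are RFC 1918 stand-ins, not real provider ranges.
STAGES = {
    "open_to_world": (["0.0.0.0/0"], False),
    "first_patch": (["10.0.0.0/8", "172.16.0.0/16"], False),
    "hardened": (["10.20.30.0/24"], True),
}


def audit_all(stages=STAGES):
    """Audit every stage; returns {stage_name: (reachable_addresses, findings)}."""
    return {
        name: audit_repo_exposure(cidrs, auth) for name, (cidrs, auth) in stages.items()
    }


if __name__ == "__main__":
    for name, (reachable, findings) in audit_all().items():
        print(f"{name}: {reachable:,} reachable source addresses")
        for finding in findings:
            print("  -", finding)
```

Run against the three stages, the "first patch" still admits roughly 16.8 million source addresses and keeps the unauthenticated-reads finding; only the last stage, a single /24 plus authentication, comes back clean. The same function can be pointed at exported security-group rules to turn "the fix is not enough" into a number.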
| alvis wrote:
| Looking at @paraga's response over the incident, I don't see how attacking Mudge Zatko's character does any help here. Does he know it can backfire?
|
| https://twitter.com/donie/status/1562069281545900033
| encryptluks2 wrote:
| Alleged whistleblower publicly attacks company's reputation... A-okay, I hate big tech companies.
|
| CEO of company defends organization and says previous employee has ulterior motives... Not okay, I hate big tech companies.
|
| See a trend here?
| [deleted]
| raxxorraxor wrote:
| To be honest, Twitter didn't manage expectations. If I register on such a platform, I expect my mail/pwd combination to stay reasonably safe. Reasonably, because there is never a guarantee.
|
| The rest of these expectations are entirely on the users. If people take security as seriously as they proclaim, they should not have registered. To now demand meticulous access controls sounds a bit neglectful to me...
| _fat_santa wrote:
| If you've worked for any major F500 enterprise, this is all par for the course. Currently on a contract with a healthcare giant; while security is pretty tight because of HIPAA, generally everything else is chaotic. I'm going to speculate that Twitter is probably worse than the mean, but at pretty much every large company that operates massive pieces of software, you're gonna get a ton of chaos by default.
| [deleted]
| johndhi wrote:
| This was my reaction, too. And I'd add: the legal requirement is basically to have 'industry standard' security; no more and no less. There is no legal requirement to have air tight security (which probably isn't even technically possible at a company of this scale anyway).
| mcqueenjordan wrote:
| It takes time to compile documents and write these things.
| toss1 wrote:
| >> thing that caused Ken Paxton in Texas to start investigating Twitter?
|
| Immediately thought of this item that came up in my Twitter news feed last week [0]
|
| >> "Elon Musk went to Kevin McCarthy's Party last night in Wyoming--to celebrate Liz Cheney's loss. While speaking at the MAGA party, Musk asked everyone to deny that he was there. Musk made sure that no press was allowed anywhere near the property -- then people started posting selfies"
|
| I'm sure Musk wasn't there to privately insult the Republican leaders by acting like they're the ugly person that they'll date in private but don't want anyone knowing about -- he's almost surely seeking some kind of influence/benefit.
|
| Maybe coincidence, but I certainly wonder about the purpose?
|
| [0] https://twitter.com/FriendEden100/status/1559974086264209414
| awinter-py wrote:
| I mean, separately from security questions here, it seems not great that 'public social media' platforms are operating their own DMs.
|
| DMs should be BYO provider.
| naltun wrote:
| I learned a lot about Mudge by reading "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."
|
| For anyone wanting to explore 90's security nostalgia, it's worth a read. For anyone wanting to learn where hacktivism comes from, it's worth a read. For anyone wanting to learn about how security consulting has evolved over the years, it's worth a read.
|
| Mudge is a very cool and capable individual. I am slightly surprised that Twitter would ignore someone of his talent and respect, and choose to air their dirty laundry in this manner. It's as if they have no idea who they hired. That, or C-levels think they can outpay $$$ any PR against Twitter to control the narrative. Either way, if Mudge is whistleblowing, there's probably some bad shit going down.
| rossdavidh wrote:
| It appears that Dorsey was the one who hired him, and then Dorsey left, which might explain why they act as if "they have no idea who they hired".
| [deleted]
| motohagiography wrote:
| The whistleblowing case is a new dimension. To me as an outsider it implies Agrawal may have also been the manager in his previous technical role for a lot of the tech problems Zatko identified, and what made Agrawal CEO was his ability to leverage these problems to play ball with all the interests in that company and board, while sustaining through neglect some of those concerning practices within the organization. Twitter's product isn't technology, it's an uncertified slot machine that pays out in political influence, and there are a lot of big interests depending on their cut of it. They needed a steady hand who wouldn't be vulnerable to being swayed by principle, and that's the one thing you don't keep hackers around for, imo.
|
| If I were betting, nothing is ever really systemically broken in large orgs, it just works for someone you can't see. This is a factor everywhere and not necessarily at Twitter. Shitty process? Cui bono. Unverifiable systems? Cui bono. Deniable and unaccounted-for access to God-mode data? Cui bono. Repudiable numbers reporting? Cui bono. Bizarre political posturing? Cui bono, etc.
| nullc wrote:
| Part of the allegation seems to be that the beneficiaries may be foreign state actors who have infiltrated the organization.
|
| Not particularly shocking, as they'd have to be incompetent to not try to infiltrate a major communications platform, and if the internal controls are as bad as alleged (and as exposed in some of the prior hacks, e.g. the control panel screenshots) they'd have to be incompetent to fail.
| sn0w_crash wrote:
| Mudge is a very credible source. Interesting to see where this goes. Twitter has gone through more security heads than any high tech company should. Not surprised it's a chaotic environment.
| ok123456 wrote:
| No he's not. He's literally on the CIA payroll along with the rest of CDC.
|
| He has a track record of making up ridiculous stories that serve his taskmasters. Remember the "Hong Kong Blondes"? Oh right, it turned out to be completely fake.
| [deleted]
___________________________________________________________________
(page generated 2022-08-23 23:00 UTC)