[HN Gopher] Ex-Twitter exec blows the whistle, alleging reckless...
___________________________________________________________________
Ex-Twitter exec blows the whistle, alleging reckless cybersecurity
policies
Author : razin
Score : 841 points
Date : 2022-08-23 10:36 UTC (12 hours ago)
(HTM) web link (www.cnn.com)
(TXT) w3m dump (www.cnn.com)
| pphysch wrote:
| > FOREIGN THREATS: Twitter is exceptionally vulnerable to foreign
| government exploitation in ways that undermine US national
| security, and the company may even have foreign spies currently
| on its payroll, the disclosure alleges.
|
| This is a very strange article to me. When I think of Twitter and
| government influence, I think of the overwhelming pro-Washington
| bias.
|
| I think of the "state-affiliated media" tags that somehow don't
| apply to RFE/RL and BBC.
|
| I think of the countless heterodox/dissident accounts that have
| been banned or silenced on the platform.
|
| I think of the "hacked materials" warning label that was invented
| to discredit a particularly damning story about a covert
| disinformation campaign involving Reuters and BBC.
|
| I think of Twitter's complete tolerance of the obvious platform
| abuse by the textbook troll farm known as "NAFO".
|
| I think of the revolving door between the federal government and
| policy/compliance positions at large tech companies including
| Twitter, of which Mudge is one of many.
|
| My tinfoil hat is whispering that this story is part of a broader
| campaign to put pressure on Twitter to be even more compromised
| by the federal government and intelligence agencies. I just don't
| see how this "foreign threat" narrative lines up with the reality
| of how effectively managed Twitter has become over the past few
| years.
|
| Realistically though, Mudge probably just has a huge hacker ego
| and is butthurt that he was caught slackin'.
| brundolf wrote:
| There's been at least one Saudi spy found working at Twitter
| and convicted: https://nypost.com/2022/08/09/ex-twitter-
| employee-ahmad-abou...
|
| > Saudi citizen Ali Alzabarah, who worked as an engineer at
| Twitter, used their positions to access confidential Twitter
| data about users, their email addresses, phone numbers and IP
| addresses, the latter of which could be used to identify a user's
| location
|
| Internal data security practices could probably have helped
| limit his access
| nym375 wrote:
| Read the report of the problems he was trying to surface:
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| This doesn't seem like he was "butthurt and caught slackin'."
| The tone of the report seems like he's frustrated that he was
| hired to do a job, and not given the resources / authority to
| make the necessary sweeping changes. Perhaps someone with a
| more political approach could have influenced leadership
| better. But they hired an extremely technical person, not an
| extremely political person.
| kornhole wrote:
| What more pressure do you think intelligence agencies would
| want to enforce? https://www.mintpressnews.com/twitter-hiring-
| alarming-number...
| ChrisMarshallNY wrote:
| I've been hearing about Mudge for _decades_. It's actually a bit
| ... _heartbreaking_ ... to see him looking so corporate, but we
| all age, don't we?
|
| I doubt he was fired for being bad at his job. But I'll bet he
| was fired for getting in people's faces. That was basically his
| calling card for _years_. Why is anyone surprised?
|
| I guess Twitter thought they could hire the cachet, without
| hiring the man.
|
| I remember an Apple WWDC, way back when. It may have been in the
| 1980s, as it was in San Jose.
|
| They hired Ken Kesey to drive his bus to San Jose, and give a
| speech. The party theme was "Hippies," so he fit right in.
|
| So they thought.
|
| He got up on stage, and started talking about taking acid, and
| counterculture.
|
| The shepherd's crook came right out, and yanked him off the
| stage.
|
| I heard they had a big fight with him, because they wanted him to
| leave his Magic Bus, parked in the courtyard.
|
| He drove off in it.
|
| Smart people that make waves are not easy to control. If you are
| used to herding around mediocre sheep, you'll probably have a
| hard time with the wolves.
| dehrmann wrote:
| > I doubt he was fired for being bad at his job. But I'll bet
| he was fired for getting in people's faces.
|
| As head of X, maintaining good relationships _is_ part of your
| job. It's actually the biggest part of your job.
| Kalium wrote:
| When you make someone head of security, there are a handful
| of ways they can go about it:
|
| * They can be utterly ineffectual, ideally while looking good
| in the press and maintaining good relations across the
| company. The latter is easy when you never have to ask anyone
| to do anything.
|
| * They can be effective, which requires the ability to draw
| on and coordinate resources far beyond security. Their
| ability to do this is reliant entirely on the support and
| backing they get from the top. This _will_ make people angry,
| because it's inevitably going to lead to reshuffling
| priorities and making choices people dislike. It's possible
| to maintain good relationships while doing this, if you have
| strong backing and you need to be convincingly empathetic
| about people's feelings while they do what your security and
| privacy demand.
|
| * They can be ineffectual while trying to work across the org
| and negotiate without backing. Eventually this just pisses
| people off because you're constantly asking for things and
| they just want you to go away.
|
| As a security leader, your ability to maintain good
| relationships while being effective is contingent on how much
| backing you get. If you're not backed sufficiently, you
| cannot do both, and then you have to make awkward choices.
| a_puppy wrote:
| There's a common anti-pattern that goes like this:
|
| 1. A higher-ranked person (e.g. Agrawal) is screwing up in
| some way (e.g. not addressing security issues)
|
| 2. A lower-ranked person (e.g. Mudge) tries to get the
| problem fixed (e.g. addressing the security issues)
|
| 3. The higher-ranked person refuses, and it turns into a
| conflict
|
| 4. The lower-ranked person gets blamed for "not maintaining
| good relationships" or "being hard to work with" or something
| like that.
|
| See this article: https://lethain.com/hard-to-work-with/
|
| To be clear, maintaining good relationships is very
| important. Good relationships are the lubricant that keeps
| the machine running smoothly; if someone has poor social
| skills or doesn't make an effort to maintain good
| relationships, they'll cause unnecessary friction, and
| they'll end up wasting time and effort on a conflict when
| they could have solved the problem by maintaining a better
| relationship.
|
| But, not every conflict is an unnecessary conflict that could
| have been solved by maintaining a better relationship!
| Sometimes people refuse to fix problems, and the only options
| are to apply pressure to them or let the problem go unfixed.
| Sometimes "lack of lubricant" isn't the reason the machine is
| broken.
|
| (One way to see this is to note that Agrawal did not maintain
| a good relationship with Mudge. If maintaining good
| relationships is part of the job, did Agrawal fail at his
| job? Or do you think only the lower-ranked person is
| responsible for maintaining good relationships?)
| ChrisMarshallNY wrote:
| Yes and no.
|
| There are many facets to these types of jobs, and these types
| of teams.
|
| I suspect that he was a "known quantity," when he was hired,
| and acted as he was expected to act, by the person that hired
| him.
|
| Jack Dorsey had his own issues, and pleasing him may not have
| counted for much, after the new folks took over.
|
| I do have issues with declaring that someone at that level is
| being fired "with cause," especially someone that knows where
| the bodies are buried. This goes double, for someone well-
| known for doing well in other environments. Usually, there's
| some kind of "golden handcuffs," and the firee simply "leaves
| to spend more time with their family."
|
| Regardless of his faults, they set themselves up for this.
| From here, it appears to be a rather petty personality spat
| that may end up hurting a whole bunch of folks.
|
| So yes, you are correct, but the person at fault may not be
| Mudge.
| sleepybrett wrote:
| The ceo might want you to be a doormat in order to make them
| look competent. The board, and the users, might disagree.
| strictnein wrote:
| > It's actually a bit ... heartbreaking ... to see him looking
| so corporate, but we all age, don't we?
|
| He's stated that you can work to change the system from the
| outside or from within and he chose the latter.
| [deleted]
| hn_throwaway_99 wrote:
| I don't think your comparison is apt. Mudge isn't some loose
| cannon. He worked for the US government as a program manager
| for DARPA from 2010-2013, then for Google from 2013-2020. You
| think he looks "corporate" now, just look at his government
| portrait on his Wikipedia page from a decade ago.
|
| Point being, Mudge is a very well respected cyber security
| professional, not some "hippy hacker" from years past. Which
| makes me even more willing to give his accusations weight,
| because this is not a case of someone who doesn't "get"
| corporate environments.
| ChrisMarshallNY wrote:
| I didn't mean that he was a "hippy hacker." Maybe you
| misinterpreted that, from my story (BTW: Ken Kesey was no
| slouch, either). My apologies for being unclear.
|
| But he has a _definite_ history of being quite willing to speak
| truth to power. Not having had any personal interactions with
| him, I can only go on the [many] stories I've heard.
| psyc wrote:
| It looks like you're reading several things into GP's comment
| that he did not write. At least I read it completely
| differently. I.e. that perhaps Mudge's alleged failure was
| "not playing ball" regardless of what the particular game
| might have been in that corporate environment, at that
| particular time, under/beside those particular execs.
| ShroudedNight wrote:
| I also only have public information, but the sense I've gotten
| was that Twitter had an embarrassing problem, with high-profile
| accounts being compromised, and Jack personally hired Mudge to
| fix it, with Mudge reporting directly to Jack. This set up
| Mudge to essentially be the parental supervision for Parag,
| which chafed / pissed Parag off. Then, when Parag became CEO,
| Mudge was out, having not accomplished much because Parag was
| actively hostile to the interference.
|
| Again, conjecture based on what I could extract from the froth,
| but mundane enough for me that alternatives (shocking displays
| of X) start requiring extraordinary evidence.
| grouchomarx wrote:
| This. Parag's retaliation for having his toes stepped on
| tschellenbach wrote:
| Zatko reported directly to the CEO, as a senior leader you need
| to take responsibility for your own work. Does anyone believe
| that in an organization as large as Twitter he didn't have enough
| resources to solve this? I imagine his budget ran in the tens of
| millions.
| ctrlmeta wrote:
| I can very much believe it. A CEO can, if they play their cards
| right, block the CTO from accomplishing what the CTO set out to
| do. Budget is not the problem. Approvals and alignment with
| board members are the problems. And if the CTO still decides to
| push forward, the CEO can still fire the CTO for
| underperformance which is exactly what you see in this story.
| [deleted]
| tschellenbach wrote:
| They could. But if someone has a cost effective plan to
| improve security, that's feasible to execute, why would they
| block it? It doesn't make sense, security issues are
| important and can cause damage to the business. Their CEO is
| an engineer, he knows this.
|
| It seems more probable that this security leader failed to
| get buy in from the engineering teams, or that there was some
| technical debt that he couldn't get past.
| crow_t_robot wrote:
| When is mudge going to audit tesla/spacex for "non-compliant
| kernels", "encryption at rest", etc, etc?
|
| Everyone in this shameful industry knows that literally any
| company in the US would get shredded in such a vigorous audit and
| the silliest part is that twitter is a fucking shitposting
| platform that doesn't have my SSN or financial data so equating
| it to equifax in any way is absolutely laughable.
| honkler wrote:
| It does have your phone number though.
| josephh wrote:
| Please speak for yourself.
| [deleted]
| vagabund wrote:
| I wish CNN would just air their interview in full instead of
| splicing his answers into 5 second soundbites with editorialized
| voiceover framing. I'm infinitely less interested in CNN's
| reporter's summation of the issue than that of the veteran
| security analyst at the heart of the story.
| agentultra wrote:
| I still think liability is the tool that will change how we
| approach security.
|
| Right now breaches don't cost much and cause a lot of harm.
| Companies have no incentive to drive the speed limit and listen
| to their engineers.
| Simon_O_Rourke wrote:
| OK, so their security is a mess, as many commenters have pointed
| out, they are one of many companies.
|
| What I can't figure out is what's this guy's beef that he went
| revealing all this? Was he fired or demoted or something and
| thought to get his own back?
| detaro wrote:
| Look at Mudge's track record. He didn't become a security
| legend by staying quiet about problems, and if Twitter wasn't
| willing to address it internally...
| carvking wrote:
| "Zatko says, he believes he is doing the job he was hired to
| do for a platform he says is critical to democracy. "Jack
| Dorsey reached out and asked me to come and perform a
| critical task at Twitter. I signed on to do it and believe
| I'm still performing that mission," he said."
|
| Seems like a legit answer.
| aliqot wrote:
| Everyone should watch L0phts congressional testimony.
| criddell wrote:
| Why assume the whistleblowing was done for negative reasons?
| stuckinhell wrote:
| The bot problem is an absolute nightmare issue for a social
| network. I can't imagine what I'd do if I discovered my network
| was fake. The whole point of my network is building professional
| connections and gaining skills for work.
|
| Also seeing various weird topics on twitter like kpop or other
| random things always made me wonder how much artificial bot
| boosting was done for those who had money to pay the bot net.
| debacle wrote:
| I run a relatively large social media group. We have a
| following of about 10k.
|
| Even with FB's automated tools (which are surprisingly good),
| we still have to "prune" ~10 bot accounts per day.
|
| If we weren't strict about this, in a year 25% of our group
| would be bot accounts.
| the_lonely_road wrote:
| FYI Kpop is "very" popular in some segments of American culture
| that you just might not cross over with. I experience it
| frequently in the "Team Fight Tactics" ecosystem which is an
| E-Sport run by Riot Games (of League of Legends fame) that for
| some reason contains a very large Asian American population (in
| relation to their % of the population) and all of them
| frequently stream Kpop to large audiences. The largest streamer
| for this game "K3Soju" is one of the top 10 streamers on Twitch
| frequently pulling in over 20,000 viewers. All of these people
| are very active on Twitter. I point this out because I doubt
| things like this going viral on Twitter are necessarily the
| result of bot networks instead of just the result of corners of
| the internet that we don't encounter.
| upupandup wrote:
| what I find peculiar about the kpop crowd is how they
| seemingly appear out of nowhere and on-demand in political
| topics to drown out/cancel people who don't like them or
| share their values.
|
| In Korea a blogger was able to see how BTS fans or "bots"
| were able to game the music ranking. What's interesting to me
| is how they seemingly correlate with wumaos as well.
|
| I don't have solid evidence but it appears that much of the
| "stan" (kpop mob on social media) are very much politically
| aware and push a certain side of the spectrum.
|
| All of this makes for some bizarre dynamics and I'm afraid
| that youngsters who are caught up in the craze don't know
| that they are being manipulated by a very large crowd that
| behaves in a bot-like way or are herded into specific
| political flashpoints without understanding the underlying
| nuances.
| the_lonely_road wrote:
| Is this not a generic phenomenon though with no specific
| relation to Kpop? I was involved in campus recruiting a
| decade ago and remember distinctly all of the deep
| discussions the students were having about Kony2012 and
| what they should do about it during the recruiting dinners.
| How and why these political flash mobs form online doesn't
| seem well understood and will no doubt spawn dozens to
| hundreds of papers over the next few decades examining it.
| PuppyTailWags wrote:
| I think youngsters are very nuanced, actually, but their
| political tactics are adapted to a full acknowledgement of
| an algorithm as a player in the political landscape game.
| Take the teenager who took being dunked on by a republican
| politician for being fat and used it to make herself viral
| in raising like 700k for abortion. That's not a kid who is
| caught up in a craze-- that's a kid who is fully aware of
| how social media functions and is using it to politically
| outmaneuver opponents. I think they look bizarre, but
| that's because the landscape they have to "win" in is
| bizarre. The incentives are twisted and the genz know it.
| upupandup wrote:
| hmmm I don't know about those particular examples, seem
| pretty clear cut, and I recognize that they are aware of
| how to play the game. But what I mean is that certain
| special interest groups that overlap with foreign
| interests seem to be able to continue the youngest and as
| you put it, the most "apt" userbase to proliferate
| messaging and goals of that collective.
|
| For example, tiktok was recently outed to run keyloggers,
| and those genz who are "stanning" are also likely sending
| back all these crucial data points. This is not a
| conspiracy theory but the very reality that we are
| dealing with that those who do not share our values and
| way of life are able to not only cast a wide surveillance
| of its most vulnerable demographic but manipulate reality
| for them in all sorts of ways to identify "enemies of the
| movement" and overwhelm them.
|
| What disturbs me most is that there is this disjointed,
| water-and-oil dynamism between the two political
| spectrums engaged in this toxic social media warfare
| aimed at sowing discord and turning its masses to feel
| ill, with society, stability and question everything we
| have.
|
| It is this unwitting participation by the genz of the
| grander ulterior motives and agendas highlighted by
| special interest groups that have overlapping values with
| foreign states that know what strings to pull and the
| silence in response that worries me.
|
| America's hostile nations know they cannot beat it
| militarily and they have developed very imaginative and
| creative asymmetric solutions to subvert and sabotage it
| from within, and the current state of this side vs that
| side makes it impossible to formulate a collective
| bipartisan response to steer the ship in the right
| direction.
|
| We are not taking this issue of weaponized social media
| seriously and we see this first hand by how little
| enforcement/recourse there is for data privacy breach. We
| know that privacy of the individual is one of THE key
| pillars of open society and unfortunately the waters are
| murky and there is no guidance anymore.
|
| In a few decades we will see what the result of this
| trojan horse experiment is but the current trajectory is
| not looking good. Gen Z suffer from the highest rate of
| mental health issues, have access to unprecedented amount
| of information and foreign subversion. When I realized
| your own flag is becoming a symbol of hatred, we reached
| a potentially irreversible stage of complexity and with
| that only increases risks.
| winternett wrote:
| People don't do that unless they are paid somehow. It's
| organized activity if you search properly under each time
| it trends... One or a few accounts will post a keyword or
| phrase, and then all the subsequent accounts will
| constantly post with the words spelled exactly the same.
| Twitter suppresses coordinated activity from many other
| accounts, and it's against their rules, but somehow they
| allow it to go on regularly for certain topics like KPOP
| and BTS, and it results in a lot of streams and album sales
| only for whoever is trending.
|
| This is also likely why Twitter makes it very hard to
| scroll to tweets at the beginning of when a trend started,
| and why timestamps are not really shown for the beginning
| of a trend to the public.
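An added illustration, not part of this thread and not Twitter's own logic or data, of what a platform-side detector for the pattern described above (the same phrase posted verbatim by many distinct accounts within a short burst) could look like. The sample feed, account names, window size and account threshold are all constructed assumptions; a real deployment would tune them against labelled data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample feed (account, ISO timestamp, text); not real platform data.
SAMPLE_POSTS = [
    ("acct_001", "2022-08-23T10:00:00", "Stream the new album NOW #TrendingNow"),
    ("acct_002", "2022-08-23T10:00:40", "Stream the new album NOW #TrendingNow"),
    ("acct_003", "2022-08-23T10:01:10", "Stream the new album NOW #TrendingNow"),
    ("acct_003", "2022-08-23T10:01:30", "Stream the new album NOW #TrendingNow"),  # same account twice
    ("acct_004", "2022-08-23T10:02:00", "Stream the new album NOW #TrendingNow"),
    ("acct_005", "2022-08-23T10:02:45", "Stream the new album NOW #TrendingNow"),
    ("acct_006", "2022-08-23T10:03:30", "stream   the new album now #trendingnow"),  # case/whitespace only
    ("acct_010", "2022-08-23T10:00:30", "loved the concert tonight"),
    ("acct_011", "2022-08-23T10:05:00", "loved the concert tonight!!"),              # organic, not verbatim
    ("acct_020", "2022-08-23T10:00:00", "buy my mixtape"),                            # one account repeating itself
    ("acct_020", "2022-08-23T10:01:00", "buy my mixtape"),
    ("acct_020", "2022-08-23T10:02:00", "buy my mixtape"),
    ("acct_020", "2022-08-23T10:03:00", "buy my mixtape"),
    ("acct_020", "2022-08-23T10:04:00", "buy my mixtape"),
    ("acct_030", "2022-08-23T09:00:00", "happy birthday!"),                           # many accounts, spread over hours
    ("acct_031", "2022-08-23T11:00:00", "happy birthday!"),
    ("acct_032", "2022-08-23T13:00:00", "happy birthday!"),
    ("acct_033", "2022-08-23T15:00:00", "happy birthday!"),
    ("acct_034", "2022-08-23T17:00:00", "happy birthday!"),
]


def normalize(text: str) -> str:
    """Case-fold and collapse whitespace. Spelling and punctuation are kept on
    purpose: the signal being looked for is verbatim repetition."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def detect_coordination(posts, window_seconds=600, min_accounts=5):
    """Flag each text that at least `min_accounts` distinct accounts posted
    verbatim inside some window of `window_seconds`. One record is returned per
    flagged text, carrying the largest burst found and its earliest poster."""
    by_text = defaultdict(list)
    for account, ts, text in posts:
        by_text[normalize(text)].append((datetime.fromisoformat(ts), account))

    flagged = []
    for text, items in by_text.items():
        items.sort()                      # by timestamp, then account
        best = None
        left = 0
        for right in range(len(items)):   # sliding time window over the sorted posts
            while (items[right][0] - items[left][0]).total_seconds() > window_seconds:
                left += 1
            accounts = {acct for _, acct in items[left:right + 1]}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > best["accounts"]):
                best = {
                    "text": text,
                    "accounts": len(accounts),
                    "account_ids": sorted(accounts),
                    "seed_account": items[left][1],        # earliest poster in the burst
                    "window_start": items[left][0].isoformat(),
                    "window_end": items[right][0].isoformat(),
                }
        if best:
            flagged.append(best)
    return flagged


if __name__ == "__main__":
    for hit in detect_coordination(SAMPLE_POSTS):
        print(hit)
```

Counting distinct accounts rather than posts is what separates a coordinated burst from one account spamming, and the time window is what separates it from a phrase that is simply common; widening the window to ten hours makes the "happy birthday" group trip the same rule, which is the false-positive trade-off an operator has to tune.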
| klausa wrote:
| This is the most tinfoil hat way to misunderstand young
| people I've ever seen.
|
| People absolutely do that, just because they think it's
| fun.
| winternett wrote:
| The KPOP spam is regularly littered with bot accounts posting
| the same comments regularly.
|
| If you have a platform as prominent as Twitter, making it onto
| the trending timeline can be very profitable for musicians. The
| same major industry artists regularly trend on Twitter because
| they command most of the profit, and then often use a
| percentage of that for paid and bot promotion. It's just my
| opinion, but Twitter facilitates and permits that bad behavior
| regularly because they profit off of the activity too.
|
| There is not much more frustrating than being a creator or
| artist and competing with major industry forces that have
| unlimited funding and internal contacts within Twitter that
| ensure that trending is on rails daily. It's not only bots,
| it's the sponsored and sanctioned control of what trends that
| is a hallmark of the platform.
| solarkraft wrote:
| > The whole point of my network is building professional
| connections and gaining skills for work
|
| And you're afraid of getting interesting insights from and
| interacting with bots ... ?
| stuckinhell wrote:
| Well if a Bot could recommend me for a job, I'd feel
| different.
| latchkey wrote:
| Amazing how little has changed in 20 years...
|
| https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-...
| Signez wrote:
| This excerpt is frightening:
|
| > About half of the company's 500,000 servers run on outdated
| software that does not support basic security features such as
| encryption for stored data or regular security updates by vendors
| sylens wrote:
| I think it's also important to recognize how much of a "check
| the box" security control encryption at rest has become for
| many vendors/GRC teams. A lot of times, the encryption at rest
| control only has the capability to prevent somebody from
| physically detaching the disk and trying to mount it with their
| own machine and access the data that way. In a world where many
| companies now run their workloads on public cloud providers who
| keep their hardware in distributed cages in secure datacenters,
| this isn't the security control many assume it is.
|
| If you're trying to prevent an actor who has gained a foothold
| on a box/network from seeing plaintext data that is actually in
| use by the actual production system at that very moment, you're
| looking for a much stronger type of control - probably some
| sort of client-side encryption or obfuscation/tokenization
| tppiotrowski wrote:
| I wonder if they're running Ubuntu on 32-bit hardware
| raverbashing wrote:
| or RHEL 6
| taf2 wrote:
| RHEL5 more likely based on when twitter was founded
| discodave wrote:
| Hahahaha...
|
| Wait until you hear about the large cloud provider running
| RHEL5... (I worked at said provider).
| imron wrote:
| I wish this was a joke. I know of systems running
| multibillion dollar companies that are still using rhel6.
| kerng wrote:
| I wish companies generally would be more transparent - I'd
| imagine this be the norm at most companies.
| secondcoming wrote:
| Why bother hacking Twitter when it'd be cheaper to bribe an
| employee to get all the information you want:
|
| > allows too many of its staff access to the platform's central
| controls and most sensitive information without adequate
| oversight
|
| It'd be even easier if you find an employee who's on the same
| political team as you.
| Mindwipe wrote:
| The likelihood is that bad actors do.
|
| It's one of the reasons I disliked Twitter forcing the use of
| mobile numbers for 2FA, they're just not sufficiently
| trustworthy. And I have an account under my real name! If I
| were a political dissident etc that just feels like an insane
| idea.
| rightbyte wrote:
| It is also frightening that they need half a million servers.
| jonahbenton wrote:
| The JVM is a hungry beast.
| qualudeheart wrote:
| This is why smart people use C.
| hunter-gatherer wrote:
| C has such a bad rap with the HN crowd...
| memling wrote:
| > C has such a bad rap with the HN crowd...
|
| why?
| docandrew wrote:
| Can only patch so many buffer overflows, off-by-one
| errors, format string vulnerabilities, integer overflows,
| race conditions, use-after-free errors, etc, before it
| gets to be a bit tiring. Safer alternatives exist.
| hn_throwaway_99 wrote:
| It really doesn't. After all, many (most?) other
| languages like Java and JavaScript are implemented
| primarily in C and/or C++.
|
| Where it gets deserved opprobrium is that it has no
| memory safety features, and thus inherently contributes
| to gobs of security vulnerabilities, and there are safer
| alternatives now, like Rust.
|
| C is basically "portable assembly", and it's rarely the
| right tool for the job these days.
| encryptluks2 wrote:
| swores wrote:
| I think a comment of "smart people use <any language>"
| would be downvoted.
| UncleMeat wrote:
| An interesting statement in a thread about widespread
| security weaknesses.
| encryptluks2 wrote:
| First, servers generally run on operating systems. No one with
| any serious knowledge would use the phrase run on software.
| Second, does this guy have any actual tech knowledge at all? He
| doesn't list what operating system they are running or what
| security updates he is expecting. It doesn't sound great but I
| assure you I've probably seen worse on systems used by the
| literal federal government to conduct official business and
| store sensitive information on. All government cares about is
| having remediation plans in place.
| WatchDog wrote:
| Operating systems are software.
| thedougd wrote:
| My first thought was the hypervisor layer.
| vngzs wrote:
| > Second, does this guy have any actual tech knowledge at
| all? He doesn't list what operating system they are running
| or what security updates he is expecting.
|
| "This guy": https://en.wikipedia.org/wiki/Peiter_Zatko
| encryptluks2 wrote:
| Then he should be in an even better position to specify
| what the actual issues are in details and not some abstract
| garbage. You could summarize the information there as..
| "Momma, servers bad. Need encryption. Need updates."
| koheripbal wrote:
| They are intentionally vague for legal and security
| reasons.
| encryptluks2 wrote:
| What legal and security reasons exactly?
| batch12 wrote:
| Publishing a detailed report of infrastructure and
| specific CVEs would be irresponsible and malicious. If
| that is off the table the only thing left is ambiguity.
| Also, the audience is important. They are going for
| maximum outrage, not glassy eyes.
| jonahbenton wrote:
| The "does not support basic security features such as
| encryption for stored data" unquoted line of reporting is
| almost certainly not what Mudge wrote and is likely not
| literally true.
|
| That 500k servers in Twitter infra are missing patches
| certainly is true and what was likely in the original was a
| statement that stored data that should have been encrypted at
| rest was not, and/or that acceptable standards for data at rest
| encryption, a relatively rapidly moving freight train, were not
| maintained.
| akkartik wrote:
| No need to speculate, thanks to the links provided by mzs at
| https://news.ycombinator.com/item?id=32562815#32564900
|
| From https://www.washingtonpost.com/technology/interactive/20
| 22/t..., page 6:
|
| _"..more than half of Twitter's 500,000 servers are running
| out-of-date operating systems so out of date that many do not
| support basic privacy and security features and lack vendor
| support. More than a quarter of the 10,000 employee computers
| have software updates disabled! More than half of Twitter
| employees have access to Twitter's production environment --
| unheard of in a company the age and importance of Twitter,
| where nearly all employees have access to systems or data
| they should not. At Twitter engineers work on live data when
| building and testing software because Twitter lacks testing
| and stage environments; work is conducted instead in
| production and with live data.._
|
| _"This did not happen overnight. To get where Twitter is
| today took.. many years.. required repeated downplaying of
| problems, selective reporting, and leadership ignorance
| around basic security expectations and practices."_
| hn_throwaway_99 wrote:
| I have discovered that there are vastly different definitions
| of "encryption for stored data" that can mean critically
| different things for security.
|
| One definition is "the underlying disk is encrypted". This is
| true, by default, of virtually all cloud environments these
| days. But it really only protects you against physical access
| to the storage media, which actually is far from the top
| threat.
|
| The other, more useful/meaningful definition, is "we encrypt
| everything at the application layer _before_ it is placed
| into the DB, and all decryption requests are logged by user
| ". For example, using an envelope encryption scheme to
| encrypt data before it is stored in a DB, and upon retrieval
| decrypting the data with a call to something like KMS. In
| that environment you can literally give readonly DB access to
| all your developers and not have to worry about PII being
| exposed. If hackers somehow got access to your DB, they
| wouldn't be able to read sensitive data, and if they also
| managed to get access to your KMS credentials, any attempts
| to decrypt the data would be tracked and logged.
|
| My point is that when many companies say "we encrypt your
| data", they are usually just talking about the first thing,
| but that doesn't really provide that much additional
| security. The second definition is really what you should be
| doing.
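An added example, not code from this thread, from Twitter, or from any cloud provider, of the second definition above and of the client-side control sylens described earlier in the thread: records are encrypted at the application layer under a per-record data key, that data key is wrapped by a key-management service which never releases its key-encryption key, and every unwrap is logged with the caller's identity. `MockKMS`, `UserStore` and the caller names are assumptions made for the example, and the stdlib `toy_encrypt`/`toy_decrypt` pair stands in for a real AEAD such as AES-GCM so that the block runs without third-party packages.

```python
import hashlib
import hmac
import secrets


# --- Toy authenticated cipher (stdlib only) --------------------------------
# Assumption: this stands in for a vetted AEAD such as AES-GCM. HMAC-SHA256 in
# counter mode supplies the keystream; a second HMAC over nonce||ciphertext is
# the authentication tag (encrypt-then-MAC with separate sub-keys).
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


# --- Mock key-management service -------------------------------------------
class MockKMS:
    """Simplified model of a cloud KMS (assumption). It holds the key-encryption
    key, never releases it, and audit-logs every unwrap request by caller."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.audit_log = []

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the KEK)."""
        dek = secrets.token_bytes(32)
        return dek, toy_encrypt(self._kek, dek)

    def decrypt_data_key(self, wrapped_dek: bytes, caller: str) -> bytes:
        self.audit_log.append({"caller": caller, "wrapped_dek_prefix": wrapped_dek[:4].hex()})
        return toy_decrypt(self._kek, wrapped_dek)


# --- Application-layer encrypted store --------------------------------------
class UserStore:
    """Rows hold only ciphertext plus the wrapped DEK, so a read-only database
    grant exposes no PII; reaching plaintext has to go through the KMS."""

    def __init__(self, kms: MockKMS):
        self.kms = kms
        self.rows = {}

    def put_email(self, user_id: int, email: str) -> None:
        dek, wrapped = self.kms.generate_data_key()   # one DEK per record
        self.rows[user_id] = {"email_ct": toy_encrypt(dek, email.encode()), "wrapped_dek": wrapped}

    def raw_row(self, user_id: int) -> dict:
        """What a developer with read-only DB access sees."""
        return self.rows[user_id]

    def get_email(self, user_id: int, caller: str) -> str:
        row = self.rows[user_id]
        dek = self.kms.decrypt_data_key(row["wrapped_dek"], caller)  # this call is audit-logged
        return toy_decrypt(dek, row["email_ct"]).decode()


def demo() -> dict:
    """Round-trip a constructed sample record and report what each path sees."""
    kms = MockKMS()
    store = UserStore(kms)
    store.put_email(42, "alice@example.com")           # constructed sample PII
    raw = store.raw_row(42)
    pii_visible = b"alice" in raw["email_ct"] or b"alice" in raw["wrapped_dek"]
    email = store.get_email(42, caller="support-portal")
    # A one-bit change to the stored ciphertext must fail authentication, and the
    # unwrap attempt still lands in the KMS audit log under the caller's identity.
    ct = raw["email_ct"]
    tampered = ct[:16] + bytes([ct[16] ^ 1]) + ct[17:]
    try:
        toy_decrypt(kms.decrypt_data_key(raw["wrapped_dek"], caller="stolen-kms-credential"), tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"pii_visible_in_db": pii_visible, "decrypted": email,
            "tamper_detected": tamper_detected, "audit_log": list(kms.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The property the comment describes falls out of the structure rather than the cipher: the database never holds a usable key, so a dump of the table is opaque, and because the only way to plaintext is `decrypt_data_key`, the KMS audit log is a complete record of who read what. Full-disk encryption gives none of this, since the running system decrypts transparently for whoever can read the files.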
| antegamisou wrote:
| Wasn't it them that had a bug that exposed users' passwords in
| plain text a few years back?
| netsharc wrote:
| Just do it the Zuck way: "If you make an FB app, you can read
| all user's data and their friends' data, but click here to
| promise that you won't do that and you won't use the data to
| subvert democracies...".
| adrianmsmith wrote:
| To be fair this hasn't been the case for many years.
| m3kw9 wrote:
| Does Musk know Mudge?
| thesuperbigfrog wrote:
| "Twitter has hidden negligent security practices, misled federal
| regulators about its safety, and failed to properly estimate the
| number of bots on its platform, according to testimony from the
| company's former head of security, the legendary hacker-turned-
| cybersecurity-expert Peiter "Mudge" Zatko."
|
| "Zatko was fired by Twitter in January and claims that this was
| retaliation for his refusal to stay quiet about the company's
| vulnerabilities. Last month, he filed a complaint with the
| Securities and Exchange Commission (SEC) that accuses Twitter of
| deceiving shareholders and violating an agreement it made with
| the Federal Trade Commission (FTC) to uphold certain security
| standards. His complaints, totaling more than 200 pages, were
| obtained by CNN and The Washington Post and published in redacted
| form this morning."
|
| What a bombshell! Maybe Elon Musk's complaints about Twitter have
| more merit than anyone expected.
|
| What might the SEC and shareholders do in response?
| paulpauper wrote:
| _What a bombshell! Maybe Elon Musk's complaints about Twitter
| have more merit than anyone expected._
|
| Anything Elon or crypto related is still being spammed heavily
| with giveaway/impersonation bots. Nothing has changed. The
| spam/bot problem is as bad now as it has ever been, and likely
| is worse than assumed, because it includes not just obvious
| spam accounts, but legit accounts that have been taken over by
| spammers or repurposed for spamming. So there is a % of
| accounts which are obvious bots and then another % of accounts
| that exhibit bot-like behavior. Given how much time Elon spends
| on twitter and his first-hand experience with scammers using
| his name and spamming his comments, I think his assessment is
| probably more accurate compared to what twitter is claiming.
| zimpenfish wrote:
| > Maybe Elon Musk's complaints about Twitter have more merit
| than anyone expected.
|
| Not the bot complaints, anyway, because "failed to properly
| estimate the number of bots on its platform" has been covered
| off by Twitter's consistent "this is how we estimate by
| sampling, it's a finger in the air guess, could be right, could
| be miles off, there's no standard methodology for this" stance
| in their SEC filings since 2013 (which no-one has questioned
| until now, mind.)
| jdhn wrote:
| >What might the SEC and shareholders do in response?
|
| If shareholders believe this, they can do a variety of things
| such as sell the stock (smaller holders), or demand answers
| from leadership that go beyond "Yeah, we're secure" (bigger
| holders such as Saudi Arabia).
| mrex wrote:
| Some options that shareholders would have in the situation
| where investors were knowingly deceived by false disclosures
| of a publicly traded company are missing from this response.
| cj wrote:
| Namely, the ability for shareholders to sue Twitter.
| sroussey wrote:
| Their disclosures are similar to this: we check for bots,
| use a process, the process could be wrong.
| mrex wrote:
| Mudge alleges that their disclosures were a less than
| good faith attempt to gauge the figure.
|
| Mudge also raises a number of allegations not pertaining
| to bots, including that Twitter has deliberately failed
| to abide by the terms of a federal consent decree. If
| proven out, that fact alone would constitute a material
| adverse effect.
| philipov wrote:
| His complaints don't hold merit because he entered into a
| binding agreement to buy Twitter after waiving due diligence
| rights. Zatko was fired in January. Musk had and waived his
| chance to discover these things. It's too late now.
| mrex wrote:
| >waiving due diligence rights
|
| Pop legal quiz - does "waiving due diligence rights" during an
| acquisition remove the other party's liability for fraud
| they've committed against the prospective buyer?
| silent_cal wrote:
| I think this is spot on - it's still possible to make the
| contract voidable if you misrepresent what you're selling.
| zimpenfish wrote:
| > the other party's liability for fraud
|
| What fraud though?
| mrex wrote:
| The fraud that Mudge alleges in this article, for
| instance?
| KerrAvon wrote:
| We're missing the connection to Musk here. Care to
| enlighten us about your theory?
| [deleted]
| mrex wrote:
| There seems to be the impression that "waiving due
| diligence" in an acquisition is some license for the
| seller to defraud the potential buyer without recourse.
|
| If Mudge's allegations are true that Twitter has been
| defrauding the public in their reporting, failing to
| abide by the terms of a federal consent decree, and
| generally turning a blind eye to real problems to prop up
| their image, then "waived due diligence" or not, Musk has
| an out from the acquisition, and cause for a significant
| tort claim.
| KerrAvon wrote:
| Pop legal quiz - define << fraud >>.
|
| Musk literally tweeted about the << bot problem >> on
| Twitter before the acquisition.
| mrex wrote:
| "All multifarious means which human ingenuity can devise,
| and which are resorted to by one individual to get an
| advantage over another by false suggestions or
| suppression of the truth. It includes all surprises,
| tricks, cunning or dissembling, and any unfair way which
| another is cheated."
| philipov wrote:
| So is Musk guilty of defrauding twitter by using
| aggressive acquisition tactics as a pretense to get
| access to internal nonpublic information to use against
| them?
| mrex wrote:
| The only honest answer I can give there is, "I don't
| know". So far as I'm aware, Twitter hasn't alleged that,
| no evidence has been presented supporting such an
| allegation, and generally it seems a heavy burden to
| present a court with convincing evidence of a
| conspiratorial theory like that, but I can't
| categorically say what Elon Musk's motives weren't.
| sroussey wrote:
| Not only that, it seemed like a reason he wanted to buy
| Twitter.
| golemotron wrote:
| Why is CNN doing investigatory journalism now?
| jwogrady wrote:
| saagarjha wrote:
| Seems like Twitter loves going through the cycle of getting
| hacked-hiring good talent and focusing on security-losing people
| and focus-relaxing their stance-getting hacked :(
| LatteLazy wrote:
| I'm starting to think social media might not be the best system to
| store my personal data, maintain our democracy and protect
| national security...
| winternett wrote:
| Honestly, can you really trust anything about major social media
| sites any more?
|
| Has Twitter ever been in the news for properly making even a
| thousand people successful from scratch really ever in the
| product's life?
|
| They have pipelines of exploitation for everyone that gets
| "discovered" into contractual nightmare deals, they require tons
| of free labor and costly hurdles just to become notable and
| visible on the platform, they extort people promoting their
| independent work for ad money, they don't protect anyone's
| privacy, they are VERY MANIPULATIVE in multiple (psychological)
| ways, they offer very little support or fairness when accounts
| are compromised, hijacked, or stolen, and they impose a
| stranglehold on information through lobbies and suppression of
| independent art and music.
|
| Social media took over the Internet after they wooed everyone
| into the ideal that they would operate fairly. Now that they have
| captured full attention, they have turned on users and they offer
| very little to anyone who doesn't pay, and can't offer reliable
| security to anyone. There are some serious "God Complexes" going
| on with having access to the personal data these systems harvest
| ON EVERYONE in conjunction with mobile devices.
|
| I really hate to say it would actually probably make me feel
| better if most of the large data monitoring sites/apps went away
| rather than stayed in place, because they make almost every
| aspect of the Internet work against us all.
|
| Twitter has had several opportunities to fix how it operates. The
| platform also generates tons in annual revenue to fix how it
| operates. Twitter has lots of employees that could fix how it
| operates. Twitter has also had numerous security breaches, and it
| regularly causes tons of stress for users. Twitter continues to
| focus on only pleasing its sponsors, investors, and execs year
| after year and repeatedly stretching the promises it was built
| upon.
|
| I can't say I want to see this whale fail, but I won't miss it if
| it does.
| djbusby wrote:
| > only pleasing its sponsors, investors, and execs
|
| Yea, that's the game. They are a for profit business. This
| situation will happen every time. Profits over people, line
| must go up!
| the_doctah wrote:
| Yes and part of the profits are generated by their fake MAU
| numbers (bots). They are fraudulent above all else.
| survirtual wrote:
| I think it is clear we need more public regulation over these
| companies, and a lot of the mechanisms need to be embedded in a
| non-profit / social utility system, given they DIRECTLY impact
| politics. Anything that democracy is reliant upon should not be
| subject to private, opaque control.
|
| In the case of data harvesting, data is the most valuable
| resource. You can control what people want using data. No
| entity should have unfettered access to data -- it is
| undeniably evil in the truest sense of the word. Which, in the
| context of my use, means to decay forward progress or to
| increase aggregated suffering.
|
| They will not fix these issues until the public makes it so
| painful not to, that they must. As an example, how is Experian
| still in business after what they've done? They should have had
| a $100 billion+ fine levied against them, and that fine should
| pierce through limited liability to the extent that the board
| of directors and C-level staff are liable for it. The company
| and any owners of it should be bankrupted and living in poverty
| after what they've done.
|
| Until we make PEOPLE liable for the evils they induce on
| others, this will keep happening. I don't get limited liability
| if I went out and murdered someone, why should the PEOPLE
| running companies have limited liability when they murder
| millions with pollution, or with financial terrorism? Answer:
| they shouldn't.
| TeeMassive wrote:
| If it impacts politics then it is one more reason not to be
| regulated by politicians.
| winternett wrote:
| Government regulation spans further than just rules
| engineered by a few politicians, it can be publicly voted
| upon, and it can dictate minimum standards that are upheld
| across private business for everyone's safety, which in
| this case is highly warranted.
|
| It's the best chance we have to stop this horrible trend.
| Companies have shown repeatedly that they are not trust-
| worthy nor responsible enough to self regulate.
| TeeMassive wrote:
| > Government regulation spans further than just rules
| engineered by a few politicians, it can be publicly voted
| upon
|
| You're making a distinction without making a difference.
| Regulating public forums for their content outside of
| illegal content has never been not abused. The UK is
| learning this the hard way with the police "checking the
| thinking" of netizens.
|
| If you think companies are bad, then imagine politicians.
| I can switch off to another social media but I can't
| switch out to another state.
| mschuster91 wrote:
| > They have pipelines of exploitation for everyone that gets
| "discovered" into contractual nightmare deals, they require
| tons of free labor and costly hurdles just to become notable
| and visible on the platform
|
| For what it's worth, as someone running a high-five-digits
| account, it is possible to get notable on Twitter - you just
| have to put in a ton of work to make quality content people are
| actually interested in.
| winternett wrote:
| Sure... In order to build a house, you just need to bring
| your motivation... And lots of time... And money... to hire
| an architect and an entire home building company... Without
| having any income the whole time...
|
| Hard work for free does not make sense in this type of post-
| pandemic world we live in... It's too "Marie Antoinette-
| esque" of people to say it's anywhere near reasonable.
| jdminhbg wrote:
| > Twitter continues to focus on only pleasing its sponsors,
| investors, and execs year after year
|
| I mean, it's not really doing a good job of any of that either.
| Beldin wrote:
| > _Has Twitter ever been in the news for properly making even a
| thousand people successful from scratch really ever in the
| product's life?_
|
| There was the Arab Spring
| (https://en.m.wikipedia.org/wiki/Arab_Spring), where it played
| a significant role.
| kmeisthax wrote:
| The Arab Spring should have been looked at as a warning sign,
| but everyone in America was still in full-on neoconservative
| "we will be welcomed as liberators" mode. No private company
| should have the power to overthrow governments.
| BeFlatXIII wrote:
| > no private company should have the power to overthrow
| governments
|
| Go tell that to Raytheon and Blackwater as well.
| speeder wrote:
| I wouldn't consider that as the success op means...
|
| I mean, surely, some people were successful, but the success
| of warlords intending to genocide blacks in Libya or starting
| a new violent caliphate or kidnapping boys en masse to be
| child soldiers is not the sort of success I want to be
| enabled with technology.
| [deleted]
| NickC25 wrote:
| > Honestly, can you really trust anything about major social
| media sites any more?
|
| Could you ever trust them? Honest question.
| winternett wrote:
| Sure you could! (Back when they were new and they wanted to
| woo you as a user, and when features and functionality worked
| as expected)... Hah.
| rhexs wrote:
| From Wikipedia: "He was the most prominent member of the high-
| profile hacker think tank the L0pht."
|
| That's quite a generous take. There were plenty of excellent
| hackers in the 90s, but "L0pht" just seemed like the PR friendly
| one that could go on good morning America.
|
| Can't tell if this is real or just a 90s security person trying
| to stay relevant after being fired.
| [deleted]
| eatonphil wrote:
| Whether or not it was high profile before they went on talk
| shows and before congress... it's definitely a high profile
| (historic) group now because they went on talk shows and before
| congress. :)
|
| High profile doesn't mean best it just means high profile.
| bogomipz wrote:
| If this is true this would be particularly damning
|
| >Zatko's complaint says he believed the Indian government had
| forced Twitter to put one of its agents on the payroll, with
| access to user data at a time of intense protests in the country.
| The complaint said supporting information for that claim has gone
| to the National Security Division of the Justice Department and
| the Senate Select Committee on Intelligence. Another person
| familiar with the matter agreed that the employee was probably an
| agent.[1]
|
| [1]
| https://www.washingtonpost.com/technology/interactive/2022/t...
| kornhole wrote:
| This should get the attention of politicians who are probably the
| most active users of Twitter. Having their contacts, coms, and
| metadata such as phone location exposed and collected by
| adversaries is probably a concern for them and our entire
| political system. Recall how J Edgar Hoover was collecting dirt
| of every politician to blackmail them to keep his agency funded
| without oversight. Twitter would have been a wet dream for him.
| tdeck wrote:
| I did wonder about this ever since the Ahmad Abouammo story
| broke. How did a media partnerships manager have access to so
| many random users' private info? That stank of poor access
| controls:
|
| https://www.justice.gov/opa/pr/former-twitter-employee-found...
| keepquestioning wrote:
| This guy is obviously paid off by Elon
| dehrmann wrote:
| After the Peter Thiel/Hulk Hogan incident, and especially
| considering Musk and Thiel are both Paypal mafiosi, it's quite
| possible.
| seydor wrote:
| Twitter is like, the 7th season of "Silicon Valley"
| kyrofa wrote:
| Is it just me, or does some of this feel less whistleblower-y and
| more petty? For example:
|
| > The company also lacks sufficient redundancies and procedures
| to restart or recover from data center crashes, Zatko's
| disclosure says, meaning that even minor outages of several data
| centers at the same time could knock the entire Twitter service
| offline, perhaps for good.
|
| That said, this is Mudge. I have a lot of respect for the guy,
| and I believe what he says. I'll chalk the pettiness up to this
| article being a summary of a more complete document that I'd like
| to read at some point.
| MuffinFlavored wrote:
| It doesn't help that he's a "disgruntled employee who was
| fired".
|
| I added that "disgruntled" part but... who gets fired for poor
| performance and doesn't become at least slightly disgruntled?
| Sebb767 wrote:
| Someone who's happy with his employer is not going to become
| a whistleblower, so this isn't really an argument against him
| but more so against whistleblowers overall. And it's quite
| safe to say that we had a lot of important facts uncovered by
| whistleblowers.
| chipgap98 wrote:
| > The company also lacks sufficient redundancies and procedures
| to restart or recover from data center crashes, Zatko's
| disclosure says, meaning that even minor outages of several
| data centers at the same time could knock the entire Twitter
| service offline, perhaps for good.
|
| I mean if it were true that seems pretty negligent. If that
| were the entire extent of the whistleblower complaint (not sure
| if complaint is the right term?), I would agree, but it seems
| as though there are some significant issues raised in the rest
| of the report.
| kyrofa wrote:
| I dunno, pointing out that something has a poor architecture
| and pointing out that something has severe, known, and
| ignored security issues feels different.
| jnwatson wrote:
| Availability is the A in the CIA triad. DR and resilience
| in general is part of security.
| mzs wrote:
| Knocking-out twitter (used by journalists and govs) during
| a crisis IS a security concern.
| yupper32 wrote:
| A security concern for the governments, not twitter. It's
| not twitter's fault that governments are using it as a
| primary form of communication, nor should it be their
| responsibility to have amazing uptime just because
| governments are using their platform.
| Willish42 wrote:
| It's a national security concern (and international?) if
| Twitter can be compromised by nefarious actors and/or
| brought down via said compromised access. The idea that
| this isn't worthy of whistleblowing because Twitter is a
| corporation is insane. There are countless examples in
| the last year of Twitter being used for communication
| during a crisis.
| riffic wrote:
| for a company that likes to speak of itself as being a valuable
| piece of communication infrastructure (it isn't, Twitter's a
| website), this is pretty concerning and shows a lack of
| seriousness compared to oh, say, the Bell System.
|
| Gov (a term that ranges from your head of state down to your
| county dog-catcher) needs to get off these services asap.
| Twitter, TikTok, Instagram, FB are all modern versions of your
| old AOL Keyword.
|
| Today we have ActivityPub, a W3C recommendation, which would be
| a great alternative.
| maximilianburke wrote:
| I don't think it's petty; availability of data and systems is a
| core component of security design.
| Tainnor wrote:
| It's important not to forget that certain Twitter users share
| incredibly sensitive data over Twitter, increasingly including
| nudity and sexual acts (sometimes on private profiles or in DMs,
| so they're not meant to be public).
|
| While one may (not wrongly) think that this is a bad idea in
| general (unless you subscribe to post-privacy), I think it is our
| duty as a society to protect those who don't have a full grasp on
| the implications of bad IT security.
|
| In my opinion, fines for cyber security violations should be
| swift and harsh (GDPR goes in the right direction in terms of how
| high the fines are, but it is barely enforced). From my POV that
| is the only thing that will force companies to actually invest in
| cybersecurity. Maybe there should even be a law mandating
| security reviews if you handle any PII.
| boomboomsubban wrote:
| >one or more current employees may be working for a foreign
| intelligence service.
|
| I don't doubt this, but the source is someone with fairly deep
| ties to the US intelligence services. Why should he be allowed a
| job and not people with ties to foreign agencies?
| throwaway0asd wrote:
| Conflict of interest violations. Such violations are absolved
| through disclosure of known relationships, which cannot occur
| if persons are keeping ties to foreign intelligence services
| secret.
| boomboomsubban wrote:
| Is maintaining ties with US intelligence services a conflict
| of interest?
| hibikir wrote:
| I don't believe that what Mudge is saying there is all that
| well quoted or explained. The argument I've heard him make, in
| other settings, is that companies that are interesting enough
| will get job applicants that are really moles for intelligence
| agencies. This is very difficult to stop, and once your company
| has enough employees, downright impossible. His recommendation
| however is not to make it impossible for people with ties to
| foreign agencies to join the company. Instead, it's to minimize
| the access that any individual mole might have. This would also
| apply if you consider US intelligence an attacker!
|
| TLDR; Someone like Twitter, Google or Facebook should have
| 'some of our employees are malicious and sophisticated' as part
| of their threat model.
| criddell wrote:
| > companies that are interesting enough will get job
| applicants that are really moles for intelligence agencies
|
| Or they will use money or kompromat to turn existing
| employees.
| blitzar wrote:
| > Someone like Twitter, Google or Facebook should have 'some
| of our employees are malicious and sophisticated' as part of
| their threat model.
|
| I would estimate there is a 100% chance that every one of
| those companies listed, has multiple employees who work for
| or are sources for US domestic and foreign intelligence
| services.
|
| It should be expected and part of their internal systems that
| people only have access to the shared drives they are meant
| to.
| edgyquant wrote:
| >estimate there is a 100% chance that every one of those
| companies listed, has multiple employees who work for or
| are sources for US domestic and foreign intelligence
| services
|
| What are you basing this on?
| lkjwlk wrote:
| jrm4 wrote:
| Ah yes, came for the obvious response which I essentially do see
| here. Cybersecurity is awful at twitter, but that's because
| cybersecurity is awful everywhere.
| [deleted]
| Hamuko wrote:
| How long before Musk weaponises this in his lawsuit against
| Twitter?
| michaelwilson wrote:
| It may appear that this may get Musk off the hook for buying
| Twitter because "Look how bad they are!" but, as I recall,
| Musk's problem is that his offer was without contingency -
| e.g. "Yah, I'll buy it, whatever".
|
| So it may just be another event which will drive Twitter's
| price down even further and make it a _worse_ deal for him.
|
| From Bloomberg "The buyers could only back out of the agreement
| in the case of a material adverse effect, a high bar that
| excludes issues like market volatility or industry challenges."
| (https://www.bloomberg.com/news/newsletters/2022-07-13/elon-m..
| .).
|
| I suppose one could argue that the Whistleblower's report is
| a "material adverse effect", something I'm sure will come out in
| the trial.
| nudpiedo wrote:
| I think it is time to go a bit Meta here, but I start to
| suspect that many HN posts are to influence such things,
| including popular replies to @pmarca etc... when one says
| Netflix falls because it is not a tech company, the next day at
| HN comes an article saying how cool and techie it is, etc.
|
| The reach of HN on the tech world is highly influential, and
| for sure it is weaponized in "communication wars" across actors
| with different interests.
|
| EDIT: that doesn't mean that the given information is
| necessarily false, it is just presented at the right time, to
| promote one view of the world. Also when Twitter hit bottom
| some years ago several HN submissions reminded us how they
| declined being purchased by Facebook etc, and social network
| giants have a large track of understanding how such information
| flows and influences people.
| lapcat wrote:
| October 17
| boffinAudio wrote:
| How long before people start conflating this story with Musk in
| an attempt to discredit both, you mean?
| beeboop wrote:
| The modern equivalent of Godwin's law is mentioning either
| Tr*mp or El*n in any circumstance possible.
| bombcar wrote:
| https://twitter.com/deitaone/status/1562069657582018560
|
| So about a few hours.
|
| Walter Bloomberg (@DeItaone): ELON MUSK'S LEGAL TEAM HAS
| SUBPOENAED PEITER "MUDGE" ZATKO, TWITTER'S FORMER HEAD OF
| SECURITY - CNN (8:30 AM, Aug 23, 2022, via TweetDeck)
| bastardoperator wrote:
| If it's your job to address specific issues and you fail to do
| that, how is that whistleblowing? If this person can't prove they
| were blowing whistles before termination, well, that's a lot of
| egg to wear on one's face.
| [deleted]
| purpleblue wrote:
| Millennials and GenZ may have no idea who Mudge is. I, however,
| almost lost my first job out of college at a bank because I ran
| l0phtcrack against our Windows NT 4 server to see if it could
| crack passwords. I showed my boss, and he pulled me aside into
| another room and tore my head off for irresponsibly running this
| tool against a production server. He said I could have been fired
| if this got out, but he covered my ass, sent out an email
| requesting everyone reset their passwords, and let me continue
| working. I learned a good lesson because even though my
| intentions were good, and it did expose security issues, it was a
| bit immature and should have been done in a more controlled
| manner along with the proper clearances.
|
| Mudge knows the implications of "whistleblowing". He has been a
| security consultant and even testified to Congress. He's not some
| noob that doesn't understand security or how systems work
| together to provide services like disclosure to FTC. The idea
| that Twitter PR can pooh-pooh away his concerns is shockingly
| stupid.
|
| I think Twitter is in real trouble here.
| Consultant32452 wrote:
| That's a funny story. I have a similar anecdote where I was
| asked to crack a zip file in a saga related to a dispute with a
| vendor who gave us a password protected zip file with the
| deliverables but not the password.
|
| Those were wild times.
| ChrisArchitect wrote:
| l0phtcrack? "Now that's a name I've not heard in a long time."
| Wow I thought the name Mudge seemed slightly familiar.
| shagie wrote:
| I think it was '96? I was working at Taos Mountain at the time.
| At that time, Taos had a reasonably close relation to Randal
| Schwartz ( https://www.oreilly.com/library/view/learning-
| perl-6th/97814... ) and he gave a talk for contractors which
| was titled "Just Another (convicted) Perl Hacker".
|
| In that talk he told of his time at Intel and running crack on
| a shiny new sparc and all the problems that caused.
|
| The focus of it was a "how not to get into trouble as a
| contractor".
|
| Somewhere, I've still got my pink camel book with duct taped
| edges (for durability) with his signature on the inside title
| page.
| webdoodle wrote:
| > I ran l0phtcrack against our Windows NT 4 server to see if it
| could crack passwords.
|
| Lol, did the same thing for a government entity I was working
| for, also without prior permission. It showed 1/4 of the people
| used the name of the entity as their password, including 2
| users with domain admin credentials. Both of the domain admins
| weren't even IT people; they were the director and his
| assistant, who demanded to be admins, because they were 'admin'
| within the org.
|
| In my case, I didn't get a scolding, but probably should have. As
| your prior boss said, it was not good to do it on a running
| production server. Now a restored backup running on a private
| network...
| datavirtue wrote:
| It's Twitter. What possible serious security implications could
| possibly warrant everyone in Washington getting into a frenzy?
|
| All you do is make public comments that have zero value.
|
| And if this is indeed serious, where the fuck have we landed?
| btown wrote:
| A well-timed set of tweets from compromised government and
| private-sector accounts, coordinated with real stock market
| activity planned by the attacker such that investors _cannot_
| ignore the rumors, could cause a geopolitically significant
| market panic. This already happened in 2013, and that was
| with just a single account being compromised:
| https://business.time.com/2013/04/24/how-does-one-fake-
| tweet...
| nradov wrote:
| In the long run that would be a good thing. It would be an
| object lesson that investors shouldn't believe anything
| they read on social media.
|
| Investors always have the option to ignore rumors.
| Sebb767 wrote:
| But investors also need to be quick to react if they want
| to make (serious) money. Ignoring a tweet from a verified
| account about a disastrous event is not reasonable at all
| in 99.9% of cases.
|
| What I'm trying to say is, you might be able to discredit
| Twitter, but you won't fix investors trying to invest
| ahead of the news.
| datavirtue wrote:
| OK, Twitter needs regulated then. Hardly a private going
| concern if you are right.
| gopher_space wrote:
| This won't fix the fragility of our economy. It would
| start a weird exit model for social platforms, though.
| Get big enough that the US buys you out.
| datavirtue wrote:
| Our economy is not fragile.
| k099 wrote:
| I can think of a few accounts that, with a single tweet,
| could move markets, inflame tensions, or kick off multiple
| cycles of misinformation. For many of these large,
| influential accounts, Twitter is effectively the same as an
| official press release.
| enumjorge wrote:
| The last US President used Twitter as his primary way to
| communicate with the world. That on its own has serious
| security implications.
|
| I agree with you that we have landed in not a great place.
| SV_BubbleTime wrote:
| > The last US President used Twitter as his primary way to
| communicate with the world.
|
| Without it sounding like an endorsement or defense of the
| guy... I never would have believed without seeing it, just
| how furious this made the media and other politicians. That
| you have a guy come in who said forget the system, I'm
| going to talk to the people directly (and say some dumb things
| now and then).
|
| I still attest that _some_ of the Trump hate is solely
| because groups of people that control the narrative in the
| US were excluded from creation and forced to be on
| narrative-adjustment.
|
| Agreed, this isn't a good place. One platform should not
| have this level of influence.
| smsm42 wrote:
| It wasn't the platform. As you can see, it took some
| time, but Trump found a way to do the same without
| Twitter. Despite all the efforts of Big Tech to control
| the access to public discussion, they still can't make it
| airtight, and contain somebody of Trump's caliber.
| Arguably, they have more luck with people of the smaller
| caliber though. And that's definitely not a good place.
| It's not about the specific guy, it's about how eager the
| Big Social turned out to be to control what we think and
| what we are allowed to talk about.
| slowmovintarget wrote:
| I hope we get to a place where we all agree that a sitting
| U.S. President should not "tweet." The White House
| maintains a Press Secretary for a reason. Granted, the
| current person holding the job is no C.J. Craig.
| jacobolus wrote:
| Both Psaki and Jean-Pierre have been excellent press
| secretaries. C.J. Craig is a fictional character written
| to be superhumanly prescient and witty in response to
| fictional crises.
| nradov wrote:
| I don't agree. The US president (and other politicians)
| should have a convenient way to communicate directly with
| the public, without the message being distorted by media
| organizations. Ideally though it should be a service that
| can't be censored; Twitter frequently censors users based
| on the arbitrary whims of their employees.
| raarts wrote:
| Like traditional secretaries, the WH Press Secretary may
| have become obsolete.
| robotnikman wrote:
| Considering a journalist was murdered and dismembered due to
| their lax security not too long ago, I would consider it
| definitely worth looking into.
| enraged_camel wrote:
| >> It's Twitter. What possible serious security implications
| could possibly warrant everyone in Washington getting into a
| frenzy?
|
| Considering how widely used Twitter is, at this point we can
| comfortably assume that most politicians and political
| operatives, even high profile ones, must have very sensitive
| information in their Twitter DM inboxes.
| raxxorraxor wrote:
| > must have very sensitive information in their Twitter DM
| inboxes.
|
| I doubt that, and if they really do, they should be either
| trained or exposed pronto. Twitter is an entertainment
| platform.
| jcims wrote:
| You've described the way it ostensibly should be.
|
| My guess is that the reality is almost perfectly in
| opposition to what you've described. Anything that
| introduces plausible deniability is going to be of a
| major benefit.
| wiz21c wrote:
| ah ah ah so they trust Twitter? The situation is improving
| at minus light speed...
| smsm42 wrote:
| I won't be surprised if they do. Most politicians are
| very thoroughly technically ignorant, and have little
| time or patience to spend on learning technically complex
| things, and really safe communication means aren't
| usually very user-friendly.
| datavirtue wrote:
| Whew, I would assume no one is using Twitter DMs. If they
| are, these should be 100% personal and unimportant. If not,
| those people should be investigated, not Twitter.
|
| I'm not defending Twitter, I don't engage with it at all.
| Scoundreller wrote:
| I'd also add the opportunity for provocateurs to cause
| problems: e.g. inducing vaccine hesitancy (back when the
| covid vaccines worked, but let's not focus too much on
| that).
|
| My feed is still filled with how all of our public service
| problems must be caused by the 1-2% that were put on unpaid
| leave for refusing to disclose their vaccination status.
| I'm sure the 1-2% could help, but the issues are much
| larger than that.
| dboreham wrote:
| I may be _too old_ to know who Mudge is, but I know one of the
| previous Twitter CISOs, and I believe he quit Twitter, which is
| a canary sign to me.
| choppaface wrote:
| Actions speak louder than words. For him to file this complaint
| now, _after_ Musk pulled out of his Twitter purchase, makes any
| truthful statements pretty low value to Musk's case. Does
| Twitter need better security? Yeah. Will Twitter get
| embarrassed? Yeah?
|
| Will this testimony show Musk completely miffed his due
| diligence while building up a huge loan package that would have
| sent most of Twitter's revenue to debt service? The timeline is
| what matters.
| rvz wrote:
| Twitter Inc. is indeed in very serious trouble if you have
| someone like Mudge whistleblowing.
|
| Now looking at the chaos, damage control and the PR disaster
| that is happening at Twitter HQ after this, I have zero
| confidence in whatever Twitter HQ and the CEO is saying other
| than admitting their total incompetency towards how they handle
| information security at the company. All attempts to make this
| disaster disappear will not only fail, but will eventually
| backfire.
|
| So what else was Twitter lying about?
| winternett wrote:
| Well, it's not even trending on Twitter, which is not really
| surprising.
|
| There is nothing more evident about the fatal flaws in social
| media than when news concerning a platform is suppressed on
| the cited platform.
|
| It highlights the failure of democracy they always purport,
| and it shows that they really shouldn't display a social
| "trending" page, because it is subject constantly to the
| politics and profit making of each platform.
|
| Twitter's trending timeline had long been regarded as an
| accurate beacon of real life trends, but that really needs to
| be reevaluated by everyone as the company has regularly
| displayed "somewhat questionable" behavior in how they manage
| timelines alone. There is no real way this wouldn't trend
| somehow on Twitter in my opinion, as it's been on the front
| page of CNN and many other sites for a long time now.
|
| The security breaches are factual, they have published many
| incidences of it themselves over years... Their actual
| reputation for lax security is what works against them most,
| but it's all on record.
| nr2x wrote:
| You really think just after paying an FTC fine, staring
| down SEC actions, and a huge legal fight with
| Musk...Twitter is going to "suppress" the content to keep
| this a secret?
|
| Sure.
| smsm42 wrote:
| I don't have any factual evidence on either side (I
| don't use Twitter at all, I even have Nitter extension to
| never visit that site even when linked to) - but I
| absolutely can believe they'd go for "all in" strategy,
| and keep messing with the feeds even in light of all
| that. If they felt they had the right and responsibility
| to control the information and shape the discussion on
| the Internet, they'd still feel that now, despite all the
| "mistakes were made" - in fact, they'd probably feel more
| urge to control things as they feel more threatened. And
| why not reduce the "misinformation" about their supposed
| wrongdoings - when all the truest information about
| it has been already disseminated by them, why allow
| "irresponsible parties" to "misinform" the public? Surely
| it should be stopped. It's the way they always have been
| thinking, why would they change now?
| winternett wrote:
| Yea. It works as damage control for credibility, which is
| under threat not only by the musk suit, but because of
| the last huge data breach they had.
|
| Just an opinion mind you, but not from a hater or a
| "dunce".
|
| This is a huge story of significant relevance to Twitter
| and all users on the platform.
|
| "Suppressing unfavorable news" these days is just as big
| and profitable an industry as disinformation is.
| wpietri wrote:
| > There is nothing more evident about the fatal flaws in
| social media than when news concerning a platform is
| suppressed on the cited platform.
|
| I just looked at the Trending panel and "Mudge" is #12 for
| me, with 4333 tweets. #11 is "Taco Tuesday", with 4172
| tweets. #7 is "Virgo" with 98,500 tweets. So I'm not seeing
| a lot of evidence of suppression. I think it's just a
| pretty niche story. I think the allegations are important
| and worth investigating, but the specific nature of them
| looks way more interesting to tech insiders than general-
| audience users.
| winternett wrote:
| Everyone has a different trending timeline on Twitter
| which is now more based on who they follow. The trending
| timeline is "baked" and dictated also by moderators and
| paid promotion often... It's why topics like "K-POP"
| trend so much, even for people that don't even listen to
| it at all.
|
| If you follow tech personalities, there's a higher chance
| you'll see the news.
|
| On my music account on Twitter, I don't follow tech
| personalities and tech news outlets, but I do follow CNN
| Breaking News, and nothing about this major story has
| popped up all day long.
|
| This is how the Twitter trending timeline is artificially
| baked... This story is a very big deal for everyone on
| Twitter, yet only a fraction of its user base will see
| the story. Privacy is important to every user on the
| platform, you'd think Twitter leadership at least would
| be trying to get a grip on the story first within the
| platform in a very public manner.
|
| It happens on every major social platform at key points
| too, highlighting the conflict in their ability to
| maintain proper social credibility as platforms that
| report on trends that news channels and other
| institutions regularly cite.
| wpietri wrote:
| Given that you understand Twitter ranks based on
| interests, what's your evidence that this was
| "suppressed"? Rather than just ranked according to
| people's interests?
|
| You seem to be saying that people _should_ be interested
| in this story. I'm not sure I agree, but I definitely
| believe most Twitter users won't be. Is it a good
| headline? Sure. But does it have much direct and
| immediate relevance to their personal lives? Not for most
| Twitter users.
| icelancer wrote:
| Yeah I kinda glossed over the headline and figured, whatever.
|
| Then I clicked through and saw it was Mudge.
|
| Ah jeez.
| smsm42 wrote:
| In any case your own chief of security coming out and saying
| your security is crap would be devastating for any company. But
| when it's a person with credentials list like Mudge's - one can
| be quite sure he's not just doing it because some disagreement
| about salary and vacation days, and it would be impossible to
| dismiss this as "disgruntled employee issue". Twitter would
| probably try anyway, but it won't work.
|
| Twitter is going to be in a lot of hot water now, and I can't
| imagine Musk isn't going to milk this to the last drop.
| dogman144 wrote:
| I agree. I grant It's possible Mudge is
|
| A) an old hand and doesn't know how to run a security program
| with the tech today
|
| B) a strong tech hire who can't lead a program.
|
| But Mudge is still... Mudge, and he's also proven his ability
| to collaborate so if he was a bull in a china shop at Twitter,
| that would be surprising.
|
| There's also a broader trend here of well known security leads
| that originate from that time working at social media and
| leaving quickly, like Alex Stamos, who also u-turned out of
| Facebook.
|
| So are the odds higher that Mudge did a bad job, or this set of
| companies are not great internally and old guard security leads
| are pointing it out? The twitter CEO letter framing him as a
| bad employee doesn't address this context.
| time_to_smile wrote:
| > B) a strong tech hire who can't lead a program.
|
| I worked with Mudge (not super close, but enough to see how
| he worked across teams etc) and can certainly say this is
| _not_ the case. At least when I saw him Mudge was excellent
| at the program leadership aspect of his role. At one point he
| ended up a DARPA PM. You can't go from L0pht to DARPA
| without getting really good at working with other people and
| leading projects.
|
| While he was always a notable presence, he was also never
| prone to drama, and very good at having ego when it was
| important but never letting it get in the way.
|
| Additionally all of the details sound like every KPI chasing
| consumer facing tech company I've ever worked with. I think
| we all know a few very competent people who have stood up to
| leadership at insane tech companies and ultimately gotten
| fired for it.
| latchkey wrote:
| Even 20 years ago, extremely well spoken and has worked at
| high political levels...
|
| https://www.cnn.com/videos/business/2022/08/23/peiter-
| mudge-...
| AtlasBarfed wrote:
| The subject of security consultants, security departments,
| and whistleblowing seems to me to be of particular concern.
|
| I mean, if an auditor publicly reports an audit finding
| that is ignored by the company and his ethics demand its
| reporting, is he branded a "whistleblower"? I do not think
| so, instead it is an "auditor finding". Why does that not
| apply here?
|
| It kind of dovetails with how pathetically organized IT in
| general is from a professional standpoint. Lawyers,
| Doctors, ... ?Accountants? and the like have centuries-
| codified procedures, principles, and the like for ethics.
| You generally don't get to hire one of those and tell them
| how to breach ethics (now, there are a lot of corrupt
| lawyers and a lot of corrupt accountants see: Arthur
| Andersen).
|
| The exploit industry has the 0day and x days of forewarning
| process, so there is that, but the fact a security
| consultant/professional gets accused of whistleblowing
| when... um, isn't that sort of the point? You hire a
| security consultant kind of like an auditor. And if
| auditors find major failings and they aren't addressed,
| aren't they supposed to report them?
|
| I'm pretty sure the security IT industry does not have even
| accountant levels of professional conduct and
| organizations.
|
| As IT subsumes and infiltrates, now to the point that
| fundamental bill of rights / human rights are dependent on
| secure and functioning IT systems, it gets... a bit more
| important. Arguably more important than the ethics around
| accountants and doctors. Lawyers, because they deal with
| the law, are probably more important still, but it shows
| that IT security may be rising in import to that level.
| bink wrote:
| I agree with everything you said, but I'd like to play
| devil's advocate here. Mudge has worked:
|
| * L0pht / @stake: security research, red teaming, and source
| code auditing, IIRC.
| * BBN: research.
| * NFR: technical advisory board.
| * DARPA: Managing a program that provided grants for new
| security products and tools.
| * Google ATAP: Google's "invention studio".
| * CyberUL: Testing of security products.
|
| None of these jobs really suggest a background in building
| a security program. I've worked with some large companies
| in a similar space to Twitter building their security
| programs and you can spend the first 6-12 months just
| trying to justify the new budget. Often that money has to
| come from another team or teams and he would have to
| justify that. He was apparently only there roughly a year.
|
| Again, I don't doubt Mudge's bona fides. I don't doubt his
| security knowledge. But this job was nothing like any he's
| had in the past.
|
| I also don't doubt his claims. Everything he's stated is
| almost certainly true. It does take more than a year to fix
| most of these problems and I wonder if he just got
| frustrated with the political battles that occur in these
| situations.
| michaelt wrote:
| Well, you can devil's-advocate anyone into an incompetent.
|
| Decades of experience as a rebellious hacker? Well,
| that's not _commercial_ experience. Founded a security
| consultancy? Too small, they just don't know how to
| operate in a _large_ bureaucracy. Worked at a secretive
| company as an individual contributor? They've been
| completely silent in public, clearly they haven't
| achieved anything interesting in years. Working elsewhere
| as an individual contributor? They just don't know how to
| build a team. Decades as a senior manager at a huge
| multinational corporation? Out of touch bullshitter,
| stale coding skills, doesn't know how we really do things
| these days.
| mthomasmw wrote:
| You left out that he built the security program at
| Stripe.
| spudlyo wrote:
| He led the Security team at Stripe for a time, but it was
| a functioning team before he arrived.
| pclmulqdq wrote:
| I read the full whistle-blower complaint, and the whole story
| from his perspective (and the crazy statement from Agrawal)
| looks like it's not B. Instead, it looks like it was a
| culture clash with his manager.
|
| He seems to have tried to escalate things to people above
| Agrawal nearly constantly. He was hired by Jack Dorsey, and
| felt accountable to him and to the board, but he reported to
| Agrawal, who believed that Mudge had a responsibility to
| follow the chain of command very rigidly.
|
| I have previously had managers who want you to rigidly follow
| the chain of command, and if you are a "hacker" type, they
| are a shock (and you are a shock to them). They are often
| very interested in controlling information that goes upward
| and how mandates flow downward through them (both to control
| their reputation and make sure everyone gets information in
| "proper context"), to the point that they see it as an attack
| on their position to even _speak_ with their manager. A
| "hacker" would rather put the information in front of the
| people who need it, instead of filtering it through the
| hierarchy.
|
| At the first opportunity Agrawal had to clean house, he
| cleaned out Mudge because he didn't want to work with him.
| House cleaning is normal for a new CEO. From Agrawal's
| perspective, Mudge did a terrible job, since he wanted to
| circumvent Agrawal.
| pueblito wrote:
| > He was hired by Jack Dorsey, and felt accountable to him
| and to the board, but he reported to Agrawal, who believed
| that Mudge had a responsibility to follow the chain of
| command very rigidly.
|
| With $10mm cash bonuses on the table it's extremely obvious
| why Agrawal would insist on being MITM
| pclmulqdq wrote:
| When you think your job is to tell your boss's boss (and
| their promotion committee) why your boss is doing a bad
| job, you're not in for a happy time.
| barking_biscuit wrote:
| Which sucks because plenty of times it's true.
| Maursault wrote:
| > I read the full whistle-blower complaint
|
| The content of the complaint is all that matters, and it
| should be judged on its own merits. It never matters who
| said what, and attempting to make it matter is ad hominem
| fallacy; it is what is said that matters.
|
| That said, I can't quite fathom why Twitter's cybersecurity
| matters any more than the cybersecurity of any of the
| myriad of online forums, HN included: the "data" simply
| isn't all that important; it is all public, it is all talk,
| and talk, as we know, is cheap. Say Twitter is completely
| overrun by foreign state actors who delete everything. The
| outrage is going to be minimal. "Dang, I really enjoyed
| mouthing off on Twitter. Oh, well."
| docandrew wrote:
| I was kind of curious about this as well, though I
| suppose if a politician's account was compromised it
| could cause some pretty major embarrassment or maybe even
| conflict. Are DMs a thing on Twitter? Having those
| compromised might be pretty serious too.
| leaflets2 wrote:
| > Say Twitter is completely overrun by foreign state
| actors who delete everything.
|
| That's not what's dangerous.
|
| Instead, dangerous things include manipulating the
| algorithms so that "news" of ones choice get lots of
| visibility. Then a foreign state can influence the
| elections
| jonstewart wrote:
| I wouldn't paint with too broad of a brush in this
| instance, however. Yes, mudge is the ur-hacker, but also:
| he worked at BBN and DARPA (where he was extremely
| effective) and elsewhere. He probably has the most
| experience of any technical/hacker on the planet of working
| with executives in large organizations.
|
| Agrawal's memo, in contrast, reeks of insecurity. The
| combination of how he's treated mudge and Rishi Sunak _and_
| the potential consequences of this complaint (particularly
| if FTC investigates and finds Twitter has not been
| following the consent decree) boxes him into a corner -- he
| won't be able to recruit the talent to solve these
| security problems and will be seen as an impediment to
| compliance/mitigation. I could easily see the FTC et al
| insisting on his resignation as part of a settlement. It's
| an own-goal.
| crb wrote:
| What's the story with Rishi Sunak? Assuming you mean the
| candidate for Conservative Party leader and thus UK PM, I
| wasn't aware of such a connection.
| groby_b wrote:
| Rinki Sethi. OP meant Rinki Sethi. (CISO of Twitter until
| January, left at the same time as Mudge)
| ginger2016 wrote:
| Thank you for the clarification, this got me confused
| too!
| jonstewart wrote:
| Oh, yes, thank you! I can't edit my comment anymore, but,
| yes, Rinki Sethi, apologies for the confusion.
| pclmulqdq wrote:
| I have spoken to a few DARPA program managers before, and
| they are usually amazingly smart people who are great at
| corporate politics. This doesn't sound like someone who
| is bad at corporate politics, just someone who
| underestimated the humility with which his manager would
| approach his job. No disrespect at all to Mudge, I think
| he did the right thing. Unfortunately, he didn't "manage
| up" very well in this instance.
| colechristensen wrote:
| A security lead who didn't try to raise major issues
| around a bad boss would be doing a bad job.
| [deleted]
| gjs278 wrote:
| shadowgovt wrote:
| I don't because I'm not seeing an organization that will hold
| them accountable.
|
| - This Congress is ill-equipped to understand tech, much less
| hold it accountable. As long as the people are happy, Congress
| is happy.
|
| - Lord knows the people are ill-equipped to get how bad this
| is. They already watched this company allow a rogue employee to
| shut off the account of the President of the United States
| (before they chose to do it as policy;
| https://www.washingtonpost.com/news/the-
| switch/wp/2017/11/02...) and watched this company deploy a
| username-to-telephone lookup service publicly where they'd
| intended to deploy a security protocol
| (https://www.ghacks.net/2022/08/08/twitter-confirms-that-a-
| da...). The public doesn't understand why they should care.
|
| - The only group who could really hold Twitter accountable are
| shareholders, but why should they care if the public and
| Congress don't? The money will roll in either way.
|
| Unless they've managed to commit an SEC violation (in which
| case, slap on the wrist incoming), there are no consequences
| for this kind of bad behavior until someone powerful gets
| seriously hurt. I'm glad Mudge is doing the right thing, but
| extremely pessimistic much will come of it. My recommendation
| is to shed Twitter as a user.
| jonstewart wrote:
| Twitter signed a consent decree with the FTC years ago. This
| complaint could result in the FTC investigating deeply
| whether the consent decree is being upheld. If not, there's
| likely sufficient regulatory force to hold Twitter
| accountable.
|
| I agree that, generally, it would be better for the US to
| have a better regulatory mechanism for large tech companies,
| but the consent decree is likely a strong tool in this
| particular case.
| ska wrote:
| > This Congress is ill-equipped to understand tech, ...
|
| "This" congress? There are institutional level problems,
| here.
| doesnotexist wrote:
| I generally agree that it's unlikely we'll see any serious
| accountability. However:
|
| > - The only group who could really hold Twitter accountable
| are shareholders, but why should they care if the public and
| Congress don't? The money will roll in either way.
|
| This might be what does it because is it true that the money
| is and will keep really rolling in? Twitter doesn't pay a
| dividend and is it reasonable to expect that the company's
| stock value should increase that much going forward?
|
| Twitter's gross profit numbers aren't as large as you'd think
| given the household name recognition of the brand. You might
| be as surprised as I was to discover that meme-stocks like
| AMC and GameStop are approximately the same size as Twitter
| in terms of gross profit. Perhaps Twitter is just as much of
| a big name but ailing dinosaur as those businesses? Or if you
| want to make comparisons within social media, isn't it
| surprising that Snap's ~$2.8 billion cap gross profit is
| right up there with Twitter's ~$3.2 billion. How did that
| happen? It is also interesting that snap's market cap is only
| 2/3rds of Twitter's despite a much closer delta between the
| two companies reported profits.
|
| On the whole, things aren't looking too good for the social
| media right now, take for example facebook losing active
| users YoY. I often wonder what zeitgeist web properties are
| going to be remembered as a BIG thing that receded in
| popularity in the course of about a decade, say like bell-
| bottom denim jeans from the 60s or disco music from the 70s.
| Could it be social media for the 2010s?
|
| Anyhow if they aren't paying dividends and they aren't able
| to keep growing at pace with expectations what exactly are
| they delivering in terms of value to shareholders?
|
| Given that the allegations are about defrauding shareholders
| by actively deceiving them and sweeping things under the rug.
| Twitter's shareholders might be better off revolting against
| the current leadership to recoup their losses than to look the
| other way and let this slide.
| dcow wrote:
| > My recommendation is to shed Twitter as a user.
|
| I never understood why tech people have such a strange enamor
| towards Twitter. Can't be an industry power dev without it.
| Can't start a company without it. Having a healthy Twitter
| following is often more important than having actual users--
| even to investors. Twitter is digital hype.
|
| I agree. It's time to replace Twitter. The only question is
| what exactly is it that anchors people to the platform? Even
| though it's hard to imagine, we know that news motivates
| people (it happened with the WhatsApp -> Signal exodus).
| Where's the "Signal for Twitter" we can all migrate to?
|
| If the key is not just creating a social platform, but also a
| hype engine, maybe what a competitor needs to realize is that
| hype doesn't happen in a vacuum. You have to do silly
| algorithmic things so that content can go viral. Maybe the
| secret is to be open about how you manufacture hype rather
| than do it behind closed doors? Maybe in a way that people
| can verify it was done fairly?
| Sebb767 wrote:
| > The only question is what exactly is it that anchors
| people to the platform
|
| If I had to take a stab, it's a combination of networking
| effects (obviously), simplicity and the short text limit,
| which forces authors to mostly be concise and optimize for
| a 140 character attention span. This is also supercharged
| by the fact that you can (mostly) access everything
| anonymously - if I'm linked to Twitter, I know I can
| read/watch it and it will mostly be concise. I don't even
| bother clicking a link to FB, for example.
| Jensson wrote:
| Main problem is that journalists use Twitter, as long as
| they are there Twitter will remain the most relevant
| political forum. It is mandatory for most journalist jobs
| to be active on Twitter, and since all the journalists are
| there anyone who wants publicity will also post on Twitter.
| shagie wrote:
| > - This Congress is ill-equipped to understand tech, much
| less hold it accountable. As long as the people are happy,
| Congress is happy.
|
| There's an article I was introduced to yesterday: Do We Need
| a New Digital Regulatory Agency in the U.S.?
|
| It argues that it is the agencies and the experts within
| the agencies that need to become more technologically
| literate to be able to advise creation and implement the laws
| that have tech impacts.
|
| Congress isn't _supposed_ to be experts on subjects, they're
| supposed to be the representatives of their people with
| occasional domain knowledge in certain areas of importance to
| their constituents. We can't (and shouldn't) expect every
| member of congress to be an IT expert.
|
| https://techpolicy.press/do-we-need-a-new-digital-
| regulatory... ( https://news.ycombinator.com/item?id=32555365
| )
| melony wrote:
| There's a simpler explanation. He is doing this for profit. I
| don't buy all the speculation that he approached the SEC out of
| some professional obligation or simply to spite the Twitter
| leadership. As a former executive he most likely still holds
| stock and having the price plunge is not exactly in his
| interest unless the pay-off from whistleblowing is high enough.
| Given his high profile, he just burned all bridges career-wise
| at big tech. The expected whistleblower payout here must be
| enormous.
| nr2x wrote:
| You don't understand the value of reputation.
| melony wrote:
| I don't think you understand what it means to burn all
| bridges. He is literally unhireable right now in any
| corporate context. You are naive if you believe he is doing
| this out of some hacker ethos.
| strictnein wrote:
| The idea that he is "unhireable" in the security space
| because of this is rather amusing.
| zenlf wrote:
| You talk like part of the problem.
| andrewflnr wrote:
| You've not really made an argument that it's a simpler
| explanation, just listed a bunch of reasons it's unlikely
| he'll profit from this, topped with pure speculation that he
| will anyway.
| hermitdev wrote:
| I know it's easy being cynical in this day and age, but there
| are people out there that still operate under a manner of
| principles. I'd like to think that mudge is one of them.
| zeruch wrote:
| I met Mudge once in my career early on (I was at VA Linux
| systems circa 1999ish) and I found him intense, an apex
| intellect, but absolutely affable and self-aware.
|
| He never struck me then, or in any interview or write up since,
| that he's impulsive, or prone to taking actions like what he's
| done to Twitter, in a cavalier way. He saw something bad and
| thinks something should be done to address it.
|
| He likely made that decision because the culture at Twitter is
| as bolloxed as he states (maybe worse), and that it's one thing
| to fire a guy, but to do so to hide damning truths, and expect
| that person to just accept their fate AND let you get away with
| it without a cost is in this day and age, a farcical hope. Your
| "Mudge knows the implications of "whistleblowing". He has been
| a security consultant and even testified to Congress. He's not
| some noob that doesn't understand security or how systems work
| together to provide services like disclosure to FTC. The idea
| that Twitter PR can pooh-pooh away his concerns is shockingly
| stupid." is spot-on.
| fossuser wrote:
| Yeah - comparing mudge's history with the email the Twitter
| CEO sent to internal employees and the situation seems crazy?
| Always hard to know from the outside, but this paired with
| Jack leaving seemingly frustrated with the board looks really
| bad.
|
| I know people have thought Twitter was mismanaged for a
| while, but seems like it's a lot worse than I thought it was
| (and the CEO seems more vindictively bad than I would have
| guessed).
|
| Plus the total lack of principles around speech and just
| doing whatever Russia, India, or KSA wants? Including hiring
| foreign agents? Also covering up bad security issues in
| reporting? It'll be interesting to see what happens from here
| as more comes out.
|
| The internal Twitter email: https://twitter.com/austen/status
| /1562150058727919616?s=21&t...
| zeruch wrote:
| Yeah, I think we're in lockstep here.
|
| I'm no fan of Musk (he's truly worked very hard to be the
| most provocatively pustulent punkass of tech) but that
| doesn't mean that Twitter leadership is any better. Just
| not as well PR'd.
|
| Dorsey himself was mostly an imbecile who drank too much of
| his own Kool Aid. Twitter has for years been the standard
| bearer for the most opaque, and incoherent content
| management; from user feedback to bots, just a village with
| only idiots. It was eventually going to catch up to them,
| the question now is to whom does the bulk of the suffering
| land on, not whether it lands or not.
| fossuser wrote:
| I'm a huge musk fan, but I still think his trying to get
| out of the Twitter deal is lame buyer's remorse and his
| arguments are weak. I see it as mostly unrelated to this
| mudge issue.
| zeruch wrote:
| Oh they are unrelated, but he will leverage the Mudge
| moment for all it can be.
| titzer wrote:
| Never been a "fan" of a personality, but I used to really
| like Tesla and SpaceX, but after hearing a little about
| how their critical software is...not developed like
| critical software...I am very wary of what kind of
| engineering is going over there. With Musk deciding to
| amp up his celebrity with Twitter antics, I just can't
| respect him any more.
| raarts wrote:
| Musk posted a meme explaining why he pulled out.
|
| https://twitter.com/elonmusk/status/1546344529460174849
| sanderjd wrote:
| He is trying to get out of the deal because he's about to
| lose billions of dollars buying a pretty crappy company.
| All this stuff about bots is dishonest nonsense. He could
| have chosen to do due diligence, and chose not to.
| colinmhayes wrote:
| He literally said he was buying it to fix the bot
| problem. It's not like he was unaware that bots existed
| on twitter.
| shapefrog wrote:
| If Musk actually believes this represents anything it
| puts his IQ in the single digit - low double digits
| range.
| fossuser wrote:
| Yeah - but that's dumb bullshit. He can't legally pull
| out because of that.
|
| He waived all of that to force Twitter to agree to the
| deal (because it'd be basically impossible for the board
| to reject it). This made sense at the time, because the
| board was looking for ways to weasel out of it because
| (imo) they politically don't like Musk. Then the market
| crashed and suddenly he was overpaying a ton for Twitter,
| then he complains about bots (this isn't new information
| from when he made the deal).
|
| Whether or not the bots thing is true isn't even relevant
| based on the deal he put forward.
|
| I think he earnestly wanted to buy Twitter for principled
| reasons around speech which I agree with. He structured
| the deal in such a way where Twitter's board couldn't
| reject it (because it was so favorable to shareholders).
| Then when the market tanked the deal way overpriced
| Twitter, but he had already committed to it so he's
| trying everything to get out of it. I suspect he actually
| believes the things he's arguing (he's always seemed
| pretty earnest to me), I just think he's wrong in this
| case and it's mostly driven by motivated reasoning.
|
| That doesn't mean Twitter isn't a disaster, just that
| they're in the right with regard to him having to close
| the deal.
| hammock wrote:
| >I think he earnestly wanted to buy Twitter for
| principled reasons around speech which I agree with. He
| structured the deal in such a way where Twitter's board
| couldn't reject it (because it was so favorable to
| shareholders). Then when the market tanked the deal way
| overpriced Twitter, but he had already committed to it so
| he's trying everything to get out of it.
|
| That's not how business valuations work (it's how
| speculation works). If Twitter was fairly valued by Elon
| Musk before the crash then it would be fairly valued now
| - the fundamentals of the business haven't changed.
| szundi wrote:
| One could argue that the value of a company is the sum of
| net present value of the future free cash flows it can
| produce. If the market crash is because of people
| realizing there is a recession coming, for example, it
| makes sense to update your expectations about the net
| present value of future cash flows - probably in sum a
| bit lower than before.
| fossuser wrote:
| "If Twitter was fairly valued by Elon Musk before the
| crash then it would be fairly valued now"
|
| That's a big if - I think a lot of this stuff is more
| speculation than any sort of fundamental cash flow
| valuation. A lot Twitter's actual value (its network
| effect and influence) is hard to measure anyway.
| TheDong wrote:
| > That's not how business valuations work (it's how
| speculation works). If Twitter was fairly valued by Elon
| Musk before the crash then it would be fairly valued now
| - the fundamentals of the business haven't changed.
|
| Some "fundamentals" of a business like twitter's value
| are:
|
| 1. Product/market fit, finances, etc. What you mean by
| "fundamentals" I think.
|
| 2. How easy it is for them to raise money (i.e. the
| "public sentiment" of VC towards their company and the
| industry)
|
| 3. How likely it is for regulation to stifle their
| growth, which is a derivative of public sentiment.
|
| 4. How much shares can be sold for, i.e. the public
| sentiment about how much it's worth.
|
| 5. Predicted future sentiment of their users and of
| advertisers, both of which impact expected future
| revenue.
|
| 2-5 all change with public sentiment, and a market crash
| changes public sentiment of many companies at once.
|
| It's self-evident that elon musk is overpaying more now
| than before unless you insist that twitter's value is not
| actually related to 2-5 above, or 2-5 above should have
| been trivially predictable 100% accurately already as
| part of its "fundamentals", both of which seem obviously
| silly.
| vkou wrote:
| The why doesn't matter, he explicitly waived the ability
| to back out of the deal for any of the reasons he's
| cited.
|
| Twitter is a tyre pyre, but he should have thought about
| that before putting ink on that deal.
| caycep wrote:
| granted, I'm not entirely certain Musk wants to pull out
| vs. getting a better price/discount on the purchase...
| last_responder wrote:
| Ah yes, Lopht Heavy Industries. Indispensable tools at the
| time.
| bombcar wrote:
| Always been a fan of "Heavy Industries".
| Syonyk wrote:
| Yup. I've used that with my normal "last name backwards"
| company name before. I tend to send Christmas and Birthday
| gifts to siblings with the company field filled in.
| "Kinetics," "Orbital Bombardment Division," "Relativistic
| Research," and assorted other things have made their way
| in, but "Heavy Industries" just has such a nice ring to it.
| sbf501 wrote:
| It's a 0, not an 'o'.
| bobabob wrote:
| mrex wrote:
| Just to clarify for those who don't catch it in the article:
| Mudge's whistleblower complaint predates the Musk/Twitter feud
| entirely.
| tacker2000 wrote:
| This is an important point, but why is the media picking it up
| just now? I guess both sides are starting the usual shit-
| flinging...
| zimpenfish wrote:
| Where do you see that info in the Verge article? All I can see
| is "he filed last month" (which would be July 2022) - the month
| Musk "officially" backed out and at least a month after he
| started doing the "I don't want Twitter any more" dance.
| [deleted]
| jyrkesh wrote:
| > John Tye, founder of Whistleblower Aid and Zatko's lawyer,
| told CNN that Zatko has not been in contact with Musk, and
| said Zatko began the whistleblower process before there was
| any indication of Musk's involvement with Twitter.
| mrex wrote:
| "Zatko was fired by Twitter in January and claims that this
| was retaliation for his refusal to stay quiet about the
| company's vulnerabilities."
| zimpenfish wrote:
| That doesn't cover whether or not he had contact with Musk
| and when he started the whistleblowing process.
| riffic wrote:
| he got canned right after the Jack departure.
| tyjen wrote:
| "The whistleblower also says Twitter executives don't have the
| resources to fully understand the true number of bots on the
| platform, and were not motivated to."
|
| I imagine this hurts Twitter's defense against Musk from pulling
| out of the takeover deal, or, is this whistleblower's account
| inadmissible?
| mrpopo wrote:
| I am willing to take a shot in the dark on this story, and say
| that this is the whole point. I don't see why this story would
| get shared and amplified so much otherwise.
| nullc wrote:
| Musk needs twitter to have willfully misrepresented and
| concealed, not merely to have had estimates that they admitted
| were nothing more than estimates.
| mzs wrote:
| This aspect of the story was entirely predictable:
|
| >Musk lawyer Alex Spiro said they want to talk to Twitter
| whistleblower. "We have already issued a subpoena for Mr.
| Zatko, and we found his exit and that of other key employees
| curious in light of what we have been finding."
|
| https://twitter.com/donie/status/1562056198425288704
| zimpenfish wrote:
| > I imagine this hurts Twitter's defense against Musk from
| pulling out of the takeover deal
|
| Not really because they have _consistently_ said "this is what
| we do, it's a finger in the air estimate based on sampling, it
| might be right, it might be wildly wrong, there's no agreed
| methodology for this".
|
| For someone to then go "they don't fully understand the true
| number of bots! GOTCHA!" is dumb because it's literally just
| pointing out exactly what they've said in their SEC filings
| _since 2013_.
| lapcat wrote:
| The really damning part of the whistleblower's statements
| isn't about the bots, it's about Twitter executives
| misleading the board of directors and stockholders. That's
| what could aid Musk at trial.
| [deleted]
| jfoster wrote:
| The problem I have in assigning credibility to Twitter's
| position on bots is that they seem to have held multiple
| seemingly inconsistent positions (all paraphrased):
|
| 1. "Finger in the air estimate based on sampling", aka.
| "don't read too much into it"
|
| 2. "Not more than 5%"
|
| 3. "Methodology can't be understood externally"
| dd36 wrote:
| So many people don't understand this. It's not even clear if
| Musk does.
| Cederfjard wrote:
| Of course he does. He's just grasping at straws to get out
| of the mess he's created for himself.
| bpodgursky wrote:
| If the executives did not make a meaningful effort to count
| them, that is fairly damning, given how much the stock price
| swings on the count.
|
| Nobody said it was easy, but it's certainly harder if you
| don't try.
| zimpenfish wrote:
| > If the executives did not make a meaningful effort to
| count them
|
| They've been filing their methodology for bot counting with
| the SEC since 2013.
|
| If they're not making a "meaningful effort" and it
| materially affected the stock price in some way, either the
| SEC or a shareholder would have gone "HOLD ON SHENANIGANS
| O'CLOCK", surely?
|
| It can't be that the entire world was A-OK with Twitter's
| bot counting until June 2022 when a man claiming to want to
| buy Twitter to fix the bot problem got cold feet on a
| market drop...
| bpodgursky wrote:
| The "methodology" is that people look at 100 accounts a
| day and determine whether they are bots. They have never
| disclosed any of the signals that go into this
| determination. You have a lot of faith in the immediately
| efficient market here.
| Cederfjard wrote:
| The point is that they have not claimed anything
| regarding this in their filings that isn't true, not
| whether or not you think they've been clear and detailed
| enough to answer the question properly.
|
| And to give Musk an out, which is what this tangent is
| about, not only do they need to have actually lied, the
| lies need to have had a VERY substantial effect on the
| price of the company.
|
| The bot thing simply does not help Musk get out of the
| deal he's made. That is not the same thing as "Twitter
| are great at dealing with bots and have been very
| transparent about how they do it", but that's not the bar
| that has to be cleared here.
| frumper wrote:
| Shenanigans can go on for a lot longer than 9 years
| without anyone noticing.
| the_doctah wrote:
| How is it any harder than giving users a captcha?
| happyopossum wrote:
| > They've been filing their methodology for bot counting
| with the SEC since 2013.
|
| No, they haven't. They describe at a very high level the
| amount of sampling they do (100 accounts a day? Really,
| that's it?), but don't discuss the methodology used, such
| as what they use as signals and indicators of botness.
| That's not "filing their methodology", it's covering
| their arses.
| _null_ wrote:
| Also, Musk repeatedly said publicly that he wanted to buy the
| platform specifically to address the issue of bot accounts.
| HillRat wrote:
| Twitter's always hedged their bot stats with the MDAU caveat
| (e.g., "we're not estimating all the bots who log into Twitter,
| just the ones that are meaningful for advertising and revenue
| purposes"), so while these allegations are not at all helpful,
| they're not necessarily a serious blow to Twitter's position
| (Mudge is a hacker, not a contracts attorney, and a lot of the
| allegations he makes regarding regulatory law aren't
| necessarily supported by his evidence).
|
| However, there's enough here, provided by a highly-credible
| technical expert, and under consideration by the US Congress,
| that Musk's litigation team has a strong opportunity to find at
| least _something_ that holds up as a material
| misrepresentation, even if relatively minor, and then link it
| to the broader effect of this document, which could very well
| rise to the level of a material adverse effect.
|
| So, where bots are concerned, bad but not disastrous; for
| everything else -- well, let's just say that Musk's litigation
| team are burning incense to the gods this morning, while a
| whole bunch of Twitter execs are going to be spending the next
| few weeks getting grilled by their own retained counsel, at an
| even more exorbitant hourly rate than they were paying before.
| lapcat wrote:
| Why would it be inadmissible?
|
| Mudge could be subpoenaed, just like Jack was just subpoenaed.
| paulgb wrote:
| Indeed, he just was.
| https://twitter.com/deitaone/status/1562069657582018560
|
| (That account tweets bloomberg alerts)
| lapcat wrote:
| Wow, that was quick!
| [deleted]
| lifeinthevoid wrote:
| It's probably not coincidence that that piece is in there ...
| dehrmann wrote:
| Unless the bot problem regularly gets in users' way, this
| isn't really what you want to blow the whistle on--hard
| problems are hard. You bring this up to damage Twitter.
| hn_throwaway_99 wrote:
| I read some good commentary on this that I agree with.
|
| From a purely _legal_ perspective, this really shouldn't
| matter much. As has been pointed out many times, Musk
| _explicitly waived due diligence_ when he signed the contract.
| Also, it's still laughable to think that Musk's real reason
| for wanting to get out of the deal is the bot problem (instead
| of the obvious reason of the market tanking), when Musk
| _himself_ made the argument that a big benefit of him buying
| Twitter is that he would be able to clean up the bot problem in
| the first place.
|
| From the court-of-public-opinion, though, I think it does give
| Musk more leverage for a negotiated settlement to get out of
| the deal, which is really what he wants. I don't think Musk
| really thinks he can win in Delaware, but the longer he drags
| things out and the more pain he causes Twitter the more
| incentive they have to negotiate cancelling the deal.
| ethnt wrote:
| It truly doesn't matter, given Musk waived due diligence.
| Unless the number of bots is enormous (think 75% or more) then
| it won't make a material difference.
| freeflight wrote:
| Not wanting to defend Twitter, but I'm pretty sure the situation
| is very similar across a whole lot of companies, even those that
| make security their main business, i.e. FireEye.
|
| Because investing in IT security usually has no apparent profit
| incentives, so most companies' leadership will consider it
| something of very little importance funding wise.
|
| Particularly in the current climate where even minor hacks, and
| simple ransomware infections, are regularly made out as some kind
| of "act of God"/allegedly done by some super advanced "state
| actor", to create the narrative how it just wasn't preventable
| with the resources of a private company.
|
| Which outsources all the responsibility to ominous intangible
| parties based on wonky, and often politically motivated,
| attribution, while holding nobody responsible for running outdated
| software in exploitable combinations, thus creating the problem
| in the very first place.
| lkjwlk wrote:
| mzs wrote:
| Twitter CEO's response to employees which denies none of the
| claims made by CNN & WaPo*
|
| https://twitter.com/donie/status/1562069281545900033
|
| * https://www.washingtonpost.com/technology/interactive/2022/t...
|
| edit: the PDFs from *
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| https://www.washingtonpost.com/technology/interactive/2022/t...
|
| cover letter:
| https://s3.documentcloud.org/documents/22161666/twitter-whis...
|
| latest reaction from Capitol Hill:
| https://www.washingtonpost.com/technology/2022/08/23/twitter...
|
| >Nobody at the Valley's unicorns seemed too concerned with
| security. (I asked Jack Dorsey that year whether he worried about
| the fact that hackers were continually pointing out holes in
| Twitter and in his new pay-ment start-up, Square. "Those guys
| like to whine a lot," he replied.)
|
| https://twitter.com/nicoleperlroth/status/156204856902836633...
| assttoasstmgr wrote:
| Thanks for posting this. Anyone commenting in this thread
| really needs to read the report as it paints the picture of
| their security hygiene. When I read things like 30% of all
| their endpoints have automatic updates disabled, and 40%
| reporting out of compliance, I'm picturing a real immature
| cowboy culture of arrogant developers that think they're above
| security policies, and no one at the helm to rope them into
| line. Sounds like they have no security culture, just policies.
| Security is something that begins with the individual.
| systemvoltage wrote:
| Page 9/84 in the "whistleblower_disclosure.pdf" are about Elon
| Musk's claims of fake twitter accounts and bots. Good lord,
| this does not look pretty for Twitter.
| weeblewobble wrote:
| To me that part is pretty weak compared to the security
| disclosures. The "lie" is about whether or not Twitter
| executives are incentivized to delete bots (later on he says
| that Twitter is incentivized to keep bots out of mDAU because
| they don't click on ads so they'd tank the clickthrough rate,
| kind of blows a hole in Elon Musk's whole thing). In reality
| I'm sure there are multiple overlapping and contradictory
| incentives at play, but it's not really a falsifiable
| statement so not really something you can "lie" about.
|
| The way it's framed ("Twitter lied to Elon Musk about bots")
| makes me suspicious of the whistleblowers' motives here. I
| know he's some kind of legend around these parts but I've
| never heard of him, so I'm just going by what I've learned
| today. Seems like propaganda to me, intended to maximally
| damage twitter and/or curry favor with Musk.
| OMGWTF wrote:
| It wasn't just about incentives. The disclosure also says
| that while Musk asked for [spam bot accounts / total active
| accounts], Agrawal's response didn't really address the
| question and was pretty misleading [estimated spam bots
| among mDAU accounts / total mDAU accounts < 5%].
|
| ("Agrawal's reasoning might appear a bit circular since, by
| definition, mDAU is more or less Twitter's best
| approximation of the set of accounts that aren't bots. And
| Agrawal is not exactly trying to help readers understand
| the bait-and-switch nature of his answer." - page 13/84)
| icelancer wrote:
| Agrawal's internal statement about Zatko is insane. My
| goodness.
| mzs wrote:
| I know right! Was the last CEO who wasn't a monster Bill
| Hewlett?
| riffic wrote:
| copy and paste my comment from an earlier post which failed to
| see HN traction (https://news.ycombinator.com/item?id=32562747):
|
| > The complaint from former head of security Peiter Zatko, a
| widely admired hacker known as "Mudge," depicts Twitter as a
| chaotic and rudderless company beset by infighting, unable to
| properly protect its 238 million daily users including government
| agencies, heads of state and other influential public figures.
|
| this is a fun read. I've long said that government agencies,
| heads of state and other influential public figures are obvious
| candidates for running their own ActivityPub installations (or in
| paying competent people to do that, which shockingly Twitter,
| Inc. could be in the business of hosting/selling).
| mikkergp wrote:
| "as a chaotic and rudderless company beset by infighting,"
|
| Sounds like a match made in heaven for "government agencies,
| heads of state and other influential public figures."
| 1970-01-01 wrote:
| Good job mudge! For those that don't know him, Mudge is kind of a
| big deal in cybersecurity:
|
| https://en.wikipedia.org/wiki/Peiter_Zatko
| elesbao wrote:
| By the CNN piece it seems like twitter hired a community figure -
| which is a common mistake that leads to bad performance
| evaluation. Public figures are trained on being public figures;
| they are not necessarily the best folks to build a security
| organization. OTOH there seems to be some frustration from both
| sides regarding performance and if it gets public our hackerman
| will have a rough time being exposed. I don't think that was a
| good idea (reporting to SEC would work better IMO).
| hn_throwaway_99 wrote:
| I commented on this elsewhere, but Mudge was a program manager
| at DARPA from 2010-2013 and worked at Google from 2013-2020.
| This narrative that "Twitter hired a long-haired hippy and he
| didn't know how to build a security org or work in a corporate
| environment" ignored the past decade plus of his experience.
| markwisde wrote:
| Nobody seems to know how you can build a successful security
| org
| jonstewart wrote:
| Yeah, like l0pht, @stake, DARPA...
| mrex wrote:
| Building a successful security organization is very easy, it
| just starts higher up the food chain than whatever experts
| you hire to do it. Security is a cultural practice, it's not
| a feature, it's not a bolt-on. To the extent that your
| security organization influences and receives buy-in from
| your corporate culture, becoming a part of your
| organization's identity, it will be successful.
| hn_throwaway_99 wrote:
| I think this is key. If you don't have a good security
| culture, where people understand and have ingrained proper
| security practices, you're toast, no matter who else you
| hire.
| Jensson wrote:
| Google has good security practices, can implement those
| in any big corp as they are very straightforward. Mudge
| previously worked at Google so I'd assume he was hired to
| help Twitter security get better by implementing some
| practices from Google. But maybe he was just hired to
| look like Twitter cared and they didn't really want to
| change anything.
| hn_throwaway_99 wrote:
| Google also has a very good ingrained security culture.
| They understand that they hold on to people's most
| private and critical data, and rock-solid security has to
| be a cornerstone of their business.
| solarkraft wrote:
| Yeah, but Elon knew all of it.
| TheBlight wrote:
| These days whenever the media bestows "whistleblower" status on
| someone I become instantly suspicious.
| markwisde wrote:
| Considering the stories you can read in the security engineer
| handbook[1] written by FAANG security engineers I'm willing to
| believe that.
|
| [1]: https://securityhandbook.io/
| [deleted]
| pigtailgirl wrote:
| -- I've always (since the 90s) used the rule of thumb treat
| everything on the internet as if it's compromised - I employ low
| personal security - however i also employ low trust - wouldn't go
| so far as to blame the users or the platforms - i'd blame both
| equally - user education is low - false sense of security is high
| - as the years have gone by - adjustments have been made on my
| side: comments sections are probably misinformation - emails from
| people I know may or may not be real - emails from people I don't
| know are probably not real - use pen and paper for things that
| need to stay relatively confidential - this is how I was taught
| to use the internet in the early days - still use it this way
| today --
| bogomipz wrote:
| You would think that Twitter might have a coherent strategy in
| place for dealing with the media on this but no. They are trying
| to discredit Peiter Zatko by stating that he was terminated for
| performance reasons and yet their spokesperson goes onto to make
| these completely conflicting statements:
|
| From Twitter spokeswoman Rebecca Hahn:
|
| Hahn said that Twitter fired Zatko after 15 months "for poor
| performance and leadership."
|
| Hahn added that Twitter has tightened up security extensively
| since 2020, that its security practices are within industry
| standards, and that it has specific rules about who can access
| company systems.[1]
|
| 2020 was of course the year that Zatko was hired by former CEO
| Dorsey. So security tightened up "extensively" on Zatko's watch
| but he was fired "for poor performance and leadership"?
|
| This only seems to support Zatko's (and many others') assertion
| that Twitter is a giant shit show of chaos.
|
| [1]
| https://www.washingtonpost.com/technology/interactive/2022/t...
| riffic wrote:
| Twitter has a comms department but there has been a revolving
| door of ineffective comms leadership.
|
| I can't even get someone from Twitter Comms to pop into the
| Twitter subreddit to engage with users there.
|
| Rebecca Hahn doesn't even have a Twitter account afaik.
| bogomipz wrote:
| That is rich. From July:
|
| >"Details: The communications lead role has been vacant since
| last November, but it's been led by Twitter CMO Leslie
| Berland on an interim basis for the past seven months. Hahn,
| who technically started last week, will report to
| Berland."[1]
|
| The VP of Global Communications at Twitter role was vacant
| for 7 months and the person finally hired doesn't seem to
| have a visible Twitter presence after 6 weeks on the job? At
| a time when the company is practically a daily news story?
| You couldn't make this shit up.
|
| [1] https://www.axios.com/2022/07/12/twitter-rebecca-hahn-
| commun...
| shrubble wrote:
| God Mode, from my understanding, allows a Twitter employee to
| have access to an account and allows for a post to be made, under
| that account's id, without the account being notified or seeing
| the post show up in their own timeline.
|
| Is this an accurate statement?
|
| If so, why did nearly 1000 employees (12% of the workforce) have
| access to this mode before it was restricted, and what's the
| business case for that?
| dbbk wrote:
| What scenario would justify that feature existing though? Why
| would they need to make posts from arbitrary accounts?
| bombcar wrote:
| It's common in lots of software - a form of a "su" command
| that lets you assume all aspects of a particular user.
|
| Usually developed for testing purposes (easiest way to
| reproduce a problem, after all) and prevents password-
| sharing. But it can obviously be used for evil, and so it
| should be heavily logged and flagged.
| [deleted]
| ALittleLight wrote:
| But the comment says that users wouldn't even see posts
| from the Twitter employee assuming their account in their
| own timeline. What legitimate purpose would that serve?
| eastbound wrote:
| That explains why some people apologize for things they said
| would never apologize...
|
| Thing is, now that it's possible for Twitter, Twitter can never
| brush off these suspicions again.
|
| We're literally not sure, by using Twitter, that we see the
| speech of that person.
| saalweachter wrote:
| Now think about the implications with respect to Twitter DMs
| that show up in criminal investigations.
|
| For instance, consider the Twitter DMs exchanged by Donald
| Trump, Jr and WikiLeaks. In that particular case, the
| communication was acknowledged by the party in question, but
| imagine the two possibilities thousands of employees being able
| to act on the part of users opens up:
|
| 1. Twitter employees could fabricate a criminal conspiracy by
| creating messages between multiple Twitter accounts.
|
| 2. A criminal conspiracy can now use the "Wasn't me, must have
| been some random Twitter employees" defense.
| BeFlatXIII wrote:
| > A criminal conspiracy can now use the "Wasn't me, must have
| been some random Twitter employees" defense.
|
| I could see this being billed as a feature of a privacy-
| forward chat platform. Messages are slipped into
| conversations without either party having actually sent them
| and no way to tell whether they were real or not.
| bequanna wrote:
| This seems like a huge win for the defense in a case using
| DMs or Tweets as evidence.
|
| It would be quite easy to argue that a highly-politicized org
| like Twitter _might_ alter tweets or DMs to implicate someone
| in the opposing party. That's reasonable doubt that at least
| some jurors would buy.
| saalweachter wrote:
| Perfidy could still happen in a tightly controlled system,
| where only a small number of people could view or modify
| user data, in a way that requires multiple individuals to
| sign off on it, and both the access and the modifications
| were internally logged and audited.
|
| But that turns into "there was a sizeable conspiracy to
| fabricate evidence", as opposed to "a random person out of
| 2000 got bored, had a grudge, decided to have a laugh, and
| was acting alone".
| minhazm wrote:
| Usually these sorts of systems have very detailed logs and
| those logs are kept for a long time for things like
| lawsuits. In the hypothetical scenario you're describing
| the other party would subpoena Twitter and they would
| corroborate whether or not someone logged in as that user.
| jyrkesh wrote:
| But part of what this article calls out from the
| whistleblower's POV is that the logging and auditing
| systems that would be needed to do that don't exist at
| Twitter. That users can activate God Mode or get into
| production systems without any logging or accountability.
| robotnikman wrote:
| From what the article mentions it sounds like Twitter
| could very well be lacking those detailed logs and
| checks...
| MuffinFlavored wrote:
| > 1. Twitter employees could fabricate a criminal conspiracy
| by creating messages between multiple Twitter accounts.
|
| Could be thwarted by some kind of "source" database
| column/field/value that says "this is a tweet made by God
| mode"
|
| Whether Twitter has that field, if it is internal only, and
| if they would share it with the public/a court of law, I have
| no clue
| saalweachter wrote:
| Yeah, at the bare minimum what you want to see is:
|
| 1. No employees have direct, immediate access to user
| accounts or data.
|
| 2. Only a small number of employees should ever be able to
| gain access to user accounts or data, for the purpose of
| resolving issues directly affecting said accounts or data.
|
| 3. Access is only granted to one specific user account at a
| time, and only for a limited amount of time.
|
| 4. Access to a user account requires at least one other
| person to sign off on the access-grant.
|
| 5. Every operation performed upon a user account -- viewing
| a field, modifying a field -- is logged in a place the
| people from #2 and #4 do not have access to.
|
| 6. Access logs are routinely audited for perfidy.
|
| 7. Gaining access to user accounts or interacting with
| them in a way that is not necessary or attempting to
| circumvent the above process must be a don't-bother-
| cleaning-out-your-desk-we'll-do-it-for-you offense.
|
| With policies in place like that, you reduce the insider
| risk to user accounts. You need multiple people directly
| involved in secretly accessing or taking over a user
| account, and you potentially need dozens of others (the
| potential auditors) to be complicit. The more people you
| have involved, the more likely it is someone shuts it down,
| or at least blows the whistle on it when shit hits the fan.
|
| If someone can just get drunk one night, open up a user
| account, tweet something, then SSH over to the audit server
| and drop the rows from the access log indicating what they
| did, there's no way to even prove something happened, let
| alone who did it.
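The controls in the two comments above (a provenance marker on writes made through internal tooling, two-person approval, one account per grant, a time limit, and an audit log the approvers cannot edit) fit in one small model. This is an added example, not code from Twitter or from either commenter; the class names (AccessBroker, AuditLog), the operation names and the scenario data are all constructed for illustration.

```python
"""Insider-access controls from the thread, as one runnable model (added example)."""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64


@dataclass
class Grant:
    grant_id: int
    requester: str
    approver: str
    account: str      # exactly one account per grant
    expires_at: int   # seconds; grants are short-lived


class AuditLog:
    """Append-only, hash-chained log owned by a separate audit service.
    Each entry commits to the previous entry's hash, so a deleted or
    edited row breaks verification from that point on."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class AccessBroker:
    """Grants time-boxed access to one account with a second person's sign-off."""

    def __init__(self, audit: AuditLog, ttl_seconds: int = 900):
        self.audit, self.ttl, self.grants, self._next = audit, ttl_seconds, {}, 1

    def request(self, requester: str, approver: str, account: str, now: int) -> Grant:
        if requester == approver:
            raise PermissionError("two-person rule: approver must differ from requester")
        g = Grant(self._next, requester, approver, account, now + self.ttl)
        self._next += 1
        self.grants[g.grant_id] = g
        self.audit.append({"t": now, "kind": "grant", "grant": g.grant_id, "by": requester,
                           "approved_by": approver, "account": account})
        return g

    def act(self, grant_id: int, actor: str, account: str, op: str, now: int) -> dict:
        g = self.grants.get(grant_id)
        if g is None or g.requester != actor or g.account != account or now > g.expires_at:
            self.audit.append({"t": now, "kind": "denied", "grant": grant_id, "by": actor,
                               "account": account, "op": op})
            raise PermissionError("no valid grant for this actor/account/time")
        self.audit.append({"t": now, "kind": "op", "grant": grant_id, "by": actor,
                           "account": account, "op": op})
        # every write through the support tool carries a provenance marker
        return {"account": account, "op": op, "source": "support_tool", "grant": grant_id}


def audit_report(log: AuditLog) -> dict:
    """What auditors outside the request/approve loop check: chain intact,
    no self-approvals, and every op tied to an earlier grant for the same
    actor and account."""
    grants, orphan_ops, self_approvals = set(), [], []
    for e in log.entries:
        ev = e["event"]
        if ev["kind"] == "grant":
            grants.add((ev["grant"], ev["by"], ev["account"]))
            if ev["by"] == ev["approved_by"]:
                self_approvals.append(ev["grant"])
        elif ev["kind"] == "op" and (ev["grant"], ev["by"], ev["account"]) not in grants:
            orphan_ops.append(ev)
    return {"orphan_ops": orphan_ops, "self_approvals": self_approvals, "chain_ok": log.verify()}


def run_scenario() -> dict:
    """Constructed walk-through: one approved grant, one use, one expired use,
    one op that bypassed the broker, then a tampered copy of the log."""
    log = AuditLog()
    broker = AccessBroker(log, ttl_seconds=900)
    g = broker.request("alice", "bob", "user_123", now=1000)
    result = broker.act(g.grant_id, "alice", "user_123", "view_email_field", now=1100)
    expired_denied = False
    try:
        broker.act(g.grant_id, "alice", "user_123", "post_tweet", now=1901)
    except PermissionError:
        expired_denied = True
    # an op that reached the log without any grant (e.g. a direct DB write)
    log.append({"t": 1200, "kind": "op", "grant": 99, "by": "mallory",
                "account": "user_456", "op": "post_tweet"})
    report = audit_report(log)
    log.entries.pop(1)  # "drop the rows from the access log": breaks the chain
    return {"source": result["source"], "expired_denied": expired_denied,
            "orphan_ops": report["orphan_ops"], "chain_ok": report["chain_ok"],
            "tampered_detected": not log.verify()}
```

Deleting a row from the middle of the log is caught by `verify()`; truncating the tail is not, so in practice the latest hash also has to be anchored somewhere the approvers cannot reach (periodic copies or a signed checkpoint), which is the property the comment's "a place the people from #2 and #4 do not have access to" is asking for.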
| ntonozzi wrote:
| If you read the document "Security Chief's Final Report to
| Twitter" on the Washington Post article (https://www.washington
| post.com/technology/interactive/2022/t...), you will see that
| 'god mode' just means they have IPMI access to servers.
| modeless wrote:
| "just"? What percentage of Google engineers do you think have
| IPMI access to servers?
| dnakxnc wrote:
| bkq wrote:
| It is rather disconcerting how a platform that is apparently
| rather integral to the discourse of today is in the hands of a
| single private company. It doesn't matter who owns it, if it's
| Musk or someone else, the fact that it's at the whims of a
| private company, is the primary channel for discourse, and is
| something legislatures cannot even comprehend because of their
| age, should have alarm bells going off. Coupled with the fact
| that IT education about hardware/software is lacking, this means
| that there is an environment that is ripe for the encroachment of
| digital rights, as we've been seeing this past decade.
| SpaceL10n wrote:
| A world-wide, decentralized, communications platform sounds
| lovely. Oh wait...
| jonas-w wrote:
| Oh wait?
| freeflight wrote:
| Oh wait, we already had that, and then we centralized and
| monopolized the hell out of it [0]
|
| [0] https://staltz.com/the-web-began-dying-in-2014-heres-
| how.htm...
| astrange wrote:
| That's because decentralized networks are expensive and
| can't handle spam unless you make receiving messages opt-
| in, and then you can't @ people like you can on Twitter.
| indymike wrote:
| > It is rather disconcerting how a platform that is apparently
| rather integral to the discourse of today is in the hands of a
| single private company.
|
| Unpopular opinion: I think it's awesome that a private company
| has created a platform like Twitter. It's kind of like
| comparing a private amusement park with a public park: one has
| roller coasters, water slides and an arcade... the other has a
| swingset and a nice field of dried up grass.
|
| > the fact that it's at the whims of a private company
|
| How is this worse than at the whims of the crown?
|
| > there is an environment that is ripe for the encroachment of
| digital rights
|
| I love that we're even talking about having digital rights.
| xg15 wrote:
| _> the fact that it's at the whims of a private company
|
| How is this worse than at the whims of the crown?_
|
| The tiny detail that we're not having a crown anymore.
| root_axis wrote:
| > _a platform that is apparently rather integral to the
| discourse of today_
|
| Not true. If anything Twitter is a cancer on our discourse that
| should be disdained, not something that should be enshrined as
| a fixture into our lives.
| core-utility wrote:
| > the primary channel for discourse
|
| Primary for whom? If you polled 50 people on the streets of
| NYC, I bet fewer than 3 would say they actively use twitter.
| Now do the same for Des Moines, IA and you maybe get 1?
| Cederfjard wrote:
| People with outsized influence over politics, for example.
| newaccount2021 wrote:
| paulgb wrote:
| The people who those people watch on TV (or read in
| newspapers) use twitter, though.
| ageitgey wrote:
| I think that Twitter is very much the tail that wags the dog.
| Sure, 1 out of 50 normal people may use it, but nearly 1 out
| of 1 reporters use it. Those reporters often quote opinions
| on it as if they are representative of the larger public,
| even if the tweet they quote is by someone with 10 followers
| and no stars.
| ajdlinux wrote:
| I'm involved in a community advocacy organisation that uses
| Twitter, Facebook and Instagram for public engagement.
|
| Facebook is a great platform for actually getting normal
| people to see our content and invite them along to our
| meetings and such. Twitter, on the other hand, has a far
| more niche audience - but I know for a fact that the niche
| audience includes several state legislators who follow us
| and interact with our tweets, and we've gotten several
| press stories via contacts we've made with journalists over
| Twitter.
|
| If you've got a message to get out there, it's a highly
| strategic platform.
| paulgb wrote:
| The fun thing about social media is that reporters can back
| up any narrative they want. "People are upset about X",
| "Gen Z is doing X", "Millennials are killing X". Find two
| people and it's a confirmed trend!
| beeboop wrote:
| I saw a reddit post today that "Disney fans are furious
| that Avatar was temporarily pulled from Disney Store" and
| the top 500 comments were like "No one is furious".
|
| Here, I'll give it a go: "Environmentalists are furious
| that Bill Gates kills mosquitos"
| mcintyre1994 wrote:
| I did a quick Twitter search, and unfortunately your
| story isn't supported by any tweets I can find. Good
| news: you get to write a story about conspiracy theories
| about Gates and mosquitoes instead though! https://twitte
| r.com/lorijean333/status/1561224522166067201?s...
| root_axis wrote:
| > _and unfortunately your story isn't supported by any
| tweets I can find_
|
| If there's no evidence for my claim it must be evidence
| of censorship, because certainly I can't be wrong.
| nebula8804 wrote:
| I saw this happen live and I couldn't believe it. There
| was this Netflix movie last year called "Kate" that has a
| white female assassin killing a lot of Asian people (it
| takes place in Tokyo). There were a handful of articles
| (first in places like Yahoo news and then sites like
| Slate.com) written about how this is racist and they all
| quoted people on twitter. Since I was following this
| movie heavily, I saw the tweets come in real time and the
| subsequent articles written a day later. In the end it
| all started from one tweet from a random user which then
| spread into a small handful other people making a similar
| comment and then leaving it at that. These tweets then
| got turned into multiple articles. I could not believe
| how crazy the whole thing was.
|
| The original tweet author did not give permission for her
| thoughts to be published in so many articles and
| apparently endured a lot of harassment (she indicated this
| on subsequent tweets). She eventually deleted the tweet.
|
| This was the original tweet: "Shame on Netflix for this.
| After this past year especially, to then release a film
| that is literally white people murdering Asian people
| based on stereotypes and fetishization??? Hard pass."
|
| If you google that quote you'll see how many articles
| quote that tweet.
|
| There were no winners in this whole saga. The movie takes
| place in Tokyo so of course Asian men are going to be the
| bad guys. So Netflix endured negative press for nothing.
| The press didn't actually change anything about the film,
| it obviously pissed off enough people that it caused them
| to start looking for the tweet author to harass her and
| finally she deleted her tweet. Who were the winners? The
| site owners making the money I guess. The whole thing
| really shows how much of a joke online media is. When
| regular establishment press is not that good either, what
| are people to do?
| nindalf wrote:
| It annoys me to see this. Quoting tweets is the laziest
| form of journalism. But to be fair to journalists, finding
| a couple of real world people and quoting their opinions as
| if they are representative of the larger public isn't any
| more rigorous.
|
| And it's possible to cherry-pick people to push any
| narrative you want. Like the NYT talking about how GenZ is
| very pro-life, quoting several pro-life youngsters.
| Meanwhile buried somewhere in that long article is the lede
| - only 20% of GenZ is pro-life.
| lapcat wrote:
| Ironically, social media has played a big role in the
| rise of cheap clickbait journalism.
| indymike wrote:
| > I think that Twitter is very much the tail that wags the
| dog.
|
| Twitter has a lot of journalist users so, yes, it does tend
| to move the whole dog.
| Dma54rhs wrote:
| The three are the elites of society, blue checkmarks -
| journalists, politicians, propagandists, influencers. For
| society as a whole they have way more influence on where it's
| going than the average Joe in front of the corner shop.
| freeflight wrote:
| Except that a lot of those 50 people instead consume all
| kinds of other "news media" who by now regularly use Twitter
| as a source, so they are still indirectly affected by Twitter
| even if they don't actively use it.
| alexb_ wrote:
| If you're in any community that is popular/new enough to not
| use forums, but not large enough to talk outside of twitter,
| it definitely controls a lot.
| winternett wrote:
| Ahh the typical brigade is definitely in effect even above
| this post... A bunch of comments to suppress the real ones
| made, just like what happens on Twitter regularly.
|
| I had to scroll down past the posts dismissing the issues to
| get to this one. The news at this point is also conveniently
| not trending on Twitter even though I am pretty sure a lot more
| people are Tweeting about it than about Doja Cat right now (who
| is trending).
|
| I also didn't even see the article, tweeted by CNN, even though
| I follow them on Twitter.
|
| We're officially chest deep in the era where nothing popular on
| the Internet is trustworthy nor credible, and where nothing
| works as expected.
|
| My solution is the same as it always has been... Never respect
| them enough to enter your real (government) name, and never
| post anything that you can't afford to have compromised. There
| is no end to what modern data greed will use your data for.
| vlan0 wrote:
| Eh, you could take out Twitter and insert many other company
| names and it'll still hold true. And those companies hold so much
| more sensitive data about you than Twitter.
|
| I know of insurance companies that have help desk employees with
| domain admin access. And all crippling ransomware attacks take
| advantage of lax permissions.
|
| This is rampant. How is this a story?
| [deleted]
| mrex wrote:
| >This is rampant. How is this a story?
|
| Bro. It's not every day that literally Mudge, who has -no
| doubt- seen his fair share of shit-shows, whistleblows on an
| employer.
| dehrmann wrote:
| But was he fired by any of those shit shows?
| mrex wrote:
| I don't think you understand how poorly attacking Mudge's
| character or insinuating that he's driven by some unethical
| ulterior motive is going to work out. Mudge is... he's
| Mudge. He's a known quantity, and one everyone wishes we
| had more of. When he says something like this, smart people
| listen intently.
| bartread wrote:
| > How is this a story?
|
| Cynically, because it's twitter, and it's trendy amongst a
| certain subset of the population to bash social media in
| general and twitter in particular. And I think your point is
| fair.
|
| (FWIW, I think social media has if not caused, then certainly
| exacerbated, some major problems at individual, societal, and
| global levels, but by no means do I think twitter is the
| biggest contributor. I don't think we'd see the kind of
| unconstructive political polarisation we're seeing in the US
| and UK and perhaps, to a lesser extent, within the EU, without
| it.)
| zinekeller wrote:
| My reasoned mind says it's due to the recent disclosure in
| Twitter due to linking of phone numbers to people, while my
| other mind says it's Elon finding anything to make Twitter
| give up their case.
| blitzar wrote:
| > in Twitter due to linking of phone numbers to people
|
| Except like the linkedin "hack" which was just a scrape of
| peoples profiles, the twitter "hack" was someone running
| phone numbers through the "upload your contacts and find
| your friends account" feature.
|
| They are both barely stories, except to remind people that
| posting stuff publicly is public.
| BlueGh0st wrote:
| >..the twitter "hack" was someone running phone numbers
| through the "upload your contacts and find your friends
| account" feature.
|
| >They are both barely stories, except to remind people
| that posting stuff publicly is public.
|
| The reoccurring issue is that Twitter and other companies
| are convincing (and often forcing) you to do something
| unsafe like linking your phone number, while telling you
| that your data will be kept private and at the same time
| opting you in by default, or aggressively marketing, an
| option that compromises your security.
|
| I'm sure you may be smart enough to know this compromises
| your anonymity, allows stalkers to find your phone
| number, etc. but the 99% of users won't.
|
| Linking everything to a phone number is a major dark
| pattern that benefits the corporations while compromising
| the user. So rightfully, these malicious and harmful
| practices should be called out.
| shadowgovt wrote:
| Additionally, Twitter collected PII and then did a bad
| job protecting it. We don't see a phone-numbers-leaked
| story like this out of Google, which has had 2FA with
| phone number deployed for years.
|
| Twitter has some 200+ million daily active users and
| should act like it.
| blitzar wrote:
| _Decide whether people who have your email address or
| phone number can find and connect with you on Twitter._
| If you select yes, then someone with l33t skills can _"
| hack"_ twitter and type in your email / phone number and
| get your twitter handle (or just put it in their contacts
| and click a button in the twitter app aka l33t hax0r
| skills)
|
| The reason there isn't a "leak" from google is because they
| don't offer the functionality to look up your account by
| your phone number.
| bartread wrote:
| For sure, the phone numbers issue definitely won't have
| helped, but the whole Elon/Twitter situation is definitely
| up there. Plus, as I say, it's been sort of trendy to bash
| them for a while: they're either not doing enough to
| protect people from harmful content, or they're subverting
| freedom of speech by, for example, banning Trump, and
| applying permanent, temporary, or shadowbans to other
| accounts. I'm not _that_ sympathetic, but they sort of
| can't win.
| kornhole wrote:
| I think you are referring to corporate and state controlled
| social media. There is a big difference between those
| platforms and the fediverse instances I am running on a RPI
| sitting on my desk.
| NelsonMinar wrote:
| Twitter is under a consent agreement with the FTC about its
| security practices. Part of the allegations here is that
| they've been lying to those regulators.
|
| https://www.ftc.gov/news-events/news/press-releases/2011/03/...
| hotpotamus wrote:
| Cybersecurity is one of my roles I suppose (small place with an
| operations team of approximately 2.5), and I have to say that I
| have no idea what proper security is supposed to mean today;
| it's very hard for me to tell the marketing from best practice
| now. It seems like what most products really are is an ass
| covering service so you can tell your leadership and your
| customers that you did the right things.
|
| Basically we work on keeping everything patched and try not to
| create any obvious issues. Honestly, I think the best thing we
| have going for us is obscurity.
| dogman144 wrote:
| Eval yourselves with the NIST Cybersecurity Framework and
| you'll get a good idea of where to work on. It's useful to
| guide an early stage security program doing all the things.
|
| Also, build a risk matrix of security risks the company can
| face by impact vs likelihood of the risk happening. Get
| someone senior to sign off on it.
|
| Use the NIST CSF and the risk registry with senior leadership
| support to guide the work you do.
|
| It'll be easier if you think about security as understanding
| your risk posture as an org, and that risk is either fixed at
| your level, carefully escalated to outside your teams for a
| fix, or labeled and accepted risk. Security teams should
| never be the ones to accept risk, so get a manager to see
| and acknowledge in writing whenever it's decided to just roll
| with a known vuln you're unable to fix without more
| time/money/tech. Try to fix as many risks as possible at your
| level as to not build an alarmist rep. Then, that leaves
| space to escalate into cross-team fixes (and you can point to
| the NIST CSF and the risk register with a senior leader's sit
| side as a baseline reason for why they need to fix it).
| mellavora wrote:
| It is also about governance.
|
| Do you have runbooks for your systems? (describes how to
| operate the system normally.)
|
| What about playbooks? (how to handle errors)
|
| Have you game-day-ed various failures? How long does it take
| you to restore everything from backup? What order do you
| bring your systems up?
|
| What level of monitoring do you have on your systems? Can you
| spot unusual activity? How quickly?
|
| What sorts of firewalls? Say "system X" is compromised. How
| far could damage spread from there?
|
| Obscurity won't protect you when cybercrime is a business
| model.
| nannal wrote:
| Consult with a security firm or specialist and they should be
| able to steer you in the right direction.
| chadash wrote:
| Two problems with this:
|
| 1) Like a car mechanic, these people get paid to sell you
| solutions and they are incentivized to sell you more.
|
| 2) Plenty of honest people have biases because of what they
| do. If you spend all day thinking about security you might
| be overly concerned about things that are actually not that
| risky.
|
| This isn't to say that there aren't great people working in
| the field. But it's daunting from an outsider's perspective.
| mrex wrote:
| Develop sufficient in-house subject matter expertise so
| that you're not depending on sales consultants to do your
| cyber program for you.
|
| Develop an empirical understanding of risk management.
| While we can't predict the future, through well
| established techniques and adequate resourcing,
| professionals can achieve consistent results that are far
| better than random guessing. Risk management principles
| drive not just corporate strategy writ large, but entire
| industries like banking and insurance.
| analyst74 wrote:
| It still comes down to a matter of urgency or value
| perception.
|
| You don't want your doctor to overlook any problems just
| because they are rare because your health is really
| valuable.
| SketchySeaBeast wrote:
| With the example of the doctor you run into the nocebo
| effect - you can spend a lot of time tracking down things
| that turn out to be of very low value which ends up
| causing more harm than good. To painfully extend the
| metaphor you could have an overly aggressive password
| policy and end up having users reusing passwords or
| writing them down.
| infosecSnowman wrote:
| I've recently gotten a lot of good guidance on security best
| practice from a new boss. A great place to start is the CIS
| 18 critical security controls. They cover most things for
| protecting an organization.
|
| Walk through the controls list, see where you compare to the
| controls and sub-controls and then start to establish a path
| forward.
| markwisde wrote:
| I'm a security engineer and nobody knows what's best
| practice. Everyone is making it up at this point, and
| security is still a nascent field. Most companies don't even
| have a security team.
|
| I think it's still not clear how you should build a security
| org, and if you should at all (should security be part of
| normal workstreams of your devs?)
|
| Btw I wrote about my experience in
| https://securityhandbook.io/
| dd36 wrote:
| Is there even best practice for non-cyber security at
| private businesses?
| shagie wrote:
| There is a best practice... but the issue is that the
| "best practice" is something that gets abused for cargo
| culting and _stopping_ at the discovery of the best
| practice.
|
| Some time back, I got a copy of "A Practical Guide for
| Policy Analysis: The Eightfold Path to More Effective
| Problem Solving" so that I could properly quote back the
| use of best practices.
|
| https://en.wikipedia.org/wiki/Best_practice
|
| With most times people are looking at best practices,
| they skip to the decide step without defining the problem
| - that's even been done here. Is there a best practice
| for non-cybersecurity at private business? Well, yes -
| but first, what is the problem that is trying to be
| solved? There's no "get this book of everything to do and
| you're good". On the other hand a "we have customer data
| that includes PII data, we need to secure the data and
| prevent casual examination of it in house" is a problem
| that can be looked at and a best practice can be found.
|
| The best practices involve a survey of looking at other
| organizations and seeing what they have done - what
| worked and what didn't.
|
| > Part IV "Smart (Best) Practices" Research -
| Understanding and Making Use of What Look Like Good Ideas
| from Somewhere Else
|
| > It is only sensible to see what kinds of solutions have
| been tried in other jurisdictions, agencies, or locales.
| You want to look for those that appear to have worked
| pretty well, try to understand exactly how and why they
| may have worked, and evaluate their applicability to your
| own situation. In many circles, this is known as "best
| practices" research. Simple and commonsensical as this
| process sounds, it represents many methodological and
| practical pitfalls. The most important of these is
| relying on anecdotes and on very limited empirical
| observations for your ideas. To some extent, these are -
| one hopes - supplemented by smart theorizing. This method
| is never perfectly satisfactory, but in the real world
| the alternative is not usually more empiricism but,
| rather, no thoughtless theorizing.
|
| > Develop Realistic Expectations
|
| > _Semantic Tip_ First, don't be misled by the word
| _best_ in so-called best practice research. Rarely will
| you have any confidence that some helpful-looking
| practice is actually the best among all those that
| address the same problem or opportunity. The extensive
| and careful research needed to document a claim of best
| will almost never have been done. Usually, you will be
| looking for what, more modestly, might be called "good
| practices."
|
| ---
|
| A "here is a list of all the best practices, follow
| these" is the wrong way to try to use best practices but
| rather relabeled cargo cult security.
| gsatic wrote:
| Corporate robots don't care.
|
| They have gotten away with so much for so long, they live in
| their own disconnected reality.
|
| When things break some of them cash out. Others find someone
| to blame. They don't pay a price at all. And the cycle
| continues.
|
| In China at least people are scared of the govt. In the west
| it's a total joke how no one is ever held responsible.
| 12many wrote:
| Yikes, I wouldn't boast about being scared of a govt.
| That's on the cusp of being fascist.
| reitanqild wrote:
| Isn't the ideal something like:
|
| Citizens should respect Government, and Government should
| fear citizens?
|
| I think we are straying away from both of these at the
| moment.
| kvathupo wrote:
| I think the commenter brings up an interesting point that
| China more effectively regulates industries that commit
| wrong [1]. I wouldn't reduce their point to being
| tantamount to fascism; rather, I read @gsatic as arguing
| for equal application of the law. This seems fundamental
| to the US constitution vis a vis John Locke: people
| (corporations in this case) cede rights for security. If
| we give corporations regulatory fines that pale in
| comparison to revenue as a result of malfeasance, are we
| allowing companies to enjoy our society's benefits,
| without having to sacrifice the same rights others do?
|
| [1] - Of course, this isn't the complete picture: China
| has a penchant for arbitrarily dealing a heavy hand to
| law-abiding companies/persons.
| coliveira wrote:
| dd36 wrote:
| Right. Democracy is fake...
| [deleted]
| 12many wrote:
| Because it's CNN and they like to make headlines with some
| bogus whistleblower that is concerned that some die-hard
| trumpers are going to hack top companies and create some kind
| of mass hysteria. Just the usual fear mongering in the news
| media to get views.
| throwawaylinux wrote:
| Did you actually read it? The story isn't some handwaving about
| companies in general having bad security. It's that Twitter's
| former head of security is blowing the whistle on "reckless and
| negligent cybersecurity policies" including deliberately
| misleading government regulators and its own board about
| various issues, and concerns about foreign espionage and
| disinformation.
|
| If you don't know how that's a story I don't know how to
| explain it to you, I can only assure you many people will find
| it extremely newsworthy.
| vlan0 wrote:
| I hear you. All of that is a big deal and should not be taken
| lightly.
|
| Maybe I'm a bit jaded by what I've seen, but that doesn't
| seem too far off from normal American business culture.
| Deflection and manipulation seem to be par for the course.
| It's why lobbyists exist. Companies want permission to do/not
| do the things they're not currently allowed/required to do.
|
| The ones that get caught are normally a few bad actors that
| whistle blow. The companies where it's ingrained in their
| culture get away with it. Of course...this is all my own
| experience :)
| [deleted]
| thomassmith65 wrote:
| It is certainly rampant. Amazon, for example:
| https://www.wired.com/story/amazon-failed-to-protect-your-da...
|
| That said, all these stories are important to the public.
| mrpopo wrote:
| Because people with a lot of money are inflating this story to
| get back at Twitter. It sounds like a conspiracy, but that's
| the most plausible explanation I have for why this specific
| whistleblower gets amplified by the media.
| jonstewart wrote:
| This specific whistleblower also happens to be mudge. It's
| funny how the initial top comments here don't seem to have
| any clue about who mudge is.
| papito wrote:
| Not a lot of companies get infiltrated by foreign agents or
| assets. Access to Twitter, in particular, can help unmasking
| anonymous sources, sensitive DMs, dissidents - and their
| locations.
|
| And, oh yeah - there is no "conspiracy".
| mrpopo wrote:
| I don't claim Mudge was infiltrating Twitter, nor that his
| claims to bad security are false, nor that it is not
| dangerous to use Twitter if you value privacy. Bad security
| at Twitter, or any other social media is a given. Remember
| they're in the _business_ of selling personal data.
|
| My claim is that this specific story which is most likely
| true but in no way surprising gets amplified right now
| because some specific powerful people wanted it so.
| papito wrote:
| Or maybe, you know, the media finds this story
| interesting because this is an extremely visible company
| with tons of influence on narratives around the world.
|
| Who are these "powerful people"? And why do they care
| about Twitter so much? Most powerful people aren't even
| ON Twitter.
| mrpopo wrote:
| I know about a certain person who has been doing very
| unorthodox moves towards the acquisition of Twitter since
| earlier this year; this person, as well as all the
| wealthy stakeholders who have a lot to lose if the deal
| goes through in an unprofitable way, would certainly gain
| a lot by amplifying this story with a few grands in the
| pockets of the CNN business editors.
| papito wrote:
| I think you are overestimating the influence of Elon Musk
| on American media, my friend.
|
| Are they enamored with him - for sure, are they in his
| actual pocket? Doubt it.
| mrpopo wrote:
| Not necessarily the man specifically. Anyone with a high
| stake in Tesla/SpaceX/long-termist companies and an arm
| in the media machine who would benefit from this press
| release.
| dd36 wrote:
| Or the current Twitter drama is precisely why it is an
| interesting story for the media.
|
| That said, given foreign influence campaigns in the news
| in the last 6 years, this would've been news then too.
| I'm sure it was news back in 2010 when the FTC ordered it
| to fix the problems.
| encryptluks2 wrote:
| At least you get it. I've seen worse on actual government
| systems.
| winternett wrote:
| > This is rampant. How is this a story?
|
| Well, it's on the front page of CNN right now for starters, so
| that means it's probably significant to a lot of people...
|
| If you have a business, you most likely need to promote it on
| Twitter, or to at least reserve an account there so that
| someone else won't impersonate you. You also need to do that on
| almost all other major social platforms.
|
| If you have a business or personal account on Twitter, your
| direct messages, the data the system generates about your
| preferences and interests, your geo-coordinates, and everything
| you post, including control of how your account works can
| apparently be accessed by too many people within the company.
|
| It's a pretty big deal for anyone that uses the platform citing
| all that... Not something that should just be "left to it's own
| devices" because everyone else is doing the same. All cases of
| data abuse/misuse should be addressed, but addressing one this
| big would also be a pretty big deal.
| trombone5000 wrote:
| > This is rampant. How is this a story?
|
| Because it's being publicly revealed.
|
| If the lax security you describe at other companies were also
| revealed, maybe more would be done to fix it.
| someonehere wrote:
| The previous head of security to Zatko talked about fixing these
| problems. I remember distinctly after the FTC crackdown there
| were all hands where the discussion came up. I guess these
| problems were never fixed.
| mzs wrote:
| >If you are wondering if the stuff about Twitter security being
| lapse is just one person complaining, you might be interested
| to know that, 18 months after being let go from the company,
| I've not been removed from their employees GitHub
| commiters[sic] group.
|
| ...
|
| >I can see private repos, yes.
|
| ...
|
| >A Twitter employee, Chris Banes, has claimed "that nothing
| internal or private is hosted on GitHub. It's all just open
| source code.". Here is a picture of a private, active, repo I
| had access to until about 50 minutes ago. Chris's statement is
| incorrect.
|
| https://twitter.com/alsutton/status/1562152606096658432
|
| https://twitter.com/alsutton/status/1562116259357024257
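The tweets quoted above describe a standard offboarding failure: a source-control group that is never reconciled against the HR roster, so a departed engineer keeps private-repo access for months. The check below is an added example, not the tweet author's tooling and not Twitter's; the roster and team snapshot are constructed inline, where a real run would pull the roster from the identity provider and the membership list from the GitHub organisation/teams API.

```python
"""Reconcile a source-control team against the HR roster (added example)."""
from datetime import date

# Constructed HR roster: login -> (status, termination date or None).
ROSTER = {
    "dev_active": ("active", None),
    "dev_gone": ("terminated", date(2021, 2, 20)),
    "dev_left_yesterday": ("terminated", date(2022, 8, 22)),
}

# Constructed snapshot of the "committers" team membership.
COMMITTERS = ["dev_active", "dev_gone", "dev_left_yesterday", "unknown_contractor"]


def find_orphans(roster: dict, members: list, today: date, grace_days: int = 1) -> list:
    """Return team members who should no longer hold access: logins HR does not
    know at all, and logins terminated more than grace_days ago. Results are
    sorted so the longest-standing orphan (the biggest exposure) comes first."""
    orphans = []
    for login in members:
        record = roster.get(login)
        if record is None:
            orphans.append({"login": login, "reason": "not in roster", "days": None})
            continue
        status, term = record
        if status == "terminated" and term is not None:
            days = (today - term).days
            if days > grace_days:
                orphans.append({"login": login, "reason": "terminated", "days": days})
    # unknown accounts first, then by days since termination, descending
    return sorted(orphans, key=lambda o: (o["days"] is not None, -(o["days"] or 0)))


if __name__ == "__main__":
    for o in find_orphans(ROSTER, COMMITTERS, today=date(2022, 8, 23)):
        print(o)
```

Run on a schedule and alert on a non-empty result; the same reconciliation applies to any group that confers access (cloud IAM roles, VPN groups, chat workspaces), and the "days" field makes it easy to see which gaps have been open longest.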
| rossdavidh wrote:
| It's not just this, but a long series of Twitter-related
| debacles, that are starting to look less like a company in
| trouble, and more like a company circling the drain. Do we have
| any real reason to think Twitter might not be able to survive all
| this? No one seems to think they're profitable, not even when ad
| revenue generally was a lot better than the economic environment
| we're going into. No one who's capable of buying it seems to want
| to buy it; the reason the poison pill vs. Elon Musk's initial
| purchase attempt was dropped, is that they checked around and got
| no other buyers. It's not just the legal and PR problems, it's
| that there's no $$$ on the other side to make it worth those
| problems, and we're heading into a "you need to make money"
| environment. I think they might be circling the drain...
| jonathankoren wrote:
| Sure the article focuses on Mudge because he's blowing the
| whistle, but Mudge _and_ Rinki Sethi (ex-CISO) were fired at the
| same time.
|
| When you fire both your chief of security and your CISO months
| after you hire them, it's weird. Even if your chief of security
| had personal failings, why fire his boss? If the boss falls on
| her sword for direct, that certainly makes me think to take what
| they're saying seriously.
| mupuff1234 wrote:
| boffinAudio wrote:
| The article states he has had no contact with Musk and that the
| whistleblowing started before Musk attempted his takeover of
| Twitter ..
| chalst wrote:
| It's tinfoil hat territory, but the connection could run the
| other way in principle: the ex-exec could have been shopping
| for someone to injure Twitter and cooked up a plot in which
| Twitter was an innocent victim and Musk a double-crossed
| coconspirator.
|
| Why, it explains Musk's confidence that Twitter was up to
| something with its fake-account stats... It _must_ be true!
| [deleted]
| zimpenfish wrote:
| On the other hand, if you want to fan the conspiracy flames,
| he does have strong ties to Dorsey (via Stripe and Twitter)
| and Dorsey has always been Team Musk, especially re: the
| takeover.
| PedroBatista wrote:
| While I'm sure Twitter and every social network internal politics
| suck and are full of sleazy people who hold themselves in very
| high regard, these accusations seem weak.
|
| He appears to indicate precisely what is public, like the 5%
| bots, but then goes into the usual obscure "I know it's not
| that number and the structure is incentivized in the wrong way.."
|
| Obviously he has an axe to grind and I wouldn't be shocked if
| Elon was directly involved with this, but I'm not sure this
| vagueness holds in court..
| kmfrk wrote:
| I hate being asked to hand over my phone number for 2FA or
| similar protections. Or facing the choice between deleting all my
| DMs or risking them being compromised on account of no E2E
| support. Then again, even if you delete something, there's no
| knowing what their data retention handling is.
| strict9 wrote:
| I think it's safe to assume most anything you delete from a web
| app gets a deleted boolean or timestamp field set and the
| content persists in the database indefinitely.
|
| In my experience I've found it rare that user content is ever
| actually permanently deleted for various reasons.
| digitallyfree wrote:
| Yeah that's how most of them work. On some platforms (e.g.
| Reddit) if you do a full data request you'll see all your
| deleted comments as it's still there in the database, just
| hidden from public view.
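The two comments above describe the soft-delete pattern: a "delete" flips a flag or timestamp, the row stays, the public view filters it out, and a data export (or a subpoena, or an attacker with database access) still returns it. As an added example, not code from the thread or from any of the platforms mentioned, here is a minimal version on SQLite showing the three views of the same row, plus the retention purge that most sites never get round to implementing. The table, columns, and sample rows are constructed.

```python
"""Soft delete versus real deletion, demonstrated on an in-memory SQLite DB.

Added example with constructed data; timestamps are ISO-8601 strings so
that string comparison in SQL matches chronological order.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE posts (
    id         INTEGER PRIMARY KEY,
    author     TEXT NOT NULL,
    body       TEXT NOT NULL,
    created_at TEXT NOT NULL,
    deleted_at TEXT            -- NULL = live; set on "delete", row is kept
);
"""

# Constructed sample rows.
SAMPLE_ROWS = [
    (1, "alice", "hello", "2022-07-01T00:00:00"),
    (2, "alice", "secret dm", "2022-07-02T00:00:00"),
    (3, "bob", "hi", "2022-07-03T00:00:00"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO posts (id, author, body, created_at) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def soft_delete(conn: sqlite3.Connection, post_id: int, now_iso: str) -> int:
    """What the 'Delete' button usually does: stamp the row, keep the content.

    Returns the number of rows affected (0 if already deleted or unknown id).
    """
    cur = conn.execute(
        "UPDATE posts SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (now_iso, post_id),
    )
    conn.commit()
    return cur.rowcount


def public_timeline(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """The view users see: deleted rows are filtered out, not gone."""
    return conn.execute(
        "SELECT id, body FROM posts WHERE deleted_at IS NULL ORDER BY id"
    ).fetchall()


def data_export(conn: sqlite3.Connection, author: str) -> List[Tuple[int, str, Optional[str]]]:
    """A full-account export (or a DB read by an insider) still returns them."""
    return conn.execute(
        "SELECT id, body, deleted_at FROM posts WHERE author = ? ORDER BY id",
        (author,),
    ).fetchall()


def purge_expired(conn: sqlite3.Connection, now_iso: str, retention_days: int) -> int:
    """Hard-delete rows whose soft-delete stamp is older than the retention window.

    This is the step that turns 'hidden' into 'gone'; returns rows removed.
    """
    cutoff = (datetime.fromisoformat(now_iso) - timedelta(days=retention_days))
    cur = conn.execute(
        "DELETE FROM posts WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (cutoff.isoformat(timespec="seconds"),),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    soft_delete(db, 2, "2022-08-01T12:00:00")
    print("public:", public_timeline(db))
    print("export:", data_export(db, "alice"))
    print("purged:", purge_expired(db, "2022-09-01T12:00:00", 30))
    print("export after purge:", data_export(db, "alice"))
```

The retention purge is what a policy like "deleted content is removed after 30 days" actually requires; without a job like `purge_expired` running, the honest description of the feature is "hidden", and backups and replicas extend the window further still.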
| beeboop wrote:
| > various reasons
|
| advertising, controlling executives, and government spying
| thepasswordis wrote:
| Or devs who fear some runaway bug.
| DangitBobby wrote:
| Or a disgruntled employee or a hack or any of the other
| reasons you might want deletes to be reversible.
| DaftDank wrote:
| I assume that storage has gotten so cheap now that storing
| everything forever is feasible for companies? I always knew
| they had to retain content for X period of time, to comply
| with laws about data retention for criminal investigations,
| but I always assumed (from reading about it 10+ years ago)
| that because of how much extra storage space all the
| "deleted" content would take up, that it wouldn't be feasible
| for them to do it long-term for everything. I knew that would
| become a moot point eventually, and I suppose that is now.
| imchillyb wrote:
| Mudge = Competent advisor, Cybersecurity expert, Senate special
| witness.
|
| Twitter board = Incompetent, Liars, Corporate cronies.
|
| Which of these two sources do _YOU_ believe is more reliable?
| Yeah. That's gonna be the general consensus.
|
| Mudge-1 / Twitter-0
| neilv wrote:
| For a solid and genuine technical person considering a CISO or
| CISO-like role, I've had the impression that they have to be very
| selective where they go.
|
| Even in what I'd guess is an "ideal" situation, of tractable
| technical&process problems, and genuine buy-in from the C-suite
| for solving/improving them, there's still going to be
| dynamics/politics to navigate.
|
| I also hear of a lot of much-less-than-ideal situations.
| donohoe wrote:
| So the CNN article lacks any detail really. There are things on
| the surface that sound bad but without context it's impossible to
| tell.
|
| Has anyone gone through the Washington Post story and the PDFs
| and found the real issues?
| SilverBirch wrote:
| I think it's a pretty open secret that Twitter is a fairly broken
| company. It's no surprise that their security practices are bad,
| because _all_ their practices are bad. It's also very difficult
| to view this in isolation when you have the timeline of (1):
| Fired in January, nothing happens. (2) Musk makes offer for
| twitter then reneges. (3) Months before the lawsuit gets decided
| re-emerges with accusations.
|
| What happened that caused him to suddenly start whistleblowing
| now, and not in January? Was it the same thing that caused Ken
| Paxton in Texas to start investigating Twitter?
|
| This just looks like pretty plain mud-slinging from Musk's team
| to be honest. Especially since the Whistleblower seems to
| basically be blowing the whistle on himself.
| carvking wrote:
| Mudge: "Jack Dorsey reached out and asked me to come and
| perform a critical task at Twitter. I signed on to do it and
| believe I'm still performing that mission," he said.
|
| Seems like a legit answer. No need to accuse people of slinging
| mud.
| wpietri wrote:
| Jack Dorsey's not there anymore, and the current executives
| clearly have a different view. So I think the question of
| "why now and why like this" is still open. Given how many
| savvy technologists use HN, I'd bet we could put together a
| list of thousands of companies with concerning-to-reckless
| security practices. But for better or worse, most of us don't
| end up getting our concerns on CNN.
| jonstewart wrote:
| An important detail: the whistleblower is mudge. I'm at a bit
| of a loss for words comparing him to Ken Paxton.
| agentultra wrote:
| This was my first thought. TFA claims he started the
| whistleblower process before the Musk deal was signed. Seems
| kind of fishy though.
| pb7 wrote:
| Maybe, just maybe, Twitter is actually a poorly run company
| and it's not a conspiracy.
| themitigating wrote:
| Poorly run but also being targeted by conservatives who are
| using their government positions to destroy a liberal west
| coast company that harms their ability to get elected.
| TeeMassive wrote:
| I don't remember conservatives threatening Twitter to
| censor "dangerous" views or "misinformation" or telling
| who to ban.
| encryptluks2 wrote:
| I remember conservatives advocating for business rights
| to refuse service when they were asked to bake a cake for
| a gay couple.
| Banana699 wrote:
| Because a random bakery shop is totally like a pseudo-
| monopolistic social media giant that can censor millions
| arbitrarily and at will.
| themitigating wrote:
| it's not a monopoly because there are alternatives, and
| it only has a 10% market share in the US
| (https://gs.statcounter.com/social-media-
| stats/all/united-sta...).
|
| The bakery also sets precedent as it did go to the
| supreme court, and it was used as a rallying cry by
| politicians on the right.
| Banana699 wrote:
| So, in simpler words, they _are_ indeed a pseudo-
| monopolistic (pseudo means apparent, something very close
| to but not quite there) social media giant that _can_
| indeed censor millions (10% of USA's population is 30
| million) arbitrarily and at will? Ok :)
|
| And whether a bakery serves your gay wedding or not is
| perhaps the most petty and inconsequential thing to be
| upset about. There are thousands upon thousands of
| bakeries in a large city. You can learn how to bake a
| cake in a weekend and home-bake your wedding cake
| yourself, or any one of your wedding guests can do this
| as a wedding gift. You can go to a no-gays-allowed bakery
| but simply not tell them you're gay, and take a finished
| cake from them then write your own name and that of the
| guy you will marry on it yourself. You can not get cake
| at all and instead get any of the thousand other types of
| wedding sweets and food.
|
| It's almost like the whole thing is a hilarious non-issue
| that some people just invented to cry and act like
| victims about.
| pb7 wrote:
| Monopoly on what?
|
| There are not thousands of bakeries in any city. Many
| towns might have none, or one. In that regard, the bakery
| will have an actual monopoly on baked goods to people
| living there.
| Jensson wrote:
| The baker is a person with rights as well, you can't
| force him to make a special order cake for something he
| disagrees with. You can force him to sell standard cakes,
| and they offered to sell standard cakes in the case, but
| the customers wanted to force him to make a designed
| cake, that would be against the bakers individual rights.
|
| Large corporations lack those individual rights for
| obvious reasons, so large corporations should be forced
| to provide services to everyone even though individuals
| shouldn't always be.
| Banana699 wrote:
| >Monopoly on what?
|
| On users. Any network is worth a function of the number
| of nodes in it (typically a quadratic). Social Media are
| networks that link humans, and there is a finite number
| of humans (or, more accurately, internet-connected humans
| with time to spare) that grows very slowly and inevitably
| will stagnate. That means a social network is in direct
| zero-sum competition with all the other networks, and a
| giant like twitter hurts everybody else by concentrating
| a significant proportion of users into a single (awful)
| place, destroying competition by the lock-in effects of
| network dynamics.
|
| >There are not thousands of bakeries in any city
|
| There are in my city, actually. Dialing the number down
| to the hundreds or the high tens doesn't significantly
| change the validity and implications of the argument
| either.
|
| > In that regard, the bakery will have an actual monopoly
| on baked goods to people living there.
|
| If you can actually prove that in a court, and if you
| furthermore prove that the complaining party will incur
| significant costs to themselves if they try to seek
| another bakery elsewhere (by a reasonable legal definition
| of 'significant'), then you have my full blessing to
| force people to bake your cake.
|
| Until then, comparing an easily-replaceable food product
| with tons of suppliers and publicly-available recipes to
| a proprietary service supplied by a corporation with
| thousands of servers, thousands of employees and tens of
| millions of users is ideologically motivated bullshit.
| kmeisthax wrote:
| Bigger example: Donald Trump called Net Neutrality
| "Obamacare for the Internet", back when the bug-bear was
| Comcast rather than FAANG.
| TeeMassive wrote:
| Ending the enforcement of Net Neutrality was not about
| censoring content or subjects.
| kmeisthax wrote:
| The specific worry about Net Neutrality was that ISPs
| would use their monopoly power to censor specific sources
| and/or self-preference their own businesses. It's
| something that should have been _expanded_ to large
| online platforms rather than being disposed of entirely.
| TeeMassive wrote:
| As you said, it was a worry, but ending Net Neutrality
| about enforcing government censorship was never even an
| argument being made at all by any sides of the issue.
| TeeMassive wrote:
| You are making a false comparison. They refused to write
| a particular message, not to not serve the customer a
| cake.
| themitigating wrote:
| They push for censorship of pornographic material, which
| is less dangerous than misinformation about vaccines.
| TeeMassive wrote:
| What's the problem with making public pages SFW?
| labcomputer wrote:
| And they say the Tesla _fans_ are a cult... I'm at a loss for
| words.
| jmeister wrote:
| Did you read the article before slinging mud yourself? The
| whistleblower has been communicating with DC way before EM
| entered the picture.
|
| Media only got its hands on the leaked material now.
| SilverBirch wrote:
| I read the article, and it doesn't say what you said.
|
| >Zatko began the whistleblower process before there was any
| indication of Musk's involvement
|
| Define "Began the whistleblower process". Because that seems
| like an extremely fuzzy way of saying this. And even if you
| accept that he was genuinely a whistleblower in good faith
| trying to do this, which I'm perfectly willing to accept, the
| fact it's coming out in public now is still convenient
| timing.
|
| It does say
|
| >The disclosure, sent last month
|
| Which means that the actual firm date we have coincides
| perfectly with Musk's legal wranglings.
| jjulius wrote:
| Not exactly. The CNN article doesn't say that, and The
| Verge's piece[1] on this puts it together pretty clearly.
|
| >Zatko was fired by Twitter in January and claims that this
| was retaliation for his refusal to stay quiet about the
| company's vulnerabilities. Last month, he filed a complaint
| with the Securities and Exchange Commission (SEC) that
| accuses Twitter of deceiving shareholders and violating an
| agreement it made with the Federal Trade Commission (FTC) to
| uphold certain security standards. His complaints, totaling
| more than 200 pages, were obtained by CNN and The Washington
| Post and published in redacted form this morning.
|
| So, breaking it down more concisely:
|
| 1.) Fired in January
|
| 2.) Musk tries to buy Twitter in early April
|
| 3.) Complaint filed with SEC in July by Mudge ("way [after]
| EM entered the picture")
|
| 4.) WaPo published redacted, 200-page report today
|
| [1]https://www.theverge.com/2022/8/23/23317857/twitter-
| whistleb...
|
| Edit: This is not an endorsement of mud-slinging, just an
| attempt to make sure everyone knows what actually happened
| and when, at least as best we can discern at this point.
| jacooper wrote:
| Apparently he started the whistleblowing process before any
| Musk involvement with Twitter.
|
| https://twitter.com/KimZetter/status/1562061556745089025
| tablespoon wrote:
| > Apparently he started the whistleblowing process before any
| Musk involvement with twitter.
|
| According to his lawyer as reported by someone on Twitter.
| IIRC, lawyers make statements that guilty clients are
| innocent all the time.
|
| If he was working with Musk to help him wiggle out of the
| Twitter deal, it would fatally undermine the goal to come
| out publicly about the relationship. I'm skeptical unless
| they can provide verifiable 3rd party evidence (e.g. some
| document filed before the deal).
| sp332 wrote:
| Linking to a Twitter thread is a little indirect, but Kim
| Zetter is a reporter on the infosec beat, and if you scroll
| up, you can see the link to the CNN article she's
| discussing. Also here's a video that includes the lawyer
| saying it out loud.
| https://mobile.twitter.com/donie/status/1562020176278716416
| (@donie is the first person to talk in the video.)
| Larrikin wrote:
| So instead of taking a statement from the lawyer you think
| it makes more sense to wildly speculate and make things up?
| The burden of proof falls on the other side now to prove
| the whistle blowing started after Musk.
| Arainach wrote:
| A statement from a lawyer saying "this is older" isn't
| evidence. Until the lawyer shows an example of any form
| of whistleblowing predating Musk, this is still on them.
| [deleted]
| adamsmith143 wrote:
| I mean I want to give the guy the benefit of the doubt but is
| the only evidence that was the case this journalist saying
| "Mudge totally told me he did this before Musk got here I
| swear."
| criddell wrote:
| It doesn't really sound like you want to give him the
| benefit of the doubt.
| TimCTRL wrote:
| Musk's account was among those that were hacked in the 2020
| high profile hack. He made the offer in 2022, he therefore
| can't claim to not have known that twitter's security isn't
| 100% and really can't use this in court, I guess
| rtkwe wrote:
| The contract Musk signed was very very one sided, from
| everything I've been reading there's very little Musk can
| claim that would let him scuttle the deal.
| phlhr wrote:
| the contract does not allow twitter to commit fraud. Which
| they have.
| [deleted]
| gonzo41 wrote:
| In real life, if you're in the public square shouting your
| opinions at whomever will listen it's somewhat risky. Twitter
| are just providing the same digital risk for the modern public
| square. It's a feature, not a bug.
| happyopossum wrote:
| You're ascribing the worst possible motives to someone based on
| your hatred of Elon Musk. Someone who has no known relationship
| with Musk, who has claimed publicly they started this process
| before Musk was involved with twitter, and who is a long
| standing and well regarded figure in the infosec world.
|
| I think you're gonna need more than Musk Derangement Syndrome
| fueled conspiracy theories to make your accusations stick here.
| itsoktocry wrote:
| > _You're ascribing the worst possible motives to someone
| based on your hatred of Elon Musk._
|
| I'm not going to claim some big conspiracy here, but I do
| find this beyond coincidence.
|
| I don't think that this is coming out now because Mudge is
| acting on _behalf_ of Elon. I think Elon's Twitter bid (and
| ensuing drama and upcoming lawsuit) and this revelation are
| part of the same agenda. For better or worse, it looks like
| influential powers that be are going to take down/over
| Twitter.
| the_doctah wrote:
| >it looks like influential powers that be are going to take
| down/over Twitter
|
| Let them, Twitter can't get any worse.
|
| At the very least, let's get to the bottom of the bot
| problem and expose these companies who rely on bot activity
| to drive their MAU numbers and as a result, their inflated
| valuations.
| factorialboy wrote:
| > Especially since the Whistleblower seems to basically be
| blowing the whistle on himself.
|
| Whistleblowers are by definition insiders.
| chihuahua wrote:
| Yes, but that's not the point here.
|
| A typical whistleblower would say "There were security
| problems, and the head of security ignored them."
|
| Here, it's "I was the head of security, and security was
| shitty. I was doing a shitty job, and that's a terrible
| scandal!"
| msh wrote:
| Its more like "I was head of security and the CEO blocked
| me and tried preventing me reporting the true state of
| affairs to the board."
| SilverBirch wrote:
| I think the thing about reporting things to the board is
| extremely open to interpretation. The board doesn't need
| to know absolutely every skeleton in the closet -
| especially if you're aware and in the process of fixing
| something.
| Sohcahtoa82 wrote:
| As others have said, being head of security is meaningless
| if the people in charge of actually making changes refuse
| to make the changes you prescribe.
|
| I've been in that situation at a previous job. The
| infrastructure for our service was set up so that EC2
| instances would start up and pull their code from a central
| repo. But this repo was open to the world and did not
| require authentication. It was only a matter of time before
| some malicious user discovered this and our proprietary
| server code got leaked.
|
| It took weeks of hounding and escalating until something
| changed, and at first all they did was change the security
| groups to limit where you could connect from, and even the
| first patch merely limited it to a few /8 and /16 CIDRs
| that covered massive swaths of AWS-owned IPs. They still
| didn't require authentication.
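The comment above illustrates a common half-fix: after weeks of escalation the "remediation" was to add security-group rules allowing a few /8 and /16 CIDRs, which still exposes the unauthenticated repository to a large fraction of AWS. As an added example (not the commenter's code, nor anything from Twitter), here is a check that walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags ingress rules whose source is the whole internet or a prefix broader than a chosen threshold. The group IDs, names and CIDRs below are constructed; the thresholds (/24 for IPv4, /64 for IPv6) are this example's choice and should be tuned per environment.

```python
"""Flag overly broad ingress rules in EC2 security groups.

Added example on constructed data laid out like the JSON from
`aws ec2 describe-security-groups` (SecurityGroups[].IpPermissions[]).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the original wide-open group and the "patched" one
# that merely narrowed the source to a couple of huge cloud-provider ranges.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "code-repo",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "code-repo-patched",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "52.0.0.0/8"},
                       {"CidrIp": "54.240.0.0/16"},
                       {"CidrIp": "10.0.1.7/32"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]

Finding = Tuple[str, str, str, str]  # (group id, port range, cidr, reason)


def _port_range(perm: Dict) -> str:
    """Render the rule's port span; IpProtocol "-1" means every protocol/port."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    return f"{perm.get('FromPort')}-{perm.get('ToPort')}"


def broad_ingress(groups: List[Dict], min_prefix_v4: int = 24,
                  min_prefix_v6: int = 64) -> List[Finding]:
    """Return one finding per ingress CIDR that is world-open or too broad.

    A prefix length of 0 is reported as open to the world; anything shorter
    than the per-family minimum is reported as too broad. Hosts (/32, /128)
    and narrow subnets pass.
    """
    findings: List[Finding] = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [(r["CidrIp"], min_prefix_v4) for r in perm.get("IpRanges", [])]
            sources += [(r["CidrIpv6"], min_prefix_v6) for r in perm.get("Ipv6Ranges", [])]
            for cidr, min_prefix in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the world"
                elif net.prefixlen < min_prefix:
                    reason = f"prefix /{net.prefixlen} broader than /{min_prefix}"
                else:
                    continue
                findings.append((group["GroupId"], _port_range(perm), cidr, reason))
    return findings


if __name__ == "__main__":
    for gid, ports, cidr, reason in broad_ingress(SAMPLE_GROUPS):
        print(f"{gid} {ports} from {cidr}: {reason}")
```

Run against real output with `json.load` on the `SecurityGroups` array. Note what the check cannot tell you: a rule that passes still says nothing about authentication on the service behind it. Narrowing the source list is defence in depth around an authenticated endpoint, not a substitute for one, which is the commenter's point.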
| PurpleRamen wrote:
| It's not his responsibility if someone with more power is
| sabotaging his work. He tried to do his work, realized it
| was not possible, and escalated to a higher authority. A
| bit unusual, but technically a way to maybe solve the
| problem and still do the job at the end.
| pb7 wrote:
| He tried to change things and was stopped by people
| actually in power (CEO, the board). Being head of security
| means nothing if you aren't allowed to do your job. He was
| also there for less than 2 years. If you read the article,
| you'll find that Twitter has had awful security practices
| since at least 2010.
| encryptluks2 wrote:
| How do you know that? The only way you'd find out is if
| there is a lawsuit that exposes said information.
| Everyone here is assuming because they want to believe
| Twitter is an evil behemoth. I'm not suggesting they are
| wrong, but this guy could have done the bare minimum for
| all we know thinking his status gave him basically a free
| income to do almost nothing. I would wait until more
| information comes out before making such generalized
| assumptions.
| pb7 wrote:
| I'm relaying information from the article based on the
| 200-page document sent to government agencies. Everything
| else is speculation based on nothing.
| prophesi wrote:
| We're all speculating here.
|
| But if I were a betting man, I do think both Twitter and
| Mudge's respective track records would place me in
| Mudge's camp.
| josefresco wrote:
| I don't know Mudge and neither does 99.9% of the public.
| His timing here is suspect. If these problems existed for
| so long, why now?
| pb7 wrote:
| He just got fired in January. Preparing a 200-page legal
| document with references and accounts takes time. It had
| been submitted some time ago, it's only now that CNN got
| a hold of a copy.
| prophesi wrote:
| I'm not sure why any sizeable portion of the public would
| know _any_ reputable cyber security experts. Twitter's
| CEO said the firing was due to "the impact on top
| priority work", and whistleblowing 6 months later isn't a
| surprising timeline when you need to have long talks with
| an attorney and get your own work-life situated.
| josefresco wrote:
| Mudge specifically referenced Musk in his complaint. This
| isn't just 6 months of due diligence it's targeted and
| timed for maximum damage.
| SilverBirch wrote:
| Sure, but it's not normally the guy _in charge_ of security
| that gets to complain the security isn't good enough.
| zhengyi13 wrote:
| I seem to read fairly often about security folk (or even
| plain ol' sysadmins) bemoaning their companies' security,
| like their presence or oversight is a box checking exercise
| rather than a real commitment.
| bombcar wrote:
| Being in charge of security usually means two things:
|
| 1. You find out all the problems. 2. You can't fix all of
| them (many reasons here, not all malicious) and are setup
| to take the fall.
|
| Rinse and repeat.
| alvis wrote:
| Looking at @paraga's response over the incident, I don't see
| attacking Mudge Zatko's character does any help here. Does he
| know it can backfire?
|
| https://twitter.com/donie/status/1562069281545900033
| encryptluks2 wrote:
| Alleged whistleblower publicly attacks company's
| reputation... A okay, I hate big tech companies.
|
| CEO of company defends organization and says previous
| employee has ulterior motives... Not okay, I hate big tech
| companies.
|
| See a trend here?
| [deleted]
| raxxorraxor wrote:
| To be honest, Twitter didn't manage expectations. If I register
| on such a platform, I expect my mail/pwd combination to stay
| reasonably safe. Reasonably, because there is never a
| guarantee.
|
| The rest of these expectations are entirely on the users. If
| people take security as seriously as they proclaim, they should
| not have registered. To now demand meticulous access controls
| sounds a bit neglectful to me...
| _fat_santa wrote:
| If you've worked for any major F500 Enterprise, this is all par
| for the course. Currently on a contract with a healthcare
| giant, while security is pretty tight because HIPAA, generally
| everything else is chaotic. I'm going to speculate that Twitter
| is probably worse than the mean, but at pretty much every large
| company that operates massive pieces of software, you're gonna
| get a ton of chaos by default.
| [deleted]
| johndhi wrote:
| this was my reaction, too. and I'd add: the legal requirement
| is basically to have 'industry standard' security; no more
| and no less. there is no legal requirement to have air tight
| security (which probably isn't even technically possible at a
| company of this scale anyway).
| mcqueenjordan wrote:
| It takes time to compile documents and write these things.
| toss1 wrote:
| >> thing that caused Ken Paxton in Texas to start investigating
| Twitter?
|
| Immediately thought of this item that came up in my Twitter
| news feed last week [0]
|
| >> "Elon Musk went to Kevin McCarthy's Party last night in
| Wyoming--to celebrate Liz Cheney's loss. While speaking at the
| MAGA party, Musk asked everyone to deny that he was there. Musk
| made sure that no press was allowed anywhere near the property
| -- then people started posting selfies"
|
| I'm sure Musk wasn't there to privately insult the Republican
| leaders by acting like they're the ugly person that they'll
| date in private but don't want anyone knowing about -- he's
| almost surely seeking some kind of influence/benefit.
|
| Maybe coincidence, but I certainly wonder about the purpose?
|
| [0]
| https://twitter.com/FriendEden100/status/1559974086264209414
| awinter-py wrote:
| I mean separately from security questions here, it seems not
| great that 'public social media' platforms are operating their
| own DMs
|
| DMs should be BYO provider
| naltun wrote:
| I learned a lot about Mudge by reading "Cult of the Dead Cow: How
| the Original Hacking Supergroup Might Just Save the World."
|
| For anyone wanting to explore 90's security nostalgia, it's worth
| a read. For anyone wanting to learn where hacktivism comes from,
| it's worth a read. For anyone wanting to learn about how security
| consulting has evolved over the years, it's worth a read.
|
| Mudge is a very cool and capable individual. I am slightly
| surprised that Twitter would ignore someone of his talent and
| respect, and choose to air their dirty laundry in this manner.
| It's as if they have no idea who they hired. That, or C-levels
| think they can outpay $$$ any PR against Twitter to control the
| narrative. Either way, if Mudge is whistleblowing, there's
| probably some bad shit going down.
| rossdavidh wrote:
| It appears that Dorsey was the one who hired him, and then
| Dorsey left, which might explain why they act as if "they have
| no idea who they hired".
| [deleted]
| motohagiography wrote:
| The whistleblowing case is a new dimension. To me as an outsider
| it implies Agrawal may have also been the manager in his previous
| technical role for a lot of the tech problems Zatko identified,
| and what made Agrawal CEO was his ability to leverage these
| problems to play ball with all the interests in that company and
| board, while sustaining through neglect some of those concerning
| practices within the organization. Twitter's product isn't
| technology, it's an uncertified slot machine that pays out in
| political influence, and there are a lot of big interests
| depending on their cut of it. They needed a steady hand who
| wouldn't be vulnerable to being swayed by principle, and that's
| the one thing you don't keep hackers around for, imo.
|
| If I were betting, nothing is ever really systemically broken in
| large orgs, it just works for someone you can't see. This is a
| factor everywhere and not necessarily at Twitter. Shitty process?
| Cui bono. Unverifiable systems? Cui bono. Deniable and
| unaccounted-for access to God-mode data? Cui bono. Repudiable
| numbers reporting? Cui bono. Bizarre political posturing? Cui
| bono, etc.
| nullc wrote:
| Part of the allegation seems to be that the beneficiaries may
| be foreign state actors who have infiltrated the organization.
|
| Not particularly shocking as they'd have to be incompetent to
| not try to infiltrate a major communications platform, and if
| the internal controls are as bad as alleged (and as exposed in
| some of the prior hacks, e.g. the control panel screenshots)
| they'd have to be incompetent to fail.
| sn0w_crash wrote:
| Mudge is a very credible source. Interesting to see where this
| goes. Twitter has gone through more security heads than any high
| tech company should. Not surprised it's a chaotic environment.
| ok123456 wrote:
| No he's not. He's literally on the CIA payroll along with the
| rest of CDC.
|
| He has a track record of making up ridiculous stories that
| serve his task masters. Remember the "Hong Kong Blondes"? Oh
| right it turned out to be completely fake.
| [deleted]
___________________________________________________________________
(page generated 2022-08-23 23:00 UTC)