13 votes

Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies

8 comments

  1. Grendel
    The greatest threat to cyber security isn't the criminals, but rather it is the leadership's refusal to acknowledge the problems and give the appropriate resources to correct them.

    I'm pretty blessed to be on a cyber security team that has amazing support and resources from our company's leadership.

    10 votes
  2. skybrian
    (edited)
    From the article:

    The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

    [...]

    The scathing disclosure, which totals around 200 pages, including supporting exhibits -- was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ and FTC declined to comment; the Senate Intelligence Committee, which received a copy of the report, is taking the disclosure seriously and is setting a meeting to discuss the allegations, according to Rachel Cohen, a committee spokesperson.

    You can read Mudge's report to the SEC here (Washington Post) and related links in a Hacker News comment.

    If you're not previously familiar with Mudge (I only vaguely knew about him), the Wikipedia article should be interesting, as well as the first couple of footnotes in his report.

    7 votes
    1. skybrian
      (edited)
      Page 9:

      II. Lying about Bots to Elon Musk

      [...] there are many millions of active accounts that are not considered mDAU [monetizable daily active users] because Twitter does not believe it can monetize them.

      This part doesn't seem surprising. That's why they defined mDAU after all, as an advertising metric? Not sure this changes anything for the acquisition, but we'll see what Matt Levine says tomorrow.

      Edit: actually I'm a day behind and Matt Levine already wrote about this:

      But if you believe Zatko’s claims, you could spin some legal arguments from them. (Ann Lipton has a good Twitter thread analyzing what Zatko’s claims could mean for Musk.) If Twitter was bad at safeguarding user data, did that violate the law (including in particular its 2011 settlement with the Federal Trade Commission over user data)? Were Twitter’s securities filings misleading, because they didn’t disclose all of its security vulnerabilities? When all this stuff comes out, will that cause a “material adverse effect” on Twitter’s business, which will let Musk get out of the deal? Meh, I don’t know.

      Even if these claims are true, and even if they are evidence of fraud or material adverse effect, they are not evidence of anything that Musk has been complaining about. Musk would have to, like, send Twitter a new termination letter saying “never mind about the bot stuff, now I’m terminating the deal because of the security vulnerability stuff.” But he could do that, why not. He’s not limited to the excuses he’s already tried; if people keep finding him new excuses to get out of the deal, he can try those too. Maybe one will work.

      5 votes
  3. Amarok
    “A best practice is that you should only be authorized to see and access what you need to do your job, and nothing else,” said former U.S. chief information security officer Gregory Touhill. “If half the company has access to and can make configuration changes to the production environment, that exposes the company and its customers to significant risk.”

    Man, that's straight up insane. The network is the security. I spent a lot of time managing firewall rules and Active Directory policy that was crafted to make damn sure employees could only access the systems they were authorized to use for their projects. It's not that hard, once you set it up so that you can just move people into and out of various project groups in those systems. Twitter hasn't even got a unified and fully managed corporate network infrastructure from this account. I see no real reason not to take Mudge at his word, either.

    Every company has some secret toys they use to manage their systems that are not shared with anyone else, even the customers. Developers inevitably build them for their own convenience/sanity and that is to be encouraged, they are massive time savers. They don't go through an API - they go with heightened privs straight into the database and application/system configurations. They do include features like "delete everything in the database" or "dump xyz to a file for analysis" or "access sensitive logs we only keep for seven days" or "show me all the deleted stuff from last month." They are supposed to be treated with the level of administrative security and ceaseless oversight one puts into the firewall, because the entire point of hacking into someone's network is to get access to these tools.

    I find myself hoping Congress and the DOJ throw the proverbial book at them. It's negligent to run a network so slapdash when you have sensitive data for millions of people to protect. If Mudge is right, it seems like the company has provably lied to Congress. That sounds... expensive.

    Oh, wait. This is America and Twitter has to fight TikTok, or something. It'll be a slap on the wrist.

    4 votes
    1. skybrian
      I'm no network expert, but my understanding is that the modern way to do this is to use a private VPN, now that working from home is common and so are cell phones and tablets. Any box that has access to anything privileged needs to be on the VPN, which requires device registration, and users need to log in to use it as well.

      There's a startup called Tailscale that seems to be doing good things in this space; you can run it for free and it might be useful if, say, you want to access your home network while traveling, or you have machines on more than one network and you don't manage the networks. At Google a similar thing was called the BeyondCorp initiative. It was fixed there maybe a decade ago.

      In one of the docs Mudge writes: "Twitter is where Google was prior to 2005-2007." (He previously worked at Google.)

      So yeah, it sounds like Twitter is way behind the times. Fortunately everything I post there is public.

      2 votes
      1. Amarok
        I like the approach of just sending every single employee a company laptop. It's easier to lock that down hardcore and you don't have to worry about what everyone else has for a network or supporting their personal computers. You get to pick the hardware, set up the system image with your choice of software, build the user environment, preconfigure everything, and secure the whole stack. It's more expensive for the company, but I think it's worthwhile. Keep it easy for people to have personal and work computing on physically different machines.

        3 votes
  4. FishFingus
    Cybersecurity professionals must feel like some of the most underpaid, underappreciated and un-listened-to employees in a company. And to think, this is a field I think I might be trying to get into, when I can barely keep up with my Cisco classes unaided.

    None of the security measures matter if the rest of the company is incompatible with them.

    3 votes
    1. skybrian
      I think this depends very much on the company. Even among big tech companies there are big differences.

      1 vote