
Twitter's former security chief alleges that executives deliberately "misled" everybody about everything, files complaints with SEC, FTC, and DOJ



WWW.WASHINGTONPOST.COM

An explosive whistleblower complaint from Peiter "Mudge" Zatko alleges that Twitter misled regulators and investors about gaping security holes and efforts to fight spam.

 

 

WWW.CNN.COM

Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

 

Quote

 


 

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

 

The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

 

 

Music to the South African man-child's ears.

 

WWW.CNBC.COM

A Twitter whistleblower is alleging "extreme, egregious deficiencies by Twitter" related to privacy, security and content moderation.

 

Quote

 

A Twitter whistleblower is alleging “extreme, egregious deficiencies by Twitter” related to privacy, security and content moderation, according to complaints filed with the Securities and Exchange Commission, Federal Trade Commission and Department of Justice, and published by The Washington Post and CNN.

 

The complaints, since obtained by CNBC, were filed by nonprofit law firm Whistleblower Aid, which is representing Twitter’s former head of security, Peiter “Mudge” Zatko. Whistleblower Aid, which also represented Facebook whistleblower Frances Haugen, verified the authenticity of the documents with CNBC.

 

Shares of Twitter were down more than 5% in morning trading.

 

In a complaint with the SEC, Zatko alleges that he “witnessed senior executive engaging in deceitful and/or misleading communications affecting Board members, users and shareholders” on multiple occasions in 2021, during which CEO Parag Agrawal asked Zatko to provide false and misleading documents.

 

 

On 8/23/2022 at 2:45 PM, b_m_b_m_b_m said:

Yikes 

 

You would be SHOCKED how often this happens at tech companies not named Apple, Google, or Microsoft. Yearly audits will normally not cover anything outside of basic Active Directory accounts. Anything not using centralized credentials gets forgotten and left open, sometimes for years. This means Twitter isn't using something like Duo or Okta. Considering Twitter operates their own 2FA platform, I'm not shocked. Also not shocked if they don't fully extend managed credentials to third-party sites like GitHub.

 

I'm being serious here. Security among many of the biggest and smallest tech companies is shit. The only reason Apple's security is even any good is because they're paranoid about product leaks, NOT because they care about any of your data.

 

I should note, however, that once you have a certain sized target on your back any pro-active security measures mean nothing. At that point, security becomes reactive. Twitter might not be cutting someone's access right away, but they'd likely notice right away if someone was downloading data or making a bunch of unapproved changes. Even a company like Google can't stop state actors from breaking in, but they can stop them from causing too much damage once they're in.


18 minutes ago, AbsolutSurgen said:

With all of the cloud based software solutions that companies are signing up for nowadays, SSO is not as easy as it seems.

 

We are a Microsoft environment and use ADFS/Azure web apps to help integrate various platforms into our Azure AD. It's worked for 90%+ of our solutions. Obviously won't for everything...but in cases where it doesn't, we still have strict rules for what people have access to, etc. Like, HR should have a series of steps to shut off access for terminated employees.


If you won't do SSO then you need to have good (or even just basic) processes to ensure that only users who need access to various systems have it, including regular audits of who accesses the information.

 

This stuff isn't hard, but it sounds like the bird app is just not concerned about data security, which is insane to me since they make money off of their users' data lol


1 hour ago, b_m_b_m_b_m said:

You’d figure just having SSO would be a no brainer 

 

54 minutes ago, AbsolutSurgen said:

With all of the cloud based software solutions that companies are signing up for nowadays, SSO is not as easy as it seems.

 

There are third parties like Duo and Okta that are dedicated to just providing SSO services. The issue, I can imagine, with a company like Twitter is that Twitter is its own SSO provider. They have their own implementation of OAuth. I can easily imagine a scenario where their SSO doesn't reach everyone under the sun.

 

Most companies' SSO solutions don't reach everything they probably should cover. You'd have to be Microsoft or Google for that to actually happen, and that's only because they have an SSO solution that they sell to others. Twitter isn't selling theirs to anyone. They just offer anyone that wants it hooks to sign into apps with their Twitter creds.

 

It's really not that uncommon. In this case, whoever was managing offboarding fucked up, but also maybe not if there wasn't some documentation covering all the external accounts he had access to. At that point, it's up to a manager paying attention to everyone on the list of committers. Even then, it wouldn't be unusual to not notice dormant accounts that have been unused for months. Others may have noticed, but it wouldn't be too weird to just assume that person was a contractor who was coming back or someone on an extended leave or sabbatical. It's easy to be forgotten when you get let go and you're a part of these huge engineering teams.

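The two posts above describe the same gap from the defender's side: third-party systems such as GitHub that sit outside SSO, and dormant or orphaned committer accounts nobody reconciles against HR. The script below is an added example (not from any poster, and not Twitter's or GitHub's tooling) of the periodic access review they are describing. It assumes two constructed exports: the identity provider's active-user list and a GitHub organisation's membership list with last-activity dates, and flags accounts that are orphaned, not SSO-linked, dormant, or outside collaborators.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only (not real employee or org data):
# the corporate IdP's active users, and a GitHub org membership export.
IDP_ACTIVE_USERS = {"alice", "bob", "dana"}

GITHUB_MEMBERS = [
    # login, org role, whether the login is linked to corporate SSO, last activity
    {"login": "alice", "role": "member", "sso_linked": True, "last_active": date(2022, 8, 20)},
    {"login": "bob", "role": "member", "sso_linked": True, "last_active": date(2022, 3, 1)},
    {"login": "carol", "role": "member", "sso_linked": False, "last_active": date(2022, 8, 19)},
    {"login": "dana", "role": "member", "sso_linked": True, "last_active": date(2022, 8, 22)},
    {"login": "ext-contractor", "role": "outside_collaborator", "sso_linked": False,
     "last_active": date(2022, 1, 10)},
]


def review_access(idp_users, members, today, dormant_days=90):
    """Reconcile a third-party org's accounts against the IdP.

    Returns a sorted list of (login, finding) pairs so the output is stable
    and can be diffed against the previous review.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for m in members:
        login = m["login"]
        if m["role"] == "outside_collaborator":
            # External accounts never appear in the IdP; each needs a named sponsor.
            findings.append((login, "outside_collaborator"))
        else:
            if login not in idp_users:
                # Still has org access but is no longer an active employee: offboarding miss.
                findings.append((login, "orphaned"))
            if not m["sso_linked"]:
                # Local credentials only, so disabling the IdP account will not revoke this.
                findings.append((login, "not_sso_linked"))
        if m["last_active"] < cutoff:
            # Unused for longer than the review window: candidate for removal.
            findings.append((login, "dormant"))
    return sorted(findings)


if __name__ == "__main__":
    for login, finding in review_access(IDP_ACTIVE_USERS, GITHUB_MEMBERS, date(2022, 8, 23)):
        print(f"{login}: {finding}")
```

In practice the two inputs would come from the IdP's user export and the org's member/collaborator listing, and the findings would open offboarding tickets rather than just print.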

44 minutes ago, chakoo said:

Do we even know if twitter uses github for private repos? I could imagine at their scale it's internal with github only being for public/open source libraries. 

 

We don't know. The OP of that tweet claims yes. Others claim it's only used for Twitter's open source projects. The only proof that it contains private repos he provided was a screenshot of Twitter's fork of OpenBMC...which is obviously an open source project. Of course, he could have been avoiding posting details of actual private repos for fear of a lawsuit, but he never really claims that in any of his follow-up tweets.

 

Actually spending some time to look into this; the most damning piece of evidence that this guy is full of shit is the fact that Twitter has a few dozen non-Twitter employees as committers on the repo. Also, this is the repo Twitter, themselves, links to from their OSS site.

 

OPENSOURCE.TWITTER.DEV

Twitter Open Source

 

It would be wild if Twitter had an OSS repo that was also mixed with company private repos that also had non-Twitter employees as commit members. That would be crazy, especially considering https://opensource.twitter.dev has been pointing to that GitHub repo for a while now. Recently cached versions of their OSS site have pointed to that GitHub repo since before his tweet went out, so Twitter didn't go in there and make any site changes in reaction to his tweet.

 

I imagine that Twitter is large enough that they could host their own repos. They could have internal or cloud hosted instances of Bitbucket or Subversion or anything else you could imagine for company private data. Even when my company was only 150 people, we still had our own internal instance of Bitbucket.

 


2 hours ago, Anathema- said:

"You either know how to program or you know how to git."

 

A few accurate variations:

"You either know how to program or you know how to stack overflow."

"You either know how to program or you know how to google, copy & paste."

"You either know how to program or you know how to npm install <package>."
