Model Comparison
| Model | Editorial | Structural | Class | Conf | SETL | Theme |
|---|---|---|---|---|---|---|
| claude-haiku-4-5 lite | +0.52 | ND | Moderate positive | 0.58 | 0.00 | Whistleblower accountability |
| claude-haiku-4-5-20251001 | +0.29 | -0.20 | Neutral | 0.06 | 0.39 | Whistleblower Protection & Corporate Accountability |
| @cf/meta/llama-3.3-70b-instruct-fp8-fast lite | +0.50 | ND | Moderate positive | 0.80 | 0.00 | Digital Rights |
| @cf/meta/llama-4-scout-17b-16e-instruct lite | +0.36 | ND | Moderate positive | 0.80 | 0.00 | Digital Rights |
| Section | claude-haiku-4-5 lite | claude-haiku-4-5-20251001 | @cf/meta/llama-3.3-70b-instruct-fp8-fast lite | @cf/meta/llama-4-scout-17b-16e-instruct lite |
|---|---|---|---|---|
| Preamble | ND | 0.06 | ND | ND |
| Article 1 | ND | ND | ND | ND |
| Article 2 | ND | ND | ND | ND |
| Article 3 | ND | 0.05 | ND | ND |
| Article 4 | ND | ND | ND | ND |
| Article 5 | ND | ND | ND | ND |
| Article 6 | ND | ND | ND | ND |
| Article 7 | ND | ND | ND | ND |
| Article 8 | ND | ND | ND | ND |
| Article 9 | ND | ND | ND | ND |
| Article 10 | ND | ND | ND | ND |
| Article 11 | ND | ND | ND | ND |
| Article 12 | ND | 0.01 | ND | ND |
| Article 13 | ND | ND | ND | ND |
| Article 14 | ND | ND | ND | ND |
| Article 15 | ND | ND | ND | ND |
| Article 16 | ND | ND | ND | ND |
| Article 17 | ND | ND | ND | ND |
| Article 18 | ND | ND | ND | ND |
| Article 19 | ND | 0.25 | ND | ND |
| Article 20 | ND | ND | ND | ND |
| Article 21 | ND | ND | ND | ND |
| Article 22 | ND | ND | ND | ND |
| Article 23 | ND | ND | ND | ND |
| Article 24 | ND | ND | ND | ND |
| Article 25 | ND | ND | ND | ND |
| Article 26 | ND | ND | ND | ND |
| Article 27 | ND | ND | ND | ND |
| Article 28 | ND | ND | ND | ND |
| Article 29 | ND | ND | ND | ND |
| Article 30 | ND | ND | ND | ND |
+0.29 Ex-Twitter exec blows the whistle, alleging reckless cybersecurity policies (www.cnn.com S:-0.20 )
1005 points by razin 1285 days ago | 603 comments on HN | Neutral Editorial · v3.7 · 2026-02-28 09:13:30
Summary Whistleblower Protection & Corporate Accountability Advocates
CNN reports on Twitter whistleblower Peiter Zatko's security vulnerability disclosures, directly engaging Article 19 (free expression, right to information) and Article 12 (privacy). The journalism advocates for transparency and public accountability in platform governance. However, structural tensions exist: the site's paywall restricts information access to subscribers, and extensive tracking infrastructure (data-zjs analytics, ad profiling) contradicts the privacy concerns the article itself addresses.
Article Heatmap
Preamble: +0.06; Article 3 (Life, Liberty, Security): +0.05; Article 12 (Privacy): +0.01; Article 19 (Freedom of Expression): +0.25. All other articles (1, 2, 4 to 11, 13 to 18, 20 to 30): No Data.
Aggregates
Editorial Mean +0.29 Structural Mean -0.20
Weighted Mean +0.10 Unweighted Mean +0.09
Max +0.25 Article 19 Min +0.01 Article 12
Signal 4 No Data 27
Confidence 6% Volatility 0.09 (Low)
Negative 0 Channels E: 0.6 S: 0.4
SETL +0.39 Editorial-dominant
FW Ratio 52% 11 facts · 10 inferences
Evidence: High: 0 Medium: 3 Low: 1 No Data: 27
Theme Radar
Foundation: 0.06 (1 articles); Security: 0.05 (1 articles); Legal: 0.00 (0 articles); Privacy & Movement: 0.01 (1 articles); Personal: 0.00 (0 articles); Expression: 0.25 (1 articles); Economic & Social: 0.00 (0 articles); Cultural: 0.00 (0 articles); Order & Duties: 0.00 (0 articles)
HN Discussion 20 top-level · 30 replies
bkq 2022-08-23 10:48 UTC link
It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off. Coupled with the fact that there is lacking IT education about hardware/software means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.
Signez 2022-08-23 10:57 UTC link
This excerpt is frightening:

> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors

saagarjha 2022-08-23 11:01 UTC link
Seems like Twitter loves going through the cycle of getting hacked→hiring good talent and focusing on security→losing people and focus→relaxing their stance→getting hacked :(
kmfrk 2022-08-23 11:20 UTC link
I hate being asked to hand over my phone number for 2FA or similar protections. Or facing the choice between deleting all my DMs or risking them being compromised on account of no E2E support. Then again, even if you delete something, there's no knowing what their data retention handling is.
LatteLazy 2022-08-23 11:31 UTC link
I'm starting to think social media might not be the best system to store my personal data, maintain our democracy and protect national security...
vlan0 2022-08-23 11:48 UTC link
Eh, you could take out Twitter and insert many other company names and it'll still hold true. And those companies hold so much more sensitive data about you than Twitter.

I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage of lax permissions.

This is rampant. How is this a story?

neilv 2022-08-23 12:34 UTC link
For a solid and genuine technical person considering a CISO or CISO-like role, I've had the impression that they have to be very selective where they go.

Even in what I'd guess is an "ideal" situation, of tractable technical&process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.

I also hear of a lot of much-less-than-ideal situations.

shrubble 2022-08-23 12:52 UTC link
God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.

Is this an accurate statement?

If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?

elesbao 2022-08-23 13:10 UTC link
By the CNN piece it seems like twitter hired a community figure - which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures, they are not necessarily the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to SEC would work better IMO).
motohagiography 2022-08-23 13:36 UTC link
The whistleblowing case is a new dimension. To me as an outsider it implies Agrawal may have also been the manager in his previous technical role for a lot of the tech problems Zatko identified, and what made Agrawal CEO was his ability to leverage these problems to play ball with all the interests in that company and board, while sustaining through neglect some of those concerning practices within the organization. Twitter's product isn't technology, it's an uncertified slot machine that pays out in political influence, and there are a lot of big interests depending on their cut of it. They needed a steady hand who wouldn't be vulnerable to being swayed by principle, and that's the one thing you don't keep hackers around for, imo.

If I were betting, nothing is ever really systemically broken in large orgs, it just works for someone you can't see. This is a factor everywhere and not necessarily at Twitter. Shitty process? Cui bono. Unverifiable systems? Cui bono. Deniable and unaccounted-for access to God-mode data? Cui bono. Repudiable numbers reporting? Cui bono. Bizarre political posturing? Cui bono, etc.

mzs 2022-08-23 13:50 UTC link
Twitter CEO's response to employees which denies none of the claims made by CNN & WaPo*

https://twitter.com/donie/status/1562069281545900033

* https://www.washingtonpost.com/technology/interactive/2022/t...

edit: the PDFs from *

https://www.washingtonpost.com/technology/interactive/2022/t...

https://www.washingtonpost.com/technology/interactive/2022/t...

https://www.washingtonpost.com/technology/interactive/2022/t...

cover letter: https://s3.documentcloud.org/documents/22161666/twitter-whis...

latest reaction from Capitol Hill: https://www.washingtonpost.com/technology/2022/08/23/twitter...

>Nobody at the Valley's unicorns seemed too concerned with security. (I asked Jack Dorsey that year whether he worried about the fact that hackers were continually pointing out holes in Twitter and in his new payment start-up, Square. "Those guys like to whine a lot," he replied.)

https://twitter.com/nicoleperlroth/status/156204856902836633...

purpleblue 2022-08-23 14:08 UTC link
Millennials and GenZ may have no idea who Mudge is. I, however, almost lost my first job out of college at a bank because I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords. I showed my boss, and he pulled me aside into another room and tore my head off for irresponsibly running this tool against a production server. He said I could have been fired if this got out, but he covered my ass, sent out an email requesting everyone reset their passwords, and let me continue working. I learned a good lesson because even though my intentions were good, and it did expose security issues, it was a bit immature and should have been done in a more controlled manner along with the proper clearances.

Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid.

I think Twitter is in real trouble here.

mrex 2022-08-23 14:09 UTC link
Just to clarify for those who don't catch it in the article: Mudge's whistleblower complaint predates the Musk/Twitter feud entirely.
vagabund 2022-08-23 15:40 UTC link
I wish CNN would just air their interview in full instead of splicing his answers into 5 second soundbites with editorialized voiceover framing. I'm infinitely less interested in CNN's reporter's summation of the issue than that of the veteran security analyst at the heart of the story.
kyrofa 2022-08-23 16:16 UTC link
Is it just me, or does some of this feel less whistleblower-y and more petty? For example:

> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.

That said, this is Mudge. I have a lot of respect for the guy, and I believe what he says. I'll chalk the pettiness up to this article being a summary of a more complete document that I'd like to read at some point.

jonathankoren 2022-08-23 16:24 UTC link
Sure the article focuses on Mudge because he's blowing the whistle, but Mudge and Rinki Sethi (ex-CISO) were fired at the same time.

When you fire both your chief of security and your CISO months after you hire them, it's weird. Even if your chief of security had personal failings, why fire his boss? If the boss falls on her sword for direct, that certainly makes me think to take what they're saying seriously.

naltun 2022-08-23 16:26 UTC link
I learned a lot about Mudge by reading "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."

For anyone wanting to explore 90's security nostalgia, it's worth a read. For anyone wanting to learn where hacktivism comes from, it's worth a read. For anyone wanting to learn about how security consulting has evolved over the years, it's worth a read.

Mudge is a very cool and capable individual. I am slightly surprised that Twitter would ignore someone of his talent and respect, and choose to air their dirty laundry in this manner. It's as if they have no idea who they hired. That, or C-levels think they can outpay $$$ any PR against Twitter to control the narrative. Either way, if Mudge is whistleblowing, there's probably some bad shit going down.

bogomipz 2022-08-23 21:02 UTC link
If this is true this would be particularly damning

>Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.[1]

[1] https://www.washingtonpost.com/technology/interactive/2022/t...

kornhole 2022-08-23 21:03 UTC link
This should get the attention of politicians who are probably the most active users of Twitter. Having their contacts, coms, and metadata such as phone location exposed and collected by adversaries is probably a concern for them and our entire political system. Recall how J Edgar Hoover was collecting dirt of every politician to blackmail them to keep his agency funded without oversight. Twitter would have been a wet dream for him.
throwaway892238 2022-08-24 01:19 UTC link
The "whistleblower" is Mudge? Ok, I didn't care before, but if Mudge is putting his reputation on the line, this is probably actually serious and legit.

Literally the entire security community knows and looks up to Mudge. If anyone finds out that anything he said was bullshit, it will get blasted from the rooftops and he'll become a laughing stock. He would have to want the rest of his career to be working for morons and be ostracized from his friends and community to make this shit up.

secondcoming 2022-08-23 11:13 UTC link
Why bother hacking Twitter when it'd be cheaper to bribe an employee to get all the information you want:

> allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight

It'd be even easier if you find an employee who's on the same political team as you.

core-utility 2022-08-23 11:20 UTC link
> the primary channel for discourse

Primary for whom? If you polled 50 people on the streets of NYC, I bet fewer than 3 would say they actively use twitter. Now do the same for Des Moines, IA and you maybe get 1?

SpaceL10n 2022-08-23 11:28 UTC link
A world-wide, decentralized, communications platform sounds lovely. Oh wait...
rightbyte 2022-08-23 11:42 UTC link
It is also frightening that they need half a million servers.
jonahbenton 2022-08-23 11:45 UTC link
The "does not support basic security features such as encryption for stored data" unquoted line of reporting is almost certainly not what Mudge wrote and is likely not literally true.

That 500k servers in Twitter infra are missing patches certainly is true and what was likely in the original was a statement that stored data that should have been encrypted at rest was not, and/or that acceptable standards for data at rest encryption, a relatively rapidly moving freight train, were not maintained.

strict9 2022-08-23 11:50 UTC link
I think it's safe to assume most anything you delete from a web app gets a deleted boolean or timestamp field set and the content persists in the database indefinitely.

In my experience I've found it rare that user content is ever actually permanently deleted for various reasons.

bartread 2022-08-23 11:58 UTC link
> How is this a story?

Cynically, because it's twitter, and it's trendy amongst a certain subset of the population to bash social media in general and twitter in particular. And I think your point is fair.

(FWIW, I think social media has if not caused, then certainly exacerbated, some major problems at individual, societal, and global levels, but by no means do I think twitter is the biggest contributor. I don't think we'd see the kind of unconstructive political polarisation we're seeing in the US and UK and perhaps, to a lesser extent, within the EU, without it.)

hotpotamus 2022-08-23 12:01 UTC link
Cybersecurity is one of my roles I suppose (small place with an operations team of approximately 2.5), and I have to say that I have no idea what proper security is supposed to mean today; it's very hard for me to tell the marketing from best practice now. It seems like what most products really are is an ass covering service so you can tell your leadership and your customers that you did the right things.

Basically we work on keeping everything patched and try not to create any obvious issues. Honestly, I think the best thing we have going for us is obscurity.

eastbound 2022-08-23 13:03 UTC link
That explains why some people apologize for things they said would never apologize…

Thing is, now that it’s possible for Twitter, Twitter can never brush off these suspicions again.

We’re literally not sure, by using Twitter, that we see the speech of that person.

sylens 2022-08-23 13:03 UTC link
I think it's also important to recognize how much of a "check the box" security control encryption at rest has become for many vendors/GRC teams. A lot of times, the encryption at rest control only has the capability to prevent somebody from physically detaching the disk and trying to mount it with their own machine and access the data that way. In a world where many companies now run their workloads on public cloud providers who keep their hardware in distributed cages in secure datacenters, this isn't the security control many assume it is.

If you're trying to prevent an actor who has gained a foothold on a box/network from seeing plaintext data that is actually in use by the actual production system at that very moment, you're looking for a much stronger type of control - probably some sort of client-side encryption or obfuscation/tokenization

indymike 2022-08-23 13:08 UTC link
> It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company.

Unpopular opinion: I think it's awesome that a private company has created a platform like Twitter. It's kind of like comparing a private amusement park with a public park: one has roller coasters, water slides and an arcade... the other has a swingset and a nice field of dried up grass.

> the fact that it's at the whims of a private company

How is this worse than at the whims of the crown?

> there is an environment that is ripe for the encroachment of digital rights

I love that we're even talking about having digital rights.

saalweachter 2022-08-23 13:10 UTC link
Now think about the implications with respect to Twitter DMs that show up in criminal investigations.

For instance, consider the Twitter DMs exchanged by Donald Trump, Jr and WikiLeaks. In that particular case, the communication was acknowledged by the party in question, but imagine the two possibilities thousands of employees being able to act on the part of users opens up:

1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.

2. A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.

markwisde 2022-08-23 13:13 UTC link
Nobody seems to know how you can build a successful security org
winternett 2022-08-23 13:16 UTC link
Ahh the typical brigade is definitely in effect even above this post... A bunch of comments to suppress the real ones made, just like what happens on Twitter regularly.

I had to scroll down past the posts dismissing the issues to get to this one. The news at this point is also conveniently not trending on Twitter even though I am pretty sure a lot more people are Tweeting about it than about Doja Cat right now (who is trending).

I also didn't even see the article, tweeted by CNN, even though I follow them on Twitter.

We're officially chest deep in the era where nothing popular on the Internet is trustworthy nor credible, and where nothing works as expected.

My solution is the same as it always has been... Never respect them enough to enter your real (government) name, and never post anything that you can't afford to have compromised. There is no end to what modern data greed will use your data for.

mrex 2022-08-23 13:20 UTC link
>This is rampant. How is this a story?

Bro. It's not every day that literally Mudge, who has -no doubt- seen his fair share of shit-shows, whistleblows on an employer.

dbbk 2022-08-23 13:58 UTC link
What scenario would justify that feature existing though? Why would they need to make posts from arbitrary accounts?
dogman144 2022-08-23 14:27 UTC link
I agree. I grant it’s possible Mudge is

A) an old hand and doesn’t know how to run a security program with the tech today

B) a strong tech hire who can’t lead a program.

But Mudge is still… Mudge, and he’s also proven his ability to collaborate so if he was a bull in a china shop at twitter, that would be surprising.

There’s also a broader trend here of well known security leads that originate from that time working at social media and leaving quickly, like Alex Stamos, who also u-turned out of Facebook.

So are the odds higher that Mudge did a bad job, or this set of companies are not great internally and old guard security leads are pointing it out? The twitter CEO letter framing him as a bad employee doesn’t address this context.

zimpenfish 2022-08-23 14:31 UTC link
Where do you see that info in the Verge article? All I can see is "he filed last month" (which would be July 2022) - the month Musk "officially" backed out and at least a month after he started doing the "I don't want Twitter any more" dance.
hn_throwaway_99 2022-08-23 14:38 UTC link
I commented on this elsewhere, but Mudge was a program manager at DARPA from 2010-2013 and worked at Google from 2013-2020. This narrative that "Twitter hired a long-haired hippy and he didn't know how to build a security org or work in a corporate environment" ignored the past decade plus of his experience.
winternett 2022-08-23 14:51 UTC link
> This is rampant. How is this a story?

Well, it's on the front page of CNN right now for starters, so that means it's probably significant to a lot of people...

If you have a business, you most likely need to promote it on Twitter, or to at least reserve an account there so that someone else won't impersonate you. You also need to do that on almost all other major social platforms.

If you have a business or personal account on Twitter, your direct messages, the data the system generates about your preferences and interests, your geo-coordinates, and everything you post, including control of how your account works can apparently be accessed by too many people within the company.

It's a pretty big deal for anyone that uses the platform citing all that... Not something that should just be "left to its own devices" because everyone else is doing the same. All cases of data abuse/misuse should be addressed, but addressing one this big would also be a pretty big deal.

nullc 2022-08-23 15:45 UTC link
Part of the allegation seems to be that the beneficiaries may be foreign state actors who have infiltrated the organization.

Not particularly shocking as they'd have to be incompetent to not try to infiltrate a major communications platform, and if the internal controls are as bad as alleged (and as exposed in some of the prior hacks, e.g. the control panel screenshots) they'd have to be incompetent to fail.

webdoodle 2022-08-23 15:57 UTC link
> I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords.

Lol, did the same thing for a government entity I was working for, also without prior permission. It showed 1/4 of the people used the name of the entity as their password, including 2 users with domain admin credentials. Both of the domain admins weren't even IT people, they were the director and his assistant, who demanded to be admins, because they were 'admin' within the org.

In my case, I didn't get a scolding, but probably should have. As your prior boss said, it was not good to do it on a running production server. Now a restored backup running on a private network...

shagie 2022-08-23 16:12 UTC link
I think it was '96? I was working at Taos Mountain at the time. At that time, Taos had a reasonably close relation to Randal Schwartz ( https://www.oreilly.com/library/view/learning-perl-6th/97814... ) and he gave a talk for contractors which was titled "Just Another (convicted) Perl Hacker".

In that talk he told of his time at Intel and running crack on a shiny new sparc and all the problems that caused.

The focus of it was a "how not to get into trouble as a contractor".

Somewhere, I've still got my pink camel book with duct taped edges (for durability) with his signature on the inside title page.

NelsonMinar 2022-08-23 16:50 UTC link
Twitter is under a consent agreement with the FTC about its security practices. Part of the allegations here is that they've been lying to those regulators.

https://www.ftc.gov/news-events/news/press-releases/2011/03/...

zeruch 2022-08-23 17:53 UTC link
I met Mudge once in my career early on (I was at VA Linux systems circa 1999ish) and I found him intense, an apex intellect, but absolutely affable and self-aware.

He never struck me then, or in any interview or write up since, that he's impulsive, or prone to taking actions like what he's done to Twitter, in a cavalier way. He saw something bad and thinks something should be done to address it.

He likely made that decision because the culture at Twitter is as bolloxed as he states (maybe worse), and that it's one thing to fire a guy, but to do so to hide damning truths, and expect that person to just accept their fate AND let you get away with it without a cost is in this day and age, a farcical hope. Your "Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid." is spot-on.

smsm42 2022-08-23 18:06 UTC link
In any case your own chief of security coming out and saying your security is crap would be devastating for any company. But when it's a person with credentials list like Mudge's - one can be quite sure he's not just doing it because some disagreement about salary and vacation days, and it would be impossible to dismiss this as "disgruntled employee issue". Twitter would probably try anyway, but it won't work.

Twitter is going to be in a lot of hot water now, and I can't imagine Musk isn't going to milk this to the last drop.

chipgap98 2022-08-23 18:56 UTC link
> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.

I mean if it were true that seems pretty negligent. If that were the entire extent of the whistleblower complaint (not sure if complaint is the right term?), I would agree, but it seems as though there are some significant issue raised in the rest of the report.

icelancer 2022-08-23 19:13 UTC link
Agrawal's internal statement about Zatko is insane. My goodness.
systemvoltage 2022-08-23 19:52 UTC link
Page 9/84 in the "whistleblower_disclosure.pdf" are about Elon Musk's claims of fake twitter accounts and bots. Good lord, this does not look pretty for Twitter.
ntonozzi 2022-08-23 19:56 UTC link
If you read the document "Security Chief's Final Report to Twitter" on the Washington Post article (https://www.washingtonpost.com/technology/interactive/2022/t...), you will see that 'god mode' just means they have IPMI access to servers.
Editorial Channel
What the content says
+0.55
Article 19 Freedom of Expression
Medium Advocacy Framing
Editorial
+0.55
SETL
+0.64

Whistleblower story is core expression of Article 19 rights: freedom to seek/receive information and truth-telling about corporate wrongdoing. Investigative journalism protects public's right to know. Named whistleblower (Peiter Zatko) amplifies truth-bearer's voice.

+0.25
Article 12 Privacy
Medium Framing Practice
Editorial
+0.25
SETL
+0.46

Article addresses platform security directly affecting user privacy. Reporting on 'security threats' inherently engages right to privacy and protection of personal information.

+0.20
Preamble Preamble
Medium Framing
Editorial
+0.20
SETL
+0.26

Headline frames whistleblower expose as matter of public concern (security threats), aligning with Preamble's emphasis on 'rule of law' and 'dignity.' However, full article body not provided in content dump.

+0.15
Article 3 Life, Liberty, Security
Low Framing
Editorial
+0.15
SETL
+0.19

Headline explicitly addresses 'security threats,' engaging right to physical/digital safety. Investigative reporting on platform vulnerabilities protects users' security interests.

ND
Article 1 Freedom, Equality, Brotherhood

No observable coverage of inherent equality or dignity principles in visible content.

ND
Article 2 Non-Discrimination

No coverage of non-discrimination principles visible.

ND
Article 4 No Slavery

No coverage of slavery/servitude principles visible.

ND
Article 5 No Torture

No coverage of torture/cruel treatment principles visible.

ND
Article 6 Legal Personhood

No coverage of legal personality principles visible.

ND
Article 7 Equality Before Law

No coverage of equal protection principles visible.

ND
Article 8 Right to Remedy

No coverage of remedy/justice principles visible.

ND
Article 9 No Arbitrary Detention

No coverage of arbitrary detention principles visible.

ND
Article 10 Fair Hearing

No coverage of fair trial principles visible.

ND
Article 11 Presumption of Innocence

No coverage of presumption of innocence principles visible.

ND
Article 13 Freedom of Movement

No coverage of freedom of movement visible.

ND
Article 14 Asylum

No coverage of asylum/refuge principles visible.

ND
Article 15 Nationality

No coverage of nationality principles visible.

ND
Article 16 Marriage & Family

No coverage of family/marriage principles visible.

ND
Article 17 Property

No coverage of property principles visible.

ND
Article 18 Freedom of Thought

No coverage of thought/conscience/religion principles visible.

ND
Article 20 Assembly & Association

No coverage of assembly/association principles visible.

ND
Article 21 Political Participation

No coverage of political participation principles visible.

ND
Article 22 Social Security

No coverage of social/economic rights visible.

ND
Article 23 Work & Equal Pay

No coverage of labor/work rights visible.

ND
Article 24 Rest & Leisure

No coverage of rest/leisure rights visible.

ND
Article 25 Standard of Living

No coverage of health/welfare rights visible.

ND
Article 26 Education

No coverage of education rights visible.

ND
Article 27 Cultural Participation

No coverage of cultural participation principles visible.

ND
Article 28 Social & International Order

No coverage of social/international order principles visible.

ND
Article 29 Duties to Community

No coverage of duty principles visible.

ND
Article 30 No Destruction of Rights

No coverage of prevention of UDHR destruction visible.

Structural Channel
What the site does
-0.10
Article 3 Life, Liberty, Security
Low Framing
Structural
-0.10
Context Modifier
ND
SETL
+0.19

Ad tracking and paywall restrict access to security information, limiting readers' ability to exercise informed choice regarding platform safety.

-0.15
Preamble Preamble
Medium Framing
Structural
-0.15
Context Modifier
ND
SETL
+0.26

Site prioritizes paywall and commercial tracking over universal access. Subscription gate and ad targeting infrastructure contradict Preamble's commitment to equal dignity for all.

-0.20
Article 19 Freedom of Expression
Medium Advocacy Framing
Structural
-0.20
Context Modifier
ND
SETL
+0.64

Paywall subscription model restricts information access to paying subscribers, limiting universal right to information. Commercial gate on news content contradicts Article 19's principle of universal access to information.

-0.35
Article 12 Privacy
Medium Framing Practice
Structural
-0.35
Context Modifier
ND
SETL
+0.46

Site infrastructure demonstrates privacy-invasive practices: data-zjs tracking on every navigation element, ad-feedback modal, data-uri tracking, user profiling for ad targeting. Extensive behavioral surveillance contradicts Article 12 protections.

ND
Article 1 Freedom, Equality, Brotherhood

Not applicable to site structure.

ND
Article 2 Non-Discrimination

Not applicable.

ND
Article 4 No Slavery

Not applicable.

ND
Article 5 No Torture

Not applicable.

ND
Article 6 Legal Personhood

Not applicable.

ND
Article 7 Equality Before Law

Not applicable.

ND
Article 8 Right to Remedy

Not applicable.

ND
Article 9 No Arbitrary Detention

Not applicable.

ND
Article 10 Fair Hearing

Not applicable.

ND
Article 11 Presumption of Innocence

Not applicable.

ND
Article 13 Freedom of Movement

Not applicable.

ND
Article 14 Asylum

Not applicable.

ND
Article 15 Nationality

Not applicable.

ND
Article 16 Marriage & Family

Not applicable.

ND
Article 17 Property

Not applicable.

ND
Article 18 Freedom of Thought

Not applicable.

ND
Article 20 Assembly & Association

Not applicable.

ND
Article 21 Political Participation

Not applicable.

ND
Article 22 Social Security

Not applicable.

ND
Article 23 Work & Equal Pay

Not applicable.

ND
Article 24 Rest & Leisure

Not applicable.

ND
Article 25 Standard of Living

Not applicable.

ND
Article 26 Education

Not applicable.

ND
Article 27 Cultural Participation

Not applicable.

ND
Article 28 Social & International Order

Not applicable.

ND
Article 29 Duties to Community

Not applicable.

ND
Article 30 No Destruction of Rights

Not applicable.

Supplementary Signals
How this content communicates, beyond directional lean.
Epistemic Quality
How well-sourced and evidence-based is this content?
0.41 medium claims
Sources
0.5
Evidence
0.3
Uncertainty
0.4
Purpose
0.5
Propaganda Flags
No manipulative rhetoric detected
0 techniques detected
Emotional Tone
Emotional character: positive/negative, intensity, authority
urgent
Valence
-0.1
Arousal
0.7
Dominance
0.4
Transparency
Does the content identify its author and disclose interests?
0.15
✗ Author ✗ Funding
More signals: context, framing & audience
Solution Orientation
Does this content offer solutions or only describe problems?
0.21 problem only
Reader Agency
0.3
Stakeholder Voice
Whose perspectives are represented in this content?
0.38 2 perspectives
Speaks: individuals
About: corporation
Temporal Framing
Is this content looking backward, at the present, or forward?
present immediate
Geographic Scope
What geographic area does this content cover?
global
Complexity
How accessible is this content to a general audience?
moderate low jargon general
Audit Trail 15 entries
2026-02-28 10:52 model_divergence Cross-model spread 0.42 exceeds threshold (4 models) - -
2026-02-28 10:52 eval_success Lite evaluated: Moderate positive (0.36) - -
2026-02-28 10:52 eval Evaluated by llama-4-scout-wai: +0.36 (Moderate positive) 0.00
2026-02-28 10:52 rater_validation_warn Lite validation warnings for model llama-4-scout-wai: 0W 1R - -
2026-02-28 10:47 eval_success Lite evaluated: Moderate positive (0.36) - -
2026-02-28 10:47 rater_validation_warn Lite validation warnings for model llama-4-scout-wai: 0W 1R - -
2026-02-28 10:47 model_divergence Cross-model spread 0.42 exceeds threshold (4 models) - -
2026-02-28 10:47 eval Evaluated by llama-4-scout-wai: +0.36 (Moderate positive)
2026-02-28 10:42 model_divergence Cross-model spread 0.42 exceeds threshold (3 models) - -
2026-02-28 10:42 eval_success Lite evaluated: Moderate positive (0.50) - -
2026-02-28 10:42 eval Evaluated by llama-3.3-70b-wai: +0.50 (Moderate positive)
2026-02-28 10:42 rater_validation_warn Lite validation warnings for model llama-3.3-70b-wai: 0W 1R - -
2026-02-28 09:13 model_divergence Cross-model spread 0.42 exceeds threshold (2 models) - -
2026-02-28 09:13 eval Evaluated by claude-haiku-4-5-20251001: +0.10 (Neutral)
2026-02-28 01:40 eval Evaluated by claude-haiku-4-5: +0.52 (Moderate positive)