Millennials and GenZ may have no idea who Mudge is. I, however, almost lost my first job out of college at a bank because I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords. I showed my boss, and he pulled me aside into another room and tore my head off for irresponsibly running this tool against a production server. He said I could have been fired if this got out, but he covered my ass, sent out an email requesting everyone reset their passwords, and let me continue working. I learned a good lesson because even though my intentions were good, and it did expose security issues, it was a bit immature and should have been done in a more controlled manner along with the proper clearances.<p>Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to the FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid.<p>I think Twitter is in real trouble here.
I learned a lot about Mudge by reading "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."<p>For anyone wanting to explore '90s security nostalgia, it's worth a read. For anyone wanting to learn where hacktivism comes from, it's worth a read. For anyone wanting to learn about how security consulting has evolved over the years, it's worth a read.<p>Mudge is a very cool and capable individual. I am slightly surprised that Twitter would ignore someone of his talent and respect, and choose to air their dirty laundry in this manner. It's as if they have no idea who they hired. That, or C-levels think they can outpay $$$ any PR against Twitter to control the narrative. Either way, if Mudge is whistleblowing, there's probably some bad shit going down.
The whistleblowing case is a new dimension. To me as an outsider it implies Agrawal may have also been the manager in his previous technical role for a lot of the tech problems Zatko identified, and what made Agrawal CEO was his ability to leverage these problems to play ball with all the interests in that company and board, while sustaining through neglect some of those concerning practices within the organization. Twitter's product isn't technology, it's an uncertified slot machine that pays out in political influence, and there are a lot of big interests depending on their cut of it. They needed a steady hand who wouldn't be vulnerable to being swayed by principle, and that's the one thing you don't keep hackers around for, imo.<p>If I were betting, nothing is ever really systemically broken in large orgs, it just works for someone you can't see. This is a factor everywhere and not necessarily at Twitter. Shitty process? Cui bono. Unverifiable systems? Cui bono. Deniable and unaccounted-for access to God-mode data? Cui bono. Repudiable numbers reporting? Cui bono. Bizarre political posturing? Cui bono, etc.
Is it just me, or does some of this feel less whistleblower-y and more petty? For example:<p>> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.<p>That said, this is Mudge. I have a lot of respect for the guy, and I believe what he says. I'll chalk the pettiness up to this article being a summary of a more complete document that I'd like to read at some point.
Twitter CEO's response to employees which denies none of the claims made by CNN & WaPo*<p><a href="https://twitter.com/donie/status/1562069281545900033" rel="nofollow">https://twitter.com/donie/status/1562069281545900033</a><p>* <a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a><p>edit: the PDFs from *<p><a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/current_state_assessment.pdf" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a><p><a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/risk_committee_issues.pdf" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a><p><a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/whistleblower_disclosure.pdf" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a><p>cover letter: <a href="https://s3.documentcloud.org/documents/22161666/twitter-whistleblower-cover-letter.pdf" rel="nofollow">https://s3.documentcloud.org/documents/22161666/twitter-whis...</a><p>latest reaction from Capitol Hill: <a href="https://www.washingtonpost.com/technology/2022/08/23/twitter-whistleblower-congress-investigation/" rel="nofollow">https://www.washingtonpost.com/technology/2022/08/23/twitter...</a><p>>Nobody at the Valley's unicorns seemed too concerned with security. (I asked Jack Dorsey that year whether he worried about the fact that hackers were continually pointing out holes in Twitter and in his new payment start-up, Square. "Those guys like to whine a lot," he replied.)<p><a href="https://twitter.com/nicoleperlroth/status/1562048569028366337" rel="nofollow">https://twitter.com/nicoleperlroth/status/156204856902836633...</a>
God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.<p>Is this an accurate statement?<p>If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?
The "whistleblower" is Mudge? Ok, I didn't care before, but if Mudge is putting his reputation on the line, this is probably actually serious and legit.<p>Literally the entire security community knows and looks up to Mudge. If anyone finds out that anything he said was bullshit, it will get blasted from the rooftops and he'll become a laughing stock. He would have to want the rest of his career to be working for morons and be ostracized from his friends and community to make this shit up.
It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off. Coupled with the fact that there is a lack of IT education about hardware/software, this means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.
This excerpt is frightening:<p>> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors
For a solid and genuine technical person considering a CISO or CISO-like role, I've had the impression that they have to be very selective where they go.<p>Even in what I'd guess is an "ideal" situation, of tractable technical & process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.<p>I also hear of a lot of much-less-than-ideal situations.
I hate being asked to hand over my phone number for 2FA or similar protections. Or facing the choice between deleting all my DMs or risking them being compromised on account of no E2E support. Then again, even if you delete something, there's no knowing what their data retention handling is.
Seems like Twitter loves going through the cycle of getting hacked→hiring good talent and focusing on security→losing people and focus→relaxing their stance→getting hacked :(
By the CNN piece it seems like Twitter hired a community figure, which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures; they are not necessarily the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance, and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to the SEC would work better IMO).
If this is true this would be particularly damning<p>>Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.[1]<p>[1] <a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a>
This should get the attention of politicians, who are probably the most active users of Twitter. Having their contacts, comms, and metadata such as phone location exposed and collected by adversaries is probably a concern for them and our entire political system. Recall how J. Edgar Hoover was collecting dirt on every politician to blackmail them to keep his agency funded without oversight. Twitter would have been a wet dream for him.
Eh, you could take out Twitter and insert many other company names and it'll still hold true. And those companies hold so much more sensitive data about you than Twitter.<p>I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage of lax permissions.<p>This is rampant. How is this a story?
I wish CNN would just air their interview in full instead of splicing his answers into 5 second soundbites with editorialized voiceover framing. I'm infinitely less interested in CNN's reporter's summation of the issue than that of the veteran security analyst at the heart of the story.
Sure the article focuses on Mudge because he's blowing the whistle, but Mudge <i>and</i> Rinki Sethi (ex-CISO) were fired at the same time.<p>When you fire both your chief of security and your CISO months after you hire them, it's weird. Even if your chief of security had personal failings, why fire his boss? If the boss falls on her sword for her direct, that certainly makes me think to take what they're saying seriously.
copy and paste my comment from an earlier post which failed to see HN traction (<a href="https://news.ycombinator.com/item?id=32562747" rel="nofollow">https://news.ycombinator.com/item?id=32562747</a>):<p>> The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.<p>this is a fun read. I've long said that government agencies, heads of state and other influential public figures are obvious candidates for running their own ActivityPub installations (or in paying competent people to do that, which shockingly Twitter, Inc. could be in the business of hosting/selling).
Mudge is a very credible source. Interesting to see where this goes. Twitter has gone through more security heads than any high tech company should. Not surprised it’s a chaotic environment.
> FOREIGN THREATS: Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll, the disclosure alleges.<p>This is a very strange article to me. When I think of Twitter and government influence, I think of the overwhelming pro-Washington bias.<p>I think of the "state-affiliated media" tags that somehow don't apply to RFE/RL and BBC.<p>I think of the countless heterodox/dissident accounts that have been banned or silenced on the platform.<p>I think of the "hacked materials" warning label that was invented to discredit a particularly damning story about a covert disinformation campaign involving Reuters and BBC.<p>I think of Twitter's complete tolerance of the obvious platform abuse by the textbook troll farm known as "NAFO".<p>I think of the revolving door between the federal government and policy/compliance positions at large tech companies including Twitter, of which Mudge is one of many.<p>My tinfoil hat is whispering that this story is part of a broader campaign to put pressure on Twitter to be even more compromised by the federal government and intelligence agencies. I just don't see how this "foreign threat" narrative lines up with the reality of how effectively managed Twitter has become over the past few years.<p>Realistically though, Mudge probably just has a huge hacker ego and is butthurt that he was caught slackin'.
You would think that Twitter might have a coherent strategy in place for dealing with the media on this, but no. They are trying to discredit Peiter Zatko by stating that he was terminated for performance reasons, and yet their spokesperson goes on to make these completely conflicting statements:<p>From Twitter spokeswoman Rebecca Hahn:<p>Hahn said that Twitter fired Zatko after 15 months “for poor performance and leadership.”<p>Hahn added that Twitter has tightened up security extensively since 2020, that its security practices are within industry standards, and that it has specific rules about who can access company systems.[1]<p>2020 was of course the year that Zatko was hired by former CEO Dorsey. So security tightened up "extensively" on Zatko's watch but he was fired "for poor performance and leadership"?<p>This only seems to support Zatko's (and many others') assertion that Twitter is a giant shit show of chaos.<p>[1] <a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/" rel="nofollow">https://www.washingtonpost.com/technology/interactive/2022/t...</a>
I've been hearing about Mudge for <i>decades</i>. It's actually a bit ... <i>heartbreaking</i> ... to see him looking so corporate, but we all age, don't we?<p>I doubt he was fired for being bad at his job. But I'll bet he was fired for getting in people's faces. That was basically his calling card for <i>years</i>. Why is anyone surprised?<p>I guess Twitter thought they could hire the cachet, without hiring the man.<p>I remember an Apple WWDC, way back when. It may have been in the 1980s, as it was in San Jose.<p>They hired Ken Kesey to drive his bus to San Jose, and give a speech. The party theme was "Hippies," so he fit right in.<p>So they thought.<p>He got up on stage, and started talking about taking acid, and counterculture.<p>The shepherd's crook came right out, and yanked him off the stage.<p>I heard they had a big fight with him, because they wanted him to leave his Magic Bus, parked in the courtyard.<p>He drove off in it.<p>Smart people that make waves are not easy to control. If you are used to herding around mediocre sheep, you'll probably have a hard time with the wolves.
"The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to."<p>I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal, or, is this whistleblower's account inadmissible?
Considering the stories you can read in the security engineer handbook[1] written by FAANG security engineers I’m willing to believe that.<p>[1]: <a href="https://securityhandbook.io/" rel="nofollow">https://securityhandbook.io/</a>
The previous head of security to Zatko talked about fixing these problems. I remember distinctly after the FTC crackdown there were all hands where the discussion came up. I guess these problems were never fixed.
I still think liability is the tool that will change how we approach security.<p>Right now breaches don’t cost much and cause a lot of harm. Companies have no incentive to drive the speed limit and listen to their engineers.
Not wanting to defend Twitter, but I'm pretty sure the situation is very similar across a whole lot of companies, even those that make security their main business, i.e. FireEye.<p>Because investing in IT security usually has no apparent profit incentives, most companies' leadership will consider it something of very little importance funding-wise.<p>Particularly in the current climate where even minor hacks, and simple ransomware infections, are regularly made out as some kind of "act of God"/allegedly done by some super advanced "state actor", to create the narrative of how it just wasn't preventable with the resources of a private company.<p>Which outsources all the responsibility to ominous intangible parties based on wonky, and often politically motivated, attribution, while holding nobody responsible for running outdated software in exploitable combinations, thus creating the problem in the very first place.
Good job mudge! For those that don't know him, Mudge is kind of a big deal in cybersecurity:<p><a href="https://en.wikipedia.org/wiki/Peiter_Zatko" rel="nofollow">https://en.wikipedia.org/wiki/Peiter_Zatko</a>
Mudge = Competent advisor, Cybersecurity expert, Senate special witness.<p>Twitter board = Incompetent, Liars, Corporate cronies.<p>Which of these two sources do <i>YOU</i> believe is more reliable? Yeah. That's gonna be the general consensus.<p>Mudge-1 / Twitter-0
Call me paranoid but this is just too convenient.<p>In the next two months we have Elon’s Twitter trial where he’s expected to get railed. Despite waiving due diligence in his commitment to purchase Twitter he’s repeatedly made the claim without evidence that Twitter has made material misrepresentations about bots to him and investors. That would be fraud if true.<p>So right before the trial a “whistleblower” comes forward and makes claims that support Elon’s narrative. <i>Weird</i>. It’s just a little too convenient for me not to be at least skeptical.
While I'm sure Twitter's and every social network's internal politics suck and are full of sleazy people who hold themselves in very high regard, these accusations seem weak.<p>He appears to indicate precisely what is public, like the 5% bots, but then goes into the usual obscure "I know it's not that number and the structure is incentivized in the wrong way.."<p>Obviously he has an axe to grind and I wouldn't be shocked if Elon was directly involved with this, but I'm not sure this vagueness holds in court..
I did wonder about this ever since the Ahmad Abouammo story broke. How did a media partnerships manager have access to so many random users' private info? That stank of poor access controls:<p><a href="https://www.justice.gov/opa/pr/former-twitter-employee-found-guilty-acting-agent-foreign-government-and-unlawfully-sharing" rel="nofollow">https://www.justice.gov/opa/pr/former-twitter-employee-found...</a>
-- I've always (since the 90s) used the rule of thumb treat everything on the internet as if it's compromised - I employ low personal security - however i also employ low trust - wouldn't go so far as to blame the users or the platforms - i'd blame both equally - user education is low - false sense of security is high - as the years have gone by - adjustments have been made on my side: comments sections are probably misinformation - emails from people I know may or may not be real - emails from people I don't know are probably not real - use pen and paper for things that need to stay relatively confidential - this is how I was taught to use the internet in the early days - still use it this way today --
The bots problem is an absolute nightmare issue for a social network.
I can't imagine what I'd do if I discovered my network was fake. The whole point of my network is building professional connections and gaining skills for work.<p>Also seeing various weird topics on twitter like kpop or other random things always made me wonder how much artificial bot boosting was done for those who had money to pay the bot net.
Amazing how little has changed in 20 years...<p><a href="https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-zatko-2000-vault-orig.cnn" rel="nofollow">https://www.cnn.com/videos/business/2022/08/23/peiter-mudge-...</a>
Ah yes, came for the obvious response which I essentially do see here. Cybersecurity is awful at twitter, but that's because cybersecurity is awful everywhere.
I mean separately from security questions here, it seems not great that 'public social media' platforms are operating their own DMs<p>DMs should be BYO provider
"Twitter has hidden negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bots on its platform, according to testimony from the company’s former head of security, the legendary hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko."<p>"Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning."<p>What a bombshell! Maybe Elon Musk's complaints about Twitter have more merit than anyone expected.<p>What might the SEC and shareholders do in response?
It's not just this, but a long series of Twitter-related debacles, that are starting to look less like a company in trouble, and more like a company circling the drain. Do we have any real reason to think Twitter might not be able to survive all this? No one seems to think they're profitable, not even when ad revenue generally was a lot better than the economic environment we're going into. No one who's capable of buying it seems to want to buy it; the reason the poison pill vs. Elon Musk's initial purchase attempt was dropped, is that they checked around and got no other buyers. It's not just the legal and PR problems, it's that there's no $$$ on the other side to make it worth those problems, and we're heading into a "you need to make money" environment. I think they might be circling the drain...
It's important not to forget that certain Twitter users share incredibly sensitive data over Twitter, increasingly including nudity and sexual acts (sometimes on private profiles or in DMs, so they're not meant to be public).<p>While one may (not wrongly) think that this is a bad idea in general (unless you subscribe to post-privacy), I think it is our duty as a society to protect those who don't have a full grasp on the implications of bad IT security.<p>In my opinion, fines for cyber security violations should be swift and harsh (GDPR goes in the right direction in terms of how high the fines are, but it is barely enforced). From my POV that is the only thing that will force companies to actually invest in cybersecurity. Maybe there should even be a law mandating security reviews if you handle any PII.
So the CNN article lacks any detail really. There are things on the surface that sound bad, but without context it's impossible to tell.<p>Has anyone gone through the Washington Post story and the PDFs and found the real issues?
If it's your job to address specific issues and you fail to do that, how is that whistleblowing? If this person can't prove they were blowing whistles before termination, well, that's a lot of egg to wear on one's face.
I think it's a pretty open secret that Twitter is a fairly broken company. It's no surprise that their security practices are bad, because <i>all</i> their practices are bad. It's also very difficult to view this in isolation when you have the timeline of (1) Fired in January, nothing happens. (2) Musk makes offer for Twitter then reneges. (3) Months before the lawsuit gets decided, re-emerges with accusations.<p>What happened that caused him to suddenly start whistleblowing now, and not in January? Was it the same thing that caused Ken Paxton in Texas to start investigating Twitter?<p>This just looks like pretty plain mud-slinging from Musk's team to be honest. Especially since the whistleblower seems to basically be blowing the whistle on himself.
Honestly, can you really trust anything about major social media sites any more?<p>Has Twitter ever been in the news for properly making even a thousand people successful from scratch really ever in the product's life?<p>They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform, they extort people promoting their independent work for ad money, they don't protect anyone's privacy, they are VERY MANIPULATIVE in multiple (psychological) ways, they offer very little support or fairness when accounts are compromised, hijacked, or stolen, and they impose a stranglehold on information through lobbies and suppression of independent art and music.<p>Social media took over the Internet after they wooed everyone into the ideal that they would operate fairly. Now that they have captured full attention, they have turned on users and they offer very little to anyone who doesn't pay, and can't offer reliable security to anyone. There are some serious "God Complexes" going on with having access to the personal data these systems harvest ON EVERYONE in conjunction with mobile devices.<p>I really hate to say it, but it would actually probably make me feel better if most of the large data monitoring sites/apps went away rather than stayed in place, because they make almost every aspect of the Internet work against us all.<p>Twitter has had several opportunities to fix how it operates. The platform also generates tons in annual revenue to fix how it operates. Twitter has lots of employees that could fix how it operates. Twitter has also had numerous security breaches, and it regularly causes tons of stress for users. Twitter continues to focus on only pleasing its sponsors, investors, and execs year after year and repeatedly stretching the promises it was built upon.<p>I can't say I want to see this whale fail, but I won't miss it if it does.
When is mudge going to audit tesla/spacex for "non-compliant kernels", "encryption at rest", etc, etc?<p>Everyone in this shameful industry knows that literally any company in the US would get shredded in such a vigorous audit and the silliest part is that twitter is a fucking shitposting platform that doesn't have my SSN or financial data so equating it to equifax in any way is absolutely laughable.
From Wikipedia: “He was the most prominent member of the high-profile hacker think tank the L0pht.”<p>That’s quite a generous take. There were plenty of excellent hackers in the 90s, but “L0pht” just seemed like the PR friendly one that could go on good morning America.<p>Can’t tell if this is real or just a 90s security person trying to stay relevant after being fired.
>one or more current employees may be working for a foreign intelligence service.<p>I don't doubt this, but the source is someone with fairly deep ties to the US intelligence services. Why should he be allowed a job and not people with ties to foreign agencies?
Zatko reported directly to the CEO, as a senior leader you need to take responsibility for your own work. Does anyone believe that in an organization as large as Twitter he didn't have enough resources to solve this? I imagine his budget ran in the tens of millions.
OK, so their security is a mess, as many commenters have pointed out, they are one of many companies.<p>What I can't figure out is what's this guy's beef that he went revealing all this? Was he fired or demoted or something and thought to get his own back?