Mudge's redacted Twitter whistleblower disclosure [pdf]

122 points by vngzs over 2 years ago

13 comments

maxbond over 2 years ago
This document feels out of place to me. It's addressed to various regulators, and at a surface level it has the form of an affidavit or other legal document. But the language is far too familiar to be writing for that audience - they refer to Mudge consistently as Mudge rather than, say, "Mr. Zatko"; they make liberal use of superlatives; they add emphasis using bold text. This is kind of like writing a cover letter where you explain why the job would be great for you rather than why you would be great for the job, it's going to sound wrong to your intended audience, and it will degrade your credibility in their eyes (rightly or wrongly). This isn't the style you would adopt if you wanted such austere organizations as the SEC, DOJ, and they even mention _Congress_ to take you seriously.

This leads me to believe that this is a document for public consumption adopting the aesthetics of a letter of concern sent to regulators, and that this document is being submitted to the court of public opinion. I don't doubt that Twitter executives are borderline fraudulent and may have crossed the line into outright fraud - I'd be unsurprised to learn that about any group of executives at any large company. But this document has more the feeling of propaganda than a serious appeal to regulators.
a_puppy over 2 years ago
Wow, this is a wild read. Some of the most shocking parts:

- Lack of development and testing environments; engineers build, deploy, and test code directly on the production environment

- >50% of employees having access to the live production environment and sensitive user data (getting _worse_ over time)

- Lack of logging of what people did with their production environment access

- 30% of employees' systems had disabled software updates

- Twitter "has never held proper licenses to the data sets and/or software" they used for some ML models

- "The majority of the systems in the data centers were running out of date software no longer supported by vendors"

- Misleading the board (e.g. trumpeting "we have endpoint monitoring software on 92% of employee systems!" but neglecting to mention that endpoint monitoring software reported 30% of employees' systems had disabled software updates)

- Misleading the FTC (e.g. implying that data was deleted when users closed their accounts, when in fact it was not)
majormajor over 2 years ago
Paragraph 15 is amusing in that it undermines their weird attempt to connect to current affairs without much basis - it comes right out and says "executives are incentivized to avoid counting spam bots as mDAU" yet the greater thrust of the section is that Musk's dispute of the 5% number - a number based on "mDAU" - is generally "correct." That seems extremely twisted: Musk is claiming Twitter claimed something they didn't, Mudge's claim here is that Twitter execs are highly incentivized to be honest about that number they actually claim. In terms of "total" bot accounts... it's a free service with open signup on the fucking internet. You aren't gonna crack down on that effectively without draconian measures that few people really want. Twitter "intentionally prioritized" growing the base of users they were confident in showing ads to since that's the core of their business? Yawn. Company focuses on what actually makes them money, seems responsible of them to their stakeholders! If the bot "problem" got bad enough that they couldn't monetize, they'd be incentivized to fix it; they shouldn't necessarily spend millions on trying to fix it just because people complain. There are bots on Twitter, news at 11, this supports the idea that Twitter wasn't lying in their financial reporting. *So why are they leading with this BS part?*

The other sections are much more interesting.
dang over 2 years ago
Recent and related:

--- edit: one thing I regret is not changing the cnn.com URL to the original WaPo reports a few days ago, since they were obviously much better - so I'll add them here:

https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/

https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/

---

*Twitter CEO Parag Agrawal on whistleblower story* - https://news.ycombinator.com/item?id=32565019 - Aug 2022 (82 comments)

*Twitter’s former security chief says company lied about bots and safety* - https://news.ycombinator.com/item?id=32564630 - Aug 2022 (2 comments)

*Ex-Twitter exec blows the whistle, alleging reckless cybersecurity policies* - https://news.ycombinator.com/item?id=32562815 - Aug 2022 (597 comments)

Not so recent, but related:

*Twitter shakes up its security team* - https://news.ycombinator.com/item?id=30026171 - Jan 2022 (110 comments)

*Twitter names famed hacker 'Mudge' as head of security* - https://news.ycombinator.com/item?id=25115754 - Nov 2020 (172 comments)
bushbaba over 2 years ago
I really hope that's not true. Ooph. "Twitter data centers were fragile, and Twitter lacked plans and processes to “cold boot.” That meant that if all the centers went offline simultaneously, even briefly, Twitter was unsure if they could bring the service back up. Downtime estimates ranged from weeks of round-the-clock work, to permanent irreparable failure"
danielmarkbruce over 2 years ago
Has anyone worked with him? This report makes him sound immature, unprofessional, and out of his depth with respect to legal matters. Is that an unfair characterization?
Aissen over 2 years ago
Interesting tidbits to HN users, who like to complain about new Twitter accounts being disabled and required to add a phone number: this is called "ROPO" internally, and multiple executives actually *want* that to be disabled. But Mudge asked for research that proved it was one of the most efficient anti-spam measures they have at their disposal.
ratsmack over 2 years ago
I read most of the document, and even if a fraction of it is true, Twitter will have a lot of explaining to do in front of the SEC. It sounds like it would be easy to find criminal intent.
blitzar over 2 years ago
> 32. Unfortunately, as detailed in the rest of this disclosure, Agrawal's misrepresentations about spam bots are just the tip of the iceberg.

If the smoking gun is the bot section, then there is nothing here at all.
SilverBirch over 2 years ago
I think a lot of this is... bad. But not bad bad. It's bad in the sense of "This company is rubbish and Mudge clearly fought with Agrawal" but not bad in the sense of "This company is clearly doing illegal things".

For example, Mudge claiming he was ordered not to present a report to the board. He might not be happy about that, but that's perfectly fine, it's not down to him to choose what the CEO decides should be presented to the board, you can have perfectly reasonable disagreements about what's appropriate and at the end of the day the call is down to the CEO. The fact that there are other cases where board members intervene to tell Mudge this reinforces that.

Or the claim that the CEO instructed Mudge to send the board documents they both knew were misleading. This is an explosive claim, but it seems highly unlikely that Mudge can prove Agrawal knew the documents to be false, and misleading is impossible to know, because he can't know the context they were presented in. I think it's just highly unlikely that Twitter's CEO is so incompetent that he's just moustache twirling and lying to everyone, it seems highly likely this will come down to Agrawal having a different opinion or interpretation of the facts.

What really undermines the claim is when we get to this section:

> Agrawal’s tweet was a lie. In fact, Agrawal knows very well that Twitter executives are not incentivized to accurately “detect” or report total spam bots on the platform.

Mudge is massively over-reaching here. At best, an argument can be made that at some point there are some perverse incentives where allowing spam bots could inflate numbers to make the company look successful. But even if that argument were convincing, which it isn't, Agrawal clearly doesn't believe it. It's trivial to make Agrawal's argument here.

That's why this looks like big claims, but unsupported claims. Because where it's clear that people can reasonably believe what they say but disagree with each other, Mudge claims one side must be lying. What could easily be presented as openness, honesty and transparency about the challenges the company faces ("Mudge asked the Head of Site... what the underlying spam bot numbers were. Their response was "We don't really know.”) - Mudge baselessly claims this essentially proves they were acting in bad faith.

This all looks designed to be explosive on first sight, but not actually correct in the detail.
johng over 2 years ago
From my reading it looks like Agrawal might deserve some jail time... this is egregious? Thoughts?
Rapzid over 2 years ago
The implications of what is being alleged are.. Hard to wrap one's head around. Fascinating to ponder. We all assume stuff like this is going on, but here it is; no conspiracy theory.

At a minimum it's worth spending brain cycles considering the impact on "national security".

Arguing over the blame and legal implications could be interesting in the context of dispassionate technical legal analysis, but most of that discourse seems little more than a couch for people to signal their biases for the parties involved.
rvz over 2 years ago
Twitter is in dire hot water over this and are going to have a nice conversation with Elon, Jack, etc in court with the SEC, and the FTC watching them over this potential case of fraud with this disclosure.

Did Twitter really think that continuous denial, lies and more PR deception was going to be that easy to get away with?

Not this time.