337 comments

[ 6.4 ms ] story [ 303 ms ] thread
I would be shocked if there weren't a handful of spies working for various countries at every large tech company at this very moment. I have no idea how a company would screen for that but it would make little sense to not embed insiders into each of these companies.
Don’t screen; how can you? Principle of least access.
Ahmad Abouammo and Ali Alzabarah you say? Not even the simplest employee vetting: names??
I can’t tell if you’re being serious or not but what you just said is incredibly racist.
I wonder if GitLab will add Saudi Arabia to their employee region block?
Saudi Arabia is a US ally, so family region block against them is unlikely. Even if it is a country that tolerates and promotes open slave trade (look up #maidsfortransfer on BBC).
It's probably more difficult for social media companies like Twitter to prevent something like this than it is to actually properly secure and protect user data.
Even Twitter money pales in comparison to sheik money. I'm not sure you can defend against somebody giving an engineer with admin access a suitcase with $300k in it. Not to mention any other pressures that MBS could potentially have brought to bear in these cases.
How do banks defend against insider trying to rob it?

I'm sure twitter can do it - it's a matter of cost vs benefits. They don't want to spend the money required to secure access and audit.

Insider risk controls and oversight, two person systems, data loss prevention, etc.
Think that was a rhetorical question
That is GP's point, that no engineer should have admin access to PII when you are operating at Twitter scale. Or at least not without a lot of red tape to make it very easy to catch rule breakers.
Part of it is, Twitter doesn't fully think of itself as Twitter-scale. It's not that long ago that Twitter was fail-whaling around, a non-serious place for stream-of-consciousness shitposting by anonymous egg accounts. It's still move-fast-and-break-things.

Someone else made the comparison to banks, and well, banks deal with real money and have always been dead serious, and they've got decades of head start on handling this stuff properly.

Very true, when the means meet the will or motivation, this sort of thing is bound to happen, especially as these Silicon Valley companies have so much influence. I hope this doesn't become a trend, lest we get calls for a "Silicon Valley blacklist" ala Hollywood during the Cold War.

https://en.m.wikipedia.org/wiki/Hollywood_blacklist

I wonder what the maximum here is. Cash is harder to spend than it used to be and in addition you’d be at risk that the actual people facilitating the payment delivery would be your biggest risk since it would be very likely they would turn around later and rob/murder you.

There’s probably some optimal “suitcase full of cash” number that basically optimizes for spendability and risk.

Why would they murder you when you have access to invaluable data they can get from you at any time? If anything they might blackmail you to do future investigations for cheaper, but why would they mess with a good thing? We're talking about people who can basically print money.
Audit log around administration tool with frequent reviews of the log. Banks and financial firms do this type of auditing all the time. The consequences just need to be there to incentivize social media companies to take action.
I work on a big data system in the healthcare industry. Every query executed on the database is logged.
But for financial data there is a mssive industry for auditing problems. I would like that because it would make administrating user data extremely expensive, but I don't see it becoming feasible.
It would be interesting to know what Saudi Arabia asked Abouammo to do at Amazon as well.
Ive always wondered if social media companies had any nefarious parts to play in the arab spring, since it all started on social media and this was before the accute awareness of bots to cause crazes on social media. Things like this make me wonder more.
They absolutely did - at the behest of the US State Department. Twitter was scheduled to have some planned downtime during the Egyptian Arab Spring, but they postponed it at the request of State. Evgeny talks about this.
I wouldn't call that nefarious.
That depends on your perspective. I support the intentions of the Arab Spring, but I still think it's inherently nefarious for a private technology company to partner with the US government in order to overthrow governments. I also seriously doubt that they were simply sitting idly by and hoping that the revolution went their way, as we now see that most all world governments have their own online propaganda divisions.
Would it be nefarious if the State Department asked Twitter to stay open during a hurricane? Or on Election Day?
I think a better question would be:

Would it be nefarious if the State Department asked Twitter to stay open during Pinochet's coup of Salvador Allende?

(comment deleted)
It's a long way from postponing scheduled downtime to 'partnering with the US government in order to overthrow governments'. I don't have any difficult seeing how someone could view the former as nefarious but they aren't the same thing.
You mean the latter not the former.
No, I mean what I wrote. I don’t have to agree with it but there are plenty of people who think cooperation, however indirect, with a US foreign policy goal is bad. It’s a viewpoint. Calling a thing something that it isn’t is not a viewpoint, it’s just wrong.
I think perhaps you misunderstood me? You're saying:

> I don't have any [difficulty] seeing how someone could view [postponing scheduled downtime] as nefarious but they aren't the same thing.

Didn't you instead mean the following?

> I don't have any [difficulty] seeing how someone could view [partnering with the US government in order to overthrow governments] as nefarious but they aren't the same thing.

Or maybe you did mean that postponing scheduled downtime looks nefarious to some. It just seemed like a weird thing to say compared to the other option.

maybe you did mean that postponing scheduled downtime looks nefarious to some

You got it.

> I support the intentions of the Arab Spring

Difficulty those intentions aren't the same as Saudi Arabia's or the gulf states. Nor the State Department's.

At first, I thought the US Department of State requested that the downtime occur during the revolution.

But how is keeping social media open to the masses a nefarious thing? Unless the parent is one of those autocrat supporters?

At a minimum it makes you wonder what vested interest the state department had in making sure twitter stayed up. It couldn't have just been for the humanitarian benefiet, it makes me think that they also had a part to play in the social media traffic itself.
I mean, i dont want to make this political but who was the secretary of state during this time and was simultaneous receiving funding to their foundation from saudi arabia as well?
makes you wonder how it all stopped rather
What other tech companies have in house spies. NordVPN? Wikipedia? Facebook? Gmail?
It seems like there is an inverse relationship between sophistication and risk. If everything is full-custom then it may be quite easy to integrate auditing tools for who accessed user data. If an org uses mostly off-the-shelf software then it's pretty much impossible to audit e.g. who connected to what mysql server and ran which queries. So I'd be a lot more worried about a Twitter (fairly unsophisticated deployments of standard software stacks), moderately worried about Facebook (hacks upon the usual stack) and not very worried about Google (literally everything written in-house).
>who connected to what mysql server and ran which queries

I'm pretty sure that is not really a hard task

It is quite common that sql servers run just with a few accounts. Helpful audit logs on critical systems have a high cost. So technically it is not hard but practically it is.
True but they can have systems which execute on the behalf of an authenticated user and pass that to the SQL server but the system in the middle would have logs of that query and by whom. Now, to be fair, there are usually holes that allow direct access as well.
I work in the public sector where we take these things fairly seriously, but it doesn’t really matter when the auditors are drowned in the vast amount of data.

We have 300 IT systems with 8000 users that take care of 700000 citizens. There is an ungodly amount of information on who accessed what and when. Data security, even post GDPR is a total illusion.

We’re working to build better access control, by indexing data and mapping user rights to job functions, but even then things are going to get lost in the audits.

Why would you think that MySQL is harder to get logs from than some custom in house database?
> who connected to what mysql server and ran which queries.

Let’s say I’m a foreign spy who happens to be the company’s DBA. Audit logs don’t really help you there since it’s not particularly noteworthy that I was in the DB.

That's exactly my point. In a company like Twitter there is some person or probably many people who are "the dba" and accessing a mysql directly or even using tools to access the underlying storage is an event of no discernible consequence. By contrast in a Google-style stack there is no person who is "the DBA", making it far easier to audit. A Gmail admin might need to unwrap the encryption keys that protect your attachments to, for example, diagnose a message-of-death that is crashing their backends, but that event would be so rare as to be easily audited, and it would tie a specific actor to a specific victim. Also I would say a custom auditing stack is way more resilient to things like just deleting the logs off the server, restarting the server without auditing, and whatnot.
The data scientists at Facebook have pretty much free reign to pull down whatever data they feel they need and often do. As much as there's talk about how much of a no-no that is there, it doesn't seem like anyone is really looking.

You should be a lot more worried about Facebook.

This pretty much applied to US government warrantless wiretaps as well come to think of it. Unfettered access isn't so hot if you like your privacy.

That's a different problem though. The fact that Facebook employees access your private data is not because of insider risk being taken unseriously. It's because looking at and distributing your private data is a core function for that company. They don't consider it a flaw.
I’d wager every single one of them.
If even 1 in 10000 people were spies...
All of them. I imagine if you’re a high value target that can be blackmailed, some intelligence service knows all about you.
These guys weren't blackmailed. They were just bribed.
Insider risk is not limited to "spies", there are lots of actors that may act against the best interests of the company in regards to how the access and use the data. There are procedures (basically layered security, auditing and monitoring) that can be followed to actively manage this. So yes, there may be "spies" at any one of those companies, or just people doing things they shouldn't do, but to me that's logical and not surprising in any way, any organization has to face this issue.
Any company that handles sensitive information, or information about a lot of people (even if not particularly sensitive) has to assume that they have at least one in-house spy of some sort. Partly to make sure they're not more vulnerable than they should be and partly because it's likely to be true.
Digital Ocean, Linode, OVH, Heroku, Cloudways, any cloud database provider, DockerHub, etc?
This is a scary trend, it's bad enough that anytime I talk to someone online I question if they're a real person. Now we might be transitioning to an era where I can't trust my coworkers either.
If it's large and has access to data on lots of people you can bet there are spies.

Hell, Google has real time and historic GPS data for half of America. A government would have to be out of their mind not to go after such data.

Every company that collaborates with the NSA (including Microsoft, Google, Facebook, Apple, and Dropbox) has in house spies. We don't like to think about it this way because the spies are on "our side".
Are you talking about in house spies, or spies placed in companies by governments?

If the latter, then the answer is all of them.

Since like 05 Google has had very high strictness on this kind of access but I'd still bet there are some SREs working as foreign agents
not a good time to be a foreign tech worker in the US
I don't think it's fair to generalize on a sensitive topic like this. People are already scrutinized enough when it comes to getting a working visa.
Rather they might be sympathizing because it might be inevitable for others to generalize like that.
my point is innocent people are going to be unduly scrutinized further. plus our current admin as-is doesn’t exactly love foreign workers (a massive understatement)
I don’t doubt that this will happen, but it’s perfectly within the rights of the United States to apply more scrutiny to e.g. Chinese nationals seeking employment at tech companies. We’re in a trade war with them and a de facto state of cyberwar. It’s not at all unreasonable to expect the US Government to look a little more closely at people coming here to work in tech, especially for roles in sensitive positions.
Nobody said it wasn't reasonable. They're saying this will make your life suck more if you're a foreign worker regardless of whether or not you're a spy. Even if you view it as a necessary evil, it can still suck for people doing nothing wrong.
I imagine most of the tech spying/IP theft doesn’t even happen on US soil. Let employees in e.g., China access your internal network — what could possibly go wrong?
For many BigCos, it is explicitly forbidden to access the network in certain countries, or bring any company devices into those countries.
> not a good time to be a foreign tech worker in the US

—-

Ali Alzabarah, a Saudi citizen - was accused of accessing the personal information of more than 6,000 Twitter accounts in 2015 on behalf of Saudi Arabia.

—-

Well if they plan on spying for their government, don’t think we’d want them to have a great time? Don’t think that is too controversial.

Maybe. But, that doesn't address the parent comment's meaning. I interpret it as saying that both spying and non-spying foreign tech workers might be affected by the same brush tar.
My concern is that companies and people will laser-focus on the "foreign tech worker" part as if they are the sole threat vector. That presents an unacceptable blind spot, not to mention getting people to think that foreigners are likely to be spies.

In practice, it's not really much more difficult to find a US citizen tech worker who'd be willing to take a few hundred thousand to do the same thing (and it's something that happens routinely), and completely ignores the fact that US intelligence agencies also have a long-running habit of getting their spies hired by US companies too.

The difference of course is that when the US intelligence agencies get US workers to spy at US companies they do so for the US government - oh and the countries we see fit to spy on already have fairly severe employment restrictions such that it’s not easy for an American to get a job in one of their companies. There’s an asymmetry that exists here.
> oh and the countries we see fit to spy on already have fairly severe employment restrictions such that it’s not easy for an American to get a job in one of their companies

I'm not sure who you think America spies on, but the real list is much bigger than you probably think, and includes countries considered American allies (for instance, the UK and Germany.)

I guess I’m not sure how that is relative. Israel also spies on the US. My point is the asymmetry here in job opportunities between countries who are our, at least ostensible, geopolitical adversaries.
My point was that the quoted characterization of targets of American intelligence agencies was grossly inaccurate.
> The difference of course is that when the US intelligence agencies get US workers to spy at US companies they do so for the US government

From a security point of view, that's a distinction without a difference.

not from a national security point of view. well, more accurately it kicks the can further down the line to the security of wherever and whoever the government is using for that data.
> In practice, it's not really much more difficult to find a US citizen tech worker who'd be willing to take a few hundred thousand to do the same thing (and it's something that happens routinely)

Where do you get this information?

(comment deleted)
Should anyone have access to the actual data at their company? I feel like this is an indication of maybe scrubbing the said data is a "must" before it goes into the hands of employees.

Then again, what type of side-affects would that have on the quality of the products moving forward.

Someone needs to have access to the data...
that's not entirely true - it's possible for all the data of that nature to be in an audit-logged data store, and to require specific business cases for access to the data. So you can only see a user's private information if there's a specific bug you're working on, and even then the access is audited.

I mean, the data is still accessible, it's just not easy to get it willy-nilly without setting off alarms.

Someone needs to build and maintain the audit log software.
True, but you don't need access to production data to build an audit logger. And any commits to it should involve code review.
Backup/restore of audit data can make things complicated. eg the ability to overwrite incorrect/damaged audit data (etc)

So far, I've not yet come across a system where some level of direct admin access isn't needed for at least "last resort" situations. (obviously, only available to a very specific set of trusted people)

Someone has to scrub the data, though...

Agreed, data governance is important for any company to get right, but someone has to have DB access in order to manage it. When you factor in that so many companies derive revenue from the data they generate, then it gets harder.

If you’re Twitter, how can you build the services you need as an architect or data scientist without the actual data?

The scrubbers do not need raw DB access. All they need is a strictly audited web UI.

Very, very few people need root access and the ability to see all raw data. For example, at Google, this is a tiny number of senior SREs and that's it. Your average employees should be using audited UIs running through service accounts that have restricted permissions.

I’ve achieved this without so much hassle at a smallish/medium sized company (~60 engineers). A typical engineer had access to anonymized data, only a few had access to query raw data. All their queries were logged with justifications. They also wouldn’t query raw data as a matter of BaU (outside of some very rare situations), it was pretty much only ever done when making changes to the ETL pipelines.

The solution we had wasn’t particularly difficult to set up, and actually made life much easier for everybody, because we’d provided everybody with a very easy to use interface for the data they wanted (much better than the old school shelling into a DB to run your arbitrary SQL statements).

Any chance you'd be willing to share more about your setup, at least high-level?
We had a data warehouse where we sent pretty much all the data we had in the organisation, and redash in front of it to allow query access, reporting, etc...

Everything in the data warehouse was anonymized, and people only had access to the schemas they needed (though this was defined quite broadly). Anonymization was handled by our ETL pipeline. When we first set it up, the requirements were pretty simple and we just wrote a little java app to do it. This scaled pretty poorly, and the team ended up putting a proper ETL product in there. I can’t remember which one they used, but there’s a lot of perfectly decent products in that space (even some open source).

Who does the scrubbing if not Twitter employees?
You can and should restrict the number of people with access to the data, but in a tech company there's always going to be a significant number of people with direct access to the raw data. Software engineers on an on-call rotation, full-time site reliability engineers, data analysts, maybe even some external contractors... maybe this isn't the case for Twitter, but many companies also have to put complete trust in their cloud provider or datacenter, which puts even more people in the loop.

Even if you follow best practices with access control, in the end you're always going to have a group of people who you need to trust with access to folks' personal data. Maybe the solution is better audit logging and even tighter access, but I'm not sure leaks of this nature are preventable.

"but in a tech company there's always going to be a significant number of people with direct access to the raw data"

This is absolutely not true. This number can and should be reduced to an absolute minimum number of people.

The absolute minimum number of people may still be significant
Sure, but it comes at a cost. Companies rarely push the limits of these kinds of policies because customers are not willing to pay for them.
Making the penalties for breaches far more severe would be a good place to start though.
Twitter is big enough to pay that cost. Easily.
Twitter has a lot of staff. Even 1% is a relatively large amount of people.
Moreover, anyone seeking privileged access will percolate into such roles.
(Just as an FYI, the last time I checked that number was staggeringly skewed towards sales/marketing/evangelism teams rather than coders. Not that your point is diminished.)
Those people probably have more access to PII than staff engineers - that's who the data is for.
Hardly. They get the filtered data that SEs designed for them to get, probably on an account-by-account basis. It’s the raw data SEs have access to that we are mainly talking about here.
It doesn't need to be 1% of staff, it just needs to be a few dozen people (distributed geographically across the globe) who have root access.
Maybe because tech companies tend to be careless with data. It isn’t NP-complete to track and monitor access to prod data, or prevent access to it entirely. It’s just that people don’t want to do it.
It is pretty damn hard to reliably operate a service that you can’t introspect or debug in any way. The real world is more creative than you; things will happen in production that you didn’t think of in your synthetic test fixtures.
That’s still no excuse. Maybe Bill has to access some customer data to troubleshoot. Fine, log it. Maybe Susan has to look at sensitive logs to fix a bug. Fine, log it. These aren’t new or unsolvable problems.
Who says there weren’t logs? They got caught.
Please back this up and define the terms used.

As in, define "tech companies" (name specific companies that do this and why you think that can be generalized to the entire industry) and define "careless" (it's a relative term so please say if it's less or more careless of other examples of organizations that manage similarly large amounts of data but that aren't "tech companies").

Because to me the opposite seems true. It's the non-tech companies (if you equate that to FAANG) that manage large amounts of data that tend to have a lot more data leaks (internal or external) than the tech companies.

"Software engineers on an on-call rotation...data analysts, maybe even some external contractors"

These groups usually get access through a bastion that anonymizes data and logs access. I remember that as a SWE at Google, I could run aggregated & anonymized statistics across query logs, but some info (eg. IPs, user logins) had been scrubbed before any of my code could get access to it, and for things that were more personal (eg. your GMail login) you could only get access to your own account.

There's nothing you can do about SREs who have root access on the box or the SWEs who need to implement & maintain the bastion servers, but that's presumably a more restricted, vetted, and trusted group.

Would it be smart for companies like google and twitter to publish how they vet people for these roles? That’s a seriously tremendous amount of power. I almost think it needs to be regulated like heath info. I get that that would make it more expensive to handle this data at all, and would serve as a significant barrier to entry for startups ... but data breach after data breach is pushing me in the regulation direction.
Pretty much nobody at Google has that kind of access. You can be an SRE of just about anything at Google and never access user data. The "break-glass" means of emergency access is ridiculously booby-trapped. A person wanting to do this thing has to 1) badge into a special room, at which time both production security and privacy incident teams are notified, 2) use a special hardware security device that is used for no other purpose than to activate a VPN box with a hard-line into the production network. By the way if a random Googler just rolls up to a datacenter without a reason to be there, that also triggers privacy incident response, even though physical access to production storage is virtually useless due to all the encryption.

I would say it is much more likely that Google will accidentally lose the organizational ability to become root-in-prod, than it is that a person has done this thing without being noticed.

In short, insider risk cannot be mitigated with hiring practices. You need robust technical measures against insider risk.

Thanks for proving my point, I guess? I’d love to see a formal write up from google about these procedures. It would go a long way to increasing confidence in how they handle this data.
What I would love to see is somebody at Facebook comparing their barriers against accessing user data with these from Google.
I’m actually inclined to think they have similar procedures, if only because we haven’t seen “whistle blower” stories in the news about folks reading texts and looking at other private user data. Maybe I’ve missed them, but because bashing Facebook is kind of a trend one would think there’d be an appetite for “I read illicit group texts for a year here’s what I saw AMA” stories.
If this happens, every incentive (of every party that is aware) is to not whistleblow, as it is a criminal offence for the snooper, and a PR disaster for the company.
When did that start? Here's an account of someone working at Google accessing info to stalk teens.

https://www.businessinsider.com/google-engineer-stalked-teen...

That story dates from 2010.

Snowden's revelations (2013) were a major watershed. There'd been several measures taken since, based on what I heard on the outside, largely through discussions, mostly public, a few direct, with Google staff via G+.

Starting on, of all days, November 9th, 2016, I began regularly posting an image of Jewish shop windows shattered during Krystallnacht, asking whether Google were thinking of brownshirt-proofing their data. That generated responses including from G+'s architect (then in a role with user data safety & privicy), and the data security lead.

It wasn't until some time later that I realised I'd entirely accidentally picked the anniversary of the event for the post. Though the coincidence was useful.

My understanding was that numerous protections were in place by that time. I continue to have concerns.

> I began regularly posting an image of Jewish shop windows shattered during Krystallnacht

This is so incredibly cringey. You're actively building the panopticon and yet you think of yourselves as righteous warriors for justice.

I don't mean this to be a personal attack, but yours is such a revealing comment about the mindset of people inside these surveillance behemoths.

(See also: this "pledge" http://neveragain.tech/ to not build registries for targeting citizens...signed by a bunch of people who work at companies whose entire business is targeting citizens with ads)

> Pretty much nobody at Google has that kind of access.

Sounds like you'd be surprised at what storage, and backup engineers have access to.

Tremendous amounts of ciphertext?
Because encryption keys are never backed up by the same system either?

/s

> Pretty much nobody at Google has that kind of access.

OK, Google.

Even if you managed to get direct access to production through the special room's direct link, you'd still need a special kind of credentials to send RPCs to any service.

There was a video with some of the datacenter security measures, e.g. iris scanning (just to get yours in the DB required approvals from senior people). On the actual floor, to which very few have actual access, you need to badge both on your way in and out, individually. If you badge out without having badged in, the door won't open and an alarm will go off.

> Would it be smart for companies like google and twitter to publish how they vet people for these roles?

I think much like anti-hacking and anti-fraud efforts, publishing information about how they vet candidates would just make it easier for attackers to figure out how to game the system.

Ironically, one of the vetting regimes that has the most publicly available information about it is the US government's security clearance system. https://ogc.osd.mil/doha/isp.html
one of the vetting regimes that has the most publicly available information about it is the US government's

Why wouldn’t the information be public? It’s the same concept as crypto algos being published and peer-reviewed.

The same way defences industries do I would imagine for SF86 etc
Even Google's policies aren't—or at least weren't—foolproof. In 2010 there was a major incident involving a Google SRE named David Barksdale: https://www.telegraph.co.uk/technology/google/8003925/Google...
Yeah, I was there when it happened (and it was a fairly big deal internally). He was an SRE with pretty high-level access. There's relatively little you can do for this kind of threat - the nature of their jobs usually requires that they have root on the box. (Though a sibling comment suggests that there's even more rigorous procedures now.)
The centralization of infrastructure has really changed the insider risk profile at that company. A decade ago it was common for a service to own their hardware and to have broad authority over those machines but not so much these days. Nobody wants to own their hardware, everything is uniform and it's easier to spot deviants that way.

Of course many of the changes around that time were in response to the breach by the Chinese government, not only in response to embarrassing privacy incidents. Later improvements came about because of things Snowden published.

Why would Google change because of the Snowden Leaks? They knew about it. They were handing over data to the NSA.
IIRC they didn't know about the tap on their international cable and the leaks caused them to prioritize the encryption of traffic on their internal network. Not sure about anything else though.
Its the same for telcos, these days there is much stricter auditing and actual real security vetting - I know team leaders on some systems had to be PV (top secret in US terms)

I suspect that at some stage this might come for some FANG employees

> usually get access through a bastion that anonymizes data and logs access

I think this may be something that is unique to a certain size tech company that simply isn't the case at 99.99% of companies with user data in their possession.

It should be the case at Twitter though.
It hasn't been until recently. We are currently locking down all internal systems based on the minimum necessary accesses for various systems. We should have done this a lot sooner.
Good to hear it. Better late than never.
> in a tech company there's always going to be a significant number of people with direct access to the raw data.

Why?

I've worked for a few large tech companies that handled very sensitive customer data, and they didn't allow unsanitized access to it by a significant number of people. Typically (on the dev side, anyway), there was a small designated team (less than 10 people) who were the only ones who had such access. Any dev work that absolutely required access to that data -- which was very rare -- was performed by that team.

(comment deleted)
It's not like this at smaller companies. It's anything goes.

I worked at one place that had the development network permanently VPN'd into prod. One day, a developer accidentally configured his local environment to connect to a production queue and database. It was like this for over a week.

A previous company didn't bother with the VPN. They had an AWS environment that predated VPC, so SSH and many other service ports were open to the office IP addresses. And several people's homes, for remote work.

> It's not like this at smaller companies. It's anything goes.

It depends on the company (as with large ones, apparently). I currently work for a small company, and it is no less diligent about this stuff than the major companies I've worked for.

Those large tech companies probably had a team or teams of people whose job is to look after the backups for production servers.

Backups generally have "god mode" access (best description) as they need to backup and restore not just filesystem data, but the audit log data as well.

Most (corp) places I worked, the developers and SysAdmin's working on production servers gave little thought to the backup component apart from making sure the software is installs and runs. ;)

You can significantly reduce these problems by decentralizing data and moving away from giant platforms that make such enticing targets for espionage.
If they didn't collect PII, there'd be nothing to leak.

I mean, we all know that it's insane to store plaintext passwords. So why is it necessary to store anything as plaintext?

You never want to be able to retrieve a password after hashing and storing it in a DB. You _do_ want to be able to retrieve text content after possibly encrypting and storing it, otherwise it's useless.
It's no more useless than a hashed password is.

Depending, of course, on how you want to use it.

One could arguably build chat apps and social media that retained no PII. In my opinion, providers retain PII primarily in order to monetize it.

But the problem is that it becomes toxic waste. And it always leaks, eventually. Putting users at risk, and damaging providers' reputations.

Consider the Tox P2P chat app. Each user device runs a Tor onion service. And chats involve only connections among them. Users need disclose no PII. And there's no need for central servers holding PII.

Regarding social media, consider all the "dark markets" that have run as Tor onion services. There's no reason why any sort of social media that you want couldn't be implemented similarly. Although there'd be central servers, there'd be no need for them to handle any PII. Indeed, the fact that "dark markets" handle PII is one of their main weaknesses.

And it's not even necessary to use Tor. One can achieve substantial privacy and anonymity using nested VPN chains, with far less risk of attracting unwanted attention.

No, even US people like police abuse license plate searches for personal reasons. It's not even a matter of nationality. If data is being collected and the only protection is a "policy," then it's being abused or will be.
There’s a difference between a policy that’s just enforced by an honour system and a policy that is enforced with strong access control, alarm bells, and a paper trail. It’s very possible to encode the sorts of policies that we need to protect peoples data into real restrictions that are strongly enforced. A police officer might need to do some routine queries, but they should probably have gone through vetting about people they are close to and not have access to their data. Additionally, there should be audits performed on a regular basis.
I think we're arguing semantics here. What I mean by policy is a de jure rule. I think you can have policy while not having any sort of de facto enforcement, and you can have de facto enforcement (encryption), even if you don't have a policy.

Policy is never useful because even if there is enforcement, there is never 100% perfect enforcement that beats out cryptographic enforcement, at which point policy is no longer needed.

For example Apple can state that your data is end-to-end encrypted and they have no access, and it would be redundant to also have such a policy saying they will not access your data—they can simply say they can't access your data which is a superset of any such policy.

I don't think it is semantics.

There are policies like "You are not allowed to access user data." and there are policies like, "All access, keystrokes, and applications that have access to user data are logged and those logs are tied to employee IDs. Further the logs are audited and there must by a form 505/2 on file for every access that details the need for the access, what was done with the data, and how the data was handled. If the auditors discover an access in the logs associated with your employee ID and there is no matching 505/2 on file, you will be subject to immediate termination and may be liable in civil and criminal court. Your signature below states that you understand these restrictions, you consent to monitoring of your behavior, and will abide by the policies."

Strong audit trails, logs that cannot changed by being created in an immutable way, logged access at all terminals and entry points. Combined with a separate auditing group that reports through a different chain of command (like through to the general counsel or something) and you have a policy with teeth.

Still punishing after-the-fact is no substitution. If the reward is greater than the punishment then it renders the policy moot.

If i publish my crypto wallet private keys and enact a policy that anyone who tries to take the wallet contents will be beaten to death, and get everyone to agree to this policy, then it would be rendered moot when the person who steals the wallet uses it to hire personal body guards.

I don't disagree, with this. The use of policies with enforcement is that it raises the risk to the employee so that raises the amount someone must spend to get them to take that risk.
I liked the access controls at PayPal. Access to data was a function of insider status with real financial consequences (ability to sell stock was restricted much more for higher level insiders), subject to strict controls and auditing, and required need-to-know periodic renewals. I used to think PayPal was fly by night but my work experience there really grew my trust in their access controls and made me much more likely to use them for payment.
Through contacts I've heard stories of practices at a wide range of establishments over the past 25-30 years. Practices have almost always severely lagged advice, and though specific leading firms or organisations might have strong data hygiene policies and practices, a great many other organisations do not.

Through roughly 2000, the principle saving grace was that disk storage was so expensive, and networking so slow, that large quantities of data were unlikely to be found online except in the case of very major organisations. Most financial firms would read data from tape for analysis or marketing programmes, as an example. A major credit card network might have a couple of, say, Sun Starfire class servers onto which a comprehensive union cardholder databset might be assembled and accessed. One friend reported accessing their campus workstation to which a large national medical insurance database was being processed, from the New York Public Library over Telnet (though I believe they didn't actually log in, they did receive the prompt). E-commerce software vendors and systems stored credit card information, which was accessed. Numerous services and datasets fly around all kinds of organisations, with little protection, and were transmitted in unencrypted FTP sessions. Social networks in which NOC addresses were directly accessible from the office network (WiFi access, natch), with millions of members' data directly accessible.

There are many ways to get this wrong. Few to get it right. And most organisations lack the staff, capitalisation, or incentives to do the right thing.

Google are problably among the best. That leaves open the question of how good they are, and what their past practices have been, even in relatively recent years.

Or how they might behave should their advertising monopoly and revenues fail.

My first year at a community college I was doing work study that was part of my FAFSA. I was late getting in there and I had limited options, one was working in the cafeteria, the other was working for the very job placement center that was tasked with finding me a work study job.

I got very lucky here. The work study job in the job placement center was turning job listings that were faxed in into html to post on our fresh new website. Nobody at the time new what HTML was.

A few years earlier I had bought a "Learn HTML in 24 hours book" and I made a Tony Hawk Pro Skater webpage that listed all the special moves. I used a lot if iframes and thought it was pretty good. CSS wasn't really a thing back then. iframes and tables got the job done.

But I got the job and they thought they got very lucky. I worked in this back room with a computer and a fax machine. Jobs listings would be faxed in. I would scan them and let the OCR software try, and then I would clean it up and add some <h> and <b> tags and then do my econ homework for the rest of my shift.

But as the digital stuff become more popular they hired another guy to be in the back room with me. Dude was a bit of a creep and a student came in looking for a part time job that would work around her classes. He kept on going on about how hot she was. A few weeks later he was talking about he signed up for a few of the classes the hot girl was taking.

Every single student record was available on our computers. Names, address, phone numbers, class schedule, SSN, FAFSA data. It was madness.

And I was a lowly fax to html guy.

I smell a fall guy or two. What do you think the odds are that the token optics of this can be replayed as "standing up" for free speech? Not that what actually happened wasn't sketchy (it was) -- just that I have a sense this slap on the wrist will be enough for some to say "At least we can say we tried"
Slim to none, the article claims they accessed info of people close to the murdered journalist.
It's interesting to see how the phrasing of the headline makes this seem totally different. "Saudi Spies Managed To Infiltrate Twitter as Employees" reads very differently than "Former Twitter Employees Charged with Spying for Saudi Arabia".

It again raises my periodic wonder: how many spies, both for the USA, as well as the intel agencies of others, are employed in sensitive roles at Apple, Amazon, Microsoft, Google, and others? How many of them work on the cloud platforms? How many of them have access to HSMs and other internal systems that are used as trust roots?

Can we assume that any major platform provider's highest level keys haven't been stolen, perhaps without their own knowledge? It's safe to assume that if they were stolen by their own government's agents, they probably wouldn't tell anyone even if they found out (even if they weren't gag ordered, which they probably would be).

You can trust a company down to the ground but still necessarily realize that everyone who hires engineers is going to be vulnerable to this. AWS' GovCloud that only permits US citizens physical access to the facilities doesn't even totally solve the problem, it just (somewhat) reduces the risk, because even US citizens like bribes.

How do those titles sound different to you? Seems pretty similar to me.

Anyway, from the article it seems at least some of them were groomed after becoming Twitter employees, so it wouldn't be quite accurate.

Are they:

employees who happened to become spies

or

spies which happened to become employees

Isn't a large part of Twitter owned by Saudi interests?
Nope.

You could have just Googled "twitters largest stockholders" but the answer is:

The largest stockholders of Twitter are all US mutual funds. Vanguard owns 10%, Morgan Stanley owns 5%, BlackRock owns 5%, StateStreet owns 4%, Fidelity owns 2%, etc.

Really nothing comes to close to the index funds. Vanguard, BlackRock, State Street own 20% of pretty much every company.

That's not a complete picture, Prince Alwaleed owned 4.9% of Twitter as recently as the end of 2016 (the alleged espionage happened before this). It is unknown how much he owns now after his late 2017 detainment, presumably shares were either sold off, seized by Saudi authorities, or both. It's not unusual for ownership to be split among smaller entities, and there is no requirement for US companies to consolidate myriad unknown foreign stock holders into specific entities in their reports.

https://www.cnbc.com/2017/11/05/citigroup-twitter-held-by-de...

end to end encrypted everything.
(comment deleted)
Seemed rather a weird coincidence that after leaving(or being fired from) Twitter, Ali was appointed the CEO of MBS's MiSK Foundation – which is essentially a mafia organization for his loyalists.
The complaint [0] is both very interesting – particularly the details on how sloppy/non-existent Twitter's user-access-control was back in 2015 – and pretty funny, such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13).

According to one of the suspects' LinkedIn, he left Twitter in 2015, and then worked at Amazon for 3 years in marketing and social media. While I have little doubt Amazon's internal auditing and access control are better than Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access any private user data.

[0] https://context-cdn.washingtonpost.com/notes/prod/default/do...

> such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13)

It's even better: he typed the fake invoice up in his bedroom while the FBI was in his house, after explicitly asking the FBI not to follow him in there. I can picture the agents looking at each other trying not to burst out laughing.

It's funny that the Post failed to convey this information.
Is that really that unusual though? Can you think of a situation where not asking the FBI to not follow you around the house would be reasonable?

And why would the FBI assume he was typing the invoice? If you ask me for certain documents I actually possess, depending on the document I might be gone 10 to 15 minutes as well, or even outright say that I need to find it first, I'll bring it to <X>.

I think the assumption is if they are "at your door" they probably know you don't have it.
I mean, if the FBI drops by for a chat, encouraging them to stick to the living room is probably not unusual. But if you're being asked for a document present in your house that's going to take 10+ minutes to find, inviting the agents along or bringing the relevant folders/computer/whatever to where they are sounds pretty reasonable.

Not necessary, which is obvious from the agents agreeing to this request. But maybe a good way to forestall concerns like "what if they think I'm forging the document right now?"

>While I have little doubt Amazon's internal auditing and access control are better than Twitter's.

You underestimate the power of stupidity of these people.

Also interesting is on pg 17 where they search through his Apple ID account (notes specifically).
Tangent, but one of the most interesting things in the complaint -- to me -- was this language:

> Many Twitter users live in Saudi Arabia and some users of Saudi nationality or descent live outside of Saudi Arabia, including in the United States.

It's kind of surreal to use "Saudi" as the demonym for the people of Arabia. "Arab" would be normal. The language is Arabic, the country is Arabia, and those are both named after the people, the Arabs. The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.

There are other Arab countries. Most people know what is meant by "Saudi" even if it's technically not correct
It is technically correct, although not official.

Wikipedia: Saudis (Arabic: سعوديون‎ Suʿūdiyyūn) or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;

>It's kind of surreal to use "Saudi" as the demonym for the people of Arabia

Huh? They use it as a name for "people from Saudi Arabia" and it's a very common use.

"some users of Saudi nationality or descent live outside of Saudi Arabia" --> people who are SA nationals/origin and live outside the country.

>The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.

Saudi != Arab. If anything, Arab is a superset (and Saudis, if we talk about the nation state and not the ethnicity, are not all Arabs).

But the main point, is that the name Saud is commonly used for the nationals of Saudi Arabia, not just the royals.

Wikipedia: Saudis or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;

Arabia is a peninsula. Qataris, Yemenis and Emiratis among others would not appreciate Saudis attempting to appropriate Arabian to refer to those from Saudi Arabia.

And Arab refers to people from Morocco to Iraq so it’s equally unsuitable.

Exactly, imagine if people of the United States appropriated the name 'American'! I'm sure that every other country in the two Americas would be up in arms!

(It is a joke, laugh).

I’m sure every other country with America in its name would be.
well, the complain was about calling Arabs the people from Saudi Arabia.
It was a bit of sarcasm, as it is exactly comparable. Go look at a globe and tell me which other countries have “America” in their name ;)
Some other countries actually use terms like United Statians or North Americans. And after traveling a bit makes the USA's use of 'America' seem arrogant or ignorant.
In italian "statunitense" is used, but probably not as often as "americano".

Canadians might still not be pleased about 'North American'.

I'm guessing you haven't traveled much. American is a virtually ubiquitous term to describe someone from the United States worldwide, no matter which language you're speaking. Countries which have a problem with calling yourself American are a minority, and even then it's usually a small minority of the younger generation.
If you go anywhere within Latin America, you'll find quite quickly that "American" is used to describe someone from the continents, and it's consider very odd to introduce yourself as "American" to a local. You say you're Estadounidense, or "Soy de Estados Unidos" (From the United States).

It's actually a very charged topic in Latin America, as many latinos feel that the word they use to describe themselves has been stolen.

I think they just mean expats, or dual citizens, or Saudi Citizens living in the US. I don't think they meant the Arab ethnicity.
(comment deleted)
There needs to be multi-person authorization required for account spelunking. Engineer files a DB lookup request, and it must be signed by other personnel.
Won't work, people probably need to query details of accounts hundreds of times a day just in the course of daily business. Bad actors would just make the request look like another standard query. People would likely become numb to it after having to approve so many requests.

I know at a previous company, we needed a business signoff, and a technical sign off on every deploy. While the technical sign off was usually painstaking, the business sign off was rubber stamped. The guy who signed off on my tickets was so overloaded, he barely even read the titles of the tickets.

Your processes are broken if an individual needs to query hundreds of accounts for private information a day. That is a gigantic problem in itself.

Support tickets can be exempt because they’re initiated by user interaction.

Could Jamal Khashoggi might have been a victim of this?
There's really no part of his assassination that needs a connection to Twitter to explain.
The best way to protect dissidents would be not to ask unnecessary personal information like phone numbers. Sadly, it is difficult to find a messenger or web email service that doesn't require it.
It's hard to deduplicate spam users without an identifier that is at least slightly costly to get. There's no easy/practical way to do "charge $0.02 per signup".

If you get 10k new accounts in 5 minutes and they're all from some VoIP provider in a tiny corner of the second or third world, you have some data to work with there.

Could someone who downvoted explain their disagreement? There seems a kernel of truth here that more than a few of us could agree on.
I think I have attracted someone’s ire, that seems to happen to all or most of my comments within a short window after posting.
This happened to me for awhile too. I think people that disagreed with you on a previous post are using bots to downvote you.
This would surprise me given the fairly high karma minimum to downvote.
Make a new account every time you reach the threshold, add it to the bot list.
Yeah, I thought of that, I was just thinking that surely someone able to create sufficient karma to do something like that would necessarily also be unlikely to be petty enough to bother.

Maybe I am too charitable.

You can gain karma fairly casually by just using the site, you get 1 karma per comment, so it's easy to make it a passive activity.

The site has also been around for over a decade, lots of opportunity to accumulate.

That and, everyone doesn't want you to have any way to uniquely identify them and contact them right up until the moment they forget their password.
Perhaps true. But the original cool thing about Twitter was that you could tweet just by texting the twitter number from your dumb phone. The service literally required your phone number, and made broadcast information happen in real-time before smartphones really were ubiquitous. Many messenger apps still use/link people through their numbers. While it is possible to not require numbers, and services like Facebook surely never needed it, there are times when providing phone numbers really reduces friction in communication.
"Reducing friction" is not worth costing people their lives or freedom.
> "Reducing friction" is not worth costing people their lives or freedom.

I mean, if you're a dissident in a country with a violent government, maybe don't use the service that requires personal information?

It seems a bit much to me to say no service ever should require people's phone numbers because somewhere, someone might make a bad decision and use the service when they shouldn't have.

That's like saying, "I mean, if you're a dissident in a country with a violent government, maybe don't use any service and keep your mouth shut because your freedom isn't as important as my VC money."

Maybe SV should try to innovate more instead of reverting to "Wow, sucks to live where you do; hold my craft beer" so much these days.

The internet was supposed to set people free. It's not working.

A few comments about how a non-negligent company handles user data:

* They wouldn't respond to "emergency disclosure" requests from the Kingdom of Saudi Arabia about random users

* The average developer has zero access to user data besides names in crash logs and things that the developer has been explicitly copied on in the support system.

* Every command run on production servers by developers requires approval by someone above your org chart level (up to the executive level, when you just need someone at your level) and is logged forever.

* SREs who have to shell in to servers use Unix accounts that have no access to user data. Root access, which should hardly ever happen, requires org chart approval.

* Test environments use synthetic or anonymized data

* There is a separate team of dozens of highly paid people whose only job is it to identify, classify, and monitor access to user data. This is not even the same as the infosec team, who also would be looking for insider breaches.