This guy really irks me. For one, since he took over it really seems Twitter is heading towards a direction to suit activist investor demands. I used to be able to browse Twitter posts of people I tend to respect (mainly scientific and academic people) without having to login and it is getting increasingly difficult without doing so lately as they keep showing me the login screen.
This guy has a toxic history of narcissistic behavior as reported in several local Indian social
Media and he would only seem to suck up to corporate demand and make Twitter more suffocating.
What are the activist investor issues? (I haven’t been paying attention to “activist investor” behaviour for a while as so many seemed to just be pushing for “make me rich in the short term regardless of cost”)
Traditionally, the "activist" in "activist investor" simply means "an investor who is actively pushing for specific policies," generally to increase the return on their investment.
"Financial activists" like Carl Icahn or Starboard frequently take > 5% stakes in order to pressure companies to sell themselves to competitors, break themselves apart in order to shed lower-performing divisions, funnel cash to shareholders through dividends or stock buybacks, or reverse policies they see as injurious to the bottom line
CEOs naturally hate this, and activist investors have a reputation -- arguably often well-deserved -- for improving the profitability of their portfolios at the cost of the companies they target. Sometimes this can force companies to walk away from suboptimal strategies -- did AOL really think Patch was going to be a market maker? -- but in many cases their activism simply results in the company's acquisition, aggressive offshoring or deindustrialization, or just straight-up bankruptcy. Icahn, for example, took a heavy position in Blockbuster and was instrumental in forcing them to reinstate late fees and drop plans to enter the streaming market, which left them exceedingly vulnerable when Netflix introduced streaming (the dueling HBR articles on this are well worth reading).
Over the past few decades "social activist investors" have become more common, especially amongst large public sector and union pension plans who have both financial throw-weight and a need to answer to causes somewhat beyond their immediate bottom lines, but in general they are much smaller, and less effective, groups than the usual hedge fund suspects. For example, an organization of decarbonization activists have been trying for years to force ExxonMobil to diversify its energy base beyond hydrocarbons (as other petrochemical firms have done), but they've had notably zero effect on XOM's strategy, despite having an argument based on economics as much as ecology.
An activist investor is someone who buys into a company with the intent of reforming or changing it.
Maybe you really hate twitter, so you buy into it for $200 million and then use your power on the board to vote down anything good for twitter and vote for anything that is harmful.
Activist investors often don't act in line with financial interest, instead focusing on "activism" even if it costs money.
Do you have any examples of activist investors who actually wanted to do harm to a company? I’m incredulous. What a waste of time and money. I usually hear about ones who think they can turn it around.
That's not really an activist investor, more like a quarrel over priorities in a boardroom. Carl Icahn, and Bill Ackman are examples of activist investors. The key to being an activist investor is that you have to control enough of the company to be able to make decisions that would greatly change it. A single board seat doesn't really get you much. Secondarily, activist investors are usually seizing control of failing organizations, not successful ones.
Before the site was just fake-broken. Now it basically doesn't work at all; entirely unusable. I use Nitter now but that has some issues, unfortunately.
I'm glad that he and I seemingly share the same goals. That is: the downfall of Twitter. Firing everyone in sight and deploying dark patterns for short-term revenue seem like good first steps.
He took over as CEO a month and a half ago. I really doubt he has been able to change the company culture or user experience to the extent that people can form opinions on his tenure.
"Mr. Agrawal said the “nature of this situation” limited what he was allowed to share with employees"
Even when things are a bit contentious, companies and C-level execs like CISOs usually come to an agreement and have a joint statement about 'spending time with family' or 'pursuing other endeavors'. This sounds like it was either very one-sided, or something very bad was happening...
I can see that happening with a CISO, though, in many scenarios. Like if they presented a stark picture of current state and said that work needed to happen that would put planned revenue generating work on hold. And weren't willing to back down on the opinion that it was that critical.
I imagine they wouldn't want to cite differences of opinion on security posture as the reason for departing.
Somebody told me a few years back that the life time of a CISO in a larger organisation is not larger than 24 months. In my organisation that proved to be true so far. Here the rule applies as well.
It really feels like the CISO role has become less about the security posture of an organization and more about being a corporate whipping boy-- Predesignated as the go-to sacrificial lamb for when a public leak or government investigation comes knocking.
Hard to find longevity or stability in a role that exists to fail
Once this is known throughout the industry, it also means that the whipping boys keep getting fired and then taking up their next tenure at the startup next door until they're fired again.
CISO's get paid a ton of money to be that sacrificial lamb. At the same time, since it's widely known that the post is a sacrificial lamb post, there is really not that much to lose.
Having seen how some CISOs "beg for resources", I pretty fundamentally believe most of this money is wasted anyway.
The only way you can really get better security at a company is to have an ingrained security culture. I.e. developers are continually educated on secure coding practices and new threats, code reviews include security checklists, corporate security training includes continual social engineering tests and an atmosphere of continual improvement.
And yes, that stuff does cost money, but that's rarely the resources I see CISO's fight for. Instead, they fight for lots of expensive software, things like useless, shitty WAFs or poorly built "network monitoring" software (which can be a huge threat vector in itself, just see the SolarWinds fiasco).
Like many other comments here, I don't believe security is something you can "bolt on" at a company. Yes, there are specialized roles that a dedicated security team needs to fill, but unless everyone at the company has a true understanding of the value and importance of security vigilance, you're screwed.
To your point about security culture vs. buying security appliances, you need both. They address different aspects of security. If you're only doing one of them, you're in trouble. Likewise for checkbox ticking security-by-compliance.
I strongly agree though that you can't really bolt on security, it needs to be designed in and part of the culture as much as possible. You'll never get everyone to understand the value though (I wish!).
I’ve been told similar for CMO - < 1 year tenure on average. The narrative was that CMO are weirdly in a mix of technical and creative and accounting, meaning they need to come up with answers and execution that satisfy CEOs.
So either the company does well and the CMO stays, or not. And the default for most companies is to fail.
It's hard to imagine anyone being that bad of a CISO. No CISO is going to say "shut down the business while we figure out security", not one who's been a CISO multiple times at least. And then for them to not back down or discuss things? Unlikely.
More likely they just weren't getting things done fast enough. CISOs come and go - they're a very short lived position.
If it's a straight-up termination, that's what you'd expect the company to say (it's extremely unusual for a company to provide backstory for why they're firing senior management, even if the reason is really boring, like "we've lost confidence in the current path the organization is on and feel like we need to take a new direction").
I find it odd the CISO gets two weeks to transition things while the Head of Security (does that get an acronym?) got shown to the door. The latter doesn't seem as much like a straight-up termination for ordinary performance reasons.
Then again, I was at a large company where the CISO managed to get insta-fired in a 1:1 with the CIO. I actually saw the person about two minutes after it happened while they were grabbing their jacket and heading for the door — I don't know what was said, but judging by appearances things got really heated and the CIO had enough. Corporate security appeared shortly to begin boxing things up.
I don't know what the "head of security" role is. I have no inside knowledge here. But if he wasn't on many people's reporting chain, and a big part of his role was talking to external people and selling Twitter's security program --- not an unusual portfolio for a CSO! --- then there might have been no reason to ask him to hang around. You tend not to have your outgoing CSO do high-profile meetings to sell your security programs exsternally.
> No CISO is going to say "shut down the business while we figure out security"
I understand why they wouldn't from a personal perspective, however I can imagine situations where this is the right call. For Twitter perhaps not, but I hope the CISO who works at my bank would make this choice if things got bad enough.
The only situations I could see myself saying that are situations where I'd likely be getting authorities involved anyways. For example if the company is covering up an ongoing breach.
Avg tenure of a CISO is low. I read one figure that put it at 18-24 months. Something will happen. CISO gets the heat. Rinse repeat. This is only a little shorter than usual, assuming it was performance related.
Security is also something that's pretty hard to "bolt on". The best posture is for every engineer writing code to be aware of potential security problems, and design the system to avoid them. But there aren't enough developers with that skillset to fill the open positions, so instead, they throw it over the wall to another team that improves the security. That makes the security team always one step behind, which is probably annoying to everyone. (People try this with testing and operations as well, with similarly poor results.)
> But there aren't enough developers with that skillset to fill the open positions, so instead, they throw it over the wall to another team that improves the security.
The best- run companies I've seen with respect to this have regular and frequent security audits and assign tickets to the team who wrote the code, sometimes even to the developer who wrote it. Also, security is built into the continuous integration as much as possible.
A good security engineering function as an organization goes a long way. As does security engineering having a good relationship with dev teams. It starts with developers believing in security and knowing how to transform that belief into action with appropriate change agents. There is always a lot more than audits for places with good security practices and developers who deal well with frequent audits.
After Mudge got the position I had a feeling it wouldn't last, but I figured it would be later. It's sad to see him go, but I'm sure he'll continue to do awesome stuff.
It's very hard to find security people who can keep business needs in the back of their minds as well. That's why developers make the best security people, and pure security people are often too hard headed. (I'm saying that as a pure security person who learned the hard way.)
Remember like a year and half ago when some of the most powerful people on the planet had their Twitter accounts hacked in some bitcoin scam and then the story just sort of went away without any real discussion about how dangerous that could have been if the hackers had different motivations (EDIT: there was an implied "and how to prevent that in the future" here)?
>Pretty sure they were implying we never got the how they were hacked.
>The Twitter incident began when the hackers connected last year in an online forum focused on buying and selling rare user names, some of the individuals involved told The New York Times at that time. They then broke into Twitter’s systems by tricking employees into providing login information, according to legal filings. The hackers used an administrative tool to take over accounts belonging to political figures and celebrities, including former President Barack Obama, Kanye West and Elon Musk, using the accounts to conduct a Bitcoin scam, the filings said.
I guess I phrased that poorly. Yes, there was some discussion about how it could have been worse. However I wanted that discussion to be more than us shrugging our shoulders and saying "we dodged a bullet". There was no real discussion either about standards in the tech industry or political discussions regarding legislative changes in order prevent that worse version from happening in the future. We didn't seem to learn anything from it.
I guess if your statement is intended to be broad, sure. It seemed targeted to this breach, which yeah I think it's sort of wrong to call out one breach for being exactly like all other breaches.
I wanted a discussion about it. I'm just a random developer who doesn't have the perfect answer. Yet some obvious things that might help would be to increase penalties for breaches and potentially require more stringent security auditing for companies of a certain size.
I think the reality is security is really hard, and you only need 1 weakness for someone to drive a truck through. The biggest weakness time and time again is humans, and that's exactly what was attacked here with Twitter via social engineering. You can put all the penalties you want, but ultimately business needs and reality will make it so certain humans have powers that are high-up, which then creates unavoidable weaknesses. Just look at what happened with Ubiquiti and their head of cloud basically blackmailing the company in secret... they were attacked from within. How could that have been prevented assuming the person passes background checks and has years of relevant experience?
Many sectors (finance, health care, etc) have all kinds of auditing requirements. I've helped answer some of these audits. It's largely just a bunch of checkboxes for obvious stuff, and in general, isn't how anyone would attack a company that's moderately competent. I've seen and fixed security vulnerabilities in startups that no one else recognized where there, despite passing all these 3rd party audits. I don't know what more could have been done without extremely knowledgeable people look at every aspect of your business in absolute depth that in part only comes from actually working/building it in the first place. Such experts are rare finds, yet the number of companies with computers attached is far greater.
I'm not against legislation, and I think good legislation would look like taking companies such as Equifax out of business. We don't need total incompetence continuing to be central to society's function. But we also need to be realistic about what can be achieved.
You can never eliminate the possibility of a security incident, but there are easy steps that can be made to reduce the risk. Clearly Twitter didn't do enough of them. For example, they had too many people with too wide permissions which increased their surface area for a social engineering attack. They didn't have an enhanced security policy for highly targeted users such as requiring approval from multiple people which would reduce the success rate of social engineering attacks. They also didn't have the proper monitoring of these high permissioned accounts to quickly identify the source of the breach and therefore they couldn't easily stop it after it begun. These might just sound like "checkboxes for obvious stuff", but they would have helped if Twitter checked those boxes.
What audit has checkboxes for 'do you require approval from multiple people for basic profile manipulation of highly targeted users?' I've never seen one on any security compliance that I was apart of, and the reason being is that this is so specific to Twitter and very few other companies. Every product will end up being like this -- their own domain and product offering will create their own checkboxes that simply don't apply to the vast majority of other companies.
Regulation that requires signoff from multiple individuals is nothing new. The only piece that is unique is the "highly targeted users" callout, but that can be generalized too. For example, there could be heightened requirements for social media accounts based off their reach. A million followers, subscribers, fans, patrons, or whatever term you use and that account now requires heightened security.
But either way, you are getting too bogged down in the specifics of my hypotheticals. Like I said originally I don't have the answer on the perfect solution, but the fact that we didn't use this incident as motivation to have a discussion about potential solutions is disappointing. Can you at least agree with that?
FWIW, jumping in here, I agree with you that we should be having this conversation. It's just that the conversation is going to be an inherently slow one since it's talking about very sweeping, broad changes. So it happens in little pieces and little changes over time.
> legislative changes in order prevent that worse version from happening in the future.
I’m not convinced legislation achieve your goal having already seen HIPAA in action in law, the systems behind the scene, and the ways in which compliance works. Is it better than nothing? Sure! Does it actually create truly secure systems? I don’t think so.
If liabilities are severe where companies could go under or people go to jail, then I’m still not sure that would be enough to secure systems because you’re always a 0-day away from breach. But if the result is twitter going under or their CSO jailed, all I think that happens is you remove global competitiveness.
I agree with you more should be done. But perhaps in different ways. For example, requiring everyone to take basic security classes before you can be a software engineer might help. Creating societal incentives where bug bounties are required, white hats cannot go to jail or be sued, DARPA spends big on defensive security strategies, and stating the US will take cyber attacks the same as physical attacks are ways that I think would produce better outcomes (but would risk war).
How is this a tech issue? The issue is powerful politicians using private social media companies as a means of communicating with the public. Politicians and other can instantly prevent the risk by only communicating through official means.
Government communication has no value if it doesn't reach it audience. They need to be where the people are.
This also isn't a problem limited to governments and politicians. It calls into question the authenticity of every account on Twitter and that includes other important accounts which can cause damage if compromised such as journalists and news organizations.
And as a corollary, the people will go to whatever channels exist.
This has been something done many times as mediums change. Newspapers to Radio. Newsreels to Television.
Then to the internet, we started with everyone telling you their AOL keyword. Then the web, and then social media.
If authenticity is the concern, these players (journalists/politicians) should adopt W3C recommendations and stand up social media services from their own web presence.
Everything on Twitter should be questioned. It's a private company. They only have their reputation. It is not and should not be suitable for important communication. Imagine if all official communication came through CNN, or the NYT. It's completely nonsensical.
Anyone with access to Twitter has access to whitehouse.gov. Twitter isn't delivering value here, they are a huge societal risk.
Some credential stuffing attack is way less scary and well known than what happened at Twitter where "Verified" accounts with 2FA got hacked because they were able to take them over with internal tools.
Yes, but there's a big difference between random account getting hacked and verified world leader account getting taken over by compromising an internal Twitter system?
> We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
It was social engineering, but still access to internal tools which made this bypass possible.
It is occasional, and seems to be in the context of their "smaller" stories covering various topics in a briefing format. I bet this is really an H2 heading in a broader "Today's news" screen.
I'm probably drawing early conclusions, but it's not a surprise hearing an engineering head or ex-CTO type eliminate security given security is often seen as a roadblock, even in Twitter's case where their leadership and team often worked to make it a business enablement function.
At least from what few accounts I've heard from engineering in Twitter, it doesn't sound like Mr. Agrawal has much faith in this idea, but that just means he'll be the first to go in the event of the next inevitable breach.
My crazy wild guess: they had a weird internal tantrum because of Twitter's PR moves around cryptocurrencies, and they got fired because they went too far.
I remember commenting when Mudge was hired that Twitter/Jack needed someone of that profile to offset his massive organizational weight as a founder, where Zatko would have the technical and community cred to make decisions for the entire org without, a) other people going around him and trying to get Jack's attention, and b) to demonstrate there is no doubt about the competence of the security team of the platform to satisfy some regulatory risk. I also thought it sounded like a bit of an overpowered choice for the role, unless it was not intended to be long term, and mostly as a tactical near term solution. That may have forshadowed this development a bit as well.
Into the territory of startup fanfic, I'd assert from Agrawal's perspective, he needs his own team, and a top technologist indexed on engineering competence is overpowered as an individual at that level - and for the agility the CEO will need for the next stage of his company. He needs his own people to execute for him. The company is no longer a startup, and its explosive growth phase is behind it. Now it's an asset to be managed, and doing that is an orthogonal set of skills to building and managing growth, so you need people who operate aligned to a longer horizon. The previous CEO's tactical super-hire isn't necessarily going to be the same asset for a new CEO's strategy.
It's odd to comment on this like its sports writing, but that's effectively what following these companies is. Knowing very little about the individuals, I don't need to mind read, as there are clear external incentives for this that make it a fairly neutral change.
When you inherit a powerful asset like that, as CEO that can be double edged. It's great to have someone that amazing around, but if they can undermine the momentum in your leadership even (especially?) unintentionally, while you're driving a massive organizational change, the choice really makes itself independent of the individual characteristics of the people involved.
Ceasing to work at twitter is probably the least interesting thing Zatko has ever done, so I don't forsee this reflecting on him at all, but before there are drill downs on personalities and culture stuff, it's worth looking at it from straight business incentives.
The CSO role has basically nothing to do with the stuff that made Zatko famous; it's mostly boring organizational management stuff, with a sprinkling of being real good in meetings. It's not surprising to me that a new CEO who had just shaken up the whole engineering team would also clear the decks on security as well. For instance: this kind of thing happens when a company decides it wants security more closely integrated with engineering --- or the opposite.
I have no insight into what's happening at Twitter but if you made me bet, I'd bet against there being any interesting drama here.
I'd bet there is a lot of drama going on. It's not a company that "decides it wants security more closely integrated with engineering --- or the opposite", it's one person who wants that, and he's bring his buddies along now that he's in power. It's not some logical process. At that level all they have is their personalities and egos.
The new CEO also fired the head of engineering, and other senior leadership. You can call it ego or whatever, I'm just saying, there probably isn't a super interesting story of why Zatko had to go. "We're scrapping top management and we want the new team to have the freedom to organize the security org they way they want to" seems like the most plausible explanation.
And, again: high-level organizational management seems like a weird place to slot Zatko, who seems like he'd be happiest as like, a senior fellow at CSIS or something.
Great breakdown. I think your view, whether it is exclusively a load-shedding/"I'm the man now", is definitely an incentive for this to go down.
Regarding your reflection on the way you communicated your ideas on this: I found Stratechery extremely insightful and funbexause they approach tech and business from this sort of wonky fan-in-the-stands viewpoint. Over the years it helped me wrap my head around a lot of the weird quirks of business.
For whatever it's worth, Lea Kissner has a pretty great reputation among the security nerds I talk to, and you'd assume that if something shady or dramatic was happening here, Kissner wouldn't be happily jumping into the lion's jaws.
Twitter has been shaking up management for a couple months now. I have no inside knowledge, but this is pretty plausibly just more of the same kind of thing.
The odd thing seems to be the one-sidedness of it, though, instead of the our-extraordinary-journey-to-spend-more-time-with-family-fade-to-gray with the nice severance that smooths everything over. Mudge hasn’t said jack, Sethi’s tweet is sad.
Getting fired is all part of the job as an exec in a tech firm, but the messaging is enough out of the norm that it does make one wonder about them refusing to do X or Y, etc.
I wouldn’t expect him to say “going to spend more time with my family.” But more like, “today’s my last day! It’s been a fun year.” rather than have a NYT article about getting fired.
112 comments
[ 3.9 ms ] story [ 166 ms ] threadThis guy has a toxic history of narcissistic behavior as reported in several local Indian social Media and he would only seem to suck up to corporate demand and make Twitter more suffocating.
"Financial activists" like Carl Icahn or Starboard frequently take > 5% stakes in order to pressure companies to sell themselves to competitors, break themselves apart in order to shed lower-performing divisions, funnel cash to shareholders through dividends or stock buybacks, or reverse policies they see as injurious to the bottom line
CEOs naturally hate this, and activist investors have a reputation -- arguably often well-deserved -- for improving the profitability of their portfolios at the cost of the companies they target. Sometimes this can force companies to walk away from suboptimal strategies -- did AOL really think Patch was going to be a market maker? -- but in many cases their activism simply results in the company's acquisition, aggressive offshoring or deindustrialization, or just straight-up bankruptcy. Icahn, for example, took a heavy position in Blockbuster and was instrumental in forcing them to reinstate late fees and drop plans to enter the streaming market, which left them exceedingly vulnerable when Netflix introduced streaming (the dueling HBR articles on this are well worth reading).
Over the past few decades "social activist investors" have become more common, especially amongst large public sector and union pension plans who have both financial throw-weight and a need to answer to causes somewhat beyond their immediate bottom lines, but in general they are much smaller, and less effective, groups than the usual hedge fund suspects. For example, an organization of decarbonization activists have been trying for years to force ExxonMobil to diversify its energy base beyond hydrocarbons (as other petrochemical firms have done), but they've had notably zero effect on XOM's strategy, despite having an argument based on economics as much as ecology.
https://edition.cnn.com/2022/01/24/investing/peloton-activis...
:D
Maybe you really hate twitter, so you buy into it for $200 million and then use your power on the board to vote down anything good for twitter and vote for anything that is harmful.
Activist investors often don't act in line with financial interest, instead focusing on "activism" even if it costs money.
https://www.google.com/search?q=login+wall+site:https://www....
https://www.google.com/search?q=Twitter+login+wall+site:http...
> "heading towards a direction to suit activist investor demands"
and
> "This guy has a toxic history of narcissistic behavior"
Don't follow. What does that have to do with anything about the original post?
"Mr. Agrawal said the “nature of this situation” limited what he was allowed to share with employees"
Even when things are a bit contentious, companies and C-level execs like CISOs usually come to an agreement and have a joint statement about 'spending time with family' or 'pursuing other endeavors'. This sounds like it was either very one-sided, or something very bad was happening...
I imagine they wouldn't want to cite differences of opinion on security posture as the reason for departing.
Hard to find longevity or stability in a role that exists to fail
The only way you can really get better security at a company is to have an ingrained security culture. I.e. developers are continually educated on secure coding practices and new threats, code reviews include security checklists, corporate security training includes continual social engineering tests and an atmosphere of continual improvement.
And yes, that stuff does cost money, but that's rarely the resources I see CISO's fight for. Instead, they fight for lots of expensive software, things like useless, shitty WAFs or poorly built "network monitoring" software (which can be a huge threat vector in itself, just see the SolarWinds fiasco).
Like many other comments here, I don't believe security is something you can "bolt on" at a company. Yes, there are specialized roles that a dedicated security team needs to fill, but unless everyone at the company has a true understanding of the value and importance of security vigilance, you're screwed.
It's probably like the old saw about advertising. Half of all it is useless, we just don't know which half!
I strongly agree though that you can't really bolt on security, it needs to be designed in and part of the culture as much as possible. You'll never get everyone to understand the value though (I wish!).
Can I have a checklist please?
Full stack web dev
Edit: Here I found one https://www.michaelagreiler.com/security-code-review-checkli...
But as list of things to consider, if you already understand what you're doing, its not too bad.
So either the company does well and the CMO stays, or not. And the default for most companies is to fail.
More likely they just weren't getting things done fast enough. CISOs come and go - they're a very short lived position.
I'd be surprised if that warranted the “nature of this situation” language.
Then again, I was at a large company where the CISO managed to get insta-fired in a 1:1 with the CIO. I actually saw the person about two minutes after it happened while they were grabbing their jacket and heading for the door — I don't know what was said, but judging by appearances things got really heated and the CIO had enough. Corporate security appeared shortly to begin boxing things up.
I understand why they wouldn't from a personal perspective, however I can imagine situations where this is the right call. For Twitter perhaps not, but I hope the CISO who works at my bank would make this choice if things got bad enough.
The best- run companies I've seen with respect to this have regular and frequent security audits and assign tickets to the team who wrote the code, sometimes even to the developer who wrote it. Also, security is built into the continuous integration as much as possible.
I have no idea if that has to do with their day-to-day roles or the specifics of why they were let go, but it is all a bit interesting.
https://twitter.com/elonmusk/status/1482858149900136448
What more did you want?
It seemed very unlikely to be credential stuffing or other common things. It seemed more like a rogue inside person or back office hack.
>The Twitter incident began when the hackers connected last year in an online forum focused on buying and selling rare user names, some of the individuals involved told The New York Times at that time. They then broke into Twitter’s systems by tricking employees into providing login information, according to legal filings. The hackers used an administrative tool to take over accounts belonging to political figures and celebrities, including former President Barack Obama, Kanye West and Elon Musk, using the accounts to conduct a Bitcoin scam, the filings said.
https://www.nytimes.com/2021/07/21/technology/twitter-tiktok...
Many sectors (finance, health care, etc) have all kinds of auditing requirements. I've helped answer some of these audits. It's largely just a bunch of checkboxes for obvious stuff, and in general, isn't how anyone would attack a company that's moderately competent. I've seen and fixed security vulnerabilities in startups that no one else recognized where there, despite passing all these 3rd party audits. I don't know what more could have been done without extremely knowledgeable people look at every aspect of your business in absolute depth that in part only comes from actually working/building it in the first place. Such experts are rare finds, yet the number of companies with computers attached is far greater.
I'm not against legislation, and I think good legislation would look like taking companies such as Equifax out of business. We don't need total incompetence continuing to be central to society's function. But we also need to be realistic about what can be achieved.
But either way, you are getting too bogged down in the specifics of my hypotheticals. Like I said originally I don't have the answer on the perfect solution, but the fact that we didn't use this incident as motivation to have a discussion about potential solutions is disappointing. Can you at least agree with that?
> legislative changes in order prevent that worse version from happening in the future.
I’m not convinced legislation achieve your goal having already seen HIPAA in action in law, the systems behind the scene, and the ways in which compliance works. Is it better than nothing? Sure! Does it actually create truly secure systems? I don’t think so.
If liabilities are severe where companies could go under or people go to jail, then I’m still not sure that would be enough to secure systems because you’re always a 0-day away from breach. But if the result is twitter going under or their CSO jailed, all I think that happens is you remove global competitiveness.
I agree with you more should be done. But perhaps in different ways. For example, requiring everyone to take basic security classes before you can be a software engineer might help. Creating societal incentives where bug bounties are required, white hats cannot go to jail or be sued, DARPA spends big on defensive security strategies, and stating the US will take cyber attacks the same as physical attacks are ways that I think would produce better outcomes (but would risk war).
This also isn't a problem limited to governments and politicians. It calls into question the authenticity of every account on Twitter and that includes other important accounts which can cause damage if compromised such as journalists and news organizations.
And as a corollary, the people will go to whatever channels exist.
This has been something done many times as mediums change. Newspapers to Radio. Newsreels to Television.
Then to the internet, we started with everyone telling you their AOL keyword. Then the web, and then social media.
If authenticity is the concern, these players (journalists/politicians) should adopt W3C recommendations and stand up social media services from their own web presence.
Anyone with access to Twitter has access to whitehouse.gov. Twitter isn't delivering value here, they are a huge societal risk.
[0] https://www.google.com/search?q=hacked+site:https://www.redd...
I'm not sure if I buy the internal tool angle here.
Third party app developers are more likely to have been. It's also likely for a third-party dev to have bad intentions.
I periodically review and make sure to disable third-party app access to my Twitter accounts. Who's to say your average celeb is likely to do that?
> We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
It was social engineering, but still access to internal tools which made this bypass possible.
https://twitter.com/terupancake/status/1484555471054946307
Sound security practices enable good business, e.g giving teams a paved road (https://www.slideshare.net/diannemarsh/the-paved-road-at-net...) that enables rapid and secure releases in place of gates.
At least from what few accounts I've heard from engineering in Twitter, it doesn't sound like Mr. Agrawal has much faith in this idea, but that just means he'll be the first to go in the event of the next inevitable breach.
Watch it be over something dumb like stolen NFTs.
Into the territory of startup fanfic, I'd assert from Agrawal's perspective, he needs his own team, and a top technologist indexed on engineering competence is overpowered as an individual at that level - and for the agility the CEO will need for the next stage of his company. He needs his own people to execute for him. The company is no longer a startup, and its explosive growth phase is behind it. Now it's an asset to be managed, and doing that is an orthogonal set of skills to building and managing growth, so you need people who operate aligned to a longer horizon. The previous CEO's tactical super-hire isn't necessarily going to be the same asset for a new CEO's strategy.
It's odd to comment on this like its sports writing, but that's effectively what following these companies is. Knowing very little about the individuals, I don't need to mind read, as there are clear external incentives for this that make it a fairly neutral change.
When you inherit a powerful asset like that, as CEO that can be double edged. It's great to have someone that amazing around, but if they can undermine the momentum in your leadership even (especially?) unintentionally, while you're driving a massive organizational change, the choice really makes itself independent of the individual characteristics of the people involved.
Ceasing to work at twitter is probably the least interesting thing Zatko has ever done, so I don't forsee this reflecting on him at all, but before there are drill downs on personalities and culture stuff, it's worth looking at it from straight business incentives.
I have no insight into what's happening at Twitter but if you made me bet, I'd bet against there being any interesting drama here.
And, again: high-level organizational management seems like a weird place to slot Zatko, who seems like he'd be happiest as like, a senior fellow at CSIS or something.
Regarding your reflection on the way you communicated your ideas on this: I found Stratechery extremely insightful and funbexause they approach tech and business from this sort of wonky fan-in-the-stands viewpoint. Over the years it helped me wrap my head around a lot of the weird quirks of business.
Twitter has been shaking up management for a couple months now. I have no inside knowledge, but this is pretty plausibly just more of the same kind of thing.
Getting fired is all part of the job as an exec in a tech firm, but the messaging is enough out of the norm that it does make one wonder about them refusing to do X or Y, etc.