It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off. Coupled with the fact that there is lacking IT education about hardware/software means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.
Primary for whom? If you polled 50 people on the streets of NYC, I bet fewer than 3 would say they actively use twitter. Now do the same for Des Moines, IA and you maybe get 1?
I think that Twitter is very much the tail that wags the dog. Sure, 1 out of 50 normal people may use it, but nearly 1 out of 1 reporters use it. Those reporters often quote opinions on it as if they are representative of the larger public, even if the tweet they quote is by someone with 10 followers and no stars.
The fun thing about social media is that reporters can back up any narrative they want. “People are upset about X”, “Gen Z is doing X”, “Millenails are killing X”. Find two people and it's a confirmed trend!
I saw a reddit post today that "Disney fans are furious that Avatar was temporarily pulled from Disney Store" and the top 500 comments were like "No one is furious".
Here, I'll give it a go: "Environmentalists are furious that Bill Gates kills mosquitos"
I did a quick Twitter search, and unfortunately your story isn't supported by any tweets I can find. Good news: you get to write a story about conspiracy theories about Gates and mosquitoes instead though! https://twitter.com/lorijean333/status/1561224522166067201?s...
I saw this happen live and I couldn't believe it. There was this Netflix movie last year called "Kate" that has a white female assassin killing a lot of asian people (it takes place in Tokyo). There were a handful of articles (first in places like Yahoo news and then sites like Slate.com) written about how this is racist and they all quoted people on twitter. Since I was following this movie heavily, I saw the tweets come in real time and the subsequent articles written a day later. In the end it all started from one tweet from a random user which then spread into a small handful other people making a similar comment and then leaving it at that. These tweets then got turned into multiple articles. I could not believe how crazy the whole thing was.
The original tweet author did not give permission for her thoughts to be published in so many articles and apparently endured a lot of harassment(She indicated this on subsequent tweets). She eventually deleted the tweet.
This was the original tweet: "Shame on Netflix for this. After this past year especially, to then release a film that is literally white people murdering Asian people based on stereotypes and fetishization??? Hard pass.”
If you google that quote you'll see how many articles quote that tweet.
There were no winners in this whole saga. The movie takes place in Tokyo so of course asian men are going to be the bad guys. So Netflix endured negative press for nothing. The press didn't actually change anything about the film, it obviously pissed off enough people that it caused them to start looking for the tweet author to harass her and finally she deleted her tweet. Who were the winners? The site owners making the money I guess. The whole thing really shows how much of a joke online media is. When regular establishment press is not that good either, what are people to do?
There might be a huge wave of people just ignoring online news and deleting social media(ie. disconnecting). That could very well be the end state for many people. In the above example, if the tweet authors had restricted their account visibility to people only they know, then possibly the articles would never have been written. If enough people get burned out they might just walk away.
Ironically the white female actress who plays the assassin in the film: Mary Elizabeth Winstead was herself a victim of massive online targeting and harassment.
She had already once deleted her public accounts in protest after the famous iCloud hacks in the early 10s because people were ogling her private nude photos and then harassing her about it after she scolded "the internet". She came back a few years later only to delete everything all over again in 2017 when she got non stop barrage after she went through a bad divorce. Its tough for actors who are in the business of selling themselves to just walk away from all public social media.
I think people who weren't into tech and who came of age before the internet became mainstream might be the first people to disconnect from this social media nonsense. She was early 80s and homeschooled to focus all her waking moments on becoming an actress. Gen-Z/Alpha might never disconnect. Have they ever known anything different? It will be interesting to see what happens.
Except, one person telling someone else "I don't like <thing>" and other people responding with "Hey yeah I don't like <thing> too!" is literally how it has worked forever, even before computers. Newspapers have been running "<THING> BAD" or "<THING> GOOD" headlines with no or weak backing for literal centuries.
It annoys me to see this. Quoting tweets is the laziest form of journalism. But to be fair to journalists, finding a couple of real world people and quoting their opinions as if they are representative of the larger public isn’t any more rigorous.
And it’s possible to cherry-pick people to push any narrative you want. Like the NYT talking about how GenZ is very pro-life, quoting several pro-life youngsters. Meanwhile buried somewhere in that long article is the lede - only 20% of GenZ is pro-life.
I'm involved in a community advocacy organisation that uses Twitter, Facebook and Instagram for public engagement.
Facebook is a great platform for actually getting normal people to see our content and invite them along to our meetings and such. Twitter, on the other hand, has a far more niche audience - but I know for a fact that the niche audience includes several state legislators who follow us and interact with our tweets, and we've gotten several press stories via contacts we've made with journalists over Twitter.
If you've got a message to get out there, it's a highly strategic platform.
Except that a lot of those 50 people instead consume all kinds of other "news media" who by now regularly use Twitter as a source, so they are still indirectly affected by Twitter even if they don't actively use it.
The three are the elites of society, blue checkmarks - journalists, politicians, propagandists, influencers. For the society as whole they have way more influence where it's going than average Joe in front of corner shop.
If you're in any community that is popular/new enough to not use forums, but not large enough to talk outside of twitter, it definitely controls a lot.
That's because decentralized networks are expensive and can't handle spam unless you make receiving messages opt-in, and then you can't @ people like you can on Twitter.
We had, and still have, standards to deal with crossplatform messaging, like Jabber or Matrix.
What prevents that from catching on at scale is, the "big boys", like MS, FB or Google, mostly not playing ball and never implementing these in their own messaging platforms, to keep their gardens neatly walled from each other.
As intraplatform exchange is not really in-line with what most of these platforms are striving for these days; Interactions with their own platforms and the advertisers on it.
> It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company.
Unpopular opinion: I think it's awesome that a private company has created a platform like Twitter. It's kind of like comparing a private amusement park with a public park: one has roller coasters, water slides and an arcade... the other has a swingset and a nice field of dried up grass.
> the fact that it's at the whims of a private company
How is this worse than at the whims of the crown?
> there is an environment that is ripe for the encroachment of digital rights
I love that were even talking about having digital rights.
Ahh they typical brigade is definitely in effect even above this post... A bunch of comments to suppress the real ones made, just like what happens on Twitter regularly.
I had to scroll down past the posts dismissing the issues to get to this one. The news at this point is also conveniently not trending on Twitter even though I am pretty sure a lot more people are Tweeting about it than about Doja Cat right now (who is trending).
I also didn't even see the article, tweeted by CNN, even though I follow them on Twitter.
We're officially chest deep in the era where nothing popular on the Internet is trustworthy nor credible, and where nothing works as expected.
My solution is the same as it always has been... Never respect them enough to enter your real (government) name, and never post anything that you can't afford to have compromised. There is no end to what modern data greed will use your data for.
> a platform that is apparently rather integral to the discourse of today
Not true. If anything Twitter is a cancer on our discourse that should be disdained, not something that should be enshrined as a fixture into our lives.
> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors
It's one of the reasons I disliked Twitter forcing the use of mobile numbers for 2FA, they're just not sufficiently trustworthy. And I have an account under my real name! If I were a political dissident etc that just feels like an insane idea.
It really doesn't. After all, many (most?) other languages like Java and JavaScript are implemented primarily in C and/or C++.
Where it gets deserved opprobrium is that it has no memory safety features, and thus inherently contributes to gobs of security vulnerabilities, and there are safer alternatives now, like Rust.
C is basically "portable assembly", and it's rarely the right tool for the job these days.
Can only patch so many buffer overflows, off-by-one errors, format string vulnerabilities, integer overflows, race conditions, use-after-free errors, etc, before it gets to be a bit tiring. Safer alternatives exist.
We observe very clearly that teams consistently fail to write vuln-free C applications of any meaningful technical or organizational complexity. Following various guidelines empirically does not solve the problem.
First, servers generally run on operating systems. No one with any serious knowledge would use the phrase run on software. Second, does this guy have any actual tech knowledge at all? He doesn't list what operating system they are running or what security updates he is expecting. It doesn't sound great but I assure you I've probably seen worse on systems used by the literal federal government to conduct official business and store sensitive information on. All government cares about is having remediation plans in place.
> Second, does this guy have any actual tech knowledge at all? He doesn't list what operating system they are running or what security updates he is expecting.
Then he should be in an even better position to specify what the actual issues are in details and not some abstract garbage. You could summarize the information there as.. "Momma, servers bad. Need encryption. Need updates."
Publishing a detailed report of infrastructure and specific CVEs would be irresponsible and malicious. If that is off the table the only thing left is ambiguity. Also, the audience is important. They are going for maximum outrage, not glassy eyes.
The "does not support basic security features such as encryption for stored data" unquoted line of reporting is almost certainly not what Mudge wrote and is likely not literally true.
That 500k servers in Twitter infra are missing patches certainly is true and what was likely in the original was a statement that stored data that should have been encrypted at rest was not, and/or that acceptable standards for data at rest encryption, a relatively rapidly moving freight train, were not maintained.
I have discovered that there are vastly different definitions of "encryption for stored data" that can mean critically different things for security.
One definition is "the underlying disk is encrypted". This is true, by default, of virtually all cloud environments these days. But it really only protects you against physical access to the storage media, which actually is far from the top threat.
The other, more useful/meaningful definition, is "we encrypt everything at the application layer before it is placed into the DB, and all decryption requests are logged by user". For example, using an envelope encryption scheme to encrypt data before it is stored in a DB, and upon retrieval decrypting the data with a call to something like KMS. In that environment you can literally give readonly DB access to all your developers and not have to worry about PII being exposed. If hackers somehow got access to your DB, they wouldn't be able to read sensitive data, and if they also managed to get access to your KMS credentials, any attempts to decrypt the data would be tracked and logged.
My point is that when many companies say "we encrypt your data", they are usually just talking about the first thing, but that doesn't really provide that much additional security. The second definition is really what you should be doing.
I think the good comparison that people encounter day-to-day is full disk encryption. It's the default on macOS, the only option on iOS, (those are the two platforms I use), and I assume the case on windows and android.
The thing is FDE essentially only protects your data when your machine is powered off. Once your machine is booted and you've logged in any block level encryption ceases to be relevant, because to get to the point of running your machine has to have loaded in the relevant key material to decrypt. From that point on user space code no longer sees a difference between encrypted and decrypted drives. In other words FDE is not relevant is you lose a powered on device (post login if relevant to the platform), and you're the kind of person people are actively targeting (I recall recently? the content of someone's phone or such being dumped by the FBI because they grabbed it while it was being used).
That's why modern OS's have different key classes, there's the lowest level which is just FDE, but you can have higher levels where requesting key material essentially just gives you a handle to that material. Then the OS, or preferably hardware with a much less complex OS, manages those handles and invalidates them according to policy rules. e.g you may want your phone to have access to your address book while your phone is locked, which does not mean you need your call history available as well.
The policies provided by OSs tend to be fairly simple because it's better to have an easy to understand API that is easy to use and hard to screw up than a more "powerful" API that is easy to screw up and hard to use (the latter resulting in people simply not encrypting things at all). e.g iOS/macOS only has the following file protections when you create files: "NSFileProtectionComplete", "NSFileProtectionCompleteUnlessOpen", "NSFileProtectionCompleteUntilFirstUserAuthentication", "NSFileProtectionNone", but they're very easy to understand.[1]
I tried to find the android equivalent but I don't know the terminology that's used and I just get linked to instructions on using AES, so if someone could link the correct doc I'd appreciate it.
"..more than half of Twitter's 500,000 servers are running out-of-date operating systems so out of date that many do not support basic privacy and security features and lack vendor support. More than quarter of the 10,000 employee computers have software updates disabled! More than half of Twitter employees have access to Twitter's production environment -- unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not. At Twitter engineers work on live data when building and testing software because Twitter lacks testing and stage environments; work is conducted instead in production and with live data..
"This did not happen overnight. To get where Twitter is today took.. many years.. required repeated downplaying of problems, selective reporting, and leadership ignorance around basic security expectations and practices."
Just do it the Zuck way: "If you make an FB app, you can read all user's data and their friends' data, but click here to promise that you won't do that and you won't use the data to subvert democracies...".
I think it's also important to recognize how much of a "check the box" security control encryption at rest has become for many vendors/GRC teams. A lot of times, the encryption at rest control only has the capability to prevent somebody from physically detaching the disk and trying to mount it with their own machine and access the data that way. In a world where many companies now run their workloads on public cloud providers who keep their hardware in distributed cages in secure datacenters, this isn't the security control many assume it is.
If you're trying to prevent an actor who has gained a foothold on a box/network from seeing plaintext data that is actually in use by the actual production system at that very moment, you're looking for a much stronger type of control - probably some sort of client-side encryption or obfuscation/tokenization
Finally, someone points out the emperor has no clothes. When customers first started requesting encryption at rest, it didn’t make any sense to me — the threats it mitigates aren’t worth worrying about if you’re using public cloud.
Big tech was taken over by bean counters long ago, the fact that it’s all running on duct tape and popsicle sticks under the hood will come back to bite us when we have a digital Pearl Harbor event.
China will invade Taiwan and the first shot won’t be physical, it will be activating the 30 years of assets they grew in AWS/GCP/cloudfare/level3/AT&T/Etc
Most of their HR/engineering departments are completely retarded. They’ll hire any H1B who passes l33t code that accepts $50k under market rate then give them repo access in a few weeks. Our soulless megacorps are beyond easy to penetrate by hostile intelligence.
The CIA/NSA/FBI, you know the groups who we pay billions per year for and they take half my income to fund will of course not catch any of this.
The FBI is too busy manufacturing domestic terrorist, the NSA is too busy hacking American companies, and the CIA is too busy importing drugs to actually secure our country from foreign attack. Why? Because it’s been so long since we were actually attacked they believe it can’t happen so why not loot Rome in the mean time?
Seems like Twitter loves going through the cycle of getting hacked→hiring good talent and focusing on security→losing people and focus→relaxing their stance→getting hacked :(
I think it is time to go a bit Meta here, bit I start to subspect that many HN posts are to influence such things, including popular replies to @pmarca etc... when one says Netflix falls because it is not a tech company, the next day at HN comes an article saying how cool and techie it is, etc.
The reach of HN on the tech world is highly influential, and for sure it is weaponized in "communication wars" across actors with different interests.
EDIT: that doesn't mean that the given information is necessarily false, it is just presented at the right time, to promote one view of the world. Also when Twitter hit bottom some years ago several HN submissions remind us how they declined being purchased by Facebook etc, and social network giants have a large track of understanding how such information flows and influences people.
It may appear that this may get Musk off the hook for buying Twitter because "Look how bad they are!" but, as I recall, Musk's problem is that his offer with without contingency - e.g. "Yah, I'll buy it, whatever".
So it may just be another event which will drive Twitter's price down even further and make it a _worse_ deal for him.
From Bloomberg "The buyers could only back out of the agreement in the case of a material adverse effect, a high bar that excludes issues like market volatility or industry challenges." (https://www.bloomberg.com/news/newsletters/2022-07-13/elon-m...).
I suppose one could argue that the Whistleblower's report is "material adverse affect", something I'm sure will come out in the trial.
*Walter Bloomberg
@DeItaone
ELON MUSK’S LEGAL TEAM HAS SUBPOENAED PEITER “MUDGE” ZATKO, TWITTER’S FORMER HEAD OF SECURITY - CNN
8:30 AM · Aug 23, 2022·TweetDeck
-- I've always (since the 90s) used the rule of thumb treat everything on the internet as if it's compromised - I employ low personal security - however i also employ low trust - wouldn't go so far as to blame the users or the platforms - i'd blame both equally - user education is low - false sense of security is high - as the years have gone by - adjustments have been made on my side: comments sections are probably misinformation - emails from people I know may or may not be real - emails from people I don't know are probably not real - use pen and paper for things that need to stay relatively confidential - this is how I was taught to use the internet in the early days - still use it this way today --
It's tinfoil hat territory, but the connection could run the other way in principle: the ex-exec could have been shopping for someone to injure Twitter and cooked up a plot in which Twitter was an innocent victim and Musk a double-crossed coconspirator.
Why, it explains Musk's confidence that Twitter was up to something with its fake-account stats... It must be true!
On the other hand, if you want to fan the conspiracy flames, he does have strong ties to Dorsey (via Stripe and Twitter) and Dorsey has always been Team Musk, especially re: the takeover.
I hate being asked to hand over my phone number for 2FA or similar protections. Or facing the choice between deleting all my DMs or risking them being compromised on account no E2E support. Then again, even if you delete something, there's no knowing what their data retention handling is.
I think it's safe to assume most anything you delete from a web app gets a deleted boolean or timestamp field set and the content persists in the database indefinitely.
In my experience I've found it rare that user content is ever actually permanently deleted for various reasons.
I assume that storage has gotten so cheap now that storing everything forever is feasible for companies? I always knew they had to retain content for X period of time, to comply with laws about data retention for criminal investigations, but I always assumed (from reading about it 10+ years ago) that because of how much extra storage space all the "deleted" content would take up, that it wouldn't be feasible for them to do it long-term for everything. I knew that would become a moot point eventually, and I suppose that is now.
It is. I recall seeing some documentary about Facebook for the exact same thing - that it was cheaper to buy new hard drives and inactivate old content than it is to try to permanently scrub old content, and that was probably 10 years ago.
Yeah that's how most of them work. On some platforms (e.g. Reddit) if you do a full data request you'll see all your deleted comments as it's still there in the database, just hidden from public view.
Mudge is a very credible source. Interesting to see where this goes. Twitter has gone through more security heads than any high tech company should. Not surprised it’s a chaotic environment.
No he's not. He's literally on the CIA payroll along with the rest of CDC.
He has a track record of making up ridiculous stories that serve his task masters. Remember the "Hong Kong Blondes"? Oh right it turned out to be completely fake.
It's important not to forget that certain Twitter users share incredibly sensitive data over Twitter, increasingly including nudity and sexual acts (sometimes on private profiles or in DMs, so they're not meant to be public).
While one may (not wrongly) think that this is a bad idea in general (unless you subscribe to post-privacy), I think it is our duty as a society to protect those who don't have a full grasp on the implications of bad IT security.
In my opinion, fines for cyber security violations should be swift and harsh (GDPR goes in the right direction in terms of how high the fines are, but it is barely enforced). From my POV that is the only thing that will force companies to actually invest in cybersecurity. Maybe there should even be a law mandating security reviews if you handle any PII.
>one or more current employees may be working for a foreign intelligence service.
I don't doubt this, but the source is someone with fairly deep ties to the US intelligence services. Why should he be allowed a job and not people with ties to foreign agencies?
Conflict of interest violations. Such violations are absolved through disclosure of known relationships, which cannot occur if persons are keeping ties to foreign intelligence services secret.
I don't believe that what Mudge is saying there is all that well quoted or explained. The argument I've heard him make, in other settings, is that companies that are interesting enough will get job applicants that are really moles for intelligence agencies. This is very difficult to stop, and once your company has enough employees, downright impossible. His recommendation however is not to make it impossible for people with ties to foreign agencies to join the company. Instead, it's to minimize the access than any individual mole might have. This would also apply if you consider US intelligence an attacker!
TLDR; Someone like Twitter, Google or Facebook should have 'some of our employees are malicious and sophisticated' as part of their threat model.
> Someone like Twitter, Google or Facebook should have 'some of our employees are malicious and sophisticated' as part of their threat model.
I would estimate there is a 100% chance that every one of those companies listed, has multiple employees who work for or are sources for US domestic and foreign intelligence services.
It should be expected and part of their internal systems that people only have access to the shared drives they are meant to.
>estimate there is a 100% chance that every one of those companies listed, has multiple employees who work for or are sources for US domestic and foreign intelligence services
Eh, you could take out Twitter and insert many other company names and it'll still hold true. And those companies hold so much more sensitive data about you than Twitter.
I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage lax permissions.
Cynically, because it's twitter, and it's trendy amongst a certain subset of the population to bash social media in general and twitter in particular. And I think your point is fair.
(FWIW, I think social media has if not caused, then certainly exacerbated, some major problems at individual, societal, and global levels, but by no means do I think twitter is the biggest contributor. I don't think we'd see the kind of unconstructive political polarisation we're seeing in the US and UK and perhaps, to a lesser extent, within the EU, without it.)
My reasoned mind says it's due to the recent disclosure in Twitter due to linking of phone numbers to people, while my other mind says it's Elon finding anything to make Twitter give up their case.
For sure, the phone numbers issue definitely won't have helped, but the whole Elon/Twitter situation is definitely up there. Plus, as I say, it's been sort of trendy to bash them for a while: they're either not doing enough to protect people from harmful content, or they're subverting freedom of speech by, for example, banning Trump, and applying permanent, temporary, or shadowbans to other accounts. I'm not that sympathetic, but they sort of can't win.
> in Twitter due to linking of phone numbers to people
Except like the linkedin "hack" which was just a scrape of peoples profiles, the twitter "hack" was someone running phone numbers through the "upload you contacts and find your friends account" feature.
They are both barely stories, except to remind people that posting stuff publicly is public.
>..the twitter "hack" was someone running phone numbers through the "upload you contacts and find your friends account" feature.
>They are both barely stories, except to remind people that posting stuff publicly is public.
The reoccurring issue is that Twitter and other companies are convincing (and often forcing) you to do something unsafe like linking your phone number, while telling you that your data will be kept private and at the same time opting you in by default, or aggressively marketing, an option that compromises your security.
I'm sure you may be smart enough to know this compromises your anonymity, allows stalkers to find your phone number, etc. but the 99% of users wont.
Linking everything to a phone number is a major dark pattern that benefits the corporations while compromising the user. So rightfully, these malicious and harmful practices should be called out.
Additionally, Twitter collected PII and then did a bad job protecting it. We don't see a phone-numbers-leaked story like this out of Google, which has had 2FA with phone number deployed for years.
Twitter has some 200+ million daily active users and should act like it.
Decide whether people who have your email address or phone number can find and connect with you on Twitter. If you select yes, then someone with l33t skills can "hack" twitter and type in your email / phone number and get your twitter handle (or just put it in their contacts and click a button in the twitter app aka l33t hax0r skills)
The reason there isnt "leak" from google is because they dont offer the functionality to look up your account by your phone number.
I think you are referring to corporate and state controlled social media. There is a big difference between those platforms and the fediverse instances I am running on a RPI sitting on my desk.
Cybersecurity is one of my roles I suppose (small place with an operations team of approximately 2.5), and I have to say that I have no idea what proper security is supposed to mean today; it's very hard for me to tell the marketing from best practice now. It seems like what most products really are is an ass covering service so you can tell your leadership and your customers that you did the right things.
Basically we work on keeping everything patched and try not to create any obvious issues. Honestly, I think the best thing we have going for us is obscurity.
1) Like a car mechanic, these people get paid to sell you solutions and they are incentivized to sell you more.
2) Plenty or honest people have biases because of what they do. If you spend all day thinking about security you might be overly concerned about things that are actually not that risky.
This isn’t to say that there aren’t great people working in the field. But it’s daunting from an outsiders perspective.
With the example of the doctor you run into the nocebo effect - you can spend a lot of time tracking down things that turn out to be of very low value which ends up causing more harm than good. To painfully extend the metaphor you could have an overly aggressive password policy and end up having users reusing passwords or writing them down.
Develop sufficient in-house subject matter expertise so that you're not depending on sales consultants to do your cyber program for you.
Develop an empirical understanding of risk management. While we can't predict the future, through well established techniques and adequate resourcing, professionals can achieve consistent results that are far better than random guessing. Risk management principles drive not just corporate stragegy writ large, but entire industries like banking and insurance.
To answer points 1 & 2, you're more than permitted to think for yourself and establish if their recommendations are worth perusing. You could even get multiple opinions and see if there are any recurring themes that might suggest areas to look at first.
I think the commenter brings up an interesting point that China more effectively regulates industries that commit wrong [1]. I wouldn't reduce their point to being tantamount to fascism; rather, I read @gsatic as arguing for equal application of the law. This seems fundamental to the US constitution vis à vis John Locke: people (corporations in this case) cede rights for security. If we give corporations regulatory fines that pale in comparison to revenue as a result of malfeasance, are we allowing companies to enjoy our society's benefits, without having to sacrifice the same rights others do?
[1] - Of course, this isn't the complete picture: China has a penchant for arbitrarily dealing a heavy hand to law-abiding companies/persons.
I've recently gotten a lot of good guidance on security best practice from a new boss. A great place to start is the CIS 18 critical security controls. They cover most things for protecting an organization.
Walk through the controls list, see where you compare to the controls and sub-controls and then start to establish a path forward.
I’m a security engineer and nobody knows what’s best practice. Everyone is making it up at this point, and security is still a nascent field. Most companies don’t even have a security team.
I think it’s still not clear how you should build a security org, and if you should at all (should security be part of normal workstreams of your devs?)
There is a best practice... but the issue is that the "best practice" is something that gets abused for cargo culting and stopping at the discovery of the best practice.
Some time back, I got a copy of "A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving" so that I could properly quote back the use of best practices.
With most times people are looking at best practices, they skip to the decide step without defining the problem - that's even been done here. Is there a best practice for non-cybersecurity at private business? Well, yes - but first, what is the problem that is trying to be solved? There's no "get this book of everything to do and you're good". On the other hand a "we have customer data that includes PII data, we need to secure the data and prevent casual examination of it in house" is a problem that can be looked at and a best practice can be found.
The best practices involve a survey of looking at other organizations and seeing what they have done - what worked and what didn't.
> Part IV "Smart (Best) Practices" Research - Understanding and Making Use of Whatlook Like Good Ideas from Somewhere Else
> It is only sensible to see what kinds of solutions have been tried in other jurisdictions, agencies, or locales. You want to look for those that appear to have worked pretty well, try to understand exactly how and why they may have worked, and evaluate their applicability to your own situation. IN many circles, this is known as "best practices" research. Simple and commonsensical as this process sounds, it represents many methodological and practical pitfalls. The most important of these is relying on anecdotes and on very limited empirical observations for your ideas. To some extent, these are - one hopes - supplemented by smart theorizing. This method is never perfectly satisfactory, but in the real world the alternative is not usually more empiricism but, rather, no thoughtless theorizing.
> Develop Realistic Expectations
> Semantic Tip First, don't be mislead by the word best in so-called best practice research. Rarely will you have any confidence that some helpful-looking practice is actually the best among all those that address the same problem or opportunity. The extensive and careful research needed to document a claim of best will almost never have been done. Usually, you will be looking for what, more modestly, might be called "good practices."
---
A "here is a list of all the best practices, follow these" is the wrong way to try to use best practices but rather relabeled cargo cult security.
Eval yourselves with the NIST Cybersecurity Framework and you’ll get a good idea of where to work on. It’s useful to guide an early stage security program doing all the things.
Also, build a risk matrix of security risks the company can face by impact vs likelihood of the risk happening. Get someone senior to sign off on it.
Use the NIST CSF and the risk registry with senior leadership support to guide the work you do.
Itll be easier if you think about security as understanding your risk posture as an org, and that risk is either fixed at your level, carefully escalated to outside your teams for a fix, or labeled and accepted risk. security teams should never be the ones to accept risk, so get a a manager to see and acknowledge in writing whenever it’s decided to just roll with a known vuln you’re
Unable to fix without more time/money/tech. Try to fix as many risks as possible at your level as to not build an alarmist rep. Then, that leaves space to escalate into cross-team fixes (and you can point to the NIST CSF and the risk register with a senior leader’s sit side as a baseline reason for why they need to fix it).
>It seems like what most products really are is an ass covering service
You do have a pretty good idea then. Sadly, this is exactly what it looks like at the moment: because business decisions are made by clueless dummies, there’s no way to sell a proper product; to make money you need to focus on snake oil instead.
Did you actually read it? The story isn't some handwaving about companies in general having bad security. It's that Twitter's former head of security is blowing the whistle on "reckless and negligent cybersecurity policies" including deliberately misleading government regulators and its own board about various issues, and concerns about foreign espionage and disinformation.
If you don't know how that's a story I don't know how to explain it to you, I can only assure you many people will find it extremely newsworthy.
I hear you. All of that is a big deal and should not be taken lighten.
Maybe I'm a bit jaded by what I've seen, but that doesn't seem too far off from normal American business culture. Deflection and manipulation seem to be par for the course. It's why lobbyist exist. Companies want permission to do/not do the things they're not currently allowed/required to do.
The ones that get caught are normally a few bad actors that whistle blow. The companies where it's ingrained in their culture get away with it. Of course...this is all my own experience :)
Because people with a lot of money are inflating this story to get back at Twitter. It sounds like a conspiracy, but that's the most plausible explanation I have for why this specific whistleblower gets amplified by the media.
Not a lot of companies get infiltrated by foreign agents or assets. Access to Twitter, in particular, can help unmasking anonymous sources, sensitive DMs, dissidents - and their locations.
I don't claim Mudge was infiltrating Twitter, nor that his claims to bad security are false, nor that it is not dangerous to use Twitter if you value privacy. Bad security at Twitter, or any other social media is a given. Remember they're in the business of selling personal data.
My claim is that this specific story which is most likely true but in no way surprising gets amplified right now because some specific powerful people wanted it so.
Or the current Twitter drama is precisely why it is an interesting story for the media.
That said, given foreign influence campaigns in the news in the last 6 years, this would’ve been news then too. I’m sure it was news back in 2010 when the FTC ordered it to fix the problems.
Or maybe, you know, the media finds this story interesting because this is an extremely visible company with tons of influence on narratives around the world.
Who are these "powerful people"? And why do they care about Twitter so much? Most powerful people aren't even ON Twitter.
I know about a certain person who has been doing very unorthodox moves towards the acquisition of Twitter since earlier this year; this person, as well as all the wealthy stakeholders who have a lot to lose if the deal goes through in an unprofitable way, would certainly gain a lot by amplifying this story with a few grands in the pockets of the CNN business editors.
Not necessarily the man specifically. Anyone with a high stake in Tesla/SpaceX/long-termist companies and an arm in the media machine who would benefit from this press release.
I don't think you understand how poorly attacking Mudge's character or insinuating that he's driven by some unethical ulterior motive is going to work out. Mudge is... he's Mudge. He's a known quantity, and one everyone wishes we had more of. When he says something like this, smart people listen intently.
Because it's CNN and they like to make headlines with some bogus whistleblower that is concerned that some die-hard trumpers are going to hack top companies and create some kind of mass hysteria. Just the usual fear mongering in the news media to get views.
Well, it's on the front page of CNN right now for starters, so that means it's probably significant to a lot of people...
If you have a business, you most likely need to promote it on Twitter, or to at least reserve an account there so that someone else won't impersonate you. You also need to do that on almost all other major social platforms.
If you have a business or personal account on Twitter, your direct messages, the data the system generates about your preferences and interests, your geo-coordinates, and everything you post, including control of how your account works can apparently be accessed by too many people within the company.
It's a pretty big deal for anyone that uses the platform citing all that... Not something that should just be "left to it's own devices" because everyone else is doing the same. All cases of data abuse/misuse should be addressed, but addressing one this big would also be a pretty big deal.
Twitter is under a consent agreement with the FTC about its security practices. Part of the allegations here is that they've been lying to those regulators.
OK, so their security is a mess, as many commenters have pointed out, they are one of many companies.
What I can't figure out is what's this guy's beef that he went revealing all this? Was he fired or demoted or something and thought to get his own back?
Look at Mudge's track record. He didn't become a security legend by staying quiet about problems, and if Twitter wasn't willing to address it internally...
"Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy. "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said."
He was fired January last for alleged poor performance. Totally can see now why it's all come to light, less the altruistic urge to make things secure, and more the old case of flipping the bird to a former boss.
From Wikipedia: “He was the most prominent member of the high-profile hacker think tank the L0pht.”
That’s quite a generous take. There were plenty of excellent hackers in the 90s, but “L0pht” just seemed like the PR friendly one that could go on good morning America.
Can’t tell if this is real or just a 90s security person trying to stay relevant after being fired.
Whether or not it was high profile before they went on talk shows and before congress... it's definitely a high profile (historic) group now because they went on talk shows and before congress. :)
High profile doesn't mean best it just means high profile.
"The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to."
I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal, or, is this whistleblower's account inadmissible?
I am willing to take a shot in the dark on this story, and say that this is the whole point. I don't see why this story would get shared and amplified so much otherwise.
> I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal
Not really because they have consistently said "this is what we do, it's a finger in the air estimate based on sampling, it might be right, it might be wildly wrong, there's no agreed methodology for this".
For someone to then go "they don't fully understand the true number of bots! GOTCHA!" is dumb because it's literally just pointing out exactly what they've said in their SEC filings since 2013.
Musk has problems with impulse control. That's why he publicly called a literal hero of dying children a "pedophile". If he didn't have money he would likely not be able to keep friendships functional, because he doesn't know how to interact with other people in a healthy way.
I don't understand how you can look at his public behavior and think anything else. The only alternative is that he thought doing shitty things was a rational way to improve his situation, and I personally think that's a worse option
The really damning part of the whistleblower's statements isn't about the bots, it's about Twitter executives misleading the board of directors and stockholders. That's what could aid Musk at trial.
> If the executives did not make a meaningful effort to count them
They've been filing their methodology for bot counting with the SEC since 2013.
If they're not making a "meaningful effort" and it materially affected the stock price in some way, either the SEC or a shareholder would have gone "HOLD ON SHENANIGANS O'CLOCK", surely?
It can't be that the entire world was A-OK with Twitter's bot counting until June 2022 when a man claiming to want to buy Twitter to fix the bot problem got cold feet on a market drop...
The "methodology" is that people look at 100 accounts a day and determine whether they are bots. They have never disclosed any of the signals that go into this determination. You have a lot of faith in the immediately efficient market here.
The point is that they have not claimed anything regarding this in their filings that isn't true, not whether or not you think they've been clear and detailed enough to answer the question properly.
And to give Musk an out, which is what this tangent is about, not only do they need to have actually lied, the lies need to have had a VERY substantial effect on the price of the company.
The bot thing simply does not help Musk get out of the deal he's made. That is not the same thing as "Twitter are great at dealing with bots and have been very transparent about how they do it", but that's not the bar that has to be cleared here.
> They've been filing their methodology for bot counting with the SEC since 2013.
No, they haven’t. They describe at a very high level the amount of sampling they do (100 accounts a day? Really, that’s it?), but don’t discuss the methodology used, such as what they use as signals and indicators of botness. That’s not “filing their methodology“, it’s covering their arses.
You have a population of 100 million people. You estimate that the true probability of some statistic is about 5%. What sample size do you need to be 95% sure that you are within 5% of the correct answer? Answer: 73.
(No really, this kind of question is absolutely going to be in a Stats 101 class. And sample sizes really don't need to be that big to be accurate.)
The problem I have in assigning credibility to Twitter's position on bots is that they seem to have held multiple seemingly inconsistent positions (all paraphrased):
1. "Finger in the air estimate based on sampling", aka. "don't read too much into it"
They are completely consistent. They have always said 'no more than 5% according to their sampling' plus a long row of disclaimers and that they sampled based on things like activity and only from monetizeable users, neither of which can be tracked without Twitters internal data on the user.
Unless the bot problem regularly gets in users' way, this isn't really what you want to blow the whistle on--hard problems are hard. You bring this up to damage Twitter.
It truly doesn't matter, given Musk waived due diligence. Unless the number of bots is enormous (think 75% or more) then it won't make a material difference.
Twitter's always hedged their bot stats with the MDAU caveat (e.g., "we're not estimating all the bots who log into Twitter, just the ones that are meaningful for advertising and revenue purposes"), so while these allegations are not at all helpful, they're not necessarily a serious blow to Twitter's position (Mudge is a hacker, not a contracts attorney, and a lot of the allegations he makes regarding regulatory law aren't necessarily supported by his evidence).
However, there's enough here, provided by a highly-credible technical expert, and under consideration by the US Congress, that Musk's litigation team has a strong opportunity to find at least something that holds up as a material misrepresentation, even if relatively minor, and then link it to the broader effect of this document, which could very well rise to the level of a material adverse effect.
So, where bots are concerned, bad but not disastrous; for everything else -- well, let's just say that Musk's litigation team are burning incense to the gods this morning, while a whole bunch of Twitter execs are going to be spending the next few weeks getting grilled by their own retained counsel, at an even more exorbitant hourly rate than they were paying before.
I read some good commentary on this that I agree with.
From a purely legal perspective, this really shouldn't matter much. As has been pointed out many times, Musk explicitly waived due diligence when he signed the contract. Also, it's still laughable to think that Musk's real reason for wanting to get out of the deal is the bot problem (instead of the obvious reason of the market tanking), when Musk himself made the argument that a big benefit of him buying Twitter is that he would be able to clean up the bot problem in the first place.
From the court-of-public-opinion, though, I think it does give Musk more leverage for a negotiated settlement to get out of the deal, which is really what he wants. I don't think Musk really thinks he can win in Delaware, but the longer he drags things out and the more pain he causes Twitter the more incentive they have to negotiate cancelling the deal.
Musk needs twitter to have willfully misrepresented and concealed, not merely to have had estimates that they admitted were nothing more than estimates.
This aspect of the story was entirely predictable:
>Musk lawyer Alex Spiro said they want to talk to Twitter whistleblower. “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
For a solid and genuine technical person considering a CISO or CISO-like role, I've had the impression that they have to be very selective where they go.
Even in what I'd guess is an "ideal" situation, of tractable technical&process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.
I also hear of a lot of much-less-than-ideal situations.
God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.
Is this an accurate statement?
If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?
Now think about the implications with respect to Twitter DMs that show up in criminal investigations.
For instance, consider the Twitter DMs exchanged by Donald Trump, Jr and WikiLeaks. In that particular case, the communication was acknowledged by the party in question, but imagine the two possibilities thousands of employees being able to act on the part of users opens up:
1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.
2. A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.
This seems like a huge win for the defense in a case using DMs or Tweets as evidence.
It would be quite easy to argue that a highly-politicized org like Twitter _might_ alter tweets or DMs to implicate someone in the opposing party. That’s reasonable doubt that at least some jurors would buy.
Perfidy could still happen in a tightly controlled system, where only a small number of people could view or modify user data, in a way that requires multiple individuals to sign off on it, and both the access and the modifications were internally logged and audited.
But that turns into "there was a sizeable conspiracy to fabricate evidence", as opposed to "a random person out of 2000 got bored, had a grudge, decided to have a laugh, and was acting alone".
Usually these sorts of systems have very detailed logs and those logs are kept for a long time for things like lawsuits. In the hypothetical scenario you're describing the other party would subpoena Twitter and they would corroborate whether or not someone logged as that user or not.
But part of what this article calls out from the whistleblower's POV is that the logging and auditing systems that would be needed to do that don't exist at Twitter. That users can activate God Mode or get into production systems without any logging or accountability
> A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.
I could see this being billed as a feature of a privacy-forward chat platform. Messages are slipped into conversations without either party having actually sent them and no way to tell whether they were real or not.
I’ve heard of similar things to this being discussed…
Eg. simple things like tracking-busters where it randomly clicks links in headless chrome to fool the algorithm, p2p vpns where you use a random user’s IP address to randomize who made what request, etc.
There is also a school of thought that you should periodically publish private keys for plausible deniability (“was it me, or did someone sign that after I published the key”).
Yeah, at the bare minimum what you want to see is:
1. No employees have direct, immediate access to user accounts or data.
2. Only a small number of employees should ever be able to gain access to user accounts or data, for the purpose of resolving issues directly affecting said accounts or data.
3. Access is only granted to one specific user account at a time, and only for a limited amount of time.
4. Access to a user account requires at least one other person to sign off on the access-grant.
5. Every operation performed upon a user account -- viewing a field, modifying a field -- is logged in a place the people from #2 and #4 do not have access to.
6. Access logs are routinely audited for perfidy.
7. Gaining accesses to user accounts or interacting with them in a way that is not necessary or attempting to circumvent the above process must be a don't-bother-cleaning-out-your-desk-we'll-do-it-for-you offense.
With policies in place like that, you reduce the insider risk to user accounts. You need multiple people directly involved in secretly accessing or taking over a user account, and you potentially need dozens of others (the potential auditors) to be complicit. The more people you have involved, the more likely it is someone shuts it down, or at least blows the whistle on it when shit hits the fan.
If someone can just get drunk one night, open up a user account, tweet something, then SSH over to the audit server and drop the rows from the access log indicating what they did, and there's no way to even prove something happened, let alone who did it.
It's common in lots of software - a form of a "su" command that lets you assume all aspects of a particular user.
Usually developed for testing purposes (easiest way to reproduce a problem, after all) and prevents password-sharing. But it can obviously be used for evil, and so it should be heavily logged and flagged.
But the comment says that users wouldn't even see posts from the Twitter employee assuming their account in their own timeline. What legitimate purpose would that serve?
Why would this be a production data "tool"? Makes no sense at all unless Twitter DGAF about it's users privacy... Ok, answered my own question there didn't I.
I worked in finance and we are brick-walled from real production data. There's obviously a way around it, but it is not a function you can pull out the company toolbox.
This is a clear breach of infosec if there's a $#%*# su to post as Waldo and Waldo can't see that post.
In fact it seems ONLY possible to do _evil_ with that feature.
Yeah I’m not sure the “just” is justified, and it’s not good but it’s certainly different than being able to send tweets as a particular user. IPMI access was typically only given to SREs.
Honestly, can you really trust anything about major social media sites any more?
Has Twitter ever been in the news for properly making even a thousand people successful from scratch really ever in the product's life?
They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform, they extort people promoting their independent work for ad money, they don't protect anyone's privacy, they are VERY MANIPULATIVE in multiple (psychological) ways, they offer very little support or fairness when accounts are compromised, hijacked, or stolen, and they impose a stranglehold on information through lobbies and suppression of independent art and music.
Social media took over the Internet after they wooed everyone into the ideal that they would operate fairly. Now that they have captured full attention, they have turned on users and they offer very little to anyone who doesn't pay, and can't offer reliable security to anyone. There are some serious "God Complexes" going on with having access to the personal data these systems harvest ON EVERYONE in conjunction with mobile devices.
I really hate to say it would actually probably make me feel better if most of the large data monitoring sites/apps went away rather than stayed in place, because they make almost every aspect of the Internet work against us all.
Twitter has had several opportunities to fix how it operates. The platform also generates tons in annual revenue to fix how it operates. Twitter has lots of employees that could fix how it operates. Twitter has also had numerous security breaches, and it regularly causes tons of stress for users. Twitter continues to focus on only pleasing it's sponsors, investors, and execs year after year and repeatedly stretching the promises it was built upon.
I can't say I want to see this whale fail, but I won't miss it if it does.
I think it is clear we need more public regulation over these companies, and a lot of the mechanisms need to be embedded in a non-profit / social utility system, given they DIRECTLY impact politics. Anything that democracy is reliant upon should not be subject to private, opaque control.
In the case of data harvesting, data is the most valuable resource. You can control what people want using data. No entity should have unfettered access to data — it is undeniably evil in the truest sense of the word. Which, in the context of my use, means to decay forward progress or to increase aggregated suffering.
They will not fix these issues until the public makes it so painful not to, that they must. As an example, how is Experian still in business after what they’ve done? They should have had a $100 billion+ fine levied against them, and that fine should pierce through limited liability to the extent that the board of directors and C-level staff are liable for it. The company and any owners of it should be bankrupted and living in poverty after what they’ve done.
Until we make PEOPLE liable for the evils they induce on others, this will keep happening. I don’t get limited liability if I went out and murdered someone, why should the PEOPLE running companies have limited liability when they murder millions with pollution, or with financial terrorism? Answer: they shouldn’t.
Government regulation spans further than just rules engineered by a few politicians, it can be publicly voted upon, and it can dictate minimum standards that are upheld across private business for everyone's safety, which in this case is highly warranted.
It's the best chance we have to stop this horrible trend. Companies have shown repeatedly that they are not trust-worthy nor responsible enough to self regulate.
> Government regulation spans further than just rules engineered by a few politicians, it can be publicly voted upon
You're making a distinction without making a difference. Regulating public forums for their content outside of illegal content has never been not abused. The UK is learning this the hard way with the police "checking the thinking" of netizens.
If you think companies are bad, then imagine politicians. I can switch off to another social media but I can't switch out to another state.
> They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform
For what it's worth, as someone running a high-five-digits account, it is possible to get notable on Twitter - you just have to put in a ton of work to make quality content people are actually interested in.
Sure... In order to build a house, you just need to bring your motivation... And lots of time... And money... to hire an architect and an entire home building company... Without having any income the whole time...
Hard work for free does not make sense in this type of post-pandemic world we live in... It's too "Marie Antoinette-esque" of people to say it's anywhere near reasonable.
My point is, a lot of those wannabe "influencers" who complain the most about "boo hoo, Twitter/Instagram are so unfair" are simply putting out mediocre content.
I wouldn't consider that as the success op means...
I mean, surely, it some people were successful, but success of warlords intending to genocide blacks in Lybia or starting a new violent caliphate or kidnapping boys en masse to be child soldiers is not the sort or success I want to be enabled with technology.
The Arab Spring should have been looked at as a warning sign, but everyone in America was still in full-on neoconservative "we will be welcomed as liberators" mode. No private company should have the power to overthrow governments.
Not wanting to defend Twitter, but I'm pretty sure the situation is very similar across a whole lot of companies, even those that make security their main business, i.e. FireEye.
Because investing in IT security usually has no apparent profit incentives, so most companies leadership will consider it something of very little importance funding wise.
Particularly in the current climate where even minor hacks, and simple ransomware infections, are regularly made out as some kind of "act of God"/allegedly done by some super advanced "state actor", to create the narrative how it just wasn't preventable with the resources of a private company.
Which outsources all the responsibility to ominous intangible parties based on wonky, and often politically motivated, attribution, while holding nobody responsible for running outdate software in exploitable combinations, thus creating the problem in the very first place.
By the CNN piece it seems like twitter hired a community figure - which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures, they not necessarily are the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to SEC would work better IMO).
Building a successful security organization is very easy, it just starts higher up the food chain than whatever experts you hire to do it. Security is a cultural practice, it's not a feature, it's not a bolt-on. To the extent that your security organization influences and receives buy-in from your corporate culture, becoming a part of your organization's identity, it will be successful.
I think this is key. If you don't have a good security culture, where people understand and have ingrained proper security practices, you're toast, no matter who else you hire.
Google has good security practices, can implement those in any big corp as they are very straightforward. Mudge previously worked at Google so I'd assume he was hired to help Twitter security get better by implementing some practices from Google. But maybe he was just hired to look like Twitter cared and they didn't really want to change anything.
Google also has a very good ingrained security culture. They understand that they hold on to people's most private and critical data, and rock-solid security has to be a cornerstone of their business.
I commented on this elsewhere, but Mudge was a program manager at DARPA from 2010-2013 and worked at Google from 2013-2020. This narrative that "Twitter hired a long-haired hippy and he didn't know how to build a security org or work in a corporate environment" ignored the past decade plus of his experience.
Ah yes, came for the obvious response which I essentially do see here. Cybersecurity is awful at twitter, but that's because cybersecurity is awful everywhere.
I think it's a pretty open secret that Twitter is a fairly broken company. It's no surprise that their security practices are bad, because all their practices are bad. It's also very difficult to view this in isolation when you have the timeline of (1): Fired in January, nothing happens. (2) Musk makes offer for twitter then reneges. (3) Months before the lawsuit gets decided re-emerges with accusations.
What happened that caused him to suddenly start whistleblowing now, and not in January? Was it the same thing that caused Ken Paxton in Texas to start investigating Twitter?
This just looks like pretty plain mud-slinging from Musk's team to be honest. Especially since the Whistleblower seems to basically be blowing the whilst on himself.
So, in simpler words, they are indeed a pseudo-monopolistic (pseudo means apparent, something very close to but not quite there) social media giant that can indeed censor millions (10% of USA's population is 30 millions) arbitarily and at will ? Ok :)
And whether a bakery serves your gay wedding or not is perhaps the most petty and inconsequential thing to be upset about. There are thousands upon thousands of bakeries in a large city. You can learn how to bake a cake in a weekend and home-bake your wedding cake yourself, or any one of your wedding guests can do this as a wedding gift. You can go to a no-gays-allowed bakery but simply not tell them you're gay, and take a finished cake from them then write your own name and that of the guy you will marry on it yourself. You can not get cake at all and instead get any of the thousand other types of wedding sweets and food.
It's almost like the whole thing is a hilarious non-issue that some people just invented to cry and act like victims about.
There are not thousands of bakeries in any city. Many towns might have none, or one. In that regard, the bakery will have an actual monopoly on baked goods to people living there.
The baker is a person with rights as well, you can't force him to make a special order cake for something he disagrees with. You can force him to sell standard cakes, and they offered to sell standard cakes in the case, but the customers wanted to force him to make a designed cake, that would be against the bakers individual rights.
Large corporations lacks those individual rights for obvious reasons, so large corporations should be forced to provide services to everyone even though individuals shouldn't always be.
On users. Any network is worth a function of the number of nodes in it (typically a quadratic). Social Media are networks that link humans, and there is a finite number of humans (or, more accurately, internet-connected humans with time to spare) that grows very slowly and inevitably will stagnate. That means a social network is in direct zero-sum competition with all the other networks, and a giant like twitter hurts everybody else by concentrating a signficant proportion of users into a single (aweful) place, destroying competition by the lock-in effects of network dynamics.
>There are not thousands of bakeries in any city
There are in my city, actually. Dialing the number down to the hundreds or the high tens doesn't signficantly change the validity and implications of the argument either.
> In that regard, the bakery will have an actual monopoly on baked goods to people living there.
If you can actually prove that in a court, and if you furthermore prove that the complaining party will incur significant costs to themselves if they try to seek another bakery elsewhere (by a resonable legal definition of 'significant'), then you have my full blessing to force people to bake your cake.
Until then, comparing an easily-replacable food product with tons of suppliers and publicly-available recipes to a proprietary service supplied by a corporation with thousands of servers, thousands of employees and tens of millions of users is ideologically motivated bullshit.
It has to be an impressive kind of hypocrisy to panic about individuals refusing to associate with individuals out of their own free will and freak out hysterically about "restrictions on freedom"... then turn around and cheer on massive corporations censoring individuals with no oversight or recourse.
The specific worry about Net Neutrality was that ISPs would use their monopoly power to censor specific sources and/or self-preference their own businesses. It's something that should have been expanded to large online platforms rather than being disposed of entirely.
As you said, it was a worry, but ending Net Neutrality about enforcing government censorship was never even an argument being made at all by any sides of the issue.
Justice Brett Kavanaugh[0] argued that Net Neutrality specifically violated the 1st Amendment because Comcast should decide what speech they do and don't retransmit.
False. Get your facts straight before misstating established facts in public. The baker in fact refused to make any cake whatsoever for a same-sex wedding. If you are fuzzy on this, watch the interview with the baker himself in this article:
I read the article, and it doesn't say what you said.
>Zatko began the whistleblower process before there was any indication of Musk’s involvement
Define "Began the whistleblower process". Because that seems like an extremely fuzzy way of saying this. And even if you accept that he was genuinely a whistleblower in good faith trying to do this, which I'm perfectly willing to accept, the fact it's coming out in public now is still convenient timing.
It does say
>The disclosure, sent last month
Which means that the actual firm date we have coincides perfectly with Musk's legal wranglings.
Not exactly. The CNN article doesn't say that, and The Verge's piece[1] on this puts it together pretty clearly.
>Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning.
So, breaking it down more concisely:
1.) Fired in January
2.) Musk tries to buy Twitter in early April
3.) Complaint filed with SEC in July by Mudge ("way [after] EM entered the picture")
4.) WaPo published redacted, 200-page report today
Edit: This is not an endorsement of mud-slinging, just an attempt to make sure everyone knows what actually happened and when, at least as best we can discern at this point.
> Please note that Mudge began preparing these disclosures in
> early March 2022, well before Mr. Musk expressed any
> interest in acquiring Twitter, and has not communicated
> these disclosures to anyone with a financial interest
> in Twitter.
Why debate what the timelines implied by various articles are when the primary source is available and makes a clear statement on this matter?
>Why debate what the timelines implied by various articles are when the primary source is available and makes a clear statement on this matter?
Probably because most of us in the chain you're replying to didn't have the time to read an 84-page source document in the middle of a work day (note the time of our comments and how late to this particular chain you are), hoping that a nugget of information like that would be dropped pretty early on in it. Hence my edit at the end, which I had hoped would have made it clear that I was open to being corrected.
But thank you so much for that snarky comment while you clarified things. You're so much better than us for finding that, how could we have ever been so daft? Forgive us?
Nah, I think it's my fault. I have realized this week that I'm dealing with a lot of tough shit and haven't been handling it well. I think I've taken to looking for arguments on HN (and other places) as an outlet and, in hindsight, I am pretty sure that was one of those moments.
It's not fair to you, and I'm sorry. Hope ya have a great rest of the week. :)
> Apperantly he started the whistleblowing process before any Musk involvement with twitter.
According to his lawyer as reported by someone on Twitter. IIRC, lawyers make statements that guilty clients are innocent all the time.
If he was working with Musk help him wiggle out of the Twitter deal, it would fatally undermine the goal for to come out publicly about the relationship. I'm skeptical unless they can provide verifiable 3rd party evidence (e.g. some document filed before the deal).
Linking to a Twitter thread is a little indirect, but Kim Zetter is a reporter on the infosec beat, and if you scroll up, you can see the link to the CNN article she's discussing. Also here's a video that includes the lawyer saying it out loud. https://mobile.twitter.com/donie/status/1562020176278716416 (@donie is the first person to talk in the video.)
So instead of taking a statement from the lawyer you think it makes more sense to wildly speculate and make things up? The burden of proof falls on the other side now to prove the whistle blowing started after Musk.
A statement from a lawyer saying "this is older" isn't evidence. Until the lawyer shows an example of any form of whistleblowing predating Musk, this is still on them.
I mean I want to give the guy the benefit of the doubt but is the only evidence that was the case this journalist saying "Mudge totally told me he did this before Musk got here I swear."
In real life, if you're in the public square shouting your opinions at whomever will listen it's somewhat risky. Twitter are just providing the same digital risk for the modern public square. It's a feature, not a bug.
I think the thing about reporting things to the board is extremely open to interpretation. The board doesn't need to know absolutely every skeleton in the closet - especially if you're aware and in the process of fixing something.
He tried to change things and was stopped by people actually in power (CEO, the board). Being head of security means nothing if you aren't allowed to do your job. He was also there for less than 2 years. If you read the article, you'll find that Twitter has had awful security practices since at least 2010.
How do you know that? The only way you'd find out is if there is a lawsuit that exposes said information. Everyone here is assuming because they want to believe Twitter is an evil behemoth. I'm not suggesting they are wrong, but this guy could have done the bare minimum for all we know thinking his status gave him basically a free income to do almost nothing. I would wait until more information comes out before making such generalized assumptions.
He just got fired in January. Preparing a 200-page legal document with references and accounts takes time. It had been submitted some time ago, it's only now that CNN got a hold of a copy.
A 200 page document may take some time, but we don't know how the document is even formatted. Have they even released a copy? It could be 200 pages but only 20 pages of basic accusations with no real details for all we know, just pandering to congress and a bunch of email threads trying to indicate something without any context. I still would advise everyone to withhold judgement at this time.
I'm not sure why any sizeable portion of the public would know _any_ reputable cyber security experts. Twitter's CEO said the firing was due to "the impact on top priority work", and whistleblowing 6 months later isn't a surprising timeline when you need to have long talks with an attorney and get your own work-life situated.
That's probably the only thing that could lend Twitter any credence. Though, I'm not sure if they published the 200 page complaint, but none of the news outlets have said that he specifically references Musk, just that Twitter employees weren't aware of the amount of bots on the platform and were discouraged from doing so.
I did find one say that the complaint was already in progress before Musk's deal, and Musk rightly tried to subpoena Mudge for his recent exit. It does sound reasonable that the bot comment was added in light of the fiasco with Musk's deal.
As others have said, being head of security is meaningless if the people in charge of actually making changes refuse to make the changes you prescribe.
I've been in that situation at a previous job. The infrastructure for our service was set up so that EC2 instances would start up and pull their code from a central repo. But this repo was open to the world and did not require authentication. It was only a matter of time before some malicious user discovered this and our proprietary server code got leaked.
It took weeks of hounding and escalating until something changed, and at first all they did was change the security groups to limit where you could connect from, and even the first patch merely limited it to a few /8 and /16 CIDRs that covered massive swaths of AWS-owned IPs. They still didn't require authentication.
It's not his responsibility if someone with more power is sabotaging his work. He tried to do his work, realized it was not possible, and escalated to a higher authority. A bit unusual, but technically a way to maybe solve the problem and still do the job at the end.
I seem to read fairly often about security folk (or even plain ol' sysadmins) bemoaning their companies' security, like their presence or oversight is a box checking exercise rather than a real commitment.
If you've worked for any major F500 Enterprise, this is all par for the course. Currently on a contract with a healthcare giant, while security is pretty tight because HIPPA, generally everything else is chaotic. I'm going to speculate that Twitter is probably worse than the mean, but at pretty much every large company that operates massive pieces of software, youre gonna get a ton of chaos by default.
this was my reaction, too. and I'd add: the legal requirement is basically to have 'industry standard' security; no more and no less. there is no legal requirement to have air tight security (which probably isn't even technically possible at a company of this scale anyway).
>> thing that caused Ken Paxton in Texas to start investigating Twitter?
Immediately thought of this item that came up in my Twitter news feed last week [0]
>> "Elon Musk went to Kevin McCarthy’s Party last night in Wyoming—to celebrate Liz Cheney’s loss. While speaking at the MAGA party, Musk asked everyone to deny that he was there. Musk made sure that no press was allowed anywhere near the property — then people started posting selfies"
I'm sure Musk wasn't there to privately insult the Republican leaders by acting like they're the ugly person that they'll date in private but don't want anyone knowing about — he's almost surely seeking some kind of influence/benefit.
Maybe coincidence, but I certainly wonder about the purpose?
Mudge: "Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I'm still performing that mission," he said."
Seems like a legit answer. No need to accuse people of slinging mud.
Jack Dorsey's not there anymore, and the current executives clearly have a different view. So I think the question of "why now and why like this" is still open. Given how many savvy technologists use HN, I'd bet we could put together a list of thousands of companies with concerning-to-reckless security practices. But for better or worse, most of us don't end up getting our concerns on CNN.
Musk's account was among those that were hacked in the 2020 high profile hack. He made the offer in 2022, he therefore can't claim to not have known that twitter's security isn't 100% and really can't use this in court, I guess
The contract Musk signed was very very one sided, from everything I've been reading there's very little Musk can claim that would let him scuttle the deal.
You’re ascribing the worst possible motives to someone based on your hatred of Elon Musk. Someone who has no known relationship with Musk, who has claimed publicly they started this process before Musk was involved with twitter, and who is a long standing and well regarded figure in the infosec world.
I think you’re gonna need more than Musk Derangement Syndrome fueled conspiracy theories to make your accusations stick here.
>You’re ascribing the worst possible motives to someone based on your hatred of Elon Musk.
I'm not going to claim some big conspiracy here, but I do find this beyond coincidence.
I don't think that this is coming out now because Mudge is acting on behalf of Elon. I think Elon's Twitter bid (and ensuing drama and upcoming lawsuit) and this revelation are part of the same agenda. For better or worse, it looks like influential powers that be are going to take down/over Twitter.
>it looks like influential powers that be are going to take down/over Twitter
Let them, Twitter can't get any worse.
At the very least, lets get to the bottom of the bot problem and expose these companies who rely on bot activity to drive their MAU numbers and as a result, their inflated valuations.
To be honest, Twitter didn't manage expectations. If I register on such a platform, I expect my mail/pwd combination to stay reasonably safe. Reasonably, because there is never a guarantee.
The rest of these expectations are entirely on the users. If people take security as seriously as they proclaim, they should not have registered. To now demand meticulous access controls sounds a bit neglectful to me...
644 comments
[ 2.1 ms ] story [ 184 ms ] threadPrimary for whom? If you polled 50 people on the streets of NYC, I bet fewer than 3 would say they actively use twitter. Now do the same for Des Moines, IA and you maybe get 1?
Here, I'll give it a go: "Environmentalists are furious that Bill Gates kills mosquitos"
If there's no evidence for my claim it must be evidence of censorship, because certainly I can't be wrong.
The original tweet author did not give permission for her thoughts to be published in so many articles and apparently endured a lot of harassment(She indicated this on subsequent tweets). She eventually deleted the tweet.
This was the original tweet: "Shame on Netflix for this. After this past year especially, to then release a film that is literally white people murdering Asian people based on stereotypes and fetishization??? Hard pass.”
If you google that quote you'll see how many articles quote that tweet.
There were no winners in this whole saga. The movie takes place in Tokyo so of course asian men are going to be the bad guys. So Netflix endured negative press for nothing. The press didn't actually change anything about the film, it obviously pissed off enough people that it caused them to start looking for the tweet author to harass her and finally she deleted her tweet. Who were the winners? The site owners making the money I guess. The whole thing really shows how much of a joke online media is. When regular establishment press is not that good either, what are people to do?
These aren’t ideas that can be peacefully mediated.
Ironically the white female actress who plays the assassin in the film: Mary Elizabeth Winstead was herself a victim of massive online targeting and harassment.
She had already once deleted her public accounts in protest after the famous iCloud hacks in the early 10s because people were ogling her private nude photos and then harassing her about it after she scolded "the internet". She came back a few years later only to delete everything all over again in 2017 when she got non stop barrage after she went through a bad divorce. Its tough for actors who are in the business of selling themselves to just walk away from all public social media.
I think people who weren't into tech and who came of age before the internet became mainstream might be the first people to disconnect from this social media nonsense. She was early 80s and homeschooled to focus all her waking moments on becoming an actress. Gen-Z/Alpha might never disconnect. Have they ever known anything different? It will be interesting to see what happens.
What about twitter makes this situation special?
And it’s possible to cherry-pick people to push any narrative you want. Like the NYT talking about how GenZ is very pro-life, quoting several pro-life youngsters. Meanwhile buried somewhere in that long article is the lede - only 20% of GenZ is pro-life.
Twitter has a lot of journalist users so, yes, it does tend to move the whole dog.
Facebook is a great platform for actually getting normal people to see our content and invite them along to our meetings and such. Twitter, on the other hand, has a far more niche audience - but I know for a fact that the niche audience includes several state legislators who follow us and interact with our tweets, and we've gotten several press stories via contacts we've made with journalists over Twitter.
If you've got a message to get out there, it's a highly strategic platform.
[0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...
What prevents that from catching on at scale is, the "big boys", like MS, FB or Google, mostly not playing ball and never implementing these in their own messaging platforms, to keep their gardens neatly walled from each other.
As intraplatform exchange is not really in-line with what most of these platforms are striving for these days; Interactions with their own platforms and the advertisers on it.
I have yet to receive spam on my Mastodon or XMPP address (which I treat like my telephone number).
My can and string communications network doesnt have any spam either.
Unpopular opinion: I think it's awesome that a private company has created a platform like Twitter. It's kind of like comparing a private amusement park with a public park: one has roller coasters, water slides and an arcade... the other has a swingset and a nice field of dried up grass.
> the fact that it's at the whims of a private company
How is this worse than at the whims of the crown?
> there is an environment that is ripe for the encroachment of digital rights
I love that were even talking about having digital rights.
How is this worse than at the whims of the crown?
The tiny detail that we're not having a crown anymore.
I had to scroll down past the posts dismissing the issues to get to this one. The news at this point is also conveniently not trending on Twitter even though I am pretty sure a lot more people are Tweeting about it than about Doja Cat right now (who is trending).
I also didn't even see the article, tweeted by CNN, even though I follow them on Twitter.
We're officially chest deep in the era where nothing popular on the Internet is trustworthy nor credible, and where nothing works as expected.
My solution is the same as it always has been... Never respect them enough to enter your real (government) name, and never post anything that you can't afford to have compromised. There is no end to what modern data greed will use your data for.
Not true. If anything Twitter is a cancer on our discourse that should be disdained, not something that should be enshrined as a fixture into our lives.
> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors
Wait until you hear about the large cloud provider running RHEL5... (I worked at said provider).
> allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight
It'd be even easier if you find an employee who's on the same political team as you.
It's one of the reasons I disliked Twitter forcing the use of mobile numbers for 2FA, they're just not sufficiently trustworthy. And I have an account under my real name! If I were a political dissident etc that just feels like an insane idea.
https://www.usnews.com/news/technology/articles/2022-08-23/i...
why?
Where it gets deserved opprobrium is that it has no memory safety features, and thus inherently contributes to gobs of security vulnerabilities, and there are safer alternatives now, like Rust.
C is basically "portable assembly", and it's rarely the right tool for the job these days.
"This guy": https://en.wikipedia.org/wiki/Peiter_Zatko
That 500k servers in Twitter infra are missing patches certainly is true and what was likely in the original was a statement that stored data that should have been encrypted at rest was not, and/or that acceptable standards for data at rest encryption, a relatively rapidly moving freight train, were not maintained.
One definition is "the underlying disk is encrypted". This is true, by default, of virtually all cloud environments these days. But it really only protects you against physical access to the storage media, which actually is far from the top threat.
The other, more useful/meaningful definition, is "we encrypt everything at the application layer before it is placed into the DB, and all decryption requests are logged by user". For example, using an envelope encryption scheme to encrypt data before it is stored in a DB, and upon retrieval decrypting the data with a call to something like KMS. In that environment you can literally give readonly DB access to all your developers and not have to worry about PII being exposed. If hackers somehow got access to your DB, they wouldn't be able to read sensitive data, and if they also managed to get access to your KMS credentials, any attempts to decrypt the data would be tracked and logged.
My point is that when many companies say "we encrypt your data", they are usually just talking about the first thing, but that doesn't really provide that much additional security. The second definition is really what you should be doing.
The thing is FDE essentially only protects your data when your machine is powered off. Once your machine is booted and you've logged in any block level encryption ceases to be relevant, because to get to the point of running your machine has to have loaded in the relevant key material to decrypt. From that point on user space code no longer sees a difference between encrypted and decrypted drives. In other words FDE is not relevant is you lose a powered on device (post login if relevant to the platform), and you're the kind of person people are actively targeting (I recall recently? the content of someone's phone or such being dumped by the FBI because they grabbed it while it was being used).
That's why modern OS's have different key classes, there's the lowest level which is just FDE, but you can have higher levels where requesting key material essentially just gives you a handle to that material. Then the OS, or preferably hardware with a much less complex OS, manages those handles and invalidates them according to policy rules. e.g you may want your phone to have access to your address book while your phone is locked, which does not mean you need your call history available as well.
The policies provided by OSs tend to be fairly simple because it's better to have an easy to understand API that is easy to use and hard to screw up than a more "powerful" API that is easy to screw up and hard to use (the latter resulting in people simply not encrypting things at all). e.g iOS/macOS only has the following file protections when you create files: "NSFileProtectionComplete", "NSFileProtectionCompleteUnlessOpen", "NSFileProtectionCompleteUntilFirstUserAuthentication", "NSFileProtectionNone", but they're very easy to understand.[1]
I tried to find the android equivalent but I don't know the terminology that's used and I just get linked to instructions on using AES, so if someone could link the correct doc I'd appreciate it.
[1] https://support.apple.com/guide/security/data-protection-cla... and https://support.apple.com/guide/security/keychain-data-prote...
From https://www.washingtonpost.com/technology/interactive/2022/t..., page 6:
"..more than half of Twitter's 500,000 servers are running out-of-date operating systems so out of date that many do not support basic privacy and security features and lack vendor support. More than quarter of the 10,000 employee computers have software updates disabled! More than half of Twitter employees have access to Twitter's production environment -- unheard of in a company the age and importance of Twitter, where nearly all employees have access to systems or data they should not. At Twitter engineers work on live data when building and testing software because Twitter lacks testing and stage environments; work is conducted instead in production and with live data..
"This did not happen overnight. To get where Twitter is today took.. many years.. required repeated downplaying of problems, selective reporting, and leadership ignorance around basic security expectations and practices."
If you're trying to prevent an actor who has gained a foothold on a box/network from seeing plaintext data that is actually in use by the actual production system at that very moment, you're looking for a much stronger type of control - probably some sort of client-side encryption or obfuscation/tokenization
So it is just a checkbox then.
Big tech was taken over by bean counters long ago, the fact that it’s all running on duct tape and popsicle sticks under the hood will come back to bite us when we have a digital Pearl Harbor event.
China will invade Taiwan and the first shot won’t be physical, it will be activating the 30 years of assets they grew in AWS/GCP/cloudfare/level3/AT&T/Etc
Most of their HR/engineering departments are completely retarded. They’ll hire any H1B who passes l33t code that accepts $50k under market rate then give them repo access in a few weeks. Our soulless megacorps are beyond easy to penetrate by hostile intelligence.
The CIA/NSA/FBI, you know the groups who we pay billions per year for and they take half my income to fund will of course not catch any of this.
The FBI is too busy manufacturing domestic terrorist, the NSA is too busy hacking American companies, and the CIA is too busy importing drugs to actually secure our country from foreign attack. Why? Because it’s been so long since we were actually attacked they believe it can’t happen so why not loot Rome in the mean time?
The reach of HN on the tech world is highly influential, and for sure it is weaponized in "communication wars" across actors with different interests.
EDIT: that doesn't mean that the given information is necessarily false, it is just presented at the right time, to promote one view of the world. Also when Twitter hit bottom some years ago several HN submissions remind us how they declined being purchased by Facebook etc, and social network giants have a large track of understanding how such information flows and influences people.
So it may just be another event which will drive Twitter's price down even further and make it a _worse_ deal for him.
From Bloomberg "The buyers could only back out of the agreement in the case of a material adverse effect, a high bar that excludes issues like market volatility or industry challenges." (https://www.bloomberg.com/news/newsletters/2022-07-13/elon-m...).
I suppose one could argue that the Whistleblower's report is "material adverse affect", something I'm sure will come out in the trial.
So about a few hours.
*Walter Bloomberg @DeItaone ELON MUSK’S LEGAL TEAM HAS SUBPOENAED PEITER “MUDGE” ZATKO, TWITTER’S FORMER HEAD OF SECURITY - CNN 8:30 AM · Aug 23, 2022·TweetDeck
Why, it explains Musk's confidence that Twitter was up to something with its fake-account stats... It must be true!
In my experience I've found it rare that user content is ever actually permanently deleted for various reasons.
advertising, controlling executives, and government spying
He has a track record of making up ridiculous stories that serve his task masters. Remember the "Hong Kong Blondes"? Oh right it turned out to be completely fake.
While one may (not wrongly) think that this is a bad idea in general (unless you subscribe to post-privacy), I think it is our duty as a society to protect those who don't have a full grasp on the implications of bad IT security.
In my opinion, fines for cyber security violations should be swift and harsh (GDPR goes in the right direction in terms of how high the fines are, but it is barely enforced). From my POV that is the only thing that will force companies to actually invest in cybersecurity. Maybe there should even be a law mandating security reviews if you handle any PII.
I don't doubt this, but the source is someone with fairly deep ties to the US intelligence services. Why should he be allowed a job and not people with ties to foreign agencies?
TLDR; Someone like Twitter, Google or Facebook should have 'some of our employees are malicious and sophisticated' as part of their threat model.
Or they will use money or kompromat to turn existing employees.
I would estimate there is a 100% chance that every one of those companies listed, has multiple employees who work for or are sources for US domestic and foreign intelligence services.
It should be expected and part of their internal systems that people only have access to the shared drives they are meant to.
What are you basing this on?
I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage lax permissions.
This is rampant. How is this a story?
Cynically, because it's twitter, and it's trendy amongst a certain subset of the population to bash social media in general and twitter in particular. And I think your point is fair.
(FWIW, I think social media has if not caused, then certainly exacerbated, some major problems at individual, societal, and global levels, but by no means do I think twitter is the biggest contributor. I don't think we'd see the kind of unconstructive political polarisation we're seeing in the US and UK and perhaps, to a lesser extent, within the EU, without it.)
Except like the linkedin "hack" which was just a scrape of peoples profiles, the twitter "hack" was someone running phone numbers through the "upload you contacts and find your friends account" feature.
They are both barely stories, except to remind people that posting stuff publicly is public.
>They are both barely stories, except to remind people that posting stuff publicly is public.
The reoccurring issue is that Twitter and other companies are convincing (and often forcing) you to do something unsafe like linking your phone number, while telling you that your data will be kept private and at the same time opting you in by default, or aggressively marketing, an option that compromises your security.
I'm sure you may be smart enough to know this compromises your anonymity, allows stalkers to find your phone number, etc. but the 99% of users wont.
Linking everything to a phone number is a major dark pattern that benefits the corporations while compromising the user. So rightfully, these malicious and harmful practices should be called out.
Twitter has some 200+ million daily active users and should act like it.
The reason there isnt "leak" from google is because they dont offer the functionality to look up your account by your phone number.
Basically we work on keeping everything patched and try not to create any obvious issues. Honestly, I think the best thing we have going for us is obscurity.
1) Like a car mechanic, these people get paid to sell you solutions and they are incentivized to sell you more.
2) Plenty or honest people have biases because of what they do. If you spend all day thinking about security you might be overly concerned about things that are actually not that risky.
This isn’t to say that there aren’t great people working in the field. But it’s daunting from an outsiders perspective.
You don't want your doctor to overlook any problems just because they are rare because your health is really valuable.
Develop an empirical understanding of risk management. While we can't predict the future, through well established techniques and adequate resourcing, professionals can achieve consistent results that are far better than random guessing. Risk management principles drive not just corporate stragegy writ large, but entire industries like banking and insurance.
They have gotten away with so much for so long, they live in their own disconnected reality.
When things break some of them cash out. Others find someone to blame. They don't pay a price at all. And the cycle continue.
In China atleast people are scared of the govt. In the west its a total joke how no one is ever held responsible.
Citizens should respect Government, and Government should fear citizens?
I think we are straying away from both of these at the moment.
[1] - Of course, this isn't the complete picture: China has a penchant for arbitrarily dealing a heavy hand to law-abiding companies/persons.
Walk through the controls list, see where you compare to the controls and sub-controls and then start to establish a path forward.
I think it’s still not clear how you should build a security org, and if you should at all (should security be part of normal workstreams of your devs?)
Btw I wrote about my experience in https://securityhandbook.io/
Some time back, I got a copy of "A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving" so that I could properly quote back the use of best practices.
https://en.wikipedia.org/wiki/Best_practice
With most times people are looking at best practices, they skip to the decide step without defining the problem - that's even been done here. Is there a best practice for non-cybersecurity at private business? Well, yes - but first, what is the problem that is trying to be solved? There's no "get this book of everything to do and you're good". On the other hand a "we have customer data that includes PII data, we need to secure the data and prevent casual examination of it in house" is a problem that can be looked at and a best practice can be found.
The best practices involve a survey of looking at other organizations and seeing what they have done - what worked and what didn't.
> Part IV "Smart (Best) Practices" Research - Understanding and Making Use of Whatlook Like Good Ideas from Somewhere Else
> It is only sensible to see what kinds of solutions have been tried in other jurisdictions, agencies, or locales. You want to look for those that appear to have worked pretty well, try to understand exactly how and why they may have worked, and evaluate their applicability to your own situation. IN many circles, this is known as "best practices" research. Simple and commonsensical as this process sounds, it represents many methodological and practical pitfalls. The most important of these is relying on anecdotes and on very limited empirical observations for your ideas. To some extent, these are - one hopes - supplemented by smart theorizing. This method is never perfectly satisfactory, but in the real world the alternative is not usually more empiricism but, rather, no thoughtless theorizing.
> Develop Realistic Expectations
> Semantic Tip First, don't be mislead by the word best in so-called best practice research. Rarely will you have any confidence that some helpful-looking practice is actually the best among all those that address the same problem or opportunity. The extensive and careful research needed to document a claim of best will almost never have been done. Usually, you will be looking for what, more modestly, might be called "good practices."
---
A "here is a list of all the best practices, follow these" is the wrong way to try to use best practices but rather relabeled cargo cult security.
Also, build a risk matrix of security risks the company can face by impact vs likelihood of the risk happening. Get someone senior to sign off on it.
Use the NIST CSF and the risk registry with senior leadership support to guide the work you do.
Itll be easier if you think about security as understanding your risk posture as an org, and that risk is either fixed at your level, carefully escalated to outside your teams for a fix, or labeled and accepted risk. security teams should never be the ones to accept risk, so get a a manager to see and acknowledge in writing whenever it’s decided to just roll with a known vuln you’re Unable to fix without more time/money/tech. Try to fix as many risks as possible at your level as to not build an alarmist rep. Then, that leaves space to escalate into cross-team fixes (and you can point to the NIST CSF and the risk register with a senior leader’s sit side as a baseline reason for why they need to fix it).
Do you have runbooks for your systems? (describes how to operate the system normally.)
What about playbooks? (how to handle errors)
Have you game-day-ed various failures? How long does it take you to restore everything from backup? What order do you bring your systems up?
What level of monitoring do you have on your systems? Can you spot unusual activity? How quickly?
What sorts of firewalls? Say "system X" is compromised. How far could damage spread from there?
Obscurity won't protect you when cybercrime is a business model.
You do have a pretty good idea then. Sadly, this is exactly what it looks like at the moment: because business decisions are made by clueless dummies, there’s no way to sell a proper product; to make money you need to focus on snake oil instead.
If you don't know how that's a story I don't know how to explain it to you, I can only assure you many people will find it extremely newsworthy.
Maybe I'm a bit jaded by what I've seen, but that doesn't seem too far off from normal American business culture. Deflection and manipulation seem to be par for the course. It's why lobbyist exist. Companies want permission to do/not do the things they're not currently allowed/required to do.
The ones that get caught are normally a few bad actors that whistle blow. The companies where it's ingrained in their culture get away with it. Of course...this is all my own experience :)
Because it's being publicly revealed.
If the lax security you describe at other companies were also revealed, maybe more would be done to fix it.
And, oh yeah - there is no "conspiracy".
My claim is that this specific story which is most likely true but in no way surprising gets amplified right now because some specific powerful people wanted it so.
That said, given foreign influence campaigns in the news in the last 6 years, this would’ve been news then too. I’m sure it was news back in 2010 when the FTC ordered it to fix the problems.
Who are these "powerful people"? And why do they care about Twitter so much? Most powerful people aren't even ON Twitter.
Are they enamored with him - for sure, are they in his actual pocket? Doubt it.
Bro. It's not every day that literally Mudge, who has -no doubt- seen his fair share of shit-shows, whistleblows on an employer.
Well, it's on the front page of CNN right now for starters, so that means it's probably significant to a lot of people...
If you have a business, you most likely need to promote it on Twitter, or to at least reserve an account there so that someone else won't impersonate you. You also need to do that on almost all other major social platforms.
If you have a business or personal account on Twitter, your direct messages, the data the system generates about your preferences and interests, your geo-coordinates, and everything you post, including control of how your account works can apparently be accessed by too many people within the company.
It's a pretty big deal for anyone that uses the platform citing all that... Not something that should just be "left to it's own devices" because everyone else is doing the same. All cases of data abuse/misuse should be addressed, but addressing one this big would also be a pretty big deal.
https://www.ftc.gov/news-events/news/press-releases/2011/03/...
That said, all these stories are important to the public.
What I can't figure out is what's this guy's beef that he went revealing all this? Was he fired or demoted or something and thought to get his own back?
Seems like a legit answer.
He was fired January last for alleged poor performance. Totally can see now why it's all come to light, less the altruistic urge to make things secure, and more the old case of flipping the bird to a former boss.
That’s quite a generous take. There were plenty of excellent hackers in the 90s, but “L0pht” just seemed like the PR friendly one that could go on good morning America.
Can’t tell if this is real or just a 90s security person trying to stay relevant after being fired.
High profile doesn't mean best it just means high profile.
I imagine this hurts Twitter's defense against Musk from pulling out of the takeover deal, or, is this whistleblower's account inadmissible?
Mudge could be subpeonaed, just like Jack was just subpeonaed.
(That account tweets bloomberg alerts)
Not really because they have consistently said "this is what we do, it's a finger in the air estimate based on sampling, it might be right, it might be wildly wrong, there's no agreed methodology for this".
For someone to then go "they don't fully understand the true number of bots! GOTCHA!" is dumb because it's literally just pointing out exactly what they've said in their SEC filings since 2013.
I don't understand how you can look at his public behavior and think anything else. The only alternative is that he thought doing shitty things was a rational way to improve his situation, and I personally think that's a worse option
Nobody said it was easy, but it's certainly harder if you don't try.
They've been filing their methodology for bot counting with the SEC since 2013.
If they're not making a "meaningful effort" and it materially affected the stock price in some way, either the SEC or a shareholder would have gone "HOLD ON SHENANIGANS O'CLOCK", surely?
It can't be that the entire world was A-OK with Twitter's bot counting until June 2022 when a man claiming to want to buy Twitter to fix the bot problem got cold feet on a market drop...
And to give Musk an out, which is what this tangent is about, not only do they need to have actually lied, the lies need to have had a VERY substantial effect on the price of the company.
The bot thing simply does not help Musk get out of the deal he's made. That is not the same thing as "Twitter are great at dealing with bots and have been very transparent about how they do it", but that's not the bar that has to be cleared here.
No, they haven’t. They describe at a very high level the amount of sampling they do (100 accounts a day? Really, that’s it?), but don’t discuss the methodology used, such as what they use as signals and indicators of botness. That’s not “filing their methodology“, it’s covering their arses.
True, but probably quite successful. So this will most likely not save Musk.
Today's question on your statistics 101 exam:
You have a population of 100 million people. You estimate that the true probability of some statistic is about 5%. What sample size do you need to be 95% sure that you are within 5% of the correct answer? Answer: 73.
(No really, this kind of question is absolutely going to be in a Stats 101 class. And sample sizes really don't need to be that big to be accurate.)
1. "Finger in the air estimate based on sampling", aka. "don't read too much into it"
2. "Not more than 5%"
3. "Methodology can't be understood externally"
However, there's enough here, provided by a highly-credible technical expert, and under consideration by the US Congress, that Musk's litigation team has a strong opportunity to find at least something that holds up as a material misrepresentation, even if relatively minor, and then link it to the broader effect of this document, which could very well rise to the level of a material adverse effect.
So, where bots are concerned, bad but not disastrous; for everything else -- well, let's just say that Musk's litigation team are burning incense to the gods this morning, while a whole bunch of Twitter execs are going to be spending the next few weeks getting grilled by their own retained counsel, at an even more exorbitant hourly rate than they were paying before.
From a purely legal perspective, this really shouldn't matter much. As has been pointed out many times, Musk explicitly waived due diligence when he signed the contract. Also, it's still laughable to think that Musk's real reason for wanting to get out of the deal is the bot problem (instead of the obvious reason of the market tanking), when Musk himself made the argument that a big benefit of him buying Twitter is that he would be able to clean up the bot problem in the first place.
From the court-of-public-opinion, though, I think it does give Musk more leverage for a negotiated settlement to get out of the deal, which is really what he wants. I don't think Musk really thinks he can win in Delaware, but the longer he drags things out and the more pain he causes Twitter the more incentive they have to negotiate cancelling the deal.
>Musk lawyer Alex Spiro said they want to talk to Twitter whistleblower. “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
https://twitter.com/donie/status/1562056198425288704
Even in what I'd guess is an "ideal" situation, of tractable technical&process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.
I also hear of a lot of much-less-than-ideal situations.
Is this an accurate statement?
If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?
Thing is, now that it’s possible for Twitter, Twitter can never brush off this suspicions again.
We’re literally not sure, by using Twitter, that we see the speech of that person.
For instance, consider the Twitter DMs exchanged by Donald Trump, Jr and WikiLeaks. In that particular case, the communication was acknowledged by the party in question, but imagine the two possibilities thousands of employees being able to act on the part of users opens up:
1. Twitter employees could fabricate a criminal conspiracy by creating messages between multiple Twitter accounts.
2. A criminal conspiracy can now use the "Wasn't me, must have been some random Twitter employees" defense.
It would be quite easy to argue that a highly-politicized org like Twitter _might_ alter tweets or DMs to implicate someone in the opposing party. That’s reasonable doubt that at least some jurors would buy.
But that turns into "there was a sizeable conspiracy to fabricate evidence", as opposed to "a random person out of 2000 got bored, had a grudge, decided to have a laugh, and was acting alone".
I could see this being billed as a feature of a privacy-forward chat platform. Messages are slipped into conversations without either party having actually sent them and no way to tell whether they were real or not.
Eg. simple things like tracking-busters where it randomly clicks links in headless chrome to fool the algorithm, p2p vpns where you use a random user’s IP address to randomize who made what request, etc.
There is also a school of thought that you should periodically publish private keys for plausible deniability (“was it me, or did someone sign that after I published the key”).
Could be thwarted by some kind of "source" database column/field/value that says "this is a tweet made by God mode"
Whether Twitter has that field, if it is internal only, and if they would share it with the public/a court of law, I have no clue
1. No employees have direct, immediate access to user accounts or data.
2. Only a small number of employees should ever be able to gain access to user accounts or data, for the purpose of resolving issues directly affecting said accounts or data.
3. Access is only granted to one specific user account at a time, and only for a limited amount of time.
4. Access to a user account requires at least one other person to sign off on the access-grant.
5. Every operation performed upon a user account -- viewing a field, modifying a field -- is logged in a place the people from #2 and #4 do not have access to.
6. Access logs are routinely audited for perfidy.
7. Gaining accesses to user accounts or interacting with them in a way that is not necessary or attempting to circumvent the above process must be a don't-bother-cleaning-out-your-desk-we'll-do-it-for-you offense.
With policies in place like that, you reduce the insider risk to user accounts. You need multiple people directly involved in secretly accessing or taking over a user account, and you potentially need dozens of others (the potential auditors) to be complicit. The more people you have involved, the more likely it is someone shuts it down, or at least blows the whistle on it when shit hits the fan.
If someone can just get drunk one night, open up a user account, tweet something, then SSH over to the audit server and drop the rows from the access log indicating what they did, and there's no way to even prove something happened, let alone who did it.
Usually developed for testing purposes (easiest way to reproduce a problem, after all) and prevents password-sharing. But it can obviously be used for evil, and so it should be heavily logged and flagged.
This is a clear breach of infosec if there's a $#%*# su to post as Waldo and Waldo can't see that post.
In fact it seems ONLY possible to do _evil_ with that feature.
Has Twitter ever been in the news for properly making even a thousand people successful from scratch really ever in the product's life?
They have pipelines of exploitation for everyone that gets "discovered" into contractual nightmare deals, they require tons of free labor and costly hurdles just to become notable and visible on the platform, they extort people promoting their independent work for ad money, they don't protect anyone's privacy, they are VERY MANIPULATIVE in multiple (psychological) ways, they offer very little support or fairness when accounts are compromised, hijacked, or stolen, and they impose a stranglehold on information through lobbies and suppression of independent art and music.
Social media took over the Internet after they wooed everyone into the ideal that they would operate fairly. Now that they have captured full attention, they have turned on users and they offer very little to anyone who doesn't pay, and can't offer reliable security to anyone. There are some serious "God Complexes" going on with having access to the personal data these systems harvest ON EVERYONE in conjunction with mobile devices.
I really hate to say it would actually probably make me feel better if most of the large data monitoring sites/apps went away rather than stayed in place, because they make almost every aspect of the Internet work against us all.
Twitter has had several opportunities to fix how it operates. The platform also generates tons in annual revenue to fix how it operates. Twitter has lots of employees that could fix how it operates. Twitter has also had numerous security breaches, and it regularly causes tons of stress for users. Twitter continues to focus on only pleasing it's sponsors, investors, and execs year after year and repeatedly stretching the promises it was built upon.
I can't say I want to see this whale fail, but I won't miss it if it does.
Yea, that's the game. They are a for profit business. This situation will happen every time. Profits over people, line must go up!
In the case of data harvesting, data is the most valuable resource. You can control what people want using data. No entity should have unfettered access to data — it is undeniably evil in the truest sense of the word. Which, in the context of my use, means to decay forward progress or to increase aggregated suffering.
They will not fix these issues until the public makes it so painful not to, that they must. As an example, how is Experian still in business after what they’ve done? They should have had a $100 billion+ fine levied against them, and that fine should pierce through limited liability to the extent that the board of directors and C-level staff are liable for it. The company and any owners of it should be bankrupted and living in poverty after what they’ve done.
Until we make PEOPLE liable for the evils they induce on others, this will keep happening. I don’t get limited liability if I went out and murdered someone, why should the PEOPLE running companies have limited liability when they murder millions with pollution, or with financial terrorism? Answer: they shouldn’t.
It's the best chance we have to stop this horrible trend. Companies have shown repeatedly that they are not trust-worthy nor responsible enough to self regulate.
You're making a distinction without making a difference. Regulating public forums for their content outside of illegal content has never been not abused. The UK is learning this the hard way with the police "checking the thinking" of netizens.
If you think companies are bad, then imagine politicians. I can switch off to another social media but I can't switch out to another state.
For what it's worth, as someone running a high-five-digits account, it is possible to get notable on Twitter - you just have to put in a ton of work to make quality content people are actually interested in.
Hard work for free does not make sense in this type of post-pandemic world we live in... It's too "Marie Antoinette-esque" of people to say it's anywhere near reasonable.
There was the Arab Spring (https://en.m.wikipedia.org/wiki/Arab_Spring), where it played a significant role.
I mean, surely, it some people were successful, but success of warlords intending to genocide blacks in Lybia or starting a new violent caliphate or kidnapping boys en masse to be child soldiers is not the sort or success I want to be enabled with technology.
Go tell that to Raytheon and Blackwater as well.
Could you ever trust them? Honest question.
I mean, it's not really doing a good job of any of that either.
Because investing in IT security usually has no apparent profit incentives, so most companies leadership will consider it something of very little importance funding wise.
Particularly in the current climate where even minor hacks, and simple ransomware infections, are regularly made out as some kind of "act of God"/allegedly done by some super advanced "state actor", to create the narrative how it just wasn't preventable with the resources of a private company.
Which outsources all the responsibility to ominous intangible parties based on wonky, and often politically motivated, attribution, while holding nobody responsible for running outdate software in exploitable combinations, thus creating the problem in the very first place.
How do you make those people interested in it though?
(If they weren't, originally when you hired them.)
Adding the right KPI? What'd those be
What if they aren't any bright, just have a good self confidence?
[1]: https://securityhandbook.io/
What happened that caused him to suddenly start whistleblowing now, and not in January? Was it the same thing that caused Ken Paxton in Texas to start investigating Twitter?
This just looks like pretty plain mud-slinging from Musk's team to be honest. Especially since the Whistleblower seems to basically be blowing the whilst on himself.
The bakery also sets precedent as it did go to the supreme court, and it was used as a rallying cry by politicians on the right.
And whether a bakery serves your gay wedding or not is perhaps the most petty and inconsequential thing to be upset about. There are thousands upon thousands of bakeries in a large city. You can learn how to bake a cake in a weekend and home-bake your wedding cake yourself, or any one of your wedding guests can do this as a wedding gift. You can go to a no-gays-allowed bakery but simply not tell them you're gay, and take a finished cake from them then write your own name and that of the guy you will marry on it yourself. You can not get cake at all and instead get any of the thousand other types of wedding sweets and food.
It's almost like the whole thing is a hilarious non-issue that some people just invented to cry and act like victims about.
There are not thousands of bakeries in any city. Many towns might have none, or one. In that regard, the bakery will have an actual monopoly on baked goods to people living there.
Large corporations lacks those individual rights for obvious reasons, so large corporations should be forced to provide services to everyone even though individuals shouldn't always be.
On users. Any network is worth a function of the number of nodes in it (typically a quadratic). Social Media are networks that link humans, and there is a finite number of humans (or, more accurately, internet-connected humans with time to spare) that grows very slowly and inevitably will stagnate. That means a social network is in direct zero-sum competition with all the other networks, and a giant like twitter hurts everybody else by concentrating a signficant proportion of users into a single (aweful) place, destroying competition by the lock-in effects of network dynamics.
>There are not thousands of bakeries in any city
There are in my city, actually. Dialing the number down to the hundreds or the high tens doesn't signficantly change the validity and implications of the argument either.
> In that regard, the bakery will have an actual monopoly on baked goods to people living there.
If you can actually prove that in a court, and if you furthermore prove that the complaining party will incur significant costs to themselves if they try to seek another bakery elsewhere (by a resonable legal definition of 'significant'), then you have my full blessing to force people to bake your cake.
Until then, comparing an easily-replacable food product with tons of suppliers and publicly-available recipes to a proprietary service supplied by a corporation with thousands of servers, thousands of employees and tens of millions of users is ideologically motivated bullshit.
[0] https://techcrunch.com/2017/05/01/judge-argues-net-neutralit...
https://www.nytimes.com/2018/06/04/us/politics/supreme-court...
Media only got its hands on the leaked material now.
>Zatko began the whistleblower process before there was any indication of Musk’s involvement
Define "Began the whistleblower process". Because that seems like an extremely fuzzy way of saying this. And even if you accept that he was genuinely a whistleblower in good faith trying to do this, which I'm perfectly willing to accept, the fact it's coming out in public now is still convenient timing.
It does say
>The disclosure, sent last month
Which means that the actual firm date we have coincides perfectly with Musk's legal wranglings.
>Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning.
So, breaking it down more concisely:
1.) Fired in January
2.) Musk tries to buy Twitter in early April
3.) Complaint filed with SEC in July by Mudge ("way [after] EM entered the picture")
4.) WaPo published redacted, 200-page report today
[1]https://www.theverge.com/2022/8/23/23317857/twitter-whistleb...
Edit: This is not an endorsement of mud-slinging, just an attempt to make sure everyone knows what actually happened and when, at least as best we can discern at this point.
Probably because most of us in the chain you're replying to didn't have the time to read an 84-page source document in the middle of a work day (note the time of our comments and how late to this particular chain you are), hoping that a nugget of information like that would be dropped pretty early on in it. Hence my edit at the end, which I had hoped would have made it clear that I was open to being corrected.
But thank you so much for that snarky comment while you clarified things. You're so much better than us for finding that, how could we have ever been so daft? Forgive us?
Apologies for having offended you.
It's not fair to you, and I'm sorry. Hope ya have a great rest of the week. :)
And much good luck with your situation.
Here’s hoping you overcome the things you are struggling with!
https://twitter.com/KimZetter/status/1562061556745089025
According to his lawyer as reported by someone on Twitter. IIRC, lawyers make statements that guilty clients are innocent all the time.
If he was working with Musk help him wiggle out of the Twitter deal, it would fatally undermine the goal for to come out publicly about the relationship. I'm skeptical unless they can provide verifiable 3rd party evidence (e.g. some document filed before the deal).
Whistleblowers are by definition insiders.
A typical whistleblower would say "There were security problems, and the head of security ignored them."
Here, it's "I was the head of security, and security was shitty. I was doing a shitty job, and that's a terrible scandal!"
But if I were a betting man, I do think both Twitter and Mudge's respective track records would place me in Mudge's camp.
I did find one say that the complaint was already in progress before Musk's deal, and Musk rightly tried to subpoena Mudge for his recent exit. It does sound reasonable that the bot comment was added in light of the fiasco with Musk's deal.
I've been in that situation at a previous job. The infrastructure for our service was set up so that EC2 instances would start up and pull their code from a central repo. But this repo was open to the world and did not require authentication. It was only a matter of time before some malicious user discovered this and our proprietary server code got leaked.
It took weeks of hounding and escalating until something changed, and at first all they did was change the security groups to limit where you could connect from, and even the first patch merely limited it to a few /8 and /16 CIDRs that covered massive swaths of AWS-owned IPs. They still didn't require authentication.
1. You find out all the problems. 2. You can't fix all of them (many reasons here, not all malicious) and are setup to take the fall.
Rinse and repeat.
Immediately thought of this item that came up in my Twitter news feed last week [0]
>> "Elon Musk went to Kevin McCarthy’s Party last night in Wyoming—to celebrate Liz Cheney’s loss. While speaking at the MAGA party, Musk asked everyone to deny that he was there. Musk made sure that no press was allowed anywhere near the property — then people started posting selfies"
I'm sure Musk wasn't there to privately insult the Republican leaders by acting like they're the ugly person that they'll date in private but don't want anyone knowing about — he's almost surely seeking some kind of influence/benefit.
Maybe coincidence, but I certainly wonder about the purpose?
[0] https://twitter.com/FriendEden100/status/1559974086264209414
https://twitter.com/donie/status/1562069281545900033
CEO of company defends organization and says previous employee has ulterior motives... Not okay, I hate big tech companies.
See a trend here?
Seems like a legit answer. No need to accuse people of slinging mud.
I think you’re gonna need more than Musk Derangement Syndrome fueled conspiracy theories to make your accusations stick here.
I'm not going to claim some big conspiracy here, but I do find this beyond coincidence.
I don't think that this is coming out now because Mudge is acting on behalf of Elon. I think Elon's Twitter bid (and ensuing drama and upcoming lawsuit) and this revelation are part of the same agenda. For better or worse, it looks like influential powers that be are going to take down/over Twitter.
Let them, Twitter can't get any worse.
At the very least, lets get to the bottom of the bot problem and expose these companies who rely on bot activity to drive their MAU numbers and as a result, their inflated valuations.
The rest of these expectations are entirely on the users. If people take security as seriously as they proclaim, they should not have registered. To now demand meticulous access controls sounds a bit neglectful to me...