5 takeaways from Twitter whistleblower Peiter Zatko

SAN FRANCISCO (AP) — Shocking new revelations from former Twitter security chief Peiter Zatko have raised serious new questions about the security of the platform’s service, its ability to identify and remove fake accounts, and the veracity of statements made to users, shareholders and federal regulators.

Zatko — better known by his hacker handle “Mudge” — is a respected cyber expert who first rose to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Projects Agency and Google. Twitter fired him from his security job earlier this year for what the company called “ineffective leadership and poor performance.” Zatko’s lawyers say that claim is false.

In a whistleblower complaint made public on Tuesday, Zatko detailed his 14-month effort to strengthen Twitter’s security, bolster the trustworthiness of its service, fend off intrusions by agents of foreign governments, and measure and take action against the fake or “bot” accounts that spam the platform. In a statement, Twitter called Zatko’s account of events a “false narrative.”

Here are five takeaways from that whistleblower complaint.

TWITTER’S SECURITY AND PRIVACY SYSTEMS WERE WOEFULLY DEFICIENT

In 2011, Twitter settled a Federal Trade Commission investigation into its privacy practices by agreeing to put in place stronger data security safeguards. Zatko’s complaint alleges that Twitter’s problems worsened over time.

For example, the complaint says, Twitter’s internal systems allowed too many employees to access personal user data they didn’t need for their jobs — a situation ripe for abuse. For years, Twitter also continued to mine user data such as phone numbers and email addresses — reserved for security purposes only — to target ads and marketing campaigns, according to the complaint.

THE ENTIRE TWITTER SERVICE MAY HAVE CRASHED IRREVOCABLY

One of the most striking revelations in Zatko’s complaint is the claim that Twitter’s internal data systems were so disorganized — and the company’s contingency plans so inadequate — that any widespread crash or unplanned shutdown could have destroyed the entire platform.

The concern was that a “sequential” data center failure could quickly spread to Twitter’s fragile information systems. As the complaint put it: “This meant that if all hubs went offline at the same time, even briefly, Twitter wasn’t sure if they could restore service. Estimates of downtime ranged from weeks of around-the-clock work to permanent irreparable failure.”

TWITTER MISLED REGULATORS, INVESTORS AND MUSK ON FAKE ‘SPAM’ BOTS

Essentially, Zatko’s complaint says that Tesla CEO Elon Musk — whose $44 billion bid to acquire Twitter is headed to trial in October in a Delaware court — is correct when he charges that Twitter executives have little incentive to accurately measure the prevalence of fake accounts in the system.

The complaint alleges that the company’s executive leadership exercised “willful ignorance” on the issue of these so-called spam bots. “Senior management had no appetite to properly measure the prevalence of bot accounts,” the complaint says, adding that executives were concerned that accurate bot counts would harm Twitter’s “image and valuation.”

ON JAN. 6, 2021, TWITTER MAY HAVE BEEN AT THE MERCY OF DISGRUNTLED EMPLOYEES

Zatko’s complaint states that as a mob gathered in front of the U.S. Capitol on Jan. 6, 2021, eventually storming the building, he became concerned that employees sympathetic to the rioters might try to sabotage Twitter. That concern was heightened when he learned that it was “impossible” to protect the platform’s core systems from a hypothetical rogue or disgruntled engineer aiming to wreak havoc.

“There were no logs, no one knew where the data was or if it was critical, and all engineers had some form of critical access” to Twitter’s core functions, the complaint states.

CHILD’S PLAY FOR FOREIGN GOVERNMENTS

The Zatko complaint also highlights Twitter’s difficulty detecting — much less countering — the presence of foreign agents on its service. In one case, according to the complaint, the Indian government asked Twitter to hire specific individuals alleged to be spies who would have had significant access to sensitive data thanks to Twitter’s lax security controls. The complaint also alleges a murkier situation involving receiving money from unidentified “Chinese entities” who could then access data that could compromise Twitter users in China.
