5 takeaways from Twitter whistleblower Peiter Zatko


FILE – The Twitter logo appears above a trading post on the floor of the New York Stock Exchange, November 29, 2021. Startling new revelations from former Twitter security chief Peiter Zatko have raised serious new questions about the security of the platform’s service, its ability to identify and remove fake accounts, and the veracity of its statements to users, shareholders and federal regulators. (AP Photo/Richard Drew, File)


Startling new revelations from former Twitter security chief Peiter Zatko have raised serious new questions about the security of the platform’s service, its ability to identify and remove fake accounts, and the veracity of its statements to users, shareholders and federal regulators.

Zatko – better known by his hacker name “Mudge” – is a respected cybersecurity expert who first rose to prominence in the 1990s and later held senior positions at the Pentagon’s Defense Advanced Research Projects Agency and at Google. Twitter fired him from his security role earlier this year for what the company called “ineffective leadership and poor performance.” Zatko’s lawyers say that claim is false.

In a whistleblower complaint made public Tuesday, Zatko documented his 14-month effort to bolster Twitter’s security, improve the reliability of its service, fend off intrusions by foreign government agents, and both measure and take action against the fake “bot” accounts that have spammed the platform. In a statement, Twitter called Zatko’s description of the events a “false narrative.”

Here are five takeaways from this whistleblower complaint.

TWITTER’S SECURITY AND PRIVACY SYSTEMS WERE VERY INADEQUATE

In 2011, Twitter settled a Federal Trade Commission investigation into its privacy practices by agreeing to implement stronger data security protections. Zatko’s complaint instead alleges that Twitter’s problems got worse over time.

For example, the complaint states that Twitter’s internal systems allowed far too many employees to access users’ personal data that they did not need for their jobs – a situation ripe for abuse. For years, Twitter also continued to mine user data such as phone numbers and email addresses — intended for security purposes only — for ad targeting and marketing campaigns, according to the complaint.

TWITTER’S ENTIRE SERVICE COULD COLLAPSE IRREPARABLY UNDER STRESS

One of the most stark revelations in Zatko’s complaint is the claim that Twitter’s internal data systems were so dilapidated – and the company’s contingency plans so inadequate – that any widespread crash or unplanned shutdown could have paralyzed the whole platform.

The fear was that a “cascading” data center failure would quickly propagate through Twitter’s fragile information systems. As the complaint says: “This meant that if all centers went offline simultaneously, even briefly, Twitter was unsure that they could restore service. Downtime estimates ranged from weeks of 24-hour work to permanent irreparable failure.”

TWITTER DECEIVED REGULATORS, INVESTORS AND MUSK ABOUT FAKE “SPAM” BOTS

Essentially, Zatko’s complaint says Tesla CEO Elon Musk — whose $44 billion bid to acquire Twitter is headed for trial in October in a Delaware court — is right when he accuses Twitter’s executives of having little incentive to accurately measure the prevalence of fake accounts on the system.

The complaint accuses the company’s executive management of practicing “willful ignorance” about these so-called spambots. “Senior management had no desire to properly measure the prevalence of bot accounts,” the complaint states, adding that executives were concerned that accurate bot measurements would harm Twitter’s “image and value.”

ON JAN. 6, 2021, TWITTER COULD HAVE BEEN AT THE MERCY OF ROGUE EMPLOYEES

Zatko’s complaint says that as a crowd gathered outside the U.S. Capitol on January 6, 2021, eventually storming the building, he began to fear that employees sympathetic to the rioters were trying to sabotage Twitter. This concern was heightened when he learned that it was “impossible” to protect the platform’s core systems from a hypothetical rogue or disgruntled engineer out to wreak havoc.

“There were no logs, no one knew where the data was or if it was critical, and all engineers had some form of critical access” to core Twitter functions, the complaint states.

A PLAYGROUND FOR FOREIGN GOVERNMENTS

Zatko’s complaint also highlights Twitter’s difficulty in identifying – let alone resisting – the presence of foreign agents on its service. In one instance, according to the complaint, the Indian government demanded that Twitter hire specific individuals suspected of being spies, who would have had significant access to sensitive data thanks to Twitter’s own lax security controls. The complaint also alleges a more obscure situation involving taking money from unidentified “Chinese entities” who could then access data that could endanger Twitter users in China.

Lynn A. Saleh