Thursday, August 25, 2022

Twitter Whistleblower Peiter Zatko

Casey Newton:

On January 21, a moderately surprising headline hit the New York Times: in one of his first official acts as Twitter CEO, Parag Agrawal had fired the company’s chief information security officer, Rinki Sethi, and its head of security, Peiter Zatko. It was the latter firing that surprised; Zatko, who is known within cybersecurity circles as “Mudge,” is a veteran hacker who had previously worked at DARPA, Google, and Stripe.


In an 84-page complaint filed with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, Zatko alleges severe negligence on the part of Agrawal and other company executives in protecting user data, misleading government officials, and violating a 2011 consent decree with the FTC.


The complaint alleges that about half of Twitter’s employees had access to critical systems that enabled them to make harmful changes or collect sensitive data. Historically that was true, I’m told, but began to change starting around 2018, and now access is more limited and audited more regularly.

Donie O’Sullivan (Hacker News):

First time Twitter CEO @paraga weighs in on whistleblower story.

CNN (via Hacker News, Slashdot):

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.


According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors. The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.


Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Zach Edwards:

First up… folks have known for a while that tons of Chinese advertisers were/are buying Twitter ads… But no one had pieced it together that those Chinese advertisers would be using Twitter Custom Audiences to doxx VPN users who verified with real contact info…


Twitter apparently used their cookies for “all purposes” (security cookies used for advertising) ++ once told by the French CNIL to change this, they kept it on purposefully for another month “in order to extract maximum profit from French users before rolling out the fix.”


“Twitter employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations. Twitter learned of this several times only by accident, or because of employee self-reporting.”


“…The Indian government forced Twitter to hire specific individual(s) who were government agents… it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll…”

Nick Heer:

You can read Mudge’s whistleblower disclosure and infosec report — both PDFs — for yourself, if you would like. Both contain heavily redacted sections, especially around claims of corporate fraud.

Mike Masnick reviewed these reports in two parts at Techdirt. Masnick’s first analyzed Mudge’s claims about Twitter’s security infrastructure, its compliance with an FTC consent decree, and whether it had hired foreign spies deeply embedded in the company. The second piece, published today, is exclusively responding to the many stories claiming Mudge’s investigations will help Elon Musk’s justification for backing out of his acquisition of Twitter.

John Gruber:

Remember too that Twitter DMs are not end-to-end encrypted. They are stored on Twitter’s servers in a form that Twitter can read. The phone numbers and email addresses of anonymous dissidents are very sensitive, but I’d argue that the contents of DMs are the most sensitive information Twitter holds.

You should never put anything in a Twitter DM that you wouldn’t print on a postcard sent in the mail.


I don’t think there’s any way to overstate how damning Zatko’s allegations are. He describes a criminally corrupt company and board.

John Gruber:

Anyone inside Twitter aware of Zatko’s concerns could have leaked them to Musk. Jack Dorsey, for example, personally hired Zatko and was CEO until just a few weeks before Zatko’s firing. Musk’s allegations about Twitter misreporting bot activity might be fully legitimate, not an empty pretext for backing out of his acquisition.

See also: Bruce Schneier.


Update (2022-08-26): John Gruber:

All I meant to imply is that Mudge’s allegations seem to back Musk’s claims that Twitter’s “mDAU” category of users is mostly a pile of horseshit when it comes to the experience of using Twitter. […] As Masnick exquisitely illustrates, the problem for Musk is that when he agreed to buy Twitter, he agreed based on Twitter’s mDAU figures.

See also: Hacker News, Dithering.

Update (2022-09-03): Elaine Atwell (via Hacker News):

Still, it’s worth asking why the economic story is overshadowing the security one. Given the amount of sensitive data the site has on its users–including and especially journalists–and the fact that its security lapses have already caused global chaos, why aren’t we all more alarmed?


What’s remarkable about Mudge’s accusations is that Twitter wasn’t just failing to guard against hypothetical scenarios; they were failing to patch holes that had already led to breaches.

Update (2022-09-14): Lorenzo Franceschi-Bicchierai:

In testimony to a Senate committee, a Twitter whistleblower said that the Chinese government had placed at least one agent of the country’s intelligence agency undercover as a Twitter employee.

Ronan Farrow (via Hacker News):

“My family and I are disturbed by what appears to be a campaign to approach our friends and former colleagues under apparently false pretenses with offers of money in exchange for information about us,” Zatko told me. “These tactics should be beneath whoever is behind them.”

Update (2022-12-14): Avid Halaby:

The stuff uncovered in the Twitter whistleblower report is much crazier than anything in the “Twitter files” but it’s much less politically/tribally salient so it got no attention. Going to do a thread on some of the craziest things, in no particular order.

The report is here.
