Published in News

Twitter's security is a mess

24 August 2022


If you believe the ex-security guy fired for poor management 

Twitter's former security chief Peiter "Mudge" Zatko has complained to the US Securities and Exchange Commission, the Federal Trade Commission, and the US Justice Department, accusing the company and its board of violating financial rules, of fraud, and of grossly neglecting its security obligations.

"During Mudge's employment, he uncovered extreme, egregious deficiencies by Twitter in every area of his mandate, including … user privacy, digital and physical security, and platform integrity / content moderation," the complaint says.

The Washington Post obtained and published a redacted copy of the complaint, which makes numerous allegations about occurrences and practices preceding and during Zatko's time at the company, which ran from November 16, 2020 through January 19, 2022.

It all sounds plausible and must be making Elon Musk rub his paws with glee, as he had given similar reasons for backing out of his deal with Twitter. The only issue is that Zatko is not exactly the most neutral witness.

He was fired by the new CEO Parag Agrawal for what Twitter called "ineffective leadership and poor performance."

This is somewhat different from what is claimed by nonprofit law firm Whistleblower Aid which is backing Zatko.   

Twitter said that what has been seen so far is "a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context."

"Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be," the company said.

The 84-page whistleblower document describes Twitter as a company without insight into its problems and without the leadership to fix them. It asserts that Twitter has failed to comply with its 2011 FTC Consent Order, a claim made separately in May by the FTC and Justice Department that Twitter settled for $150 million.

It paints a dire picture of Twitter's IT operations, alleging that over 50 percent of the company's 500,000 data center servers are running non-compliant kernels or operating systems, that over 30 percent of employee devices have disabled software and security updates, and that mobile device management and internal threat detection are deficient. We're also told that about half of Twitter's roughly 10,000 staff have access to live production systems and user data.

What concerns us though is that this dire picture has been painted of Twitter during the time that Zatko was supposed to be in charge of security. We might be wrong, but if things were that bad, wouldn't he have been the person responsible for fixing them? 

 

Last modified on 24 August 2022