The social network Twitter hid “extreme, huge shortcomings” from US federal authorities about its fight against spam on the platform, its defenses against hackers and the software its data centers use. These accusations come from a report to regulators by the company’s former head of security, Peiter “Mudge” Zatko, a legendary hacker fired in January after 15 months on the job. Unlike in other leaks, Zatko was precisely the person in charge of making security work at Twitter; he does not speak from hearsay. The media that have had access to the initial complaint are the Washington Post and CNN.
Reading the 84 pages of text gives a sad picture of indifference toward security within Twitter. In October, the company faces trial against Elon Musk, who renounced his agreement to buy the social network after claiming that the company had withheld information from the public. This report clearly favors Musk’s position. The doubts raised by this alleged coincidence seem to lose weight because Zatko prepared a similar document in February, before Musk announced his intention to buy Twitter.
“Twitter is extremely lax in several areas of information security. If these issues are not corrected, regulators, media, and platform users will inevitably be shocked when they learn of its serious lack of basic security,” Zatko wrote in February.
Twitter’s security risks are not only about access to the data of its 238 million users or control of spam. The weakness of the code on its servers could cause the network to go down for days, and the hacking of the accounts of leaders or celebrities can create political or democratic risks. The complaint says that Zatko warned that half of the company’s servers were running outdated and vulnerable software and that managers hid damaging data about the number of breaches and the lack of protection of user data.
The report includes Zatko’s well-founded suspicion that the Government of India may have forced Twitter to “knowingly” hire an agent with access to the data at a time of protests in the country. The report says that judicial authorities have been informed. The Washington Post corroborated this information with another employee, who admitted that the hire was probably a spy.
One problem linked to these would-be spies is the incredible number of Twitter employees who have access to sensitive information. There are more than 7,000, and, furthermore, their access is not accurately monitored. They could therefore view personal data or alter how the service works.
Another example of the internal disaster at Twitter is the question of whether the company actually deleted the information of a user who requested it. The data, however, was so widely distributed across internal networks that there was no way of knowing for sure. To keep federal authorities from knowing what was going on, the company explained that the accounts were “deactivated”, which is obviously not the same as “deleted”, in the hope that regulators would not notice the difference. Zatko learned in 2021 that this was how it was done.
Former Twitter leader Jack Dorsey hired Zatko in the summer of 2020 after a teenage hacker briefly controlled the accounts of some of the most influential users. That was the biggest hack of a social network in history, according to the complaint. After hiring him, Dorsey barely listened to him. In 12 months, Zatko was only able to talk to Dorsey six times, always for less than 30 minutes. In those meetings, Dorsey hardly spoke: he said perhaps 50 words to Zatko in the whole year, according to the former security chief himself.
Twitter has responded to Zatko’s accusations by saying that he is a “hurt ex-employee”. Twitter’s current chief executive, Parag Agrawal, fired him in January. A company spokeswoman accused Zatko of “lack of leadership”, of having made a report “full of inaccuracies” and of now wanting to “opportunistically try to inflict harm on Twitter, its customers and its shareholders”. Zatko is one of the most respected hackers in the community. In 1998, as a member of the youth hacker group L0pht, he appeared before Congress to say that they could shut down the internet in 30 minutes.
Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998.
It was the first time the US Govt. publicly referenced “hackers” in a positive context.
The coverage was national and even international.
Come behind the scenes.
— Mudge (@dotMudge) May 20, 2019
The entire report is filled with unheard-of and harsh accusations against the day-to-day activity of Twitter. It alleges, for example, that a crash in the company’s data centers could prevent servers from restarting properly, making the network disappear for months or causing the loss of all its data. In 2021 this was about to happen, but the engineers were able to save the company from a “catastrophic” crisis; the report gives no further details.
Zatko also goes into one of Elon Musk’s biggest accusations: spam on the platform. The report cites a tweet from Agrawal responding to Musk by saying that “we have strong incentives to detect and remove as much spam as possible.” “That tweet is a lie,” the report says. In 2019, Twitter stopped reporting its total monthly users, a figure subject to ups and downs caused by massive removals of bots or fake accounts. It then began to report something called “monetizable daily active users”, whose formula was controlled internally and was easier to misrepresent. “The bonuses of managers (which can reach 10 million) are linked to that figure,” says the report, so managers have more incentive to raise it.
“Agrawal’s tweets and Twitter blog posts maliciously imply that Twitter employs proactive and sophisticated systems to measure and block spam bots,” the text says. “The reality: simple, mostly outdated, unsupervised programs, plus overworked, inefficient, understaffed, and reactive human teams.”
– Article Written By @jordi perez from https://elpais.com/tecnologia/2022-08-23/el-exjefe-de-seguridad-de-twitter-denuncia-que-la-compania-ha-ocultado-deficiencias-extremas-enormes.html