Twitter has been accused of serious breaches by its former head of security, a legendary hacker

A new scandal for Twitter, and not a minor one. A complaint filed by a whistleblower and made public on August 23 by CNN and the Washington Post shows that the company has “severe deficiencies” in terms of IT security, that it is not making any real effort to combat spam, and that it has been compromised by foreign government spies.

Parag Agrawal, former CTO and the company’s CEO since November 2021, is deeply offended by the document, which runs to nearly 200 pages and was sent last month to several American government agencies, including the Department of Justice, the FTC (which regulates business practices), and the SEC (the financial markets regulator).

The whistleblower concludes that the service poses a risk not only to the personal information of its users, but also to the national security of the United States and even to democracy. Several US senators have indicated that they want to take up the case.

An indestructible reputation

For its part, Twitter dismisses the accusations and attributes them to the bitterness of an employee who was fired in January 2022 for “inadequate performance”. The man in question is Peiter Zatko, who was recruited as head of security by Jack Dorsey at the end of 2020, after the social network was hacked.

The problem with this answer is that Zatko, better known by his pseudonym “Mudge”, is a living legend of cybersecurity. A pioneer in the sector (notably the discoverer of “buffer overflow” attacks), he was one of the first “ethical hackers” in history, testifying before the American Congress in 1998 to warn of the importance of computer security. A prestigious career in government followed, then executive roles in the private sector, notably at Google and Stripe.

His credibility is therefore particularly high, and in his interview with the Washington Post he did not hide that his decision to become a whistleblower was the result of an “ethical compulsion”. Note also that he started this process before his dismissal (and before Elon Musk expressed interest in taking over the company). In his view, he was only removed because he insisted on warning about the elementary mistakes he had observed.

Aberrant deficiency

Peiter Zatko describes incredible practices, including access by thousands of employees (almost half of the company’s workforce) to critical platform controls. It is not hard to believe: for example, a low-level employee (customer service) deleted the account of Donald Trump, then President of the United States, on his last day at the company.

Following the uprising of January 6, in which Donald Trump’s supporters tried to attack key government bodies, Zatko worried that a Twitter employee might have manipulated the social network to make the situation worse. He reportedly tried to lock down access to production, which proved impossible because… all engineers had access, and there was no logging of access or of the actions taken. There was reportedly no dedicated development environment; everything was done directly in production.

As a result, there was no way to verify who was doing what, or even what action had been taken. This led him to say that Twitter never properly complied with its obligations under its 2011 agreement with the FTC regarding the management of its users’ personal data. The company also does not know what happens to data when a user deletes it (meaning it may remain stored somewhere). And to make matters worse, four out of ten workstations across the company were not properly secured, according to an internal report.
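The two gaps the complaint describes here, unrestricted production access and no record of who did what, are addressed by the same control: a single gateway that authorizes each production action by role and writes an append-only, tamper-evident log of every decision, denied requests included. The example below is added for illustration and is not Twitter’s code; the roles, permissions, actors and targets are constructed, and the hash-chained log is one common way to make deletions or edits detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed role-to-permission map (an assumption, not Twitter's real model):
# no role holds a blanket "production" right; each gets a narrow set of actions.
ROLE_PERMISSIONS = {
    "engineer": {"prod:read"},
    "sre-oncall": {"prod:read", "prod:restart"},
    "trust-safety-admin": {"prod:read", "account:suspend"},
    "customer-service": {"account:read"},
}

GENESIS = "0" * 64  # previous-hash value for the first log entry


def _digest(prev_hash: str, body: dict) -> str:
    """Hash a record together with the previous record's hash (hash chain)."""
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only, hash-chained log: every entry commits to the one before it,
    so editing or deleting a record breaks verification of all later ones."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, role: str, action: str, target: str, allowed: bool) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "role": role,
                "action": action, "target": target, "allowed": allowed}
        record = dict(body, hash=_digest(prev_hash, body))
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain from the start; False if any record was altered."""
        prev_hash = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(prev_hash, body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True


class ProductionGateway:
    """Single choke point for production actions: authorize by role, then log
    the decision (allowed or denied) before anything is executed."""

    def __init__(self, log: AuditLog):
        self.log = log

    def request(self, actor: str, role: str, action: str, target: str) -> str:
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.log.append(actor, role, action, target, allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action} on {target}")
        # Placeholder for the real production operation (constructed example).
        return f"{action} executed on {target} by {actor}"


def demo() -> AuditLog:
    """Run two constructed requests through the gateway and return the log."""
    log = AuditLog()
    gateway = ProductionGateway(log)
    gateway.request("alice", "sre-oncall", "prod:restart", "cache-07")
    try:
        gateway.request("bob", "customer-service", "account:suspend", "@example_user")
    except PermissionError:
        pass  # denied, but the attempt itself is still on record
    return log


if __name__ == "__main__":
    audit = demo()
    for e in audit.entries:
        print(e["seq"], e["actor"], e["role"], e["action"],
              "allowed" if e["allowed"] else "DENIED")
    print("chain intact:", audit.verify())
```

The point of logging the denied request is that an attempt by an unauthorized role is itself a signal worth reviewing; the point of the chain is that anyone with write access to the log store cannot quietly rewrite history without `verify()` failing. In a real deployment the log would be shipped to a store the gateway’s operators cannot modify.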

Data centers are poorly managed

And it does not stop there. Zatko said the network infrastructure itself was not understood internally, and that its 500,000 servers were in an unacceptable state of vulnerability. Half of them are said to be running outdated software that does not support basic features such as data-at-rest encryption and no longer receives security updates.

The whistleblower notified regulators of this in a letter in February. Twitter also reportedly lacks sufficient redundancy capacity and adequate procedures for restarting its data centers, which in theory could take the social network offline even in the event of a minor problem.

Significant espionage risks

Another problem was raised, and not the least of them: vulnerability to the actions of certain foreign governments whose interests conflict with those of the United States. Peiter Zatko revealed that shortly before his departure, the US government had contacted Twitter with evidence that at least one of its employees was an agent of a foreign intelligence service.

It should be noted that a former manager of the company was sentenced two weeks ago for espionage on behalf of Saudi Arabia. In addition, the whistleblower maintains that the Indian government forced the social network to hire one of its agents. He also referred to an exchange with Parag Agrawal in which the latter allegedly argued in favor of complying with censorship demands made by Russia (which ultimately did not happen after the invasion of Ukraine).

Twitter executives were implicated

It is said that Parag Agrawal and his lieutenants continuously tried to prevent Peiter Zatko from sharing his findings with the board of directors: for example, urging him to present them verbally rather than in a written document, which in effect required him to filter the information provided; creating the illusion that progress had been made; or going behind his back to suppress a report on government propaganda and disinformation that he had commissioned from an outside company. That company was identified as the Alethea Group, and its report pointed to inadequate staffing and working conditions in which teams “stumble from one crisis to another”.

CNN reports that Zatko is more lenient with Jack Dorsey, whom the whistleblower believes genuinely wanted to improve the service’s security; however, his report highlights that Dorsey largely withdrew from his duties last year and that his teams had little contact with him.

A boon for Elon Musk

While Peiter Zatko’s action is not directly related to the dispute between Elon Musk and Twitter, it could work in the billionaire’s favor. The latter showed himself to be particularly diligent during the acquisition procedure; the spam rate on the platform (which he cites as a reason to cancel his acquisition) does not appear, for example, among the reasons that could lead to the conclusion of the agreement. But Peiter Zatko’s claims are more serious and could theoretically constitute “material damage” sufficient to justify this reversal.

It should be noted that Peiter Zatko also directly raises the issue of spam at the beginning of his report and presents some elements in support of Musk’s position, but his arguments on the matter are in fact unconvincing. This short passage, which has little bearing on the rest of his alert, seems at best to be a tactic to amplify the media echo of his action, and at worst the result of a poor legal understanding of the nature of the dispute between Elon Musk and Twitter (it must be said that the entrepreneur is also muddying the waters). A reminder that great expertise in one field does not transfer to another.

In any case, this scandal serves the interests of the boss of SpaceX and Tesla. Elon Musk’s lawyers say they have already summoned Peiter Zatko in the context of the trial, on the sole basis of his sudden departure, just as they summoned Jack Dorsey, the former CEO who is known to have been involved behind the scenes in the buyout project. Coincidence or not, Musk can in any case make use of it, although nothing has been decided yet.
