Twitter’s former head of security says Twitter’s security was a mess. It’s dynamite for Musk

Peiter “Mudge” Zatko, former head of security at Twitter and a legend in the world of hacking, claims that there are serious security problems within the company.

Far from saying that these problems only affect the company, Zatko reported the case to Congress and federal agencies in July, submitting 200 pages, because he believes that the way Twitter operates is a threat to users, national security and democracy. CNN and The Washington Post have had access to the complaint and have made the case public.

Beyond what happens at the legal level between Congress and Twitter, the company is immersed in a legal battle with Elon Musk. In addition to all the information that can be obtained for that trial from Zatko’s 200 pages, the interesting thing is that Alex Spiro, Musk’s lawyer, has confirmed that they have summoned the former director to testify. Two months before the trial, this is a bombshell for the company.


These are Zatko’s accusations to Twitter

Zatko joined Twitter during Jack Dorsey’s time as CEO and was fired last January. In statements to the aforementioned media, the company alleges “poor performance and ineffective leadership”. But the now-whistleblower defends himself by stating that his work situation was one of constant tension, and that his dismissal came after he tried to bring the security problems to the Twitter Board (the one Musk was going to join) in order to fix serious problems that went back years.

The group that has helped Zatko file the complaint is Whistleblower Aid, the same one that helped Frances Haugen, the Facebook whistleblower. Its founder says that Zatko has been in this complaint process longer than Musk has been in conflict with Twitter, that is, it predates the dispute. These are the main accusations that Zatko has made against Twitter:

Twitter hired at least one Indian government agent. According to the complaint, the Indian government forced Twitter to hire government agents. The problem is that once inside the company, they would have been able to access a large amount of sensitive information, not because they were agents of a foreign government, but because of the indiscriminate access to data that many employees had.

Regarding Russia, Zatko explains that Parag Agrawal, the current CEO of Twitter, even proposed complying with Russian demands on censorship or surveillance of the platform, although in the end it was ruled out. In any case, the complaint states that “The fact that the current Twitter CEO even suggested that Twitter become an accomplice of the Putin regime is a cause for concern about the effects of Twitter on the national security of the United States.”

Too many employees with access to very important controls. Zatko claims that he found a company that allowed thousands of employees (half of the workforce) to access critical control systems, which he describes as generally deficient and negligent.

Zatko even imagined that some worker could manipulate the company’s internal systems

For all these reasons, Zatko feared that, in the context of the assault on the Capitol, someone could manipulate the company’s internal systems. He wanted to restrict who could access them, but found that it was impossible. The systems were too unprotected: they did not log who accessed them or what they did. Thus, no accountability was possible, and the whistleblower says that 4 out of 10 company devices do not meet security standards.

Lies to the Federal Trade Commission (FTC). The FTC brought a complaint against Twitter in 2010 for its mishandling of user information, alleging part of what Zatko now alleges: that too many employees had access to everything.

The issue was closed in Twitter’s favor by reaching an agreement in which the company committed to improving its policies and to creating and maintaining “a comprehensive information security program.” In this regard, Zatko says that all of this is false, that Twitter has not complied, and that there is an “abnormally high rate of security incidents” within the company, to the point of suffering one serious incident per week, says the whistleblower. The complaint states that Twitter does not correctly delete user data, and that it cannot even do so properly because it loses track of where the information is.

Twitter relied on internal volunteers to deal with the 2020 election. According to the complaint, the lack of resources meant that during high-profile events in the context of the 2020 presidential election (between Trump and Biden), the company depended on volunteers from other areas, which meant that other important events were neglected; they relied on teams like the strategic response team.

What about the bots?

Musk

As we said, beyond the seriousness of all these accusations, there is an open legal war between Twitter and Elon Musk. After having reached an agreement, the CEO of Tesla accused Twitter of not telling the truth about the number of bots present on the platform as a reason to withdraw from the purchase. It is hard to imagine that Elon did not know about the problem he now denounces when he announced his intention to buy Twitter, given what he tweeted.

In this sense, there is a very important part of what Zatko denounced. Although, according to his lawyer, the problems and this information existed before Elon Musk’s dispute with Twitter, one document in the complaint states that, in the case of bots, Elon Musk has been lied to. According to the complaint, the CEO lied by posting a statement on the social network about how they deal with bots, referring to the following tweet:

In point 13 of this excerpt of the complaint it reads: “Agrawal’s tweet was a lie. In fact, Agrawal is well aware that Twitter executives have no incentive to accurately ‘spot’ or report the number of bots on the platform.” If there were already employees who could testify in favor of Musk, this evidence, if verified by a court, could be fuel against Twitter.

Twitter’s response

In a leaked internal message that the CEO of Twitter sent to employees this morning, one can read the following:

Team,

There are news reports outlining claims about Twitter’s privacy, security, and data protection practices made by Mudge Zatko, a former Twitter executive who was fired in January 2022 for ineffective leadership and poor performance. We are reviewing the claims that have been published, but what we have seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without significant context.

I know this is frustrating and confusing to read, given that Mudge was responsible for many aspects of this work that he is now inaccurately portraying more than six months after his termination. But none of this takes away from the important work you have done and continue to do to safeguard the privacy and security of our customers and their data. This year alone, we have significantly accelerated our progress through increased focus and incredible leadership from Lea Kissner, Damien Kieran, and Nick Caldwell. This work remains a top priority for us, and if you want to read more about our approach, you can find a summary here. [link missing]

Given the spotlight on Twitter at the moment, we can assume that we will continue to see more headlines in the coming days; this will only make our work harder. I know that all of you take pride in the work we do together and in the values that guide us. We will go to any lengths to uphold our integrity as a company and set the record straight.

See you at #OneTeam tomorrow, Parag

As we can see, the tone matches what the company has publicly expressed through spokespersons: accusing Zatko of not performing in his job as expected and, regarding what was submitted, accusing him of delivering documents riddled with inconsistencies. The mention of the lack of context is striking, and it is likely that the platform will defend itself by arguing that much of the story is missing from what Zatko submitted.
