“Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies,” said the CNN headline. My initial reaction? Yawn… so what’s new: a social media company playing fast and loose with its users’ data? And who’s this whistleblower, anyway? A guy called Peiter Zatko. Never heard of him. Probably another tech bro who’s discovered his conscience…
But what’s this? He has a nickname – “Mudge”. (Cue audio of pennies dropping.) The mainstream media calls him a “hacker”, which is their usual way of undermining a gifted software expert. Which this Mudge certainly is. In fact, in that line of business, he has blue-chip status. He was the highest-profile member of a famous hacker thinktank, the L0pht (pronounced “loft”) and a member of the well-known cooperative Cult of the Dead Cow. In that sense, he was a pioneer of “hacktivism” who has spent much of his life trying to educate the world on cybersecurity and has a long list of discovered vulnerabilities to his credit.
During the Clinton administration, he was apparently sometimes involved in national security council briefings of the president. In 2010, he was recruited by Darpa, the Pentagon’s tech thinktank, where he oversaw cybersecurity research funded by the agency. After that, he worked at Google in its advanced technology and projects division and then for Stripe, a leading payment processing company. In 2020, he was hired by Twitter’s founder, Jack Dorsey, as the company’s head of security. It is said that the incoming Biden administration tried to hire Zatko as the country’s cybersecurity chief, but he decided to go to Twitter.
In July, he filed a complaint with the US Securities and Exchange Commission accusing Twitter of violating its 2011 agreement with the Federal Trade Commission (FTC) to maintain safe security practices. Somehow, the Washington Post got its hands on a copy and has made it available on the web. It’s 84 pages long, and heavily censored, but it makes for riveting reading.
It’s basically a devastating critique of Twitter’s management and security practices. In 2011, the FTC found that it was trivially easy for its employees to gain total access to all of its systems and that this poor security had been exploited by hackers, including those who had sent tweets from then President Obama’s account. Ten years on, Zatko says that thousands of employees still have wide-ranging and poorly tracked internal access to core company systems. He also claims that half of the company’s servers are running out-of-date and vulnerable software and that senior executives had withheld from the board of directors information about the number of security breaches and lack of protection of user data.
The same executives, he says, had consistently prioritised the growth of the number of users over data security. “Senior management had no appetite to properly measure the prevalence of bot [automated] accounts because… they were concerned that if accurate measurements ever became public, it would harm the image and valuation of the company.” He also describes how on various occasions in 2021 he “witnessed senior executives engaging in deceitful and/or misleading communications affecting board members, users and shareholders”. In the end, the tensions between him and the chief executive became acute and he was sacked on 19 January. “Mr Zatko was fired from Twitter more than six months ago for poor performance and leadership,” said Rebecca Hahn, Twitter’s global vice-president of communications, the other day. “And he now appears to be opportunistically seeking to inflict harm on Twitter, its customers and its shareholders.”
All this is doubtless music to the ears of Elon Musk’s lawyers as they struggle to find a way for their client to escape from his expensively misguided bid to buy Twitter. His excuse for changing his mind on the purchase is that he was misled by Twitter’s executives about the prevalence of spam bots on the platform, and Zatko’s submission to the SEC seems to support that proposition, though doubtless the Delaware court hearing the arguments on both sides may conclude that one shouldn’t make $44bn takeover bids without doing one’s own due diligence.
Whatever happens in Delaware, Zatko’s submission is likely to be a big headache for whoever winds up owning Twitter. Violating an FTC settlement is rarely a good career move. In 2011, for example, Facebook also had a brush with the commission after the Cambridge Analytica scandal. The company signed a consent decree promising to make the necessary reforms. It didn’t, and in 2019 it was back before the commission for failing to comply and was fined $5bn. So wouldn’t it be entertaining if Elon Musk were eventually obliged to shell out the promised $44bn for Twitter and then found himself up before the FTC to receive a $5bn fine for the previous owners’ non-compliance?
What I’ve been reading
Picture this
The Approaching Tsunami of Addictive AI-created Content Will Overwhelm Us is a sobering Substack post by Charles Arthur on the upsides and downsides of text-to-graphics engines such as Dall-E.
Eye in the sky
How Capitalism – Not a Few Bad Actors – Destroyed the Internet is a perceptive essay by Matthew Crain in the Boston Review about the rise of surveillance capitalism.
Loose change
Half a Billion in Bitcoin, Lost in the Dump is a terrific account in the New Yorker of how a cache of bitcoins wound up in landfill.