Twitter savaged by former security boss Mudge in whistleblower complaint

Twitter's former security chief Peiter "Mudge" Zatko accused the company and its board of directors of violating financial rules, of fraud, and of grossly neglecting its security obligations in a complaint to the US Securities & Exchange Commission, the Federal Trade Commission, and the US Justice Department last month. The …

  1. DS999 Silver badge

    Musk has about 44 billion reasons

    To hope Mudge has proof of his claims.

    1. Anonymous Coward

      Re: Musk has about 44 billion reasons

      Musk's probably behind it. It does read like it's made for the press and not for a court.

      e.g. he says the 5% Bots claim is a lie akin to fraud, but then switches to "they really don't know" as the lie.

      He claims fraud (e.g. section 3), but then only says he was collecting evidence of fraud when terminated.

      He cites a compliance officer *request for details* of his fraud claim, as if it's *confirmation* of his fraud claim. Which obviously it is not.

      Lots of grand-standing, e.g. "Further Redacted for Congress".... I doubt Congress is interested, and they certainly wouldn't get a *more* redacted version if they were!

      There's a lot of the Musk stuff too, but he was sacked more than a year before Musk launched his bid e.g. he claims the 5% bots claim is fraud, but then switches to "they really don't know". Which is true, and also fully consistent with a 5% *estimate*.

      If he was so concerned why didn't he approach Musk when Musk first showed interest in buying Twitter?

      If he was so concerned why did he wait a year and a half before whistleblowing?

      Claims they tried to hide the bots number, but then switches to "19. Repeated Efforts to Disable ROPO:"... (ROPO is their 'your account is blocked till you confirm via SMS you are not a bot' algo that pisses off Twitter users). Is wanting to disable ROPO the same as "hiding the bot numbers"..... oh fuck no.

      By page 20, he's on "Hacked by a teenager".... because the fact the hacker was 17 is materially important right?

      I stopped scan-reading at page 43. "CEO Jack Dorsey assigned Mudge a vast portfolio, responsible for some of the hardest problems, with hundreds of staff and thousands of contractors in chains that reported up to him"

      "I AM VERY IMPORTANT, REALLY I AM....."

      Methinks, if this is the best Musk can do, then Musk has nothing.

      1. Khaptain Silver badge

        Re: Musk has about 44 billion reasons

        He was fired long before the Twitter/Musk problem and writing an 84 page document takes time...

        Then, since he was formerly part of the Dead Cow group, and also in the same role at other companies, you have to admit that this guy probably knows his stuff.

        If Musk was behind this he would have made a Tweet, oh the irony of using that same platform, but for the moment Musk hasn't said a thing which is out of character.

        I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego that is really pissed off about getting fired.

        1. sabroni Silver badge

          Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

          ... that is really pissed off about getting fired

          Hmm, but you don't see a very bruised and frustrated ego that's being told he has to go through with the deal he signed that would actually make him significantly poorer?

          "If Musk was behind this he would've made a tweet". If he sees any story related to Twitter he tweets. The fact he hasn't weighed in on this is telling.

          1. Danny 2 Silver badge

            Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

            "and writing an 84 page document takes time..."

            No, it doesn't. A day or so with editing.

            He worked with the Dead Cow so he must be okay is obvious bullshit. I worked with peace organisations who portray themselves as saints, and some of them are, or are cover for paedos, thieves, and similar. I doubt even the worst of them would have worked for Twitter. I do have a couple of good Dead Cow anecdotes that could maybe fill 84 pages, but I'll spare you and sign off with two timely words from the bible, filthy lucre. Guy's a bad'un.

            1. A random security guy

              Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

              Try writing a whistleblower complaint with evidence to back it up without showing it, ensuring that you don't give out proprietary information, only make claims that are obvious.

              This is solid 6 months of work.

            2. Youngone Silver badge

              Re: I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego...

              I have no idea why you have been downvoted so many times, because you're right.

              Being a member of a well known hacking group is a far cry from actually managing large numbers of people in a vast corporation.

              It looks to me like Twitter employed him on the strength of his reputation, then realised that he doesn't have the skills to do what they actually need and sacked him.

              Weirdly the A/C above makes some very well reasoned points and has lots of downvotes too.

              I wonder what's going on.

        2. Anonymous Coward

          Re: Musk has about 44 billion reasons

          > I see more of a very bruised and frustrated ego that is really pissed off about getting fired

          Alternatively, he was hired to give Twitter some cred on the security arena and then the board / CEO started flapping when he went after their own lies. Sounds like one of those don't rock the corporate boat stories.

      2. Roland6 Silver badge

        Re: Musk has about 44 billion reasons

        I wonder if he collected the evidence to support his claims whilst he was working at Twitter...

        I assume he has passed those documents on to someone who can securely store them until they are needed in court (i.e. beyond the reach of any search warrant Twitter might serve). Otherwise, this is just hearsay.

    2. Michael Wojcik Silver badge

      Re: Musk has about 44 billion reasons

      What about Musk's purchase agreement for Twitter do you think this applies to?

  2. Anonymous Coward

    Fill in the blank

    Less than half the companies I've worked for cared about security. Some let offshore QA contractors access live financial systems for testing. Some deliberately used extremely vulnerable code because correct coding style needed approval. Another had a manager with a dream of a new financial processing system, but it had exploitable race conditions that could misplace more money than the company was worth.

    The only thing special about Twitter is that there's a large audience of investors who'd like to know if the company might go "poof" and be gone.

  3. richdin

    CNN comes up with this?

    With all the talk around collaboration (if not collusion) between the MSM and the High-Tech world - it figures that CNN would be the outlet to "scoop" this.

    1. A random security guy

      Re: CNN comes up with this?

      That is all you got out of it? Using MSM, CNN, etc.? Mudge made a whistleblower complaint. That is the news. Twitter is in trouble because they shot the messenger. You are shooting the messenger too.

  4. Potemkine! Silver badge

    The timing raises questions

    But I won't be surprised these allegations are nonetheless true.

    1. Charlie Clark Silver badge

      Re: The timing raises questions

      Indeed. If the guy really did have qualms during his tenure, why didn't he raise them with SEC then?

      1. First Light Silver badge

        Re: The timing raises questions

        Maybe Mudge and the nonprofit supporting him, were waiting for the optimal moment.

        Many whistles may as well be blown into the wind given how much coverage they get.

      2. A random security guy

        Re: The timing raises questions

        For all of us who have been in his position, you try to work with the system you have. And we probably have had CEOs who ignored even the basics. In this case, the CEO went one step further and fired the messenger. I doubt he had time to go to the SEC. They would not even let him give an honest report to the board and went around him. The report is pretty damning. And every claim in that report probably has many pieces of supporting evidence.

        1. Michael Wojcik Silver badge

          Re: The timing raises questions

          Exactly. Mudge's position at Twitter was essentially "identify our security issues and push projects to fix them". In a bit over a year he did a bunch of the former part; only insiders can say how much of the latter. Then Agrawal came in and said "shit, this is going to cost us some bonuses!" or "man, this guy will not say what I tell him to say!", and fired him.

          There's little reason for executives to blow the whistle on issues in their own portfolios, while they're still in a position to try to get them fixed.

          I don't see anything wrong with what Mudge is doing here.

  5. Howard Sway Silver badge

    During Mudge's employment, he uncovered extreme, egregious deficiencies

    but the brand new Tesla he mysteriously found on his driveway this morning is really neat!

    If you're chief of security and discover any one of these things going on at your employer, it's your duty to report them straight away to the regulators, you don't wait 2 years until after you're fired. They don't suddenly become not OK once you're not being paid anymore.

    1. breakfast

      Re: During Mudge's employment, he uncovered extreme, egregious deficiencies

      I'd say your first duty is to report them to the organisation and get them rectified, which it sounds like he tried to do and ran into walls of apathy and incompetence. You can't get a person or an organisation to care about something they don't want to care about.

      He probably should have gone to the regulator when Twitter showed they weren't prepared to try or at the very least when he left, but he was probably under enough NDAs that it didn't feel worth the risk of turning into a massive legal wrangle. The moral high ground is easier to occupy making comments on the internet than it is when you have signed 500 pages of contract saying that you'll get your ass sued to pieces if you breathe a word of anything you have ever done to anyone. I'm guessing that some mysterious benefactor (hard to guess who might have an interest here) has now made it worth his while. The fact that the motivation is transparent doesn't make the claims incorrect - at the very least they are 100% coherent with everything we know about the corporate culture at Twitter.

    2. martinusher Silver badge

      Re: During Mudge's employment, he uncovered extreme, egregious deficiencies

      Three things....

      -- He was hired to identify and rectify those problems.

      -- He probably has something tucked in his employment contract that would make it very painful to go blabbing about company internals. Most companies do (have you read your employment contract?).

      -- Even if you're 100% correct and justified if you have a reputation as a whistleblower then you might find your future employment prospects a bit 'thin'.

      It's quite clear that what Musk wanted to buy wasn't exactly what Twitter was selling. Twitter is potentially a valuable resource but to be correctly valued the user base has to be accurately enumerated. Twitter's business model isn't collecting and forwarding SMS or other messages, it's the usual collecting and collating user information and habits for resale through brokers to advertisers (sigh). This is what makes the property valuable. It also means that if this information is 'leaky' then it not only means that personal information can leak into the hands of bad actors but also the data is far less valuable than it might be.

      1. Michael Wojcik Silver badge

        Re: During Mudge's employment, he uncovered extreme, egregious deficiencies

        > It's quite clear that what Musk wanted to buy wasn't exactly what Twitter was selling. Twitter is potentially a valuable resource but to be correctly valued the user base has to be accurately enumerated.

        Oh, please. Musk got a bee in his bonnet and launched his bid essentially on a whim, then got buyer's remorse and is trying to back out. The "oh my god it's full of bots" excuse is just him trying to save face, just as the "they won't give us the information" is a transparent legal dodge (which likely won't succeed).

        I doubt Musk had any well-formed idea of "what [he] wanted to buy". He's forever chasing squirrels.

  6. Joe W Silver badge

    I like the acronym DAU

    .. in German it would be "dümmster anzunehmender User" (stupidest imaginable user), pretty close to the GAU (größter anzunehmender Unfall, basically nuclear meltdown in a power plant). I would rather use the M (for Mega) rather than a milli-DAU, though...

  7. Anonymous Coward

    Didn't

    > When asked to comment, Twitter denied the allegations.

    Sorry but Twitter did not do such thing.

    Their statements, quoted in the next two paragraphs of the article are textbook non denial denials.

    El Reg editors should have caught this one.

  8. First Light Silver badge

    Troubling info about the Indian government . . .

    . . . considering the kinds of activities carried out by said government towards activists and journalists.

    https://www.washingtonpost.com/world/2021/07/06/bhima-koregaon-case-india/

    1. A random security guy

      Re: Troubling info about the Indian government . . .

      And a Twitter employee in the pay of the Saudi Government. I wonder how many Saudis were subject to bone saws.

      1. Anonymous Coward

        Re: Troubling info about the Indian government . . .

        > And a Twitter employee in the pay of the Saudi Government.

        Two of them. One caught, one got away.

  9. Anonymous Coward

    Always surprised

    > "a new, proprietary, opaque metric" called Monetizable Daily Active Users (mDAUs) and tied executive bonuses to the metric.

    …by how dumb corporate metrics are.

    Back in my corporate days, the company (or rather, someone in the company) came up with this genius compensation scheme. It was so complex that they had to send people around the world to give us a three day course on it.

    First month it goes live, we had figured how to get the maximum possible score while doing very little that was different and doubled our salary. Top management decided that this wasn't right and capped the bonus at about 10% for everyone except themselves. Result as you expect: we all went fuck this and productivity took a dive. We ended that year with a loss before the CEO (who was a great chap) got to the bottom of it and put things right.

  10. Someone Else Silver badge

    "Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson told The Register in an emailed statement.

    The part that doesn't appear in the statement reads as follows:

    ...because his continual bitching about our ineffective at best, and missing completely at worst, security practices -- and demanding that we do something to fix it -- made him an ongoing annoyance and a PITA, and, well, we can't have that in our C-suite, now can we?

  11. daalmo

    Expensive wordplay

    The first 18 pages claim Twitter lied by saying fewer than 5% of mDAU accounts are spam when Musk actually asked if more than 5% of all accounts are spam (the total spam figure is not measured). Remuneration and ad prices are based on mDAU...but it is potentially expensive wordplay.

    1. daalmo

      Re: Expensive wordplay

      The next 66 pages, however, are a delightful read. Serious claims about MI manipulation, poor access controls, IP infringement and attempts to shut the guy up :)

  12. Tron

    Happy Christmas, Elon.

    An ex-hacker and ex-employee of the USG (DARPA), working at tech firms that the government would like leverage over and he has been keeping a diary. Hmmm. Anyone want to join those dots? Maybe Twitter HR need to engage in a bit more due diligence.

    -a company without insight into its problems and without the leadership to fix them.

    That's most of Silicon Valley. And most governments for that matter. Especially the Clown Imperium at Westminster.

    Tech corporates are not well-oiled machines. They are disparate groups of barely competent people each guarding their own turf, jobs, and bonuses. It's amazing most tech services have any security at all.

    The truth is often elusive and we may never discover what it is.

  13. Dark Eagle

    Mudge the otter

    His name reminded me of Spellsinger series by Alan Dean Foster, where there was an otter named Mudge.

  14. A random security guy

    I realized that this was an intense piece of work for many reasons:

    1. Mudge needed to keep proprietary information out.

    2. Mudge needed to have attorneys go through every one of his claims and ensure that they were backed up by evidence he had or could ask for

    3. This kind of filtering and wording takes time

    4. One single false claim will cause him to lose credibility

    5. He has stuck to claims which are easy to prove

    6. He has used the complaint to go after a CEO who was a fool (bright technically but not in security, privacy, people skills, law, etc.)

    The best thing for Twitter is to fire the CEO. Immediately.

  15. Dubliner Express

    https://theconservativetreehouse.com/blog/2022/08/23/twitter-whistleblower-surfaces-presenting-challenge-for-u-s-surveillance-state-enter-cnn-and-the-washington-post/

    The firms, which include Twitter (TWTR.N) and Alphabet Inc’s (GOOGL.O) YouTube, share “hashes,” unique numerical representations of original pieces of content that have been removed from their services. Other platforms use these to identify the same content on their own sites in order to review or remove it. (more)

    A shared hashing protocol is a form of data system integration. The databases of the identified social media platforms are integrated with the U.S. intelligence system.

    So, what is the angle here? Peiter/CNN’s objective is to support Musk‘s part of the legal argument. That support helps Elon Musk exit from Twitter deal. That exit allows Twitter/IC to return to surveillance operations and intel gathering with exposure risk removed. That’s Peiter’s objective.

    I shall leave on a happy note, which highlights the nature of the risk:

    After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”

  16. Michael Wojcik Silver badge

    Well, yes

    "Security and privacy have long been company-wide priorities at Twitter and will continue to be until we have eliminated them entirely."
