Twitter savaged by former security boss Mudge in whistleblower complaint Twitter's former security chief Peiter "Mudge" Zatko accused the company and its board of directors of violating financial rules, of fraud, and of grossly neglecting its security obligations in a complaint to the US Securities & Exchange Commission, the Federal Trade Commission, and the US Justice Department last month. The …
Musk's probably behind it. It does read like its made for the press and not for a court.
e.g. he says the 5% Bots claim is a lie akin to fraud, but then switches to 'they "really don't know" as the lie.
He claims fraud (e.g. section 3), but then only says he was collecting evidence of fraud when terminated.
He cites a compliance officer *request*for*details* of his fraud claim, as if its *confirmation* of his fraud claim. Which obviously it is not.
Lots of grand-standing, e.g. "Further Redacted for Congress".... I doubt Congress is interested, and they certainly wouldn't get a *more* redacted version if they were!
There's a lot of the Musk stuff too, but he was sacked more than year before Musk launched his bid e.g. he claims the 5% bots claim is fraud, but then switches to "they really don't know". Which is true, and also fully consistent with a 5% *estimate*.
If he was so concerned why didn't he approach Musk when Musk first showed interest in buying Twitter?
If he was so concerned why did he wait a year and a half before whistleblowing?
Claims they tried to hide the bots number, but then switches to "19.Repeated Efforts to Disable ROPO:"... (ROPO is their 'your account if blocked till you confim via SMS you are not a bot' algo that pisses off Twitter users). Is wanting to disable ROPO the same as "hiding the bot numbers"..... oh fuck no.
By page 20, he's on "Hacked by a teenager".... because the fact the hacker was 17 is materially important right?
I stopped scan-reading at page 43. "CEO Jack Dorsey assigned Mudge a vast portfolio, responsible for some of the hardest problems, with hundreds of staff and thousands of contractors in chains that reported up to him"
"I AM VERY IMPORTANT, REALLY I AM....."
Methinks, if this is the best Musk can do, then Musk has nothing.
He was fired ling before the Twitter/Musk problem and writing an 84 page document takes time...
Then, since he was formerly part of the Dead Cow group, and also on the same role in other companies you have to admit that this guy probably knows his stuff.
If Musk was behind this he would have made a Tweet, oh the irony of using that same platform, but for the moment Musk hasn't said a thing which is out of character.
I very much doubt that Musk is behind this, I see more of a very bruised and frustrated ego that is really pissed off about getting fired ..
... that is really pissed off about getting fired
Hmm, but you don't see a very bruised and frustrated ego that's being told he has to go through with the deal he signed that would actually make him significantly poorer?
"If Musk was behind this he would've made a tweet". If he sees any story related to Twitter he tweets. The fact he hasn't weighed in on this is telling.
"and writing an 84 page document takes time..."
No, it doesn't. A day or so with editing.
He worked with the Dead Cow so he must be okay is obvious bullshit. I worked with peace organisations who portray themselves as saints, and some of them are, or are cover as paedos, thieves, and similar. I doubt even the worst of them would have worked for Twitter. I do have a couple of good Dead Cow anecdotes that could maybe fill 84 pages, but I'll spare you and sign off with two timely words from the bible, filthy lucre. Guy's a bad'un.
Try writing a whistleblower complaint with evidence to back it up without showing it, ensuring that you don't give out proprietary information, only make claims that are obvious.
This is solid 6 months of work.
I have no idea why you have been downvoted so many times, because you're right.
Being a member of a well known hacking group is a far cry from actually managing large numbers of people in a vast corporation.
It looks to me like Twitter employed him on the strength of his reputation, then realised that he doesn't have the skills to do what they actually need and sacked him.
Weirdly the A/C above makes some very well reasoned points and has lots of downvotes too.
I wonder what's going on.
> I see more of a very bruised and frustrated ego that is really pissed off about getting fired
Alternatively, he was hired to give Twitter some cred on the security arena and then the board / CEO started flapping when he went after their own lies. Sounds like one of those don't rock the corporate boat stories.
I wonder if he collected the evidence to support his claims whilst he was working at Twitter...
I assume he has passed those documents on to someone who can securely store them until they are needed in court (ie. beyond the reach of any search warrant Twitter might serve). Otherwise, this is just heresay.
Less than half the companies I've worked for cared about security. Some let offshore QA contractors access live financial systems for testing. Some deliberately used extremely vulnerable code because correct coding style needed approval. Another had a manager with a dream of a new financial processing system, but it had exploitable race conditions that could misplace more money than the company was worth.
The only thing special about Twitter is that there's a large audience of investors who'd like to know if the company might go "poof" and be gone.
For all of us who have been in his position, you try to work with the system you have. And we probably have had CEOs who ignored even the basics. In this case, the CEO went one step further and fired the messenger. I doubt he had time to go to the SEC. They would not even let him give an honest report to the board and went around him. The report is pretty damning. And every claim in that report probably has many pieces of supporting evidence.
Exactly. Mudge's position at Twitter was essentially "identify our security issues and push projects to fix them". In a bit over a year he did a bunch of the former part; only insiders can say how much of the latter. Then Agrawal came in and said "shit, this is going to cost us some bonuses!" or "man, this guy will not say what I tell him to say!", and fired him.
There's little reason for executives to blow the whistle on issues in their own portfolios, while they're still in a position to try to get them fixed.
I don't see anything wrong with what Mudge is doing here.
but the brand new Tesla he mysteriously found on his driveway this morning is really neat!
If you're chief of security and discover any one of things going on at your employer, it's your duty to report them straight away to the regulators, you don't wait 2 years until after you're fired. They don't suddenly become not OK once you're not being paid anymore.
I'd say your first duty is to report them to the organisation and get them rectified, which it sounds like he tried to do and ran into walls of apathy and incompetence. You can't get a person or an organisation to care about something they don't want to care about.
He probably should have gone to the regulator when Twitter showed they weren't prepared to try or at the very least when he left, but he was probably under enough NDAs that it didn't feel worth the risk of turning into a massive legal wrangle. The moral high ground is easier to occupy making comments on the internet than it is when you have signed 500 pages of contract saying that you'll get your ass sued to pieces if you breathe a word of anything you have ever done to anyone. I'm guessing that some mysterious benefactor (hard to guess who might have an interest here) has now made it worth his while. The fact that the motivation is transparent doesn't make the claims incorrect - at the very least they are 100% coherent with everything we know about the corporate culture at Twitter.
Three things....
-- He was hired to identify and rectify those problems.
-- He probably has something tucked in his employment contract that would make it very painful to go blabbing about company internals. Most companies do (have you read your employment contract?).
-- Even if you're 100% correct and justified if you have a reputation as a whistleblower then you might find your future employment prospects a bit 'thin'.
Its quite clear that what Musk wanted to buy wasn't exactly what Twitter was selling. Twitter is potentially a valuable resource but to be correctly valued the user base has to be accurately enumerated. Twitter's business model isn't collecting and forwarding SMS or other messages, its the usual collecting and collating user information and habits for resale through brokers to advertisers (sigh). This is what makes the property valuable, It also means that if this information is 'leaky' then it not only means that personal information can leak into the hands of bad actors but also the data is far less valuable than it might be.
Its quite clear that what Musk wanted to buy wasn't exactly what Twitter was selling. Twitter is potentially a valuable resource but to be correctly valued the user base has to be accurately enumerated.
Oh, please. Musk got a bee in his bonnet and launched his bid essentially on a whim, then got buyer's remorse and is trying to back out. The "oh my god it's full of bots" excuse is just him trying to save face, just as the "they won't give us the information" is a transparent legal dodge (which likely won't succeed).
I doubt Musk had any well-formed idea of "what [he] wanted to buy". He's forever chasing squirrels.
> "a new, proprietary, opaque metric" called Monetizable Daily Active Users (mDAUs) and tied executive bonuses to the metric.
…by how dumb corporate metrics are.
Back in my corporate days, the company (or rather, someone in the company) came up with this genius compensation scheme. It was so complex that they had to send people around the world to give us a three day course on it.
First month it goes live, we had figured how to get the maximum possible score while doing very little that was different and doubled our salary. Top management decided that this wasn't right and capped the bonus at about 10% for everyone except themselves. Result as you expect: we all went fuck this and productivity took a dive. We ended that year with a loss before the CEO (who was a great chap) got to the bottom of it and put things right.
"Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson told The Register in an emailed statement.
The part hat doesn't appear in the statement reads as follows:
...because his continual bitching about our ineffective at best, and missing completely at worst, security practices -- and demanding that we do something to fix it -- made him an ongoing annoyance and a PITA, and, well, we can't have that in our C-suite, now can we?
The first 18 pages claim Twitter lied by saying fewer than 5% of mDAU accounts are spam when Musk actually asked if more than 5% of all accounts are spam (the total spam figure is not measured). Remuneration and ad prices are based on mDAU...but it is potentially expensive wordplay.
An ex-hacker and ex-employee of the USG (DARPA), working at tech firms that the government would like leverage over and he has been keeping a diary. Hmmm. Anyone want to join those dots? Maybe Twitter HR need to engage in a bit more due diligence.
-a company without insight into its problems and without the leadership to fix them.
That's most of Silicon Valley. And most governments for that matter. Especially the Clown Imperium at Westminster.
Tech corporates are not well-oiled machines. They are disparate groups of barely competent people each guarding their own turf, jobs, and bonuses. It's amazing most tech services have any security at all.
The truth is often elusive and we may never discover what it is.
I realized that this was an intense piece of work for many reasons:
1. Mudge needed to keep proprietary information out.
2. Mudge needed to have attorneys go through every one of his claims and ensure that they were backed up by evidence he had or could ask for
3. This kind of filtering and wording takes time
4. One single false claim will cause him to lose credibility
5. He has stuck to claims which are easy to prove
6. He has used the complaint to go after a CEO who was a fool (bright technically but not in security, privacy, people skills, law, etc.)
The best thing for Twitter is to fire the CEO. Immediately.
https://theconservativetreehouse.com/blog/2022/08/23/twitter-whistleblower-surfaces-presenting-challenge-for-u-s-surveillance-state-enter-cnn-and-the-washington-post/
The firms, which include Twitter (TWTR.N) and Alphabet Inc’s (GOOGL.O) YouTube, share “hashes,” unique numerical representations of original pieces of content that have been removed from their services. Other platforms use these to identify the same content on their own sites in order to review or remove it. (more)
A shared hashing protocol is a form of data system integration. The databases of the identified social media platforms are integrated with the U.S. intelligence system.
So, what is the angle here? Peiter/CNN’s objective is to support Musk‘s part of the legal argument. That support helps Elon Musk exit from Twitter deal. That exit allows Twitter/IC to return to surveillance operations and intel gathering with exposure risk removed. That’s Peiter’s objective.
I shall leave on a happy note, which highlights the nature of the risk:
After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
