After being let go in January, Zatko filed a whistleblower disclosure about Twitter in which he accused the company of being “grossly incompetent” in several areas of information security. He told regulators that “it was impossible to protect the production environment.” Every engineer had access, and no logs were kept of who entered the environment or what they did there.
In a statement provided to WIRED by spokesperson Lindsay McCallum-Rémy, Twitter said, “Mr Zatko was removed from his senior executive post at Twitter in January 2022 for weak leadership and poor performance.” What the company has seen so far, the statement continued, is a false narrative about Twitter and its privacy and data security practices, one that is full of falsehoods and misses crucial context.
Mr. Zatko’s false accusations and their inopportune timing, the statement said, appear designed to harm Twitter, its users, and its investors. Twitter has always placed a premium on user safety and privacy, and that is not changing.
Zatko joined Twitter in November 2020, months after the July 2020 attack that compromised high-profile accounts including those of Apple, Kanye West, Jeff Bezos, and Elon Musk. Over the preceding two decades he had become well known as a member of the hacker collective L0pht and as a cybersecurity specialist at organizations including the Defense Advanced Research Projects Agency, Google, and Stripe.
According to the materials Zatko provided, roughly a third of employee laptops were not receiving automatic software updates, and half of the servers in Twitter’s data centers were running out-of-date software and did not support encryption of data at rest.
Zatko also says the company had no management mechanism for employees’ smartphones, so it had no control over the thousands of employee devices that communicated with “core” systems. His claim that Twitter’s “basic architecture” is insecure, though, gets to the heart of the matter.
Zatko further claims that Twitter lacked adequate test and development environments in which to try out features and upgrades before releasing them to production. According to the disclosure, this led to “frequent service outages” because engineers “tested directly on the commercial service.”
According to the documents, about half of Twitter’s staff had unrestricted access to production systems and user data, without adequate monitoring to detect or prevent malicious behavior. By Zatko’s account Twitter employed around 11,000 people at the time; the company says it has around 7,000 employees as of this writing.
The disclosure attributes Twitter’s history of security incidents, data breaches, and potentially damaging account takeovers to the company’s weak security standards. Twitter CEO Parag Agrawal told employees this morning, “We are investigating the redacted accusations that have been released. We will explore all options available to us to defend our company’s honor and correct the record.”
Twitter says it centrally manages all employee computers and that its IT department can mandate updates and block access from machines that have not installed them. The company also said that only personnel with a “business reason” can access the production environment, and only for “particular purposes,” and that every computer must pass a check confirming its software is current before it can connect to production systems.
Al Sutton, co-founder and CTO of Snapp Automotive, worked as a software engineer at Twitter from August 2020 until February 2021. On Tuesday he tweeted that Twitter had never removed him from the employee GitHub group that has permission to push changes to code the company maintains on the site.
In the 18 months since his departure, Sutton retained access to private repositories, and he used that access to demonstrate that Twitter uses GitHub not only for open source projects but for internal ones as well. Sutton said the access was revoked within three hours of his tweet.
Providing a verifiable example “would be good for others,” he told WIRED, “because I think Twitter is being quite casual about Mudge’s statements.” Asked whether Zatko’s accusations square with his own experience at Twitter, Sutton said, “I believe the best thing to say here is that I have no reason to reject his assertions.”
There are several ways to secure a production environment, but security researchers and engineers agree that letting employees have unrestricted access to user data and deployed code without adequate logging is a fundamental problem. A company can take the strict route of restricting production access for almost everyone, or the middle route of letting more people in and continuously monitoring what they do.
Google, for instance, committed fully to the former strategy after Chinese state-backed hackers penetrated it in 2010. “It’s not actually that rare for organizations to have relatively liberal policies about giving engineers access to production systems,” says Perry Metzger, general partner of the consultancy Metzger, Dowdeswell & Company. “Let’s pretend Mudge was absolutely incompetent, despite his impeccable reputation.
“If they wanted to do the simplest thing possible, they would at least have had logging of engineer access to production systems. The worrisome part, though, is that Mudge depicts a culture in which people would rather ignore problems than try to solve them.”
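As an added example, not from the article and not Twitter’s own tooling, the two routes just described in runnable form: a toy just-in-time access broker (the strict route, where every production session needs a short grant tied to a ticket) and a reconciliation check that replays bastion log lines against those grants (the monitoring route). The hostnames, usernames, ticket IDs and sshd-style log lines are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Grant:
    """A time-bounded, ticketed permission for one user on one host."""
    user: str
    host: str
    ticket: str
    start: datetime
    end: datetime


class AccessBroker:
    """Strict route: nobody holds standing production access. A session needs
    a short grant with a ticket reference, and the grant list doubles as the
    record of who was allowed where, and why."""

    def __init__(self, max_ttl_minutes: int = 120):
        self.max_ttl = timedelta(minutes=max_ttl_minutes)
        self.grants: List[Grant] = []

    def grant(self, user: str, host: str, ticket: str, now: datetime,
              ttl_minutes: int = 60) -> Grant:
        # A free-text "business reason" is not enough; require a ticket ID
        # (hypothetical format, e.g. INC-4411) so the grant is traceable.
        if not re.fullmatch(r"[A-Z]+-\d+", ticket or ""):
            raise PermissionError("a ticket reference is required for production access")
        ttl = min(timedelta(minutes=ttl_minutes), self.max_ttl)  # clamp, never extend
        g = Grant(user, host, ticket, now, now + ttl)
        self.grants.append(g)
        return g

    def permits(self, user: str, host: str, when: datetime) -> bool:
        return any(g.user == user and g.host == host and g.start <= when < g.end
                   for g in self.grants)


# Constructed bastion log lines (sshd-style) for the demo; not real Twitter logs.
BASTION_LOG = """\
2022-08-23T09:02:11Z sshd[1201]: Accepted publickey for alice from 10.0.4.12 port 51022 host=prod-db-01
2022-08-23T09:40:53Z sshd[1209]: Accepted publickey for bob from 10.0.4.77 port 51140 host=prod-web-03
2022-08-23T13:15:02Z sshd[1300]: Accepted publickey for alice from 10.0.4.12 port 51310 host=prod-db-01
2022-08-23T13:16:45Z sshd[1302]: Accepted publickey for carol from 10.0.9.3 port 51400 host=prod-db-01
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from \S+ port \d+ host=(?P<host>\S+)$"
)


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, host) for each accepted session in the log."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["host"]


def ungranted_sessions(broker: AccessBroker, log_text: str) -> List[Tuple[datetime, str, str]]:
    """Monitoring route: reconcile every observed session against the grants.
    A session with no covering grant is a finding, whether it came from a
    stale key, a leftover account, or someone bypassing the broker."""
    return [(ts, user, host) for ts, user, host in parse_log(log_text)
            if not broker.permits(user, host, ts)]


def demo() -> Tuple[AccessBroker, List[Tuple[datetime, str, str]]]:
    t0 = datetime(2022, 8, 23, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    broker.grant("alice", "prod-db-01", "INC-4411", t0)                       # 09:00-10:00 UTC
    broker.grant("bob", "prod-web-03", "CHG-902", t0 + timedelta(minutes=30))  # 09:30-10:30 UTC
    return broker, ungranted_sessions(broker, BASTION_LOG)


if __name__ == "__main__":
    _, findings = demo()
    for ts, user, host in findings:
        print(f"UNGRANTED {ts.isoformat()} {user}@{host}")
```

Run stand-alone, it reports the two sessions with no covering grant: alice’s second login hours after her grant expired, and carol, who never had one. That is the gap the disclosure describes: without the log, neither session is visible, and without a grant record there is nothing to reconcile the log against.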
Zatko and his legal representatives at the nonprofit Whistleblower Aid maintain that the documents disclosed on Tuesday are accurate. Twitter has a fundamental obligation to its users and to the government to provide a safe and secure platform, said Whistleblower Aid CEO Libby Liu. “Twitter has an outsized influence on the lives of hundreds of millions around the world,” she added.
Whatever their eventual resolution, the claims raise a wide range of serious concerns that will not be easily explained away or comprehensively addressed any time soon.