Whistleblower: Twitter a ‘Ticking Bomb of Security Vulnerabilities’

September 14, 2022 Topic: Twitter Region: United States Blog Brand: Techland Tags: TwitterSocial MediaBig TechElon MuskCongress

Whistleblower: Twitter a ‘Ticking Bomb of Security Vulnerabilities’

Just over two weeks after filing a whistleblower complaint, former Twitter security chief Pieter “Mudge” Zatko testified before the Senate Judiciary Committee.

 

Just over two weeks after filing a whistleblower complaint, former Twitter security chief Pieter “Mudge” Zatko testified on Tuesday before the Senate Judiciary Committee.

“I agreed to join Twitter because I believed it was a unique position in which my skills and experience could meaningfully improve the security of users, the United States, and the world. Twitter was and continues to be one of the world’s most influential communications platforms. What happens on Twitter has an outsized effect on public discourse and our culture. I believed that improving the platform’s security would benefit not only Twitter’s millions of users, but also the people, communities, and institutions affected by the information exchanges and debates taking place on the platform,” Zatko said in his opening statement.

 

He also discussed why he went to work for Twitter.

“[I] am here today because I believe that Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” he added. “Further, I believe that Twitter’s willingness to purposely mislead regulatory agencies violates Twitter’s legal obligations and cannot be ethically condoned. Given the potential harm to the public of Twitter’s unwillingness to address problems I reported and Twitter’s continued efforts to cover up those problems, I determined lawful disclosure was necessary despite the personal and professional risk to me and my family of becoming a whistleblower,” Zatko continued.

He also noted that he agreed to join Twitter after the hack of several high-profile accounts in the summer of 2020. But once he joined, he was unhappy with what he discovered.

“Upon joining Twitter, I discovered that the Company had 10 years of overdue critical security issues, and it was not making meaningful progress on them. This was a ticking bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security failures to the highest levels of the Company. It was only after my reports went unheeded that I submitted my disclosures to government agencies and regulators,” Zatko said.

“I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from that. I continue to believe in the mission of Twitter and root for its success. But that success can only happen if the privacy and security of Twitter’s users and the public are protected. Many of the engineers and employees within Twitter have been repeatedly calling for this, but their calls are not being headed by the executive team.”

Zatko’s claims are expected to be an issue in the upcoming trial between Twitter and Elon Musk. However, Axios reported this week that the testimony may not have a major effect on the lawsuit.

“There was a culture of not reporting bad results up, only reporting good reporting results up because that was the internal incentive structure,” Zatko told the committee, per the Axios report. “You were rewarded based upon relationships and how you performed in an emergency — not for identifying existing errors and doing the groundwork for keeping the lights on and running the business,” he added.

Musk tweeted a popcorn emoji prior to the start of the testimony, even after his use of emojis had been raised as an issue in legal filings in the lawsuit with Twitter.

As expected, on the same day of the testimony, Twitter’s shareholders approved the merger being urged to do so by the company’s board. And, in a letter related to the Musk lawsuit, the company said that it had not breached any of its obligations.

 

“As was the case with both your July 8, 2022, and August 29, 2022 purported notices of termination, the purported termination set forth in your September 9, 2022 letter is invalid and wrongful under the Agreement,” the social media giant’s letter to Musk’s attorneys said, per NBC News.

Also this week, Ronan Farrow reported in the New Yorker that there appears to have been an effort to dig up dirt on the Twitter whistleblower, with former employees reporting that they had been offered money to speak up about Zatko.

“The dozens of e-mails and LinkedIn messages received by people in Zatko’s professional orbit appeared to be mostly from research-and-advisory companies, part of a burgeoning industry whose clients include investment firms and individuals jockeying for financial advantage through information,” the New Yorker reported.

“My family and I are disturbed by what appears to be a campaign to approach our friends and former colleagues under apparently false pretenses with offers of money in exchange for information about us,” Zatko told Farrow. “These tactics should be beneath whoever is behind them.”

Stephen Silver, a technology writer for The National Interest, is a journalist, essayist and film critic, who is also a contributor to The Philadelphia Inquirer, Philly Voice, Philadelphia Weekly, the Jewish Telegraphic Agency, Living Life Fearless, Backstage magazine, Broad Street Review and Splice Today. The co-founder of the Philadelphia Film Critics Circle, Stephen lives in suburban Philadelphia with his wife and two sons. Follow him on Twitter at @StephenSilver.

Image: Reuters.