According to a whistleblower, Twitter’s leadership has been hiding “severe, flagrant inadequacies” in its security that pose a serious threat to democracy and national security, and its executives do not know how many bots are on the platform.
Peiter “Mudge” Zatko, the company’s former head of security and a self-described “ethical hacker,” disclosed the allegations to government agencies and Congress last month.
According to CNN and the Washington Post, he stated that the company is badly mismanaged and that thousands of employees have access to sensitive systems and data without adequate oversight.
Zatko, who reported directly to CEO Jack Dorsey and then to his successor Parag Agrawal, alleges that senior executives concealed the platform’s worst flaws. He even suggested that one or more employees may be working for foreign intelligence services.
According to the whistleblower, management deceived the board and authorities about the system’s security weaknesses, which left it open to hacking, manipulation, and misinformation.
Zatko also said that Twitter’s executives lack the means to determine how many bots are on the site, an allegation that could bolster Elon Musk’s legal defense.
Zatko, whose hacker handle is Mudge, pictured in 1998 testifying before the Senate Governmental Affairs Committee on federal computer security.
The Tesla CEO pulled out of his $44 billion buyout agreement after claiming that the platform had not been forthright about the amount of bots and fraudulent accounts among its 238 million daily active users.
In addition, according to Zatko, a former employee of Google and the Department of Defense, Twitter often cannot reliably delete user data once an account is deactivated and loses track of it.
He found “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” according to the disclosure.
His long career began in the 1990s, when he worked quietly for a government contractor while also leading the hacker collective Cult of the Dead Cow, known for releasing Windows hacking tools to pressure Microsoft into improving its security.
After the 2020 hack in which high-profile accounts, including those of Barack Obama, Joe Biden and Elon Musk, were hijacked, he was brought in to Twitter to recommend changes in structure and processes to strengthen its security.
When he first announced his plan, he said he would look at “information security, site integrity, physical security, platform integrity—which begins to touch on misuse and manipulation of the platform—and engineering.”
However, the company fired him in January in what he says was retaliation; the company says it was for poor performance.
Before going public, Zatko says he tried to alert the board to the security flaws.
Throughout Jack Dorsey’s last months at Twitter, employees “feared he was sick.”
Jack Dorsey, one of Twitter’s co-founders, abruptly resigned as CEO in November of last year.
The decision, however, surprised far fewer people inside the company than one might expect, because, according to Zatko, Dorsey had become so aloof and disengaged in his final months that some senior managers suspected he was ill.
The former security chief said that in 2021 Dorsey showed a “drastic lack of focus,” seldom attended meetings, and sometimes went quiet for days or weeks at a time.
Zatko said that Dorsey did nothing to help him settle in at the company and that the former CEO spoke to him only about 50 times in a year.
In the six one-on-one meetings they had over the course of a year, each lasting less than 30 minutes, Zatko said he did practically all of the talking.
According to Twitter, Mr. Zatko was dismissed from his senior executive position more than six months ago for poor performance and weak leadership. In a statement, the company said:
Despite the fact that we haven’t had access to the particular claims mentioned, what we’ve seen so far is a narrative about our privacy and data security policies that is rife with contradictions and falsehoods and lacks crucial context.
Mr. Zatko’s accusations and shrewd timing seem to be intended to garner attention and hurt Twitter, its users, and its stockholders. We still have a lot of work to do, but security and privacy have always been top priority at Twitter as a whole.
Zatko said that he and Twitter CEO Parag Agrawal, who succeeded Jack Dorsey in November, had a contentious relationship.
He said that Agrawal and his staff repeatedly told him not to give the board a full written account of the security problems and instead to present his findings orally.
The whistleblower said that after he was told to present selective statistics to create the appearance of progress, they worked behind his back to edit a consulting firm’s report and conceal the severity of the issues.
Zatko said that Dorsey was less engaged in his final months at the company than Agrawal, although Dorsey was more receptive to his suggestions.
The disclosure, running to more than 200 documents, was sent last month to the Securities and Exchange Commission, the Federal Trade Commission, the Department of Justice and the Senate Intelligence Committee.
How does Elon Musk feel about this?
Elon Musk is embroiled in a bitter legal dispute over his $44 billion purchase of the social network, which he abandoned while accusing Twitter of misrepresenting the number of bots on the site.
According to reports, Musk’s lawyers have sought information from a range of mid-level employees and senior executives about Twitter’s user data and how it is gathered and processed.
The Tesla CEO asserts that bots and fake accounts make up far more than the 5% the company reported when he made his acquisition offer in April.
Twitter is suing Musk, the world’s wealthiest man, for walking away from the deal, arguing that the bot issue is a pretext for buyer’s remorse.
Twitter’s user count, which it reports to investors and advertisers, is a key indicator of the company’s value.
To calculate it, the company counts “monetizable daily active users” (mDAUs) and excludes known bots and other accounts that cannot be shown ads.
Twitter says fewer than 5% of its mDAUs are fake or spam accounts.
Zatko, however, says that measuring bots only as a share of mDAUs, rather than of the total number of accounts, obscures the scale of the problem.
He asserts that Twitter’s head of site integrity told him he did not know the total number of bots on the platform.
According to Zatko, the company “had no appetite to properly measure the prevalence of bots” because doing so could have damaged its reputation and valuation.
Although Musk’s acquisition agreement contained no provision allowing him to withdraw over bot counts, Zatko’s allegations could support his legal defense.
CNN has now seen a copy of the disclosure, which was passed on by a senior Democratic congressional aide.
After the Capitol riot on January 6, Zatko’s concerns about Twitter grew, because he feared a sympathetic insider could take control of the platform through what is known as the “production environment.”
But he says he quickly saw that “protecting the production environment was impossible.” Every engineer had access; nobody’s access to the environment, or what they did there, was logged. Every engineer had some level of critical access to the production environment, but nobody knew where the data lived or whether it was sensitive.
He further alleges that roughly four in ten employee devices did not meet basic security standards, and that Twitter could not hold individual employees accountable because it had no control over, or visibility into, their machines.
Twitter says engineering and product teams may be granted access to the production environment where there is a business justification.
Beyond personnel security, Zatko was also concerned about Twitter’s server infrastructure.
He said that about half of its roughly 500,000 servers run outdated software that cannot receive regular security updates or support encryption of stored data.
He asserts that because its recovery procedures for data center failures are inadequate, even a modest outage could take Twitter down permanently.
Twitter says record-keeping and review standards are in place for any changes to the live product, and that automated checks ensure laptops running outdated software cannot access the production environment.
In a further claim, Zatko asserts that Twitter has “never been in compliance” with an FTC consent order the company signed after mishandling users’ private information, under which it committed to implementing a comprehensive security program.
According to the former security chief, Twitter has an “anomalously high number of security incidents,” at a rate of roughly one per week serious enough to require notifying regulators.
If the allegations are substantiated, or Twitter is found to have broken the law, Zatko’s disclosure could result in billions of dollars in penalties for the company.
Mudge, a well-known hacker, famously told Congress more than 20 years ago that he could bring down the Internet in 30 minutes.
Peiter Zatko, known in the hacker community as Mudge, was the most prominent member of the pioneering Boston hacker collective the L0pht and of the long-running hacking collective Cult of the Dead Cow.
He oversaw a Defense Department grant program for computer security initiatives more recently.
At the L0pht, Mudge contributed substantially to vulnerability disclosure and to public education about information security.
In 2010 Mudge became a program manager at the Defense Advanced Research Projects Agency (DARPA), where he oversaw cyber security research.
Mudge started working for Google’s Advanced Technology & Projects group in 2013.
Mudge, a talented guitarist who was born in December 1970, graduated from the Berklee College of Music at the top of his class.
Mudge conducted early research on buffer overflow vulnerabilities.
Mudge was among the first in the hacking community to build relationships with industry and government. In high demand as a public speaker, he spoke at academic conferences such as USENIX and hacker conferences such as DEF CON.
He was one of seven L0pht members who testified before a Senate committee in 1998 about the serious security flaws in the Internet of the time.
In 2000, after the first large-scale distributed denial-of-service attacks on the Internet, he was invited to a security summit with President Bill Clinton, cabinet officials and business leaders.
In 2004 he joined the technical advisory board of NFR Security and was promoted to division scientist at federal contractor BBN Technologies, where he had previously worked in the 1990s.
Zatko tweeted in 2015 that he would be joining the White House-backed #CyberUL initiative, a computer security testing organization modeled on Underwriters Laboratories.