Former Twitter Security Head Claims He ‘Uncovered Extreme, Egregious Deficiencies’ at the Company

Zatko also alleges that Twitter “prioritized user growth over reducing spam, though unwanted content made the user experience worse.”

Peiter Zatko, Twitter’s former head of security, filed a complaint against his former employer last month, claiming he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate.”

Then-CEO Jack Dorsey hired Zatko, a hacker known as “Mudge,” in July 2020 after teenagers hacked Twitter.

Dorsey resigned in November 2021. Parag Agrawal took over as CEO.

Then, in December, Zatko “began the lawful disclosure process and exhausted internal channels before contacting law enforcement agencies.”

Twitter fired Zatko in January for supposed “poor performance.”

From The Washington Post (Archive Link):

Twitter executives deceived federal regulators and the company’s own board of directors about “extreme, egregious deficiencies” in its defenses against hackers, as well as its meager efforts to fight spam, according to an explosive whistleblower complaint from its former security chief.

The complaint from former head of security Peiter Zatko, a widely admired hacker known as “Mudge,” depicts Twitter as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.

Among the most serious accusations in the complaint, a copy of which was obtained by The Washington Post, is that Twitter violated the terms of an 11-year-old settlement with the Federal Trade Commission by falsely claiming that it had a solid security plan. Zatko’s complaint alleges he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.

Other complaints include:

Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).

Zatko also alleges that Twitter “prioritized user growth over reducing spam, though unwanted content made the user experience worse.” Executives could win bonuses “as much as $10 million tied to increases in daily users.” They received nothing “for cutting spam.”

Zatko’s complaint is kind to Dorsey but depicts “him as extremely disengaged in his final months leading Twitter — so much so that some senior staff even considered the possibility he was sick.”

The complaint is harsh towards Agrawal, who fired the security head two months after taking over as CEO:

According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors. The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.

Whistleblower Aid, an organization that helps protect whistleblowers, helped Zatko file his claim to the Securities and Exchange Commission (SEC) last month.

The organization cannot discuss anything, but it praised Zatko:

“Twitter has an outsized influence on the lives of hundreds of millions around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform,” said Libby Liu, CEO of Whistleblower Aid. “It has taken the courage of a high-level whistleblower with an impeccable reputation for ethics and integrity for law enforcement agencies, and the public, to learn the truth.”

John Tye, Whistleblower Aid’s Chief Disclosure Officer, said:

“Mudge is a hero, stepping forward at real personal risk to ensure that law enforcement agencies have the ground truth about what’s happening inside Twitter. The agencies should investigate these disclosures quickly, and if warranted by the evidence, bring enforcement actions.”

WaPo and CNN reached out to Twitter for comments and answers. It seems both outlets received the same vanilla statement. From CNN:

In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the Twitter spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Zatko’s complaint could help Elon Musk in his fight against Twitter. Musk is trying to back out of a deal to purchase Twitter, accusing the company “of lying about the number of spam bots on its platform.”

Comments

Well, I know first-hand that you can’t call Hillary a disrespectful name. That right there is an egregious deficiency.

To the surprise of nobody except maybe Elon Musk.

If nothing else, he’s certainly given Musk a lot of ammo against Twitter in court.

He’s saying that Twitter doesn’t even KNOW the actual number of bots, because they don’t actually care enough to find out.

I’m smelling shareholder lawsuits out the ass over this.

Zatko, a hacker known as “Mudge,”
a high-level whistleblower with an impeccable reputation for ethics and integrity
Those two things do not, at first glance, go together.

lacks important context
Uh oh. That almost always means “We did it, but we have an explanation.”

    n.n in reply to GWB. | August 23, 2022 at 7:21 pm

    There is no mystery with security practiced in darkness, in sex and conception, etc.

    A faith (i.e. trust, logical domain), a religion is a behavioral protocol, morality in a universal frame, ethics its relativistic sibling, and law their politically consensual cousin.

    healthguyfsu in reply to GWB. | August 23, 2022 at 8:23 pm

    “Hackers” can be ethical and many work in big tech and the government. Just because they can find and show how vulnerabilities would be exploited doesn’t mean that they actually engage in those activities.

      gonzotx in reply to healthguyfsu. | August 23, 2022 at 11:55 pm

      Ahh, right/sarc

        txvet2 in reply to gonzotx. | August 24, 2022 at 1:18 am

        Once upon a time, the concept of “counter-intelligence” wasn’t so confusing. We had thousands of exceptionally bright people dedicated to it.

        healthguyfsu in reply to gonzotx. | August 24, 2022 at 10:29 am

        Your brain is simple. I think everyone gets that by now.

        DSHornet in reply to gonzotx. | August 24, 2022 at 10:58 am

        Ever hear of white hat hackers? They’re employed by the companies to find holes in their walls so they can be plugged before the black hats can exploit them.
        .

        henrybowman in reply to gonzotx. | August 24, 2022 at 1:26 pm

        To the industry and the technology segment, the word “hacker” has always had a much wider and much more neutral meaning than the exclusively negative way it is always represented in the MSM. Steve Wozniak, John McAfee, Tim Berners-Lee… even Elon Musk, Thomas Edison, and Tom Swift, would be recognized by their peers as hackers.

        It shares that much with other technical terms that have been dirtied in the same way by the same ignorant press, such as semi-automatic, patriot, and separatism. Even the word violence is morally neutral: self-defense is violence, too. What’s not morally neutral is violent aggression. So it is with criminal hacking.

        There are entire companies, such as Sophos, that engage in positive productive hacking, finding flaws in your electronic devices so that third-world dirtbags don’t find them first.

    Not so. Testing the security of anything involves people who are hired to find a way to wreck it. At least with smart companies.

“as a chaotic and rudderless company beset by infighting, unable to properly protect its 238 million daily users including government agencies, heads of state and other influential public figures.”

But plenty of time and effort available to oppress YOU.

So then, they operate exactly like our federal government does.