Twitter Accused of Serious Violations by Former Security Chief, Legendary Hacker

A new scandal for Twitter, and not a minor one. The complaint, filed by a whistleblower and made public on Aug. 23 by CNN and the Washington Post, alleges that the company is "extremely flawed" in terms of computer security, that it makes no real effort to combat spam, and that it has been infiltrated by foreign government spies.

Parag Agrawal, former CTO and CEO of the company since November 2021, is heavily implicated in the nearly 200-page document, which was sent last month to several US government agencies, including the Department of Justice, the Federal Trade Commission (which regulates business practices) and the SEC (the financial markets regulator).

The complaint concludes that the service poses a danger to the personal information of its users, to the national security of the United States, and even to democracy. Several US senators have said they intend to look into the case.

An impeccable reputation

For its part, Twitter brushes aside the allegations and attributes them to the bitterness of an employee who was fired in January 2022 for "poor performance." The employee in question is Peiter Zatko, hired by Jack Dorsey as head of security at the end of 2020, after the social network was hacked.

The problem with this answer is that Zatko, better known by his handle "Mudge", is a living cybersecurity legend. A pioneer in the field (he wrote one of the first papers on "buffer overflow" attacks), he was among the first "ethical hackers" to testify before the US Congress, in 1998, to warn of the importance of computer security. A prestigious government career followed, then executive positions in the private sector, notably at Google and Stripe.

His credibility is therefore especially high, and in his interview with the Washington Post he does not hide the fact that his decision to come forward as a whistleblower was the result of an "ethical obligation." Note also that he began the process even before his dismissal (and well before Elon Musk expressed interest in acquiring the company). He believes he was simply fired for insisting on warning about the basic shortcomings he observed.

Anomalous flaws

Peiter Zatko describes implausible practices, including access by thousands of employees (nearly half of the company's staff) to critical platform controls. It is not hard to believe: for example, a low-level customer service employee deleted the account of Donald Trump, then President of the United States, on his last day at the company.

After the January 6 riot, when Donald Trump supporters stormed the Capitol, Zatko became concerned that a Twitter employee might manipulate the social network to make matters worse. He tried to lock down access to production, which turned out to be impossible because all engineers had access, and there was no logging of who accessed what or of the actions they performed.

In other words, there is no way to check who is doing what, or even which action was performed. This leads him to say that Twitter has never properly met its obligations under its 2011 agreement with the FTC on the handling of users' personal data. To make matters worse, according to an internal report, four out of ten computers at the company were not properly protected.

Poorly Managed Data Centers

And it doesn't stop there. Zatko argues that the network infrastructure itself is poorly understood internally and that its 500,000 servers are in an unacceptable state of vulnerability. Half of them are said to run outdated software that does not support basic features such as data-at-rest encryption and no longer receives security updates.

The whistleblower reported this to regulators in a letter in February. Twitter also allegedly lacks sufficient redundant capacity and adequate procedures for restarting its data centers, so that even a minor incident could theoretically bring the social network down.

Significant espionage risks

Another problem, and not the least, is vulnerability to the actions of foreign governments whose interests conflict with those of the United States. Peiter Zatko reports that shortly before his departure, the US government provided Twitter with evidence that at least one of its employees was a foreign intelligence agent.

It should be noted that a former manager at the company was convicted two weeks ago of spying on behalf of Saudi Arabia. The whistleblower also draws attention to an exchange with Parag Agrawal in which the latter suggested complying with censorship demands from Russia (which ultimately did not happen, after the invasion of Ukraine).

Twitter executives involved

Parag Agrawal and his deputies are said to have constantly tried to dissuade Peiter Zatko from sharing his findings with the board of directors, for example by urging him to report verbally rather than in writing, by asking him to filter the information so as to give the illusion that progress was being made, or by suppressing a report on government propaganda and disinformation that he had commissioned from an outside firm, the Alethea Group. That report pointed to understaffing and working conditions in which teams "stumble from one crisis to the next."

CNN reports that Zatko is more lenient towards Jack Dorsey: the whistleblower believes Dorsey sincerely wanted to fix the service's security problems. His report nevertheless notes that Dorsey was extremely evasive about his commitments over the past year and that his teams had little contact with him.

Good news for Elon Musk

Although Peiter Zatko's actions are not directly related to the dispute between Elon Musk and Twitter, they may nevertheless play into the billionaire's hands. Musk was notably cavalier during the takeover process: the level of spam on the platform (which he cites as a reason for cancelling the deal) was not, for instance, among the grounds that could lead to termination of the agreement.

But Peiter Zatko's claims are far more serious (even if he also mentions that the company does not seem to know how many bots are present, nor to care) and could amount to enough "material harm" to justify withdrawing from the deal. Elon Musk's lawyers have already subpoenaed him in the case, on the sole basis of his abrupt departure, just as they subpoenaed Jack Dorsey, the former CEO who, as we know, was involved behind the scenes in the takeover. Whether by instinct or by luck, Musk may end up getting away with it after all.

Julien Bergounhoux @JBergounhoux
