Mudge Files Whistleblower Complaint against Twitter

Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that it violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter’s chief security officer until he was fired in January.

The Washington Post has the scoop (with documents) and companion backgrounder. This CNN story is also comprehensive.

EDITED TO ADD: Another news article. Slashdot thread.

EDITED TO ADD (9/2): More info.

Posted on August 24, 2022 at 6:40 AM • 23 Comments

Comments

Ted August 24, 2022 7:45 AM

Up the number of CEO’s who are taking out their Security Leads for a nice cup of coffee, egg sandwich, and fresh fruit this month.

It would be interesting to see some industry benchmarking.

Untitled August 24, 2022 9:30 AM

Up the number of CEO’s who are taking out their Security Leads

Maybe up the number of CEO’s who have Security Leads, or who know their names.

JonKnowsNothing August 24, 2022 9:31 AM

@All

In one MSM circular reporting of the filing, one of the issues was that the PCs (aka the people who used them) did not allow security or AV updates….

Color me Not Surprised.

Of all the corporations in my career, getting any kind of update on a machine was akin to a miracle.

There are 2 kinds of corporate updates:

1) Massive departmental update, usually done with the distribution of new machines.

Roll in the new ones with all the latest updates, refurbish the old ones and install what’s available and redeploy them (1) or recycle the dead hardware.

2) A user initiated update:

I got this prompt that says Update…

a) I canceled the update. That’s what the corporate policy says to do.

b) I let the update complete. The message said it was secured and approved.

And then there is Engineering where the word Update has 1,000,000 meanings …

===

1) I doubt today one can redeploy a machine. In past times, people that didn’t have a machine were grateful for any machine that would make their work flow easier. Today I don’t think anyone could or would redeploy a Win7, Win10, OldMac etc to any portion of the corporation or even as a sell-a-thon to employees. It’s too great a risk.

MikeA August 24, 2022 10:28 AM

Once upon a time, I attended a large group meeting about corporate security, given by the chief of security. Generally motherpie and applehood, but I had a brief conversation with them as we filed out of the room. I asked why the company still mandated frequent password changes and “good password” rules that made them easier to guess, a decade or two after these practices had been deprecated. Their reply:
“I know, but it’s not my call”.

What, exactly, is the point of having a chief of security if they don’t have the power to enhance security?

As for Updates: They are about 50/50 between actual security fixes, and “good for the manufacturer/carrier/vendor, monetization-wise” bordering on malware (or over the border). You’d need a brilliant psychologist/psychopath to even figure out which, and you’d have to give them the power to deal with the problem.

Clive Robinson August 24, 2022 10:40 AM

@ ALL,

The Twitter CEO is making at best unsubstantiated claims, then getting other unnamed individuals to make claims that at best are dubious.

On balance of probability I would now say that all of Twitter’s claims should be independently investigated for veracity.

And yes I really think the FTC should wade in not just with fines in mind but full on sanctions against individuals if they are found to have stepped out of line with agreements, regulations and legislation.

To be honest though Twitter had all the hallmarks via its share price of having been part of a “pump and dump” that did not go the way expected. It was already on a downwards trajectory that looked heading for a crash and burn before Elon Musk jumped in.

I’ll be honest and say I think Twitter has had its day and may be the first of the big social media sites to fail, followed by others.

I would say from Google / Alphabet’s behaviours over the past half decade, they seriously expect “online advertising” to stop being a major revenue source.

I guess we are going to have to wait and see but I suspect a second “Internet bubble burst” to happen in the near future as advertisers finally acknowledge they are being taken for a ride with no viable return.

Winter August 24, 2022 11:13 AM

@Clive

I’ll be honest and say I think Twitter has had its day and may be the first of the big social media sites to fail, followed by others.

I would say from Google / Alphabet’s behaviours over the past half decade, they seriously expect “online advertising” to stop being a major revenue source.

Twitter has been a “has been” for years. It is for “old people” I am told. And old people are a difficult market for advertising.

Facebook has an image problem and seems to hold on to its near monopoly by hanging on their nails, buying and copying every competitor that might offer an escape route for youngsters. That strategy will certainly fail at some point.

But “social media” are here to stay in one form or another. There has never been in human history an example of people foregoing social interaction without violent force.

And I see no reason to expect advertising to stop. Google might get less margin, but it will take quite some time for them to go out of business.

Clive Robinson August 24, 2022 1:37 PM

@ MikeA, ALL,

Re : Not my call.

“What, exactly, is the point of having a chief of security if they don’t have the power to enhance security?”

The question you should ask is either,

1, Who set the rule?
2, Who can change the rule?

The answer may turn out to be in either case,

“Nobody in the company”

I’ve seen this sort of nonsense with the Payment Card Industry “auditors”.

Basically they waltzed in, told people what they wanted to see and if it was not as they wanted it on their checkbox list, you could not carry on taking card payments.

These were the same people who accepted

“User name and password”

As two factor authentication…

Yeh I know…

SpaceLifeForm August 24, 2022 4:33 PM

@ ALL

Correction. I said @dotMudge was in CISO role here:

https://www.schneier.com/blog/archives/2022/08/friday-squid-blogging-the-language-of-the-jumbo-flying-squid.html/#comment-409216

But he was never officially in that role.

I conflated the roles, while both were fired.

https://www.theregister.com/2022/01/25/in_brief_security/

Apparently, the CSO role is to make sure the office building is locked up at night.

This may be worth a read. Note there is a lot of spin and misdirection in the comments. But there are very sound comments, and rebuttals to the spin.

There are actors in panic mode.

https://news.ycombinator.com/item?id=32562815

Ted August 24, 2022 10:20 PM

@Clive, SpaceLifeForm, All

It’s an interesting thought: What drove CEO Agrawal to fire at least four top company leaders (restructure?) after he took over in late November 2021?

In a February 2021 SEC filing, the company had reiterated a few of its long-term goals, including to:

  • Reach at least 315 million mDAU in Q4 2023, which represents a ~20% compound annual growth rate from the base of 152 million mDAU reported in Q4 2019…
  • At least double total annual revenue from $3.7 billion in 2020 to $7.5 billion or more in 2023.

Do you think these pressures, plus Agrawal’s new leadership position, helped set the current scene?

https://www.cnbc.com/2021/02/25/twitter-sets-goals-to-double-revenue-reach-315-million-users-by-end-of-2023.html

Clive Robinson August 25, 2022 1:54 AM

@ Ted, SpaceLifeForm, ALL,

Re : Agrawal’s Promotion.

“Do you think these pressures, plus Agrawal’s new leadership position, helped set the current scene?”

The goals you indicate especially the doubling of revenue, were never realistic and I doubt they are obtainable without some other economic factor like rampant inflation.

I suspect Agrawal has been getting rid of those he sees as favourable politically to his predecessor. That is Agrawal wants to “oust Jack” and thus needs to rob him of support.

I’ve zero confidence that Agrawal can honestly deliver and he knows it, and has thus jumped on the Musk bid as a way out of the disaster he was building up to.

It’s clear Twitter has the wrong hand on the helm and the shareholders and board should rectify that as soon as they effectively can.

Ted August 25, 2022 8:56 AM

@Clive, SpaceLifeForm, All

It’s clear Twitter has the wrong hand on the helm and the shareholders and board should rectify that as soon as they effectively can.

Yes, it should definitely be looked into. Apparently Elliott Management, the ruthless and feared activist hedge fund, had put 3 directors on Twitter’s board in 2020. I don’t know who’s on the board now.

As you may have seen Zatko is now scheduled to appear before the US Senate Judiciary Committee on September 13. He’s also been in talks with the House Energy and Commerce Committee, the Senate Intelligence Committee, as well as data protection authorities in Ireland (DPC) and France (CNIL).

https://www.theregister.com/2022/08/25/twitter_whistleblower_summoned_to_senate/

Clive Robinson August 25, 2022 10:36 AM

@ Ted, SpaceLifeForm, ALL,

Re : Wrong hand on Twitter tiller.

“As you may have seen Zatko is now scheduled to appear before…”

Hopefully he will be actually listened to, believed, and action taken…

But you can make a reasonable bet that a certain hedge fund that was probably trying to “Pump and Dump” Twitter has lobbyists already sliming their way through those involved with the committees.

Clara August 25, 2022 11:39 AM

@ Winter,

And old people are a difficult market for advertising.

Really? My 90-year-old grandmother’s the only person I know who regularly sees full TV ads anymore—most of which seem to be for old people (landline phones, stairlifts, reverse mortgages, retirement homes, …). My 65-year-old parents have had a DVR for years, and skip them. Is anyone still using AM/FM radio outside a construction site, dental office, or dollar store? For the web, I’m using Tor Browser without an adblocker, and find “obvious” internet ads have largely disappeared over the last 10-15 years. I think DuckDuckGo is the only place I regularly see them. The Register is the only place I’ve recently seen an actual image ad (banners, and lots of them), so I’ll avoid going back there. I’m told Youtube has ads, but I personally only access it via youtube-dl. I switched from transit to bicycle when the pandemic started, and bicycle-friendly roads tend not to have billboards or benches or bus shelters…

So, where has advertising gone that non-old people are seeing much of it? Free phone apps? Or is it mostly “covert” now, in the sense of sponsored reviews, affiliate links, product placement, etc.? (Or maybe, with me being 42—the median age in my country—advertisers just consider me old?)

Winter August 25, 2022 1:10 PM

@Clive

My 90-year-old grandmother’s the only person I know who regularly sees full TV ads anymore—most of which seem to be for old people (landline phones, stairlifts, reverse mortgages, retirement homes, …).

Does she buy much? Anything? Will she switch brands?

It is not how many ads are seen, but how much effect they have. Older people buy less and are difficult to entice to switch brands or try out new products.

Winter August 25, 2022 1:13 PM

Previous should be
@Clara

(I have typed Clive so often, it is burned into my muscle memory)

SpaceLifeForm August 25, 2022 8:27 PM

Money.

https://nitter.net/thezedwards/status/1562321634295312384#m

Twitter executives opted to allow Twitter to become more dependent upon revenue coming from Chinese entities even though the Twitter service is blocked in China.

Savita August 26, 2022 6:39 PM

As Dave Chappelle says ‘Twitter is not a place’

Twitter doesn’t deserve to exist. It does nothing creates nothing adds nothing.
Musk is a bad actor 24/7 asleep or awake

Both Twitter and Musk just want attention. Stop giving it to them.
Stop listening to them, stop reading them, just switch off
Ignore them and eventually they will go away

Sean August 31, 2022 4:04 PM

@Savita: that was the strategy which old power took to the Internet; ignore those weirdos on their forums and mailing lists and the culture they are creating and their arguments that our emperors have no close. It worked for them, sort of, but they had power that people who read the comments on a site like this do not have (and in the end they found something they did like to lift up- twitter and co.- rather than just hold down Internet culture).

SpaceLifeForm August 31, 2022 4:57 PM

@ Savita

You are reading this wrong.

It is about communication.

The fascists do not want you to communicate.

They want you to believe their propaganda, they do not want you to think and learn.

They want to hide history.

@ Sean

It is ‘clothes’, but yeah.

Also,

but they had power that people who read the comments on a site like this do not have

That was not clear. I know what you meant.

We actually do have that power. Here, and on Twitter.

I know what you meant to convey. That TPTB can not not block conversation. But, they can attempt to do so, and actually do.

The fascists want to block conversation. They do not want people to think. They want to bombard you with propaganda and bullshit.

You are welcome to join the cult if you watch Fox every day. That is how they think.

Sean August 31, 2022 6:34 PM

@SpaceLifeForm: yep, I had a typo.

People in charge of programming for million-audience channels, or editing hundred-thousand-subscriber magazines, or government ministries with 10,000 employees had power and they used it to erase Internet culture except possibly political blogs (and there was a lot of whining about blogs by Old Media reporters and columnists). They used that power to elevate social media culture, especially twitter. They decided to ignore the rando forum member, but quote the random twitter account. They pronounced that twitter was the public square when really it’s a less popular reddit and stupider blogosphere with the mods from a bad forum.

The average person who reads comments on this site does not have that kind of power, so we can’t drive down the cultural significance of sites like Facebook or twitter.

Sean M August 31, 2022 6:52 PM

@SpaceLifeForm: I agree that social media is about communication: specifically propaganda and advertising, which are the same thing. One reason why columnists were scared of bloggers was that they had a nice easy job, and now suddenly people on the Internet were doing it better for free. Just before the Internet there was not much competition because print and broadcast media had high fixed costs.

One problem with social media is that because it’s funded by investors, it’s designed to transmit advertisements, which makes it good for spreading propaganda. Many governments are scared of instantaneous private communication, but if we want evidence-based collective action social media is the wrong tool.

Clive Robinson September 1, 2022 1:35 AM

@ Sean M, Savita, SpaceLifeForm, ALL,

Re : When Broadcast became cheap.

“Many governments are scared of instantaneous private communication, but if we want evidence-based collective action social media is the wrong tool.”

Before the Internet, in the UK there was “Pirate Radio”, the history of which is really quite eye opening and informative for people to study as a historic reference.

For instance the UK Prime Minister Harold Wilson went completely overboard with his reactions, which gave rise to legislation that was not just draconian but against international treaties and existing agreements. Because he blamed Pirate Radio for an election defeat.

But that is jumping the gun as it were… It started because the Government in the UK had too much control over the medium of Broadcast and it showed. With the most exciting thing being “The Home Service” that was so “vanilla” it would give you a bad dose of jaundice if you listened for even a short time.

In the UK there were no private radio stations and no advertising and nothing but shades of dull; even radio comedy was actually little more than silly voices and noises (see the “Goon Show”). Worse it was used as a platform for “Religious Opinion” as a proxy for political propaganda.

But… out on the US West Coast there were “Rock Stations” broadcasting music 24 hours a day aimed at the youth of the day and supported by advertising. Which showed a few forward thinkers there was a viable business model.

But there was also “Radio Luxembourg”, a name few will remember now. As night fell and the sun stopped shining on the ionosphere Radio Luxembourg could be heard, albeit with significant fading, in quite a large part of the UK. It brought a fresh music feel to radio and many of the generation that preceded mine tuned in every day.

So some decided there was money to be made and the UK Government refused to play (no Government willingly gives up power). Thus some went other ways; it ended up with old sea forts being occupied and ships being anchored just outside the territorial waters limits of the time, and it eventually forced the UK Government to very unwillingly shift and give up some power, but for later governments to try grabbing it back[1].

I lived through Pirate Radio as an in the background part time player lending a technical hand and support to a more active player who was a school friend who made a living and business from supplying equipment. We developed whilst in school and college the VHF transmitters that were then still very much a “black art” even amongst professional engineers and got many of the “London Pirates” off of old valve technology based on “re-purposed” “Pye Westminster” taxi cab and similar equipment and into a more modern setting.

Little has been written about what the UK Government got up to but it represented a very real and frequently quite disgusting war where the likes of officials were happy to lie to courts; two names in that regard you might want to look up are “Eric Gotts” and “Clive Corrie”, both of whom have provably lied in court and clearly both had certain mental deficiencies that their superiors were clearly happy to exploit then as “useful idiots”. The sort of behaviour people used to be shocked about when told it was how Joseph Stalin behaved…

[1] The environmentally very unfriendly “Digital Audio Broadcast” (DAB) system being the main visible way. I won’t go into the history of it but it’s a failed technology. What lies hidden behind it is the fact you can not “tune” the radio, but only “select” from a list of stations. With the list controlled by only Government Approved and thus controlled entities. Worse, with all such closed systems a cartel has been formed with all the usual downsides of blatant exploitation.
