September 13, 2022

Former Twitter Security Head Tells Senate That Twitter Has a Chinese Intelligence Agent On Their Payroll, But Doesn't Seem to Care

Twitter employs not just Indian spies, which had already been disclosed, but Chinese spies -- which had been suspected, but was confirmed today in the Senate.

Twitter executives put profit ahead of security, opening the platform to infiltration by foreign agents and hackers, the company's former head of security told Congress on Tuesday.

"Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Peiter "Mudge" Zatko told the Senate Judiciary Committee. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people."

...

Sen. Charles Grassley, R-Iowa, revealed at Tuesday's hearing that the FBI had warned Twitter that a Chinese agent was on its payroll, a previously undisclosed detail from Zatko's complaint.

Zatko said Twitter struggled to identify potential infiltration by foreign agents and typically was only able to do so when notified by outside agencies. The company was "unwilling to put the effort in" to hunt down bad actors, he said.

...

He quoted writer Upton Sinclair, saying: "It is difficult to get someone to understand something when his salary depends on him not understanding something."



Thomas Brewster
@iblametom

Wow from @dotMudge [the former security chief "Mudge"] - "I'm reminded of one conversation with an executive when I said, 'I am confident that we have a foreign agent,' and their response was, 'Well, since we already have one, what does it matter if we have more? Let's keep growing the office.'"

NEW - Indian, Chinese and Saudi Arabian spies allegedly made it onto Twitter's workforce and, according to @dotmudge testimony, Twitter barely cared.

Mudge told them that the security was so poor at Twitter that any employee there could take over any Senator's account.


Twitter whistleblower Peiter Zatko described the company as a Wild West of unsecured data whose management consistently chose revenue and subscriber growth over security and privacy.

"Thousands of Twitter employees can access user data they don't need access to to do their jobs. And if foreign assets work for Twitter, those foreign assets can also access the data," he alleged in testimony before the Senate Judiciary Committee. "An employee could take over the accounts of all of the Senators in this room."

Last month, a former Twitter employee was found guilty of spying on Saudi dissidents using the social media platform to pass their personal information to an aide of Crown Prince Mohammed bin Salman.

Zatko, known as "Mudge", a hacker who served as Twitter's head of security until he was fired in early 2022, said some Twitter employees were also concerned that the Chinese government could collect user data.

When he first arrived at Twitter, "There were thousands of failed attempts to access systems per week that no one was noticing" and that surprised management. Overall poor tracking of who logs in, or tries to, "is a remnant of [Twitter] being so far [behind] on their engineering."

Twitter's CEO Parag Agrawal refused to testify, claiming he could not, due to Twitter's lawsuit against Elon Musk.

Mudge called the company a "ticking bomb of security liabilities." Which seems like a tailor-made line for Elon Musk's lawsuit.

Twitter Inc.'s security lapses were so grave that they threatened national security and far outpaced US regulators' ability to police them, the company's former head of security-turned-whistle-blower told senators on Tuesday. Speaking before the Senate Judiciary Committee, Peiter Zatko, also known by his hacker name "Mudge," said Twitter was a decade behind necessary security upgrades, which he described as a "ticking bomb of security vulnerabilities." He detailed several cases in which Twitter prioritized profit over addressing the risks on its influential platform.

"Twitter's unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America's national security," Zatko said in the hearing.

He also said the company's leadership "repeatedly covered up its security failures by duping regulators and lying to users and investors."

Ooof. That will be of tremendous use to Musk.

Sitting alone at a table facing the dais of senators, Zatko painted a picture of a company that collected vast amounts of user data but only understood how about 20% of it was used and allowed many employees a dangerous level of access to that information. Even though Twitter was under a 2011 consent decree from the Federal Trade Commission to address security lapses, Zatko said US regulators -- and the one-time fees they use as deterrents -- are ineffective compared to their foreign peers like France's data protection agency.

"The FTC is in a little bit over their head" policing powerful companies like Google, Facebook and Twitter, Zatko said. "They're left letting companies grade their own homework."

But AEI and the CATO Institute and the Koch Foundation say that mega-corporation monopolies that coordinate with the government to squelch their competition are the Free Market Operating at Peak Levels, You Guys!!!

Meanwhile, firms are offering huge sums of money for dirt on Mudge -- in order to damage his reputation, so that his allegations against Twitter will have less sting.

On August 23rd, a Slack chat for former employees of the payments company Stripe began filling with accounts of strange queries about an ex-colleague. "I'm getting inundated with paid interview requests," one of the former employees, Dan Foster, wrote. Another, Marty Wasserman, later posted that he'd received a similar message via e-mail. "Hi Marty, Hope you're having a great week!" the message read. "I'm currently working on a project regarding leadership in tech, and my client is hoping to speak to an experienced professional about a particular individual you may have worked with." The message requested a "45-60 minute compensated phone consultation." Wasserman was suspicious of the timing. "Preeeettyy sure this is regarding Mudge," he wrote, pasting it in the Slack chat with his former colleagues. "Hard pass."

Hours earlier, CNN and the Washington Post had reported that Twitter's former head of security, Peiter (Mudge) Zatko, had filed a whistle-blower disclosure to federal agencies, accusing the social-media platform of reckless security practices. Zatko's sweeping claims, if proven, could aid Elon Musk in his attempt to terminate his forty-four-billion-dollar agreement to acquire Twitter, a legal fight with implications of billions of dollars for investors. The dozens of e-mails and LinkedIn messages received by people in Zatko's professional orbit appeared to be mostly from research-and-advisory companies, part of a burgeoning industry whose clients include investment firms and individuals jockeying for financial advantage through information. At least six research outfits--Gerson Lehrman Group (G.L.G.), AlphaSights, Mosaic Research Management, Ridgetop Research, Coleman Research Group, and Guidepoint--approached former colleagues of Zatko's at Stripe, Google, and the Pentagon research agency DARPA. All offered to pay for information, sometimes noting that the compensation would be high or apparently unrestricted. At least two investment firms, Farallon Capital Management L.L.C. and Pentwater Capital Management L.P., also sought information from individuals close to Zatko.

...

The consultant told Provos that its analysts were assessing Zatko's "personality professionally and socially," his "strengths and weaknesses," "motives for his whistle-blower complaint and any similar past complaints," his "need for attention," and whether he was a "zealot or ideologue," "conspiratorial," or "vengeful." She also said they were interested in Zatko's "view of Elon Musk and Musk's bid for Twitter." G.L.G. included links to detailed sets of questions discussing Zatko and Twitter's C.E.O., Parag Agrawal. "In regards to Peiter Zatko, can you discuss thoughts on recent news with Peiter, what he did, why he was fired from TWTR?" read one of G.L.G.'s questions.

...

One of the messages from G.L.G. suggested that the information was intended for an investment firm, Davidson Kempner Capital Management L.P. (A source close to G.L.G. told me that it represents multiple clients with an interest in Zatko but has no connection to Twitter and added that compensation for experts is standard.) Farallon, an investment firm rather than an expert network, identified itself in its inquiries. The other companies declined to identify their clients, though at least one told recipients that they were working on behalf of an unnamed hedge fund.

As the inquiries proliferated, the group of ex-Stripe employees began to believe, Wasserman told me, "that multiple different sources, multiple different people, multiple different companies, were all basically trying to dig up dirt on Mudge, all seemingly at the same time." The firms, Provos surmised, were "trying to get information that could further discredit Mudge," an effort that "seemed incredibly shady." Jonathan Kaltwasser, Stripe's former chief information security officer and a member of the Slack group, quickly alerted Zatko.

A lot of people will lose a lot of money if Elon Musk wins his lawsuit against Twitter, and Mudge's testimony will be a great help to Musk in doing that. So there's a large financial incentive to prove that Mudge is a Subversive and White Supremacist and Pervert and Whatever.

There might also be some foreign intelligence services shopping for dirt on him.

In a strange bit of happenstance -- or was this planned? -- Twitter's shareholders voted to formally accept Elon Musk's $44 billion bid for their piece-of-shit spy-ridden security shithole, even though Musk has withdrawn the offer.

Reuters @Reuters BREAKING: Twitter shareholders vote in favor of Elon Musk's $44 billion takeover offer at a special shareholder meeting https://reut.rs/3eJElMA

posted by Ace at 03:16 PM
