Twitter ex-security head blows the whistle, claims reckless and negligent cyber policies
Incredible news this week that stunned the cybersecurity world: Peiter Zatko, aka Mudge, Twitter’s former head of security, blew the whistle on what he claims are negligent cybersecurity practices at Twitter, from vast internal access to Twitter’s entire source code, to laptops that weren’t patched, servers that weren’t licensed, and fears that Twitter was unable to protect itself from insider threats on January 6. Mudge is no stranger to cybersecurity; his credentials are impeccable and his reputation is pristine. He’s worked in government, spent time at Google, and testified to lawmakers. Yet Twitter claims he’s telling half the story and that he’s a disgruntled ex-employee fired for poor performance — claims that just don’t add up. Plus, some ex-Twitter employees piled on with their own security concerns, adding to Twitter’s headaches. The Washington Post has a great profile of Mudge, and CNN’s coverage has been excellent too. Mudge is expected to testify about his whistleblower complaint to lawmakers later this year, per @b_fung. Don’t expect this to blow over any time soon.
Read more in
- Former security chief claims Twitter buried ‘egregious deficiencies’
- A famed hacker is grading thousands of programs — and may revolutionize software in the process
- The Twitter Whistleblower Needs You to Trust Him
If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I've not been removed from their employees' GitHub committers group. https://t.co/j02GpKdKor pic.twitter.com/zqmj7PyaZM
— Al Sutton (@alsutton) August 23, 2022
JUST IN: Twitter whistleblower Peiter "Mudge" Zatko will testify before the Senate Judiciary Committee at a hearing on Sept. 13, according to the committee.
— Brian Fung (@b_fung) August 24, 2022
Reading Mudge's complaint about Twitter, it's hard to stress how much this bolsters some of Musk's claims about the company failing to fight spam. Comes across either that Musk is unbelievably lucky or he had some insight into such complaints before he filed.
— Kevin Collier (@kevincollier) August 23, 2022
It was clear when Mudge left Twitter something was wrong. Now he’s blowing the whistle. Says company doesn’t properly delete data, too many staff access central controls/sensitive info; senior execs cover up vulns; some staff may be working for foreign intel https://t.co/U0We4XtD09
— Kim Zetter (@KimZetter) August 23, 2022
A Twitter spokesperson declined to specify which of Zatko's claims are incorrect. The only thing Twitter's legal team has authorized its comms team to do is share a list of paraphrase-only bullet points.
I'll compare two points to the Zatko claims they seem to be addressing.
— Eric Geller (@ericgeller) August 23, 2022
[Update on 18 September 2022] Ex-Twitter security head Mudge testifies to Congress after whistleblower report
In a wild two-hour hearing before lawmakers on the Senate Judiciary Committee, Twitter’s former security lead turned whistleblower testified on Tuesday on a range of topics, mostly about the company’s security (or lack thereof), but there were a few interesting nuggets disclosed — not least that foreign spies were (and could still be) on Twitter’s payroll, including from China and India, and that engineers — some half of its staff — had broad access to user and company information. It comes in the same week that The New Yorker reports that Mudge’s friends and colleagues were offered money to dish the dirt on him. Wired also looks at the protections a whistleblower has to take (think more than just Tor and Signal). @ericgeller had a running tweet thread from the testimony. Twitter denied and rebuked many of Mudge’s allegations but didn’t add any evidence of its own to the mix, which seems quite short-sighted given the circumstances.
Read more in
- Twitter’s whistleblower testifies before Senate committee
- Twitter whistleblower reveals employees concerned China agent could collect user data
- Twitter ‘lacked the ability to hunt for foreign intelligence agents,’ says whistleblower
- Twitter couldn’t detect foreign agents on its own, whistleblower testifies
- Whistleblower: China, India had agents working for Twitter
— Eric Geller (@ericgeller) September 13, 2022