Peiter “Mudge” Zatko, Twitter’s former chief of security, testifies before the Senate Judiciary Committee on Data Privacy at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC.
Kevin Dietsch | beautiful pictures
‘s Twitter Former security chief Peiter “Mudge” Zatko testified before a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said caused User information is at risk of falling into the wrong hands.
“It’s not far-fetched to say that one company employee could take over the accounts of all the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a year old. a month after he The whistleblower’s complaint has been publicly reported.
Zatko testified that Twitter lacked basic security measures and had a free approach to data access among employees, opening the platform to great risks. As written in his complaint, Zatko said he believes an employee of the Indian government managed to become an employee at the company, an example of the consequences of lax security measures. .
The testimony has fueled criticism from lawmakers that major tech platforms place revenue and growth goals above protecting users. While many companies have flaws in their security systems, Twitter’s unique position as a public square has in fact amplified Zatko’s revelations, which makes even more sense as Twitter fights back. legal dispute. Elon Musk.
Musk sought to acquire the company for $44 billion but then tried to back out of the deal, claiming Twitter should have updated information on how it calculates spam account percentages. A judge in the case recently said Musk could amend his counterclaims to relate to the issues Zatko raised.
A Twitter spokesperson refuted Zatko’s testimony and said the company uses access controls, background checks, and monitoring and detection systems to control access to data.
“Today’s hearing only confirmed that Mr. Zatko’s allegations were contradictory and inaccurate,” the spokesperson said in a statement, adding that the company’s hiring is independent of its influence. of foreign countries.
Here are the key takeaways from Zatko’s testimony:
Lack of control over data
The Twitter logo is seen on the screen of a Redmi phone in this illustration in Warsaw, Poland on August 23, 2022.
Nurphoto | beautiful pictures
According to Zatko, Twitter’s system is so disorganized that the platform can’t say for sure whether it will completely delete users’ data. That’s because Twitter didn’t track where all that data was stored.
“They don’t know what data they have, where they live or where they come from, and so it’s not surprising that they can’t protect it,” Zatko said.
Karim Hijazi, CEO of cyber-intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure drift,” as people come and go, and systems differ. sometimes forgotten.
“Over time, it tends to look a bit like someone’s garage,” said Hijazi, who was previously Mandiant’s chief of intelligence, now owned by the company. Google. “Now the point is, unlike a garage where you can go in and you can methodically start taking it all apart… you can’t simply wipe the database clean. because it’s a patchwork of new and old information.”
Hijazi said that taking down some components without knowing for sure if they are critical or not risks destroying the broader system.
But security experts expressed surprise at Zatko’s testimony that Twitter doesn’t even have a staging environment to test for updates, an intermediate step engineers can take between the development environment and the environment. developers and production to solve problems with their code before it goes live.
“It was quite unexpected for a big tech company like Twitter to not have the basics,” says Hijazi. Even the smallest startups in the world that started seven and a half weeks ago have development, staging, and production environments. “
Chris Lehman, CEO of SafeGuard Cyber and a former FireEye vice president, said that “that would shock me” if that was true Twitter doesn’t have a staging environment.
He said “most mature organizations” will take this step to prevent systems from breaking on the live site.
“Without a staging environment, you create more opportunities for bugs and issues,” says Lehman.
Broad employee access to user information
The silhouette of an employee is seen below the Twitter Inc logo.
David Paul Morris | Bloomberg | beautiful pictures
Zatko said a lack of understanding of where the data exists means employees also have more access than they need to Twitter’s systems.
“It doesn’t matter who has the key if you don’t have any locks on the door,” says Zatko.
Engineers, who make up a large part of the company, are given access to Twitter’s live testing environment by default, Zatko claims. He said that kind of access should be limited to a smaller group.
With so many employees having access to critical information, the company is vulnerable to questionable activities such as bribery and hacking, Hijazi and Lehman said.
US regulators aren’t afraid of compliant companies
Federal Trade Commission headquarters in Washington, DC
Kenneth Kiesnoski / CNBC
Zatko testified that the one-time fines that are often the result of settlements with US regulators like the Federal Trade Commission were not enough to encourage stronger privacy practices.
Zatko said to Senator Richard BlumenthalD-Conn., That a $150 million payout is like a Twitter hits with FTC in May for allegations it misrepresented how it uses contact information to target ads, it won’t be enough to stop the company from bad security practices.
The company would be much more worried about European regulators being able to impose more permanent remedies, he said.
“When I was there, the only real concern was about a significantly higher amount,” Zatko said. “Or if it’s going to be a risk of more institutional restructuring. But that money won’t be of much interest while I’m there.”
Peiter “Mudge” Zatko, Twitter’s former chief of security, testifies before the Senate Judiciary Committee on Data Privacy at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC.
Kevin Dietsch | beautiful pictures
Zatko and other security experts say that despite the flaws, users shouldn’t necessarily feel obligated to delete their accounts.
“People can always choose to just disconnect,” Lehman said. “But the reality is, social media platforms are platforms for dialogue. And they’re the new town square. That serves the public interest. I think it would be very bad if people stopped using it. “
Hijazi says there’s no point in hiding.
“That’s impossible in this day and age,” he said. “However, I think it’s wrong to be naive in the belief that these organizations actually have control over this and actually have your information secure.”
