okay... so this article is filled with goodies for a technical audience. I don't necessarily trust it, but I'm still intrigued by the details.
a few choice blurbs, some more heavily edited than others.
... tense relationship with Parag Agrawal,... Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.
[...disclosure, totals around 200 pages, including exhibits -- sent last month to a number of .govs including the SEC, the FTC and DoJ. ... CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill.]
... a devastating hack in 2020 in which the Twitter accounts of some of the world's most famous people, including then-presidential candidate Joe Biden, former President Barack Obama, Kim Kardashian and Musk, were compromised. Twitter told CNN that in response to the incident, the company began compartmentalizing access to customer support tools.
After the attack, Dorsey recruited Zatko, a well-known "ethical hacker" turned cybersecurity insider and executive who previously held senior roles at Google, Stripe and the US Department of Defense, and who told CNN that he'd been offered a senior, day-one cyber position in the Biden administration.
the disclosure says, Zatko soon learned "it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment." Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees' individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.