Peiter “Mudge” Zatko, Twitter’s former head of security, says the company has misled regulators about its security measures in his whistleblower complaint that was obtained by The Washington Post. In his complaint filed with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission, he accuses the company of violating the terms it had agreed to when it settled a privacy dispute with the FTC back in 2011. Twitter, he says, has “extreme, egregious deficiencies” when it comes to defending the website against attackers.
As part of that FTC settlement, Twitter had agreed to implement and monitor security safeguards to protect its users. However, Zatko says half of Twitter’s servers are running out-of-date and vulnerable software and that thousands of employees still have wide-ranging internal access to core company software, which had previously led to huge breaches. If you’ll recall, bad actors were able to commandeer the accounts of some of the most high-profile users on the website in 2020, including Barack Obama’s and Elon Musk’s, by targeting employees for their internal systems and tools using a social engineering attack.
It was after that incident that the company hired Zatko, who used to lead a program on detecting cyber espionage for DARPA, as head of security. He argues that security should be a bigger concern for the company, seeing as it has access to the email addresses and phone numbers of numerous public figures, including dissidents and activists whose lives may be in danger if they are doxxed.
The former security head wrote:
“Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.
In addition, Zatko has accused Twitter of prioritizing user growth over reducing spam by distributing bonuses tied to increasing the number of daily users. The company isn’t giving out any bonuses directly tied to reducing spam on the website, the complaint said. Zatko also claims that he could not get a direct answer from Twitter regarding the true number of bots on the platform. Twitter has only been counting the bots that can view and click on ads since 2019, and in its SEC reports since then, its bot estimates has always been less than 5 percent.
Zatko wanted to know the actual number of bots across the platform, not just the monetizable ones. He cites a source who allegedly said that Twitter was wary of determining the real number of bots on the website, because it “would harm the image and valuation of the company.” Indeed his revelation could factor into Twitter’s legal battle against Elon Musk after the executive started taking steps to back out of his $44 billion takeover. Musk accused Twitter of fraud for hiding the real number of fake accounts on the website and revealed that his analysts found a much higher bot count than Twitter claimed. As The Post notes, though, Zatko provided limited hard documentary evidence regarding spam and bots, so it remains unclear if it would help Musk’s case.
When asked why he filed a whistleblower complaint — he’s being represented by the nonprofit law firm Whistleblower Aid — Zatko replied that he “felt ethically bound” to do so as someone who works in cybersecurity. Twitter spokesperson Rebecca Hahn, however, denied that the company doesn’t make security a priority. “Security and privacy have long been top companywide priorities at Twitter,” she said, adding that Zatko’s allegations are “riddled with inaccuracies.” She also said that Twitter fired Zatko after 15 months “for poor performance and leadership” and that he now “appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders.”
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Source: www.engadget.com