Twitter's security alarm
Twitter security is a huge mess, its former security boss charged in a whistleblower complaint — but huge security messes are all too common in the online world.
What they're saying: "Regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics," Peiter "Mudge" Zatko, who had just been fired as Twitter's security head, wrote in a report he intended to deliver to the company's board in February.
Driving the news: Zatko's complaint — filed with the Justice Department, FTC and SEC — landed with explosive force on the already high-stakes legal battleground between Twitter and Elon Musk.
Yes, but: You wouldn't have to hunt too hard to find plenty of other companies that would flunk the sort of basic scrutiny Zatko applied to Twitter's practices.
Between the lines: Many of the security issues Zatko identified in that report sound jaw-dropping, but may not be that far outside the norm. He found that:
- more than half of Twitter employees had direct access to the service's live code and data;
- 30% of employees' computers were not set up for automatic updates;
- 60% of data center servers ran out-of-date operating systems; and
- Twitter "dealt with more than ~50 incidents in the past year," primarily as a result of these three "systemic areas of risk."
None of that is good. But findings from SecurityScorecard — a company that studies the public online infrastructure of different online services and companies to figure out how vulnerable they are to hackers — suggest that Twitter's cybersecurity strategy is probably about average.
- Typically, Twitter has had a score in the 80s (out of 100), matching those of similar companies in the industry that SecurityScorecard measures, though the company's score dipped recently after it disclosed a security breach last month.
- The scorecard is based on publicly available information, such as domain name ownership, the servers a firm operates and the IP addresses those servers use — so it's relying on different kinds of information than Zatko had access to.
The big picture: Twitter's security woes are longstanding, and since 2011 it's been operating under a Federal Trade Commission consent decree requiring it to up its game.
- Zatko's complaint puts the company once more in the FTC's sights, and lawmakers' staff — including aides for Sen. Chuck Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee — have already had briefings from the whistleblower. Zatko's lawyer John Tye also told Axios that he had been meeting with congressional offices since last week.
Zatko's complaint is also being evaluated in terms of which side of the high-stakes and brightly spotlit Twitter vs. Musk legal fight will benefit.
- Observers say Zatko's security alarms and arguments about Twitter's failings in measuring spam and bots appear to bolster Musk's critique of the company, but it's less clear that they help his legal case that Twitter broke the terms of its deal.
- But Tye, Zatko's lawyer, said Tuesday that Zatko began working on his complaint in March, before Musk told the world he wanted to buy Twitter.
That suggests Zatko's story is less about Musk's lawsuit and more of a classic boardroom pattern that the tech industry keeps repeating.
- In this scenario, corporate management invites a highly credentialed and widely respected expert into its ranks to help it clean house — then ends up rejecting the expert's recommendations and showing him the door.
Alex Stamos joined Facebook as chief security officer in 2015 and quit in 2018 after the Cambridge Analytica scandal.
- Before he left he shared a memo urging the company to change course. "“We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world,” the note continued.
- After Stamos' departure, Facebook said it would not replace him and reassigned its security personnel to different parts of the company.
Be smart: Stamos' story and Zatko's are more parallel than matching — Stamos' internal conflict at Facebook was largely over fighting disinformation, not everyday security hygiene.
- But the dynamic that pits CEOs against security heads is common in the industry, SecurityScorecard CTO Christos Kalantzis told Axios.
- "Security requires engineering attention, and in a lot of hyper-growth companies, there's an over-indexing on new feature velocity vs. 'Let's make sure everything is as secure as possible,'" he says.
The bottom line: "This did not happen overnight," Zatko wrote in his report. "To get to Twitter's current state of insecurity required repeated downplaying of problems, selective reporting, and leadership ignorance around basic security expectations and practices."
The other side: A statement by Twitter CEO Parag Agrawal said that Zatko had been fired for "ineffective leadership and poor performance" and that his claims "so far" are "a false narrative that is riddled with inconsistencies and inaccuracies."