Aug 26, 2022 - Technology

Nightmare scenarios from whistleblower's Twitter complaint

Photo illustration of a blurred Twitter logo on someone's phone
Photo: Jakub Porzycki/NurPhoto via Getty Images

Most of the cybersecurity problems in ex-Twitter security chief Peiter Zatko’s 84-page whistleblower complaint aren’t unique to Twitter — but a handful of claims are worrisome enough to catch regulators' and competitors' attention.

The big picture: Only a handful of specific nightmare scenarios in the complaint will end up having staying power as Washington responds to Zatko's claims.

1. Twitter allegedly can't track and limit employees’ access to its networks. In the complaint, Zatko, who is also known by his hacker name Mudge, said he tried to cut off employees' ability to access — or potentially damage — Twitter's live systems during the Jan. 6 Capitol insurrection to prevent rogue employees from taking them offline.

  • He discovered that was impossible.
  • “There was no logging of who went into the environment or what they did,” the complaint said.
  • The complaint also said that all engineers had "some form of critical access to the production environment."

2. Zatko claimed that Twitter came close to a weeks-long shutdown last spring.

  • He said he had warned Twitter's board that the company lacked recovery plans if its data centers went down simultaneously and faced a "'black swan' existential threat."
  • “Downtime estimates ranged from weeks of round-the-clock work to permanent irreparable failure,” the complaint said.
  • Then, in spring 2021, that failure nearly happened, as "Twitter's primary data center began to experience problems from a runaway engineering process," and a quick move to fallback systems stressed them, too.
  • Zatko claimed Twitter then proceeded to misrepresent the stability of its data centers and recovery plans to the SEC.

3. Twitter could have some software licensing headaches ahead.

  • Buried in the complaint were allegations that Twitter doesn't have the "proper licenses" it needs for either the data sets or the software it used to build some of its machine learning systems.
  • The finding, if true, could make Twitter ripe for additional lawsuits.

The other side: Twitter CEO Parag Agrawal told staff this week that Zatko’s allegations are “foundationally, technically and historically inaccurate,” Reuters reports.

Go deeper