(Daily Mail) Twitter’s board has been covering up its ‘extreme, egregious deficiencies’ that make it a huge risk to national security and democracy, and executives have no idea how many bots are on the platform, a whistleblower has claimed.
‘Ethical hacker’ Peiter ‘Mudge’ Zatko, the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month.
He claimed the tech giant is completely mismanaged with thousands of staff given access to central controls and the most sensitive information without adequate oversight, CNN and the Washington Post reported.
Zatko, who reported directly to CEO Jack Dorsey and his replacement Parag Agrawal, said senior executives have been covering up the platform’s biggest vulnerabilities, and even claimed one or multiple employees could be working as a spy for foreign intelligence services.
The whistleblower said bosses have misled the board and regulators about its security flaws that have made it susceptible to hacking, manipulation and disinformation.
In claims that will bolster Elon Musk’s legal bid, Zatko also said Twitter chiefs do not have the resources to know how many bots are on the site.
Peiter ‘Mudge’ Zatko (pictured yesterday), the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month
Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998
The Tesla CEO claimed the platform has not been truthful about the number of bots and fake accounts among its 238 million daily active users, and subsequently backed out of his $44billion takeover deal.
Zatko, who previously worked at Google and the Department of Defense, also alleged that Twitter does not reliably delete user data after an account is cancelled, often because staff have lost track of it.
The disclosure describes his overall findings as ‘egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.’
His colorful career began in the 1990s, when he simultaneously conducted classified work for a government contractor and was among the leaders of Cult of the Dead Cow, a hacking group notorious for releasing Windows hacking tools in order to goad Microsoft into improving security.
He was appointed to Twitter to recommend changes in structure and practices to bolster its security after a series of damaging compromises that saw users including Barack Obama, Joe Biden and Elon Musk hacked.
He said at the time he will examine ‘information security, site integrity, physical security, platform integrity – which starts to touch on abuse and manipulation of the platform – and engineering.’
But he was fired in January for what the company claimed was poor performance but what he said was retaliation.
The tech wizard said he tried to flag the security lapses to the board before he went public.
According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November
Twitter told CNN: ‘Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago.
‘While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context.
‘Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.’
According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey in November.
He claimed Agrawal and his staff constantly discouraged him from giving a full account of the security problems to the board, instead instructing him to give an oral report on his findings.
The whistleblower also said he was ordered to present cherry-picked data to give a false impression of progress and then they went behind his back to scrub a consulting firm’s report and hide the extent of the problems.
Zatko claimed Dorsey was more amenable to his recommendations than Agrawal but he became less engaged in his final months at the tech giant.
Some staff even thought Dorsey was ill because he became so distanced and uninterested in the company, Zatko said.
The disclosure of more than 200 pages was sent to the Securities and Exchange Commission, the Federal Trade Commission, the Senate Intelligence Committee and the Department of Justice last month.
A copy has now been seen by CNN after it was passed on by a senior Democratic aide.
Zatko’s concerns at Twitter grew after the January 6 Capitol riots when he feared a sympathizer within the company could manipulate the platform on what is known as the ‘production environment’.
But he says he soon learned ‘it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.’
He added that Twitter could not hold individual workers accountable because it has no control or visibility into their computers, claiming four out of ten devices do not meet basic security standards.
The company said its engineering and product teams can access the production environment if they have a business justification for doing so.
Aside from the staffing security concerns, Zatko also feared its server infrastructure made Twitter vulnerable.
He said half of its 500,000 servers use outdated software that do not support encryption for stored data or regular security updates.
Its inadequate recovery procedures from data center crashes also mean that minor outages could knock Twitter offline for good, he claims.
The tech firm said automatic checks are in place to ensure laptops running outdates software cannot access the production environment and record-keeping and review requirements are in place for any changes to the live product.
