With over US$5bil (RM22bil) in revenues—US$14mil (RM64mil) daily—and 7,500 employees—more than thousands of cities—Twitter is of a size that may provoke, “What could go wrong?”
It’s one of the most prolific technologies in worldwide use today. There’s no denying that Twitter has changed the industry’s landscape, the communications paradigm, marketing and advertising practices, and even political ideologies and resulting elections. To say that Twitter’s impact on modern society is profound would be one of the more accurate uses of “profound” to describe a technological phenomenon.
We know from the recent hullabaloo surrounding Elon Musk’s stutter-start at acquiring Twitter that it might not reliably add to the its description to discuss how many users indulge in Twitter. The independent advisory firm Kepios explains that 486 million users make up the Twitter-verse, while Twitter’s SEC filings pare that down to 238 million monetisable active users. Musk’s contentious fight to get out of his deal to buy Twitter is mostly bound to this sort of distinction. Once his initial love letter to America’s Mergers & Acquisitions business customs lost its lustre, he realised that he might not be getting what he meant to be bargaining for. The population of “bot users,” who were not “who”s but rather “what”s, the latter not having any money in any wallet to be squeezed by Musk, his offer felt disproportionate to his get.
Last week Twitter investors approved the US$44bil (RM201bil) deal, nonetheless. However, there’s a new set of spike strips laying across the road to a deal: security implications.
A fellow who goes by the hacker handle “Mudge” seems to have extended Musk’s case for backing away from the table beyond the tricky user count factor. Peiter “Mudge” Zatko attended the Berklee College of Music but chose hacking computers over strumming guitars as his profession. His prowess on the keyboard drove him to password cracking, educating industry and others in security vulnerabilities, and eventually to become a prestigious researcher with the US Department of Defense where he conducted cybersecurity projects with the Defense Advanced Research Projects Agency. This is no light responsibility as DARPA’s critical defence efforts directly impact our national security in terms of military technologies protection.
After DARPA, Mudge, like many govvies, parlayed his Defense experience into a position in industry where the rewards far exceeded the government’s GS schedules of pay. At Google, he landed in its Advanced Technology and Projects group, an impressive function of the innovative firm that was begun by another DARPA alumna. Then, in 2020 Mudge was courted by Twitter where he became its head of security. In such a role, few Twitter stakeholders if any had access to and dealings with the social network’s facets of information security and privacy. Across the globe and across time, therefore, few humans have ever held the specialised knowledge of and exposure to as many humans’ (and bots’) security vulnerabilities in their day-to-day use of Internet technologies.
I’m veering away from “Mudge,” and toward the more formalised “Zatko” from here. That’s because Zatko, now a former Twitter official who’s become a whistleblower against Twitter’s security flaws, recently testified to the US Senate Judiciary Committee about the heretofore unknown risks facing hundreds of millions of Twitterers, yourself quite likely included lest, like me, you’ve had little-to-no direct involvement. Even I as a non-user bear slight risk since many years ago I set up an account with nothing more than an egoist’s aim to (ah-hem) secure my name from becoming someone else’s Twitter handle. I’ll admit it’s embarrassing, though I did the same with Facebook for the same grandiose reason.
Zatko started down this path with a whistleblower complaint not meant for public consumption. He filed his testimonial with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission. The Washington Post later obtained and published the allegations lodged against the tech giant. Zatko alleged “egregious deficiencies” in Twitter’s hacker defences. He characterised its spam defences as meagre, and perhaps most excitedly, from the Senate’s perspective, he claimed that Twitter misled regulators about its security practices and abilities, these factors amongst others.
With their attention foremost on profits, and less so on security, Twitter’s billions in revenues would maximise returns for investors, some of the most vested being internal of course, as with any Silicon Valley model. To further illustrate the risks, and knowing that as stated above Twitter has affected the political arena as much as any component of modern society, Zatko emphasised that with Twitter’s lax security controls, “an employee inside the company could take over the accounts of all of the senators in this room.” Talk about pulling at the “jurors'” emotions!
The risk is not academic, either. Part of Zatko’s complaint included evidence that a foreign agent had, in fact, become an employee at Twitter. Whether that le Carré-esque turn of events played out as the novels do, before act three, went unreported.
Zatko continued that he believed that, still, thousands of Twitter employees have too-wide access to users’ credentials. When US presidents’, and Musk’s own, Twitter accounts were taken over, those incidents all could be tracked back to the company’s disinterest in its own security.
Most commentators, and most readers like yourself quite likely, would point to the US$44bil deal and the Musk factor — always one that seems eccentric, if not plain kooky — as underpinning Zatko’s complaint exposure and the Senate’s investigation. It’s not coincidental timing, I would agree. The reason that you need to be wary of these findings is the user security implication, and that’s real even if you’re not an investor, which comparably few are. Here we have one of the world’s, and history’s, most dominant holders of your personal, private information. They care? If their primary focus is on share value, maybe they’ll be compelled to care, sorry to say. – The Times-Tribune, Corbin, Ky./Tribune News Service