mboost-dp1

Shutterstock

Twitter-whistleblower rejser sikkerhedsproblemer

- Via BBC News -

En tidligere sikkerhedschef for Twitter påstår, at virksomheden vildleder brugere og amerikanske regulatorer om huller i sikkerheden.

Det oplyser BBC News.

Peiter Zatko, som whistlebloweren hedder, hævder også, at Twitter undervurderede antallet af falske konti der er på deres platform.

Beskyldningerne kan påvirke den juridiske kamp mellem Twitter og milliardæren Elon Musk, der forsøger at annullere sin aftale på 44 milliarder dollars (329 milliarder kroner) om at købe virksomheden.

Twitter siger imidlertid, at Zatkos påstande er unøjagtige og inkonsekvente, samt at han blev fyret i januar for ineffektiv ledelse og dårlig præstation.

I Zatkos fordømmende afsløringer anklagede han Twitter for at undlade at opretholde en streng sikkerhedspraksis og at lyve om antallet af bots til Elon Musk.

Han indgav sin klage til Securities and Exchange Commission i juli. Heri kritiserede Zatko også den måde, hvorpå Twitter håndterede følsomme oplysninger og hævdede, at virksomheden ikke har rapporteret nogle af disse forhold nøjagtigt til amerikanske tilsynsmyndigheder.





Gå til bund
Gravatar #1 - arne_v
25. aug. 2022 12:26
#0

CNN artiklen er langt mere dybdegående.

https://edition.cnn.com/2022/08/23/tech/twitter-wh...

Jeg tror at man skal skelne mellem hans anklager om:
* Twitters sikkerhed
* Twitters bot problem
* Twitters forretningsmoral

Med hensyn til Twitters sikkerhed, så var det hans job hos Twitter og han har nogle rimeligt konkrete anklager:


What Zatko says he found was a company with extraordinarily poor security practices, including giving thousands of the company's employees — amounting to roughly half the company's workforce — access to some of the platform's critical controls.



But, the disclosure says, Zatko soon learned "it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment."



Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees' individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.



About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors, according to the letter to regulators and a February email Zatko wrote to Patrick Pichette, a Twitter board member, that is included in the disclosure.



The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.


Det lyder som om Twitter har et sikkerheds problem.

Og det er noget som en IT sikkerhedschef ikke vil bryde sig om.

Twitters svar:


Twitter did not respond to questions about the risk of data center outages, but told CNN that people on Twitter's engineering and product teams are authorized to access the production environment if they have a specific business justification for doing so. Twitter's employees use devices overseen by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software, Twitter added.

The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter's live product after the code meets certain record-keeping and review requirements.

Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to the person familiar with Zatko's tenure at the company. The person added that some of Zatko's statistics surrounding device security lacked credibility and were derived by a small team that did not properly account for Twitter's existing security procedures.


er lidt vagt - det er ikke klart om de ansatte ikke kan eller bare ikke må gøre det forkerte - hvor kritikken jo går på at de kan gøre det forkerte.

Umiddelbart virker hans kritik troværdig.

Og han er ikke den første IT sikkerhedschef som har været frustreret over et firmas It sikkerhed.

Med hensyn til Twitters bot problem så er det uden for hans arbejdsområde og hans anklage går heller ikke på antal bots men på ledelses attitude:


Zatko says he began asking about the prevalence of bot accounts on Twitter in early 2021, and was told by Twitter's head of site integrity that the company didn't know how many total bots are on its platform. He alleges that he came away from conversations with the integrity team with the understanding that the company "had no appetite to properly measure the prevalence of bots," in part because if the true number became public, it could harm the company's value and image.


At han gik fra et møde med "et indtryk" af at ledelsen ikke var interesseret er ikke særligt substantielt.

Elon Musk finder det naturligvis interessant. Men jeg tvivler på at domstolen vil tillægge det nogen nævneværdig vægt - "et indtryk" er bare ikke fakta.

Og det er det samme omkring Twitters forretningsmoral.


Last year, prior to Russia's invasion of Ukraine, Agrawal — then Twitter's chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges.

The disclosure does not provide details of Agrawal's suggestion. Last summer, however, Russia passed a law pressuring tech platforms to open local offices in the country or face potential advertising bans, a move western security experts said was intended to give Russia greater leverage over US tech companies.

While Agrawal's suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

The fact that Twitter's current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter's effects on US national security,

From Zatko's disclosure

"The fact that Twitter's current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter's effects on U.S. national security," Zatko's disclosure says.


Alle (der har fulgt med) ved at de store internetfirmaer har gået balancegang mellem forretningskrav og "at gøre det rigtige" når det drejer sig om krav fra lande som Rusland og Kina.

At Twitter har haft den diskussion bør ikke overraske nogen.

At røbe detaljer fra den interne diskussion kan give den daværende CTO nuværende CEO røde ører, men er i virkeligheden lidt SeOgHør agtigt.
Gravatar #2 - arne_v
30. aug. 2022 13:26
#1

Men sikkerhedsniveauet kan tilsyneladende også bruges som argument.

https://www.bloomberg.com/news/articles/2022-08-30...


In a filing on Tuesday, lawyers on behalf of Musk said the allegations by Zatko, including “egregious deficiencies” in the platform’s defenses against hackers and privacy issues, meant that Twitter had breached the conditions in the merger agreement.

Gravatar #3 - larsp
30. aug. 2022 13:58
Jeg gætter stadig på at Musk ender med at købe twitter til en discountet pris.

Nu sættes de juridiske skyts i stilling, og så bliver der såmend nok indgået et forlig før retssagen rigtig kommer i gang, og Musk bliver ejer.
Gravatar #4 - arne_v
9. sep. 2022 13:55
Ny undersøgelse siger få (under 5%) men meget aktive (20-29% af posts) bots:

https://www.businessinsider.com/twitter-bots-compr...
Gravatar #5 - arne_v
9. sep. 2022 15:53
Bob Iger taler også Twitter bots men er lidt mere poleret end Musk.

https://www.reuters.com/technology/disney-found-su...


Former Disney CEO Bob Iger said on Wednesday the entertainment giant had determined that a "substantial portion" of Twitter's users were "not real" in 2016, when Disney was weighing a purchase of the social network.

Iger said the Walt Disney Co (DIS.N) and Twitter Inc (TWTR.N) boards were prepared to enter negotiations when he got cold feet. He said that, with Twitter's help, Disney had learned that "a substantial portion - not a majority -" of users were fake.
...
Iger did not mention Musk by name in his remarks on Wednesday, but he did say: “Interestingly enough, because I read the news these days, we did look very carefully at all of the Twitter users," before going on to say that "a substantial portion" of Twitter users "were not real."

In his memoir, "The Ride of a Lifetime," Iger wrote that he had second thoughts about a deal with Twitter because of the "nastiness" of the discourse on Twitter that he feared would become a distraction.

Gravatar #7 - arne_v
29. sep. 2022 16:37
Twitter siger 5%.

Musk siger 20%.

Nu har to firmaer hyret af Musk sagt henholdsvis 5.3% og 11%.

https://www.businessinsider.com/elon-musk-data-sci...
Gravatar #8 - arne_v
4. okt. 2022 16:52
Og nu forlyder det at Musk måske køber til den oprindeligt aftalte pris frivilligt.

https://www.cnn.com/2022/10/04/tech/elon-musk-twit...
Gravatar #9 - larsp
5. okt. 2022 04:59
#8 Jeg tror ikke at denne eskapade gik som Musk håbede. Det er godt nok en hæftig regning.

Musks oprindelige motivation kom muligvis fra Jack Dorsey: https://twitter.com/techemails/status/157558827770... og indebar open sourcing af protokollen og forbud mod reklamer. Det rimer ikke ret godt med multi-milliard investeringer, hvis Musk da håber på at få bare lidt forrentning for de penge. Men måske er det en gigantisk filantropisk investering fra Musk (jeg tvivler).
Gravatar #10 - arne_v
5. okt. 2022 13:41
#9

Ja - jeg forstår ikke Musk.

Han kunne have valgt at købe til den aftalte pris i god ro og orden.

Eller han kunne have valgt at tage kampen i retten og regne med at betale den 1 B$ falden på gulvet klausul eller et andet beløb som domstolen kom op med.

Men at sige han vil købe, forsøge at bakke ud, se et større antal Twitter ansatte forlade firmaet og dermed reducere værdien af Twitter og så alligevel købe giver ingen mening for mig.

Gravatar #11 - arne_v
6. okt. 2022 18:11
Der er nu et vildt rygte på banen:

https://www.businessinsider.com/twitter-whistleblo...

Der spekuleres i at Zatko muligvis har kontaktet Musk's advokater og ytret ønske om et job inden han offentliggjorde Twitters sikkehedsproblemer.

Musk's advokater var som man kunne forvente ikke interesseret i noget sådant (det ville have store potentielle juridiske og etiske problemer).

Gå til top

Opret dig som bruger i dag

Det er gratis, og du binder dig ikke til noget.

Når du er oprettet som bruger, får du adgang til en lang række af sidens andre muligheder, såsom at udforme siden efter eget ønske og deltage i diskussionerne.

Opret Bruger Login