Zatko further alleges that Twitter doesn’t have a comprehensive testing or development environment in which to test new features and system upgrades before rolling them into live production software. As such, Zatko describes a situation in which engineers work alongside live systems and “test live on commercial service, resulting in frequent service disruptions.” The documents also allege that about half of Twitter employees have privileged access to live production systems and user data, without adequate monitoring in place to catch tampering or track unwanted activity. Zatko’s complaint describes Twitter as having about 11,000 employees. Twitter says it now has about 7,000 employees.
The complaint claims that these poor privacy practices explain Twitter’s track record of security incidents, data breaches, and dangerous user account takeovers.
“We are reviewing the published redacted claims,” Twitter CEO Parag Agrawal wrote in a message to Twitter employees this morning. “We will pursue every avenue to protect our integrity as a company and set the record straight.”
Twitter says that all employee computers are centrally managed, and that its IT department can force updates or impose access restrictions if updates aren’t installed. The company also said that before a computer can connect to production systems, it must pass a check to make sure its software is up to date, and that only employees with a “business reason” can access the production environment for “specific purposes.”
Al Sutton, co-founder and chief technology officer of Snapp Automotive, was a software engineer at Twitter from August 2020 to February 2021. He noted in a tweet on Tuesday that Twitter never removed him from the GitHub group through which staff submit software changes to the company’s code repositories on the development platform. Sutton had access to private repositories for 18 months after being fired from the company, and he posted evidence that Twitter uses GitHub not only for open source work but also for internal projects. About three hours after posting about the access, Sutton reported that it had been revoked.
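The stale-access problem Sutton describes is one a defender can catch routinely by reconciling who is in the code-hosting organization against who the HR system says still works there. The following is an added example, not code from the article, from Twitter or from Sutton: the roster, the login-to-employee mapping and the organization member list are all constructed inline, where a real run would pull them from the HR system and the org membership API.

```python
"""Reconcile a code-hosting org's membership against the HR roster.

Added example, not code from the article or from Twitter. The roster, the
org member snapshot and the login-to-employee mapping below are constructed;
in a real deployment they come from the HR system, the identity provider,
and the organization's members API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # last day of employment, if terminated


@dataclass(frozen=True)
class Finding:
    login: str
    reason: str
    days_overdue: int         # days since the person should have lost access


# Constructed HR roster, keyed by employee id.
ROSTER: Dict[str, Employee] = {
    "e100": Employee("e100", "active", None),
    "e101": Employee("e101", "terminated", date(2021, 2, 26)),
    "e102": Employee("e102", "active", None),
}

# Constructed mapping from org login to employee id, as an IdP would hold it.
LOGIN_TO_EMPLOYEE: Dict[str, str] = {
    "alice": "e100",
    "former-eng": "e101",
    "carol": "e102",
}

# Constructed snapshot of the org's members; "contractor-bot" has no owner.
ORG_MEMBERS: List[str] = ["alice", "former-eng", "carol", "contractor-bot"]


def find_stale_members(org_members: List[str],
                       login_map: Dict[str, str],
                       roster: Dict[str, Employee],
                       today: date) -> List[Finding]:
    """Return every org member who should no longer be there, with a reason.

    Two failure modes are caught: a login mapped to someone HR no longer
    lists as active, and a login that maps to no employee at all (which
    offboarding can never revoke because nobody owns it).
    """
    findings: List[Finding] = []
    for login in org_members:
        emp_id = login_map.get(login)
        if emp_id is None:
            findings.append(Finding(login, "no employee mapped to this login", 0))
            continue
        emp = roster.get(emp_id)
        if emp is None or emp.status != "active":
            overdue = (today - emp.end_date).days if emp and emp.end_date else 0
            findings.append(Finding(login, "employee not active in HR roster", overdue))
    return findings


def stale_logins(today: date) -> List[str]:
    """Convenience wrapper over the constructed data, sorted for stable output."""
    return sorted(f.login for f in find_stale_members(ORG_MEMBERS, LOGIN_TO_EMPLOYEE, ROSTER, today))


if __name__ == "__main__":
    for finding in find_stale_members(ORG_MEMBERS, LOGIN_TO_EMPLOYEE, ROSTER, date(2022, 8, 23)):
        print(f"{finding.login}: {finding.reason} ({finding.days_overdue} days)")
```

Run on a schedule, the `days_overdue` figure turns a silent gap into a number someone owns; the unmapped-login case matters just as much, because a login nobody is accountable for never appears in any leaver's checklist.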
“I think Twitter is being pretty casual about Mudge’s claims, so I thought a verifiable example might be helpful to everyone,” he told WIRED. When asked whether Zatko’s accusations were consistent with his experience working at Twitter, Sutton added, “I think the best thing to say here is that I have no reason to doubt his statements.”
Security researchers and engineers emphasize that while there are different ways to approach security in a production environment, there is a conceptual problem if employees have broad access to user data and code is deployed without extensive logging. Some organizations take an approach that severely restricts access, while others use a combination of broader access and continuous monitoring, but either choice should be a conscious one in which a company invests heavily. For example, after the Chinese government breached Google in 2010, the company went all in on the former approach.
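The two approaches described above, severely restricted access versus broader access with continuous monitoring, can be made concrete in a small access gate. What follows is an added example, not Twitter’s code and not from the article or from any of the people quoted in it: the user-record store, the engineer identities and the ticket numbers are constructed, and the `ProductionGate` class, its policy names and the `suspicious_actors` check are this example’s own design.

```python
"""Two policies for engineer access to production user data, both auditable.

Added example; not code from the article or from Twitter. The user records,
identities and tickets are constructed, and the policy names, the gate class
and the monitoring rule are this example's own assumptions.
"""
import json
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed stand-in for a production user-data store.
USER_RECORDS: Dict[str, Dict[str, str]] = {
    f"u{i}": {"email": f"user{i}@example.test"} for i in range(1, 7)
}


class AccessDenied(Exception):
    """Raised when the gate refuses a production read."""


class ProductionGate:
    """Mediates reads of user records under one of two policies.

    "restrict": deny by default; only identities on an explicit allowlist may
                read, and every decision (including denials) is still logged.
    "monitor":  any engineer may read, but only with a justification ticket,
                and every read is logged so it can be reviewed continuously.
    """

    def __init__(self, policy: str, allowlist: FrozenSet[str] = frozenset()):
        if policy not in ("restrict", "monitor"):
            raise ValueError("policy must be 'restrict' or 'monitor'")
        self.policy = policy
        self.allowlist = allowlist
        self.audit_log: List[dict] = []  # append-only; a real deployment ships it off-host

    def read_user(self, actor: str, user_id: str, ticket: Optional[str]) -> dict:
        # Both policies refuse a read that is not tied to a ticket.
        if not ticket:
            self._record(actor, user_id, ticket, "deny", "no justification ticket")
            raise AccessDenied(f"{actor}: access requires a ticket")
        if self.policy == "restrict" and actor not in self.allowlist:
            self._record(actor, user_id, ticket, "deny", "actor not on allowlist")
            raise AccessDenied(f"{actor}: not permitted under restrict policy")
        self._record(actor, user_id, ticket, "allow", "")
        return USER_RECORDS[user_id]

    def _record(self, actor, user_id, ticket, decision, reason) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "user_id": user_id, "ticket": ticket,
            "decision": decision, "reason": reason,
        })

    def export_jsonl(self) -> str:
        """One JSON line per decision, the shape a log pipeline would ingest."""
        return "\n".join(json.dumps(e) for e in self.audit_log)


def suspicious_actors(audit_log: List[dict], max_distinct_users: int = 3) -> List[str]:
    """Continuous-monitoring rule: flag actors who read more distinct users
    under a single ticket than a legitimate support task plausibly needs."""
    seen: Dict[tuple, set] = {}
    for entry in audit_log:
        if entry["decision"] != "allow":
            continue
        seen.setdefault((entry["actor"], entry["ticket"]), set()).add(entry["user_id"])
    return sorted({actor for (actor, _), users in seen.items() if len(users) > max_distinct_users})


def demo() -> dict:
    """Exercise both policies on constructed activity and return what each caught."""
    monitor = ProductionGate("monitor")
    for uid in ("u1", "u2", "u3", "u4", "u5"):
        monitor.read_user("eng-broad", uid, "INC-1001")    # bulk read under one ticket
    monitor.read_user("eng-focused", "u6", "INC-1002")     # single, plausible read

    restrict = ProductionGate("restrict", allowlist=frozenset({"oncall-sre"}))
    restrict.read_user("oncall-sre", "u1", "INC-1003")
    denied = 0
    for actor, ticket in (("eng-broad", "INC-1004"), ("oncall-sre", None)):
        try:
            restrict.read_user(actor, "u2", ticket)
        except AccessDenied:
            denied += 1
    return {
        "flagged": suspicious_actors(monitor.audit_log),
        "restrict_denied": denied,
        "restrict_log_decisions": [e["decision"] for e in restrict.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the engineers quoted above make: neither policy is wrong on its own, but each only works if the company builds the surrounding machinery, an allowlist that is actually maintained in the first case, a log that is actually reviewed in the second.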
“It’s not really unusual for companies to have a relatively liberal policy about allowing engineers access to production systems,” said Perry Metzger, managing partner at the consulting firm Metzger, Dowdeswell & Company, “but when they do, they are very strict about logging everything that is done. Mudge has a top reputation, but let’s say he’s completely incompetent. It would be easy for them to provide technical details of the logging system they use when giving engineers access to production systems. But what Mudge is portraying is a culture where people would rather cover things up than fix them, and that’s a bit unsettling.”
Zatko and Whistleblower Aid, the nonprofit legal group representing him, said they stand by the documents released on Tuesday. Libby Liu, CEO of Whistleblower Aid, said: “Twitter has a tremendous influence on the lives of hundreds of millions of people around the world, and it has fundamental obligations to users and governments to ensure it provides a safe and secure platform.”
For now, however, the allegations raise a series of serious concerns that seem unlikely to be quickly explained or fully resolved.