Millennials and Gen Z may have no idea who Mudge is. I, however, almost lost my first job out of college at a bank because I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords. I showed my boss, and he pulled me aside into another room and tore my head off for irresponsibly running this tool against a production server. He said I could have been fired if this got out, but he covered my ass, sent out an email requesting everyone reset their passwords, and let me continue working. I learned a good lesson because even though my intentions were good, and it did expose security issues, it was a bit immature and should have been done in a more controlled manner along with the proper clearances.
Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid.
I met Mudge once in my career early on (I was at VA Linux systems circa 1999ish) and I found him intense, an apex intellect, but absolutely affable and self-aware.
He never struck me then, or in any interview or write up since, that he's impulsive, or prone to taking actions like what he's done to Twitter, in a cavalier way. He saw something bad and thinks something should be done to address it.
He likely made that decision because the culture at Twitter is as bolloxed as he states (maybe worse), and that it's one thing to fire a guy, but to do so to hide damning truths, and expect that person to just accept their fate AND let you get away with it without a cost is in this day and age, a farcical hope. Your "Mudge knows the implications of "whistleblowing". He has been a security consultant and even testified to Congress. He's not some noob that doesn't understand security or how systems work together to provide services like disclosure to FTC. The idea that Twitter PR can pooh-pooh away his concerns is shockingly stupid." is spot-on.
A) an old hand and doesn’t know how to run a security program with the tech today
B) a strong tech hire who can’t lead a program.
But Mudge is still… Mudge, and he’s also proven his ability to collaborate, so if he was a bull in a china shop at Twitter, that would be surprising.
There’s also a broader trend here of well known security leads that originate from that time working at social media and leaving quickly, like Alex Stamos, who also u-turned out of Facebook.
So are the odds higher that Mudge did a bad job, or this set of companies are not great internally and old guard security leads are pointing it out? The twitter CEO letter framing him as a bad employee doesn’t address this context.
I think it was '96? I was working at Taos Mountain at the time. At that time, Taos had a reasonably close relation to Randal Schwartz ( https://www.oreilly.com/library/view/learning-perl-6th/97814... ) and he gave a talk for contractors which was titled "Just Another (convicted) Perl Hacker".
In that talk he told of his time at Intel and running crack on a shiny new sparc and all the problems that caused.
The focus of it was a "how not to get into trouble as a contractor".
Somewhere, I've still got my pink camel book with duct taped edges (for durability) with his signature on the inside title page.
In any case, your own chief of security coming out and saying your security is crap would be devastating for any company. But when it's a person with a credentials list like Mudge's, one can be quite sure he's not just doing it because of some disagreement about salary and vacation days, and it would be impossible to dismiss this as a "disgruntled employee issue". Twitter would probably try anyway, but it won't work.
Twitter is going to be in a lot of hot water now, and I can't imagine Musk isn't going to milk this to the last drop.
> I ran l0phtcrack against our Windows NT 4 server to see if it could crack passwords.
Lol, did the same thing for a government entity I was working for, also without prior permission. It showed 1/4 of the people used the name of the entity as their password, including 2 users with domain admin credentials. Both of the domain admins weren't even IT people; they were the director and his assistant, who demanded to be admins because they were 'admin' within the org.
In my case, I didn't get a scolding, but probably should have. As your prior boss said, it was not good to do it on a running production server. Now a restored backup running on a private network...
Twitter Inc. is indeed in very serious trouble if you have someone like Mudge whistleblowing.
Now looking at the chaos, damage control and the PR disaster that is happening at Twitter HQ after this, I have zero confidence in whatever Twitter HQ and the CEO is saying other than admitting their total incompetency towards how they handle information security at the company. All attempts to make this disaster disappear will not only fail, but will eventually backfire.
I don't because I'm not seeing an organization that will hold them accountable.
- This Congress is ill-equipped to understand tech, much less hold it accountable. As long as the people are happy, Congress is happy.
- Lord knows the people are ill-equipped to get how bad this is. They already watched this company allow a rogue employee to shut off the account of the President of the United States (before they chose to do it as policy; https://www.washingtonpost.com/news/the-switch/wp/2017/11/02...) and watched this company deploy a username-to-telephone lookup service publicly where they'd intended to deploy a security protocol (https://www.ghacks.net/2022/08/08/twitter-confirms-that-a-da...). The public doesn't understand why they should care.
- The only group who could really hold Twitter accountable are shareholders, but why should they care if the public and Congress don't? The money will roll in either way.
Unless they've managed to commit an SEC violation (in which case, slap on the wrist incoming), there are no consequences for this kind of bad behavior until someone powerful gets seriously hurt. I'm glad Mudge is doing the right thing, but extremely pessimistic much will come of it. My recommendation is to shed Twitter as a user.
I did the same thing on a server for a major department store chain in the '90s. I booted a Linux diskette and copied the SAM file to it. I also ran l0phtcrack, or John the Ripper on a 486 (?) PC in my apartment. I think I bought a rainbow table and something else to expand the iterations it would use on the hashes. I let it run for over a week and had a couple of thousand clear passwords. This was for every store west of the Mississippi and included most of the "big-wigs" in our chain.
I was going to send the information to our security people in another state but decided it probably wouldn't be a wise thing to do.
I come across the HDD where I have this stuff archived every now and then and it makes me smile. This was also in the "Free Kevin" days.
That's a funny story. I have a similar anecdote where I was asked to crack a zip file in a saga related to a dispute with a vendor who gave us a password protected zip file with the deliverables but not the password.
There's a simpler explanation. He is doing this for profit. I don't buy all the speculation that he approached the SEC out of some professional obligation or simply to spite the Twitter leadership. As a former executive he most likely still holds stock and having the price plunge is not exactly in his interest unless the pay-off from whistleblowing is high enough. Given his high profile, he just burned all bridges career-wise at big tech. The expected whistleblower payout here must be enormous.
Actions speak louder than words. For him to file this complaint now, after Musk pulled out of his Twitter purchase, makes any truthful statements pretty low value to Musk’s case. Does Twitter need better security? Yeah. Will Twitter get embarrassed? Yeah?
Will this testimony show Musk completely miffed his due diligence while building up a huge loan package that would have sent most of Twitter’s revenue to debt service? The timeline is what matters.
I learned a lot about Mudge by reading "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World."
For anyone wanting to explore 90's security nostalgia, it's worth a read. For anyone wanting to learn where hacktivism comes from, it's worth a read. For anyone wanting to learn about how security consulting has evolved over the years, it's worth a read.
Mudge is a very cool and capable individual. I am slightly surprised that Twitter would ignore someone of his talent and respect, and choose to air their dirty laundry in this manner. It's as if they have no idea who they hired. That, or C-levels think they can outpay $$$ any PR against Twitter to control the narrative. Either way, if Mudge is whistleblowing, there's probably some bad shit going down.
The whistleblowing case is a new dimension. To me as an outsider it implies Agrawal may have also been the manager in his previous technical role for a lot of the tech problems Zatko identified, and what made Agrawal CEO was his ability to leverage these problems to play ball with all the interests in that company and board, while sustaining through neglect some of those concerning practices within the organization. Twitter's product isn't technology, it's an uncertified slot machine that pays out in political influence, and there are a lot of big interests depending on their cut of it. They needed a steady hand who wouldn't be vulnerable to being swayed by principle, and that's the one thing you don't keep hackers around for, imo.
If I were betting, nothing is ever really systemically broken in large orgs, it just works for someone you can't see. This is a factor everywhere and not necessarily at Twitter. Shitty process? Cui bono. Unverifiable systems? Cui bono. Deniable and unaccounted-for access to God-mode data? Cui bono. Repudiable numbers reporting? Cui bono. Bizarre political posturing? Cui bono, etc.
Part of the allegation seems to be that the beneficiaries may be foreign state actors who have infiltrated the organization.
Not particularly shocking, as they'd have to be incompetent to not try to infiltrate a major communications platform, and if the internal controls are as bad as alleged (and as was exposed in some of the prior hacks, e.g. the control panel screenshots) they'd have to be incompetent to fail.
Is it just me, or does some of this feel less whistleblower-y and more petty? For example:
> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.
That said, this is Mudge. I have a lot of respect for the guy, and I believe what he says. I'll chalk the pettiness up to this article being a summary of a more complete document that I'd like to read at some point.
> The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.
I mean, if it were true that seems pretty negligent. If that were the entire extent of the whistleblower complaint (not sure if complaint is the right term?), I would agree, but it seems as though there are some significant issues raised in the rest of the report.
Quite a few parts of it are petty, and honestly feel like he was at war with most of the leaders.
He wasn't responsible for disaster recovery, or reliability, yet he was reporting to the board (going above his reporting chain), telling them that the company wasn't doing enough because it can't handle _multiple_ data center outages at once? Very, very few companies could handle that. If twitter can handle their primary datacenter failing, then they do have a working DR plan. They aren't lying. Is the DR plan to Mudge's liking? Obviously not, but his idea of a DR plan is out of line with what the vast majority of the industry considers a reasonable DR plan.
Similarly, mDAU vs user/bot numbers aren't lies. The company switched their reporting metric. They're accurately reporting their growth metric to the board, and to the shareholders. The raw user numbers could actually matter to the board/shareholders, but the board could have required them to report them and didn't. Just because they aren't reporting the metric you'd prefer them to report doesn't mean they're lying to anyone.
There are a number of legitimate complaints in the disclosure related to poor security practices, but many of them feel like internal problems that don't rise to the level of crimes. Sadly, he may have had a hard time moving the needle on those issues because he was spending his time fighting everyone.
He's a gifted engineer, and may even be a gifted leader, but that doesn't mean he was doing a good job in the culture he was working in. I read the whole document, and the majority feels like someone running headfirst into bad cultural issues and burning out while making enemies.
For a company that likes to speak of itself as being a valuable piece of communication infrastructure (it isn't, Twitter's a website), this is pretty concerning and shows a lack of seriousness compared to, oh, say, the Bell System.
Gov (a term that ranges from your head of state down your county dog-catcher,) needs to get off these services asap. Twitter, TikTok, Instagram, FB are all modern versions of your old AOL Keyword.
Today we have ActivityPub, a W3C recommendation, which would be a great alternative.
Where do you see that info in the Verge article? All I can see is "he filed last month" (which would be July 2022) - the month Musk "officially" backed out and at least a month after he started doing the "I don't want Twitter any more" dance.
> Nobody at the Valley's unicorns seemed too concerned with security. (I asked Jack Dorsey that year whether he worried about the fact that hackers were continually pointing out holes in Twitter and in his new payment start-up, Square. "Those guys like to whine a lot," he replied.)
God Mode, from my understanding, allows a Twitter employee to have access to an account and allows for a post to be made, under that account's id, without the account being notified or seeing the post show up in their own timeline.
Is this an accurate statement?
If so, why did nearly 1000 employees (12% of the workforce) have access to this mode before it was restricted, and what's the business case for that?
The "whistleblower" is Mudge? Ok, I didn't care before, but if Mudge is putting his reputation on the line, this is probably actually serious and legit.
Literally the entire security community knows and looks up to Mudge. If anyone finds out that anything he said was bullshit, it will get blasted from the rooftops and he'll become a laughing stock. He would have to want the rest of his career to be working for morons and be ostracized from his friends and community to make this shit up.
It is rather disconcerting how a platform that is apparently rather integral to the discourse of today is in the hands of a single private company. It doesn't matter who owns it, if it's Musk or someone else, the fact that it's at the whims of a private company, is the primary channel for discourse, and is something legislatures cannot even comprehend because of their age, should have alarm bells going off. Coupled with the fact that there is lacking IT education about hardware/software means that there is an environment that is ripe for the encroachment of digital rights, as we've been seeing this past decade.
> About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors
For a solid and genuine technical person considering a CISO or CISO-like role, I've had the impression that they have to be very selective where they go.
Even in what I'd guess is an "ideal" situation, of tractable technical & process problems, and genuine buy-in from the C-suite for solving/improving them, there's still going to be dynamics/politics to navigate.
I also hear of a lot of much-less-than-ideal situations.
I hate being asked to hand over my phone number for 2FA or similar protections. Or facing the choice between deleting all my DMs or risking them being compromised on account of no E2E support. Then again, even if you delete something, there's no knowing what their data retention handling is.
Seems like Twitter loves going through the cycle of getting hacked→hiring good talent and focusing on security→losing people and focus→relaxing their stance→getting hacked :(
By the CNN piece it seems like Twitter hired a community figure, which is a common mistake that leads to bad performance evaluation. Public figures are trained on being public figures; they are not necessarily the best folks to build a security organization. OTOH there seems to be some frustration from both sides regarding performance, and if it gets public our hackerman will have a rough time being exposed. I don't think that was a good idea (reporting to the SEC would work better IMO).
If this is true this would be particularly damning
> Zatko’s complaint says he believed the Indian government had forced Twitter to put one of its agents on the payroll, with access to user data at a time of intense protests in the country. The complaint said supporting information for that claim has gone to the National Security Division of the Justice Department and the Senate Select Committee on Intelligence. Another person familiar with the matter agreed that the employee was probably an agent.[1]
This should get the attention of politicians, who are probably the most active users of Twitter. Having their contacts, comms, and metadata such as phone location exposed and collected by adversaries is probably a concern for them and our entire political system. Recall how J. Edgar Hoover was collecting dirt on every politician to blackmail them to keep his agency funded without oversight. Twitter would have been a wet dream for him.
Eh, you could take out Twitter and insert many other company names and it'll still hold true. And those companies hold so much more sensitive data about you than Twitter.
I know of insurance companies that have help desk employees with domain admin access. And all crippling ransomware attacks take advantage of lax permissions.
I wish CNN would just air their interview in full instead of splicing his answers into 5 second soundbites with editorialized voiceover framing. I'm infinitely less interested in CNN's reporter's summation of the issue than that of the veteran security analyst at the heart of the story.
Sure, the article focuses on Mudge because he's blowing the whistle, but Mudge and Rinki Sethi (ex-CISO) were fired at the same time.
When you fire both your chief of security and your CISO months after you hire them, it's weird. Even if your chief of security had personal failings, why fire his boss? If the boss falls on her sword for a direct, that certainly makes me think to take what they're saying seriously.
purpleblue | 3 years ago
I think Twitter is in real trouble here.
zeruch | 3 years ago
dogman144 | 3 years ago
shagie | 3 years ago
smsm42 | 3 years ago
webdoodle | 3 years ago
rvz | 3 years ago
So what else was Twitter lying about?
dboreham | 3 years ago
shadowgovt | 3 years ago
last_responder | 3 years ago
ChrisArchitect | 3 years ago
icelancer | 3 years ago
Then I clicked through and saw it was Mudge.
Ah jeez.
b06timmer | 3 years ago
Consultant32452 | 3 years ago
Those were wild times.
datavirtue | 3 years ago
All you do is make public comments that have zero value.
And if this is indeed serious, where the fuck have we landed?
melony | 3 years ago
choppaface | 3 years ago
naltun | 3 years ago
rossdavidh | 3 years ago
motohagiography | 3 years ago
nullc | 3 years ago
jasonm23 | 3 years ago
> They needed a steady hand who wouldn't be vulnerable to being swayed by principle.
That's my golden quote of the day, time for bed.
kyrofa | 3 years ago
chipgap98 | 3 years ago
maximilianburke | 3 years ago
ryan_lane | 3 years ago
MuffinFlavored | 3 years ago
I added that "disgruntled" part but... who gets fired for poor performance and doesn't become at least slightly disgruntled?
cheeselip420 | 3 years ago
Next you'll tell me that Twitter wouldn't survive global thermonuclear war.
riffic | 3 years ago
mrex | 3 years ago
zimpenfish | 3 years ago
riffic | 3 years ago
mzs | 3 years ago
https://twitter.com/donie/status/1562069281545900033
* https://www.washingtonpost.com/technology/interactive/2022/t...
edit: the PDFs from *
https://www.washingtonpost.com/technology/interactive/2022/t...
https://www.washingtonpost.com/technology/interactive/2022/t...
https://www.washingtonpost.com/technology/interactive/2022/t...
cover letter: https://s3.documentcloud.org/documents/22161666/twitter-whis...
latest reaction from Capitol Hill: https://www.washingtonpost.com/technology/2022/08/23/twitter...
https://twitter.com/nicoleperlroth/status/156204856902836633...
shrubble | 3 years ago
throwaway892238 | 3 years ago
jasonm23 | 3 years ago
bkq | 3 years ago
Signez | 3 years ago
neilv | 3 years ago
kmfrk | 3 years ago
saagarjha | 3 years ago
elesbao | 3 years ago
bogomipz | 3 years ago
[1] https://www.washingtonpost.com/technology/interactive/2022/t...
kornhole | 3 years ago
vlan0 | 3 years ago
This is rampant. How is this a story?
LatteLazy | 3 years ago
vagabund | 3 years ago
jonathankoren | 3 years ago