In reading Mudge's complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it. Instead you had an org with massive amounts of technical and operational debt, and leadership not willing to invest in it. There are always tradeoffs between fixing technical debt and building new features. Twitter leadership chose to ignore (and to some extent, hide) the problem rather than invest. They certainly aren't unique in having a security plan that is built around hope.

Engineers having full control over their dev machines up to and including preventing system updates is not ideal; but not out of the norm for tech. Poor data access controls, and out of date server fleets (where I'd expect updates to be pretty automated) are far more worrying to me.
googlryas|3 years ago
ImPostingOnHN|3 years ago
Any amateur can run some automated scanners and issue security diktats to the rest of the organization.
TheRealDunkirk|3 years ago
I've worked in 3 Fortune 250 blue chip companies. My experience is that senior management is doing just enough about security to check the boxes that the trade press -- and the consultants they say we should hire -- say we need to check to have enough legal coverage to weather a possible lawsuit.
Given that Yahoo! had their ENTIRE user database hacked, and VISA, and endless other examples of major personal data breaches, and that none of these things ever results in anything more than a slap on the wrist, I'd say that even these paltry box-checking efforts are probably a waste of money.
I don't know how this situation would be materially any different at a "FAANG" company versus a 100-year-old manufacturing company.
saagarjha|3 years ago
If you had an out-of-date version of the OS you’d be cut off from the VPN. Pretty standard stuff.
gwittel|3 years ago
My intent was pointing out that engineers with high level access to their dev machines is pretty common in tech. Not that other controls like policy enforcement are also often absent in tech (esp in larger companies). Hard to know how common that is -- seems unusual at least in big tech.