Twitter gets whistleblown on security, bots
August 23, 2022 9:00 AM   Subscribe

Peiter "Mudge" Zatko spills all to SEC. It's a tale as old as time in infosec, sadly. Organization hires infosec star. Star criticizes organization's infosec. Organization fires star. Star speaks out publicly and brings lawyers and receipts. What impact this will have on the Twitter takeover bid is as yet unclear, but Twitter users as well as shareholders certainly deserve answers about Twitter's security practices.
posted by humbug (60 comments total) 19 users marked this as a favorite
 
This is big and ugly. Many of the bad practices here are common at most Internet companies. Too many people having god mode, full copies of the source code on too many unsecured laptops. It's not great security but it's pretty common and mostly we muddle along somehow.

OTOH Twitter is also under much bigger threat from attackers than most companies. Also they are in the middle of a 20 year agreement with the FTC about security practices. Mudge's allegations that Twitter has been lying to those regulators and its board are very serious. And of course this allegation could throw a big wrench in the Musk acquisition.

I want to highlight this bit from the article:
In 12 months, Zatko could manage only six one-on-one calls, all less than 30 minutes, with his direct boss Dorsey, who also served as CEO of payments company Square, now known as Block
You don't start turning over rocks unless you want to know what's over them. And you don't hire someone like Mudge without managing them very tightly. It's not just bad, it's self-inflicted. Or former self, since Jack is no longer half time CEO.

CNN's article is also very good. Remarkable that the story was provided to both news outlets, someone was very well prepared.
posted by Nelson at 9:16 AM on August 23, 2022 [21 favorites]


Right on, Nelson. This is probably going to dethrone Equifax as the main case study in my human-factors-infosec course, just because the "hire infosec person then refuse to listen to them, scapegoat them, and finally get massively pwned when they bring receipts to the table" is such a common bit of organizational infosec fail.

The disclosure is real clear on the huge amount of prep Mudge did for this. Mudge knew he'd be in the crosshairs and he definitely crossed every available t and dotted every available i. I'd guess he also quietly counted on the infosec community (including Infosec Twitter) largely backing him up -- and from what I'm seeing on Infosec Twitter today, they absolutely have.

I'm hard-pressed to imagine how this could be worse for Twitter. I didn't think Oxboy had a hope in hell of walking away from the deal without parting with a whole lot of cash. Now he does, and if anyone's to blame for that it's Dorsey and Agrawal.
posted by humbug at 9:24 AM on August 23, 2022 [9 favorites]


It can simultaneously be true that this is very bad for Twitter as a company, and that it doesn't help Elon Musk's case very much. I'd love to see some analysis from actual experts in this area of litigation that suggests it is a game changer for Musk, since all I've seen so far has said the opposite. In fact, in some ways this seems to hurt him, if his main claim is that mDAU contains more bots, and Mudge's report explicitly says that they excluded bots from mDAU.

I guess also I'm a little bit jaded by working too long in the tech industry, sometimes in security-adjacent roles. This is definitely not good, but not as shocking to me as it seems to be to a lot of people. There's a LOT of stuff here that, as Nelson said, is common at most internet companies. That doesn't make it right, but it does make this a lot less shocking than it's being portrayed.

And as someone who idolized Mudge and his compatriots in the 1990s, I'm not sure I really believe that writing L0phtcrack is the right background for an executive level job at a company like this. It's like hiring a master mechanic to be CEO of Ford. They both involve cars, but that's where the similarities in job requirements end.
posted by primethyme at 9:32 AM on August 23, 2022 [16 favorites]


Some color commentary from former Twitter insiders

An engineer: I remember when Mudge had us send Twitter kernel and OS reports to a rando buddy of his in Texas.

Founder and former board member: Prob a mistake to hire an assassin and keep him like a pet w no access or authority
posted by Nelson at 9:42 AM on August 23, 2022 [7 favorites]


Great point, primethyme. Did Mudge have the interpersonal and political skills (and experience) needed to effectively engage with and influence a large organization? That's at least as, and probably more important than, making sure every server's patched and nobody's using root for their daily work just because it's "easier" than fighting inertia & setting things up the right way.

Not saying that someone else with experience in infosec would have gotten a better response from Dorsey.
posted by armoir from antproof case at 9:43 AM on August 23, 2022 [6 favorites]


I know that RICO is a law meme at this point.

In biosafety testing, we get reminders (every few years when someone REALLY screws up and gets promptly caught) that if you know, and your boss knows, their boss knows, and quality knows that you’re pulling one over on a federal regulator That’s A RICO.

This looks a lot like what biosafety labs that get busted would do on a surface level.
posted by Slackermagee at 9:44 AM on August 23, 2022 [1 favorite]


Twitter CEO response describes Mudge as "a former Twitter executive who was terminated in January 2022 for ineffective leadership and poor performance.... We are reviewing the redacted claims that have been published, but what we've seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context... Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination."
posted by ook at 9:50 AM on August 23, 2022


Twitter removes more than a million spam accounts every day

This is cited by the Twitter spokesperson in their defense. If my job was to keep turds out of the water supply, I wouldn't brag about how many turds I found in the water supply.
posted by echo target at 9:51 AM on August 23, 2022 [18 favorites]


In fact, in some ways this seems to hurt him, if his main claim is that mDAU contains more bots, and Mudge's report explicitly says that they excluded bots from mDAU.

I think the angle is going to change from mDAU to executives intentionally misleading the FTC. If that's substantiated, I think it has a pretty good chance of allowing Mr Full* Self Driving to spike the deal without penalty.
*lol
posted by tclark at 9:52 AM on August 23, 2022 [1 favorite]


a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context... Mudge was accountable for many aspects of this work

So "things are fine, and also he's responsible for things not being fine"?
posted by clawsoon at 9:53 AM on August 23, 2022 [9 favorites]


ha ha, Agrawal's response is just a crisis management mad lib

(which is fair, I suppose, at this early hour)
posted by ryanrs at 10:11 AM on August 23, 2022 [6 favorites]


Zatko was CISO (or analogue; I don't know his exact title) at Stripe for a while, and seems to have left there on good terms. Stripe's arguably a minnow compared to Twitter's (fail?)whale, but it does say something, at least, about Zatko's C-suite-whispering skills.

With the evidence currently available, I cautiously opine that this was a case of Twitter hiring a well-known public figure to leverage his integrity and reputation in Twitter's self-defence (against the feds as well as in public). I doubt Dorsey and Agrawal had any intention of actually heeding him; Dorsey ignoring him and Agrawal silencing him backs that up. So he got louder, and they fired him. Now he's bringing the real noise.

One of the reasons this rings true to me is that, as primethyme and Slackermagee suggest, this syndrome is actually pretty common. The case I currently use in human-factors-infosec is the Fairfax County Schools breach debacle from 2020, where FCS blamed their former infosec chief, who promptly produced receipts indicating that he'd warned FCS's CIO, who studiously ignored the warnings.

I do think we'll see that both Zatko's account and Twitter's contain inaccuracies and fudges. That's pretty standard in a slapfight as public as this, and given how quickly and completely he was frozen out, I don't think Zatko could have known everything he needed to know. I think (again, based on current evidence) Twitter's going to come out of this looking a lot worse than Zatko, though.
posted by humbug at 10:13 AM on August 23, 2022 [15 favorites]


I still don't understand why Twitter needs 8,000 employees.

Oh well, best of luck to them on the reorg.
posted by JoeZydeco at 10:14 AM on August 23, 2022 [3 favorites]


if you know, and your boss knows, their boss knows, and quality knows that you’re pulling one over on a federal regulator That’s A RICO.

Is you taking notes on a fucking criminal conspiracy!?
posted by chavenet at 10:28 AM on August 23, 2022 [6 favorites]


This reminds me of a portion of a recent interview Lex Fridman did with John Carmack. The gist: Carmack is astonished how reluctant mega-corp silicon valley types are to apply strict vicious judgment to their code via IDEs and debugging tools. Talks about how much it helped him develop quality code. Slightly related.
posted by shenkerism at 10:35 AM on August 23, 2022 [4 favorites]


I still don't understand why Twitter needs 8,000 employees.

Dan Luu, whose career involved working at Twitter and then later working on Google's Tensorflow silicon, has a general purpose rebuttal to these leading questions. For those who hate his aggressively basic webpages, the gist is that companies (attempt to) hire engineers until the marginal gains no longer exceed costs. Twitter needs 8k employees because there's at least that many cost saving or money making opportunities. Probably most of that opportunity is in the ads business, and is largely invisible to customers.

To bring this back on topic, he even has an aside on security:

There's also security! If you don't “bloat” your company by hiring security people, you'll end up like hotmail or yahoo, where your product is better known for how often it's hacked than for any of its other features.

posted by pwnguin at 10:42 AM on August 23, 2022 [13 favorites]


aggressively basic webpages

wow, you are not kidding! he could at least use a sans-serif font 😒 < emoji!
posted by supermedusa at 10:53 AM on August 23, 2022 [1 favorite]


I understand Luu's point, but are we really equating Twitter with Google in terms of engineering span and depth? Or is it all ad sales?
posted by JoeZydeco at 10:54 AM on August 23, 2022


This reminds me of a portion of a recent interview Lex Fridman did

Fascinating lecture. Not sure how useful debuggers are in distributed systems, but most of tech is also wildly hostile to Lamport's TLA+. Amazon talks up a good game about proving correctness with TLA+ but I'm honestly assuming it's a niche application rather than an endemic practice.

Frankly, I have problems getting QA teams to actually enforce the test suite instead of granting exceptions, rerunning test suites until they randomly pass, or removing failing tests.
posted by pwnguin at 10:57 AM on August 23, 2022 [3 favorites]


from TFA:
After terminating Peiter Zatko, Twitter asked him to spell out his concerns with the company's security so that it could investigate.
Huh. "You can't work for us anymore, but we trust you & your opinion enough to solicit your feedback on us, the company that just fired you."

Life must be more chummy at the executive level.
posted by Sauce Trough at 11:00 AM on August 23, 2022 [3 favorites]


humbug, I had seen this reported at CNN, but I hadn't seen that link you provided to the actual (redacted) whistleblower disclosure. The lawyers are from Whistleblower Aid, and I am really glad to know about that organization now. From my layperson's perspective, they seem to have done an excellent job at laying out the evidence of the violations.

I am so grateful for the existence of the internet and the ability to read these documents ourselves.

The document specifies (at least some of) the laws that may have been broken:
a. 15 U.S. Code §7142 on corporate responsibility for SEC reporting;
b. 15 U.S. Code § 7262 on management assessment of internal controls.
c. 18 U.S. Code § 1350(c)
and details the efforts of foreign governments to infiltrate and control various aspects of Twitter.

Items 4, 5, and 6 on p. 4 are especially astonishing to me:
4. Astonishingly, hours after Twitter terminated Mudge’s employment, including immediately denying him access to corporate systems, Twitter's Chief Compliance Officer began emailing Mudge at his personal gmail account, seeking to obtain his latest disclosures of fraud.
...
5. Apparently, Twitter's own compliance officers understood the gravity of a situation in which the CEO had deliberately misled the Board.
...
6. Mudge ultimately worked at least 150 hours - after he was terminated, without pay, and without access to his Twitter accounts or laptop - to do his best to document the underlying facts about information security, and the fraud he had identified.
Getting access to this document gives me a vastly better understanding of what Zatko is warning us about.

Thank you so much for posting this, humbug - I really appreciate it, and I hope Zatko's efforts make a real and lasting difference.
posted by kristi at 11:01 AM on August 23, 2022 [12 favorites]


You're welcome, kristi! I'm still reading through the redacted disclosure myself. It's good that I'm WFH today, because "holy $#!+" is leaving my mouth at intervals.

One thing that the redacted disclosure makes clear that the news stories don't is exactly what Sauce Trough noticed. Twitter's higher-ups weren't all on the same page in this mess. It was Compliance that got in touch with Zatko after he was fired. Exactly whether/how Compliance cleared or even discussed this with the C-suite... well, that sure is a question, isn't it.

And it sure was smart of Zatko to lawyer up.
posted by humbug at 11:06 AM on August 23, 2022 [3 favorites]


As long as security breaches only affect the bottom line (and are thus accountable as the cost of doing business) this bullshit will continue just as it is. When jail is offered for execs, only then will it cease in the most obvious cases. By and large, though, running a corp is all about maximizing your externalities in every way possible without regard to legality; because if you don't get caught, it isn't illegal, right? That's the rich man's motto.
posted by seanmpuckett at 11:07 AM on August 23, 2022 [5 favorites]


are we really equating Twitter with Google in terms of engineering span and depth

According to public filings, Twitter has approximately 7500 employees and Google has approximately 175k. So, no.
posted by primethyme at 11:33 AM on August 23, 2022 [3 favorites]


Times like this I wish my buddy who works for Twitter was a little less security-conscious. The gossip train appears to be on fire internally, but they're completely mum.
posted by kkar at 11:33 AM on August 23, 2022 [2 favorites]


"My god. It's full of twits."

-me, 2007.
posted by loquacious at 11:49 AM on August 23, 2022 [7 favorites]


As long as security breaches only affect the bottom line (and are thus accountable as the cost of doing business) this bullshit will continue just as it is. When jail is offered for execs, only then will it cease in the most obvious cases.

Jail is offered for execs via Sarbanes Oxley, but it's pretty hard to prove because one group (often Congress) writes the standards, one group interprets the standards for the specific corporation, limited to their understanding of them based on their understanding of the company's mission, employees or contractors do the work to meet the standards (which involve lots of judgment calls) and then independent auditors review the company's compliance with the standards. It's judgement calls all the way down unless someone is seriously cheating the system.

If my job was to keep turds out of the water supply, I wouldn't brag about how many turds I found in the water supply.

I know this was written facetiously, but cities actually do monitor because the answer is never zero. In most cities, it's public information about how much they are missing.
posted by The_Vegetables at 1:05 PM on August 23, 2022 [1 favorite]


Facetiously? Or fecesiously?
posted by JHarris at 3:47 PM on August 23, 2022 [3 favorites]


I'd love to see some analysis from actual experts in this area of litigation that suggests it is a game changer for Musk, since all I've seen so far has said the opposite.

Hello, I am a lawyer that sometimes works on merger due diligences. I would wager that this changes precisely nothing for Musk. He waived the due diligence process. The deal he signed had no caveats regarding security or bots.
posted by His thoughts were red thoughts at 3:54 PM on August 23, 2022 [10 favorites]


Did Mudge have the interpersonal and political skills (and experience) needed to effectively engage with and influence a large organization?

He worked at a high level for DARPA and Google as well as a major government contractor. What more experience do you think he'd need?
posted by Candleman at 6:18 PM on August 23, 2022 [5 favorites]


Frankly, given the engagement and relationship, I'd wonder if Twitter had the technical and diplomatic skills needed to effectively engage with the material Mudge was providing to them.
posted by rhizome at 6:51 PM on August 23, 2022 [11 favorites]


There's a big difference between working in a large organization and having a top-level leadership role in a larger organization (and in terms of organizational maturity, transparency, and probity of top level execs, Google's not the greatest example). That being said, my question was asked before I'd learned whether he had done any of the latter, and before I'd finished reading and discovered that at Twitter he was apparently surrounded by asshattery of the highest order. So whether or not he came to the job with skills to transform the organization in the manner that was needed is moot. Perhaps he did; probably did; but it couldn't have happened given the clowns he was working for/with. I wish him the best and consider myself thankful and lucky that he's willing to do what he's doing, and hope his next gig brings him colleagues and challenges that deserve all his skills.
posted by armoir from antproof case at 8:16 PM on August 23, 2022 [3 favorites]


As an aside, by providing clear and direct links to source documents WaPo may have finally earned my subscription dollar.
posted by Tell Me No Lies at 9:01 PM on August 23, 2022 [2 favorites]


I just read through all the documents, and I’ve gotta say that the whole thing just feels…weird. Like, it’s written rather poorly, from both a narrative perspective and in its content. The basic infosec problems alleged are quite serious (but, as others have mentioned, distressingly commonplace at the same time), but there’s just this odd lack of specificity throughout the whole document and a lot of bones picked with Agrawal.

There really are only 4 or 5 data points to illustrate all of this—40% of 500k servers, 30% of 10000 endpoints, 50% of 8000 users, etc. These are pretty gravely bad things to have going on. But we go from here to oddly phrased claims of “fraud” on the basis that an 11-slide presentation to Twitter’s board used rose colored glasses in presenting his findings. Like, that’s it. He uses the terms “fraud” and “illegal” in the context of this, without displaying anything actually inaccurate about what was put in front of the board. That’s it.

Then there’s an entire section devoted to dissecting twitter exchanges between Musk and Agrawal around bots that’s written not from any sort of security or privacy concern but instead to steel up Musk’s argument that having too many bots is a material adverse event and that mDAUs are stupid and twitter execs get paid too much. Like, those last two things are true, but it really doesn’t help the credibility any.

The only thing I’m seeing here that wasn’t already publicly obvious (and maybe it was?) is that Twitter has no test environment and they apparently develop exclusively in the production environment. Which—frankly I don’t even know how they can function.

I’m seeing both praise and condemnation heaped on this guy, but I know nothing about his background. Going exclusively off this work product, I’m inclined to conclude that Twitter’s security is pathetic and that this is pretty thin gruel written by someone with a grievance and possible Musk-related job aspirations.
posted by Room 101 at 9:06 PM on August 23, 2022 [5 favorites]


My understanding of the many allegations of fraud (after, admittedly, only skimming pretty quickly) is that they concern the consent decree - that, per page 25, "Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance," and (p. 26) "misrepresentations to the FTC on these matters." (And there's the footnote on that page about how they were breaking French data laws in late 2021.)

I am annoyed that so much media attention involves how this affects Musk's attempt to buy Twitter (and attempt to get out of it). Musk is practically irrelevant here. According to Mudge, Twitter is lying to the US government about changes it is legally bound to make to protect user data, and lying to investors, as well.

As the document points out, the July 2020 hack in which a teenager and his friends took over accounts belonging to Obama, Biden, Bezos, Gates, and Musk occurred after "nine years of supposed fixes, investments, compliance policies, and reports to the FTC by Twitter". At the end of that month, the FTC filed a complaint against Twitter for violating the 2011 consent order, and fined the company $150 million this past May.

Some of that info - the FTC's complaint and fine - has been public knowledge, but adding in Mudge's specific knowledge of all the many deficiencies in all the areas targeted by the consent order, and in all the areas that have been misrepresented to investors - that provides a much clearer picture to me of the apparent utter lack of concern for the law and for their investors, much of which does, indeed, to me, sound actually, actionably illegal.

A number of congressfolk have gotten interested, so perhaps we'll have some hearings and some further evidence in the future.
posted by kristi at 9:58 PM on August 23, 2022 [8 favorites]


Zatko was CISO (or analogue; I don't know his exact title) at Stripe for a while, and seems to have left there on good terms. Stripe's arguably a minnow compared to Twitter's (fail?)whale, but it does say something, at least, about Zatko's C-suite-whispering skills.

Given that Stripe is in the payments business, from a compliance point of view they are not really a minnow (even if they are smaller as an organisation).

Zatko was CISO (or analogue; I don't know his exact title) at Stripe for a while, and seems to have left there on good terms. Stripe's arguably a minnow compared to Twitter's (fail?)whale, but it does say something, at least, about Zatko's C-suite-whispering skills.

He was also apparently well regarded as a program manager at DARPA which is a challenging civil service type job with a lot of complicated stakeholder management. I get the idea that old school anti-establishment hacker skills may not map to a CISO role but he's done quite a lot of big-corp / big-government exec roles over the last 20 years so I'm not sure how applicable that is to him in this particular case.

I agree that the bot stuff doesn't help Musk because it isn't new information (and anyway mostly concerns whether it makes sense to use mDAU rather than whether mDAU figures are themselves correct which is what Musk is alleging) but I wonder if being in violation of the FTC consent decree, knowing that they were, and not doing anything about it or disclosing it might help him get out of the deal?
posted by atrazine at 1:38 AM on August 24, 2022 [1 favorite]


Zatko's title at Stripe was "Head of Security", not CISO. He was also not CISO at Twitter; on LinkedIn he lists his title as "Executive Team". (The CISO during Mudge's time at Twitter was Rinki Sethi who has managed to keep a low profile this news cycle.)

The title choice may well be deliberate; I believe the CISO has specific legal obligations under compliance law including Sarbanes-Oxley. A vaguer title frees someone to do a bunch of meaningful work without having to dance around legal and organizational requirements.

Whatever Mudge's corporate skills are it clearly all blew up here. I'm still oscillating between "wow it sure sounds like Twitter fucked up in their security practices" and "wow it sure sounds like Twitter fucked up bringing this guy inside only for him to spill the beans".
posted by Nelson at 7:08 AM on August 24, 2022 [1 favorite]


Why not both?
posted by mephron at 8:26 AM on August 24, 2022 [1 favorite]


Metafilter: posting just to quote our own fifteen-year-old hot take.
posted by viborg at 8:39 AM on August 24, 2022


There's a thing that's happened to me a couple of times, where I've been hired because of my public reputation (in my niche), which includes (I will make bold to say) outspokenness, a critical eye, and a fair amount of personal/professional integrity. Then the folks who hired me got all shocked! SHOCKED! when I turned my critical eye on them and didn't shut up about it.

Like, what were they expecting exactly? They wanted my rep to burnish theirs, but didn't want any of the expertise and behavior leading to that rep. I've wondered sometimes if it was a cynical "nobody actually has integrity; it's all a show, so if we just pay humbug enough money she'll torch her integrity and eventually her rep for our benefit" belief on their part. Yeah, no, actually, I kind of won't.

So yeah, I do think Dorsey hired Zatko partly on the strength of his (earned) reputation for integrity, because Twitter didn't have that rep and Dorsey hoped they could coast on Zatko's. And I do think Agrawal couldn't stand Zatko largely because Zatko was pointing out loudly and clearly that under Agrawal-as-CTO's watch Twitter had become a security dumpster fire. (I'm bemused by commentary indicating that many Twitter employees didn't like Zatko. Of course they didn't. He was pointing out their security screwups and insisting they fix them! Which was his actual job! I talk about this in human-factors infosec: a lot of infosec work at any level is telling people they're doing it wrong, and trying to get them to change how they do things when they emphatically don't wanna. It's hard.) And when Dorsey didn't back Zatko against Agrawal, Zatko found himself without good choices.

And Agrawal didn't have good choices either, or perhaps better said, didn't have a good choice he was willing to accept. He sure looked to be in too deep with the shell game he (and to be fair, Dorsey too) had been playing with the board and SEC to let Zatko do his job. (He may also have been pretty deep in denial about his own performance as CTO. Again, this... is a thing that happens when CTOs and infosec chiefs clash.) And firing Zatko brought the risk of -- exactly what has just happened.

So yeah, sure. Sure, it's dangerous to hire critical, outspoken experts with integrity. I'm largely unhirable in librarianship (and persona wholly non grata in Minnesota libraries) because librarians know who I am and how I operate -- I'm not properly Library Nice. But I'll make bold to say that librarianship is better for my presence in it anyway. And Twitter could have been better off if they'd treated Zatko as an expert instead of a ripoffable reputation.

It's entirely possible I'm so strongly Team Zatko because I kinda identify with his situation. But it's because I've been in similar situations that Zatko's account rings a lot truer to me than Agrawal/Twitter's vague denials and attempted character assassination.
posted by humbug at 8:41 AM on August 24, 2022 [18 favorites]


Thank you for that personal perspective, humbug. I think you're right that hiring Zatko because it looked good was part of what was going on. Jack might have both sincerely believed Zatko would do useful work for Twitter and that hiring him was good for appearances. And then also fail to follow through in any useful way, setting up the problem we see now.

On the question of what this means for the Musk deal, Levine weighs in
Even if these claims are true, and even if they are evidence of fraud or material adverse effect, they are not evidence of anything that Musk has been complaining about. Musk would have to, like, send Twitter a new termination letter saying “never mind about the bot stuff, now I’m terminating the deal because of the security vulnerability stuff.” But he could do that, why not. He’s not limited to the excuses he’s already tried; if people keep finding him new excuses to get out of the deal, he can try those too. Maybe one will work.
Levine also links to Ann Lipton's thread parsing closely what this might mean for Musk's attempts to get out of the contract he signed.
posted by Nelson at 9:02 AM on August 24, 2022 [2 favorites]


I am annoyed that so much media attention involves how this affects Musk's attempt to buy Twitter (and attempt to get out of it).

Why? The first substantive subhead (#2) is "Lying about Bots to Elon Musk". What that has to do with security is anyone's guess, but that's what they get for including it.

It also reads like they literally gave this guy too wide a list of responsibilities, and he was unable to focus and fix anything because all were seriously deficient. I thought twitter hired decent engineers though? This all reads like he was the first guy to pop in with any industry software experience.
posted by The_Vegetables at 10:59 AM on August 24, 2022 [1 favorite]


If the CTO is dead set against reforms, all Security can do is tell the CEO, Board, and outside regulators/government. The CTO has to want to make these kinds of changes.
posted by ryanrs at 12:27 PM on August 24, 2022 [3 favorites]


IDK, defining segregation of duties and sending an occasional email about having an SDLC is free. When you have 500k servers, setting up a few to be for testing and dev is a rounding error. Heck, they probably have a bunch that aren't even allocated, so that's free too.
posted by The_Vegetables at 1:45 PM on August 24, 2022


It can simultaneously be true that this is very bad for Twitter as a company, and that it doesn't help Elon Musk's case very much.

It can be and frankly it's my ideal scenario. "Wow, Twitter is a truly shitty company that's in a lot of legal trouble and likely to lose giant buckets of money! Elon, you have to buy it."
posted by nickmark at 5:24 PM on August 24, 2022 [4 favorites]


Whoa, I just realized that Twitter was Agrawal's first job. Maybe he doesn't realize Twitter's software culture is totally fucked because it's all he's ever known?

He finished his PhD, did a couple research internships, then started as an engineer at Twitter.
posted by ryanrs at 7:54 PM on August 24, 2022 [1 favorite]


Whoa, I just realized that Twitter was Agrawal's first job. Maybe he doesn't realize Twitter's software culture is totally fucked because it's all he's ever known?

Very interesting in the context of, "look, this guy is more of an old school hacker and maybe a bit out of step with how software gets built and operated at a modern massive SV company" when the so-called Adult in the Room, serious SV guy is actually the one with the narrow experience and *not* Mudge.
posted by atrazine at 1:14 AM on August 25, 2022 [2 favorites]


WHOA DANG, I did not know this!

I'm just gonna leave this here (open-access version). It's mostly about undergrads, but hints strongly that things are not much better, engineering-wise, on the graduate level in CS.
posted by humbug at 5:47 AM on August 25, 2022


I don't know - was remediation part of his remit? I've been in a lot of Silicon Valley startups, at varying points in their lifecycle...when you take a job that is basically plugging up holes in the Swiss cheese, there's a certain amount of responsibility/accountability you accept. At Mudge's level, saying "I told the bosses and they didn't listen" seems...fishy? A cop out? I don't know, this is very interesting in terms of how it's playing out. Not passing the smell test, but then again, I'm not a huge fan of Dorsey to begin with - I wouldn't doubt that Twitter isn't very interested in security and privacy, just presenting the best picture for investors to keep the company in business and making that sweet, sweet money.
posted by Chuffy at 10:11 AM on August 25, 2022


Metafilter: posting just to quote our own fifteen-year-old hot take.

Yeah, sorry about that. My real point is that I knew Twitter was going to be bad news when I first saw it and that it was going to do bad things to our culture and public discourse, and, well... *waves hands at the last 6+ years despondently*

The ironic thing is that I'm also displaying and succumbing to Twitter's own dumb hyper-microblog soundbite culture.
posted by loquacious at 12:32 PM on August 25, 2022 [2 favorites]


> ryanrs: "Whoa, I just realized that Twitter was Agrawal's first job."

Holy cow, I didn't realize this either. He finished his PhD and joined Twitter as a software engineer around 2011/2012 and somehow 6 years later he's the CTO. That seems... fast. I'm not exactly sure what happened here.
posted by mhum at 1:26 PM on August 25, 2022


According to this profile that I just Googled that was written when he became CEO:
Agrawal started out working on the company’s advertising team. In addition to integrating machine learning technology, Agrawal also improved the platform’s algorithms to make more relevant tweets appear in users’ timelines, CNBC previously reported.

His success as an engineer helped spur audience growth at Twitter, according to his bio, and made him a rising star at the company long before taking over for Dorsey.
So people in the company associated Twitter's growth with his algorithm changes, and that sent him up the company ladder, I guess? Presumably he was good at talking about how his changes helped Twitter, too.
posted by clawsoon at 2:14 PM on August 25, 2022


About that machine learning technology:

Intellectual Property: While several of Twitter's representations and warranties are untrue, in particular note that the "intellectual property" statements are egregious lies. In fact, Twitter senior leadership have known for years that the company has never held proper licenses to the data sets and/or software used to build some of the key Machine Learning models used to run the service. Litigation by the true owners of the relevant IP could force Twitter to pay massive monetary damages, and/or obtain an injunction putting an end to Twitter's entire Responsible Machine Learning program and all products derived from it. Either of these scenarios would constitute a "Material Adverse Effect" on the company.

from the disclosure PDF (ctrl+F "license")
posted by ryanrs at 2:53 PM on August 25, 2022 [1 favorite]


Does it say who those "true owners" are, or will this send the places that Agrawal worked at during his doctorate ("AT&T Labs, Microsoft and Yahoo") digging?
posted by clawsoon at 3:10 PM on August 25, 2022


Yahoo would be funniest, not least because their private equity owners would take Twitter for all it's worth.
posted by ryanrs at 3:45 PM on August 25, 2022 [2 favorites]


The Department of Homeland Security is now officially interested
posted by Nelson at 4:45 PM on August 26, 2022 [1 favorite]


Oops, small correction; that letter is from the congressional Committee on Homeland Security, not the DHS in the executive branch.
posted by Nelson at 5:24 PM on August 26, 2022 [1 favorite]


The New Yorker: The Search for Dirt on the Twitter Whistle-Blower

Many of Peiter (Mudge) Zatko’s former colleagues have received offers of payment for information about him.
posted by ryanrs at 3:03 PM on September 13, 2022 [2 favorites]


The New Yorker: The Search for Dirt on the Twitter Whistle-Blower
“motives for his whistle-blower complaint and any similar past complaints,” his “need for attention,” and whether he was a “zealot or ideologue,” “conspiratorial,” or “vengeful.”
Ah, yes, the full range of motivations for being a whistleblower.
posted by clawsoon at 4:13 PM on September 13, 2022 [1 favorite]


lol some asshole is paying thousands of dollars to get told "yeah, no, he's completely credible. you are so fucked."
posted by ryanrs at 5:29 PM on September 13, 2022

