Former Twitter cybersecurity leader turns whistleblower

Mudge blasts insecure production environment, flimsy server infrastructure

Twitter’s former security lead Peiter "Mudge" Zatko has turned whistleblower. In a series of allegations made public this week by CNN, he claims that the company is unable to properly secure its porous production environment, that its server infrastructure lacks resilience, and that Twitter’s CEO undermined his attempts to fully disclose to the company’s board troubling vulnerabilities that could potentially pose a national security risk.

The legendary former hacker was hired on November 16, 2020 and reported directly to Twitter’s CEO Parag Agrawal. Agrawal fired him on January 19, 2022. Twitter’s then-CISO, the respected Rinki Sethi, left the same week, something that did not go unnoticed by the security community. (As Jake Williams said at the time: “Zatko and Sethi are two of the most sought-after security leaders in the entire cybersecurity industry. That any organization was ever lucky enough to have them at the same time was itself significant. To hear that they are both leaving the organization in what almost certainly are related circumstances should be concerning for anyone.”)

Zatko made the allegations in a 200-page disclosure, which he sent to the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice among other entities in July.

https://twitter.com/MalwareTechBlog/status/1562099775142383616

He was hired to help patch up Twitter’s security after the high-profile July 2020 breach in which the accounts of Bill Gates, Barack Obama, Elon Musk, Apple and others were hijacked to promote a cryptocurrency scam.

Twitter has disputed the claims, telling CNN that Zatko was “fired from his senior executive role at Twitter for poor performance and ineffective leadership”. A spokesperson told the broadcaster that “what we've seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context”, even as the company admitted it hadn’t “had access to the specific allegations being referenced”. (“It's all rubbish! All those claims he's made that we haven't seen!”)

As CNN notes, the documents allege that “too many of its [Twitter’s] staff [have] access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service”. The company’s executive team is also alleged to have instructed Zatko to “provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide... the company's problems.”

CNN’s full write-up is here.

The Stack is aware from our regular conversations with CISOs and other security leaders that presenting sometimes unpalatable home truths can be one of the most challenging parts of the job.

We’d be interested in hearing views on how to best manage such complexities of executive or board-level security reporting, on or off the record. Get in touch with founder Ed Targett by email or Signal.