More On The Twitter Whistleblower
On Thursday, I posted on the wide-ranging allegations by a Twitter whistleblower, its former head of security Peiter “Mudge” Zatko, that alleged numerous risks to the company's business continuity, as well as that CEO Parag Agrawal concealed these issues from the company's board, when current standards of corporate governance clearly establish that the board should have been notified of them. Via Instapundit, here's an update:
According to the whistleblower report, one consequence of these and many other poor practices was a nearly constant stream of security breaches, with serious incidents occurring almost weekly throughout 2020. One such breach made headlines when a group of teenagers hijacked several major accounts, including those of former President Barack Obama, future Twitter CEO Elon Musk, Apple, and Uber, and used them to solicit transfers of bitcoin. The teen hackers’ level of access was “enough to achieve 'God Mode,' where the teenagers could imposter-tweet from any account they wanted,” the report explains. “Twitter's solution was to impose a system-wide shutdown of system access to all of its employees, lasting days. For about a month, hiring was paused and the company essentially shut down many basic operations to diagnose the symptoms, not the causes, of the hack.”
Elsewhere,As one report to Twitter’s Board of Directors put it: “Every new employee has access to data they do not need to have access to.” Presumably that included employees known by Twitter to be agents of the Indian and Chinese governments, of which there were several.
. . . Mudge recalled one Twitter executive’s reaction to the discovery of a foreign agent: “Well since we have one, what does it matter if we have more?”
In my own experience, raising data security issues with managers can certainly result in grumbling and resistance, but eventually common sense wins out, even if the messenger isn't necessarily popular. The impression I have here is that the lunatics were running the asylum, and the issue isn't so much Schadenfreude as it is how this could have happened. And this in turn applies to two regimes, the one pre-Musk and the current one, in which Musk was forced to buy the company when he pretty clearly hadn't done due diligence.As for Twitter pre-Musk, there's an intriguing reference in a mea culpa that Jack Dorsey released this past Monday:
I’ll start with the principles I’ve come to believe. . . . The Twitter when I led it and the Twitter of today do not meet any of these principles. This is my fault alone, as I completely gave up pushing for them when an activist entered our stock in 2020. I no longer had hope of achieving any of it as a public company with no defense mechanisms (lack of dual-class shares being a key one). I planned my exit at that moment knowing I was no longer right for the company.
So it sounds like Jack Dorsey himself knew he was in the wrong job for maybe 18 months, but he did little or nothing to leave it until Musk broke in with a deal that was so insanely generous to Twitter shareholders that they had absolutely no choice but to accept it. Who was the "activist" who "entered our stock in 2020" and somehow changed everything? Sounds like there's a story here, huh? But whoever was running things on the board after that, and it wasn't Dorsey, clearly set up an environment where he or she didn't want any bad news, and the managers, including Dorsey himself, obliged. The takeover by Musk was clearly the best of a whole range of horrible outcomes, good for the board but bad for Musk.Here's the sort of problem that Musk inherited:
[A] series of cascading datacenter problems did put Twitter at risk of “permanent irreparable failure,” and was only prevented by the herculean efforts of a team of Twitter engineers. Every account, every bit of code, every tweet, like, retweet, quote-tweet, DM—everything that constitutes the company, platform, and community known as Twitter—was nearly lost forever during this incident. A key piece of the global information system, poof, gone, and with no way to bring it back. A multibillion-dollar company obliterated in an instant, the biggest 404 error in history, caused not by hackers, but by incredible negligence.
. . . After Agrawal took over as CEO in November 2021, Mudge alleges that prior to his first Board meeting as company chief, Agrawal planned to mislead the Board on a number of security and compliance issues, and required convincing not to do so. And in advance of a meeting with the Board’s Risk Committee, Agrawal announced his plans to present misleading data yet again. This time neither Mudge nor other concerned employees were able to stop him, but after Mudge noted that the events of the meeting could constitute fraud, Twitter’s Audit Committee investigated and ultimately agreed. Mudge began working on a report to correct the record with the Board, but Agrawal fired him the next day.
In other words, although Musk, having neglected due diligence at the time of his April offer to buy Twitter, tried to backtrack on it throughout the spring and summer over ostensible concerns about which accounts were bots, there were in fact clear instances of fraud in the company's operation already recognized by the board's audit committee. It appears that not only had Mudge written a whistleblower report that should have been avilable to Musk's staff, but he'd publicly testified about these issues before Congress. Where were Musk's legal and financial advisers? Not much smarter than the Twits, it would seem.One big problem with the whole Musk-Twitter story is that he conventional wisdom is focusing on a censorship-free speech issue, when the reality is that it looks like Musk walked into a corporate problem much closer to FTX, which he isn't competent to fix. Indeed, he's struggling with just the free speech problem:
I think Bari Weiss gets to the heart of it: Musk is a creature of his own whims, and with Twitter, he's hit a major set of corporate problems he isn't remotely equipped to handle. Among other things, he might want to consider rehiring Mudge -- but of course, only after actually reviewing the circumstances and thinking things through.The old regime at Twitter governed by its own whims and biases and it sure looks like the new regime has the same problem. I oppose it in both cases. And I think those journalists who were reporting on a story of public importance should be reinstated.
— Bari Weiss (@bariweiss) December 16, 2022