Zatko further claimed that Twitter does not have a full-scale development or test environment for experimenting with new features and system upgrades before launching them in live production software. As a result, Zatko said, engineers worked with live systems and would “test directly on commercial services, resulting in periodic service outages.” Half of Twitter’s employees had access to real-time production systems and user data without the monitoring that would be needed to catch rogue behavior or track unwanted activity, the documents said. Zatko’s complaint said Twitter had about 11,000 employees. Twitter said it currently has about 7,000 employees.
These poor security practices explain Twitter’s record of security incidents, data breaches and dangerous user account takeovers, the complaint said.
“We are reviewing the redacted statement that has been published,” Twitter CEO Parag Agrawal wrote in a message to Twitter staff this morning. “We will do everything in our power to defend our integrity as a company and get the facts straight.”
Twitter said all employees’ computers are centrally managed, and its IT department can force updates or impose access restrictions if updates are not installed. The company also said that before a computer can connect to a production system, it must pass checks to ensure its software is up-to-date and that only employees with a “business reason” can access the production environment for “specific purposes.”
Al Sutton, co-founder and CTO of Snapp Automotive, who was a software engineer at Twitter from August 2020 to February 2021, noted in a tweet on Tuesday that Twitter had never removed him from the employee GitHub group, which can submit software changes to code the company manages on the development platform. Sutton had access to private repositories for 18 months after being fired from the company. The evidence he posted showed that Twitter uses GitHub not only for public, open source work but also for internal projects. Within about three hours of posting about the access, Sutton reported that it had been revoked.
“I think Twitter’s statement about Mudge is pretty casual, so I thought a verifiable example might be useful to people,” he told WIRED. When asked if Zatko’s allegations were related to his own experience at Twitter, Sutton added: “I think the best way to say it is that I have no reason to doubt his claims.”
Security engineers and researchers stress that while there are different approaches to securing production environments, conceptual problems arise if employees have broad access to user data and deployed code without extensive logging. Some organizations take a substantially restricted-access approach, while others use a combination of broader access and continuous monitoring, but either option requires a conscious choice by the company to invest significantly. For example, after the Chinese government hacked Google in 2010, the company went all in on the former method.
“It’s actually not uncommon for companies to have relatively lax policies on allowing engineers to access production systems, but when they do, they document everything very, very strictly,” said Perry Metzger, managing partner at the consulting firm Metzger, Dowdeswell & Co. “Mudge has a great reputation, but they could say he is completely incompetent. The simple thing they could do is provide the technical details of the logging system they use for engineers accessing production systems. But what Mudge is portraying is a culture where people would rather cover things up and are reluctant to fix things, and that’s what’s disturbing.”
Zatko and Whistleblower Aid, the nonprofit legal group that represents him, said they stood by the document released on Tuesday. “Twitter has a huge impact on the lives of hundreds of millions of people around the world, and it has a fundamental obligation to its users and governments to provide a safe and reliable platform,” Libby Liu, CEO of Whistleblower Aid, said in a statement.
For now, though, the allegations have raised a serious set of concerns that seem unlikely to be quickly explained or fully resolved.