> When the conversation concluded, management seized Alzabarah’s laptop, put him on administrative leave, and escorted him out of the building.
> At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI complaint, who arrived in a white SUV two hours later. Driving around Alzabarah’s neighborhood, the two men called “Foreign Official-1” — al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after midnight, the consul general called Alzabarah back and spoke with him for three minutes.
> Early the next morning, Alzabarah, his wife, and daughter boarded a plane for Saudi Arabia.
By cops I meant FBI/... And the way this is done is you notify the cops first and then coordinate with them if needed. It's not like Twitter learned about this 5 minutes before.
The FBI obviously doesn't enforce internal company policies. However, if the company has evidence that the employee is engaging in serious violations of the Computer Fraud and Abuse Act (CFAA) of 1986, or engaging in espionage for a foreign power, then the FBI might send agents to investigate.
Someone I know had been working for Twitter and they said they were blown away at the lack of internal protections built into the system. I guess it could be a goldmine of data for spies.
Not to defend the incompetent jerks who run Twitter or anything, but only a complete idiot would have ever trusted them with private or damaging information (including metadata such as locations). Twitter never made any reliable, verifiable guarantees about security or internal controls.
What I have found, as a technical person, is that things like metadata which are obvious to me may be unknown to most regular people. A person can be very smart and yet not know about how computers work, or how Silicon Valley works.
To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.
While you may be correct about criminal law, I'm certain this would impact their SOX compliance (https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act) and would put their ability to participate and operate in US securities markets in serious jeopardy.
The F.B.I. began monitoring the Twitter employees in 2014, according to the complaint. Investigators did not contact Twitter until the end of 2015, when they informed executives that the Saudi government was grooming employees to gain information about the company’s users.
[...]
During his employment at Twitter, Mr. Alzabarah had grown increasingly close to Saudi intelligence operatives, Western intelligence officials told executives. The operatives eventually persuaded Mr. Alzabarah to peer into the accounts of users they sought information on, including dissidents and activists who spoke against the crown, multiple people have told The Times.
Mr. Khashoggi’s online attackers were part of a broad effort dictated by Crown Prince Mohammed bin Salman and his close advisers to silence critics both inside Saudi Arabia and abroad. Hundreds of people work at a so-called troll farm in Riyadh to smother the voices of dissidents like Mr. Khashoggi. The vigorous push also appears to include the grooming — not previously reported — of a Saudi employee at Twitter whom Western intelligence officials suspected of spying on user accounts to help the Saudi leadership.
I wonder how many people are murdered each year due to communications platforms that haven't implemented end to end encryption for private user communications, since all these large platforms are easily infiltrated by agents of homicidal regimes.
Apple has access to the plaintext of pretty much every iMessage and the vast, vast majority of iOS users' photo libraries.
They are required to turn over data to the US federal authorities without a warrant (under FAA702), and they do this over 30,000 times per year per their own transparency report.
The mind reels. Can you imagine how much this is used for blackmail, extortion, coercion, parallel construction, etc?
iMessage's "end to end encryption" has a key escrow backdoor which sends your endpoint keys to Apple and is maintained for the FBI. It's more like "end-to-end-and-Apple encrypted".
It's "end to end encrypted" but then the device's private iMessage syncing keys ("Messages in iCloud") are included in an iCloud Backup, which is not end-to-end encrypted, backdooring the crypto. This means that Apple can decrypt the iMessages as they transit Apple's servers in realtime, using the device private keys you backed up (without e2e) the previous evening.
Even if you turn off the non-e2e iCloud Backup backdoor, your iMessages will still get compromised because it's on by default and all of the other people you iMessage with haven't turned it off.
iCloud Photos isn't end to end encrypted at all. It syncs every photo you take to Apple servers effectively unencrypted. Apple can see all of them, and so can the US government (without a warrant). Turning off iCloud is indeed an effective mitigation for this, which keeps your photos on-device.
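The point made in the comment above, that a key included in a backup the provider can read undoes the end-to-end property for every conversation that touches an opted-in device, is easier to see in a small model. The following is an added illustration, not code from the original thread and not Apple's protocol: a toy ECIES-style scheme (Diffie-Hellman over a deliberately tiny group with an HMAC keystream, insecure by construction) in which each user has one device key, the provider relays ciphertexts, and a `backup_not_e2e` setting means that user's device private key ends up in the provider's hands. The user names, settings and messages are constructed.

```python
"""Toy model of end-to-end messaging with device keys, and of what a provider
can read once a device's private key is included in a backup the provider
can decrypt. Constructed illustration only; this is not Apple's protocol."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman group over the Mersenne prime 2**127 - 1.
# Far too small for real use; chosen only so the example runs without
# third-party crypto libraries.
P = (1 << 127) - 1
G = 3


def keygen() -> tuple[int, int]:
    """Return a (private, public) device key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _derive(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def encrypt_to(recipient_pub: int, plaintext: bytes) -> dict:
    """ECIES-style: ephemeral DH against the recipient's device public key."""
    eph_priv, eph_pub = keygen()
    key = _derive(pow(recipient_pub, eph_priv, P))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return {"eph_pub": eph_pub, "ct": ct}


def decrypt_with(priv: int, msg: dict) -> bytes:
    """Only the holder of the recipient's device private key can do this."""
    key = _derive(pow(msg["eph_pub"], priv, P))
    return bytes(a ^ b for a, b in zip(msg["ct"], _keystream(key, len(msg["ct"]))))


@dataclass
class Provider:
    """What the service operator holds: a key directory, ciphertexts in
    transit, and any device private keys that arrived inside backups it can read."""
    directory: dict = field(default_factory=dict)  # user -> device public key
    transit: list = field(default_factory=list)     # (sender, recipient, msg)
    escrowed: dict = field(default_factory=dict)    # user -> device private key


def simulate(backup_settings: dict, conversations: list) -> set:
    """backup_settings maps user -> "off" | "backup_e2e" | "backup_not_e2e".
    Returns the (sender, recipient, plaintext) triples the provider can read."""
    provider = Provider()
    for user, setting in backup_settings.items():
        priv, pub = keygen()
        provider.directory[user] = pub
        if setting == "backup_not_e2e":
            # The device key rides along inside a backup the provider can decrypt.
            provider.escrowed[user] = priv
        # "backup_e2e" and "off" are modelled as opaque to the provider.
    for sender, recipient, text in conversations:
        msg = encrypt_to(provider.directory[recipient], text.encode())
        provider.transit.append((sender, recipient, msg))
    readable = set()
    for sender, recipient, msg in provider.transit:
        if recipient in provider.escrowed:
            pt = decrypt_with(provider.escrowed[recipient], msg)
            readable.add((sender, recipient, pt.decode()))
    return readable


def roundtrip_ok() -> bool:
    """Sanity check that the intended recipient can still decrypt."""
    priv, pub = keygen()
    return decrypt_with(priv, encrypt_to(pub, b"hello")) == b"hello"


if __name__ == "__main__":
    # Constructed scenario: Alice has backups off; Bob keeps the default
    # (non-e2e) backup; Carol has an e2e backup.
    exposed = simulate(
        {"alice": "off", "bob": "backup_not_e2e", "carol": "backup_e2e"},
        [("alice", "bob", "meet at 7"), ("bob", "alice", "ok"),
         ("alice", "carol", "see you")],
    )
    for triple in sorted(exposed):
        print("provider can read:", triple)
```

In the constructed scenario Alice has opted out, yet her message to Bob is readable by the provider because the copy encrypted to Bob's device is decryptable with Bob's escrowed key; Bob's reply to her and her message to Carol are not. The defender-side takeaway is that the confidentiality of a conversation is bounded by the weakest backup setting among its participants, not by the sender's own choices.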
Twitter or Facebook is one thing, but imagine the iCloud hacks (not the ones which exfiltrated porn, some apparently single actors using home connections) but those from nation states targeting individuals.
I'm sure the death toll is large and the harassment toll even higher.
> Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.
That's why the app that I'm writing now, started off as seriously tinfoil. In fact, I've had to [reluctantly] loosen some of the armor, in order to add a few features.
I won't say that it's Fort Knox, but it ain't gonna be easy to crack.
The demographics of its target user base are pretty paranoid, so I have to do my homework.
I am not at liberty to disclose the app, itself, but it uses many of my open-source contributions.
The backend is a modified version of my BAOBAB server[0], which was actually a "learning" project, for me, but it works quite nicely.
This is the Security document[1] for the generic BAOBAB server. The customization was to add support for a specific workflow that is designed for the app, itself, and the customization is proprietary, as is the source for the iOS app.
It's from my Settings bundle localization file, so the syntax is strange. These are all open-source. I did not write KeychainSwift, but I wrote everything else (I have control issues. I don't like using code that other people wrote, unless it's really good, absolutely necessary, and is something I completely trust). They should be easy to find on GitHub. They are all SPM modules.
The app, itself, is fairly large, at over 30 screens (it was a lot more, but I'm doing the "Thoreau" treatment -Simplify, simplify, simplify- to it). I have been working on it for over a year and a half.
> What the fuck?! Sooner we can decouple from that regime the better in my book.
"The Saudis, a despotic, murderous regime who... er, what's that? Gas prices are where? The Saudis, a heroic, brave people, living in a wonderful country with a deep culture of..."
"Yeah, hey, buddy, pal, MBS-o, think you could maybe squeak out a couple more MBPD? Elections coming up and... oh... really? Few hundred thousand, tops? Well, I guess, see what you can do... thanks!"
I find it super fascinating that this guy, as a strategic partner, is at the same time:
1) Completely out of his f---ing mind!
2) Indisputably important and in control.
3) Remarkably easy to please.
Now, sure, I could be wrong about any of these -- my sources of information are almost exclusively the US/EU press, which are not free of bias and might hold a globally minority definition of "truth."
But when you consider what's at stake, and which other famous defenders of Human Rights we're in bed with, I honestly can't understand why we (US/EU) are not working more actively with the most transparent one.
“Abouammo was arrested in Seattle, Washington, on Nov. 5, 2019, and made his initial federal court appearance in Seattle at 2:00 p.m. on Nov. 6, 2019” [1]. He is the one they left behind.
https://www.buzzfeednews.com/article/alexkantrowitz/how-saud...
Twitter basically let him walk out. Probably afraid of backlash in case they called the cops on him.