by Maursault 1382 days ago
> If Zatko can make a compelling case that Twitter is horribly bad

I don't doubt his accusations. However, the same could be said for nearly everywhere there is a network. Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security. IOW, Twitter's crappy security is not remotely exceptional, because nearly every business with a computer is bad. There are businesses with decent computer, network and information security, but even in those places, tight as a drum, a disgruntled employee could wreak havoc, and I'd be really surprised if Mudge and most of HN weren't aware of this.

Things usually go bad for whistleblowers. It is a shame, but most often it doesn't work out for them. They make movies about the successful whistleblowers, but the unsuccessful are buried. It would have been different had Mudge stepped forward prior to termination, as he would have been able to avail himself of Federal whistleblower protections. I don't think it matters to his credibility, but that this is exactly what Musk wanted to hear is a little, tiny bit suspicious to me. What could Mudge gain from this other than saving face (which really isn't worth much)? What Musk did to Twitter is clearly unethical; as much as I respect him for his successes, it seems obvious his behavior regarding Twitter is irresponsible, and many innocent lives and their wallets are being adversely affected. The SEC should look really hard at all this before choosing not to act, because he has manipulated markets for his personal benefit before and got a slap on the wrist.


> Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security.

There are not a million businesses under FTC consent decrees because of past security breaches.

(Perhaps an argument could be made that there should be, if that's the only way for there to be consequences.)

If Mudge is telling the truth, Twitter has been lying to regulators and is in violation of the consent decree. That would be a lot more serious than just being shit at infosec. It's the difference between getting arrested for your first DUI, or your eighth.

If this were true there would be a crystal clear, precise account of the violation by now and the stock would be trading much lower.

I think pages 2-8 of his whistleblower report (the executive summary) are pretty clear and precise. If anyone commenting on this thread hasn't read his report already—the actual report, not just stories about it in the press—I would strongly encourage them to do so.

The wheels of justice move slowly. Wall Street may be betting on the FTC being slow to take action, or not taking action due to political pressure, limited resources, etc. I don't think just looking at Twitter's stock price is a fair way to evaluate the truthfulness of Mudge's claims.

I just tried to search for it, not with much effort to be honest, but man, is internet search a dumpster fire by now. Results, searching for the actual report filed by Mudge, were news coverage from all kinds of sources, ads for whistleblower training, answers to the question of what a whistleblower is, and news coverage of the hearing without any details or links to the actual report. So take my comment with that in mind.

Mudge claims that Twitter had no way to identify foreign intel agents and get rid of them by themselves. Heck, that is quite a statement. No company actually has that capability in house to do it systematically. Even security-sensitive civilian jobs rely on authorities to do just that during security clearance checks. Even intelligence agencies need dedicated counter-intel operations to do that, and those fail regularly. Not sure what the other claims are, but from news coverage, the fact that data access is not tracked by user is a serious problem, so I agree.

Expecting a non-security-relevant employer to prevent infiltration by foreign state actors is way too much to expect, IMHO. That would have been a job for, e.g., the FBI to decide that Twitter is important enough to make it security relevant and put a program with Twitter in place to prevent infiltration. Or not, in case US three-letter agencies have their own agents in place. If Twitter knowingly hired foreign agents, that would be something different and quite stupid and dangerous.

EDIT: Coming to think of it. Why would it be up to Twitter to decide what to do about a foreign spy in their workforce? Wouldn't US counter intel take the lead in that? And just maybe Twitter firing the person isn't actually in the US best interest...

It was not THAT hard to find?

The first result for "mudge whistleblower report pdf" was https://s3.documentcloud.org/documents/22186683/twitter-whis...

But not being able to verify the source I looked at articles and the WaPo one had the document linked in this article:

https://www.washingtonpost.com/technology/interactive/2022/t...

"Particular episodes of fraud and deliberate efforts to mislead include,

d. Agrawal terminated Mudge"

Read it a few times already. Staggered that 50% of it is total and utter garbage.

His accusations include “Twitter was dismissive when informed about foreign nation spies in their ranks”. That’s not comparable to “any business that uses computers”.

Any business at scale has that issue.

Because I do not believe in the almighty influence of Twitter, I honestly don't understand why it would matter if one or a hundred Chinese spies worked for Twitter, because Twitter employees don't create Twitter content; users do. And I think Twitter content was recently declassified by former President Trump, so where is the danger? What is China's strategic benefit in learning these[1] things?

[1] https://en.wikipedia.org/wiki/List_of_most-liked_tweets

Twitter has controversial moderation policies. It also has some sort of machine-executed algorithm for selecting which tweets to show to each user, and in what order.

Both of these mechanisms could be used to promote or suppress specific topics/stories.

Many people, including a very large number of journalists, use Twitter as a news source.

Taken together, I can absolutely see why nation state actors would want to exert control over Twitter.

Spies can find the IRL identities of otherwise anonymous dissident accounts, for one. I've read stories about Chinese students in the USA being confronted with their post history by govt agents despite impeccable opsec.

This isn't complete without mentioning that there is a HUGE percentage share of SEC fines, if successful, for the whistleblower. Individuals have made off with 10-figure payments of public money in the past through the program.

> Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security.

Why should a $30B cap tech company with the power to influence elections be held to the same standards as "never heard of" businesses?

> with the power to influence elections

23% of Americans claim to use Twitter. 61% of Americans voted in the last Presidential election. So Twitter's influence, if it exists, could only be over 14% of weak-minded Americans. That's at best, if every one of those 14% was really a Twitter user and was actually bamboozled into changing their vote.

The reality is that most Twitter users are not obsessed with the platform, and most Americans are not on the fence with their votes. The premise that Twitter has the power to influence elections is false.

Among other flaws in this comment, like the assumption that Twitter has no indirect effects on people who aren't active Twitter users, or ignoring the fact that one of the candidates in the last election was a huge Twitter user, is the surprising assumption that the 61% and 23% are totally uncorrelated.

Ignoring, for the moment, the vast research showing that fake news spread on Twitter correlates with voting intentions, there are more direct ways of showing immediate election influence: the number of candidates who have withdrawn from elections after something happened on Twitter.

[1] is a recent example. To quote:

> Leading Florida Democrats are walking back their endorsement of Naomi Blemur after past Facebook posts showed the Agriculture Commissioner candidate calling abortion a sin and promoting or defending anti-gay comments.

> Screenshots shared on Twitter showed a history of social media comments that some Democrats are calling “anti-choice” and “homophobic.” Prominent Democrats began retracting their endorsements or denouncing Blemur after her post history came to light.

To say that Twitter has no power to influence elections is demonstrably false when information shared on Twitter led directly to endorsements being withdrawn.

[1] https://floridapolitics.com/archives/544897-democrats-rescin...

You are confusing the information with Twitter's allegedly having vast influence. It is incidental what actual facts were broadcast on Twitter, as they could just as easily have been broadcast on classic media. It isn't Twitter that is influential, it is the information.

> It is incidental what actual facts were broadcast on Twitter, as they could just as easily have been broadcast on classic media.

What social media platform has "vast influence" whose content couldn't "just as easily have been broadcast on classic media"?

Really, it doesn't matter if something could have been broadcast on classic media, what matters is where the people's attention is focused. What they see will influence them, and what they see will be controlled by the platform they are paying attention to, which means whatever platform that is has influence.

Platforms use this influence all the time. They promote certain content over others in exchange for money for example. A platform everyone reads can spread a lie more effectively than a million websites no one is paying attention to can spread the truth. Your attention matters so much to these companies for a reason.

To expand on this point, 18% of US voters say they get their political information from social media[1]. Even ignoring Twitters influence outside this group (which is significant because most journalists and politicians use it) it is pretty difficult to make the case that 18% of the voting public is insignificant.

[1] https://www.pewresearch.org/journalism/2020/07/30/americans-...

Oh, so it's the "no true Scotsman" argument?

It's not influence if it's actual facts? Even if they hadn't been exposed via other methods?

> Oh, so it's the "no true Scotsman" argument? It's not influence if it's actual facts? Even if they hadn't been exposed via other methods?

No, and your explanation does not describe a no true Scotsman fallacy.

Your previous comment, beyond confusing the effect news can have with Twitter's alleged influence, also employs a post hoc fallacy. Your most recent comment is both a non sequitur and a straw man fallacy.

What percentage of journalists use Twitter? If it’s 100%, as I suspect, then it doesn’t matter if only some small proportion of users are experiencing viral information on the platform, because journalists are essentially superspreaders, who in my estimation are just as, if not more, susceptible to misinformation than the average person.

At best 23% of Americans, i.e., all Twitter users, voted.

But only 60% voted in the last election, more than ever before. If 100% voted, we could assume all 23% would vote. Usually only about 50% ever vote in any US election, so I was giving the benefit of the doubt that voting numbers would remain high. 60% of 23% is 14%.

Statistics do not work that way. You can't simply assume being on Twitter and voting are uncorrelated.

I can draw Venn diagrams to make the same point.
> Twitter's crappy security is not remotely exceptional

Uh, no. If Mudge's accusations are true, that would speak to exceptionally bad security. Not compared to Joe's Diner around the corner, but certainly for a major player in the tech market.

> that would speak to exceptionally bad security.

The accusations were not exactly specific. You're splitting hairs.

IT doesn't generate revenue. Often for this reason, at many large corporate locations, IT departments are spread critically thin, many far thinner than Twitter, which has money to afford experts like Mudge. These companies aren't sexy so they're never ever in the news and they're not on anyone's radar. Any idea how many Windows Server 2012 installations are still in production? Or how many corporate networks are entirely made of Windows 7? Far too many. The state of security in general across the entire American corporate landscape is shit, and even places that don't get compromised, like NSA, still get compromised.

In July, Twitter experienced a global outage of ~45 minutes, the longest global outage in years. If Twitter was some shocking, never-before-seen level of insecure, it wouldn't have been 45 minutes, and there'd be a lot more of them.

btw, I hate Twitter, Facebook, LinkedIn, et al., and passionately, but it's just not credible to claim that Twitter is the worst of the worst in security, because there is an astounding number of corporations with no security to speak of, like, no IT department, none. "It's something one of the drivers handles for us. He's a real wiz." That kind of thing. At least Twitter not only has an IT department, but also has security personnel. I think if anyone scrutinized, say, Yahoo, they'd find the same thing.

> The accusations were not exactly specific. You're splitting hairs.

Have you read Mudge's actual whistleblower report, rather than just media articles about it? It doesn't go into extreme detail (at least in the unredacted parts), but there are plenty of specifics.

> In July, Twitter experienced a global outage of ~45 minutes, the longest outage global outage in years. If Twitter was some shocking, never before seen level of insecure, it wouldn't have been 45 minutes, and there'd be a lot more of them.

You seem to be conflating security with availability. There are plenty of ways to be insecure (many of them detailed in the report) that have no effect on availability.

Yahoo has previously been found to have abysmal security and was pretty much forced kicking and screaming into taking it seriously.

Maybe Yahoo was a poor example. Substitute instead... idk, Airbnb, DoorDash, or Domino's. I have no specific knowledge that there is slack there, but having contracted in IT in a number of large and global enterprises, lack of security and lack of security concern were all too common, and it stood out more in places that worked with and kept clients' financial information "on file."

From my original post: "for a major player in the tech market". Where IT isn't just a cost center.

AirBnB and DoorDash are Internet companies, just like Twitter. I wouldn't even consider Twitter "a major player in the tech market." Apple, Amazon, Google, Dell, Microsoft, IBM, Tesla, Nvidia, Samsung etc., are tech companies, but not Twitter or Netflix. What technology is Twitter secretly working on?

The worst thing for Twitter isn't the abysmal security, it's the lies about the security issues. They promised the DOJ+FTC that they would fix privacy issues, which they instead ignored and left unguarded and unlogged.

That and letting suspected government-employees from various countries have nearly-unrestricted dev access.

It's also going to destroy Agrawal and Dorsey. Dorsey was apparently having a mental breakdown and Agrawal seems dishonest and vindictive.

Musk unethical? For playing hardball in negotiations? It was pretty obvious that Twitter was built out of sand and had a financial motivation to be lying about the efficacy of their ads (and thus validity of "eyeballs").

> Musk unethical? For playing hardball in negotiations?

No. The ethical question relates to whether he was acting in good faith in the first place, and then again for breaking his word, which if the first part is true and he wasn't ever acting in good faith, then his stated intentions were never honest. But it's tough to say whether he was acting in good faith or not because he was so enthusiastic about the deal for months. But it's also hard to believe he wasn't already aware of his final grievances long before he announced his intention to buy. He made it seem like a whim, but is it really likely he is foolish enough to subject himself and an entire company and all the employees and shareholders to his fickle whims? If he wanted to hurt Twitter, for whatever his reasons may be, he should have done everything he did exactly the way he did it. Because regardless of whether he was acting in good faith, he took Twitter for a ride. I have heard of narcissists doing similar destruction to their victims, but I have never seen such a long and complicated game to cause pain except in novels or films. It is almost like he was exacting revenge, but revenge for what? Well, maybe nothing, which is textbook toxic narcissism, the absence of empathy, caring about nothing but one's own personal interests, which could be whims. It's late, I'm babbling.

Fwiw, it’s not much fun when a thread is bombarded with only a small number of users repeatedly replying to a wide number of users. At some point, we understand your views. Apologies, this is not meant as a personal attack.

The price he quoted was for how Twitter billed itself - # of users, in compliance with the FTC, etc. As it becomes clear that they aren't all that, their value naturally goes down.

It would be wrong if Musk tried to get out of the purchase simply because the market has moved since his offer, but that's not what happened. This is Twitter's malfeasance: they reported untrue things (and failed to report other true things) to the SEC and therefore to stockholders.

What ride, except fact-checking their statements, did he take them on? And to be fair, didn't they put themselves on that ride in the first place?

Well, no, because there's still no evidence that Twitter has lied in any of its filings, and because Musk intentionally waived due diligence which is the traditional way for a purchasing company to verify the actual state of the company it is buying.

If, and only if, it turns out that Mudge's claims cause FTC action that would be severe enough to be defined as a material adverse effect, Musk may have some grounds to back out or reduce the price. But that's not yet clear.

Remember, Twitter didn't want to be purchased. This was a hostile takeover, achieved by Musk going to Twitter's shareholders with an offer attractive enough that they were not going to refuse, forcing the board into accepting the offer. He then signed a binding offer and in his haste to force the deal waived due diligence.

There is no proof, sure. The whistleblower's report is fairly compelling evidence.

Twitter is its shareholders, not its managers.

I imagine it's the lawsuits that this will spawn which will justify backing out or significantly reducing the price. Users whose data was not properly kept, users whose governments (and maybe others) got to spy on them, ad buyers who were promised a certain number and class of viewers, shareholders upset about these things, etc.

The bar required by the courts to justify backing out from or substantially altering a binding offer is quite rightly a high one, and the possibility of lawsuits alone will probably not be sufficient.

There's no indication that ad buyers were misled, because neither Musk nor Mudge have shown any evidence that Twitter's mDAU claim or method in its FTC filings was either falsely stated or intentionally wrong.