[dpifke]

Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security.

There are not a million businesses under FTC consent decrees because of past security breaches.

(Perhaps an argument could be made that there should be, if that's the only way for there to be consequences.)

If Mudge is telling the truth, Twitter has been lying to regulators and is in violation of the consent decree. That would be a lot more serious than just being shit at infosec. It's the difference between getting arrested for your first DUI, or your eighth.

[enos_feedler]

If this was true there would be a crystal clear, precise account of the violation by now and the stock would be trading much lower.

[dpifke]

I think pages 2-8 of his whistleblower report (the executive summary) are pretty clear and precise. If anyone commenting on this thread hasn't read his report already—the actual report, not just stories about it in the press—I would strongly encourage them to do so.

The wheels of justice move slowly. Wall Street may be betting on the FTC being slow to take action, or not taking action due to political pressure, limited resources, etc. I don't think just looking at Twitter's stock price is a fair way to evaluate the truthfulness of Mudge's claims.

[hef19898]

I just tried to search for it, not with touch effort to be honest, but man is internet search a dumpster fire by now. Results, searching for the actual report filled by Mudge, were news coverage from all kinds of sources, ads for whistleblower training, answers to the question what a Whistleblower is and news coverage of the hearing without any details or links to actual report. So take my comment with that in mind.

Mudge claims that twitter had no way to identify foreign intel agents and get rid of them by themselves. Heck, that is quite a statement. No company actually has that capability in house to do it systematically. Even security sensitive civilian jobs rely on authorities to do just that during security clearance checks. Even intelligence agencies need dedicated counter-intel operations to do that and those fail regularly. Not sure what the other claims are, from news coverage the fact that data access is not tracked by user is a serious problem so, I agree.

Expecting a non-security relevant employer to prevent infiltration by foreign state actors is way too much to expect so, IMHO. That would have been a job for the, e.g. FBI to decide that Twitter important enough to make it security relevant and put a program with Twitter in place to prevent infiltration. Or not, in case US three-letter agencies have their own agents in place. If Twitter knowingly hired foreign agents, that would be something different and quite stupid and dangerous.

EDIT: Coming to think of it. Why would it be up to Twitter to decide what to do about a foreign spy in their workforce? Wouldn't US counter intel take the lead in that? And just maybe Twitter firing the person isn't actually in the US best interest...

[porbelm]

It was not THAT hard to find?

The first result for "mudge whistleblower report pdf" was https://s3.documentcloud.org/documents/22186683/twitter-whis...

But not being able to verify the source I looked at articles and the WaPo one had the document linked in this article:

https://www.washingtonpost.com/technology/interactive/2022/t...

[hnburnsy]

https://s3.documentcloud.org/documents/22186683/twitter-whis...

[shapefrog]

"Particular episodes of fraud and deliberate efforts to mislead include,

d. Agrawal terminated Mudge"

Read it a few times already. Staggered that 50% of it is total and utter garbage.