Twitter Whistleblower Peiter 'Mudge' Zatko Testifies To Congress
Just before shareholders voted to approve a $44 billion deal with Elon Musk to buy the company, Twitter whistleblower Peiter Zatko was in Washington testifying before the Senate Judiciary Committee about alleged security flaws. NPR highlights the main takeaways from the hearing: Twitter executives put profits ahead of security, leaving the door open to infiltration by foreign agents and hackers, the company's former head of security told Congress on Tuesday. "Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Peiter Zatko testified during a Senate Judiciary Committee hearing. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people." [...] In Tuesday's hearing, which ran for more than two hours, Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects. Calm and measured, he stuck closely to his expertise, unpacking technical details of Twitter's systems with real-world examples of how information held by the company could be misused. "It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room," he warned. Zatko alleged the company is highly vulnerable to abuse by foreign intelligence agents -- but is unable or unwilling to root them out. A week before his firing in January, he testified, the FBI told Twitter's security team that at least one agent from China's Ministry of State Security was on the company's payroll. [...] Zatko also alleged that the Indian government had placed an agent inside Twitter. He testified that Twitter struggled to identify potential infiltration by foreign agents and typically was only able to do so when notified by outside agencies. Zatko placed the blame for Twitter's vulnerabilities squarely on a leadership team that he described as reactive, incompetent, and motivated by profit over safety.
Executives, he alleged, ignored warnings from him and other employees over Twitter's security flaws because they "lacked the competency to understand the scope of the problem." Zatko described a company culture that avoided negativity and alleged executives presented selectively favorable information to the board. He accused leadership of prioritizing business over security, quoting writer Upton Sinclair: "It is difficult to get someone to understand something when his salary depends on him not understanding something." When Zatko joined Twitter, he said, he was struck that the company kept having recurring security lapses -- "the same amount, year after year." The root cause, he told senators, is that Twitter doesn't understand how much data it collects, why it collects it, and how it's supposed to be used. That includes users' phone numbers, IP addresses, emails, the devices they use, their locations and other identifying information. What's more, he said, around half the employees at Twitter have access to that data. "It doesn't matter who has keys if you don't have any locks on the doors," he said. "The concern there is anybody with access inside Twitter...could go rooting through and find this information and use it for their own purposes." Zatko said that also raised red flags that Twitter may not be complying with its 2011 agreement with the FTC over misuse of email addresses that it told users it was collecting for security reasons, but then used for marketing. (In May, the FTC fined Twitter $150 million for violating that agreement.) "How come we keep making these same mistakes?" Zatko said. "What is it that we are telling the FTC as Twitter that is incorrect?"