Twitter is making a major change to its organization after former security head Peiter "Mudge" Zatko accused the company of having lax security and bot problems. According to Reuters, Twitter is merging its health experience team, which is in charge of clamping down on misinformation and harmful content on the website, with its service team. The latter reviews profiles when they're reported and takes down spam accounts. Together, the combined group will be called Health Products and Services (HPS).
The group will be led by Ella Irwin, who joined the company in June and had previously worked for Amazon and Google. Reuters says Irwin sent a memo to staff members, telling them that HPS will "ruthlessly prioritize" its projects. "We need teams to focus on specific problems, working together as one team and no longer operating in silos," Irwin reportedly wrote.
In a statement sent to Reuters, a Twitter spokesperson said the reshuffling "reflects [the company's] continued commitment to prioritize, and focus [its] teams in pursuit of [its] goals." A source also told the news organization that the teams dealing with harmful and toxic content have had major staff departures recently. Merging these two teams may be the best way to ensure that all important roles are filled going forward.
This news comes on the heels of the revelation that Zatko filed a whistleblower complaint against his former employer. In it, he said Twitter has "extreme, egregious deficiencies" when it comes to security and that it prioritizes user growth over cleaning up spam. Shortly after The Washington Post reported on Zatko's complaint, which also raises concerns about national security, lawmakers from both sides of the aisle announced that they're looking into his claims.
In an email to employees, Twitter CEO Parag Agrawal defended the company and echoed its spokesperson's statement that Zatko's complaint is a "false narrative that is riddled with inconsistencies and inaccuracies." You can read the whole memo, obtained by Bloomberg, below:
"Team,
There are news reports outlining claims about Twitter’s privacy, security, and data protection practices that were made by Mudge Zatko, a former Twitter executive who was terminated in January 2022 for ineffective leadership and poor performance. We are reviewing the redacted claims that have been published, but what we’ve seen so far is a false narrative that is riddled with inconsistencies and inaccuracies, and presented without important context.
I know this is frustrating and confusing to read, given Mudge was accountable for many aspects of this work he is now inaccurately portraying more than six months after his termination. But none of this takes away from the important work you have done and continue to do to safeguard the privacy and security of our customers and their data. This year alone, we have meaningfully accelerated our progress through increased focus and incredible leadership from Lea Kissner, Damien Kieran, and Nick Caldwell. This work continues to be an important priority for us, and if you want to read more about our approach, you can find a summary here.
Given the spotlight on Twitter at the moment, we can assume that we will continue to see more headlines in the coming days – this will only make our work harder. I know that all of you take a lot of pride in the work we do together and in the values that guide us. We will pursue all paths to defend our integrity as a company and set the record straight.
See you all at #OneTeam tomorrow,
Parag"
Peiter "Mudge" Zatko, Twitter's former head of security, says the company has misled regulators about its security measures in his whistleblower complaint that was obtained by The Washington Post. In his complaint filed with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission, he accuses the company of violating the terms it had agreed to when it settled a privacy dispute with the FTC back in 2011. Twitter, he says, has "extreme, egregious deficiencies" when it comes to defending the website against attackers.
As part of that FTC settlement, Twitter had agreed to implement and monitor security safeguards to protect its users. However, Zatko says half of Twitter's servers are running out-of-date and vulnerable software and that thousands of employees still have wide-ranging internal access to core company software, which had previously led to huge breaches. If you'll recall, bad actors were able to commandeer the accounts of some of the most high-profile users on the website in 2020, including Barack Obama's and Elon Musk's, by targeting employees for their internal systems and tools using a social engineering attack.
It was after that incident that the company hired Zatko, who used to lead a program on detecting cyber espionage for DARPA, as head of security. He argues that security should be a bigger concern for the company, seeing as it has access to the email addresses and phone numbers of numerous public figures, including dissidents and activists whose lives may be in danger if they are doxxed.
The former security head wrote:
"Twitter is grossly negligent in several areas of information security. If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics."
In addition, Zatko has accused Twitter of prioritizing user growth over reducing spam by distributing bonuses tied to increasing the number of daily users. The company isn't giving out any bonuses directly tied to reducing spam on the website, the complaint said. Zatko also claims that he could not get a direct answer from Twitter regarding the true number of bots on the platform. Twitter has only been counting the bots that can view and click on ads since 2019, and in its SEC reports since then, its bot estimates have always been less than 5 percent.
Zatko wanted to know the actual number of bots across the platform, not just the monetizable ones. He cites a source who allegedly said that Twitter was wary of determining the real number of bots on the website, because it "would harm the image and valuation of the company." Indeed, his revelation could factor into Twitter's legal battle against Elon Musk after the executive started taking steps to back out of his $44 billion takeover. Musk accused Twitter of fraud for hiding the real number of fake accounts on the website and revealed that his analysts found a much higher bot count than Twitter claimed. As The Post notes, though, Zatko provided limited hard documentary evidence regarding spam and bots, so it remains unclear if it would help Musk's case.
When asked why he filed a whistleblower complaint — he's being represented by the nonprofit law firm Whistleblower Aid — Zatko replied that he "felt ethically bound" to do so as someone who works in cybersecurity. Twitter spokesperson Rebecca Hahn, however, denied that the company fails to make security a priority. "Security and privacy have long been top companywide priorities at Twitter," she said, adding that Zatko's allegations are "riddled with inaccuracies." She also said that Twitter fired Zatko after 15 months "for poor performance and leadership" and that he now "appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders."
In an essay published Friday on the whistleblower platform Lioness, former Microsoft manager Yasser Elabd alleged that Microsoft fired him after he alerted leadership to a workplace where employees, subcontractors and government operators regularly engaged in bribery. He further alleges that attempts to escalate his concerns resulted in retaliation within Microsoft by managers, and eventual termination from his role.
Elabd claims in his essay that he worked for Microsoft between 1998 and 2018, and had oversight into a "business investment fund" — essentially a slush fund to "cement longer-term deals" in the Mid-East and Africa. But he grew suspicious of unusual payments to seemingly unqualified partners. After examining several independent audits, he discovered what he believes is a common practice: After setting up a large sale to entities in the region, a "discount" would be baked in, only for the difference between the full-freight cost and discounted fee to be skimmed off and divided between the deal-makers.
“This decision maker on the customer side would send an email to Microsoft requesting a discount, which would be granted, but the end customer would pay the full fee anyway. The amount of the discount would then be distributed among the parties in cahoots: the Microsoft employee(s) involved in the scheme, the partner, and the decision maker at the purchasing entity—often a government official,” Elabd alleged.
The former Microsoft manager gave several examples of suspicious transactions and red flags he witnessed over his two decades working for the company abroad. In one audit, Microsoft gave the Saudi Ministry of the Interior a $13.6 million discount which never reached the agency’s doors. In 2015, a Nigerian official complained that the government paid $5.5 million for licenses "for hardware they did not possess."
In another example, Qatar’s Ministry of Education paid $9.5 million, over a period of seven years, for Microsoft Office and Windows licenses that went unused. Auditors later discovered that employees at that agency didn’t even have access to computers.
“We are committed to doing business in a responsible way and always encourage anyone to report anything they see that may violate the law, our policies, or our ethical standards,” Becky Lenaburg, a VP at Microsoft and deputy general counsel for compliance and ethics, wrote in a statement to The Verge. “We believe we’ve previously investigated these allegations, which are many years old, and addressed them. We cooperated with government agencies to resolve any concerns.”
Elabd claims his attempts to alert managers resulted in his being shouted at by one manager, iced out of certain deals and told by an executive that he had effectively set himself up to be let go after attempting to involve CEO Satya Nadella. After being terminated, Elabd wrote that he brought his documentation before the Securities and Exchange Commission and Department of Justice. He claims the DoJ refused to take up his case. According to Protocol, the SEC dropped the case earlier this month due to a lack of resources.
“As I alleged in my complaint to the SEC, Microsoft is violating the Foreign Corrupt Practices Act, and continues to do so brazenly. And why wouldn’t they?" wrote Elabd. "By declining to investigate these allegations and the evidence I’ve given them, the SEC and DOJ have given Microsoft the green light.”
A debate on whether the government should have lawful access to encrypted communications and devices saw former NSA contractor Edward Snowden duking it out with CNN host Fareed Zakaria.
The post NSA whistleblower Snowden, CNN’s Zakaria face off over encryption appeared first on Digital Trends.