The big story in a nutshell is that Twitter lied and hasn’t fixed security flaws, negligently and catastrophically ignoring customer safety.
An FTC complaint [a decade ago] said far too many Twitter employees could access internal systems and user data, and the company agreed to set up a “comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.”
When Zatko testified in Congress that no such plan was in place, a third engineer still at the company told Twitter security executives that a program for tweeting as others was still widely available, and that he had tried to get it shut down or restricted years earlier. That issue was reopened, the complaint says, leading to the discovery of even deeper access that also would allow deletion of tweets or the restoration of tweets that had been deleted — something regular users can’t do on their own accounts.
Though Twitter’s then-leaders had said the number of people who had access to such powerful tools had been cut in 2020, the new whistleblower complaint says the GodMode code remains on the laptop of any engineer who wants it. All they would have to do is change a line of the code from FALSE to TRUE and run it from a production machine that they could reach through an easily accessible communications protocol known as SSH.
“Twitter does not have the capability to log which, if any, engineers use or abuse GodMode,” the complaint says.
It’s very easy to log SSH: sshd records every accepted login (and, at verbose log level, the key fingerprint that was used), and a single auditd rule records every command run in that session together with the login uid, which survives sudo. That’s kind of the point here. Twitter isn’t doing even the basics to protect its customers from itself.
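As an added illustration of what “the basics” look like on a Linux host (this is example code written for this post, not code from Twitter, from the whistleblower complaint or from the Post’s reporting): sshd with `LogLevel VERBOSE` in sshd_config writes one line per accepted login naming the user, source address and key fingerprint, and an auditd rule such as `-a always,exit -F arch=b64 -S execve -k exec` writes a SYSCALL/EXECVE record pair for every command, carrying the login uid (`auid`) that auditd fixes at authentication. The script joins the two so each command is attributed to the key that logged in. The hostnames, users, fingerprints, command names, session and serial numbers in the sample lines are all constructed.

```python
"""Attribute commands run on a production host to the SSH login behind them.

Example for this post; assumes sshd LogLevel VERBOSE plus an auditd execve
rule. Both log samples are constructed, not real data from any company.
"""
import re
from collections import defaultdict

# Constructed auth.log lines as sshd writes them with LogLevel VERBOSE.
SSHD_LOG = """\
Jan 18 09:12:01 prod-web01 sshd[4300]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:YWxpY2VrZXlmaW5nZXJwcmludDEyMzQ1Njc4OTA
Jan 18 09:12:01 prod-web01 sshd[4300]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Jan 18 09:40:17 prod-web01 sshd[4410]: Accepted publickey for bob from 10.0.0.9 port 40022 ssh2: RSA SHA256:Ym9ia2V5ZmluZ2VycHJpbnQxMjM0NTY3ODkwMTI
Jan 18 09:40:17 prod-web01 sshd[4410]: pam_unix(sshd:session): session opened for user bob(uid=1002) by (uid=0)
"""

# Constructed audit.log records. The serial after the timestamp ties the
# SYSCALL and EXECVE records of one execve() together. auid is the login uid
# set by pam_loginuid; it survives sudo, so the uid=0 record still maps to alice.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1674033150.101:881): arch=c000003e syscall=59 success=yes exit=0 ppid=4301 pid=4355 auid=1001 uid=1001 gid=1001 euid=1001 ses=7 tty=pts0 comm="python3" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1674033150.101:881): argc=3 a0="python3" a1="ops_tool.py" a2="--env=prod"
type=SYSCALL msg=audit(1674033160.555:882): arch=c000003e syscall=59 success=yes exit=0 ppid=4301 pid=4360 auid=1001 uid=0 gid=0 euid=0 ses=7 tty=pts0 comm="systemctl" exe="/usr/bin/systemctl" key="exec"
type=EXECVE msg=audit(1674033160.555:882): argc=3 a0="systemctl" a1="restart" a2="tweetsvc"
type=SYSCALL msg=audit(1674033170.000:883): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4370 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 tty=(none) comm="cron" exe="/usr/sbin/cron" key="exec"
type=EXECVE msg=audit(1674033170.000:883): argc=1 a0="cron"
"""

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)
SESSION_RE = re.compile(r"session opened for user (?P<user>[^\s(]+)\(uid=(?P<uid>\d+)\)")
AUDIT_HDR_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

UNSET_AUID = 4294967295  # auditd's "no login uid": daemons, cron, boot-time processes


def parse_sshd(text):
    """Return ({user: most recent accepted login}, {uid: user}) from sshd lines."""
    logins, uid_to_user = {}, {}
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins[m["user"]] = {"ip": m["ip"], "method": m["method"], "fingerprint": m["fp"]}
            continue
        m = SESSION_RE.search(line)
        if m:
            uid_to_user[int(m["uid"])] = m["user"]
    return logins, uid_to_user


def parse_audit(text):
    """Group audit records by serial so each EXECVE argv joins its SYSCALL fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = AUDIT_HDR_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        ev = events[int(m["serial"])]
        ev["ts"] = float(m["ts"])
        if m["type"] == "SYSCALL":
            ev["auid"] = int(fields["auid"])
            ev["uid"] = int(fields["uid"])
            ev["ses"] = fields["ses"]
        elif m["type"] == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    return [events[s] for s in sorted(events)]


def attribute(sshd_text, audit_text):
    """Join every execve to the SSH login owning its auid; returns a list of dicts."""
    logins, uid_to_user = parse_sshd(sshd_text)
    out = []
    for ev in parse_audit(audit_text):
        if "argv" not in ev:
            continue  # SYSCALL without EXECVE (not an exec), nothing to attribute
        if ev["auid"] == UNSET_AUID:
            who = {"user": None, "note": "no login uid (not an interactive session)"}
        else:
            user = uid_to_user.get(ev["auid"], f"uid {ev['auid']}")
            who = {"user": user, **logins.get(user, {})}
            if ev["uid"] != ev["auid"]:
                who["note"] = f"ran as uid {ev['uid']} (sudo/su), still attributed by auid"
        out.append({"ts": ev["ts"], "ses": ev["ses"], "cmd": " ".join(ev["argv"]), **who})
    return out


if __name__ == "__main__":
    for rec in attribute(SSHD_LOG, AUDIT_LOG):
        print(rec)
```

The attribution key is `auid`, not `uid`: on a shared production box most interesting commands run as root through sudo, and `uid=0` alone tells you nothing about which engineer typed it, while the login uid pinned at SSH authentication cannot be changed by the session afterwards. Records with the unset auid (cron, daemons) are reported separately rather than silently dropped, since a tool launched from a timer rather than a terminal is exactly the case a reviewer would want to see flagged.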
Terrible company management of a horrible technical design while lying about it; what more could convince you to abandon ship?
It gets worse because there are now allegedly heavy internal and external threats from management to censor security experts and hide the slide.
The company’s current head of trust and safety, Ella Irwin, did not respond to an email seeking comment on the new claims. […] The whistleblower spoke with The Post on the condition of anonymity because other former employees have been threatened and harassed. …recently departed security staffers said in interviews with The Post that [customer safety and trust] has gotten much worse under Musk.
As I’ve written before, Irwin (after suspiciously fluffing her resume) was very publicly censored by the CEO after she tried to speak freely to external claims. Of course she didn’t respond.