Peiter “Mudge” Zatko has been a major figure in the development of cybersecurity practices since the 1990s, and until recently served as the CISO of Twitter. He is also the author of a damning whistleblower report drawn from his time at that company, one that paints an extremely worrying picture of the security and privacy culture there.
The Mudge whistleblower report was filed with the DOJ, FTC, SEC and a number of relevant congressional committees. It describes ongoing lax security practices that are repeatedly papered over by top executives, including deceiving the board of directors and employing foreign agents who pass intelligence back to their home countries.
Whistleblower report: Lack of logging and accountability, poor employee access control, failure to meet terms of 2011 FTC settlement at Twitter
Twitter has experienced a long string of security and privacy issues, but the specific one that triggered Mudge’s hiring (by former CEO Jack Dorsey) was the mid-2020 social engineering attack that allowed a group of teenagers to run wild across the platform simply by taking over an engineer account. The whistleblower report claims that this access control issue has not been seriously addressed since then, with company engineers having free access to the production environment without any logging of their actions and “thousands” of employees overall having questionable control over user accounts and data.
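The missing control the report describes (engineers acting in production with no record of who did what) is straightforward to express in code. The following is an added example written for this article, not code from the report or from Twitter: every privileged action is tied to a named actor and a change reference before it runs, written to a hash-chained log so later edits or deletions are detectable, and observed production changes can be reconciled against that log. The record fields, the change-ticket requirement and the sample actions are assumptions made for the demonstration.

```python
"""Attributable, tamper-evident logging of privileged production actions.

Added example, not code from the whistleblower report or from Twitter.
Record fields, ticket format and sample data are constructed for the demo.
"""
import hashlib
import json
import time
from dataclasses import dataclass, asdict


@dataclass
class AuditRecord:
    actor: str       # authenticated engineer identity
    action: str      # e.g. "account.update", "config.deploy"
    target: str      # object acted on, e.g. "user:42"
    ticket: str      # change/approval reference the action was made under (assumed)
    ts: float        # time of the action
    prev_hash: str   # digest of the previous record (hash chain)
    digest: str = ""


def _body(rec: AuditRecord) -> bytes:
    # Canonical serialisation of everything except the record's own digest.
    fields = {k: v for k, v in asdict(rec).items() if k != "digest"}
    return json.dumps(fields, sort_keys=True).encode()


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.records: list[AuditRecord] = []

    def append(self, actor, action, target, ticket, ts=None) -> AuditRecord:
        prev = self.records[-1].digest if self.records else self.GENESIS
        rec = AuditRecord(actor, action, target, ticket,
                          ts if ts is not None else time.time(), prev)
        rec.digest = hashlib.sha256(_body(rec)).hexdigest()
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """True only if no record was edited, removed or reordered."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or hashlib.sha256(_body(rec)).hexdigest() != rec.digest:
                return False
            prev = rec.digest
        return True


def privileged_action(log, actor, action, target, ticket, fn, ts=None):
    """Run fn() against production only after the action is attributed and logged."""
    if not ticket:
        raise PermissionError(f"{actor}: '{action}' on {target} requires a change ticket")
    log.append(actor, action, target, ticket, ts)
    return fn()


def find_unattributed_changes(observed, log):
    """Observed (action, target) changes in production with no audit record behind them."""
    logged = {(r.action, r.target) for r in log.records}
    return [change for change in observed if change not in logged]


def demo():
    log = AuditLog()
    result = privileged_action(log, "alice", "account.update", "user:42", "CHG-1001",
                               lambda: "applied", ts=1.0)
    try:
        privileged_action(log, "bob", "config.deploy", "svc:api", "", lambda: "applied", ts=2.0)
        denied = False
    except PermissionError:
        denied = True
    # Constructed list of changes seen in production state; user:99 has no log entry.
    observed = [("account.update", "user:42"), ("account.update", "user:99")]
    unattributed = find_unattributed_changes(observed, log)
    chain_ok = log.verify_chain()
    log.records[0].actor = "mallory"   # simulate after-the-fact tampering with history
    return {"result": result, "denied_without_ticket": denied,
            "unattributed": unattributed, "chain_ok": chain_ok,
            "chain_ok_after_tamper": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the detection half of the control: a change that appears in production state with no matching audit record is exactly the kind of unattributed engineer action the report complains about, and the hash chain means a record cannot be quietly rewritten afterwards without the log failing verification.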
That is far from the only security and privacy problem identified by the whistleblower report, however. Mudge says that 30% of the company’s computers are set to not accept security updates, yet Twitter executives told the board of directors that only 8% of its systems were not fully up to date. Additionally, about half of the company’s half-million servers allegedly have outdated software that no longer receives security updates. He also echoed the concerns that led Elon Musk to attempt to pull out of the Twitter deal, saying that he could not get executives to clearly disclose how many accounts on the platform were bots or spam accounts.
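Patching figures quoted about the same fleet can differ sharply depending on what is being counted, which matters when a number reported to a board is compared with one from an internal review. The script below is an added example, not from the report or from Twitter's tooling, and does not claim to reproduce how either the 30% or the 8% figure was derived. It computes three distinct metrics from one constructed ten-host inventory: hosts whose update mechanism is disabled, hosts missing a patch at the time of the snapshot, and hosts running software past its end of support. The OS names, end-of-support dates and patch levels are constructed for the demonstration.

```python
"""Fleet patch-compliance metrics from a host inventory snapshot.

Added example, not from the whistleblower report or any Twitter tooling.
Inventory, OS names, patch levels and end-of-support dates are constructed.
"""
import csv
import io
from datetime import date

# Constructed end-of-support dates for hypothetical OS releases.
SUPPORT_ENDS = {
    "linux-2019": date(2023, 1, 1),   # past: no longer receives security updates
    "linux-2022": date(2026, 1, 1),
}

# Date at which the constructed inventory snapshot was taken.
SNAPSHOT_DATE = date(2024, 6, 1)

# Constructed inventory: patch levels are YYYY-MM strings, so they compare lexically.
INVENTORY_CSV = """hostname,os,auto_update,installed_patch,latest_patch
srv-01,linux-2019,no,2022-11,2023-01
srv-02,linux-2019,no,2022-12,2023-01
srv-03,linux-2019,no,2023-01,2023-01
srv-04,linux-2019,yes,2023-01,2023-01
srv-05,linux-2019,yes,2023-01,2023-01
srv-06,linux-2022,yes,2024-05,2024-05
srv-07,linux-2022,yes,2024-05,2024-05
srv-08,linux-2022,yes,2024-05,2024-05
srv-09,linux-2022,yes,2024-05,2024-05
srv-10,linux-2022,yes,2024-05,2024-05
"""


def load_inventory(text):
    """Parse the CSV snapshot into a list of host dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def updates_disabled(host):
    """Host is configured not to accept security updates automatically."""
    return host["auto_update"].strip().lower() != "yes"


def not_fully_patched(host):
    """Host is missing at least one available patch at the snapshot."""
    return host["installed_patch"] < host["latest_patch"]


def unsupported(host, as_of):
    """Host runs software whose vendor support (and security updates) has ended."""
    end = SUPPORT_ENDS.get(host["os"])
    return end is None or end <= as_of


def pct(hosts, pred):
    """Percentage of hosts for which pred() holds, rounded to one decimal."""
    return round(100.0 * sum(1 for h in hosts if pred(h)) / len(hosts), 1)


def compliance_report(hosts, as_of=SNAPSHOT_DATE):
    """Three separately defined metrics plus the union of hosts needing attention."""
    return {
        "updates_disabled_pct": pct(hosts, updates_disabled),
        "not_fully_patched_pct": pct(hosts, not_fully_patched),
        "unsupported_os_pct": pct(hosts, lambda h: unsupported(h, as_of)),
        "needs_attention": sorted(
            h["hostname"] for h in hosts
            if updates_disabled(h) or not_fully_patched(h) or unsupported(h, as_of)
        ),
    }


if __name__ == "__main__":
    for key, value in compliance_report(load_inventory(INVENTORY_CSV)).items():
        print(f"{key}: {value}")
```

On this constructed fleet the three numbers are 30%, 20% and 50%, all true at once: a host with updates disabled may happen to be current because someone patched it by hand, and a host that is "fully patched" may still be unsupported because no further patches will ever be published for it. A report that names which of these definitions it uses is far harder to misread than a single percentage.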
But perhaps the most eye-catching allegation was that foreign spies have infiltrated the company. The whistleblower report discloses that at least one foreign agent is believed to be employed there, and possibly several more; this comes shortly after a former Twitter manager was convicted of spying for Saudi Arabia via the platform. The concern is compounded by the report's claim that a timed denial of service attack, or even a series of unfortunate crashes, could potentially destroy the entire platform if it struck several data centers simultaneously.
Twitter's ad hominem response does little to alleviate concerns in security and privacy circles
Mudge has a nearly unimpeachable reputation in the security and privacy industry that dates back to his emergence with the L0pht in the 1990s, but Twitter has nevertheless taken the tack of character assassination in response to his whistleblower report. Company statements have hinted at his motivation being rewards from the pocketbook of Elon Musk or a government whistleblower program, and have revised prior statements to say that he was fired for poor performance.
Any battle of reputations is thus clearly tilted to one side, with Twitter experiencing a long chain of security and privacy incidents that stretches back as far as 2009. Its two major breaches in that year prompted action by the FTC and an eventual settlement, whose terms include security and auditing practices that Twitter is being held to until 2031. Compliance with these terms was key in Twitter avoiding financial penalties for those 2009 breaches, but it could still be fined if it fails to live up to its obligations in this area.