TWIT 890: Jail or Olympics

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

I was listening on my run this morning and was disappointed in the coverage of the Twitter Whistleblower story. I was intersted to see what the discussion today would be about it and was hoping for good coverage. Focusing on Mr. Musk and Monthly Users and bots was a big distraction in my mind to some gems that have come out.

“it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did… Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

This I believe is part of Senator Grassley’s letter, there is/was no logging as to what happened. Imagine an engineer, or a state/foreign actor that could get access to Twitter and change the content of the Tweet w/o any logging or consideration to that logging. Remember that Tweets for better or worse or considered official statements of the President based on a ruling of the DOJ (DOJ: Donald Trump's tweets are 'official statements of the President' - Washington Times)

Let’s continue into the problems:

“About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors”

Or

“The whistleblower report says the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, were working for another government’s intelligence service.”

Or

According to the complaint, materials prepared for a board meeting suggested that 92% of computers had security software installed, but left out other stats which suggested that around 50% of those computers had “critical flaws” or had “disabled critical safety settings.”

All of these topics could have been covered but weren’t

The quotes were from Protocol ( Twitter whistleblower Peiter Mudge Zatko: Everything to know - Protocol) and CNN (https://www.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html)

Also couldn’t recommend Bluey more as well. Bandit (Bluey’s dad) encourages me to want to be a better dad. Seriously.

I have a t-shirt that has a picture of Bandit and labeled as “Dad” and when I wear it in public multiple dads will stop me and say “I love that show”

Bluey is life.

Unsure what’d be worse in terms of Netflix going ad supported. They could either write the ads into the scripts, which would impact the stories that are told, or they just plop them in at random. Just putting them in at random, as the Dave channel does with old BBC shows would be preferable because the show will fade to black at the start of the ad break, then fade back in, which would disrupt the flow of a given scene and take us out. I did think about switching from LastPass to BitWarden so do you think I should?
One thing that Netflix really should have done is release their shows weekly. If they’d done that with Stranger Things tthen there wouldn’t have been such a long gap between the first 7 episodes and the final 2, and it would have meant that people couldn’t just cancel after resubscribing. If they release Cobra Kai series 5 as a whole then I can just cancel Netflix before my renewal date whereas, going weekly, I can’t
One thing that gets me about EVs is where the power comes from. Even when there are enough charging stations there will be no point unless we get rid of fossil fuels entirely? If you’re charging your EV using renewable energy then great, but if the electricity to charge your car is coming from coal, oil, or gas, then what’s the benefit over a regular car?

I think that Twitter is the poster boy for the Silicon Valley start up culture, compared to the real world.

In the real world, we have to build in security from the ground up, but Twitter, and many other start ups, start with a system with little or no real,security (especially restricting employees access to the systems and putting in change control procedures). The service is developed in a quick and dirty way and all the important stuff gets left by the wayside, because it takes time and isn’t sexy, to be added on later, only by the time that is needed, it is too expensive to implement or implement properly.

YouTube and Facebook have suffered from similar problems, especially with their copyright systems. They skirt the law and only take action when the lawyer fees and fines exceed the development costs of what they should have done from the beginning and by that time, to do it properly would kill income and profits, so it isn’t done properly, a broken plaster is stuck over the wound, in the hope that authorities and other parties will accept a broke system as better than no system.

Um, so what?? Twitter is NOT part of the government. Despite the fact that some people think Twitter matters, they have no legal requirement to provide reliable service for their users. If the government wants a “government secure” Twitter service, they should create one, and not think they can co-opt a public company into being a government service.

There were multiple articles written about Mr. Trump’s tweets being considered policy of the Executive Office. Imagine a nefarious actor tweeting something from @potus, or @whitehouse, or @veep something that was a game changing policy statement. “We now consider Tiawan to be a country with the same rights as China” or “We decided Antartica was American and now the 51st state…” All wild and crazy statements but the Department of Justice said that Tweets could be considered policy.

This is why logging of who access to the system and/or if those engineers have the ability to tweet/change a tweet is national security.

I repeat: Twitter is NOT the government. If the government is confused about this then it is a government policy failure, and nothing what-so-ever to do with Twitter. Twitter should not be subjected to judicial harm because they didn’t treat the government’s communications as privileged and in need of special protection. IMHO, the government should be subjected to judicial harm for using Twitter for privileged communication. (But the former President already has enough judicial issues right now, so adding one more isn’t really helpful.)

1st off I’m not confused about this. I also believe that a tweet shouldn’t be considered policy. But that’s how Mr. Trump’s tweets were treated. Cybersecurity Twitter discussed all of this the moment the tweet came out. It wasn’t an idea new to me.

But let’s move on to this. Let’s get back to all the other issues that were mentioned that had nothing to do w/ Mr. Musk and should’ve been focused on and discussed. Who cares about Mr. Musk and Bots and all that.

Let’s focus on how awful the company is. How in one of the whistleblower notes Mudge mentions he had to give his security reports verbally and not write them down. I’m fascinated about how awful this company was/is and got away with it

A different perspective, or more of the same, really:

I guess I’m bummed the discussion focused on Mr. Musk. There was/is so much more to talk about

Well, when you’re terminated for cause, and you try to fight back, it’s a lot of “I said/they said.” Most HR type stuff is covered by confidentiality agreements… if you want a nice separation package you usually have to swear to never disparage your former employer, and they you, etc. Based on how such things normally go, unless actual criminality is involved (which the former employee must be trying somehow to imply by going the whistleblower route) there is unlikely to be much publically know about what “really happened.” And with it going into the courts, you shouldn’t expect much factual reporting until after the courts have had their say.

Gotta agree with you on this one Paul! Just like with the first amendment - Twitter, Facebook et al are in no way obligated to follow it- they are private companies

When I was growing up, men wore bracelets, necklaces and earrings, although only one ear was acceptable, and then, the correct ear. Some people around here, especially younger generations wear necklaces and earrings still, although bracelets seem to have fallen out of fashion.

My daughter gave her husband a pocket watch as an engagement present a couple of years back.

So a few issues with this pod cast. I am software architect at a large firm that produces cyber security software for corporations. Came back to TWIT for what I use to listen to. Oh well.

• Doing security right is HARD. It’s expensive. It’s intrusive. You have to prove a negative to justify it (we kept you safe) While we techies go ‘this is stupid we have to fix it’ try explaining to mostly clueless executives that NOT doing this will be more expensive than doing it. Good luck.
• In the corporate world, especially in a company where a) there is corruption/lying (selling email and phone numbers) and b) security isn’t near the forefront, it can take a year or more just to START turning the boat. To suggest he should have ‘fixed’ this in two years…maybe get some insight from a corporate developer next time.
• Twitter’s security sounds like a joke. Regardless, you missed the worse issue. They can CHANGE what people post and no one can prove/track it. Given the level of self-righteous justification currently professed by the left where ‘anything is ok since we’re protecting democracy’ and the prevalence of woke culture at twitter, the idea that any engineer at twitter can manipulate posts without a trace is frightening. To suggest ‘it’s not a big deal’. Are you kidding? A bad twitter thread can end your career.
• The left is just as stupid as the right. It’s really insulting listening to the comments and attitude on the show about the right. This is my first twit pod cast I listened to in a while and it’ll be the last. Very disappointed.
• Twitter isn’t a town square or anything else. It is a bunch of bubbles where people say vile things they’d never say to someone’s face and other vile people tell them how right they are. That’s it. Personally, I want nothing to do with it. It doesn’t represent crap other than a diatribe on how truly terrible people can be to each other. It’s a tiny vocal minority that shouldn’t have anywhere near the power they have.

Have a nice day.

This is why I am in favour of the GDPR. You have to include your data protection officer in all discussions on project development from the inception onwards, if you do not, you are in contravention of the GDPR and can face huge fines.

This means security has to be built in from the get-go, it has to be there to ensure the privacy rules of the GDPR are followed. This is a huge change for businesses, especially the way Silicon Valley seems to work, which is slapt it together and see if it works, we’ll worry about security, if we are here in 5 years time. That just doesn’t fly any more. And, by the time that 5 years have gone by, the system is too complex to just add security, it would need a complete re-write, which is just too expensive.

Security has to be in there from the conception onwards, it has to be in there from the first line of code onwards.

Yes, this. If lawyers and fines are cheaper than “doing it right”, lawyers and fines it is. This needs to change, again, putting in laws like GDPR can start to make a difference, because 5% of income, world-wide, is a good incentive to do things properly and not wait for everything to go wrong first.

This is a major problem. As a developer and administrator, we never had unfettered access to all the data, you always needed additional rights to see all the data - we could use the backup software to back it up, but we couldn’t see it by default.

Even today, if we have to do something that would involve use looking at a user’s home directory or, say, the personnel department’s files, we always get permission, before giving ourselves access to the data and we remove access, once we are finished.

Heck, our normal day-to-day user accounts don’t have any administration privileges, even local admin on the PCs we use.

No need to bring politics into this, the last part of your sentence is all you needed to make, regardless of anyone’s political leanings.

I tweeted something similar to the following about the need for CSOs and their teams a week or so back:

Security begins with the conception, it begins with the first developer and the first line of code and it goes all the way down to the lowliest user. The cyber security industry is only needed when this breaks down.

Unfortunately, it breaking down is still the norm. We have to get away from offering companies cyber security insurance and get out of jail free cards. Not doing the right thing has to hurt and hurt enough that doing the right thing from the start makes more sense than shoveling tonnes of bad habits and mistakes under the carpet and wondering why it looks like Mount Everest with a pretty pattern over it.

The Attila the Hun line got me great show.