A Twitter (NASDAQ: TWTR) whistleblower says the platform has fundamental flaws that threaten both user safety and U.S. national security, and could also explain why the platform has been so readily weaponized against Bitcoin SV (BSV).
On Tuesday, CNN and the Washington Post jointly reported on a mammoth whistleblower complaint filed with the U.S. federal government on July 6 by Peiter ‘Mudge’ Zatko, a prominent ‘ethical hacker’ who formerly served as Twitter’s head of security. Zatko claims he was fired in January after he challenged Twitter’s management over its inability and/or unwillingness to fix the serious problems he’d identified.
Zatko’s complaint, which was filed with the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice (DOJ), warns that he identified “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy” on Twitter’s platform.
Among Zatko’s more alarming claims is that around half of Twitter’s 7,000 full-time staff have ready access to internal software, access to which isn’t adequately monitored. The number of staff with access to ‘God-mode’ administrative powers reportedly numbers in the hundreds.
Zatko claims this widespread access to core systems was responsible for 60% of ‘serious intrusions or other security incidents,’ which occur roughly once a week. Zatko claims that “employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations.”
Zatko claims Twitter “has limited ability to effectively constrain and mitigate insider risk.” Despite this type of risk being identified and remedied by other large tech platforms 15 years ago, Zatko claims that “Twitter’s access control risk is growing, not shrinking.”
Nearly one-third of staff’s laptop computers were configured to reject automatic software updates, including security patches, leaving them vulnerable to hacking. Many of these laptops contained copies of Twitter’s source code, and engineers tasked with altering how the platform works aren’t required to test their tinkering in a simulated environment. Zatko paints a picture of a management team lacking awareness of who was doing what to Twitter’s fundamental building blocks.
Shutting the barn door
Then there’s the shady stuff Twitter was aware of. Zatko claims India’s government “forced” Twitter to put one of its agents on the payroll, enabling “direct unsupervised access to the company’s systems and user data” during a period of domestic protests against the Modi government.
Two weeks ago, former Twitter manager Ahmad Abouammo was convicted of wire fraud, money laundering and conspiracy after improperly accessing the account data of Saudi dissidents and passing it to Saudi officials. Abouammo earned over $300,000 for his (apparently effortless) skullduggery.
Zatko’s breaking point came when he couldn’t convince CEO Parag Agrawal to present an accurate depiction of the security situation to Twitter’s board of directors. Zatko claims he was fired after reporting internally that a watered-down report submitted to the company’s Risk Committee may have been fraudulent.
On Tuesday, Agrawal responded to Zatko’s allegations by telling staff that the complaint is “riddled with inconsistencies and inaccuracies” and that Zatko was fired for “ineffective leadership and poor performance.” A Twitter spokesperson separately claimed that Zatko “appears to be opportunistically seeking to inflict harm on Twitter, its customers and its shareholders.”
Twitter’s attempts at spinning this story don’t appear to be working. Sen. Richard Blumenthal (D-CT) has written a letter urging the FTC to examine whether Twitter’s actions (or lack thereof) are a violation of the 2011 settlement it reached with the FTC that required the company to better safeguard customer info. (Zatko’s complaint states that Twitter “had never been in compliance” with the FTC order “and was not on track to ever achieve full compliance.”)
Talking out his Dorsey vent
Zatko was brought into Twitter by co-founder/former CEO Jack Dorsey, who left the company in November 2021. Zatko says Dorsey appeared sincere in his desire to plug Twitter’s holes but had only six one-on-one calls and “a couple dozen” text messages with Zatko over 12 months. Zatko paints Dorsey as “extremely disengaged,” speaking only around 50 words to Zatko during those half-dozen calls.
Dorsey left Twitter in order to focus more on his Square (since renamed Block) digital payments business, which is heavily invested in promoting the BTC token as “the native currency for the internet.” Last December, Block began allowing Cash App customers to send BTC to each other in the hopes that this would spur greater adoption of the technology.
Of course, there’s little chance of BTC ever becoming a true internet currency, in part due to BTC’s notoriously high transaction fees. The use of BTC within Block’s Cash App is heavily subsidized by Block, which saw BTC-based revenue fall 34% in Q2 (-43.6% for the first half of 2022) following “a decline in consumer demand” for the BTC option. (Block also purchased zero additional BTC in Q2, despite its plummeting price.)
Bitcoin SV is far more likely to become the internet’s default currency, based on the BSV blockchain’s ability to scale individual blocks to handle a sufficient volume of transactions, even as it imposes transaction fees measured in fractions of a cent. But Dorsey has placed his bet on BTC and he’s not about to let some BSV interloper steal his thunder.
Block is a founding member of the Crypto Open Patent Alliance (COPA), a group that formed last year for the sole purpose of opposing BSV and one of its main supporters, Dr. Craig Wright. Wright is the real-world individual behind the Satoshi Nakamoto pseudonym credited with authoring the 2008 Bitcoin white paper and has filed numerous patents related to blockchain technology that Dorsey and his COPA co-conspirators fear will thwart their plans to take over this space. Dorsey has also established a Bitcoin Legal Defense Fund to support BTC developers who find themselves in Wright’s legal crosshairs.
Combining Dorsey’s BSV antagonism—Twitter famously closed Wright’s account in 2019—with what Zatko revealed of Twitter’s slipshod internal security, it’s not hard to imagine that some staff might have seen fit to tinker with BSV-affiliated accounts to ensure their BSV message reached as limited an audience as possible.
Several prominent BSV advocates have reported having multiple non-bot real-live-human accounts purged from their lists of followers over the years, as well as certain tweets not being visible to their followers. Whether this was part of a top-down ‘shadow banning’ campaign or the work of a few BSV-loathing minions, only Twitter insiders know for sure. Perhaps the next whistleblower will have more to offer on this score.
A Musk read
The opening salvo of Zatko’s complaint takes issue with Twitter’s alleged reluctance to tackle its bot problem, helpfully titled “Lying about Bots to Elon Musk.” Musk, who famously signed a $44 billion deal to buy Twitter earlier this year, has been trying to get out of it ever since. (Yet another example that anything Musk says needs to be viewed with suspicion, like, say, building a Hyperloop or putting one million robo-taxis on the road or bragging that his ‘diamond hands’ will never sell his BTC.)
Musk’s attorneys appear to believe that the Twitter bot issue is their best ‘get out of deal free’ card and Zatko’s complaint may or may not provide Musk with the ammo to convince a judge to let him walk away. Zatko claims Twitter execs have no idea how big a bot problem they have, and that “deliberate ignorance was the norm” because “executive bonuses (which can exceed $10 million) are tied to growing” user numbers.
Zatko filed his whistleblower complaint about a week before Twitter filed its lawsuit to compel Musk to honor the deal he agreed to, and Musk’s camp has denied having any contact with Zatko. Regardless, Musk’s attorneys have now subpoenaed both Zatko and Dorsey to appear at the trial that’s set to kick off in Delaware on October 17.
You don’t suppose we can convince Musk’s attorneys to ask Dorsey about BSV while he’s on the stand? Maybe the mere mention of Dr. Wright will rile Dorsey up so much we can get more than 50 words out of him this time.