The complaint [0] is both very interesting – particularly the details on how sloppy/non-existent Twitter's user-access-control was back in 2015 – and pretty funny, such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13).
According to one of the suspects' LinkedIn, he left Twitter in 2015, and then worked at Amazon for 3 years in marketing and social media. While I have little doubt Amazon's internal auditing and access control are better than Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access any private user data.
> such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13)
It's even better: he typed the fake invoice up in his bedroom while the FBI was in his house, after explicitly asking the FBI not to follow him in there. I can picture the agents looking at each other trying not to burst out laughing.
Is that really that unusual though? Can you think of a situation where not asking the FBI to not follow you around the house would be reasonable?
And why would the FBI assume he was typing the invoice? If you ask me for certain documents I actually possess, depending on the document I might be gone 10 to 15 minutes as well, or even outright say that I need to find it first, I'll bring it to <X>.
I mean, if the FBI drops by for a chat, encouraging them to stick to the living room is probably not unusual. But if you're being asked for a document present in your house that's going to take 10+ minutes to find, inviting the agents along or bringing the relevant folders/computer/whatever to where they are sounds pretty reasonable.
Not necessary, which is obvious from the agents agreeing to this request. But maybe a good way to forestall concerns like "what if they think I'm forging the document right now?"
Tangent, but one of the most interesting things in the complaint -- to me -- was this language:
> Many Twitter users live in Saudi Arabia and some users of Saudi nationality or descent live outside of Saudi Arabia, including in the United States.
It's kind of surreal to use "Saudi" as the demonym for the people of Arabia. "Arab" would be normal. The language is Arabic, the country is Arabia, and those are both named after the people, the Arabs. The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.
>It's kind of surreal to use "Saudi" as the demonym for the people of Arabia
Huh? They use it as a name for "people from Saudi Arabia" and it's a very common use.
"some users of Saudi nationality or descent live outside of Saudi Arabia" --> people who are SA nationals/origin and live outside the country.
>The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.
Saudi != Arab. If anything, Arab is a superset (and Saudis, if we talk about the nation state and not the ethnicity, are not all Arabs).
But the main point, is that the name Saud is commonly used for the nationals of Saudi Arabia, not just the royals.
Wikipedia:
Saudis or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;
Arabia is a peninsula. Qataris, Yemenis and Emiratis among others would not appreciate Saudis attempting to appropriate Arabian to refer to those from Saudi Arabia.
And Arab refers to people from Morocco to Iraq so it’s equally unsuitable.
Exactly, imagine if people of the United States appropriated the name 'American'! I'm sure that every other country in the two Americas would be up in arms!
Some other countries actually use terms like United Statians or North Americans. And after traveling a bit makes the USA's use of 'America' seem arrogant or ignorant.
I'm guessing you haven't traveled much. American is a virtually ubiquitous term to describe someone from the United States worldwide, no matter which language you're speaking. Countries which have a problem with calling yourself American are a minority, and even then it's usually a small minority of the younger generation.
If you go anywhere within Latin America, you'll find quite quickly that "American" is used to describe someone from the continents, and it's consider very odd to introduce yourself as "American" to a local. You say you're Estadounidense, or "Soy de Estados Unidos" (From the United States).
It's actually a very charged topic in Latin America, as many latinos feel that the word they use to describe themselves has been stolen.
Wikipedia:
Saudis (Arabic: سعوديون Suʿūdiyyūn) or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;
Is anyone surprised considering the amount of saudi money flooding around traditional and social media?
Now lets look into israel and their spying/influence in traditional and social media.
It was amazing the amount of "news" and social media spam we got about russia ( We were always at war with eurasia ). It's amazing the amount of "news" and social media spam we are getting about china ( We were always at war with eastasia ).
But one hardly ever hears a peep about israel or saudi arabia. Considering what is happening to the palestinians, yemenis, etc, you would think you'd hear a lot more "news" about them. Especially about saudi arabia from the feminist/lgbt traditional media considering the saudis probably treat women and the lgbt as badly as any nation on earth.
How come the "news" industry isn't going apeshit over more than half of the state and the US house of senate pushing unconstitutional anti-BDS laws?
I can't stand these kind of takes that are based purely in anecdote. On what basis are you claiming we "hardly ever hear a peep about israel or saudi arabia"? How do you even measure that?
All this sort of stuff is claimed under Manufacturing Consent. Chomsky's point is often why don't we hear about these other incidents .. because the news isn't balanced and the government is trying to fashion a narrative and they use the media to do this by selectivly choosing what we hear and see.
One of the points of Manufacturing Consent is that it's not necessarily the government directly choosing a narrative (that sometimes does happen, especially through selective leaks) but that the news media itself and the people who end up doing editorial policy are largely aligned with the government to begin with.
It's not that they are aligned with the government, necessarily. Rather, they are aligned with large advertisers, and those tend to be powerful companies and conglomerates with global interests.
Essentially, if you're a media outlet, you'll try hard to not piss off the hand that is feeding you, and Chomsky's assertion is that this is how the media manufactures consent (for all the horrible things the government does to defend the interests of those advertisers abroad).
That is one aspect, but there is even more: in general, people who rise in positions of power, such as editorial positions on major media outlets, or political power, or capital, tend to have similar beliefs and interests. This is because of things like common education institution and social bonds.
Essentially, if your opinions are significantly different from those of most politicians (on the important topics), you're unlikely to rise up through the ranks in most major institutions.
For starters: "NSO (Israel) hacked Jamal Kashoggi's contact via WhatsApp & passed whereabouts of Kashoggi to Saudi Arabia which eventually led to his death." I've never heard of this news until I read this thread today, even though it was covered by NYT to some extent.
Not only negative news about some countries don't emerge in the Western society, but also positive news debunking the falsehoods and stereotypes about the "blamed" countries don't show up neither:
https://theintercept.com/2019/08/14/trump-iran-worst-lies
A major problem of our global society is that public perception is biased towards the "winners" and we learn the truth, if we are lucky, about their negative impact long after the damage was done. Example: the US invasion on Iraq was based on the false narrative about the weapons of mass destruction. Again, there were some news outlets that were telling the truth, but it was ignored.
You're proabaly up to date with the war in Syria but why not Yemen? Why is Syria vastly more newsworthy than Yemen? Because this is what the column inches suggest.
The Yemeni Civil War makes it appear as if there is very little involvement from the three global superpowers, while the Syrian standoff was worryingly similar to a cold war era proxy war. Also quite close to Europe, thus more important for our media and upcoming elections.
Though with the Syrian conflict dying down, I'd expect others like Yemen to get more attention by filling the "war" slot in media.
Not that I totally disagree with the gist of your comments, but the Syria situation seems much more relevant internationally, with Syria involving direct military actions in of two world powers and a NATO member. Not to say that any of the attrocities are to be ignored...
Just as a non-anecdotal proof [0] that just because it's counter-intuitive doesn't mean it's not correct. Sometimes it's the most obvious absence of evidence that shouts the loudest. Looking at those planes there was absolutely no proof that some parts ever get hit and it would be crazy to even suggest that they do. Based on what evidence?
The US tends to come out with almost no bullet holes from SA and Israel but when one is found it's a howitzer. Every time something related to them really blows up you get to how deep they went and it becomes almost unbelievable to assume there were no signs whatsoever to the US and no reporting could have been done by the media.
WaPo has a vested interest in covering SA especially after Khashoggi and the Bezos blackmail incident. But the US and rest of the media are not as vocal as say when talking about anything related to China or Iran, where every piece of gossip is news, where every allegation becomes a sanction. The point to take from here is that "punishment fitting the crime" seems to be a very fluid concept also at country level and the questions to worry about are "Why are some getting a free pass? What are the strings?".
Where is Israel coming here into your argument? Just because you don't like Israel and what they are doing doesn't mean you should treat them the same as Saudi Arabia and create a narrative around them together.
They're both prominent US allies; they're states with some religious identity fundamental to their existence; they're integrated into American civic society - Saudi money in the US economy, academic partnerships between US and Israeli universities; they disenfranchise their own citizens to varying degrees; they buy American weapons and count on American military support to maintain geopolitical relations.
Oh, and they both use the strength of their relationship with the US to make certain parts of the world unlivable for people they don't like.
Israel is pretty much the only Democratic, liberal country in the middle East, with Western level women's rights/empowerment, LGBTQ protections, legal protection for minorites, etc. And a land of massive innovation. US universities aren't partnering with Israel because it's politically convenient, but because Israeli universities breed world leading research in many areas. Which is why most high tech companies have an Israeli division, and which is also why Israel has one of the world's highest per capita entrepreneurship, patents and peer reviewed scientific publications.
Contrast that to Autocratic Saudi Arabia where women weren't allowed to drive, or move about in public without approved male company until a year or two, where the LGBTQ are punished by death, where every non Muslim is systemically discriminated with a religions tax [1], where critical Tweets about the establishment routinely land people in jail, where the actual law of the land [2] is a throwback to the middle ages, with almost no scientific or cultural output of significance!
yes, that behavior is expected of a shit-tier country like saudi arabia. Is that how Israel wants to be regarded?
first-world countries should be held to higher standards of jurisprudence (among all things) than rando third-world nations. if you can't deliver justice, then really are you first-world at all?
do you really think Israel delivers appropriate due process to its occupied territories? Let alone actual representation?
iirc Israel just rolled over and occupied Jerusalem within the last couple years. The US rubber-stamped it, not sure that changes anything.
I think you're the one doing the false equivalency.
I'm not defending Saudi Arabia, which is indeed as backward as it gets, but in the case of Israel, if you want to talk about discrimination and human rights abuse, you cannot ignore (like you did) the way the indigenous population is treated, in what is effectively an apartheid state.
The real equivalency is that Saudi Arabia, Israel, the US, Russia, China, and - increasingly - the UK and other satellite states are now essentially extreme nationalist regimes with a far-right political slant and a fondness for various forms of violence.
The differences are more about superficial local colour than political dynamics, which are becoming depressingly consistent across the board.
It's becoming less and less surprising that there are high-level links between all of them which converge through the use of social media and other tools of influence.
Claiming Israel has a far right political stance is disingenuous. In terms of what? Geopolitical strategy? Economically they're definitely not on the right by any US standards.
He wrote "extreme nationalist regimes". I really hope that the Palestinian minority, which isn't really small and keeps growing, gets a say in Israeli politics after all these years of being totally sidelined by the majority. I don't see any other path to peace in that region.
I take serious issue with this. I completely agree that Saudi Arabia and Israel are significant national security and geopolitical issues that aren't being dealt with appropriately. The Israelis are spying on US politicians and others inside the US. It's crazy. And pointing out that the Israelis are doing so, and most likely also directly influencing politicians to treat Israel more favourably, is regarded solely as racism and "anti-Israeli" - as if Israel doesn't and isn't doing despicable things as well. They aren't above reproach, but they absolutely treated like they are. Saudi Arabia is far worse, and they're treated the same way in US politics.
But this doesn't mean Russia and China aren't doing bad things. This doesn't mean that they aren't bad actors that don't need to be dealt with. This is whataboutism, and it detracts from issues instead of productively extending the conversation. If one problem is mentioned, people like you jump out of the woodworks exclaiming, "NO, that's PROPAGANDA! listen to my favourite problem to talk about instead!".
All of these countires. USA. Israel. Saudi Arabia. China. Russia. They're all bad in their own ways, doing bad shit for shitty reasons and they all need to be talked about. But just because one of them does something bad doesn't mean you can't talk about the other ones as well. It doesn't excuse any of them. That's just moral relativism and it's destroying public discourse.
>This is whataboutism, and it detracts from issues instead of productively extending the conversation
This is a self contradictory statement. Calling someone's argument "whataboutism" is itself a logical fallacy designed to prevent extension of the conversation into a larger context
It's been surprising to me to behold the hawkish rhetoric we get in the press re: Turkey and Iran lately. I don't believe it's coming from people who are genuinely concerned about the fate of the PKK
If it isn't used to defend the action (spying), establish it as justified and therefore clear the offender from guilt, the fallacy doesn't really apply.
Are you implying that the BDS movement is anti-semitic? That would be an extreme claim, which would require some kind of evidence. Being against Israel's actions towards Palestine, which is far and away the most important topic covered by the BDS movement, is in no way an anti-semitic sentiment.
Two state solutions have been offered multiple times. What you're really claiming is that Jews should evacuate the land that they're living on after fleeing consistent mass murders and persecutions throughout history. What you're really claiming is that Jews should either exit to countries that have empirically turned hostile to them over time or be unprosperous.
Two state solutions have been offered, agreed upon, and blocked by the US and Israel every time.
I am not in any way for citizens of Israel (Jewish or Arab or Christian or whatever else) evacuating the state. However, illegal Israeli colonies on what is universally agreed as Palestinian land are not acceptable. Opening fire on crowds throwing rubber wheels at a wall is not acceptable. Bombing civilian buildings in retaliation for terrorist activities is not acceptable. Blockading humanitarian efforts to deliver food, water, and building materials is not acceptable.
Every gram of Palestinian resistance is met with a kiloton of Israeli aggression, almost as official doctrine. This is not acceptable.
And all this from the only state in the world which illegally holds nuclear weapons without being a signatory of the non-proliferation agreement, but constantly threatens going to war against a different state for building civilian nuclear infrastructure (which is all the international inspectors have found in Iran for years).
We don't need to look into Israeli or Saudi Arabian money in US politics. It's there and we like it there. Those two countries are the most stable in the region by a mile and are willing to compromise with US interests to maintain the (fragile) stability.
Like it or not, US interests are inextricably tied to those of the region. Don't believe me? Most scholars attribute Trump's election, at least in moderate part, to the massive influx of Syrian refugees to the many countries they went to. If we had done a better job stabilizing the region, perhaps Trump would have never even sniffed power.
These are the most stable countries in the region because they are the only countries in the region allowed to be stable. Iran is by almost any measure a better country to live in than Saudi Arabia, except that it does not do the bidding of the US, so it is getting illegal sanctions imposed upon it, almost officially recognized industrial sabotage, it is cut off from world banking etc.
Note: I'm not claiming Iran is some tortured paradise. It is still a brutal regime, with horrible regressive views and which is acting tyranically towards its own population. It is much worse than Israel in that regard (though at least Iran is not waging a war of aggression on a neighbor sattelite state, and defying UN resolutions and international law in doing so). But it is still significantly better than Saudi Arabia in almost everything to do with human rights.
Its the way of the world. The Palestinians were weak so they got bullied around and Israel was born. They remained weak and Israel continues. This is the way of the world. Strong eat the weak. Whether its monopolizing tech companies or nation states. They can abuse their power. Once established, they can then rewrite history. Look how now Microsoft has become such a champion for open-source. Tomorrow the champion of privacy will be Facebook. Tomorrow the champion for human rights will be the Saudis and the Israelis.
This is how garbage spreads, without wisdom and foresight.
Israel could've been a much better product of creative thinking. Now it's an apartheid state with the indigenous kept in an open air prison that is regularly used for international weapons testing.... The unwise think in very short terms...and it comes back to bite them shortly after.
I am serious but obviously sarcastic. Most the world is oblivious to the savagery of the Saudi war against Yemen. One day the Saudis will champion some liberal cause and hire some PR campaign to make sure its in headline news and placed smack middle of some Netflix movie. Poof!
I don't understand why you're being downvoted. Yes, there are valid technical reasons to use telemetry, but the tricks Microsoft is playing to get these data against the wishes of their users can't be considered fair.
Am I out of the loop, what have Microsoft done to support open-source? Made linux containers easy to use on Azure? Wrote a code editor so that they extend and extinguish developer mindshare and get them onto Azure? Im being serious, what have MS actually done to claim they have supported open-source (and of course, open-source != free software)
They are one of the largest contributors to linux, donate $500k annually to Linux foundation (since 2016. Google joined in 2018), VS code, .net is open source to large degree, typescript is open source.
The Linux kernel contributions link doesen't have a year, so I don't know if something changed. But the last time I checked this, they were "top" contributor for one quarter/some time because they basicly dumped all of their HyperV support into the kernel and after that they disappeared from the kernel contributors lists almost compleately.
A quick google shows the latest Linux Kernel report by Linux Foundation from 2017[1] with the numbers, and they are not even there. It could be that some Microsoft employees are doing work on the kernel without attribution back to Microsoft, but generally speaking I think it's safe to say that the only contribution to the Linux Kernel from Microsoft was HyperV support quite some time ago.
Not saying that they didn't change their ways, but they are a long way from proving that this is not another EEE cycle. Not to even mention "breaking even" on the damage they did directly (and deliberately) to open source effort.
You ignored the 500k per year contribution to linux, VS code, the ongoing effort to fully open source dot net, them dumping Edge for chromium, their contributions to chromium especially on efficiency for battery is non trivial.
Microsoft could open source Windows and people will still mention EEE. Impossible right? But, open sourcing dot net was inconceivable just a few years ago.
You're talking about EEE. In fact, the organization that's actively performing the EEE strategy is Google. It's quite easy to spot if one isn't blinded by fandom.
E.g. webkit -> blink, rss, bundling of apps on android prevent manufacturers from using forked android, chrome OS has only one browser - MS didn't even do this to get in trouble, AMP project, and then experimenting with removing urls from the search page.
I worked directly with Ahmad at Twitter on the international media team. All I can say is I now understand how the next door neighbor to a serial killer can say "but he always seemed like the nicest guy." He really was very nice to everybody, worked hard, and seemed genuine.
They were definitely tools available to all of us that allowed this type of access to personal data and more. Specifically a lot of the lists that were generated about who to follow suggestions were manually curated at the time and we could put whoever we wanted on the list. We were expected to put people that were relevant in our industry on those lists, but I think Ahmed actually got in trouble for putting himself on that list to build up his Twitter following.
At the time it was certainly a major initiative to rebuild the legacy systems to fix exactly this type of problem. There were strong mandates from the top of the company that were made abundantly clear to us that while they were fixing these things we were all under agreement and NDA to keep all of this data private. The systems were broken no question, but the message was clear. That just makes it even more disappointing to see what he did. He has a very young family at home that is now going to be totally broken.
> All I can say is I now understand how the next door neighbor to a serial killer
Hey, i get it, its a little surprising and scary. But this is just a quick reminder that we do the whole innocent until proven guilty thing here in the US. He hasn't been convicted yet, just keep that in mind when thinking about your colleague.
Another thing to bear in mind is that people who commit espionage are often coerced into doing it by blackmail or threats. This is one of the primary reasons for background checks beyond simple criminal background checks: you want to make sure the people you trust don't have anything in their history that can be used to blackmail or otherwise coerce them.
In this case, the behavior of the former Twitter employee makes him appear unlikely to be innocent.
He tried to forge an invoice while an FBI agent was in his home:
“ According to the complaint, Abouammo created a false receipt using his home computer during the interview to show a $100,000 payment received from Asaker to disguise the payments as media strategy work.”
Innocent until proven guilty is for the US courts though. Real life operates by a different principle -- use your eyes and don't f* up.
There are accusations that a teacher sexually molested somebody, but the investigations never went anywhere; do you hire that teacher? I don't think parents are about to blame you for not hiring that teacher.
> There are accusations that a teacher sexually molested somebody, but the investigations never went anywhere; do you hire that teacher? I don't think parents are about to blame you for not hiring that teacher.
That has bad externalities. In particular, you'd be creating perverse incentives for people to make accusations against those they dislike (or threaten to do so), a very asymmetric weapon that benefits liars more than anyone else.
I'm pointing out an observation, I'm not sure how interesting it is to ask me to imagine what if I were accused of sexual assault.
But while we are imagining, imagine that you are a school administrator who has hired such a teacher, and then there is another accusation of sexual crime with the same teacher. You suspend the teacher while investigations are ongoing, and ultimately the investigations go nowhere.
From the perspective of others, who is at fault? Isn't it time to quit because as an organizational leader you've lost the confidence of the public, which now impairs your effectiveness? As an observer, that is the answer I observe to be true of the land.
And let's not forget... the justice system gets things wrong sometimes. It's not a proxy for your eyes.
And then it is very easy to destroy someones livehood and future. Or blackmail someone: "raise my grade or I'll tell everyone you touched me". Then the poor teacher with some kind of integrity will never have a job as a teacher again.
People tend to care more about their kids than they do about teachers. A lot of people even support the death penalty, even though it obviously means innocents will also be executed at times. Justice and punishment is always a balance, where hopefully an optimum is found where the least people suffer.
The difference is that the punishment isn't supposed to in some way make up for, or balance the crime. In a modern society the punishment is for deterrence and rehabilitation.
That's laudable, and what most people in the justice system probably work for. But go and talk to the people that system serves, i.e. the public, and I think you'll come out with a different understanding of what purposes punishment in the justice system serves.
Not to mince words, we've managed to humanize the justice system to a large extent, but by no means have we been able to remove the desire of the public to see criminals humiliated and deprived of their freedom, even lives, on tit-for-tat moral grounds. So, while the justice system in many 'civilized' countries does the best it can to be rational, in order to keep the public happy, it also needs to be seen to be sufficiently harsh on crime.
This is traditional spycraft and HUMINT. Targeted intelligence collection of persons of interests will always be a problem, but it's not problem threatening the whole society as mass surveillance is.
Twitter (and Yahoo) deserve kudos for fighting back and being uncooperative. Twitter refused to join PRISM.
I’m surprised that anyone remembers Yahoo as being champions of privacy. Yahoo installed kernel modules on their servers to scan customer data at the request of the government, without even alerting their very own security team.
First, he hasn't been convicted yet. Second, most civilians who do this kind of thing are coerced into it. "Do this thing for me or I'll kill your family. If you talk to the FBI, I'll kill your family."
If he doesn't get sent to prison, people who don't know the story and condemn him because of a headline will.
Yes. That's is the whole point I am making. He knew it was wrong, and a lot of people suffer, including his innocent children. Not sure if you think I am defending what he is reported to have done, but I am not at all intending to do so.
Additionally I think it disappointing that Twitter curates this type of content at all. I was never a heavy user, but currently Twitter just hasn't any draw at all anymore.
Should anyone have access to the actual data at their company? I feel like this is an indication of maybe scrubbing the said data is a "must" before it goes into the hands of employees.
Then again, what type of side-affects would that have on the quality of the products moving forward.
You can and should restrict the number of people with access to the data, but in a tech company there's always going to be a significant number of people with direct access to the raw data. Software engineers on an on-call rotation, full-time site reliability engineers, data analysts, maybe even some external contractors... maybe this isn't the case for Twitter, but many companies also have to put complete trust in their cloud provider or datacenter, which puts even more people in the loop.
Even if you follow best practices with access control, in the end you're always going to have a group of people who you need to trust with access to folks' personal data. Maybe the solution is better audit logging and even tighter access, but I'm not sure leaks of this nature are preventable.
"Software engineers on an on-call rotation...data analysts, maybe even some external contractors"
These groups usually get access through a bastion that anonymizes data and logs access. I remember that as a SWE at Google, I could run aggregated & anonymized statistics across query logs, but some info (eg. IPs, user logins) had been scrubbed before any of my code could get access to it, and for things that were more personal (eg. your GMail login) you could only get access to your own account.
There's nothing you can do about SREs who have root access on the box or the SWEs who need to implement & maintain the bastion servers, but that's presumably a more restricted, vetted, and trusted group.
> usually get access through a bastion that anonymizes data and logs access
I think this may be something that is unique to a certain size tech company that simply isn't the case at 99.99% of companies with user data in their possession.
It hasn't been until recently. We are currently locking down all internal systems based on the minimum necessary accesses for various systems. We should have done this a lot sooner.
Yeah, I was there when it happened (and it was a fairly big deal internally). He was an SRE with pretty high-level access. There's relatively little you can do for this kind of threat - the nature of their jobs usually requires that they have root on the box. (Though a sibling comment suggests that there's even more rigorous procedures now.)
The centralization of infrastructure has really changed the insider risk profile at that company. A decade ago it was common for a service to own their hardware and to have broad authority over those machines but not so much these days. Nobody wants to own their hardware, everything is uniform and it's easier to spot deviants that way.
Of course many of the changes around that time were in response to the breach by the Chinese government, not only in response to embarrassing privacy incidents. Later improvements came about because of things Snowden published.
There was some spying by the NSA without their knowledge or consent. Network traffic between their internal networks wasn't encrypted, which enabled snooping.
IIRC they didn't know about the tap on their international cable and the leaks caused them to prioritize the encryption of traffic on their internal network. Not sure about anything else though.
Its the same for telcos, these days there is much stricter auditing and actual real security vetting - I know team leaders on some systems had to be PV (top secret in US terms)
I suspect that at some stage this might come for some FANG employees
Would it be smart for companies like google and twitter to publish how they vet people for these roles? That’s a seriously tremendous amount of power. I almost think it needs to be regulated like heath info. I get that that would make it more expensive to handle this data at all, and would serve as a significant barrier to entry for startups ... but data breach after data breach is pushing me in the regulation direction.
Pretty much nobody at Google has that kind of access. You can be an SRE of just about anything at Google and never access user data. The "break-glass" means of emergency access is ridiculously booby-trapped. A person wanting to do this thing has to 1) badge into a special room, at which time both production security and privacy incident teams are notified, 2) use a special hardware security device that is used for no other purpose than to activate a VPN box with a hard-line into the production network. By the way if a random Googler just rolls up to a datacenter without a reason to be there, that also triggers privacy incident response, even though physical access to production storage is virtually useless due to all the encryption.
I would say it is much more likely that Google will accidentally lose the organizational ability to become root-in-prod, than it is that a person has done this thing without being noticed.
In short, insider risk cannot be mitigated with hiring practices. You need robust technical measures against insider risk.
Thanks for proving my point, I guess? I’d love to see a formal write up from google about these procedures. It would go a long way to increasing confidence in how they handle this data.
Even if you managed to get direct access to production through the special room's direct link, you'd still need a special kind of credentials to send RPCs to any service.
There was a video with some of the datacenter security measures, e.g. iris scanning (just to get yours in the DB required approvals from senior people). On the actual floor, to which very few have actual access, you need to badge both on your way in and out, individually. If you badge out without having badged in, the door won't open and an alarm will go off.
Snowden's revelations (2013) were a major watershed. There'd been several measures taken since, based on what I heard on the outside, largely through discussions, mostly public, a few direct, with Google staff via G+.
Starting on, of all days, November 9th, 2016, I began regularly posting an image of Jewish shop windows shattered during Krystallnacht, asking whether Google were thinking of brownshirt-proofing their data. That generated responses including from G+'s architect (then in a role with user data safety & privicy), and the data security lead.
It wasn't until some time later that I realised I'd entirely accidentally picked the anniversary of the event for the post. Though the coincidence was useful.
My understanding was that numerous protections were in place by that time. I continue to have concerns.
> I began regularly posting an image of Jewish shop windows shattered during Krystallnacht
This is so incredibly cringey. You're actively building the panopticon and yet you think of yourselves as righteous warriors for justice.
I don't mean this to be a personal attack, but yours is such a revealing comment about the mindset of people inside these surveillance behemoths.
(See also: this "pledge" http://neveragain.tech/ to not build registries for targeting citizens...signed by a bunch of people who work at companies whose entire business is targeting citizens with ads)
I’m actually inclined to think they have similar procedures, if only because we haven’t seen “whistle blower” stories in the news about folks reading texts and looking at other private user data. Maybe I’ve missed them, but because bashing Facebook is kind of a trend one would think there’d be an appetite for “I read illicit group texts for a year here’s what I saw AMA” stories.
If this happens, every incentive (of every party that is aware) is to not whistleblow, as it is a criminal offence for the snooper, and a PR disaster for the company.
> Would it be smart for companies like google and twitter to publish how they vet people for these roles?
I think much like anti-hacking and anti-fraud efforts, publishing information about how they vet candidates would just make it easier for attackers to figure out how to game the system.
Ironically, one of the vetting regimes that has the most publicly available information about it is the US government's security clearance system. https://ogc.osd.mil/doha/isp.html
(Just as an FYI, the last time I checked that number was staggeringly skewed towards sales/marketing/evangelism teams rather than coders. Not that your point is diminished.)
Hardly. They get the filtered data that SEs designed for them to get, probably on an account-by-account basis. It’s the raw data SEs have access to that we are mainly talking about here.
Maybe because tech companies tend to be careless with data. It isn’t NP-complete to track and monitor access to prod data, or prevent access to it entirely. It’s just that people don’t want to do it.
It is pretty damn hard to reliably operate a service that you can’t introspect or debug in any way. The real world is more creative than you; things will happen in production that you didn’t think of in your synthetic test fixtures.
That’s still no excuse. Maybe Bill has to access some customer data to troubleshoot. Fine, log it. Maybe Susan has to look at sensitive logs to fix a bug. Fine, log it. These aren’t new or unsolvable problems.
As in, define "tech companies" (name specific companies that do this and why you think that can be generalized to the entire industry) and define "careless" (it's a relative term so please say if it's less or more careless of other examples of organizations that manage similarly large amounts of data but that aren't "tech companies").
Because to me the opposite seems true. It's the non-tech companies (if you equate that to FAANG) that manage large amounts of data that tend to have a lot more data leaks (internal or external) than the tech companies.
> in a tech company there's always going to be a significant number of people with direct access to the raw data.
Why?
I've worked for a few large tech companies that handled very sensitive customer data, and they didn't allow unsanitized access to it by a significant number of people. Typically (on the dev side, anyway), there was a small designated team (less than 10 people) who were the only ones who had such access. Any dev work that absolutely required access to that data -- which was very rare -- was performed by that team.
It's not like this at smaller companies. It's anything goes.
I worked at one place that had the development network permanently VPN'd into prod. One day, a developer accidentally configured his local environment to connect to a production queue and database. It was like this for over a week.
A previous company didn't bother with the VPN. They had an AWS environment that predated VPC, so SSH and many other service ports were open to the office IP addresses. And several people's homes, for remote work.
> It's not like this at smaller companies. It's anything goes.
It depends on the company (as with large ones, apparently). I currently work for a small company, and it is no less diligent about this stuff than the major companies I've worked for.
Those large tech companies probably had a team or teams of people whose job is to look after the backups for production servers.
Backups generally have "god mode" access (best description) as they need to backup and restore not just filesystem data, but the audit log data as well.
Most (corp) places I worked, the developers and SysAdmin's working on production servers gave little thought to the backup component apart from making sure the software is installs and runs. ;)
No, even US people like police abuse license plate searches for personal reasons. It's not even a matter of nationality. If data is being collected and the only protection is a "policy," then it's being abused or will be.
There’s a difference between a policy that’s just enforced by an honour system and a policy that is enforced with strong access control, alarm bells, and a paper trail. It’s very possible to encode the sorts of policies that we need to protect peoples data into real restrictions that are strongly enforced. A police officer might need to do some routine queries, but they should probably have gone through vetting about people they are close to and not have access to their data. Additionally, there should be audits performed on a regular basis.
I think we're arguing semantics here. What I mean by policy is a de jure rule. I think you can have policy while not having any sort of de facto enforcement, and you can have de facto enforcement (encryption), even if you don't have a policy.
Policy is never useful because even if there is enforcement, there is never 100% perfect enforcement that beats out cryptographic enforcement, at which point policy is no longer needed.
For example Apple can state that your data is end-to-end encrypted and they have no access, and it would be redundant to also have such a policy saying they will not access your data—they can simply say they can't access your data which is a superset of any such policy.
There are policies like "You are not allowed to access user data." and there are policies like, "All access, keystrokes, and applications that have access to user data are logged and those logs are tied to employee IDs. Further the logs are audited and there must by a form 505/2 on file for every access that details the need for the access, what was done with the data, and how the data was handled. If the auditors discover an access in the logs associated with your employee ID and there is no matching 505/2 on file, you will be subject to immediate termination and may be liable in civil and criminal court. Your signature below states that you understand these restrictions, you consent to monitoring of your behavior, and will abide by the policies."
Strong audit trails, logs that cannot changed by being created in an immutable way, logged access at all terminals and entry points. Combined with a separate auditing group that reports through a different chain of command (like through to the general counsel or something) and you have a policy with teeth.
Still punishing after-the-fact is no substitution. If the reward is greater than the punishment then it renders the policy moot.
If i publish my crypto wallet private keys and enact a policy that anyone who tries to take the wallet contents will be beaten to death, and get everyone to agree to this policy, then it would be rendered moot when the person who steals the wallet uses it to hire personal body guards.
I don't disagree, with this. The use of policies with enforcement is that it raises the risk to the employee so that raises the amount someone must spend to get them to take that risk.
Through contacts I've heard stories of practices at a wide range of establishments over the past 25-30 years. Practices have almost always severely lagged advice, and though specific leading firms or organisations might have strong data hygiene policies and practices, a great many other organisations do not.
Through roughly 2000, the principle saving grace was that disk storage was so expensive, and networking so slow, that large quantities of data were unlikely to be found online except in the case of very major organisations. Most financial firms would read data from tape for analysis or marketing programmes, as an example. A major credit card network might have a couple of, say, Sun Starfire class servers onto which a comprehensive union cardholder databset might be assembled and accessed. One friend reported accessing their campus workstation to which a large national medical insurance database was being processed, from the New York Public Library over Telnet (though I believe they didn't actually log in, they did receive the prompt). E-commerce software vendors and systems stored credit card information, which was accessed. Numerous services and datasets fly around all kinds of organisations, with little protection, and were transmitted in unencrypted FTP sessions. Social networks in which NOC addresses were directly accessible from the office network (WiFi access, natch), with millions of members' data directly accessible.
There are many ways to get this wrong. Few to get it right. And most organisations lack the staff, capitalisation, or incentives to do the right thing.
Google are problably among the best. That leaves open the question of how good they are, and what their past practices have been, even in relatively recent years.
Or how they might behave should their advertising monopoly and revenues fail.
My first year at a community college I was doing work study that was part of my FAFSA. I was late getting in there and I had limited options, one was working in the cafeteria, the other was working for the very job placement center that was tasked with finding me a work study job.
I got very lucky here. The work study job in the job placement center was turning job listings that were faxed in into html to post on our fresh new website. Nobody at the time new what HTML was.
A few years earlier I had bought a "Learn HTML in 24 hours book" and I made a Tony Hawk Pro Skater webpage that listed all the special moves. I used a lot if iframes and thought it was pretty good. CSS wasn't really a thing back then. iframes and tables got the job done.
But I got the job and they thought they got very lucky. I worked in this back room with a computer and a fax machine. Jobs listings would be faxed in. I would scan them and let the OCR software try, and then I would clean it up and add some <h> and <b> tags and then do my econ homework for the rest of my shift.
But as the digital stuff become more popular they hired another guy to be in the back room with me. Dude was a bit of a creep and a student came in looking for a part time job that would work around her classes. He kept on going on about how hot she was. A few weeks later he was talking about he signed up for a few of the classes the hot girl was taking.
Every single student record was available on our computers. Names, address, phone numbers, class schedule, SSN, FAFSA data. It was madness.
Agreed, data governance is important for any company to get right, but someone has to have DB access in order to manage it. When you factor in that so many companies derive revenue from the data they generate, then it gets harder.
If you’re Twitter, how can you build the services you need as an architect or data scientist without the actual data?
The scrubbers do not need raw DB access. All they need is a strictly audited web UI.
Very, very few people need root access and the ability to see all raw data. For example, at Google, this is a tiny number of senior SREs and that's it. Your average employees should be using audited UIs running through service accounts that have restricted permissions.
I’ve achieved this without so much hassle at a smallish/medium sized company (~60 engineers). A typical engineer had access to anonymized data, only a few had access to query raw data. All their queries were logged with justifications. They also wouldn’t query raw data as a matter of BaU (outside of some very rare situations), it was pretty much only ever done when making changes to the ETL pipelines.
The solution we had wasn’t particularly difficult to set up, and actually made life much easier for everybody, because we’d provided everybody with a very easy to use interface for the data they wanted (much better than the old school shelling into a DB to run your arbitrary SQL statements).
We had a data warehouse where we sent pretty much all the data we had in the organisation, and redash in front of it to allow query access, reporting, etc...
Everything in the data warehouse was anonymized, and people only had access to the schemas they needed (though this was defined quite broadly). Anonymization was handled by our ETL pipeline. When we first set it up, the requirements were pretty simple and we just wrote a little java app to do it. This scaled pretty poorly, and the team ended up putting a proper ETL product in there. I can’t remember which one they used, but there’s a lot of perfectly decent products in that space (even some open source).
that's not entirely true - it's possible for all the data of that nature to be in an audit-logged data store, and to require specific business cases for access to the data. So you can only see a user's private information if there's a specific bug you're working on, and even then the access is audited.
I mean, the data is still accessible, it's just not easy to get it willy-nilly without setting off alarms.
Backup/restore of audit data can make things complicated. eg the ability to overwrite incorrect/damaged audit data (etc)
So far, I've not yet come across a system where some level of direct admin access isn't needed for at least "last resort" situations. (obviously, only available to a very specific set of trusted people)
You never want to be able to retrieve a password after hashing and storing it in a DB. You _do_ want to be able to retrieve text content after possibly encrypting and storing it, otherwise it's useless.
One could arguably build chat apps and social media that retained no PII. In my opinion, providers retain PII primarily in order to monetize it.
But the problem is that it becomes toxic waste. And it always leaks, eventually. Putting users at risk, and damaging providers' reputations.
Consider the Tox P2P chat app. Each user device runs a Tor onion service. And chats involve only connections among them. Users need disclose no PII. And there's no need for central servers holding PII.
Regarding social media, consider all the "dark markets" that have run as Tor onion services. There's no reason why any sort of social media that you want couldn't be implemented similarly. Although there'd be central servers, there'd be no need for them to handle any PII. Indeed, the fact that "dark markets" handle PII is one of their main weaknesses.
And it's not even necessary to use Tor. One can achieve substantial privacy and anonymity using nested VPN chains, with far less risk of attracting unwanted attention.
I liked the access controls at PayPal. Access to data was a function of insider status with real financial consequences (ability to sell stock was restricted much more for higher level insiders), subject to strict controls and auditing, and required need-to-know periodic renewals. I used to think PayPal was fly by night but my work experience there really grew my trust in their access controls and made me much more likely to use them for payment.
The best way to protect dissidents would be not to ask unnecessary personal information like phone numbers. Sadly, it is difficult to find a messenger or web email service that doesn't require it.
It's hard to deduplicate spam users without an identifier that is at least slightly costly to get. There's no easy/practical way to do "charge $0.02 per signup".
If you get 10k new accounts in 5 minutes and they're all from some VoIP provider in a tiny corner of the second or third world, you have some data to work with there.
Yeah, I thought of that, I was just thinking that surely someone able to create sufficient karma to do something like that would necessarily also be unlikely to be petty enough to bother.
Perhaps true. But the original cool thing about Twitter was that you could tweet just by texting the twitter number from your dumb phone. The service literally required your phone number, and made broadcast information happen in real-time before smartphones really were ubiquitous. Many messenger apps still use/link people through their numbers. While it is possible to not require numbers, and services like Facebook surely never needed it, there are times when providing phone numbers really reduces friction in communication.
> "Reducing friction" is not worth costing people their lives or freedom.
I mean, if you're a dissident in a country with a violent government, maybe don't use the service that requires personal information?
It seems a bit much to me to say no service ever should require people's phone numbers because somewhere, someone might make a bad decision and use the service when they shouldn't have.
That's like saying, "I mean, if you're a dissident in a country with a violent government, maybe don't use any service and keep your mouth shut because your freedom isn't as important as my VC money."
Maybe SV should try to innovate more instead of reverting to "Wow, sucks to live where you do; hold my craft beer" so much these days.
The internet was supposed to set people free. It's not working.
I had to command-f for "isp" and "comcast" because that's the stuff that should scare you. The kind of data someone can get and the ease of which they can get it while not even going through so much as a background check should scare you. We had internal tools, such as the aptly named Xray, which would give you a pretty detailed profile on someone, everything from the names of the devices attached to their wifi network, places that they used Xfinity Wifi, and even what they ordered on Pay-per-view. Going further down the rabbit hole, we had access to logging that could tell you what you passed into your voice remote, what channels you watched and for how long, and what you were downloading. To me, it is a matter of time until a tool like this is abused and you find out that some NFL star was watching scandalous pornography, or even worse, using the Xfinity wifi hotspots to get an idea on where someone was in the US.
It's interesting to see how the phrasing of the headline makes this seem totally different. "Saudi Spies Managed To Infiltrate Twitter as Employees" reads very differently than "Former Twitter Employees Charged with Spying for Saudi Arabia".
It again raises my periodic wonder: how many spies, both for the USA, as well as the intel agencies of others, are employed in sensitive roles at Apple, Amazon, Microsoft, Google, and others? How many of them work on the cloud platforms? How many of them have access to HSMs and other internal systems that are used as trust roots?
Can we assume that any major platform provider's highest level keys haven't been stolen, perhaps without their own knowledge? It's safe to assume that if they were stolen by their own government's agents, they probably wouldn't tell anyone even if they found out (even if they weren't gag ordered, which they probably would be).
You can trust a company down to the ground but still necessarily realize that everyone who hires engineers is going to be vulnerable to this. AWS' GovCloud that only permits US citizens physical access to the facilities doesn't even totally solve the problem, it just (somewhat) reduces the risk, because even US citizens like bribes.
Seemed rather a weird coincidence that after leaving(or being fired from) Twitter, Ali was appointed the CEO of MBS's MiSK Foundation – which is essentially a mafia organization for his loyalists.
It seems like there is an inverse relationship between sophistication and risk. If everything is full-custom then it may be quite easy to integrate auditing tools for who accessed user data. If an org uses mostly off-the-shelf software then it's pretty much impossible to audit e.g. who connected to what mysql server and ran which queries. So I'd be a lot more worried about a Twitter (fairly unsophisticated deployments of standard software stacks), moderately worried about Facebook (hacks upon the usual stack) and not very worried about Google (literally everything written in-house).
The data scientists at Facebook have pretty much free reign to pull down whatever data they feel they need and often do. As much as there's talk about how much of a no-no that is there, it doesn't seem like anyone is really looking.
You should be a lot more worried about Facebook.
This pretty much applied to US government warrantless wiretaps as well come to think of it. Unfettered access isn't so hot if you like your privacy.
That's a different problem though. The fact that Facebook employees access your private data is not because of insider risk being taken unseriously. It's because looking at and distributing your private data is a core function for that company. They don't consider it a flaw.
It is quite common that sql servers run just with a few accounts. Helpful audit logs on critical systems have a high cost. So technically it is not hard but practically it is.
True but they can have systems which execute on the behalf of an authenticated user and pass that to the SQL server but the system in the middle would have logs of that query and by whom. Now, to be fair, there are usually holes that allow direct access as well.
I work in the public sector where we take these things fairly seriously, but it doesn’t really matter when the auditors are drowned in the vast amount of data.
We have 300 IT systems with 8000 users that take care of 700000 citizens. There is an ungodly amount of information on who accessed what and when. Data security, even post GDPR is a total illusion.
We’re working to build better access control, by indexing data and mapping user rights to job functions, but even then things are going to get lost in the audits.
> who connected to what mysql server and ran which queries.
Let’s say I’m a foreign spy who happens to be the company’s DBA. Audit logs don’t really help you there since it’s not particularly noteworthy that I was in the DB.
That's exactly my point. In a company like Twitter there is some person or probably many people who are "the dba" and accessing a mysql directly or even using tools to access the underlying storage is an event of no discernible consequence. By contrast in a Google-style stack there is no person who is "the DBA", making it far easier to audit. A Gmail admin might need to unwrap the encryption keys that protect your attachments to, for example, diagnose a message-of-death that is crashing their backends, but that event would be so rare as to be easily audited, and it would tie a specific actor to a specific victim. Also I would say a custom auditing stack is way more resilient to things like just deleting the logs off the server, restarting the server without auditing, and whatnot.
Insider risk is not limited to "spies", there are lots of actors that may act against the best interests of the company in regards to how the access and use the data. There are procedures (basically layered security, auditing and monitoring) that can be followed to actively manage this. So yes, there may be "spies" at any one of those companies, or just people doing things they shouldn't do, but to me that's logical and not surprising in any way, any organization has to face this issue.
Any company that handles sensitive information, or information about a lot of people (even if not particularly sensitive) has to assume that they have at least one in-house spy of some sort. Partly to make sure they're not more vulnerable than they should be and partly because it's likely to be true.
Every company that collaborates with the NSA (including Microsoft, Google, Facebook, Apple, and Dropbox) has in house spies. We don't like to think about it this way because the spies are on "our side".
This is a scary trend, it's bad enough that anytime I talk to someone online I question if they're a real person. Now we might be transitioning to an era where I can't trust my coworkers either.
1. You can build systems in a way that every access is strictly logged and audited.
2. Many companies like Facebook or Google employ engineers who could be possibly spying for Russia or China. But the systems and trust models are designed with this in mind.
Here we see unrestricted access to user data, not even sure there’s audit logging in place.
Correct, they do not have overseas data (at least in China).
However, GitLab's restriction also prevented them from employees moving to China as well. Many companies employ people in Asia/Europe timezones as a night-time on-call engineers and support.
Not to mention, the list (China, Russia) is a list of countries made up by GitLab, with no particular backing that's officially recognized by any particular government or organization, which makes the situation discriminatory.
Saudi Arabia is a US ally, so family region block against them is unlikely. Even if it is a country that tolerates and promotes open slave trade (look up #maidsfortransfer on BBC).
A few comments about how a non-negligent company handles user data:
* They wouldn't respond to "emergency disclosure" requests from the Kingdom of Saudi Arabia about random users
* The average developer has zero access to user data besides names in crash logs and things that the developer has been explicitly copied on in the support system.
* Every command run on production servers by developers requires approval by someone above your org chart level (up to the executive level, when you just need someone at your level) and is logged forever.
* SREs who have to shell in to servers use Unix accounts that have no access to user data. Root access, which should hardly ever happen, requires org chart approval.
* Test environments use synthetic or anonymized data
* There is a separate team of dozens of highly paid people whose only job is it to identify, classify, and monitor access to user data. This is not even the same as the infosec team, who also would be looking for insider breaches.
I would be shocked if there weren't a handful of spies working for various countries at every large tech company at this very moment. I have no idea how a company would screen for that but it would make little sense to not embed insiders into each of these companies.
Ive always wondered if social media companies had any nefarious parts to play in the arab spring, since it all started on social media and this was before the accute awareness of bots to cause crazes on social media. Things like this make me wonder more.
They absolutely did - at the behest of the US State Department. Twitter was scheduled to have some planned downtime during the Egyptian Arab Spring, but they postponed it at the request of State. Evgeny talks about this.
That depends on your perspective. I support the intentions of the Arab Spring, but I still think it's inherently nefarious for a private technology company to partner with the US government in order to overthrow governments. I also seriously doubt that they were simply sitting idly by and hoping that the revolution went their way, as we now see that most all world governments have their own online propaganda divisions.
It's a long way from postponing scheduled downtime to 'partnering with the US government in order to overthrow governments'. I don't have any difficult seeing how someone could view the former as nefarious but they aren't the same thing.
No, I mean what I wrote. I don’t have to agree with it but there are plenty of people who think cooperation, however indirect, with a US foreign policy goal is bad. It’s a viewpoint. Calling a thing something that it isn’t is not a viewpoint, it’s just wrong.
I think perhaps you misunderstood me? You're saying:
> I don't have any [difficulty] seeing how someone could view [postponing scheduled downtime] as nefarious but they aren't the same thing.
Didn't you instead mean the following?
> I don't have any [difficulty] seeing how someone could view [partnering with the US government in order to overthrow governments] as nefarious but they aren't the same thing.
Or maybe you did mean that postponing scheduled downtime looks nefarious to some. It just seemed like a weird thing to say compared to the other option.
At a minimum it makes you wonder what vested interest the state department had in making sure twitter stayed up. It couldn't have just been for the humanitarian benefiet, it makes me think that they also had a part to play in the social media traffic itself.
I mean, i dont want to make this political but who was the secretary of state during this time and was simultaneous receiving funding to their foundation from saudi arabia as well?
Interesting story here from someone who may have been targeted for an in-person "warning" from Saudi security forces in New Delhi after posting critical remarks from an anonymous Twitter account: https://mobile.twitter.com/marxatfarpoint/status/11921987493...
This is why people who work in IT must be very careful with their loyalties. If the charges are true for these two individuals, Kashoggi's blood is on their hands.
We all need to be circumspect about the effects of our own actions, especially as it relates to climate change, mass extinction, and the military industrial complex.
This is a very interesting article and complaint. Worth reading to get insights into Twitter's insider threat countermeasures and their compliance regime, at least as of 2014-2015.
It's probably more difficult for social media companies like Twitter to prevent something like this than it is to actually properly secure and protect user data.
Audit log around administration tool with frequent reviews of the log. Banks and financial firms do this type of auditing all the time. The consequences just need to be there to incentivize social media companies to take action.
But for financial data there is a mssive industry for auditing problems. I would like that because it would make administrating user data extremely expensive, but I don't see it becoming feasible.
Even Twitter money pales in comparison to sheik money. I'm not sure you can defend against somebody giving an engineer with admin access a suitcase with $300k in it. Not to mention any other pressures that MBS could potentially have brought to bear in these cases.
I wonder what the maximum here is. Cash is harder to spend than it used to be and in addition you’d be at risk that the actual people facilitating the payment delivery would be your biggest risk since it would be very likely they would turn around later and rob/murder you.
There’s probably some optimal “suitcase full of cash” number that basically optimizes for spendability and risk.
Why would they murder you when you have access to invaluable data they can get from you at any time? If anything they might blackmail you to do future investigations for cheaper, but why would they mess with a good thing? We're talking about people who can basically print money.
That is GP's point, that no engineer should have admin access to PII when you are operating at Twitter scale. Or at least not without a lot of red tape to make it very easy to catch rule breakers.
Part of it is, Twitter doesn't fully think of itself as Twitter-scale. It's not that long ago that Twitter was fail-whaling around, a non-serious place for stream-of-consciousness shitposting by anonymous egg accounts. It's still move-fast-and-break-things.
Someone else made the comparison to banks, and well, banks deal with real money and have always been dead serious, and they've got decades of head start on handling this stuff properly.
Very true, when the means meet the will or motivation, this sort of thing is bound to happen, especially as these Silicon Valley companies have so much influence. I hope this doesn't become a trend, lest we get calls for a "Silicon Valley blacklist" ala Hollywood during the Cold War.
There needs to be multi-person authorization required for account spelunking. Engineer files a DB lookup request, and it must be signed by other personnel.
Won't work, people probably need to query details of accounts hundreds of times a day just in the course of daily business. Bad actors would just make the request look like another standard query. People would likely become numb to it after having to approve so many requests.
I know at a previous company, we needed a business signoff, and a technical sign off on every deploy. While the technical sign off was usually painstaking, the business sign off was rubber stamped. The guy who signed off on my tickets was so overloaded, he barely even read the titles of the tickets.
> not a good time to be a foreign tech worker in the US
—-
Ali Alzabarah, a Saudi citizen - was accused of accessing the personal information of more than 6,000 Twitter accounts in 2015 on behalf of Saudi Arabia.
—-
Well if they plan on spying for their government, don’t think we’d want them to have a great time? Don’t think that is too controversial.
Maybe. But, that doesn't address the parent comment's meaning. I interpret it as saying that both spying and non-spying foreign tech workers might be affected by the same brush tar.
I imagine most of the tech spying/IP theft doesn’t even happen on US soil. Let employees in e.g., China access your internal network — what could possibly go wrong?
my point is innocent people are going to be unduly scrutinized further. plus our current admin as-is doesn’t exactly love foreign workers (a massive understatement)
I don’t doubt that this will happen, but it’s perfectly within the rights of the United States to apply more scrutiny to e.g. Chinese nationals seeking employment at tech companies. We’re in a trade war with them and a de facto state of cyberwar. It’s not at all unreasonable to expect the US Government to look a little more closely at people coming here to work in tech, especially for roles in sensitive positions.
Nobody said it wasn't reasonable. They're saying this will make your life suck more if you're a foreign worker regardless of whether or not you're a spy. Even if you view it as a necessary evil, it can still suck for people doing nothing wrong.
My concern is that companies and people will laser-focus on the "foreign tech worker" part as if they are the sole threat vector. That presents an unacceptable blind spot, not to mention getting people to think that foreigners are likely to be spies.
In practice, it's not really much more difficult to find a US citizen tech worker who'd be willing to take a few hundred thousand to do the same thing (and it's something that happens routinely), and completely ignores the fact that US intelligence agencies also have a long-running habit of getting their spies hired by US companies too.
> In practice, it's not really much more difficult to find a US citizen tech worker who'd be willing to take a few hundred thousand to do the same thing (and it's something that happens routinely)
The difference of course is that when the US intelligence agencies get US workers to spy at US companies they do so for the US government - oh and the countries we see fit to spy on already have fairly severe employment restrictions such that it’s not easy for an American to get a job in one of their companies. There’s an asymmetry that exists here.
> oh and the countries we see fit to spy on already have fairly severe employment restrictions such that it’s not easy for an American to get a job in one of their companies
I'm not sure who you think America spies on, but the real list is much bigger than you probably think, and includes countries considered American allies (for instance, the UK and Germany.)
I guess I’m not sure how that is relative. Israel also spies on the US. My point is the asymmetry here in job opportunities between countries who are our, at least ostensible, geopolitical adversaries.
not from a national security point of view. well, more accurately it kicks the can further down the line to the security of wherever and whoever the government is using for that data.
You could have just Googled "twitters largest stockholders" but the answer is:
The largest stockholders of Twitter are all US mutual funds. Vanguard owns 10%, Morgan Stanley owns 5%, BlackRock owns 5%, StateStreet owns 4%, Fidelity owns 2%, etc.
Really nothing comes to close to the index funds. Vanguard, BlackRock, State Street own 20% of pretty much every company.
That's not a complete picture, Prince Alwaleed owned 4.9% of Twitter as recently as the end of 2016 (the alleged espionage happened before this). It is unknown how much he owns now after his late 2017 detainment, presumably shares were either sold off, seized by Saudi authorities, or both. It's not unusual for ownership to be split among smaller entities, and there is no requirement for US companies to consolidate myriad unknown foreign stock holders into specific entities in their reports.
If I were spying at Twitter for Saudi Arabia, I'd stream Trump's real-time location back to my handlers, as the Twitter app gathers location data and Trump's online habits are lax.
I wonder if this is in addition to or was part of the McKinsey scandal where they targeted Saudi dissidents on Twitter for Saudi Arabia [1]. I wouldn't be surprised if getting people on the inside like this was part of it though just conjecture.
> Role in Saudi clampdown on dissidents
> In October 2018, in the wake of the assassination of Jamal Khashoggi, a Saudi dissident and journalist, The New York Times reported that McKinsey had identified the most prominent Saudi dissidents on Twitter and that the Saudi government subsequently repressed the dissidents and their families. One of the dissidents was arrested. Another dissident's family members were arrested, and the cell phone of the dissident was hacked. McKinsey issued a statement, saying "We are horrified by the possibility, however remote, that [the report] could have been misused. We have seen no evidence to suggest that it was misused, but we are urgently investigating how and with whom the document was shared." In December 2018, The New York Times reported that "the kingdom is a such a vital client for the firm — the source of nearly 600 projects from 2011 to 2016 alone — that McKinsey chose to participate in a major Saudi investment conference in October 2018 even after the killing and dismemberment of a Washington Post columnist by Saudi agents." [1]
> On the 12th of February 2019, the European Parliament Greens/EFA group presented a motion for a resolution on the situation on women’s rights defenders in Saudi Arabia denouncing the involvement of foreign public relations companies in representing Saudi Arabia and handling its public image namely McKinsey & Company. [1]
McKinsey also supports authoritarian regimes if they ask for reports and have the money.
> Support of authoritarian regimes [1]
> McKinsey's business and policy support for authoritarian regimes came under scrutiny in December 2018, in the wake of a lavish company retreat in China held adjacent to Chinese government internment camps where thousands of Uyghurs were being detained without cause. In the preceding few years, McKinsey's clients included Saudi Arabia's absolute monarchy, Turkey's autocratic leader Recep Tayyip Erdogan, ousted former President of Ukraine Viktor Yanukovych, and several Chinese and Russian companies under sanctions. [1]
McKinsey one of the Big Three management consulting firms [4] is widely used to use plausible deniability for private equity leveraged buyouts and corruption like the Enron scandals. [2]
> Enron was the creation of Jeff Skilling, a McKinsey consultant of 21 years, who was jailed after the company collapsed. McKinsey reportedly "fully endorsed the dubious accounting methods that caused the company to implode in 2001." Enron reportedly used McKinsey on 20 different projects, and McKinsey consultants had "used Enron as their sandbox."
McKinsey was also a big part of the plausible deniability for big banks and funds during the Great Recession. [3]. Very questionable ethics at McKinsey, hard to trust anyone from there.
> McKinsey is said to have played a significant role in the 2008 financial crisis by promoting the securitization of mortgage assets and encouraged the banks to fund their balance sheets with debt, driving up risk, which 'poisoned the global financial system and precipitated the 2008 credit meltdown'. Furthermore, McKinsey advised Allstate Insurance to purposefully give low offers to claimants. The Huffington Post revealed that the strategy was to make claims "so expensive and so time-consuming that lawyers would start refusing to help clients." Next to this, 2016 McKinsey partner Navdeep Arora was convicted for illegally depleting State Farm of over $500,000 over a period of 8 years, in collaboration with a State Farm employee.
I smell a fall guy or two. What do you think the odds are that the token optics of this can be replayed as "standing up" for free speech? Not that what actually happened wasn't sketchy (it was) -- just that I have a sense this slap on the wrist will be enough for some to say "At least we can say we tried"
According to one of the suspects' LinkedIn, he left Twitter in 2015, and then worked at Amazon for 3 years in marketing and social media. While I have little doubt Amazon's internal auditing and access control are better than Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access any private user data.
[0] https://context-cdn.washingtonpost.com/notes/prod/default/do...