> Surely the highest-variance aspect of the Twitter vs. Musk saga is Zatko’s whistle-blower complaint. If Zatko can make a compelling case that Twitter is horribly bad — that its information security is so bad that it violates the law, that it has fraudulently concealed its problems, etc. — then that is probably Musk’s best argument to get out of the deal: Twitter is doing fraud, it has suffered a material adverse effect, etc. If Zatko is just a run-of-the-mill paranoid security researcher who is aggrieved about being fired and making mountains out of molehills, then his complaint will quickly be kicked out of court and won’t affect the Musk deal. Zatko’s credibility — whether he’s telling the truth, and also whether he is exaggerating or underselling the importance of Twitter’s problems — is a key input into your evaluation of Twitter’s stock value. The more credible he is, the less likely it is that Twitter will get $54.20 per share, and the less Twitter will be worth without Musk’s deal.
> So if you are a hedge fund, or an expert-network firm working on behalf of hedge funds, you obviously want to know how credible he is. You might, for instance, want to talk to some of his old coworkers to get a feel for him. You might offer to pay them a lot of money for a one-hour phone call, because you might have a lot of money riding on the Twitter deal, which means specifically that you have a lot of money riding on your evaluation of Zatko’s credibility.
> If Zatko can make a compelling case that Twitter is horribly bad
I don't doubt his accusations. However, the same could be said for nearly everywhere there is a network. Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security. IOW, Twitter's crappy security is not remotely exceptional because nearly every business with a computer is bad. There are businesses with decent computer, network and information security, but even in those places tight as a drum a disgruntled employee could wreak havoc, and I'd be really surprised if Mudge and most of HN weren't aware of this.
Things usually go bad for whistleblowers. It is a shame, but most often it doesn't work out for them. They make movies about the successful whistleblowers, but the unsuccessful are buried. It would have been different had Mudge stepped forward prior to termination, as he would have been able to avail himself of Federal whistleblower protections. I don't think it matters to his credibility, but that this is exactly what Musk wanted to hear is a little, tiny bit suspicious to me. What could Mudge gain from this other than saving face (which really isn't worth much)? What Musk did to Twitter is clearly unethical. As much as I respect him for his successes, it seems obvious his behavior regarding Twitter is irresponsible and many innocent lives and their wallets are being adversely affected. The SEC should look really hard at all this before choosing not to act, because he has manipulated markets for his personal benefit before and got a slap on the wrist.
Twitter is high profile, but there are a million businesses most have never heard of that have a similar lack of information security.
There are not a million businesses under FTC consent decrees because of past security breaches.
(Perhaps an argument could be made that there should be, if that's the only way for there to be consequences.)
If Mudge is telling the truth, Twitter has been lying to regulators and is in violation of the consent decree. That would be a lot more serious than just being shit at infosec. It's the difference between getting arrested for your first DUI, or your eighth.
I think pages 2-8 of his whistleblower report (the executive summary) are pretty clear and precise. If anyone commenting on this thread hasn't read his report already—the actual report, not just stories about it in the press—I would strongly encourage them to do so.
The wheels of justice move slowly. Wall Street may be betting on the FTC being slow to take action, or not taking action due to political pressure, limited resources, etc. I don't think just looking at Twitter's stock price is a fair way to evaluate the truthfulness of Mudge's claims.
I just tried to search for it, not with much effort to be honest, but man is internet search a dumpster fire by now. Results, searching for the actual report filed by Mudge, were news coverage from all kinds of sources, ads for whistleblower training, answers to the question of what a whistleblower is, and news coverage of the hearing without any details or links to the actual report. So take my comment with that in mind.
Mudge claims that twitter had no way to identify foreign intel agents and get rid of them by themselves. Heck, that is quite a statement. No company actually has that capability in house to do it systematically. Even security sensitive civilian jobs rely on authorities to do just that during security clearance checks. Even intelligence agencies need dedicated counter-intel operations to do that and those fail regularly. Not sure what the other claims are, from news coverage the fact that data access is not tracked by user is a serious problem so, I agree.
Expecting a non-security-relevant employer to prevent infiltration by foreign state actors is way too much to expect, IMHO. That would have been a job for, e.g., the FBI to decide that Twitter is important enough to make it security relevant and put a program in place with Twitter to prevent infiltration. Or not, in case US three-letter agencies have their own agents in place. If Twitter knowingly hired foreign agents, that would be something different and quite stupid and dangerous.
EDIT: Coming to think of it. Why would it be up to Twitter to decide what to do about a foreign spy in their workforce? Wouldn't US counter intel take the lead in that? And just maybe Twitter firing the person isn't actually in the US best interest...
His accusations include “Twitter was dismissive when informed about foreign nation spies in their ranks”. That’s not comparable to “any business that uses computers”.
Because I do not believe in the almighty influence of Twitter, I honestly don't understand why it would matter if one or a hundred Chinese spies worked for Twitter, because Twitter employees don't create Twitter content; users do. And I think Twitter content was recently declassified by former President Trump, so where is the danger? What is China's strategic benefit in learning these[1] things?
Twitter has controversial moderation policies. It also has some sort of machine-executed algorithm for selecting which tweets to show to each user, and in what order.
Both of these mechanisms could be used to promote or suppress specific topics/stories.
Many people, including a very large number of journalists, use Twitter as a news source.
Taken together, I can absolutely see why nation state actors would want to exert control over Twitter.
Spies can find the IRL identities of otherwise anonymous dissident accounts, for one. I've read stories about Chinese students in the USA being confronted with their post history by government agents despite impeccable opsec.
This isn't complete without mentioning that there is a HUGE percentage share of SEC fines, if successful, for the whistleblower. Individuals have made off with 10-figure payments of public money in the past through the program.
23% of Americans claim to use Twitter. 61% of Americans voted in the last Presidential election. So Twitter's influence, if it exists, could only be over 14% of weak-minded Americans. That's at best, if every one of those 14% was really a Twitter user and was actually bamboozled into changing their vote.
The reality is that most Twitter users are not obsessed with the platform, and most Americans are not on the fence with their votes. The premise that Twitter has the power to influence elections is false.
Among other flaws in this comment, like the assumption that Twitter has no indirect effects on people who aren't active Twitter users, or ignoring the fact that one of the candidates in the last election was a huge Twitter user, is the surprising assumption that the 61% and 23% are totally uncorrelated.
I don't think you read my comment very carefully, because I didn't say "huge effect" anywhere and I don't think I made any claims that could be construed as hyperbole. The only thing I said which expressed any magnitude at all was that Donald Trump was a huge user of the platform, which I think is pretty defensible.
It is hyperbole to claim Twitter is influential in this manner, which is to implicitly suggest that the 23% of Americans that claim to be Twitter users will swing an election because it would require significant amounts of those 23% of Twitter-using Americans to be bamboozled into changing their vote and then vote together en masse, which IMO is absurd, because they're not all of one party. It is hyperbole to suggest that Twitter is influencing non-Twitter users into changing their votes. It is even further hyperbole to suggest that Trump's Twitter use had any effect on the election other than to cause him to lose the popular vote by nearly 5%, more than twice the margin of his performance in the 2016 election.
Voters can be fooled, but the trick is not permanent, and they will not be doomed to believe foolish and false facts terminally. Maybe even some voters were fooled into voting based on false reports leading to lingering false beliefs. But to suggest there is some army of idiots swinging elections is ludicrous and frankly paranoid.
Liberals vote Democrat. Conservatives vote Republican. Even if any of them are fooled into believing false information, they do not change their votes. Anyone that crossed party lines did not do so on a whim. And moderates are skeptical and less likely to take false information seriously.
For what it's worth, I apologize for misrepresenting your statement, which I promise you was not due to malice and only due to my poor comprehension.
Ignoring the vast research showing that fake news spread on Twitter correlates with voting intentions for the moment there are more direct ways of showing immediate election influence: the number of candidates who have withdrawn from elections after something happened on Twitter.
[1] is a recent example. To quote:
> Leading Florida Democrats are walking back their endorsement of Naomi Blemur after past Facebook posts showed the Agriculture Commissioner candidate calling abortion a sin and promoting or defending anti-gay comments.
> Screenshots shared on Twitter showed a history of social media comments that some Democrats are calling “anti-choice” and “homophobic.” Prominent Democrats began retracting their endorsements or denouncing Blemur after her post history came to light.
To say that Twitter has no power to influence elections is demonstrably false when information shared on Twitter led directly to endorsements being withdrawn.
You are confusing the information with Twitter's allegedly having vast influence. It is incidental what actual facts were broadcast on Twitter, as they could just as easily have been broadcast on classic media. It isn't Twitter that is influential, it is the information.
> It is incidental what actual facts were broadcast on Twitter, as they could just as easily have been broadcast on classic media.
What social media platform has "vast influence" whose content couldn't "just as easily have been broadcast on classic media"?
Really, it doesn't matter if something could have been broadcast on classic media, what matters is where the people's attention is focused. What they see will influence them, and what they see will be controlled by the platform they are paying attention to, which means whatever platform that is has influence.
Platforms use this influence all the time. They promote certain content over others in exchange for money for example. A platform everyone reads can spread a lie more effectively than a million websites no one is paying attention to can spread the truth. Your attention matters so much to these companies for a reason.
To expand on this point, 18% of US voters say they get their political information from social media[1]. Even ignoring Twitters influence outside this group (which is significant because most journalists and politicians use it) it is pretty difficult to make the case that 18% of the voting public is insignificant.
> Oh, so it's the "no true Scotsman" argument? It's not influence if it's actual facts? Even if they hadn't been exposed via other methods?
No, and your explanation does not describe a no true Scotsman fallacy.
Your previous comment, beyond confusing the effect news can have with Twitter's alleged influence, also employs a post hoc fallacy. Your most recent comment employs both the non sequitur and straw man fallacies.
> confusing the effect news can have with Twitter's alleged influence
I don't know what you think people mean when they say "influence", but the ability for anyone to broadcast news - in particular with a spin on it that suits them - is absolutely part of the ability of it - as a platform - to influence elections.
> your explanation does not describe a no true Scotsman fallacy
I'm sure the irony of you employing a "no true Scotsman" argument on a "no true Scotsman" argument isn't lost on any of the readers. I hope they find it as amusing as I did.
> Your previous comment [snip] employs a post hoc fallacy. Your most recent comment is a both the non sequitur and straw man fallacies.
You realize that just by saying these things it doesn't make them true, right? I have no interest in arguing about the ontology of argument techniques.
The facts are clear - Twitter does influence elections. Your inability to argue otherwise other than trying to redefine "influence" is perfectly clear.
No true Scotsman fallacy requires goalposts to be perpetually moved. But I had no goal posts to be moved. Let's rehash:
>>>> The reality is that most Twitter users are not obsessed with the platform, and most Americans are not on the fence with their votes. The premise that Twitter has the power to influence elections is false.
>>> there are more direct ways of showing immediate election influence: the number of candidates who have withdrawn from elections after something happened on Twitter.
>> It isn't Twitter that is influential, it is the information.
> Oh, so it's the "no true Scotsman" argument?
Please name the goalposts and how they were moved. My assertion that Twitter is not influencing elections was not proven wrong by your evidence, and my clearly exposing why your evidence does not show what you claim it does is not a no true Scotsman fallacy. Incorrectly asserting I employed a no true Scotsman fallacy where none exists is a non sequitur and a straw man.
>Please name the goalposts and how they were moved.
Twitter influenced an election. You then implied (in another comment [1], but implicitly here) that it only counts if Twitter influences the election by providing specifically false information.
>My assertion that Twitter is not influencing elections was not proven wrong by your evidence
It absolutely was. There is no guarantee that that information would have been so widely distributed without Twitter. People do not generally know all of the facts about any candidate; determining which facts get heard and repeated is an important kind of influence.
The premise is wrong; I do not accept the premise that Twitter influences elections. If this is the goalpost it has not moved. But you are revealing more fallacious argument, which is not only your assumption that Twitter influences election, but that if I disagree with you then I have employed no true Scotsman. Both assertions are question begging. You are assuming the antecedent, not proving it.
Again, showing that Twitter broke some news that caused candidates to drop out is not Twitter's influence: it is the influence of that information. Twitter is not the information, nor does Twitter even create the content. If I posted that information on a billboard on the highway causing the candidates to drop out, it is not the billboard that is influential.
Your premise is false, your argument riddled with fallacy. And bizarrely you believe if someone disagrees with you, reveals your error and corrects your false conclusions then they're committing no true Scotsman.
> showing that Twitter broke some news that caused candidates to drop out is not Twitter's influence
Yes it is.
For a similar example that shows how sites break news that others will not, and how that leads to them being influential, I'd point at The Drudge Report.
Quoting Pew: "Drudge Report: Small Operation, Large Influence" [1], and Wikipedia[2]: "The Drudge Report originally attained prominence when it was the first to report what came to be known as the Lewinsky scandal. It published the story on January 17, 1998, showing that Newsweek had turned down the story."
This is exactly the same kind of influence as Twitter has - because it can spread news (both true and false) - it is influential.
Again - not interested in arguing about the ontology of arguments.
> This is exactly the same kind of influence as Twitter has - because it can spread news (both true and false) - it is influential.
First of all, you haven't even claimed Drudge Report is influential, only that it came to prominence for breaking a story early. Regardless of your lack of interest in valid argument, this argument is false equivalence.
While it is a given that 23% of Americans claim to use Twitter, and 70% of them admit they get their news from Twitter[1], concluding that any influence Twitter may have over elections is significant could not possibly follow. Only a maximum of 16% of Americans could possibly get their news from Twitter, and that influence can't be predicted to be a significant force in either direction. As I have already argued, these Twitter news consumers are not of one mind nor could they be possibly voting the same way as a single block. These allegedly influenced votes will amount to a wash, maybe slightly towards one party or the other, and very likely matching the national demographic of all voters.
It is indeed very strange to be concerned with Twitter's alleged influence by disseminating news, which is limited to at most 16% of Americans who are never voting all the same way, as opposed to that of all the other sources of news, as at least 84% of Americans do not get their news from Twitter. Twitter's influence, if it exists, then pales in comparison to the influence of all other news sources. Why has there never been concern for their influence?
It is because news sources are not influencing elections, and even if they could, they could then not possibly predict how their consumers will vote, negating any possible influence. Further, that type of malicious influence requires intent and measurable potency. Even if there is the former, the latter has never been achieved. Twitter can not possibly predict the votes of however many gullible Twitter users they successfully fool. For Twitter to be able to influence elections, they would need to be able to control their users and their votes, and it is abundantly clear that no one can do that, not even Twitter.
> you haven't even claimed Drudge Report is influential
Indeed. I just quoted Pew making that claim: "you haven't even claimed Drudge Report is influential"
> and 70% of them admit they get their news from Twitter[1]
No, that's 70% who use it as their main source of news.
And nearly 100% of journalists from other news sources are on Twitter.
> These allegedly influenced votes will amount to a wash, maybe slightly towards one party or the other,
Oh, I see. You are under the misapprehension that "influence" means "pushing the result decisively one way or the other"
That isn't the case. "Influence" can also mean changing the way it plays out, which is clearly the case as seen by the transmission and amplification of various conspiracy theories on Twitter and other social media.
>> Quoting Pew: "Drudge Report: Small Operation, Large Influence" [1], and Wikipedia[2]: "The Drudge Report originally attained prominence when it was the first to report what came to be known as the Lewinsky scandal. It published the story on January 17, 1998, showing that Newsweek had turned down the story."
> Indeed. I just quoted Pew making that claim: "you haven't even claimed Drudge Report is influential"
But Pew does not make that claim. "Prominence" does not mean "influential." Influential means, the capacity to have an effect on the character, development, or behavior of someone or something. Prominence means, the state of being important or famous. Your prevarication of these two words is fallacious.
> And nearly 100% of journalists from other news sources are on Twitter.
Pew reports 69%[1], so there's only about 12,000 journalists in the US that do not use Twitter.
> Oh, I see. You are under the misapprehension that "influence" means "pushing the result decisively one way or the other"
Without effect, it is not influence, as influence requires effect. And if any effect is negated, there is, in fact, no effect. That is how arithmetic works.
> "Influence" can also mean changing the way it plays out, which is clearly the case as seen by the transmission and amplification of various conspiracy theories on Twitter and other social media.
Sure, Twitter is influencing elections to have the exact same results as if it had no effect. It is a very subtle, self-negating sort of influence.
What percentage of journalists use Twitter? If it’s 100%, as I suspect, then it doesn’t matter if only some small proportion of users are experiencing viral information on the platform because journalists are essentially superspreaders, who in my estimation are just as, if not more so, susceptible to misinformation than the average person.
But only 60% voted in the last election, more than ever before. If 100% voted, we could assume all 23% would vote. Usually only about 50% ever vote in any US election, so I was giving the benefit of the doubt that voting numbers would remain high. 60% of 23% is 14%.
> Twitter's crappy security is not remotely exceptional
Uh, no. If Mudge's accusations are true, that would speak to exceptionally bad security. Not compared to Joe's Diner around the corner, but certainly for a major player in the tech market.
The accusations were not exactly specific. You're splitting hairs.
IT doesn't generate revenue. Often for this reason, at many large corporate locations, IT departments are spread critically thin, many far thinner than Twitter, which has money to afford experts like Mudge. These companies aren't sexy so they're never ever in the news and they're not on anyone's radar. Any idea how many Windows Server 2012 installations are still in production? Or how many corporate networks are entirely made of Windows 7? Far too many. The state of security in general across the entire American corporate landscape is shit, and even places that don't get compromised, like NSA, still get compromised.
In July, Twitter experienced a global outage of ~45 minutes, the longest global outage in years. If Twitter was some shocking, never-before-seen level of insecure, it wouldn't have been 45 minutes, and there'd be a lot more of them.
btw, I hate Twitter, Facebook, LinkedIn, et al., and passionately, but it's just not credible to claim that Twitter is the worst of the worst in security, because there is an astounding number of corporations with no security to speak of, like, no IT department, none. "It's something one of the drivers handles for us. He's a real wiz." That kind of thing. At least Twitter not only has an IT department, but also has security personnel. I think if anyone scrutinized, say, Yahoo, they'd find the same thing.
> The accusations were not exactly specific. You're splitting hairs.
Have you read Mudge's actual whistleblower report, rather than just media articles about it? It doesn't go into extreme detail (at least in the unredacted parts), but there are plenty of specifics.
> In July, Twitter experienced a global outage of ~45 minutes, the longest global outage in years. If Twitter was some shocking, never-before-seen level of insecure, it wouldn't have been 45 minutes, and there'd be a lot more of them.
You seem to be conflating security with availability. There are plenty of ways to be insecure (many of them detailed in the report) that have no effect on availability.
Maybe Yahoo was a poor example. Substitute instead... idk, Airbnb, DoorDash, or Domino's. I have no specific knowledge there is slack there, but having contracted in IT in a number of large and global enterprises, lack of security and lack of security concerns were all too common, and it stood out more in places that worked with and kept clients' financial information "on file."
AirBnB and DoorDash are Internet companies, just like Twitter. I wouldn't even consider Twitter "a major player in the tech market." Apple, Amazon, Google, Dell, Microsoft, IBM, Tesla, Nvidia, Samsung etc., are tech companies, but not Twitter or Netflix. What technology is Twitter secretly working on?
The worst thing for Twitter isn't the abysmal security, it's the lies about the security issues. They promised the DOJ+FTC that they fix privacy issues which they instead ignored and left unguarded and unlogged.
That and letting suspected government-employees from various countries have nearly-unrestricted dev access.
It's also going to destroy Agrawal and Dorsey. Dorsey was apparently having a mental breakdown and Agrawal seems dishonest and vindictive.
Musk unethical? For playing hardball in negotiations? It was pretty obvious that Twitter was built out of sand and had a financial motivation to be lying about the efficacy of their ads (and thus validity of "eyeballs").
> Musk unethical? For playing hardball in negotiations?
No. The ethical question relates to whether he was acting in good faith in the first place, and then again for breaking his word, which if the first part is true and he wasn't ever acting in good faith, then his stated intentions were never honest. But it's tough to say whether he was acting in good faith or not because he was so enthusiastic about the deal for months. But it's also hard to believe he wasn't already aware of his final grievances long before he announced his intention to buy. He made it seem like a whim, but is it really likely he is foolish enough to subject himself and an entire company and all the employees and shareholders to his fickle whims? If he wanted to hurt Twitter, for whatever his reasons may be, he should have done everything he did exactly the way he did it. Because regardless of whether he was acting in good faith, he took Twitter for a ride. I have heard of narcissists doing similar destruction to their victims, but I have never seen such a long and complicated game to cause pain except in novels or films. It is almost like he was exacting revenge, but revenge for what? Well, maybe nothing, which is textbook toxic narcissism, the absence of empathy, caring about nothing but one's own personal interests, which could be whims. It's late, I'm babbling.
Fwiw, it’s not much fun when a thread is bombarded with only a small number of users repeatedly replying to a wide number of users. At some point, we understand your views. Apologies, this is not meant as a personal attack.
The price he quoted was for how Twitter billed itself - # of users, in compliance with the FTC, etc. As it becomes clear that they aren't all that their value naturally goes down.
It would be wrong if Musk tried to get out of the purchase simply because the market has moved since his offer, but that's not what happened. This is Twitter's malfeasance: they reported untrue things (and failed to report other true things) to the SEC and therefore to stockholders.
What ride, except fact-checking their statements, did he take them on? And to be fair, didn't they put themselves on that ride in the first place?
Well, no, because there's still no evidence that Twitter has lied in any of its filings, and because Musk intentionally waived due diligence which is the traditional way for a purchasing company to verify the actual state of the company it is buying.
If, and only if, it turns out that Mudge's claims cause FTC action that would be severe enough to be defined as a material adverse effect, Musk may have some grounds to back out or reduce the price. But that's not yet clear.
Remember, Twitter didn't want to be purchased. This was a hostile takeover, achieved by Musk going to Twitter's shareholders with an offer attractive enough that they were not going to refuse, forcing the board into accepting the offer. He then signed a binding offer and in his haste to force the deal waived due diligence.
There is no proof, sure. The whistleblower's report is fairly compelling evidence.
Twitter is its shareholders, not its managers.
I imagine it's the lawsuits that this will spawn which will justify backing out or significantly reducing the price. Users whose data was not properly kept, users whose governments (and maybe others) got to spy on them, ad buyers who were promised a certain number and class of viewers, shareholders upset about these things, etc.
The bar required by the courts to justify backing out from or substantially altering a binding offer is quite rightly a high one, and the possibility of lawsuits alone will probably not be sufficient.
There's no indication that ad buyers were misled, because neither Musk nor Mudge have shown any evidence that Twitter's mDAU claim or method in its FTC filings was either falsely stated or intentionally wrong.
It's likely to be different considering those lawsuits will be about their misrepresentations.
And yes, there are many indications that ad buyers were defrauded, like the absolute lack of security and bad-account detection, and that Twitter probably doesn't have the ability to tell who is real or not. And management was incentivized to increase their numbers regardless of concerns. It's not proven, but if you'd spent a few hundred million with them it'd definitely be worth a million to try to claw it back.
It's not like Musk needs to prove any specific thing, he just has to shake them up and see what, like the whistleblower report, falls out, and then let the market apply the lawsuits etc.
My guess is that the actual sale-breaking event will be employee sabotage. In my experience Twitter employees hate their own management just less than they hate Elon. If Twitter's security is as lax as represented, it wouldn't be hard.
Again, Twitter’s disclaimer around mDAUs is a broad one and nothing stated so far by either Musk or Mudge provides any reliable evidence of that being materially false or misleading.
Ad buyers can’t claim to have been defrauded because the total number of bots on the platform, or even the proportion of bots to real people, are not of relevance to them. All that matters is the mDAU and the reporting they’re getting on ad effectiveness.
As long as mDAU is reasonably accurate and Twitter's ad support tools are reflective of that, they have no case. Mudge was in a senior enough role that he shouldn't be mixing up mDAU with the overall bot management question.
Musk does actually need to prove a specific thing: That something Twitter did or intentionally did not do represents a material adverse event sufficient to break the terms of the binding agreement he signed to buy it. That is, again, a high bar and so far nothing that’s emerged in this whole stupid saga has met it.
He’s trying to do the due diligence he should’ve done before signing that offer, but that’s not how the law works.
Ad buyers can claim to be defrauded because of anything. Welcome to the USA. You're saying there's no reason any of them could sue. That's clearly wrong. You think none of them would win. I doubt that as well. But assuredly they could cause havoc with distractions, subpoenas, and huge losses of public good-will, and giving Musk a reason to petition for delay, etc.
Nothing said by Mudge directly implicates the number claimed, but everything else about his report is a massive indictment of their ability to properly report on it and their honest desire to do so. I imagine their constant reclassification of mDAU applicable-users won't help them here. If their actual numbers were 10% high, because of an accounting error or whatever, then you'd likely be right that it wouldn't be enough to break the deal. But if they misrepresented, or tried to avoid relevant data about, the numbers this very likely would be a deal breaker. If you can prove they lied about one thing you can safely assume they're willing to lie about more.
As for the value of Twitter, the perceived value plummeted when they were revealed to not have decent test/release procedures, fragile DCs, a CEO who hides from data, no privacy controls or logging of dev activity in prod, etc. There are a lot of things other than the mDAU numbers that are materially changing the industry's view about, and thus the reasonable value of, Twitter.
During the dotcom days, when employees had desk phones, some of my coworkers would get unsolicited calls from analysts or other people searching for inside information about our company. They would engage them in conversation, try to become friends with them over months so that they could reveal even the smallest bit of inside information for them.
The lengths that people will go to get some sort of information edge to make money, even doing illegal things, is incredible.
Is that illegal for analysts? If an employee chooses to share confidential info to any random person, that's a breach of contract for the employee but does the analyst face any culpability?
Insider trading is illegal even for non-employees. Sharing insider info with a spouse or sibling who trades on it will get all parties involved in trouble with the SEC.
Usually the information these types of analysts are trying to collect isn't really "material nonpublic information" in the somewhat narrow sense of insider trading law. Some of them aren't even in the investing industry but rather work for advisory organizations like Gartner. There's sort of a wide gray area between clear MNPI and information that the company just doesn't publish. Things like employee counts, general product plans, subjective opinions about user feedback, etc.
At least back then, they were straight asking for MNPI, although I think back then it wasn't called that. Whatever information the person was willing to provide, these people were willing to take.
Gonna need a non-right-wing source for that “frequent” claim.
Here are some senators (mostly republicans, but also Feinstein — can we please recall her already? she has late-stage Alzheimer’s, for fuck’s sake) doing it blatantly:
The SEC has brought some novel cases lately and won so I am much less sure of myself than I would have been 5 or 10 years ago, but this certainly doesn’t look like classical American insider trading to me.
The analyst in this case has no fiduciary duty to the harmed parties so they wouldn’t be insiders.
I’d talk to a lawyer but it’s for sure not “totally illegal”. It’s in the grey area.
> The analyst in this case has no fiduciary duty to the harmed parties so they wouldn’t be insiders.
The current doctrine - as Matt Levine puts it in his recurring motif "Everything is a Securities Fraud" - is not about fiduciary duty, but about an unfair information edge and basically "cheating" other people trading without insider information.
You don't have to be an insider to be guilty of insider trading - it is sufficient to trade on insider information.
I can't recall any recent case where an outsider won against the SEC by arguing they don't have a contractual duty to shareholders, because the alleged harm is broader than that.
The issue isn’t so much being an insider, it’s did you get access to the data through nefarious purposes or did you have an obligation to protect that data.
If I’m an analyst and I cold call someone with a duty to protect the data, it’s not at all clear how I’ve stolen from the shareholders. Which is the basis of US insider trading. Theft, not information asymmetry.
Compare that to if I steal a binder from my sleeping girlfriend (a recent case). She has a duty, but I’ve stolen from the shareholders in that case.
That said, the SEC has certainly expanded the definition of insider trading recently with their court hypotheses.
Only if the analyst knows or should know that the employee is getting a "personal benefit" for sharing this information, or the analyst learns it in a context where they have a duty to keep it confidential. Handing an employee a sack of cash to tell you confidential information you then trade on? Illegal. Overhearing confidential information on the train and trading on that? Totally fine. Trading on confidential information from your brother-in-law? Illegal (family members are assumed to automatically meet the personal benefit test). Something you heard in a therapy session? Illegal (there's a duty of confidentiality).
Something your casual acquaintance tells you, with no close relationship and no obvious quid pro quo? That one's been litigated back and forth in recent years, with different cases coming out both ways (to the point that Matt Levine has a running joke about the sacred duty of golf-buddy confidentiality). You'd probably have to roll the dice in court.
My understanding is that under current EU market abuse regulations trading on inside information* that you overheard on the train is still insider trading. Sharing inside information in a manner not required to fulfill your role (i.e. with an analyst if you are a regular employee, or with a specific analyst before the general analyst community if you are the management) is also a violation of MAR (dissemination) even if nobody trades on it. It is only if the information is public that you can trade on it (with an exemption for market makers).
* Under MAR confidential information is not necessarily inside information, as one of the prerequisites for the information to be inside information it must be likely that it has a significant effect on the price of a financial instrument if made public.
Well hell, I made the wrong choice at a fork in the road then. If finance is willing to buy a tighter confidence interval based on insight into Mudge’s credibility, then I severely underpriced the potential payout in finance.
E-mail is open to those who want tighter intervals re this deal or similar: my new pivot.
Yea, wow, I had no idea someone would pay that much simply for an ex-employee to spin a bunch of bullshit about their former company or colleague. Incredible!
I remember a surreal experience after having left a Silicon Valley tech company. I was contacted over LinkedIn by someone wanting to "do research" about that company. Reading between the lines, he wanted company dirt, secrets, and so on. Having no intention of violating my (very serious) NDA, I declined, but he was insistent and offered to buy me dinner. I figured I could just go, chew my food and not answer questions, so why not get a free meal out of it? We met, I started chowing down, not answering anything, and just treating it like a lovely dinner date. He eventually excused himself to the bathroom, and then disappeared, leaving me with the bill. So, I guess my plan didn't work, but I got a stupid story out of it so I've got that going for me.
Lesson learned: if anyone wants to try the same move, choose someplace where the host pays at the counter, before sitting down with the food. (What are some of the best Bay Area eateries that work that way?)
Lots of stories like this in finance. In the book Flash Boys, it discusses finance firms laying 800 miles of fiber across mountains just for trading. Bloomberg terminal tracks oil tankers. Hedge funds using satellite photos to see how busy shopping malls are. To take that even further, a hedge fund hired hundreds of people to sit in Luckin Coffee stores to track traffic and what customers purchased... on and on.
It feels intuitive that the tanker tracking is relevant to traders, but how would they really use this information? Does the arrival schedule of individual oil tankers really noticeably move energy prices in a particular country or particular region? Like, does crude oil locally get $0.001/gallon or $0.001/barrel cheaper each time a tanker arrives somewhere?
Or is it more like "a storm is delaying 30 tankers' arrival" or "a war is delaying 20 tankers' departure", to understand industry-wide or market-wide patterns?
It's a $44 billion deal. The current market cap is $32 billion. There is $12 billion of winnings sitting there on the table if you choose "it will close" and are right.
At this point, the Twitter board needs to bring in an outside investigatory team.
Mudge, who is well respected in the industry, is saying the executives are lying to the board.
Twitter’s CEO publicly mocks him, refuses to testify to Congress, and instead we hear that people are being offered money to dish dirt on their respected colleague.
If Twitter’s board does not act, then they’re willfully ignorant to the behavior and that negligence is going to harm investors. Lastly, if the board does not act, then the investors need to bring this to vote at the next shareholder meeting.
Why did Twitter pick Agrawal for their CEO. I hadn't read anything about him before Mudge's revelations and every single thing I've read since has not been kind to him. He seems to be doing a really bad job navigating this event and nobody appears to have any respect for the guy.
But you don't get to be CEO of a company the size of Twitter if you are this bad at managing. So, what's going on?
I've wondered the same thing. He had one of the most epic upward trajectories of anyone ever going from rank and file to CEO of a multibillion dollar company. Did he even have any other job on his resume?
I assume he has some connections that let him shoot up through the ranks. I think his wife is a general partner at a16z, maybe that has something to do with it? But a lot of people fit that bill who might want to get their bestie listed as CEO
His LinkedIn "Experience" sure is unusual; seems like he basically held a few internships until joining Twitter as an engineer. 10 years later, he's CEO.
To be honest this whole thing seems overblown to me, Zatko is complaining that the board weren't aware that Twitter had massive security holes. There is one small problem with this accusation. Twitter's board hired famous ethical hacker Mudge to tackle their security issues. Maybe Zatko will eviscerate Mudge's failings under oath, but that doesn't get you very far since Zatko is Mudge*.
Zatko was hired by the CEO (Dorsey) and reported to the CEO and CTO, not the board.
Zatko says an inaccurate and misleading security report was going to be made to the board at their Dec 9/21 meeting and he was able to stop it. Agrawal let the report go to the board's Risk Committee a week later.
Zatko then reported that the Risk Committee meeting report was fraudulent (because of the inaccuracies?) and was fired two weeks later. Twitter then paid him $7 million to shut up but an NDA can't block an SEC whistleblower complaint.
Yes, but if you read his complaint, he makes clear direct statements that Agrawal lied about things that are clearly judgement calls, so he's already established himself as over-reaching. It's also worth noting $7m is not a big severance for this kind of departure - Swisher weighed in on this and her reaction to 7m was "that's not a big severance for this sort of thing", let alone to cover up wrongdoing.
"How did person C get this position? Oh he's just a fall guy for person D." will start to be believable to me when I see it happen in the real world at least once. So far it's only something I've seen in Game of Thrones and Japanese Animes.
Maybe every other possible executive at the company knew how to read the tea leaves? A lot of people don't want to be company CEOs because it's a lot more visible and higher-pressure than merely being CXO or SVP of X.
Also can carry serious criminal liability via Enron Response Regulation Sarbanes Oxley "The Sarbanes-Oxley Act of 2002 requires the CEO and CFO of publicly traded companies to issue a statement certifying that the accompanying financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the company."
No. We've had a generation of tech companies with unparalleled relative lobbying power in DC rewrite the rules in Non-GAAP accounting. The pendulum swings both far and fast.
> being offered money to dish dirt on their respected colleague.
that dirt also better be security related, not digging up ex's or that he told an offensive joke one time at a conference years ago which seems to be the SOP for "dirt" these days
The board's behavior is a really interesting point. On one hand, they are doing the owners (stockholders) a dis-service by first being gullible enough to be successfully kept ignorant about the company's security situation, and then not making rapid management changes upon being alerted to it(by Mudge, it seems). On the other hand, if they can successfully get Musk to pay the offer price, they have then represented the owners interests very effectively.
The fact that the case is coming up soon makes me think that the board thinks they can focus on the case for now, and fix the company's problems later, after the case, if they win it. If the case loses, they'll be out of a job anyway and it will be some other board's problem.
> The board's behavior is a really interesting point
The board know about the poor security. But they also see the Equifax leak (far worse than the data twitter holds), and how small that fine was, and they make the conscious decision not to invest in security.
They also know they might be given government incentive money/contracts to increase security against foreign agents. If they do the work now, they won't get paid that money.
Thank you for pointing out that the Equifax data breach was much worse. Twitter is just an easy target because politicians use the platform to spread their political message, and so if they can threaten them then that only helps the platform cater to their cause.
The board and the shareholders are massively incentivized not to show that the execs are lying though, even if they know for certain that they are lying.
Only if the truth comes out. If you can control the narrative long enough, it becomes indistinguishable from reality, at least as far as the markets are concerned.
You are speaking from the alternate universe where people care if any of this stuff is ethical. In reality only a tiny cohort of message board nerds (I'm including myself) care and 95% of twitter users, if they ever hear about it all will be over it in about 5 seconds.
But activist shareholders could sue the board / executives for breach of their duties and get money out of it. Whether or not they actually care, they could pretend to care in order to profit from it.
Regardless if it’s true, they could say they lost out on Elons buyout because the board acted inappropriately before and during the buyout negotiations.
You are making the risk assessment the expected value of legal action is higher than the expected value of market returns or other applications of that same fund.
Fiduciary responsibility is not an alternate universe. Neither are ethics rules. Publicly traded companies have many rules they need to follow, and executives & board members can face suits & fines for breaking them
Keep in mind, although he's classed as an 'ethical' hacker, many whitehats come from blackhat backgrounds, and turned whitehat because of fear of getting caught up in draconian CFAA[0] trials. Every hacker in their youth has done some stupid stuff that could haunt them later. If you didn't do stupid stuff in your youth, you never really grew or learned from it.
Mudge was a DARPA PM; that's a significant position in the sense that he led DARPA-funded research programs, but I don't think it's one that actually requires a clearance.
Source: currently do DARPA-funded research. No PM has ever mentioned having a clearance to me, and the work itself is entirely uncleared.
To be fair, marshray did not mention clearance, just that some skeletons would be looked for. Getting cleared is not the only time or the only way the federal government does that sort of thing.
Sure. I actually wouldn’t doubt that Mudge was already a known entity to USG. I just wanted to dispel some of the clearance voodoo that comes along with “significant position within the Department of Defense.”
In his most recent testimony, Mudge mentioned that he was in the leaked OPM database with his details and clearance level leaked which implies he had clearance.
That doesn't necessarily mean Mudge had a Secret clearance or something. For all we know, he could have had a Public Trust position, which meant he handled sensitive but unclassified information. Anybody in IT or infosec would have that kind of clearance.
Did he mention a clearance level, or just being in the OPM breach? My understanding is that the OPM breach included plenty of uncleared employees as well.
(I’m not trying to be stubborn! If he really did hold a clearance as a DARPA PM, then I’m wrong in his case.)
Yeah, that’s the part I’m curious about: there are plenty of “public trust” or SBU roles that I’d expect to have been leaked with the OPM breach that are “cleared” in the pop sense of the word, but are not actual clearances in the US Government’s sense.
Right. The context in question is I2O, since that’s the office that Mudge was a PM in. I’d expect other offices to have different expectations around clearances, particularly the ones that do ballistic or aerospace research.
It's maybe possible I2O didn't require clearances when Mudge was a PM. Certainly at least since they moved to their current location everyone who works in the building or for the organization is cleared*.
Most programs themselves are unclass, and there are lots of collaborations in fundamental research where it's completely open, not even controlled unclass (CUI). That doesn't imply anything about the PM's clearance status. Not sure why a PM would go out of their way to talk about clearance status unless they were specifically planning for classified discussions. Your point about having a clearance not being some huge deal is certainly true though.
*Some support service people like janitorial may not be - I don't know, but then those people are escorted by people who are.
I have had several friends go through the interviews to get TS-level clearance. The point of getting a clearance is to get the dirt out on the table, not to find dirt. You can get one with many skeletons, and if you are honest about their presence, nobody minds.
None that I'm aware of (or can find on DARPA's site). DARPA might help a PM maintain their clearance if they already have one, but I don't think they require one for new PMs (unless the project directly requires classified information, which of course some do).
I'm not doubting so much as asking curiously: I've participated in what I'd guess are fairly sensitive Pentagon projects (commercially, over about a year and a half†) and I've never been cleared for anything.
† None of it involved vulnerability research; this was back in my anti-DDOS days.
Same, except I was directly involved in vulnerability research and mitigation and didn't need clearance. You only need a clearance if you are directly privy to information requiring said clearance.
> That doesn't happen without having any skeletons in your closet identified and investigated.
Yup. They would have gone in with a proctoscope, and would not have tossed him an ID card, unless he could completely convince them that he's good for it.
If they are looking for dirt, they won't get it. I assume they are intelligent people, and know that, so maybe they are actually doing what has been suggested; looking for as much accurate information as possible -either way.
NPD is a multibillion-dollar company, because they sell accurate information; not information that people want to hear (how they get that information, well, that's another matter).
> Yup. They would have gone in with a proctoscope, and would not have tossed him an ID card, unless he could completely convince them that he's good for it.
This is a mild overstatement. DARPA doesn't necessarily require clearances for PMs; even if a particular project does, it's not necessarily one that requires the "full-scope" process (meaning polygraph and the rest of the works).
I wouldn't be surprised if Mudge had to fill out an SF-86, but that's not that invasive as far as background investigations go. It's nearly identical to the process used for Global Entry.
Not only that, but we know fabrications happen and take years to dispel. If a powerful entity wants to ruin your reputation, they can and do not need truth behind them.
It's courageous for him to speak the truth (at least his observations) when they were unwilling to and actively try to undermine it.
> They would have gone in with a proctoscope, and would not have tossed him an ID card, unless he could completely convince them that he's good for it.
Astronauts undergo detailed psych exams, personality evaluations, and usually have some level of security clearance. And yet..
I got into infosec consulting perfectly cleanly, as did most of my peers. Sure some of them were involved in shenanigans in the distant past, but that is a very broad brush to paint with and seems out of place here given zero specific knowledge about Mudge and what he may or may not have done just because he is in an industry where some people occasionally did some questionable things in the past.
>If you didn't do stupid stuff in your youth, you never really grew or learned from it.
So, he's... just like most people? Do you have any specific incident(s) to point to, re: Mudge, or is this just speculation that can be applied to nearly everyone?
That's why you don't request your personal file from the FBI, either they have a file on you from your youth or you have given them reason to suspect you did something at some point. I'm curious, but not that curious.
Tens of thousands of people FOIA their DOJ files each year. Unless you're already pinged for something, I doubt the FBI is going to expend any additional effort solely because you've asked for some personal files.
This is a no-true-Scotsman argument where none was asked for, but thank you for linking to Wikipedia properly.
“Ethical” hacker is also a nonsense term. Ethics means the study of moral philosophy, it is not a synonym for “good” and to use it as such belies a superficial understanding of both morality and hacking.
Back in the 80s and early 90s, we didn't wear hats. And if we had, exactly zero of them would have been white.
It was basically impossible to be a security "researcher" in that era by following all the rules. Many of the laws didn't exist yet, but lines were grey at best, and everyone knew it.
That said, Mudge has been an upright player in the industry since at least the BBN days (1995?). He was one of the first to see that cred in the scene is worth $0, but cred in the industry is worth a whole lot more.
Searching for dirt on Mudge is like talking to a 60 year old politician's high school friends to find out that they trespassed and smoked some pot when they were 15.
If you honestly care about that dirt, it says much more about you than it does about them.
Some of this digging might not be to discredit Mudge, but to estimate how well his claims will hold up in the crossfire. That would be useful information to some hedgie looking to make a big play on twitter stock (or tesla stock, indirectly).
Almost all of it will be that. The companies looking for the information are all expert networks, where the paying customer is almost always a hedge fund or private equity. There are billions of dollars at stake, of course they are looking for any insight they can get on the guy.
> He also said that the company was led by executives willing to cover up the platform’s security issues, including by discouraging Zatko from informing its board of directors about them. (Hahn, the Twitter spokesperson, told me that Zatko’s portrayal of the company was “riddled with inconsistencies and inaccuracies, and lacks important context.”)
I'm guessing the missing context is that Twitter's board itself did not want to know (plausible deniability), otherwise they would also become liable for breach of fiduciary duty.
> Twitter's board itself did not want to know (plausible deniability)
Oh seems plausible and I'd guess Mudge would expect that. And I'd also guess that when making a complaint, you gotta pretend that going through channels is the proper thing only a few bad apples will try to stop, i.e. that everyone involved here isn't implicitly in on the scheme.
And I doubt Twitter would raise this explicitly the "lacking context", to say the least.
The basic claim (from someone I understand was reasonably senior and worked reasonably closely to Mudge) is basically that the guy was not good for Twitter security and so to a great extent his whistleblower complaint is ‘Twitter put me in charge of security which was highly negligent of them’ eg https://nitter.fly.dev/igb/status/1562087069391785984
Meh. There’s no indication that those Twitter accounts are of people who are any better or worse. I’ll take Mudge’s reputation over two unknowns whose motivations are unknown.
This isn't great reporting. A much simpler explanation is that hedge funds betting on the outcome of the twtr/musk case are trying to understand the situation so they can make bets on the outcome of the deal.
With so many people willing to dismiss this kind of prying as simply being hedge funds and nothing to worry about, for some reason, why wouldn't anyone who really did want to find dirt to discredit a whistleblower take advantage of the situation and join in?
Good reporting would have shown the obvious motivation and some not so obvious motivations. They could cover who would want to discredit a whistleblower, how that would work practically and so on. It could have been an interesting read.
Almost as bad as eBay's campaign of harassment against David and Ina Steiner. It's long past time for executives to face personal criminal liability for their misdeeds on the company's dime.
> Ina and David Steiner say eBay employees tortured them for two years because they posted online reviews about the site. Staffers allegedly sent the couple bizarre items, including a pig Halloween mask, insects and a book on losing a spouse.
The oppo research mentioned in the article surely leaves a bad taste in one's mouth, but it's not even in the same league as what the Steiners say they faced.
Edit/additional thoughts: Mudge is a well-known executive who held high-profile positions in several organizations, and who released very serious accusations about Twitter, where he was an officer of a public company, in the midst of a multi-billion dollar business dispute. Whereas the Steiners were just two of millions of eBay sellers who were allegedly criminally harassed by senior staff for the content of their newsletter (IIRC). So there's also an enormous difference in the relationship between these individuals and the entities opposing them.
Let's just agree that both are the result of private stalking gone wild. I'd agree the Steiners' eBay harassment was much worse but silencing of any critical voices is definitely in the authoritarian playbook and bad for a functioning society.
A bit shocked that the top comment is an archive.ph URL. www.newyorker.com articles have looked perfect in a Javascript-free text-only browser (links) for nearly 15 years. Heck, I even tested this article in a popular graphical browser with Javascript disabled. Looks fine. The only domains required are www.newyorker.com and media.newyorker.com.
The high cost of always-on Javascript and always-on cookies these days is astounding. Either that or folks really love archive.ph for some reason.^1
1. https://en.wikipedia.org/wiki/Archive.today The site gets blocked in certain countries. It appears the operator uses Cloudflare "bot" protection, too, in an attempt to force users to enable Javascript.
The archive.ph URL is archived at archive.org where one can see the Cloudflare interstitial requiring the user to enable Javascript and solve a CAPTCHA.
One category would be to acquire information -- uses of which include predicting business outcomes of legal proceedings, and affecting legal proceedings by discrediting a witness.
Could another category be to intimidate a whistleblower? Presumably, if you blanket the whistleblower's colleagues with requests for info/dirt about them, the witness is going to hear about that. Presumably they're going to feel threatened, by the fact of powerful interests not even hiding that they're out to get the whistleblower.
Separate from intent, an additional possible effect is adding to the cumulative chilling effect on whistleblowers in general. We keep learning, from news and TV/movie fiction, that whistleblowers usually lose big.
It's just a bunch of hedge funds trying to bet on the outcome of the case, nothing more nothing less. Paying $1000/hour is small change compared to billions in bets on stock prices.
Honestly while it's a little bit scummy I don't think there's anything especially wrong with what these research companies are doing.
> We keep learning, from news and TV/movie fiction, that whistleblowers usually lose big.
Even when they do, the public is usually better off after knowing the truth. Whistleblowing isn't something most people do for personal gain (although some suspect this one might be). I think most whistleblowers expect that at least some sacrifice will be required if they come forward.
It seems likely that when he was starting out as a security researcher he did some more "legally shady" things... and I'm sure someone out there is willing to share information about that for enough money...
His only hope is that computers in the 80's/90's were typically far less interconnected, and any records of Mudge's hacking may have been lost to history.
I always questioned his openness to share his handle considering his association with cDc. But I guess there is enough plausible deniability, or his utility is so great, that people will look past it.
I doubt anyone would be shocked a hacker was involved in "legally shady" things. If they want dirt they're probably going to be looking for other things of a more personal nature.
No, but I'm suggesting that when starting out writing password cracking tools he or his friends might have been testing those tools on computers that they perhaps shouldn't have been...
> Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. In 1995 he published "How to Write Buffer Overflows", one of the first papers on the topic.
> He was one of the seven L0pht members who testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time.
And they say he wasn’t doing a good enough job at a company whose only job is to pass some text back and forth lol. Didn’t the breach happen because some slack channel inside Twitter had the password pinned to the top?
The first public modern overflow exploit, following the Morris Worm itself, was Thomas Lopatic's 1995 HP-UX httpd exploit.
It was followed shortly thereafter by 8lgm teasing a syslog stack overflow in Sendmail 8.6.12. New Sendmail vulnerabilities were the gold standard of the underground at the time, and 8lgm set off a race to work out how to reliably exploit overflows. I posted about this on Twitter a year or two ago, and Neil Woods showed up and posted the exploit, which is a highlight for me.
The first blueprint for a stack overflow exploit on a widely-available architecture --- really, the first how-to of how to implement a stack overflow for ordinary security researchers --- was probably vicm and daveg's Linux splitvt exploit.
To my lights, if we're spreading credit for overflows around, primary credit goes to Lopatic, and then to vicm and daveg, whose exploit was cut-and-pasted a bunch of times for the 1996 userland bloodbath. The most important document of these attacks was Aleph One's "Smashing The Stack For Fun And Profit", which is the one that's taught in college courses.
Er, the (in)famous Robert Tappan Morris worm of 1988 used a buffer overflow. Zatko may be a renowned security expert but he didn't invent the buffer overflow.
I'm inclined to believe everything he says about Twitter from my experience implementing Twitter APIs then constantly working around their incessant random breakage.
The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a service on Unix called finger.
(source code here https://0x00sec.org/t/examining-the-morris-worm-source-code-... )
Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list.
A year later, in 1996, Elias Levy (also known as Aleph One) published in Phrack magazine the paper "Smashing the Stack for Fun and Profit", a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.
> We discussed for a long time who in the hacking world today best exemplifies everything that is right with hacking today, and we came up with a unanimous conclusion that it was Mudge. And so we were quite happy that our first choice for the first pro-phile that we have done accepted our invitation. He cracked your Apple warez when you couldn't, he wrote buffer overflows before they were cool, he owned your Sendmail (and probably still does), and he still manages to give more back to the community than anyone else around.
> Past handles: Many old Apple ][ crackers remember me by a different handle. That handle is long put to rest thanks to the government.
And just the other day I learned that Steve Wozniak got kicked out of UC Boulder, Colorado for hacking their mainframe. Tried to figure out what it was named - but sadly couldn't find the name. Thought it'd make a good name for my new laptop.
Literally every "researcher" in 1995 was working on this problem. I was in the room with Mudge at Pumpcon while he was doing the research work for this, with like a dozen other people. All of them were I believe primarily motivated by 8lgm --- that's why Mudge's post uses a contrived syslog(3) example instead of a real bug, because the 8lgm Sendmail exploit was an overflow in syslog(3).
It's fine, it's a solid post, it's an early post. But Lopatic and 8lgm set this in motion, and the actual blueprint for this attack was probably splitvt.
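The mechanism this sub-thread is arguing over (the Morris worm's gets() into a fixed fingerd buffer, the contrived syslog(3) case in "How to Write Buffer Overflows", the splitvt and Sendmail exploits) is the same in every case: an unbounded copy into a fixed-size stack local runs off the end of the buffer and into the saved return address. The C below is an added illustration, not code from any of the papers or exploits named in the thread. It models the stack frame as a struct so the overrun is a defined, observable write rather than undefined behaviour that a modern compiler's stack protector would abort; the struct layout and the LEGIT_RET constant are stand-ins chosen for the example, not a real frame or a real address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stack frame. In a real frame the compiler lays out the locals and the
 * saved return address; here the adjacency is made explicit in a struct so
 * the write past the end of buf is a defined write into saved_ret. */
struct frame {
    char buf[16];          /* the fixed-size local the input is copied into */
    uintptr_t saved_ret;   /* stands in for the saved return address */
};

/* Assumed, made-up "legitimate" return address for the toy. */
#define LEGIT_RET ((uintptr_t)0x08048494u)

/* Vulnerable pattern: unbounded copy, as with gets()/strcpy().
 * Returns what the "return address" slot holds after the copy. */
uintptr_t handle_unbounded(const char *input)
{
    struct frame f;
    f.saved_ret = LEGIT_RET;
    size_t n = strlen(input) + 1;       /* bytes strcpy would write, incl. NUL */
    if (n > sizeof f)
        n = sizeof f;                    /* clamp: keep the toy inside the struct */
    memcpy((char *)&f, input, n);        /* writes past buf[16] into saved_ret */
    return f.saved_ret;
}

/* Hardened pattern: bounded copy with explicit truncation; saved_ret survives. */
uintptr_t handle_bounded(const char *input)
{
    struct frame f;
    f.saved_ret = LEGIT_RET;
    snprintf(f.buf, sizeof f.buf, "%s", input);  /* at most 15 chars + NUL */
    return f.saved_ret;
}

/* 1 if the input clobbered the return-address slot in the vulnerable handler. */
int overflow_changed_return(const char *input)
{
    return handle_unbounded(input) != LEGIT_RET;
}

int main(void)
{
    const char *benign = "fits-in-buf";                       /* constructed input */
    const char *evil = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";     /* constructed: 32 x 'A' */
    printf("benign -> ret=%#lx\n", (unsigned long)handle_unbounded(benign));
    printf("evil   -> ret=%#lx (unbounded)\n", (unsigned long)handle_unbounded(evil));
    printf("evil   -> ret=%#lx (bounded)\n", (unsigned long)handle_bounded(evil));
    return overflow_changed_return(evil) ? 0 : 1;
}
```

With the long input the unbounded handler returns a "return address" made entirely of 0x41 bytes, which is exactly the attacker-controlled value a 1995-era exploit would point at its shellcode; the bounded handler truncates and leaves the slot intact. On a real binary today the same bug would typically be caught by -fstack-protector, and NX and ASLR would complicate turning it into code execution, which is why the toy keeps the write inside a struct instead of smashing a real frame.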
Yeah I’m with you, once the friends group clued in that it was a bunch of financial types trying to make trades on a feeling, they should have spit all kinds of divergent information into that idiot machine.
You can do that once, at best. Most of them have a phone system which counts the minutes and you get prorated. The people paying the money aren't idiots. They'll cut you off after 10 minutes if it seems like you are full of it. Then the relevant expert network never calls you again.
The other side (the people that pay) do reviews etc.
I think perhaps more accurately Musk wants to make ungodly amounts of money on selling the dream of settling Mars. Mars settlement is a monorail.
And I don't think Twitter is just noise. It appears to me that Musk knew exactly what he was doing and got the results he desired, knocking the value of Twitter down 11% for his own personal political and/or narcissistic agendas.
He already had ungodly amounts of money before he got involved in SpaceX, which at the time looked far more likely to burn money than make it. I'm no fan of the guy but I do think he's serious about the space stuff.
LEO is proven; there's a need, thus a market, and the science is sound. Mars, not so much. No need, just dreams for an irresponsible solution to Earth-bound problems that will still need to be solved.
The lack of air on Mars can be solved; we could terraform it, over a long time, create the air needed to support life. The lack of a planetary dynamo and magnetic shield from radiation probably can't be solved.
What is the difference between tin cans in LEO using centripetal force for artificial gravity and tin cans on Mars? One is a lot less expensive, and if something goes wrong, there is at the very least a possibility of escape or rescue. Mars is somewhat of a death trap.
So no doubt Musk cares about space stuff, which has been profitable for him. I'm just not sure he's really serious about Mars or if it is his version of a reality distortion field. It really looks like a monorail to me.
> then he realized it was overpaying when the market crashed.
His initial securities filing announcing his stake seems to be related to Twitter's value increasing 27%. If knowledge of Musk owning a stake in Twitter increases the value of all shares, we can forgive Musk for believing that the value would continue to increase if he made an offer to buy Twitter above that amount, which he did. If he had just kept his mouth shut... But his statements had the opposite effect from the one intended: Twitter's shares started dropping following his stated intentions to change specific things at Twitter, and never rose again to his estimate, which was based on extrapolating from the positive effect of his initial securities filing. He screwed the pooch, his mouth was causing shares to fall, and then he wanted out.
> There's no need for overcomplicated conspiratorial explanations that are unlikely.
I see that now, appreciated. Hanlon's razor provides a simpler explanation.
That's almost certainly not what happened. What happened was the broader market crashed after the deal was signed. TWTR's intrinsic valuation is largely driven by other listed tech stocks. So when those crashed, TWTR's intrinsic valuation also crashed, which meant the deal price became unattractive. Merger arbitrageurs, in light of the crash, started shorting in anticipation of the deal being reneged on. Musk was initially happy to pay some premium above market price, which is normal in acquisitions, but it no longer made financial sense for him to continue with the deal following the sell-off in the broader market. There almost certainly was no prior plan to sneak out of the acquisition agreement irrespective of developments in the broader market. If the broader market had rallied instead of crashed, Musk would be licking his lips at the opportunity to scoop up a relatively cheap TWTR.
> Hanlon's razor provides a simpler explanation.
It's not Hanlon's razor, which presumes incompetence. It's Occam's razor. There's no incompetence to making a deal that is good given the available information at the time that the deal was signed. New information presented itself (in the form of an unexpected broader market crash) after the deal, which altered the optimal decision.
If Musk made an offer when the market was up, and didn't get a response, then walked the offer back when the market fell, that is perfectly ok. But once an offer is made and then it is accepted, I call that a contract. Markets can't be predicted accurately very far in the future, that is their nature. As you say, had the market stayed strong, Musk wouldn't have waffled... then it should be equally fine if instead Twitter reneged on their acceptance, but I don't think that is the case. Musk would have sued, which is exactly what Twitter is doing.
But I think Musk must have expected the share price to climb past what he was offering, and whether his stating his plans to monkey with Twitter had any effect on the share price, it seems obvious that was his intention, to affect the price of Twitter shares. Clearly it either backfired, or it had no effect, or it had the intended effect.
> But once an offer is made and then it is accepted, I call that a contract
I also call that a contract. Musk should be held to it, or he should pay a multi-billion dollar exit penalty. But this isn't relevant to what we were discussing.
> But I think Musk must have expected the share price to climb past what he was offering, and whether his stating his plans to monkey with Twitter had any effect on the share price, it seems obvious that was his intention, to affect the price of Twitter shares. Clearly it either backfired, or it had no effect, or it had the intended effect.
This is the same conspiratorial misunderstanding of what happened that we've already gone through. There was no sneaky plan to pump TWTR shares by making a disingenuous acquisition offer. Such a scheme makes no logical sense. He didn't own enough of the TWTR float for the risk of such a grandstand to be anywhere near positive expectancy.
But there is a perfectly logical and simple explanation that you keep disregarding, which I've outlined twice. I will outline it a third time now.
He wanted to buy TWTR. Then the market crashed by surprise. Then he changed his mind, because doing so is logical after the market crashes. It's so simple, and it fits so well, it lines up with all the available circumstantial evidence, and it makes so much sense.
I see that is possible, reasonable, and a valid explanation. It is undeniable, however, that Musk knew he would have effect on Twitter's share price because he delayed 11 days in revealing his stake, saving him ~$140M on Twitter shares while everyone was in the dark. Now, maybe the market subsequently declined everywhere, but it is reasonable to assume that Musk's public statements after Twitter accepted his offer were intended to affect the share price to increase above his offer, sweetening the deal for him. It is also possible that, even though or if the market declined everywhere, that Musk did have an effect opposite to his intention: it would be incompetent to publicly announce intentions to fix something that was already profitable, which if unpopular enough, may have affected share prices negatively.
> Zatko told me, “These tactics should be beneath whoever is behind them.”
Hahahaha! Probably time to get a padlock for your garbage cans.
edit: apparently I should clarify, this was a humorous suggestion that the people who do research for hedge funds will stoop considerably lower than the tactics Mudge was referring to, not a serious suggestion that he actually padlock his garbage cans
DIN 66399 P-5 shredders (1.9x15mm micro-cut) are not that expensive, I paid less than £300 for my HSM Securio C18. Just get the good kind, not the made-in-China junk. The NSA requires P-7, which can still be had for slightly over $1200.
Lots of small businesses have padlocks on their garbage bins to prevent others from filling their (paid) bin. Getting rid of a pickup-truck load of garbage (from a house renovation or something) is actually quite expensive.
The garbage area at a lot of retail stores is fenced off behind a padlock. Those places live in constant fear of someone making use of their trash for reasons other than making the trash problem worse.
If we used Congress hearings and feelings of Republicans as a testament of honesty, then at this point Mudge shares as much credibility as the election being rigged. We have literal breaches of credit reporting agencies storing all your data but this is what Congress wants to focus on.
Heck, I saw worse than what Mudge is reporting in actual GovCloud environments involving PHI.
Wake me up when people are not so easily manipulated by the news cycle and their self-interests.
I watched the committee hearing, and there didn't seem to be much partisan politicking going on. The primary focus was protecting the privacy of users, which impressed me. However, at one point Lindsey Graham mentioned he and Elizabeth Warren were in agreement enough to start fleshing out some kind of social media operator licensing regime, which sounds terrible.
What bothered me the most is that they vaguely referred to Europe's data protection having more teeth, even though the GDPR has all but been neutered via Legitimate Interest.
Most GDPR popups now classify "building a personal profile", "serving personalized ads" and "linking multiple devices" as legitimate interest, and they still default it to on, without a clear and equally-visible "No" button next to the "Agree". This is so obviously against the intended spirit of the legislation but it's everywhere.
So yeah, large targets like Twitter might need to watch out, but third parties are still harvesting data left and right, so what's the point?