tmekelburg1
Community Champion

Twitter's Whistleblower

What are your thoughts on this? Is this just a disgruntled employee who couldn't make the case for better security or was it gross negligence on Twitter's part? I've always worked in a regulated environment so I have zero experience working for a tech company. 


There are some pretty serious security allegations being reported such as:


  • Broad access to the production environment and user data
  • Minimal to no logging on changes to the production environment
  • Access to resources from unpatched work and BYOD devices
  • Datacenters didn't support data at rest (In their defense, not a lot of places have that setup)
  • Engineers tested on production environment instead of test environment

https://www.wired.com/story/mudge-twitter-whistleblower-security/ 

https://s3.documentcloud.org/documents/22186782/whistleblower_disclosure.pdf 


2 Replies
ericgeater
Community Champion

Y'all remember the breach of those 100+ high-profile accounts?  I heard that was because they shared priv credentials in a slack-type environment.  The whole of these complaints, writ large, points to a culture of severe sloppiness.  I envision their offices all looking like Wayne Knight's workstation in Jurassic Park.

--
"A claim is as good as its veracity."
tmekelburg1
Community Champion

The Twitter security team asking the Engineers not to test in the production environment:

[Attached image: tmekelburg1_0-1661448160071.png]