
Twitter has a security problem

Protocol Enterprise

Hello, and welcome to Protocol Enterprise! Today: why revelations about Twitter’s internal security infrastructure from a respected source are so damaging, why DigitalOcean just parted with $350 million and why Intel is choosing an unconventional path to finance its Arizona expansion.

Mudge sounds the alarm, again

After the disclosure today that Twitter's former security head, Peiter "Mudge" Zatko, had filed a whistleblower complaint with numerous major accusations against his former employer, the social media company attempted to paint the action as that of a disgruntled ex-employee.

But that's not Mudge, as numerous members of the cybersecurity community quickly sought to make clear — where else? — on Twitter.

  • For those who aren't steeped in infosec history, Zatko's credibility in the security community dates back more than two decades, when he and fellow ethical hackers famously testified before Congress in 1998 to warn of massive security vulnerabilities in the internet of the time.
  • "There are [a] fairly small number of folks in #infosec who i (and broadly, we) trust to act as canaries in the coalmine," tweeted Bugcrowd founder Casey Ellis. "@dotMudge is one of them."
  • "Mudge has repeatedly, faithfully, and publicly demonstrated that he will do the right thing to keep people safe," Red Queen Dynamics CEO Tarah Wheeler tweeted.

With his return to the spotlight today, Zatko is once again looking to sound the alarm bell — this time about the security and resiliency of a social media platform that has become a key center of public communications.

  • His complaint alleges that more than half of Twitter's servers run out-of-date software and are potentially vulnerable as a result. Additionally, many of the servers cannot support encryption at rest — a standard form of protection against a data compromise, according to the complaint.
  • Zatko's other security-related allegations include claims that more than 30% of Twitter employee devices have software and security updates disabled; mobile device management software was nonexistent for employee phones; insider threats "were virtually unmonitored"; and "far too many" employees have access to systems and user data that they shouldn't have.
  • In terms of resiliency, Zatko's complaint contends that he learned in the second half of 2021 that "no Twitter employee computers were being backed up at all."
  • Twitter also lacked a “workable disaster recovery plan” in the event of even a partial data-center outage, which is considered table stakes for most companies operating services at Twitter’s scale.

The complaint suggests that Twitter misled its own board about the security vulnerabilities and raised a number of other issues, including around data privacy, bots and a potential violation of Twitter's consent decree with the FTC.

  • Zatko, who reportedly worked for Twitter from November 2020 until January 2022, ultimately alleges that he "uncovered extreme, egregious deficiencies by Twitter in every area of his mandate."
  • And while lots of companies have internal security issues they don’t like to talk about, Zatko’s report suggests Twitter was indifferent — at best — to the effort that would have been required to correct those issues.
— Kyle Alspach


This is the Cloudways

Cloud infrastructure provider DigitalOcean plans to amp up its support for small and mid-size businesses with its proposed $350 million acquisition of Cloudways, a managed cloud hosting and SaaS provider catering to SMBs.

DigitalOcean, which targets developers, startups and SMBs looking for a simpler, narrower and more affordable set of cloud computing services in lieu of AWS, Microsoft Azure or Google Cloud, said the purchase would simplify workflows for SMBs that want easier ways to build and scale their digital businesses.

Cloudways serves more than 72,000 customers on 570,000-plus websites and has worked closely with DigitalOcean since 2014. Customers including ecommerce stores, design agencies, developers and bloggers use Cloudways to host their websites on top of cloud infrastructure providers, including DigitalOcean — which is used by about half of Cloudways’ customers — AWS, Google Cloud, Vultr and Linode. The platform’s web app management function is designed to make it easier to launch cloud servers for the deployment of WordPress, Magento and PHP-based applications.

DigitalOcean went public in March 2021, raising $775 million. It reported $133.9 million in revenue, a 29% year-over-year increase, for the three months ending June 30, and a net loss of $6.2 million. Its acquisition of Cloudways, which expects its revenue to exceed $52 million in the current fiscal year, is slated to close in September.

— Donna Goodison

Intel cuts a deal

To help pay for the hundreds of billions of dollars that Intel’s potential chip factory expansion plans will cost, the company said Tuesday that it has reached an agreement with Brookfield Asset Management for up to $30 billion in funding. The cash is for two new fabs at the Ocotillo campus in Chandler, Arizona, which will be built and operated by Intel.

It’s part of the company’s “Smart Capital” approach to paying for its expansion plans in the U.S. and abroad. That plan combines government incentives and the use of third-party contract chipmakers, among other things, and is part of the company’s overall strategy to regain some of the ground it has lost to TSMC and Samsung. Brookfield, a Canadian asset management company, will own 49% of the new factories, while Intel will retain a 51% ownership stake.

For Wall Street, the deal was met with mild positivity. The additional cash from Brookfield will ease the burden of the ambitious capacity expansion plan set in motion under CEO Pat Gelsinger. After a brutal quarterly report card — which included the company’s first net loss in decades — the deal appears to preserve Intel’s ability to pay its dividend to shareholders, and potentially generate more cash in the future.

But the maneuver is an unusual one for the chip industry, which typically funds expansion plans with the enormous amount of cash generated by the high-margin business. Intel has fought hard to convince the U.S. government to pay for some of its expansion plans, and the company intends to use mechanisms such as the deal with Brookfield to ultimately offset as much as 30% of its capital spending.

— Max A. Cherney

Around the enterprise

Cloudflare is once again taking fire for serving a controversial customer, this time after an anti-transgender rights harassment campaign coordinated by users of Kiwi Farms, a notorious platform for violent, right-wing causes.

Hackers built a hologram of Binance’s chief communications officer in order to trick leaders of cryptocurrency projects into thinking Binance supported their efforts, as concerns about deepfake attacks continue to grow.


Thanks for reading — see you tomorrow!
