
Three Things: Twitter Death Watch in Progress

[NB: check the byline, thanks. /~Rayne]

This could be hyperbole but it’s difficult to imagine a social media platform the size of Twitter surviving nearly 90% loss of employees across the organization inside a three-week time frame.

I certainly wouldn’t bet any of my money on it.

~ 3 ~

Thursday was the deadline Twitter’s owner Elon Musk set for remaining Twitter employees to commit to being “hardcore” for Elmo.

They were supposed to have clicked/not clicked by 5:00 p.m. to take an offer of termination with severance.

Many are choosing to walk away, their goodbyes recorded in this ongoing thread (link active at time of posting but no guarantees how long it will stay up):

Kylie Robison for Fortune Magazine reported in a Twitter thread that as much as 88% of the staff Twitter had when Musk took over on October 27 has either been fired or opted to leave.

There were employees on vacation, on medical leave, and on H-1B visas who have questions which haven’t been answered; they will not have been able to make a fair election of hardcore for Elmo or nope, thanks.

The number of employees who may fall under this category could be about 1,000.

At one point it was said Musk was negotiating with a handful of key engineers critical to keeping Twitter running.

Zoe Schiffer at Platformer reported at 6:52 p.m. ET that badge access had been suspended and the Twitter office buildings closed.

Her tweets leave open the possibility some of the employees who opted to leave may yet be asked to remain.

I wouldn’t hold my breath after reading Business Insider’s Kali Hays.

How does a company operate without payroll?

If Twitter has virtually no information security personnel left and likely has no documented plan in place for dealing with this scenario, on top of the failures all along the way in rolling out the Twitter Blue verification system (a mess of violations all on its own), Twitter could be hammered hard by the Federal Trade Commission for failing to meet the terms of the 2011 consent agreement.

I don’t think it’d be unreasonable to say the FTC has grounds to shut Twitter down right now if no users’ or advertisers’ data is secure; the FTC has shut down businesses before. Taking any money from advertisers at this point, let alone from users for Twitter verification or Twitter Blue, would shortchange them if they expected data security.

As Alex Stamos, Facebook’s former CISO notes in this Twitter thread, it’s not just the FTC with whom Musk and Twitter will be in trouble. Twitter’s former outside counsel Riana Pfefferkorn agrees there are big problems and has more to add.

And Elmo’s response to all of this is shitposting.

Not even his own shitposting; he stole the meme from another user.

With total staffing and capabilities up in the air, will Twitter survive into the World Cup, which begins this coming Sunday, November 20?

I won’t even put money on that.

~ 2 ~

Marcy wrote recently about Elmo’s forced marriage. Looking at the timeline of events leading up to the closing of the Twitter acquisition, there was certainly something iffy in the way Elmo avoided a background check and due diligence when offered a seat on the board of directors in April, and in the way he hustled out of Delaware’s Chancery Court in October where discovery might have revealed all that wasn’t back in April.

@capitolhunters found some embarrassing information about Elmo which might explain his skittishness. It’s public record but unless one is determined to find it, it won’t surface readily.

Read the entire thread at the Internet Archive; I wouldn’t count on it being available at Twitter. It may have been shadow banned at one point earlier Thursday evening as I couldn’t pull it up.

Is it possible the lack of qualifications and credentials as well as his former status as an illegal immigrant are the reasons why Musk appeared to avoid a background check and due diligence?

Is this a compelling reason he should not have been able to purchase Twitter to begin with — because he could be compromised because of repeated misrepresentations about his background?

~ 1 ~

If you’re a regular Twitter user, you may wish to see something constructive done and soon. There are entire communities of people who can’t just switch to another platform because they’ve had small businesses built up around their Twitter presence. There are minority groups who have difficulty switching to different platforms; without Twitter they lose contact with others in their minority community.

One only need look at the mass shooting at University of Virginia last weekend and the confusion about verification on Twitter to realize how serious the loss of Twitter’s integrity as a utility is to much of the U.S. — and it’s not just the U.S.

I recommend checking @Celeste_pewter’s Twitter thread for action items including calling your senator.

(There’s a copy of her thread at the Internet Archive just in case the original one at Twitter becomes unavailable.)

~ 0 ~

I can’t help think of two things:

— Oil producing countries Saudi Arabia, Qatar, and UAE financed a considerable portion of Musk’s purchase of Twitter, with Prince al Waleed being the second largest investor. Did they do it for an investment, for access to a media space to promote their agenda, or because they saw a way to screw with one of the most popular electric car manufacturers by giving its compromised CEO the means to fuck himself?

— Text messages produced as part of discovery in Twitter’s lawsuit against Musk included messages between Musk and his ex-wife Talulah (Jane) Riley in which she begged him to buy Twitter and delete it because Twitter had banned conservative satire site Babylon Bee. Riley had discussed the banning with her close friend Raiyah Bint Al-Hussein, wife of British journalist Ned Donovan, and half-sister to King Abdullah II of Jordan. Why would a British actress like Riley be so upset about an American conservative website’s banning by a U.S. social media platform?

Three Things: The Early Bird Got Wormed

[NB: Check the byline, thanks. /~Rayne]

The self-ownage continues at Twitter. I don’t even know where to start because there’s just so much damage in the bird app’s debris field.

Let’s go with the problems closest to deaths.

~ ~ ~

The brilliant billionaire who overpaid for Twitter, who thought his Tesla engineers were qualified to determine staffing levels on software created over 16 years they didn’t write, had another brilliant idea.

He played Jenga with code within the platform because the application was too slow.

(I haven’t heard anyone complain about Twitter’s speed in ages, and when there’ve been complaints they’re usually in tandem with a major event flooding the network and system with user requests and tweets.)

Twitter’s speed hasn’t been a bottleneck to increasing users or profitability.

In the process of unplugging stuff to see if the platform would speed up, a worker who actually knew something about all the legacy code criticized Musk’s absurd efforts.

Free speech absolutist Musk fired him, egged on by his fanboi trolls.

And then users began to experience problems with Two-Factor Authentication (2FA) over Short Message Service (SMS), otherwise known as text messages.

The security system which allows users to ensure their account can’t be accessed by unauthorized persons was broken, preventing users from accessing their accounts.

This also prevented users from checking their accounts to make sure they weren’t hacked and their verification worked.

~ ~ ~

Which is why during Sunday night’s mass shooting at the University of Virginia, students as well as the public following the story were reportedly confused about UVA’s emergency message. They couldn’t be sure, after Elon Musk’s back-and-forth changes to Twitter’s verification system, whether the message they read on Twitter from UVA-Emergency Management was legitimate.

Fortunately students used their own student-developed thread in a mobile app called Yik Yak to validate the emergency. Yik Yak has been problematic in the past, pulled from app stores because of unmoderated toxic behavior, but it was relaunched in 2021 and valuable to students during the shooting lockdown at UVA because Yik Yak limits reach to five miles. In other words, the students knew whoever was using the app was local to campus.

It’s possible the students could have deduced the UVA-Emergency Management tweet was legitimate because it displayed the source of the message – Rave Mobile Safety, an emergency messaging system. Had UVA-Emergency Management’s account been spoofed, a phone or desktop might have appeared instead of Rave.

This detail may not be available for much longer. Musk thinks identifying the source of tweets by device or application is just inconvenient bloatware.

Should we ask UVA students and their parents about Twitter’s bloatware problem?

~ ~ ~

As I noted in my previous Twitter acquisition timeline post, the company has been subject to a Federal Trade Commission consent decree since 2011 because of its failures to assure users’ personal data was secure.

From the FTC’s 2011 statement:

…The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.

A $150 million penalty had been levied by the FTC only a month after Twitter and Musk agreed on terms for the acquisition.

And yet Musk noodled around with Twitter Blue and the blue check verification system, affecting the verification status of organizations as well as individuals – none of the changes done with documentation prepared in advance, or with red team testing for quality assurance.

Musk’s ham-handed mucking around in microservices temporarily affecting 2FA SMS – some accounts are apparently still affected – was likewise done without advance preparation, and in the face of criticism by seasoned employees who understood the system.

It’s worth noting in that same statement by the FTC these last two paragraphs:

NOTE: A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics. “Like” the FTC on Facebook and “follow” us on Twitter.

Though the FTC might want to rethink that last Follow, persons who felt their personal data was at risk over the last three weeks might want to drop the FTC a note.

~ ~ ~

After reading about the acquisition and the subsequent mass terminations along with the manifold fuck-ups like verification and 2FA SMS, I wonder if Musk and Twitter executives ever notified the FTC of the change in ownership as required by the consent decree.

Leaving Elmo’s Marriage

[NB: check the byline, thanks. /~Rayne]

My moderation team counterpart bmaz is a bit put out at people who are flouncing Twitter dramatically. We don’t see eye to eye about the topic of departing Twitter now. I’m among those who are unwinding their accounts now that Elmo has been forced into marrying Twitter, Inc.

Elmo’s turbulent management style is one reason I’d like to leave. Who knows what any given day will yield – will a new policy pop up out of the blue insisting users must pay for services to which they’ve become accustomed for years?

Security is another matter of concern, and in saying security I mean I have my doubts about personal data security now that Elmo has capriciously announced he’s going to fire 75% of Twitter’s personnel…and now 50% this Friday…and maybe with or without compliance with the state or federal WARN Act.

Does anyone really think Twitter personnel are at top form right now when they’re looking over their shoulder for their pink slip? Could you blame them if they aren’t?

But my biggest single reason for wanting to leave Twitter is this: I do not want to be Elmo’s product.

~ ~ ~

Artist Richard Serra said of his experience viewing the painting Las Meninas (c. 1656) by Diego Velázquez:

“I was still very young and trying to be a painter, and it knocked me sideways. I looked at it for a long time before it hit me that I was an extension of the painting. This was incredible to me. A real revelation. I had not seen anything like it before and it made me think about art and about what I was doing, in a radically different way. But first, it just threw me into a state of total confusion.”

When one first sets eyes upon the painting, it appears to be one of the young Infanta Margaret Theresa of Spain and her ladies in waiting, standing next to a portraitist at work. It takes a moment to realize that the portraitist isn’t painting the Infanta but whomever the Infanta is observing, and yet another moment to realize the subject of the portrait and the Infanta’s gaze can be seen in the mirror behind them.

The painting’s observer will then realize they are standing in for the Infanta’s parents who are being painted by the portraitist — and the painting is a self portrait of Velázquez at work. The painting’s observer is a proxy who has not fully consented to their role but nonetheless becomes the subject of the painter at work.

It is this same inversion which must be grasped to understand why I refuse to be Elmo’s product.

I know that I am not Twitter’s customer. I’m not the consumer.

If I remain I am the consumed in Elmo’s forced marriage scenario.

~ ~ ~

Serra and director Carlota Fay Schoolman produced a short film in 1973 entitled, “Television Delivers People.” It was considered video art, using a single channel with a text scroll to critique television.

This excerpt explains the relationship between the audience and television:

Commercial television delivers 20 million people a minute.
In commercial broadcasting the viewer pays for the privilege of having himself sold.
It is the consumer who is consumed.
You are the product of t.v.
You are delivered to the advertiser who is the customer.
He consumes you.
The viewer is not responsible for programming —
You are the end product.

What television did in the 1970s, social media does today. It consolidates access to disparate individuals over distances into audiences of varying sizes and offers them to advertisers.

Social media is mass media.

Social media, however, doesn’t serve audiences to advertisers alone. Given the right kind of incentives and development, audiences can be bought for other purposes.

There are almost no regulatory restrictions on audiences being identified, aggregated, bought, and resold, and very little comprehensive regulation regarding data privacy.

Elmo so far doesn’t appear to understand any of this, between his uneducated blather about free speech and his ham-handedness about Twitter’s business model.

I do not want to be sold carelessly and indifferently by Elmo.

~ ~ ~

If you are a social media user, even if validated or a celebrity with millions of followers, you are the product. You are being sold by the platform to advertisers.*

There may even be occasions when you’re not sold but used – recall the access Facebook granted to researcher Aleksandr Kogan in 2013 as part of experimentation, which then underpinned the work of Cambridge Analytica ahead of the 2016 election.

Facebook was punished by the Federal Trade Commission for violating users’ privacy, but there’s still little regulatory framework to assure social media users they will not be similarly abused as digital chattel.

What disincentives are there to rein in a billionaire with an incredibly short attention span and little self control now that he’s disbanded Twitter’s board of directors? What will prevent Elmo from doing what Facebook did to its users?

I’ve raised a couple kids with ADD. I don’t want to be on the other end of the equation, handled as digital fungible by an adult with what appears to be ADD weaponized with narcissism.

I deserve better.

I’m only going to get it if I act with this understanding, attributed again to Serra:

If something is free, you’re the product.

~ ~ ~

By now you should be used to hearing this, but I’m leaving this marriage, Elmo.

Treat this as an open thread.

__________

* We do not sell data about our community members.

Wednesday Morning: If It Ain’t Baseball, It’s Winter

It may be sunny and 90°F where you are, but it’s still winter here. A winter storm warning was issued here based on a forecast of 12 inches of snow and 35 mph winds out of the northeast off Lake Huron. For once, Marcy’s on the lee side of this storm and won’t be blessed with the worst of this system.

I’ll cozy up in front of the fireplace and catch up on reading today, provided we don’t have a power outage. Think I’ll nap and dream of baseball season starting in roughly five weeks.

Before the snow drifts cover the driveway, let’s take a look around.

Hey Asus: Don’t do as we do, just do as we say
Taiwanese computer and network equipment manufacturer Asus settled a suit brought by the Federal Trade Commission over Asus’ leaky routers. The devices’ insecurities were exposed when white hat hacker(s) planted a text message on the routers informing their owners the devices were open to anyone who cared to look. Terms of the settlement included submitting to security auditing for 20 years.

What a ridiculous double standard: one government agency demands a manufacturer produce and sell secure products, while another government department demands another manufacturer build in an insecurity.

Ads served to Android mobile devices leak like a sieve
Researchers with the School of Computer Science at the Georgia Institute of Technology presented their work yesterday at the 2016 Network and Distributed System Security Symposium, showing that a majority of ads not only matched the mobile user but revealed personal details:

• gender with 75 percent accuracy,
• parental status with 66 percent accuracy,
• age group with 54 percent accuracy, and
• could also predict income, political affiliation, marital status, with higher accuracy than random guesses.

Still some interesting work to be presented today before NDSS16 wraps, especially on Android security and social media user identity authentication.

RICO – not-so-suave – Volkswagen
Automotive magazine Wards Auto straps on the kneepads for VW; just check this headline:

Diesel Reigns in Korea as Volkswagen Scandal Ebbs

“Ebbs”? Really? Au contraire, mon frère. This mess is just getting started. Note the latest class-action lawsuit filed in California, this time accusing VW and its subsidiaries Audi and Porsche as well as part supplier Bosch of racketeering. Bosch has denied its role in the emissions controls defeat mechanism:

…The company has denied any involvement in the alleged fraud, saying it sold an engine control unit to Volkswagen, but that Volkswagen was responsible for calibrating the unit.

The scandal’s only just getting going when we don’t know who did what and when.

Worth noting Wards’ breathless excitement about VW passenger diesel sales uptick in South Korea. But then Wards ignores South Korea’s completely different emissions standards as well as the specifics in promotions for that market. Details, details…

Splash and dash

Don’t miss Ed Walker’s latest in his series on totalitarianism and Marcy’s fresh exasperation with polling on FBI vs Apple. Wind’s brisk out of the north, bringing the first wave of flurries. I’m off to check the gasoline in the snowblower and wax my snow shovels.

Under CISA, Would Wyndham Be Able To Pre-empt FTC Action?

The Third Circuit just issued an important ruling holding that the Federal Trade Commission could sue Wyndham Hotels for having cybersecurity practices that did not deliver what their privacy policies promised. The opinion, written by Clinton appointee Thomas Ambro, laid out just how bad Wyndham’s cybersecurity was, even after it had been hacked twice. Ambro upheld the District Court’s decision that FTC could claim that Wyndham had unfairly exposed its customers.

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.

On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation’s computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham’s motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision. We affirm the District Court.

[snip]

Wyndham’s as-applied challenge falls well short given the allegations in the FTC’s complaint. As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, Compl. at ¶ 24(a), did not restrict specific IP addresses at all, id. at ¶ 24(j), did not use any encryption for certain customer files, id. at ¶ 24(b), and did not require some users to change their default or factory-setting passwords at all, id. at ¶ 24(f). Wyndham did not respond to this argument in its reply brief.

Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.

The ruling holds out the possibility that threats of such actions by the FTC, which has been hiring superb security people in the last several years, might get corporations to adopt better cybersecurity and thereby make us all safer.

Which brings me to an issue I’ve been asking lots of lawyers about, without satisfactory answer, in other contexts.

The Cybersecurity Information Sharing Act prevents the federal government, as a whole, from bringing any enforcement actions against companies using cybersecurity threat indicators and defensive measures (or lack thereof!) turned over voluntarily under the act.

(D) FEDERAL REGULATORY AUTHORITY.—

(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.

(ii) EXCEPTIONS.—

(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.

(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.

Given this precedent, could Wyndham — and other negligent companies — pre-empt any such FTC actions simply by sharing promiscuously as soon as they discovered the hack?

Could FTC still sue Wyndham because it broke the law because it claimed its “operating defensive measures” were more than what they really were? Or would such suits be precluded — by all federal agencies — under CISA, assuming companies shared the cyberattack data? Or would CISA close off this new promising area to force companies to provide minimal cybersecurity?

Update: Paul Rosenzweig’s post on the FTC decision is worth reading. Like him, I agree that FTC doesn’t yet have the resources to be the police on this matter, though I do think they have the smarts on security, unlike most other agencies.