I worked on a support team for a company that that had some major financal institutions as a customer.
We had remote access to their networks at times. My very first day I was amazed how much access I had at will.
One day it was announced that a customer had come to us and demanded everyone had to meet X requirements to be able to work on their networks.
Not long after another financal institution made a similar request.
Some folks inside the company were a bit riled up by the requirements (background checks, some other things). They felt the requirements were absurd.
Considering the access we had I thought they weren't strict enough. As just a lowly support dude hired during the dot com boom because the company needed warm bodies (who could do some independent thinking / troubleshooting) ... I had a lot of access.
I don't know if they were thinking about spying like this, but I'm always amazed how much access people have to data and etc just from a technical support perspective (forget developers...).
Later the company outsourced support to other countries... I'm not even sure you need spies in the US / would know anyone was spying under those circumstances.
Support teams are probabbly a hell of a lot cheaper / easier to infiltrate / they get little / poor management / oversight. I saw tons of strange choices by our outsourced technical support staff, every single time I raised concerns it was discarded by something to the effect of "yeah they suck".
And that doesn't account for all the financial institutions who outsourced their own direct ops teams to other countries ... I'd call them and if they ever were capable of following instructions 9x out of 10 they'd open up the wrong network / modems / etc.
This is a very common answer to these stories on hackernews but this one is from a humble point of view that truly brings home the point.
My side is that I worked for a bank on the brokerage side for ten years in different positions. What always struck me was that my access was very carefully controlled, I was a background checked employee and had to meet with compliance once a year, etc etc.
However when a law firm asked for anything or consultants said they needed more data they just sent massive data dumps to the network admin guy, no questions further asked. At least not at my pay grade.
As I've consulted I ask for only what I need to keep my own risk down but it is always a surprise to my clients I don't want PII I don't need and only the data that my model will help enhance.
It's a tale that plays out in many forms. In the early 80's I worked for a goverment entity and had tough physical security to enter the building - however, monthly fire drill would see this large building empty onto the open carpark that was easily accessible as no perimeter fence and with that and the aspect that when re entering the building after the fire-drill, there was always one fire door open to circumvent the bottleneck at reception and with that - no security checks then.
Though many instances of weak links in process due to human nature that get overlooked and only come to light once there is an incident.
Which is the crux, incidents cause things to change, yet if you see that potential flaw the gravatas you have in flagging that issues is often dismissed because it hasn't happened. That is sadly often a pattern we see play out time and time again in many forms.
Literally yesterday we had an issue with someone trying to piggyback into the office behind an employee who had badged in. Said person was intoxicated and removed his pants in the elevator, so it was immediately apparent there was a problem, but what happens when it's someone more nondescript?
About two years after my company was bought by a larger one, I was the first person at the office one morning, only to find someone waiting outside the doors. Before I could ask, he introduced himself as an employee from an out-of-town office, and produced a company ID, so I let him in with me.
We had been told to expect some visitors from that office, but I was almost hoping he was not legit, since most of us at my location still do not have a company ID, so I couldn't really say if his was real or not.
Working with some massive insurance companies to build a technologically interesting product for them to reduce fraud, I was given their entire claims data sets for the previous decade as an outside consultant with zero background checks involved. I even raised that as a scary issue but was told to pipe down haha
Seen the same working with hospital datasets. We only used them on site (office of third party provider, not the hospital) and anonymized them, but from what I now know about fingerprinting our anonymizations wasn't strong enough and it was also up to us to do, after we received the real data. We mostly did it because we had friends, family and possibly ourselves in some of the hospitals.
We were told it was ok and all the paperwork had been done (we had a somewhat legitimate need), but if that's the case the standards are far too loose and there are far too many copies of patient data around.
Worked as a hospital clerk at one of the top hospitals in my country. This was in the mid 2000s. I thus had access to the system and all the information contained in the same. One day, I got an opportunity to serve a certain female legislator who was/is married to someone from my small city. A nephew of the the legislator's husband is a good friend. Now, I actually needed help from the legislator and thought it was unethical of me to get her contact details from the hospital's system. I eventually got the contact details from my friend. But, while I was careful about this ethical issues, I knew of a colleague of who didn't. While I didn't get the help I wanted from the legislator, I sometimes ask myself whether getting in touch with her, regardless of how I got the contact, was ethical. This dilemma is as a result of the fact that I only met the legislator courtesy of the privilege accorded me by the hospital.
Oh gosh yes. I couldn't have done the project without it, to be honest, not in the time frames needed. Still makes me a little queasy though, although I was the only person given access to said data sets and met with executives from said companies prior to, so I suppose it's not quite as crazy as I made it sound...
Senior managers don't need to control the servants' access because they won't take your job, they're lesser beings in the caste system. The control is there for those who might take your job or customers because they are caste equivalents.
At no stage are customers' concerns so much as considered. Control is not of the data, it's the vital control of peers and rivals. If you're not a rival, who cares?
I worked at a charter school for a while, and had access to the test scores and demographic data (including dob and ssn) not just for our students, but for every public school student in Texas, past and present.
The knowledge level on those staff's is often near 0, they operate with wonky budgets (here is a gazillion dollars for ipads... no money to maintain them or the rest fo the systems), and are just making do the best they can.
The IT staff at one complained to me the librarian at one elementary school kept changing things on them. In reality she had a clue and they couldn't even operate rudimentary role based access type system to stop her.
This is a function of how schools are funded in the US. This is the system you asked for through voting and tax policy (maybe not you, but you being the broad citizen).
Living inside the beast for my entire career - We have just enough funding to keep the doors open, and remain staffed at a minimal level. Additional funding, above what we can raise through local taxes, ALWAYS comes with an asterisk.
So we can get access to $50,000 supplemental funding this year, awesome. But we have to buy I-pads. Nevermind that literally every other piece of technology in the building is windows based. Oh, and we cannot spend that on infrastructure upgrades to the wi-fi system to support the extra capacity. And it has to be spent in six months or you lose it.
It's the way we're funded in the US. It isn't necessarily a function of the schools or the staff therein. Those people are generally trying to do their best.
It's the shit system and it needs to be burnt to the ground.
This is a function of how schools are funded in the US.
Not just schools. A lot of government-related sectors.
Transit is a big one. Back when I used to follow this sort fo thing, I would see a lot of municipalities turning down federal grants because the money could only be spent on buses, trains, an related infrastructure; and the towns and cities didn't have the money to pay for the people involved.
Maybe when self-driving vehicles become common, this won't be so much of a problem anymore.
Several years ago, one of our competitors implemented a public-facing web-based form for a local ISD. When the form loaded, the user was prompted with two pieces of info: a student's last 4 digits of SSN and their birthdate. The form then performed an AJAX request to the server, which did a DB lookup and pulled in ALL the transcript data of the matching student record to send back to the front-end.
Said competitor then presented this "solution" at a vendor conference and bragged about how amazing and easy to use it was and how the parents loved it because they no longer had to call the school to request transcripts yadda yadda. When casually asked about security/privacy concerns, their engineer basically said "well, how likely is it that an unauthorized party will know both a student's birthdate and the last 4 digits of SSN? Probably not very."
It's not a U.S. thing. It's a state thing. Not every state funds its schools through real estate taxes.
Nevada, for example, is funded by sales taxes, ad valorem property taxes ("property" as in things, not houses and land), gambling taxes, federal money, estate taxes, and mining taxes.
Currently reading snowden book, "Permanent record". At one point he says that private companies do a huge amount of work for the NSA & Co, and have ridiculous level of access to vast arrays of personal data, which they proceed to give to their employees or subcontractors for processing.
Not being a smart ass but how do background checks work for foreign persons? Say for a former student that came to USA 5 years ago and is 23 years old? Odds are that he will look clean in every way. Even if he's a spy all traces are covered.
My other comment was sent to oblivion because it is politically incorrect, but the reality is that a lot students have loyalties to the old country. Also when you add the family back there and corruption being a normal way of getting things done, these things are bound to happen. I don't suggest to freeze them out, just don't be surprised.
Not being a smart ass but how do background checks work for foreign persons?
Note that there are many different types of background checks, varying from things like "working with children" checks, to financial status checks, to security checks of different kinds.
You are correct - it's very hard for a foreign person to pass some types of these. In some cases that means it's very difficult for them to get one of these jobs.
Your other comment says different things though. I think it's a fair question "how do background checks work for foreign persons" vs "IMO, it's wayyy much easier to corrupt people from second or even third world countries, there corruption is the norm".
It is wayyyyyyy much easier, I'll repeat. To get things done corruption is used and the government can make or break, virtually everything in your life. Or your families'.
A lot of things are broken in USA but it's light years away in that department compared to a lot of countries.
I mean, you're not wrong that corruption is a bigger problem in many countries than it is in the USA (which I guess you see similar to how I've heard many Chinese see the CCP). But saying all "second or third world countries" (whatever would even fit that definition) is quite a generalisation. Even within your definition of first world countries where there isn't (much/any) corruption, why should an Austrian be loyal to Sweden and pass any background checks?
Companies who offshore also run across this dilemma. This is how companies can lose IP to competitors.
Let’s say an IC designer offshores some work, that company has other clients as well and the off shore company has access to a lot of the R&D of the client company. Lots of things can happen in that situation and does happen.
> My very first day I was amazed how much access I had at will.
Another branch where you might expect security awareness is anti virus companies. I'm a pentester and in smallish companies everyone knows everyone, but nobody knows me, yet most days I can tailgate into the office without question. This morning a lady asked suspiciously "are you looking for someone?" and I just replied that I know where to go, thanks. I walked on and she didn't pursue. Free rein.
I don't have to mention any specific company, this happens everywhere. Helpful, trusting that everything will be alright, clicking links... Vulnerabilities help but they are optional.
I wish I could tell people that having that much access raises legal issues for me.
It's not enough to have them sign a contract limiting liability because as a business they have far more lawyers than I do.
When I work on a contract I want to be able to say in court that I couldn't possibly be in any way related to the event of a bug, security breach or data loss because I simply do not have access.
It is genuinely worrying on my part to carry around credentials with that much data.
What if my laptop is hacked or stolen?
I do not want to be sued (again it doesn't matter if they have a valid case or not, I don't want to deal with legal fees or anything.)
A few months ago in Quebec we got a big cooperative bank "hacked" that way by an employee that got offered money by some insurance reseller.. He was able to export the data of 4.5 millions persons out and sell it to them. We recently found out that they were offering 40k$ to get it. Sure you could infiltrate them, but seems like even buying the data is quite accessible too.
BMO and another org in 2018. BMO's security was atrocious, for a while they had you use your 4-digit pin to log into online banking. One of the reasons I ended up switching to Tangerine...
Years ago, the key code to one of the back doors of a very large and well known financial institution in SF was extremely simple and consequetive and 4 digit sequence that everyone including contractors knew. I wonder if they ever fixed it?
I'd also remind that Twitter is surprisingly leaky for Chinese using it, even for people who can get foreign simcards to register an account.
API leak is one hypothesis, another one is that they got a mole there too.
The same goes to Facebook. A number of FB users got detained in China with no better explanation than MSS getting access to FB's internal information like phone ID and IMSI data in user database.
The most probable explanation people have crafted is following:
1. Using internal or external tips, MSS gets user account info of a person of interest
2. Their mole accesses the user database for info on cookies, IMSI, advertising ID and such
3. MSS than cross-references the data with data on the open market, like IMSI databases sold by mobile advertising companies
4. One way ticket to Heilongjiang is issued the next day, once the identity of the person is confirmed using logs of phone companies or ISPs.
Why would a serious government not walk through the open door and take what they needed while their agents collect two salaries? It's just a win-win for foreign intelligence. They would be negligent in their duties to NOT infiltrate US companies with open doors and permissive, trusting internal policies about user data.
Then the company can do the liability minimization dance when the FBI comes and points out that they are running a cheap data service for foreign spies. "We, uh, had no idea..."
But what should large tech companies do? Avoid hiring people from certain countries/heritages? Obviously that's not fair and not a good look. Same for putting extra monitoring on them. This is independent of Twitter apparently trying to downplay this and cover it up, which of course is wrong. It just seems like preventing this is really tough unless you state "we won't hire anyone who's lived in, was born in, or whose parents are from China, Iran, Saudi Arabia, or Russia", which is untenable.
Instead of targeted monitoring monitor everyone who has certain level of access regardless of origin? It's not like it's not scalable, obviously they are capable of widescale automation.
It's really not that easy to monitor for every possible violation/exfiltration, especially at that scale. Of course those need to be monitored for, but they're never perfect. NSA obviously had mechanisms to detect this, but it didn't work for Snowden.
They likely have already had such monitoring in place for years, and are probably augmenting it now. It just didn't work.
Given that the Chinese government uses coercion (esp. threats to family back home) on foreign workers in the US, every Chinese national working at any company in the US can be a potential mole. Think about that.
"If these contractors can't breach a target, intelligence officers assigned to specific cases come into action. They operate on the ground, near targets, by recruiting company insiders, or even coercing Chinese employees to aide their hacking efforts using blackmail or threats against families living at home." [1]
> Given that the Chinese government uses coercion (esp. threats to family back home) on foreign workers in the US, every Chinese national working at any company in the US can be a potential mole.
They also use money[1] on domestic workers in the US, everyone at any company in the US can be a potential mole. Think about that.
> Ali Alzabarah was panicked. His heart raced as he drove home from Twitter’s San Francisco headquarters in the early evening on Dec. 2, 2015.
Ok, how could you possibly know that? That's a pretty good guess, but writing it like it was the start of a novel… fells like read bait, really. Especially given the following:
> Alzabarah, Abouammo, and al-Asaker did not respond to requests for comment.
It’s not to verify identity. It’s more like imprimatur (anointed by Twitter as whatever). And that is stupid because it’s basically up to the whims of the company and becomes open to abuse internally and externally.
The original purpose was definitely to verify identity. Since parody accounts are allowed, it's valuable to be able to tell the real X from a parody X. This was especially true early on in Twitter's history. It was also useful in encouraging famous people to get on Twitter. "Look, if you start you own account, we'll clearly distinguish it for you. No more fakes!" And having famous people on Twitter was hugely valuable to encouraging growth.
Unfortunately, there's a strong correlation between "useful to verify" and "important", so pretty quickly it became a status symbol, especially for marginally notable people. And some people really like status! It's very similar to the problem Wikipedia has, where they daily have to delete a lot of BS biographies from the would-be famous.
This means that the program has been a headache for Twitter for a long time. I know when I worked there in 2017 they announced that they were suspending the program pending a major revamp of how it works. As far as I know nothing came of that; I think they quietly started giving out blue checkmarks again a while back.
Personally, what I'd like to happen is that they make it much broader and roll it up in a "Premium Twitter" feature. I pay them $50/year, they verify that I'm who I say I am, get rid of ads, and throw in a few other features. But I doubt that will happen, as IMHO Twitter is incredibly bad at getting anything done.
I agree with your take and suggestions. They probably feel it would dilute the value. As you suggest, they could add “Premium” or “Pro” labels to distinguish people who pay for status. Maybe charge them by audience or reach as well.
IIRC it was originally to verify celebs real accounts. Then they said anyone with more than a certain number of followers and now it seems to be just a status symbol.
I guess it was originally intended to get people to reveal their real identities. Especially for celebrities that often had fake accounts with their name.
There are some groups that take it as a warning sign for craziness. Funnily, it often seems they are onto something.
I think that is precisely the purpose. If you’re looking for Donald Trump’s Twitter profile the idea is the blue tick helps you find the right one rather than a parody.
It originally was to verify identity. Then they started withdrawing it from controversial figures, as if those people stopped being who they really were overnight. Nowadays it just means “this persons views are endorsed by Twitter staff”.
That's surely not true. Lots of people have blue checks even though Twitter staff would never endorse their views - Ben Shapiro, Steven Crowder, Candace Owens, and so on.
I think the claim is a little more nuanced. Basically yes those people went over a line and got punished but at least some claim that others also go over that line but don’t get punished (as often).
> Nowadays it just means “this persons views are representative of Twitter staff”.
For example both Sanders and Trump have a blue tick. They obviously can’t simultaneously be representative of a majority of Twitter’s staff’s views, can they? And I’d estimate Trump isn’t representative of a substantial number of these west-coast tech workers at all. So that doesn’t seem to hold up.
Trump is a special case in that Twitter said that they would treat heads of state (both foreign and domestic) differently. They might have something internal for accounts with large followings (Kardashians).
Assange is an interesting case in that despite renown and following they refuse to give him a check mark and suspended the WL account as well.
Ok, excluding heads of state, and even other politicians, are for example the views of Jordan Peterson representative of Twitter employees? Seems unlikely.
I expect his is a holdover from before and it will be revoked as soon as they notice.
PS I tweaked my comment after you started to write your reply but before I saw it; the wording is better now but the meaning is basically the same. Sorry!
I remember serious concerns about Australian citizens suddenly being legally required to be spies for the Australian government regardless of where in the world they're working due to a new anti encryption law sometime in 2016. That and Twitter somehow being caught with their pants down regarding user phone numbers and other personal information makes it all the more important that all the engineers and product people on this site make it very clear to management that the systems must be set up in a way that simply doesn't allow people to access that information. It's morally good and it might prevent you from making the papers as a host of a bunch of spies that got your Chinese, Saudi Arabian, or Turkish users assassinated or jailed.
> regardless of where in the world they're working
I don't think this is correct. The legislation as drafted didn't seem to claim extra-territoriality and courts will basically never interpret legislation as being extra-territorial without an explicit clause.
There's also the point that if you are overseas and refuse to comply with a request by ASIO or whathaveyou, they can't legally arrest you outside of Australia. In theory they'd need to ask for your extradition, but that requires equivalent laws to be in operation in the country you're extraditing from. But you'd be at risk of arrest upon returning to Australia.
That doesn't stop it from being a terrible law. And it also doesn't stop me from not being a lawyer who isn't giving legal advice.
In 2018 those laws were actually passed, and there's a tonne of uncertainty around them (which is probably on purpose). It's had a chilling effect on exporting software from Australia, too, at least for two business I've worked with since, though that seems to be warming again lately for better or worse.
> At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI complaint, who arrived in a white SUV two hours later. Driving around Alzabarah’s neighborhood, the two men called “Foreign Official-l” — al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after midnight, the consul general called Alzabarah back and spoke with him for three minutes.
Slightly off-topic: I feel that gives a good idea of how much information can be extracted from very simple metadata (here timestamp and number called) in that kind of context.
"Prince Alwaleed Bin Talal Bin Abdulaziz Alsaud, who in 2011 invested $300 million in the social network, now owns 34.9 million shares of Twitter’s common stock, according to a new regulatory filing (pdf)."
That is from 2015, but as far as I know he still owns a huge stake in the company. It would seem relevant when discussing SA's influence on Twitter, but I don't see it mentioned in the article for some reason.
Why should we focus exclusively on low level henchmen when there's a huge Saudi influence on Twitter like that one?
Why should we believe that owning the single largest stake--one even larger than the Jack's--isn't relevant when discussing how they influence Twitter to get what they want?
Well to start the actual information in the story is about the folks involved... and they got all that done without any overarching conspiracy from ownership.
So is the risk here some unproven ownership influence, or the something any given dude can just go and do if he can get a job?
I think that's a very strong claim. What's your evidence for it?
I'm not saying the two things are related. But I'm happy to say that if I wanted to unduly influence a company, buying a significant part of it would be one of the things I'd look at.
You made a positive claim that the two had nothing to do with one another. The kind of evidence that could prove that might include logs of conversations between Twitter execs and reps of Saudi investors.
I agree that nothing has come to light demonstrating that their was behind-the-scenes influence in aid of this. But absence of evidence is not evidence of absence.
Sure. Nothing at all.
Except that Prince Walid surrendered his investment to the same people who ran moles at Twitter.
Nothing to see here.
It's just a coincidence.
Move along.
The story likely plays out just the same regardless...
I get what you're saying but the whole "it's a conspiracy here is some unrelated thing I can't connect but I'm suspicious" thing is such an easy to do, the internet is full of it... I don't think it adds anything, or is even accurate.
And let's say somehow that thing with the investment doesn't happen.... I don't think that changes the story or the lessons from it.
They didn't really need the investment to plant the spies. He just applied for a job and got it. Any foreign spy can do the same and nothing will change.
This seems to me like focusing on the trees instead of the forest. I would think that when discussing Saudi control over a company, we might be interested in more than just some low-level henchmen, but maybe the Saudi prince who owns a third of the company.
To hear some other people talk, this is "conspiracy" territory now. But c'mon, we're supposed to believe that some nobody henchmen are solely responsible for this and ignore the fact that the Saudis own a third of the company.
so my question is simple, did twitter engage the FBI or an auditing company to verify the rest of the staff who have access to sensitive data?
It would seem to be a concern they would have to follow up on. You can put in all the procedures you want and declare compliance to auditors but it only serves to make paper pushers happy.
I wonder - would such audit be in their interest? Perhaps it's easier for Twitter if foreign dissidents know that Twitter is not safe to use for them, and go elsewhere. Twitter then does not have a risk of politically charged situations, and can peacefully exist by serving the usual harmless inane chatter of general population.
I was wondering if it was an SRE when the original story came out.
I'd be interested in seeing perspectives on how you avoid this scenario. While you could isolate data access by team in many models, you're still going to have engineers who have access to valuable data. Random access audits? But what about the scenario where your database lives on someone else's hardware?
I guess you could always decide you want to use your cloud providers FedRAMP-compliant offerings.
OK, but please don't post unsubstantive comments to Hacker News. Maybe you don't owe shit-shows of companies better, but you owe this community better if you're commenting here.
People from certain countries are different, they have different values and some loyalties to the old country. IMO, it's wayyy much easier to corrupt people from second or even third world countries, there corruption id the norm.
Money is not an issue for a nation state and then they can fix things for family back home etc etc so they are bound to find people that say yes.
We had remote access to their networks at times. My very first day I was amazed how much access I had at will.
One day it was announced that a customer had come to us and demanded everyone had to meet X requirements to be able to work on their networks.
Not long after another financal institution made a similar request.
Some folks inside the company were a bit riled up by the requirements (background checks, some other things). They felt the requirements were absurd.
Considering the access we had I thought they weren't strict enough. As just a lowly support dude hired during the dot com boom because the company needed warm bodies (who could do some independent thinking / troubleshooting) ... I had a lot of access.
I don't know if they were thinking about spying like this, but I'm always amazed how much access people have to data and etc just from a technical support perspective (forget developers...).
Later the company outsourced support to other countries... I'm not even sure you need spies in the US / would know anyone was spying under those circumstances.
Support teams are probabbly a hell of a lot cheaper / easier to infiltrate / they get little / poor management / oversight. I saw tons of strange choices by our outsourced technical support staff, every single time I raised concerns it was discarded by something to the effect of "yeah they suck".
And that doesn't account for all the financial institutions who outsourced their own direct ops teams to other countries ... I'd call them and if they ever were capable of following instructions 9x out of 10 they'd open up the wrong network / modems / etc.