Axios Login: Twitter's security alarm

Plus: Fitbit's new gear | Wednesday, August 24, 2022

Open in app View in browser     Axios Login By Ina Fried · Aug 24, 2022 There's going to be a BlackBerry movie! 🤔 Situational awareness: Facebook reportedly suffered a strange bug this morning that filled users; feeds with nonstop celebrity posts. Today's newsletter is 1,269 words, a 5-minute read.     1 big thing: Twitter's security alarm Illustration: Rebecca Zisser/Axios   Twitter security is a huge mess, its former security boss charged in a whistleblower complaint — but huge security messes are all too common in the online world, Axios' Scott Rosenberg and Sam Sabin report. What they're saying: "Regulators, media and users of the platform will be shocked when they inevitably learn about Twitter's severe lack of security basics," Peiter "Mudge" Zatko, who had just been fired as Twitter's security head, wrote in a report he intended to deliver to the company's board in February. Driving the news: Zatko's complaint — filed with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission — landed with explosive force on the already high-stakes legal battleground between Twitter and Elon Musk. Yes, but: You wouldn't have to hunt too hard to find plenty of other companies that would flunk the sort of basic scrutiny Zatko applied to Twitter's practices. Between the lines: Many of the security issues Zatko identified in that report sound jaw-dropping, but may not be that far outside the norm. He found that: more than half of Twitter employees had direct access to the service's live code and data; 30% of employees' computers were not set up for automatic updates; 60% of data center servers ran out-of-date operating systems; and Twitter "dealt with more than ~50 incidents in the past year," primarily as a result of these three "systemic areas of risk." None of that is good. But findings from SecurityScorecard — a company that studies the public online infrastructure of companies to figure out how vulnerable they are to hackers — suggest that Twitter's cybersecurity performance is probably about average. Typically, Twitter has had a score in the 80s (out of 100), matching those of similar companies in the industry that SecurityScorecard measures. The big picture: Twitter's security woes are longstanding, and since 2011 it's been operating under a Federal Trade Commission consent decree requiring it to up its game. Zatko's complaint puts the company once more in the FTC's sights, and lawmakers' staff — including aides for Sen. Chuck Grassley (R-Iowa), the top Republican on the Senate Judiciary Committee — have already had briefings from the whistleblower. Zatko's complaint is also being evaluated in terms of whether it will benefit Musk or Twitter in their high-stakes and brightly spotlit legal fight. Observers say Zatko's security alarms and arguments about Twitter's failings in measuring spam and bots appear to bolster Musk's critique of the company, but it's less clear that they help his legal case that Twitter broke the terms of its deal. But John Tye, Zatko's lawyer, said Tuesday that Zatko began working on his complaint in March, before Musk told the world he wanted to buy Twitter. That suggests Zatko's story is less about Musk's lawsuit and more of a classic boardroom pattern that the tech industry keeps repeating. In this scenario, corporate management invites a highly credentialed and widely respected expert into its ranks to help it clean house — then ends up rejecting the expert's recommendations and showing him the door. Alex Stamos joined Facebook as chief security officer in 2015 and quit in 2018 after the Cambridge Analytica scandal. Before he left he shared a memo urging the company to change course. "We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world," the note said. After Stamos' departure, Facebook said it would not replace him and reassigned its security personnel to different parts of the company. Be smart: Stamos' story and Zatko's are more parallel than matching — Stamos' internal conflict at Facebook was largely over fighting disinformation, not everyday security hygiene. But the dynamic that pits CEOs against security heads is common in the industry, SecurityScorecard CTO Christos Kalantzis told Axios. "Security requires engineering attention, and in a lot of hyper-growth companies, there's an over-indexing on new feature velocity vs. 'Let's make sure everything is as secure as possible,'" he says. The other side: A statement by Twitter CEO Parag Agrawal said that Zatko had been fired for "ineffective leadership and poor performance" and that his claims "so far" are "a false narrative that is riddled with inconsistencies and inaccuracies."     2. Google unveils a new crop of Fitbit gear The fall 2022 Fitbit lineup: the Inspire 3, Versa 4 and Sense 2. Image: Google   Google this morning announced three new Fitbit wearables, packing additional sensors along with other software and hardware updates. Why it matters: With the launch, Google is showing its commitment to continue the Fitbit line of trackers even as it works to incorporate some of Fitbit's technology into other products, such as the forthcoming Pixel Watch. Details: The new products represent the first family of products developed under Google, though they are incremental updates to products introduced prior to last year's acquisition. At the high-end, the Sense 2 smartwatch ($299) packs a body response sensor, a continuous stress-monitoring sensor as well as FDA-cleared heart rhythm detection. The mid-range Versa 4 smartwatch ($229) includes built-in GPS and 40 different exercise modes. The entry-level Inspire 3 ($99) offers up to 10 days of battery life along with stress management features, sleep-tracking and fitness capabilities All three new Fitbit models include six months of the company's premium service and are available for pre-order. The Inspire 3 will start shipping next month, with the other two models promised for some time this fall. The big picture: Google's launch comes ahead of the latest Apple Watch models, which are expected to debut at an Apple event on Sept. 7. Google has teased (but not formally announced) a Wear OS-based Pixel Watch, due this fall, that will incorporate some of Fitbit's technology.     3. Meta settles $37.5M location tracking lawsuit Facebook parent company Meta has reached a $37.5 million settlement in a lawsuit that accused the company of violating user privacy by tracking location data through smartphones without asking users to do so, Axios' Herb Scribner reports. The big picture: Meta continues to face legal challenges and recently reached a separate $90 million settlement over location tracking. Details: The new settlement resolves accusations that Facebook used IP addresses to determine users' locations, even though those users had turned off location services, per Bloomberg Law. Facebook was accused of using the data for targeted ads, per Reuters. The preliminary settlement was filed in a San Francisco federal court Monday. Facebook spokesperson Emil Vazquez confirmed the settlement in an email to Axios. Of note: The lawsuit covers Facebook users in the U.S. who used the social network any time after Jan. 30, 2015, per Reuters. Separately: The FTC agreed in a court filing to drop Mark Zuckerberg as a defendant in its antitrust complaint that seeks to block Facebook from buying VR fitness company Within, so long as Zuckerberg agrees not to personally acquire the startup. Meanwhile, both Snapchat and TikTok reached settlements with Illinois this month over accusations of violating the state's Biometric Information Privacy Act. Snapchat settled for $35 million following a suit that alleged its photo filters and lenses stored users' biometric data without their consent. And TikTok settled for $92 million over claims that the platform illegally collected biometric data from users and shared it with third parties.     A message from Axios NEW: Subscribe to Axios Communicators     Get the latest topics and trends impacting the way leaders, organizations and employers communicate. Why it matters: Axios Communicators will help inform your strategy and offer insight into the rapidly evolving world of sharing and receiving information. Subscribe for free     4. Take note On Tap Nvidia, Snowflake and Salesforce are all reporting quarterly results after the markets close today. Trading Places AMD executive vice president Mark Papermaster is joining the board of publicly traded Smart Global Holdings. ICYMI Intel is partnering with a Canadian asset manager to help fund its factory expansion. (WSJ) Capitol Records has dropped its deal with an AI-powered rapper bot following backlash. (XXL Magazine)     5. After you Login I don't have strong feelings on dogs using slides, but these pups certainly seem to be having a good time.     A message from Axios NEW: Subscribe to Axios Communicators     Get the latest topics and trends impacting the way leaders, organizations and employers communicate. Why it matters: Axios Communicators will help inform your strategy and offer insight into the rapidly evolving world of sharing and receiving information. Subscribe for free   Are you a fan of this email format? It's called Smart Brevity®. Over 300 orgs use it — in a tool called Axios HQ — to drive productivity with clearer workplace communications.   Axios thanks our partners for supporting our newsletters. If you're interested in advertising, learn more here. Sponsorship has no influence on editorial content. Axios, 3100 Clarendon B‌lvd, Arlington VA 22201   You received this email because you signed up for newsletters from Axios. Change your preferences or unsubscribe here.   Was this email forwarded to you? Sign up now to get Axios in your inbox.   Follow Axios on social media: