> When the conversation concluded, management seized Alzabarah’s laptop, put him on administrative leave, and escorted him out of the building.
> At 5:17 p.m. he called a handler, identified as Associate-1 in the FBI complaint, who arrived in a white SUV two hours later. Driving around Alzabarah’s neighborhood, the two men called “Foreign Official-l” — al-Asaker, according to the Washington Post — at 7:20 p.m., and again at 7:22 p.m. and 7:31 p.m. They then called Dr. Faisal Al Sudairi, the Saudi consul general in Los Angeles, at 8:30 p.m., 8:38 p.m., and 9:26 p.m. Shortly after midnight, the consul general called Alzabarah back and spoke with him for three minutes.
> Early the next morning, Alzabarah, his wife, and daughter boarded a plane for Saudi Arabia.
https://www.buzzfeednews.com/article/alexkantrowitz/how-saud...
Twitter basically let him walk out. Probably afraid of backlash in case they called the cops on him.
I’m curious about it if the authorities act on it as an urgent situation.
Internal controls at a company of the size of Twitter is no longer optional. You don't have to intend malice to be guilty of negligence.
Equifax never gave guarantees of security and data safety either, but it's understood that they should be responsible.
Wait until you hear about cell site location data...
[...]
During his employment at Twitter, Mr. Alzabarah had grown increasingly close to Saudi intelligence operatives, Western intelligence officials told executives. The operatives eventually persuaded Mr. Alzabarah to peer into the accounts of users they sought information on, including dissidents and activists who spoke against the crown, multiple people have told The Times.
https://web.archive.org/web/20191107003511/https://www.nytim...
Mr. Khashoggi’s online attackers were part of a broad effort dictated by Crown Prince Mohammed bin Salman and his close advisers to silence critics both inside Saudi Arabia and abroad. Hundreds of people work at a so-called troll farm in Riyadh to smother the voices of dissidents like Mr. Khashoggi. The vigorous push also appears to include the grooming — not previously reported — of a Saudi employee at Twitter whom Western intelligence officials suspected of spying on user accounts to help the Saudi leadership.
https://web.archive.org/web/20191107062324/https://www.nytim...
Charges were for acting as foreign agent without notice and records falsification.
https://web.archive.org/web/20200920010209/https://www.washi...
They are required to turn over data to the US federal authorities without a warrant (under FAA702), and they do this over 30,000 times per year per their own transparency report.
The mind reels. Can you imagine how much this is used for blackmail, extortion, coercion, parallel construction, etc?
I'm sure the death toll is large and the harassment tool even higher.
Access controls are just not a priority while blitz scaling and then very difficult to patch on after the fact.
That's why the app that I'm writing now, started off as seriously tinfoil. In fact, I've had to [reluctantly] loosen some of the armor, in order to add a few features.
I won't say that it's Fort Knox, but it ain't gonna be easy to crack.
The demographics of its target user base are pretty paranoid, so I have to do my homework.
We don’t convict in absentia. This is the one who got left behind.
Apparently “Alzabarah [is] believed to be in Saudi Arabia” [1].
What the fuck?! Sooner we can decouple from that regime the better in my book.
[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...
"The Saudis, a despotic, murderous regime who... er, what's that? Gas prices are where? The Saudis, a heroic, brave people, living in a wonderful country with a deep culture of..."
"Yeah, hey, buddy, pal, MBS-o, think you could maybe squeak out a couple more MBPD? Elections coming up and... oh... really? Few hundred thousand, tops? Well, I guess, see what you can do... thanks!"
sigh :(
https://www.economist.com/1843/2022/07/28/mbs-despot-in-the-...
1) Completely out of his f---ing mind!
2) Indisputably important and in control.
3) Remarkably easy to please.
Now, sure, I could be wrong about any of these -- my sources of information are almost exclusively the US/EU press, which are not free of bias and might hold a globally minority definition of "truth."
But when you consider what's at stake, and which other famous defenders of Human Rights we're in bed with, I honestly can't understand why we (US/EU) are not working more actively with the most transparent one.
They didn’t.
“Abouammo was arrested in Seattle, Washington, on Nov. 5, 2019, and made his initial federal court appearance in Seattle at 2:00 p.m.on Nov. 6, 2019” [1]. He is the one they left behind.
[1] https://www.justice.gov/opa/pr/two-former-twitter-employees-...
https://www.ojp.gov/ncjrs/virtual-library/abstracts/trial-ab...
It seems like he largely got off on what is effectively a technicality, but I doubt anyone would seriously argue what he did _should_ be legal.
It's "end to end encrypted" but then the device's private iMessage syncing keys ("Messages in iCloud") are included in an iCloud Backup, which is not end-to-end encrypted, backdooring the crypto. This means that Apple can decrypt the iMessages as they transit Apple's servers in realtime, using the device private keys you backed up (without e2e) the previous evening.
Even if you turn off the non-e2e iCloud Backup backdoor, your iMessages will still get compromised because it's on by default and all of the other people you iMessage with haven't turned it off.
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
iCloud Photos isn't end to end encrypted at all. It syncs every photo you take to Apple servers effectively unencrypted. Apple can see all of them, and so can the US government (without a warrant). Turning off iCloud is indeed an effective mitigation for this, which keeps your photos on-device.
The backend is a modified version of my BAOBAB server[0], which was actually a "learning" project, for me, but it works quite nicely.
This is the Security document[1] for the generic BAOBAB server. The customization was to add support for a specific workflow that is designed for the app, itself, and the customization is proprietary, as is the source for the iOS app.
This is the dependency manifest of the iOS app:
// MARK: -
// MARK: - DO NOT TRANSLATE BELOW THIS LINE -
// MARK: -
"SLUG-VERSION-BMLT" = "BMLTiOSLib: 1.5.3";
"SLUG-VERSION-KEYCHAINSWIFT" = "KeychainSwift: 20.0.0";
"SLUG-VERSION-LGVCLEANTIME" = "LGV_Cleantime: 1.3.5";
"SLUG-VERSION-UICLEANTIME" = "LGV_UICleantime: 1.1.1";
"SLUG-VERSION-AUTOFILL" = "RVS_AutofillTextField: 1.3.0";
"SLUG-VERSION-GCD" = "RVS_BasicGCDTimer: 1.5.0";
"SLUG-VERSION-CHECKBOX" = "RVS_Checkbox: 1.2.1";
"SLUG-VERSION-OBSERVER" = "RVS_GeneralObserver 1.1.0";
"SLUG-VERSION-GST" = "RVS_Generic_Swift_Toolbox: 1.10.1";
"SLUG-VERSION-MB" = "RVS_MaskButton: 1.2.0";
"SLUG-VERSION-PP" = "RVS_Persistent_Prefs: 1.3.2";
"SLUG-VERSION-UKT" = "RVS_UIKit_Toolbox: 1.3.2";
"SLUG-VERSION-WHITEDRAGON" = "White Dragon SDK: 3.2.2";
It's from my Settings bundle localization file, so the syntax is strange. These are all open-source. I did not write KeychainSwift, but I wrote everything else (I have control issues. I don't like using code that other people wrote, unless it's really good, absolutely necessary, and is something I completely trust). They should be easy to find on GitHub. They are all SPM modules.The app, itself, is fairly large, at over 30 screens (it was a lot more, but I'm doing the "Thoreau" treatment -Simplify, simplify, simplify- to it). I have been working on it for over a year and a half.
[0] https://riftvalleysoftware.com/work/open-source-projects/#ba...
[1] https://riftvalleysoftware.com/BAOBAB/PDFs/Security.pdf (Downloads a PDF).
To me it sounds like it’s a civil case where domain specialists need to prove the wrongdoing in court.
https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...
To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.
Twitter is an international company with international users, and the law protects the users of that country/legislation.
Under GDPR, and other international laws, PII is legally protected.
Even if you're an American company, you can't disregard laws of other countries if they're going to be using your product.
Some businesses do require their partners to have additional controls on PII handling. But that's purely a business issue and has no relationship to SOX.
Read the law. Seriously, it's posted online. You can just go look.
"SOX itself never mentions cybersecurity. However, in 2018, the SEC released a “Commission Statement and Guidance on Public Company Cybersecurity Disclosures (the Guidance).” (https://www.sec.gov/rules/interp/2018/33-10459.pdf) The SEC realized that increased technology use and data breach risk impact corporate financials. In fact, the Guidance lists several financial risks linked to cybersecurity:
Remediation costs Cybersecurity protection costs Lost revenue due to customer churn after an attack Litigation and legal risks, including regulatory fines Increased insurance premiums Reputation damage Damage to competitiveness, stock price, and long-term shareholder value In order to comply with SOX, public companies need to ensure that they establish appropriate controls and security monitoring programs that mitigate risk.
In 2020, the SEC released new guidance “Cybersecurity and Resiliency Observations” (Resiliency Guidance) (https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resil...) through its Office of Compliance Inspections and Examinations (OCIE). This revised guidance offered greater specificity for organizations that need to file public financial reports."