When the "Show Me" fails
What crypto scams have in common with E.U. scandals and Twitter shadow bans.
There are a couple of concepts from the cybersecurity world, not to mention the financial world, that seem to form a thread linking many of the stories above the fold in the news lately. There’s FTX; Sam Bankman-Fried was supposed to testify before Congress Tuesday, but he didn’t, since he’s been arrested in the Bahamas, awaiting extradition on U.S. charges of wire fraud and money laundering, along with a basket of securities violations. There’s the growing scandal of the EU and Qatar. And there’s Twitter and Elon Musk.
The news stories you’re reading today are invariably linked to a lapse of what we in the risk world call “technical controls.”
FTX and Sam Bankman-Fried are probably the most heinous example of a lack of controls since Bernie Madoff and Enron. FTX lacked even an accounting department. The company, on paper worth billions, was set up by well-connected former Wall Street hedge trader Bankman-Fried, and depended on a network of companies including Alameda Research, a trading company, the Bahamas-based international exchange, and the U.S.-based exchange, all backed by cryptocurrency and funded by VC cash. There were no controls—and no oversight—on how the company, and its founder, used actual cash versus cryptocurrency, which was secured in digital wallets using the ultra-secure blockchain. But FTX could get into everyone’s wallet, and Alameda had unlimited access to FTX money, converting real cash into high-risk investments.
Meanwhile, Bankman-Fried took the VC money and kept it for himself. He lavished it in donations to Democrats (and Republicans). He built homes for himself and his mother. He did all that with real money, and when Alameda’s bets went sour, they simply reached into the piggy bank of customer money to pay the margin call. Then when customers demanded their money in the crypto equivalent of an old-fashioned bank run, it all came crashing down.
In cybersecurity, “technical controls are better than policy controls” is not just a saying, it’s a concept applied by auditors and security assessors. When you’re dealing with mega-corporations and their vendor risk departments, you always get a “show me” to prove that a policy is enforced. “Where’s the evidence?” No evidence, no control. And then you get “show me under the hood.” It’s not enough to say that you require 18-character pass phrases that are vetted against known cracked blacklists, you have to show the auditors how you enforce it, and what the user sees.
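What the "show me under the hood" demand looks like in practice, as an added example that is not code from the article: the passphrase rule the paragraph mentions (18 characters minimum, vetted against a known-cracked list) is enforced in code on every attempt rather than stated in a policy document, and each decision produces an audit record that an assessor can inspect without ever seeing the secret. The breached-passphrase list here is constructed for the example; a real deployment would load a breach corpus instead.

```python
import hashlib
from dataclasses import dataclass, asdict

MIN_LENGTH = 18  # the policy figure from the text: 18-character passphrases

# Constructed sample of "known cracked" passphrases. They are stored only as
# SHA-1 digests so the control never holds the plaintext breach data itself.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in (
        "correct horse battery staple",
        "password123password123",
        "letmeinletmeinletmein!",
    )
}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str          # the message the user sees
    digest_prefix: str   # first 5 hex chars of SHA-1: evidence without the secret


def check_passphrase(candidate: str) -> Verdict:
    """Technical control: the rule is evaluated here, on every submission."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    prefix = digest[:5]
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"too short: {len(candidate)} < {MIN_LENGTH}", prefix)
    if digest in _BREACHED_SHA1:
        return Verdict(False, "appears in a known-cracked list", prefix)
    return Verdict(True, "ok", prefix)


AUDIT_LOG: list = []  # in-memory stand-in for the evidence an auditor asks for


def set_passphrase(user: str, candidate: str) -> bool:
    """Apply the control and record the outcome; returns whether it was accepted."""
    verdict = check_passphrase(candidate)
    AUDIT_LOG.append({"user": user, **asdict(verdict)})
    return verdict.accepted


if __name__ == "__main__":
    for user, phrase in (
        ("alice", "short"),
        ("bob", "correct horse battery staple"),
        ("carol", "a constructed phrase nobody has leaked yet"),
    ):
        print(user, set_passphrase(user, phrase), AUDIT_LOG[-1]["reason"])
```

The audit log carries the outcome and a five-character hash prefix, so an assessor can confirm the rule fired on a rejected attempt without the log becoming a second copy of the secret.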
Another cybersecurity concept is called “zero trust.” This came from the principle of “least privilege,” which itself came from the military classified system of compartmentalization and “need-to-know.” You shouldn’t have access to things that you don’t need to know, and “zero trust” takes that concept all the way from the keyboard to the data, assuming that there’s no longer such a thing as a “trusted” network since everyone is in the cloud, or working from some remote place these days. Every access needs to be vetted against “who are you,” and “do you need to know.” Every time, no exceptions.
These are not new concepts, really. The military has had them in place for decades. The Marine lance corporal guarding his vault isn’t going to let the major in, even if he personally knows the major, if the major doesn’t have the proper credentials, and he is going to check those credentials every single time the major shows up. If the major tries to make an exception one time, the lance corporal is well within his orders to put the major on the ground with an M-16 barrel in his ear. Don’t test this—these guys are drooling for you to try it.
There’s no better technical control than the armed Airman/Soldier/Marine/Sailor with a “use of deadly force is authorized” sign behind him. The policy is “zero trust,” and the control is the guard who will shoot you.
A few basic controls at FTX, say a risk management department (even one person), and an accounting department to handle daily settlements, would likely have avoided all of this. But the VCs who piled cash into the FTX empire never asked Bankman-Fried to prove he had them. They just believed that someone with the right credentials—Wall Street—would naturally do it correctly. They were wrong to trust him, and worse, they knew they were wrong. But the VCs are not going to jail; Sam Bankman-Fried will be their example to themselves to be more careful next time.
On to the EU.
What a mess. Here, it’s a culture issue. In Brussels, it’s far more important to pretend everyone in the stuffed-shirt European Parliament is a trusted friend and committed internationalist than it is to, you know, not be corrupt. They play pretend that the Qataris would never bribe high EU elected officials, when the Qataris have a history of bribes to get what they want. They are shocked, positively shocked, that Greek Vice President Eva Kaili, assistant Francesco Giorgi, former member of the European Parliament Antonio Panzeri and Luca Visentini, head of the International Trade Union Confederation, would be corrupt.
Not everyone is surprised. Law professor Alberto Alemanno tweeted, “#Qatargate is self inflicted damage.”
A large, diverse organization with little accountability, like the EU Parliament, or the U.N. for that matter, is always subject to corruption. These people have no loyalty to each other, and the knives come out quickly when they are threatened. Many of them are in the internationalist game to feather their own nests. This is why these kinds of organizations are top-heavy, bloated and reliant on massive policies that are rarely enforced with technical controls, other than some bloviating pooh-bah signing off on something shiny.
A side note. Honestly, the most effective technical control on the U.N. is the stone cold stupid Trump play—get out (he he, the UK did with the EU, didn’t it?). Of course, they say, we need the U.N., but few can tell me for what? Even the U.N.’s most respected arms could easily function (and better) as NGOs, where risk management, transparency, and donor relations form a good bed for technical controls. A bad charity is no different than a scam, and so are most U.N. organizations—of which the EU Parliament is a poor replica—when it comes to effective spending and tight controls.
Why anyone trusts the ripe sausage that gets made in the EU Parliament is beyond me. And most critical-thinking people don’t trust it. They shouldn’t because of a lack of internal controls. On another Qatar-related thread, FIFA learned this lesson the hard way, and they’re still learning it.
Last, there’s Twitter. From a business perspective, Twitter is one of those ideas that always had me scratching my head, asking “how do you monetize this?” The company amazingly has $3.7 billion in annual revenue. But in 8 of the last 10 years, Twitter has failed to turn a profit, losing $650 million in 2013, and nearly half a billion in 2021. Over that 10 years, Twitter’s cumulative net loss is just over $2 billion.
Their revenue is in the form of selling advertising space in people’s timelines as “promoted tweets,” and in selling analytics. The more real eyeballs that look at tweets, the more money Twitter makes. Bots looking at retweeted bot tweets should not make money for anyone. And this is a perverse incentive to look the other way at some of the most viral—and awful—content because it generates a lot of eyeballs. Investopedia breaks it down.
Twitter measures its user base using a metric it calls monetizable daily active users (mDAU), which is broadly defined as the total number of user accounts that were logged in and accessed Twitter on any given day. Twitter's average mDAU in the fourth quarter of FY 2021 rose approximately 13% YOY to 217 million.
Twitter wanted to be addictive, and at the same time, its employees wanted it to serve people who fit the general outline of their own politics and worldview. Which means it attracted a lot of media types, journalists, and a goodly number of trolls. It’s the bot and troll count that had Elon Musk worried, and he felt that the company had underestimated the number for years to bulk up its mDAU.
In social media, the monetizable portion of eyeballs lacks strict controls. I searched and could find no set AICPA standard for measuring mDAU. Twitter spent its cash building more and more staff, to do less and less actual innovation, adding secret controls that pull hidden levers all over the service to control what appears to be “trending” and from whom. The biggest breakthrough Twitter has made in the last five years is going from 140- to 280-character tweets.
Twitter’s biggest policy control to keep it from becoming a sewer of racism, cannibalism, Lord of the Flies-level bullying, doxxing and crowd dogpiles was supposed to be its Trust and Safety advisory group. These are the outsiders who were pledged to oversee Twitter’s internal controls and efforts to combat “hate speech, child exploitation, suicide, self-harm and other problems on the platform.” Elon Musk saw it as a useless body and disbanded it Tuesday.
The best controls against evil uses of Twitter are technical controls, linking the person at the keyboard to the tweets being sent. This means a more aggressive stance against bots and troll accounts, regardless of what they tweet and retweet. The old Twitter was more interested in uniformity of deciding what is “good,” though they did make a decent effort at combating large-scale bot nets. Musk has his work cut out for him as he tries to employ advanced tools and AI against AI designed specifically to defeat these controls.
What he has in his corner is a much smaller staff, which means more operating revenue per employee. What he has against him is a ticking time bomb of debt that financed his $44 billion social media foray to preserve his version of being a “free speech absolutist.”
The technical controls inside Twitter to prevent powerful employees from shadow banning, limiting reach, and unequally enforcing broad and vague policies were effectively non-existent. The new Musk-run Twitter will likely develop much more robust internal technical controls, along with Elon’s refined eye on the numbers and cash. Externally, transparency will be the rule, and that itself might help to stem the flood of garbage, by removing the incentive to influence real people, who themselves will have to sacrifice some level of anonymity in order to use the most advanced features (or perhaps use a crippled version of the site that limits the number of retweets, etc.). The goal is to stop bots from running the show and crafting what is trending.
Twitter’s former management doubled down on secret external controls, with few internal limits on who used them. The new management seems to be focused on doing the opposite. Whether that will make money is an open question.
It’s funny how when dealing with elections and voting, many self-styled conservatives are so focused on controls, down to an almost ridiculous level, to prevent even one illegal vote from being counted. But when dealing with such precious rights as free speech, scams embedded in religious garb, protecting reputations of favored individuals and organizations from scandal, or corporate cronyism, those controls get a whole lot fuzzier.
There’s no room for fuzzy controls, even if “the other side” uses them. Conservatives and liberals alike should insist on the “show me” and “under the hood” versions of “zero trust.” If we don’t, there’s no end to the Bankman-Frieds, E.U. scandals, and secret Twitter collaborators in our future.
"The new Musk-run Twitter will likely develop much more robust internal technical controls, along with Elon’s refined eye on the numbers and cash."
I'll take the other side of this bet, assuming that any policies remain post-Elon to enforce. From what I've seen thus far, Elon was eager to purge anyone from the company who had expertise in these matters and, despite happy talk about controls, just ends up being the arbiter himself. His own proposal for a content moderation council didn't make it out of the planning stages before being exposed as phony [1].
I wish Elon good fortune in rescuing Twitter from the mess he inflicted on it, but won't be holding my breath.
[1] https://www.techdirt.com/2022/11/23/elon-admits-his-content-moderation-council-was-always-a-charade-to-hopefully-bring-advertisers-back/
Thanks for the education. The article is very informative.