Dev & DevSecOpsApril 5, 2023

With Twitter code in the wild, DevSecOps doubts surface

First, Twitter's source code was leaked. Then it open-sourced its ranking algorithm. Should we worry about the unintended consequences of “transparency”?

Richi Jennings, Independent industry analyst, editor, and content strategist.

Elon Musk’s remaining staff have open-sourced Twitter. Or, at least, they’ve put some of the code onto GitHub.

This is the crucial-to-some ranking algorithm. It’s responsible for promoting tweets from people you’re not following and hiding stuff you might not want to see.

Or stuff Twitter doesn't want you to see. In this week’s Secure Software Blogwatch, we ponder the unintended consequences of “transparency.”

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Marty Cooper FTW.

Blue bird b0rked

What’s the craic? A week ago, Jon Brodkin reported — “Twitter obtains subpoena forcing GitHub to unmask source-code leaker”:

On GitHub for months
GitHub user "FreeSpeechEnthusiast" posted Twitter source code in early January, shortly after Elon Musk bought Twitter and laid off thousands of workers. Twitter reportedly suspects the code leaker is one of its many ex-employees.
…
With the subpoena now issued, GitHub has until April 3 to provide all identifying information, "including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with" the FreeSpeechEnthusiast account. GitHub was also ordered to provide the same type of information on any "users who posted, uploaded, downloaded or modified the data" at the code repository posted by FreeSpeechEnthusiast.
…
The code was apparently on GitHub for months before Twitter executives became aware of the leak. … Twitter executives are concerned "that the code includes security vulnerabilities that could give hackers or other motivated parties the means to extract user data or take down the site."

Isn’t it moot now? Yes and no, says Sergiu Gatlan — “Twitter open-sources recommendation algorithm code”:

Two separate GitHub repositories
Twitter [is] open-sourcing the code behind the recommendation algorithm the platform uses to select the contents of the users' For You timeline. However, the code made public … doesn't include parts behind advertising recommendations, or [code] that would endanger Twitter's ability to keep threat actors' attempts to manipulate the platform under control.
…
Twitter has published two separate GitHub repositories containing the source code for its recommendation algorithm and some of the machine learning (ML) models powering it. … The end goal is for each user's For You timeline to show 50% of relevant and recent tweets coming from their followers and the other 50% from people not in their network based on what the user would find interesting.

Horse’s mouth? Mister Musk’s mysterious marketing mavens — “Twitter's Recommendation Algorithm”:

5 billion times per day
Twitter aims to deliver you the best of what’s happening in the world right now. This requires a recommendation algorithm to distill the roughly 500 million Tweets posted daily down to a handful. … The foundation of Twitter’s recommendations is a set of core models and features that extract latent information from Tweet, user, and engagement data.

[Way too much detail elided]

At this point, Home Mixer has a set of Tweets ready to send to your device. … The pipeline above runs approximately 5 billion times per day and completes in under 1.5 seconds on average. A single pipeline execution requires 220 seconds of CPU time.

Of course, people jumped in to look for juiciness. Pasha Kamyshev starts with the pachyderm in the parlor:

All must submit to current thing
Having something like author_is_elon is likely a consequence of some poor employee being afraid of losing their job. … Twitter removed this feature; … I believe it's a good move.
…
Twitter's approach to fighting spam is flawed: … It penalizes new-ish users who post links (except news links). [But] a dedicated spammer can easily beat this by having all of their bots like/retweet each other.
…
The big problem I have is with tweetHasTrendBoost = 1.1 — Why boost trends? … All must submit to current thing … has many negative effects on the quality of the discourse and the general hostility on the site. All because of this one line of code.

As did Steven Tey:

Twitter's "Tweepcred" PageRank algorithm reduces the page rank of users who have a low number of followers but a high number of followings. … Some negative feedback loops that will reduce your "reputation score" on Twitter: Getting blocked, getting muted, abuse reports, spam reports.

Which echoes something people have worried about for a while: Bots that can cancel tweets or accounts by mass reporting them. Sure enough, here’s a dew-fresh CVE-2023-29218:

The Twitter Recommendation Algorithm … allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.
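The CVE text above describes a reputation score that any number of accounts can push down in concert. The following Python block is an added illustration, not Twitter's code and not taken from the open-sourced repositories: it contrasts a naive sum of negative signals (where N coordinated accounts do N times the damage) with a damped scorer that counts each actor once, caps what one actor can contribute, and discounts actors whose targets overlap suspiciously. The penalty weights, function names, threshold and sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

# Base penalty per negative-signal kind. Assumed values, not Twitter's.
PENALTY = {"report": 1.0, "block": 0.6, "mute": 0.3, "unfollow": 0.1}


@dataclass(frozen=True)
class Signal:
    actor: str   # account emitting the negative signal
    target: str  # account receiving it
    kind: str    # key of PENALTY


def naive_score(signals, target):
    """Sum every penalty aimed at target: the behaviour the CVE describes,
    where each extra coordinated account adds its full penalty again."""
    return round(sum(PENALTY[s.kind] for s in signals if s.target == target), 6)


def coordinated_actors(signals, min_shared_targets=3):
    """Crude co-occurrence check (assumed heuristic): two actors whose negative
    signals hit at least min_shared_targets of the same targets are treated as
    a ring. Organic users rarely share that many targets; rings usually do."""
    targets_by_actor = defaultdict(set)
    for s in signals:
        targets_by_actor[s.actor].add(s.target)
    flagged = set()
    for a, b in combinations(sorted(targets_by_actor), 2):
        if len(targets_by_actor[a] & targets_by_actor[b]) >= min_shared_targets:
            flagged.update((a, b))
    return flagged


def damped_score(signals, target, flagged=frozenset(),
                 ring_weight=0.1, per_actor_cap=1.0):
    """Negative score for target with three damping rules:
    1. a repeated signal of the same kind from the same actor counts once;
    2. one actor contributes at most per_actor_cap, whatever it does;
    3. actors in flagged (a suspected ring) are discounted by ring_weight."""
    per_actor = defaultdict(float)
    seen = set()
    for s in signals:
        if s.target != target or (s.actor, s.kind) in seen:
            continue
        seen.add((s.actor, s.kind))
        per_actor[s.actor] += PENALTY[s.kind]
    total = 0.0
    for actor, raw in per_actor.items():
        weight = ring_weight if actor in flagged else 1.0
        total += weight * min(raw, per_actor_cap)
    return round(total, 6)


# Constructed sample: six accounts report, block and mute "victim" and also
# report the same three other targets; "alice" reports victim once; "bob"
# reports t1 once. One bot files its report against victim twice.
SAMPLE = []
for i in range(1, 7):
    bot = f"bot{i}"
    SAMPLE += [Signal(bot, "victim", k) for k in ("report", "block", "mute")]
    SAMPLE += [Signal(bot, t, "report") for t in ("t1", "t2", "t3")]
SAMPLE.append(Signal("bot1", "victim", "report"))  # duplicate report
SAMPLE.append(Signal("alice", "victim", "report"))
SAMPLE.append(Signal("bob", "t1", "report"))

if __name__ == "__main__":
    ring = coordinated_actors(SAMPLE)
    print("naive :", naive_score(SAMPLE, "victim"))          # 13.4
    print("ring  :", sorted(ring))                            # bot1..bot6
    print("damped:", damped_score(SAMPLE, "victim", ring))   # 1.6
```

Run as a script, the naive score for the targeted account is 13.4, dominated by the six-account ring, while the damped score is 1.6, of which 1.0 comes from the single organic report. The per-actor cap alone already limits the ring to 7.0 before the co-occurrence discount; the ring heuristic is deliberately crude and in a real system would be one input among many (account age, device and IP overlap, timing), not a verdict on its own.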

On the other hand, swillden sees the flip:

I expect the production code to quickly diverge. The problem is that there are too many people and organizations who will benefit from being able to game the system and thereby ensure that their tweets get widely recommended. Heck, if I were running Twitter, I might publish incorrect recommendation code simply to waste the effort of Tweet "optimizers," and make the actual code more effective.

How can it be fixed? This Anonymous Coward thinks it’s possible, but …

Assuming the twit in chief hadn't fired everybody who knew how to do that of course (who would have been followed out the door by everybody else with transferable skills). … Those left [have] been picked primarily because their wages are cheap and … don't have transferable skills to easily get another job. Therefore they don't know how to do that and can't figure it out.

…

Somebody with even mediocre tech skills could reverse engineer [it] to figure out what needs to be done. However, you'd then have the problem that the people who can do that are needed to keep the entire thing running, and if they stop doing that then the entire show will collapse around them.

It’s still fashionable to say Twitter will die — especially among the Mastodon crowd. Dave Karpf thinks it won’t be because Dev(Sec)Ops:

The company will go bankrupt

How I expect Twitter will end: The finances are bad, the product is breaking down, the user base is decaying. That downward slide will continue at a slow, steady pace. But what will finally break Twitter is one of these financial time bombs self-detonating. It will probably be the regulatory fines, and that will have the knock-on effect of offering [Elon Musk] a face-saving story to tell.

…

I suspect he’ll declare bankruptcy and blame the regulators. He’ll say something like: “I was THIS CLOSE to turning around this important, innovative company that is a threat to the mainstream media and all those crooked politicians. But then the … bureaucrats stepped in and fined the company out of existence! … It all would’ve worked out if not for that meddling government.”

…

Certain corners of the internet would buy this tale—it has all the “right” villains. In this version of history, Elon Musk didn’t burn Twitter to the ground. He almost saved Twitter, until he was foiled by the machinations of the professional managerial class. … That’s how I expect Twitter will end. The company will go bankrupt with a bang, not a whimper.

Meanwhile, conorjh is a friend of Tom:

Nobody will care about Twitter in 10 years … (for the same reason nobody cares about MySpace anymore)

And Finally:

The first public demo of a handheld cellphone was 50 years ago this week

Previously in And finally


You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Katja Just (via Pixabay)
