> We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason.
Okay, so who has been fired?
That's what "zero tolerance" means: no excuses, not even "someone tricked me." And no punishment but the maximum.
Anything less would involve some degree of tolerance, and when you say "zero" that means no tolerance whatsoever.
It's obviously stupid to manage any organization that way, of course. It's a fatuous, dishonest phrase.
So stop talking about "zero tolerance" since all it means is "we make hyperbolic claims that we have no intention of living up to."
>That's what "zero tolerance" means: no excuses, not even "someone tricked me."
That doesn't necessarily follow, as it depends on exactly what they have zero tolerance for. They say they have zero tolerance for "misuse of credentials." Misuse conceivably may not include insecure storage of credentials or accidentally exposing them, but only actively using them, eg logging in and using them for an inappropriate purpose.
I'm not trying to split hairs or be a Twitter apologist here but there is a meaningful distinction here. Intentional misuse of credentials is ultimately subordination (which is immediately fireable in most situations), whereas accidental exposure is a mistake. Twitter is effectively reinforcing that employees are forbidden to peruse private data. They are not making the point that they will fire anyone accidentally involved in a security breach.
> That doesn't necessarily follow, as it depends on exactly what they have zero tolerance for.
It does depend on that, you're right. "Zero tolerance" sounds so clear, it even has a number in there! But, nevertheless, one can rationalize just about any outcome by invoking it.
Specifically, any administrator who hasn't worked out a detailed meaning will have to crystalize their understanding when it comes time to apply the idea. This process of rationalizing will be different depending on the situation and their biases.
The supposedly clear policy becomes capricious or arbitrary. And if it's not arbitrary because they have some actual doctrine that can be consistently applied, then it would make more sense to use that doctrine.
> I'm not trying to split hairs or be a Twitter apologist here...
Splitting hairs is the raison d'être of this site.
I'm not annoyed at Twitter specifically as they're hardly the inventors of the phrase. My issue is with the concept itself, and the broader mindset that you see in legal concepts like strict liability.
> Intentional misuse of credentials is ultimately [in]subordination...
Well, intentional is your head-canon since they didn't use that word. But intent is useful to the discussion; let me explain why I don't think zero tolerance allows for intent and other mitigating factors.
The point of tolerance is that some harm is done, and the injured party is going to limit their response to it.
Law typically breaks it out as the action that caused the harm, the intent to cause that harm, and the certainty of your knowledge of the facts.
As soon as you bring intent into the equation, you're willing to tolerate a great deal of harm. Someone can get hurt in a car crash, and if it's clearly an accident, the injured party is generally not going to hold a grudge.
If there's sufficient uncertainty, we aren't even sure we can direct our response to the harm at the correct party. Then we're stuck tolerating it, or taking it out on some scapegoat. And I'd even argue that the fact that we inevitably have to tolerate some harm makes the concept of zero tolerance fundamentally contradictory.
Tolerance is what civilized people do in response to real life situations, and when they don't you get feuding and war. This isn't a new problem; the point of "an eye for an eye" in Mosaic law was to limit vengeance and vigilantism with a doctrine of proportionality. Not surprisingly, people still didn't get it, which was why Christ revised it to "turn the other cheek."
It’s possible to have zero tolerance and not fire anyone here. My understanding is that no employee misused their credentials or tools. The attackers misused them. I suppose you could argue that accidentally exposing credentials is misusing them, but I don’t think that’s what Twitter means there.
It’s like when motorcyclists say “safety first” about wearing a helmet and other protective gear. If they really put safety first, they’d choose a safer form of transportation. They mean “given that I’m going to engage in this risky activity, I’m going to try to make this activity as safe as possible”.
In this case “zero tolerance” is short for something like, “except for understandable slip-ups that aren’t fully your fault, we’re not going to tolerate any slip-ups”.
I think you can honestly say you follow safety first in terms of what is available to safely ride your bike.
Just like when I used to rock climb, I felt like we were basically following safe practices - but there was no one to adjudicate them, probably far less testing of various practices with stats than bikes. Also, where we climbed there wasn't expected rockfall. I had barely heard of that being an issue, and we never wore helmets. Later on I realized that was something I might have missed out on. And then the next step was "what other safety practices was I unaware of" ;-)
And of course I get that rock climbing is much more dangerous than hiking.
I don't really trust Twitter at all. When you consider how they shape public opinion on so many things, it gets scary.
They have been caught banning people based on their political stances, and refuse to remove the algorithmic timeline sorting method which is designed to strip adolescents (and easily persuaded adults) of their critical thinking skills.
Well, besides claims of restricting access to the tools, they obviously need to further restrict access to certain user accounts. We have support persons whose account support is locked from superior accounts or special users, and this seems like something Twitter should be doing.
Perhaps have another layer where each use of specific functions require unlocking through an incident management tool?
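One way to build the "unlock through an incident management tool" layer suggested above, as an added example that is not from this thread or from Twitter: support actions on a locked tier of accounts are denied unless an open ticket names both the operator and the target account, and every decision, denials included, goes to an audit trail. Account names, operators and ticket ids are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# An incident ticket unlocks one operator for one target account until it expires.
Ticket = namedtuple("Ticket", "ticket_id operator target_account expires_at")

@dataclass
class SupportGate:
    protected_accounts: set                      # accounts in the locked tier
    tickets: dict = field(default_factory=dict)  # ticket_id -> Ticket (from the incident tool)
    audit_log: list = field(default_factory=list)

    def authorize(self, operator, target_account, action, ticket_id=None, now=None):
        """Return True if the support action may proceed; every decision is logged."""
        now = now or datetime.now(timezone.utc)
        if target_account not in self.protected_accounts:
            return self._record(True, operator, target_account, action, "account not in locked tier")
        t = self.tickets.get(ticket_id)
        if t is None:
            reason = "no incident ticket supplied"
        elif t.expires_at <= now:
            reason = f"{ticket_id} expired"
        elif t.operator != operator:
            reason = f"{ticket_id} was issued to another operator"
        elif t.target_account != target_account:
            reason = f"{ticket_id} is scoped to another account"
        else:
            return self._record(True, operator, target_account, action, f"unlocked by {ticket_id}")
        return self._record(False, operator, target_account, action, reason)

    def _record(self, allowed, operator, target_account, action, reason):
        # Denials are logged too: repeated attempts without a ticket are what an audit should catch.
        self.audit_log.append({"operator": operator, "target": target_account, "action": action, "allowed": allowed, "reason": reason})
        return allowed

def demo():
    """Constructed scenario, not real data: one locked account, one valid and one expired ticket."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    gate = SupportGate(protected_accounts={"@protected_user"})
    gate.tickets["INC-1"] = Ticket("INC-1", "alice", "@protected_user", now + timedelta(hours=1))
    gate.tickets["INC-2"] = Ticket("INC-2", "bob", "@protected_user", now - timedelta(minutes=5))
    return {
        "ordinary": gate.authorize("alice", "@ordinary_user", "view_email", now=now),
        "locked": gate.authorize("alice", "@protected_user", "view_email", now=now),
        "unlocked": gate.authorize("alice", "@protected_user", "view_email", "INC-1", now=now),
        "wrong_operator": gate.authorize("bob", "@protected_user", "view_email", "INC-1", now=now),
        "expired": gate.authorize("bob", "@protected_user", "view_email", "INC-2", now=now),
        "denied_reasons": [e["reason"] for e in gate.audit_log if not e["allowed"]],
    }
```

The gate deliberately fails closed: a missing, expired, or mis-scoped ticket is a denial with a recorded reason, not a fallback to the operator's standing permissions.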
Indeed... one can imagine scenarios where maybe the attackers/phishers are the same people whose accounts are being used? This seems like the easiest way to get away with misusing your access. Just send yourself a phishing mail....