The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Twitter whistleblower won hacker acclaim for exposing software flaws

Peiter Zatko, known by his hacker name, Mudge, filed a complaint that says Twitter is violating its agreement to maintain solid security practices. (Washington Post)
By Joseph Menn, Washington Post

For three decades, security pioneer Peiter “Mudge” Zatko has exposed the risks facing technology users as a hacker. Now he’s doing it as a whistleblower.

Zatko, the former head of security at Twitter, filed a complaint with the Securities and Exchange Commission last month accusing the company of violating its agreement with the Federal Trade Commission to maintain solid security practices.

The document, obtained by the Washington Post from a senior Democratic aide on Capitol Hill, could affect Twitter’s legal and financial prospects as well as its battle with Elon Musk, the Tesla CEO trying to get out of buying Twitter for $44 billion on the grounds that the company misled him and shareholders.

But Zatko, who was fired in January, less than two years after then-chief executive Jack Dorsey brought him on, says he is simply trying to fulfill his commitment to make Twitter and its users, including dissidents of authoritarian regimes, safer through any legal means.

That tracks with why Dorsey hired him in the first place – as an expert known for following his own moral compass and telling the truth to urge change, even at personal risk.

His longtime motto: “Make a dent in the universe.”

Zatko told the Post that he jumped at the chance to join the platform “to improve the health of the public conversation” after a teen hacker hijacked the verified Twitter accounts of political leaders in 2020.

“There was no way I wasn’t going to step up to the plate and take some swings.”

But according to Zatko’s complaint, after Dorsey stepped down as CEO in November 2021, and Zatko informed members of Twitter’s board that protections for sensitive user data were weaker than they had been told, new CEO Parag Agrawal fired him.

Twitter said that Zatko’s claims were false, exaggerated or out of date.

“Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically seeking to inflict harm on Twitter, its customers, and its shareholders,” said Rebecca Hahn, Twitter’s global vice president of communications.

Agrawal, who declined to comment, emailed employees after the publication of this article that Zatko was terminated for poor performance.

Attorneys for Zatko denied that his aim is to harm Twitter or that he was being opportunistic.

Zatko “repeatedly raised concerns about Twitter’s grossly inadequate information security systems to the Company’s Executive Committee and Board of Directors,” his attorneys wrote.

“Zatko put his career on the line because of his concerns about Twitter users, the public and the company’s shareholders.”

Zatko, 51, has a long track record of forcing secrets into the open, especially when they protect malicious activity or corporate irresponsibility.

By age 30, he had written one of the most powerful tools for cracking passwords, still in use, and testified to Congress under his hacker handle about the susceptibility of the internet to drastic hacks.

He also co-founded one of the first hacking consultancies backed by venture capital, aiming to bring insights from the cyberunderground into major companies with the most to lose.

Although he declined to discuss Twitter specifics, the documents Zatko’s attorney at Whistleblower Aid gave to regulators, along with interviews with current and former employees and associates, explain how his career made it unlikely he would leave the San Francisco tech platform quietly.

“I joined Twitter because it’s a critical resource to the world,” Zatko said from his home in the New York City area.

“All news seems to be either from Twitter or goes to Twitter for the coloring and context, and as such, it not only paints public opinion, it can change governments.”

The son of a chemistry professor and a mining scientist, Zatko grew up in Alabama and Pennsylvania, playing violin and guitar, breaking digital copyright locks on electronic games and participating in the early online world of dial-up text discussion boards.

Picking both virtual and physical locks was fun, and as he entered Berklee College of Music in 1988, Zatko kept exploring online, sometimes trading his access to Berklee studio space for access to the computer labs enjoyed by budding hackers at the Massachusetts Institute of Technology.

Remaining in Boston, Zatko turned a temporary tech-support assignment into a real security job at what was then called BBN Technologies, an elite government contractor responsible for the early internet’s basic plumbing.

In those days, the most serious hacking was done inside such big labs, experimenting on mainframes and networks of smaller computers.

The outside hacking scene was more rough and tumble and more fun, an alternative universe of assumed names, shared secrets about manipulating phone and computer systems, and roaming around inside private companies.

In 1996, Zatko joined the L0pht (pronounced “loft”), often held up as the first U.S. hackerspace.

The collective included a handful of hardware, software and wireless tinkerers who won renown for issuing public warnings about security flaws in programs.

At the time, most of those warnings were about business software, because the consumer internet was just beginning.

Microsoft was helping drive that wave, and it took offense when the L0pht dropped new bug alerts that told talented hackers where to look to break into its wares.

The software giant suggested that the L0pht would do more good if it gave the company advance notice, so that a software patch could be developed before the findings were published and criminals could abuse them, according to records from the time.

The group agreed, establishing a model for coordinated disclosure now used by most researchers.

High-ranking government officials, even those outside the intelligence agencies, were just starting to worry about what another country’s hackers could do to the United States.

So Clinton White House staffer Richard Clarke helped arrange for Zatko and others from the L0pht to testify to Congress in 1998, even though they insisted on using pseudonyms.

Zatko and fellow L0pht member Christien Rioux, later co-founder of security company Veracode, also joined a larger and wilder group, Cult of the Dead Cow, which coined the term hacktivism, a portmanteau of hacking and activism that the group said promoted human rights by spreading information and fighting censorship and surveillance.

(An early member of that group was Beto O’Rourke, now running for governor of Texas.)

As hacking emerged as a cultural phenomenon that big companies ignored at their peril, the Cult of the Dead Cow pulled stunts like throwing CDs with code to hack Microsoft’s Windows from the stage at the Def Con hacking conference in Las Vegas.

Microsoft’s executives played down the potential harm to ordinary users, but after major customers threatened to move more operations to Linux, the company devoted more resources to security.

Some Microsoft security experts said in private interviews they were grateful for the Cult of the Dead Cow’s antics.

Professionally, Zatko helped turn the L0pht into the for-profit @stake, the early advisory firm that went inside big banks and software companies, even Microsoft, to advise them on what to worry about and suggest improvements, such as digitally signing legitimate programs.

Zatko later joined the Pentagon innovation center DARPA, the Defense Advanced Research Projects Agency.

There he created a “fast track” program to dole out small grants quickly, giving lone hackers a way to help the government.

Zatko returned to the corporate world by working on special projects at Motorola Mobility and Google, which soon bought the company.

Zatko also advised Google security team members, including Distinguished Engineer Niels Provos, who led hundreds of specialists.

His next stop was electronic payments start-up Stripe, which had a small security team despite becoming a massive target for criminals as its popularity soared.

Zatko tightened controls, “making sure the improvements were principled and measurable and fixing the most urgent gaps,” said Provos, who succeeded Zatko as Stripe’s head of security.

By the time of that handoff, Provos said, every Stripe employee had a hardware token as a second factor to authenticate themselves for access, and every laptop had its own identity, dictating what the user had permission to do.

After the 2020 Twitter hack, Dorsey lured Zatko away from Stripe, telling him he had been inspired by Zatko’s career, two sources familiar with the conversation said.

“Jack loves hackers, and Mudge is a hacker legend,” one of them said on the condition of anonymity to discuss internal company matters.

The documents filed by Zatko’s attorney with the SEC, FTC and Justice Department say he began with a rigorous examination of the company’s serious internal security issues.

Zatko recruited top engineers and pushed for more transparency and accountability.

“He can speak geek but also communicate so effectively,” said Renee Rush, a DARPA veteran who came out of retirement to work with Zatko again at Twitter.

“He goes between worlds, and he has a vision he can execute. That’s a unicorn.”

The challenge he faced came into sharp focus less than two months into the job, during the assault on Congress on Jan. 6, 2021.

With debate raging at Twitter over whether to suspend President Donald Trump’s widely followed account for inspiring the rioters, Zatko asked how Twitter could secure its production environment so that no hacker or disgruntled engineer could sabotage the service.

Zatko alleges in his whistleblower complaint that he was told it couldn’t be done, and that thousands of employees would still be able to wreak havoc if they chose.

That same day, a call came from high up in President-elect Joe Biden’s transition team, offering Zatko the job of chief information security officer for the entire federal government as of Jan. 20, the complaint says.

Zatko says in his complaint that he mulled it over for a day and then turned it down, figuring he could do more good at Twitter.

But Zatko didn’t blend into Twitter’s culture.

Some who dealt with him said he came off as arrogant, especially when venturing past his areas of expertise.

“He’s a total savant, but also a bit of a bull in a china shop,” one person who worked with him at Twitter said, speaking on the condition of anonymity because of a confidentiality agreement.

Zatko lasted almost a year more before arguing with Agrawal over what the board of directors needed to know, according to the legal complaint.

Once out, Zatko sought a way to legally warn regulators in a position to force changes.

His whistleblower papers expose what he considers dangerous lapses at the company and invite regulators to step in, especially the FTC.

“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko said. “I want to finish the job Jack brought me in for, which is to improve the place.”