Twitter whistleblower won hacker acclaim for exposing software flaws
From the L0pht and Cult of the Dead Cow to DARPA and Google, Peiter ‘Mudge’ Zatko took unorthodox approaches to ‘make a dent in the universe’
The document, obtained by The Washington Post from a senior Democratic aide on Capitol Hill, could affect Twitter’s legal and financial prospects as well as its battle with Elon Musk, the Tesla CEO trying to get out of buying Twitter for $44 billion on the grounds that the company misled him and shareholders.
But Zatko, who was fired in January, less than two years after then-chief executive Jack Dorsey brought him on, says he is just trying to fulfill his commitment to make Twitter and its users, including dissidents of authoritarian regimes, safer through any legal means.
That tracks with why Dorsey hired him in the first place — as an expert known for following his own moral compass and telling the truth to urge change, even at personal risk. His longtime motto: “Make a dent in the universe.”
Zatko told The Post that he jumped at the chance to join the platform “to improve the health of the public conversation” after a teen hacker hijacked the verified Twitter accounts of political leaders in 2020. “There was no way I wasn’t going to step up to the plate and have some swings.”
But according to Zatko’s complaint, after Dorsey stepped down as CEO in November 2021, and Zatko informed members of Twitter’s board that protections for sensitive user data were weaker than they had been told, new CEO Parag Agrawal fired him.
Twitter said that Zatko’s claims were false, exaggerated or out of date.
“Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically seeking to inflict damage on Twitter, its customers, and its shareholders,” said Rebecca Hahn, Twitter’s global vice president of communications. Agrawal, who declined to comment, emailed employees after the publication of this article that Zatko was terminated for poor performance.
Attorneys for Zatko denied that his aim is to harm Twitter or that he was being opportunistic. Zatko “repeatedly raised concerns about Twitter’s grossly inadequate data security systems to the Company’s Executive Committee and Board of Directors,” his attorneys wrote. “Zatko put his career on the line because of his concerns about Twitter users, the public and the company’s shareholders.”
Zatko, 51, has a long track record of forcing secrets into the open, especially when they protect malicious activity or corporate irresponsibility.
By age 30, he had written one of the most powerful tools for cracking passwords, still in use, testified to Congress under his hacker handle about the susceptibility of the internet to drastic hacks, and co-founded one of the first hacking consultancies backed by venture capital, aiming to bring insights from the cyber underground into major companies with the most to lose.
Although he declined to discuss Twitter specifics, the documents Zatko’s attorney at Whistleblower Aid gave to regulators, along with interviews with current and former employees and associates, explain how his career made it unlikely he would leave the San Francisco tech platform quietly.
“I joined Twitter because it’s a critical resource to the world,” Zatko said from his home in the New York City area. “All news seems to be either from Twitter or goes to Twitter for the coloring and context, and as such, it not only paints public opinion, it can change governments.”
The son of a chemistry professor and a mining scientist, Zatko grew up in Alabama and Pennsylvania, playing violin and guitar, breaking digital copyright locks on electronic games and participating in the early online world of dial-up text discussion boards.
Picking both virtual and physical locks was fun, and as he entered Berklee College of Music in 1988, Zatko kept exploring online, sometimes trading his access to Berklee studio space for access to the computer labs enjoyed by budding hackers at the Massachusetts Institute of Technology.
Remaining in Boston, Zatko turned a temporary tech-support assignment into a real security job at what was then called BBN Technologies, an elite government contractor responsible for the early internet’s basic plumbing. In those days, the most serious hacking was done inside such large labs, experimenting on mainframes and networks of smaller computers.
The outside hacking scene was more rough and tumble and more fun, an alternative universe of assumed names, shared secrets about manipulating phone and computer systems, and roaming around inside private companies.
In 1996, Zatko joined the L0pht (pronounced “loft”), often held up as the first U.S. hackerspace. The collective included a handful of hardware, software and wireless tinkerers who won renown for issuing public warnings about security flaws in programs.
At the time, most of those warnings were about business software, because the consumer internet was just beginning. Microsoft was helping drive that wave, and it took offense when the L0pht dropped new bug alerts that told talented hackers where to look to break into its wares.
The software giant suggested that the L0pht would do more good if it provided advance notice to let the company develop a software patch for flaws before publishing the findings, letting criminals abuse them, according to records from the time. The group agreed, establishing a model for coordinated disclosure now used by most researchers.
High-ranking government officials, even those outside the intelligence agencies, were just starting to worry about what another country’s hackers could do to the United States. So Clinton White House staffer Richard Clarke helped arrange for Zatko and others from the L0pht to testify to Congress in 1998, even though they insisted on using pseudonyms.
Zatko and fellow L0pht member Christien Rioux, later co-founder of security company Veracode, also joined a larger and wilder group, Cult of the Dead Cow, which coined the term hacktivism, a portmanteau of hacking and activism that the group said promoted human rights by spreading information and fighting censorship and surveillance.
(An early member of that group was Beto O’Rourke, now running for governor of Texas.)
As hacking emerged as a cultural phenomenon that big companies ignored at their peril, the Cult of the Dead Cow pulled stunts like throwing CDs with code to hack Microsoft’s Windows from the stage at the Def Con hacking conference in Las Vegas.
Microsoft’s executives played down the potential harm to ordinary users, but after major customers threatened to move more operations to Linux, the company devoted more resources to security. Some Microsoft security experts said in private interviews they were grateful for the Cult of the Dead Cow’s antics.
Professionally, Zatko helped turn the L0pht into the for-profit @stake, the early advisory firm that went inside big banks and software companies, even Microsoft, to advise them on what to worry about and suggest improvements, such as digitally signing legitimate programs.
Zatko later joined the Pentagon innovation center DARPA, the Defense Advanced Research Projects Agency. There he created a “fast track” program to dole out small grants quickly, giving lone hackers a way to help the government.
Zatko returned to the corporate world by working on special projects at Motorola Mobility and Google, which soon bought the company. Zatko also advised Google security team members, including Distinguished Engineer Niels Provos, who led hundreds of specialists.
His next stop was electronic payments start-up Stripe, which had a small security team despite becoming a massive target for criminals as its popularity soared.
Zatko tightened controls, “making sure the improvements were principled and measurable and fixing the most urgent gaps,” said Provos, who succeeded Zatko as Stripe’s head of security.
By the time of that handoff, Provos said, every Stripe employee had a hardware token as a second factor to authenticate themselves for access, and every laptop had its own identity, dictating what the user had permission to do.
After the 2020 Twitter hack, Dorsey lured Zatko away from Stripe, telling him he had been inspired by Zatko’s career, two sources familiar with the conversation said.
“Jack loves hackers, and Mudge is a hacker legend,” one of them said on the condition of anonymity to discuss internal company matters.
The documents filed by Zatko’s lawyer with the SEC, FTC and Justice Department say he began with a rigorous examination of the company’s serious internal security issues.
Zatko recruited top engineers and pushed for more transparency and accountability. “He can speak geek but also communicate so effectively,” said Renee Rush, a DARPA veteran who came out of retirement to work with Zatko again at Twitter. “He goes between worlds, and he has a vision he can execute. That’s a unicorn.”
The challenge he faced came into sharp focus less than two months into the job, during the attack on Congress on Jan. 6, 2021.
With debate raging at Twitter over whether to suspend President Donald Trump’s widely followed account for inspiring the rioters, Zatko asked how Twitter could secure its production environment so that no hacker or disgruntled engineer could sabotage the service.
Zatko alleges in his whistleblower complaint that he was told it couldn’t be done, and that thousands of employees would still be able to wreak havoc if they chose.
That same day, a phone call came from high up in President-elect Joe Biden’s transition team, offering Zatko the job of chief information security officer for the entire federal government as of Jan. 20, the complaint says.
Zatko says in his complaint that he mulled it over for a day and then turned it down, figuring he could do more good at Twitter.
But Zatko didn’t blend into Twitter’s culture. Some who dealt with him said he came off as arrogant, especially when venturing past his areas of expertise.
“He’s a total savant, but also a bit of a bull in a china shop,” one person who worked with him at Twitter said, speaking on the condition of anonymity because of a confidentiality agreement.
Zatko lasted about a year more before arguing with Agrawal over what the board of directors needed to know, according to the legal complaint.
Once out, Zatko sought a way to legally warn regulators in a position to force changes. His whistleblower papers expose what he considers dangerous lapses at the company and invite regulators to step in, especially the FTC.
“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko said. “I want to finish the job Jack brought me in for, which is to improve the place.”
Elizabeth Dwoskin contributed to this report.