Peiter ‘Mudge’ Zatko’s journey from hacker to whistleblower on Twitter


From L0pht and the Cult of the Dead Cow to DARPA and Google, Peiter ‘Mudge’ Zatko is using unorthodox approaches to “make a breakthrough in the universe”

Peter Zatko testified before Congress using his hacker name “Mudge” in 1998. He later became a corporate executive, most recently at Twitter. (Chloe Meister/Washington Post illustration; Matt McClain/The Washington Post; Douglas Graham/Congressional Quarterly/Getty; Twitter screenshots; iStock)


For three decades, security pioneer Peiter “Mudge” Zatko has exposed the risks facing technology users as a hacker. Now he does it as a whistleblower.

Zatko, Twitter’s former head of security, filed a complaint with the Securities and Exchange Commission last month, accusing the company of violating its agreement with the Federal Trade Commission to maintain robust security practices.

The document, obtained by The Washington Post from a senior Democratic aide on Capitol Hill, could affect Twitter’s legal and financial prospects, as well as its battle with Elon Musk, Tesla’s chief executive, who is trying to get out of the buyout of Twitter for $44 billion on the grounds that the company misled him and shareholders.

But Zatko, who was fired in January, less than two years after then-CEO Jack Dorsey hired him, says he was simply trying to fulfill his commitment to make Twitter and its users, including dissidents of authoritarian regimes, safer by any legal means.


That is part of why Dorsey hired him in the first place: as an expert known for following his own moral compass and telling the truth to push for change, even at personal risk. His longtime motto: “Make a breakthrough in the universe.”

Zatko told The Post that he jumped at the chance to join the platform “to improve the health of the public conversation” after a teenage hacker hijacked the verified Twitter accounts of political leaders in 2020. “There was no way not to step up to the plate and take a few swings.”

But according to Zatko’s complaint, after Dorsey stepped down as CEO in November 2021 and Zatko informed Twitter’s board members that protections for sensitive user data were weaker than they had been told, new CEO Parag Agrawal fired him.

Twitter said Zatko’s claims were false, exaggerated or outdated.

“Mr. Zatko was fired from Twitter more than six months ago for poor performance and leadership and now appears to be opportunistically seeking to harm Twitter, its customers and its shareholders,” said Rebecca Hahn, Twitter’s global vice president of communications. Agrawal declined to comment.

Zatko, 51, has a long track record of bringing secrets to light, especially when they protect malicious activity or corporate irresponsibility.

By the age of 30, he had written one of the most powerful password-cracking tools still in use, testified before Congress under his hacker handle about the Internet’s susceptibility to drastic hacks, and co-founded one of the first venture-backed hacking consulting companies, which aimed to bring cyber insights to the big companies that stand to lose the most.

Although he declined to discuss Twitter specifics, documents that Zatko’s attorney at Whistleblower Aid provided to regulators, along with interviews with current and former employees and associates, explain how his career made it unlikely that he would quietly leave the San Francisco tech platform.


“I joined Twitter because it’s a critical resource for the world,” Zatko said from his home in the New York area. “All news seems to either come from Twitter or go to Twitter for color and context, and as such they not only paint public opinion but can change governments.”

The son of a chemistry professor and a mining scientist, Zatko grew up in Alabama and Pennsylvania, playing violin and guitar, cracking the copy protection on electronic games, and participating in the early online world of dial-up text message boards. Tinkering with both virtual and physical locks was fun, and when he entered the Berklee College of Music in 1988, Zatko continued to explore online, sometimes trading his access to Berklee’s studio space for access to the computer labs that welcomed budding hackers at MIT.

Remaining in Boston, Zatko turned a temporary technical support assignment into a real security job at what was then called BBN Technologies, an elite government contractor responsible for much of the early plumbing of the internet. In those days, the most serious hacking was done in such large labs, experimenting on mainframes and networks of smaller computers.

The outside hacking scene was rougher and more fun, an alternate universe of made-up names, shared secrets for manipulating phone and computer systems, and roaming through private companies’ networks.

In 1996, Zatko joined L0pht (pronounced “loft”), often considered the first US hackerspace. The collective included a handful of hardware, software and wireless geeks who gained notoriety for issuing public warnings about program security flaws.

At the time, most of these warnings were for business software, as the consumer Internet was just beginning. Microsoft was helping to drive this wave and took offense when L0pht dropped new bug warnings that told talented hackers where to look to break into its products.


The software giant suggested that L0pht would do more good if it gave advance notice, allowing the company to develop fixes for flaws before the findings were published and criminals could abuse them, according to records from the time. The group agreed, creating a coordinated disclosure model that is now used by most researchers.

Senior government officials, even those outside the intelligence agencies, were just beginning to worry about what hackers from another country might do to the United States. So Clinton White House staffer Richard Clarke helped arrange for Zatko and others from L0pht to testify before Congress in 1998, even though they insisted on using pseudonyms.

Zatko and fellow L0pht member Christien Rioux, later co-founder of the security company Veracode, also joined a larger and wilder group, the Cult of the Dead Cow, which coined the term hacktivism, a portmanteau of hacking and activism that, according to the group, promotes human rights by disseminating information and fighting censorship and surveillance. (One early member of that group was Beto O’Rourke, now running for governor of Texas.)

As hacking emerged as a cultural phenomenon that big companies ignored at their peril, the Cult of the Dead Cow pulled stunts like throwing CDs of code for hacking Microsoft Windows from the stage at the Def Con hacking conference in Las Vegas.

Microsoft executives downplayed the potential harm to ordinary users, but after major customers threatened to move more operations to Linux, the company devoted more resources to security. Some Microsoft security experts said in private interviews that they were grateful for the Cult of the Dead Cow’s antics.


Professionally, Zatko helped turn L0pht into the for-profit @stake, an early consulting firm that went into big banks and software companies, even Microsoft, to advise them on what to worry about and to suggest improvements such as digitally signing legitimate programs.

Later, Zatko also joined the Pentagon’s innovation center DARPA, the Defense Advanced Research Projects Agency. There, he created a “fast track” program to quickly distribute small grants, giving lone hackers a way to help the government.

Zatko returned to the corporate world, working on special projects at Motorola Mobility and then at Google, which soon bought the company. Zatko also advised members of Google’s security team, including distinguished engineer Niels Provos, who leads hundreds of specialists.

His next stop was e-payments startup Stripe, which had a small security team but became a huge target for criminals as its popularity soared.

Zatko tightened controls “by making sure improvements were principled and measurable and fixed the most pressing gaps,” said Provos, who succeeded Zatko as Stripe’s head of security.


Until that handoff, Provos said, every Stripe employee had a hardware token as a second factor to authenticate access, and every laptop had its own identity, dictating what a user was allowed to do.

After the Twitter hack in 2020, Dorsey lured Zatko away from Stripe, telling him he was inspired by Zatko’s career, two sources familiar with the conversation said.

“Jack loves hackers and Mudge is a hacking legend,” one of them said on condition of anonymity to discuss internal company matters.

The documents submitted on Zatko’s behalf to the SEC, FTC and Justice Department say he began a thorough review of the company’s serious internal security issues.

Zatko hired top engineers and pushed for more transparency and accountability. “He can talk geek but also communicate so effectively,” said Rene Rush, a DARPA veteran who came out of retirement to work with Zatko again at Twitter. “He goes between the worlds and has a vision that he can fulfill. He’s a unicorn.”

The challenge he faced came into sharp focus less than two months into the job, during the attack on Congress on January 6, 2021.

With debate raging on Twitter over whether to suspend President Donald Trump’s widely followed account for inspiring insurgents, Zatko asked how Twitter could secure its production environment so that no hacker or disgruntled engineer could sabotage the service.

Zatko claims in his whistleblowing complaint that he was told that could not be done and that thousands of employees would still be able to wreak havoc if they chose.

That same day came a call from on high: President-elect Joe Biden’s transition team offered Zatko the job of chief information security officer for the entire federal government, effective Jan. 20, the complaint said.

Zatko says in his complaint that he considered it for a day and then turned it down, thinking he could do more on Twitter.


But Zatko didn’t blend in with Twitter culture. Some who dealt with him said he seemed arrogant, especially when he ventured beyond his areas of expertise.

“He’s a total brainiac, but also a bit of a bull in a china shop,” said a person who worked with him at Twitter, speaking on condition of anonymity because of a confidentiality agreement.

Zatko lasted almost another year before arguing with Agrawal about what the board of directors should know, according to the legal complaint.

Once out, Zatko looked for a way to legally alert regulators in a position to force changes. His whistle-blowing documents exposed what he considered dangerous flaws at the company and invited regulators to step in, particularly the FTC.

“This will never be my first step, but I believe I am still fulfilling my duty to Jack and to the users of the platform,” Zatko said. “I want to finish the job Jack brought me to do, which is to improve the place.”

Elizabeth Dvoskin contributed to this report.
