Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He was the most prominent member of the high-profile hacker think tank the L0pht[2] as well as the computer and culture hacking cooperative the Cult of the Dead Cow. While involved with the L0pht, Mudge contributed to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security advisories he released contained early examples of flaws in the following areas: code injection, race conditions, side-channel attacks, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack.[3]
In 2010, Mudge accepted a position as a program manager at DARPA, where he oversaw cyber security research.[4] In 2013, Mudge went to work for Google in its Advanced Technology & Projects division.[5][6] In 2020, he was hired as head of security at Twitter.[7] He currently works at the security consulting firm Rapid7, which develops Metasploit.[8]
Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. In 1995 he published "How to Write Buffer Overflows", one of the first papers on the topic.[10] He published some of the first security advisories and research demonstrating early vulnerabilities in Unix such as code injection, side-channel attacks, and information leaks, and was a leader in the full disclosure movement. He was the initial author of the security tools L0phtCrack, AntiSniff, and l0phtwatch.[11][12]
Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as DEF CON[13] and academic conferences such as USENIX.[14] Mudge has also been a member of Cult of the Dead Cow since 1996.[15][11]
He was one of the seven L0pht members who testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time.[16] The L0pht became the computer security consultancy @stake in 1999, and Mudge became the vice president of research and development and later chief scientist.[17][18]
In 2004 he became a division scientist at government contractor BBN Technologies,[20] where he originally worked in the 1990s, and also joined the technical advisory board of NFR Security.[21] In 2010, it was announced that he would be project manager of a DARPA project focused on directing research in cyber security.[4] In 2013 he announced that he would leave DARPA for a position at Google ATAP.[6][22] In 2015 Zatko announced on Twitter that he would join a project called #CyberUL, a testing organisation for computer security inspired by Underwriters Laboratories, mandated by the White House.[23]
Career
DARPA
At DARPA he created the Cyber Analytical Framework the agency used to evaluate DoD investments in offensive and defensive cyber security. During his tenure he ran at least three Department of Defense (DoD) programs known as Military Networking Protocol (MNP), Cyber-Insider Threat (CINDER), and Cyber Fast Track (CFT).
Military Networking Protocol (MNP) provided network prioritization with full user-level attribution for military computer networks.[24]
CINDER focused on identifying cyber espionage conducted by virtual insider threats such as future variants of Stuxnet or Duqu. CINDER is often mistakenly associated with WikiLeaks in the media.[25][26] This is possibly due to confusion between DARPA programs focused on identifying human insider threats, such as ADAMS,[27] and the identification of software espionage posed by malware in the CINDER program.[28] Mudge clarified this distinction in his DEF CON 2011 keynote, 46 minutes and 11 seconds into the talk.[29]
Cyber Fast Track (CFT) provided resources and funding to security research, including programs run by hackers, hackerspaces, and makerlabs. The program provided an alternative to traditional government contracting vehicles that was accessible to individuals and small companies previously unable to work within the cumbersome and complicated DARPA process. The novel contracting effort had an average time of 7 days from receipt of proposal to funding being provided to the proposing research organization.[30] The program was initially announced at Shmoocon during his 2011 keynote.
Twitter
Zatko was hired by Jack Dorsey – Twitter's CEO – in November 2020 to lead the company's information security approach, after a July 2020 hack that compromised multiple high-profile accounts.[31][32] He was terminated by the company in January 2022,[33] with Twitter claiming it was after "an assessment of how the organization was being led and the impact on top priority work".
On 23 August 2022, the contents of a whistleblower complaint made by Zatko to the United States Congress were published.[31] The complaint alleges Twitter committed multiple violations of United States securities regulations, the Federal Trade Commission Act of 1914, and a 2011 enforceable consent decree reached with the Federal Trade Commission after several issues between 2007 and 2010.[34] He also accused Twitter of "extreme, egregious deficiencies" in its handling of user information and spam bots.[35] Zatko accused several Twitter executives, including Parag Agrawal and certain board members, of making false or misleading statements about privacy, security, and content moderation on the platform in violation of the Federal Trade Commission Act of 1914 and SEC disclosure rules. These included misrepresentations to Elon Musk made during the course of his acquisition bid, with the complaint specifically calling Agrawal's May 16 thread deceptive.[36][37][38] The Wall Street Journal reported that Twitter reached a confidential $7 million settlement with Zatko in June, following his firing.[39] The settlement prohibits Zatko from speaking publicly about his time at Twitter or disparaging the company, with the exception of Congressional hearings and governmental whistleblower complaints.[39] On 13 September 2022, Zatko testified before the Senate Judiciary Committee.[40][41]
Personal life
On 11 August 2007 he married Sarah Lieberman, a co-worker at BBN and former mathematician at the National Security Agency. Remarking about her husband's time at Twitter in an article in Time Magazine, she said, "dishonesty is definitely something that frustrates him."[42]
Awards
2013 Office of the Secretary of Defense Exceptional Public Service Award[43]
2011 SC Magazine Top 5 influential IT security thinkers of the year[44]
Papers
An Architecture for Scalable Network Defense, Strayer, Miliken, Watro, Heimerdinger, Harp, Goldman, Spicuzza, Schwartz, Mankins, Kong, and Zatko, Proceedings of the 34th Annual IEEE Conference on Local Computer Networks (LCN), October 2009.
SLINGbot: A System for Live Investigation of Next Generation Botnets, Alden Jackson, David Lapsley, Christine Jones, Mudge Zatko, Chaos Golubitsky, and W. Timothy Strayer, Proceedings of the Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH), Washington, D.C., March 2009.
Security Analysis of the Palm Operating System and its Weaknesses Against Malicious Code Threats, Joe Grand and Mudge, 10th USENIX Security Symposium, Washington, D.C., August 2001.
Cryptanalysis of Microsoft's PPTP Authentication Extensions (MSCHAPv2), Bruce Schneier, Mudge, and David A. Wagner, Secure Networking CQRE [Secure] 1999, International Exhibition and Congress, Springer Lecture Notes in Computer Science, no. 1740, pp. 192–203, Nov/Dec 1999.
Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP), Bruce Schneier and Mudge, Fifth ACM Conference on Communications and Computer Security, pp. 132–141, March 1998.
L0pht Security advisories and software
Mudge published numerous papers and advisories detailing security problems across different applications and operating systems and was a pioneering champion of full disclosure.
Crontab buffer overflow vulnerabilities, Oct 2001[46]
Initial Cryptanalysis of the RSA SecurID Algorithm, Jan 2001[47]
AntiSniff: Identification of remote systems in promiscuous mode, May 2000[48]
Race conditions within RedHat Linux initscripts, Dec 2000[49]
Reverse Engineering Cactus Software shell-lock obfuscation techniques, Oct 1999[50]
Solaris /bin/su side channel attack, June 1999[51]
L0pht Watch: A tool for filesystem race condition attacks, Jan 1999[52]
Hash disclosure vulnerabilities in Quakenbush Windows NT Password Appraiser, Jan 1999[53]
References
Perrigo, Billy; Chow, Andrew R.; Bergengruen, Vera (25 August 2022). "The Twitter Whistleblower Needs You to Trust Him". Time. Retrieved 31 January 2023. Quote: "After graduating, he split his time between playing at clubs with his progressive metal band Raymaker, part-time tech-support work, and working with a high-profile hacker 'think tank' called the L0pht (pronounced Loft) to expose corporate security flaws. He would soon become its most prominent member and went on to join a hacking cooperative known as the Cult of the Dead Cow."
Kovacs, Eduard (18 October 2021). "Password Auditing Tool L0phtCrack Released as Open Source". SecurityWeek. Retrieved 31 January 2023. Quote: "L0phtCrack was originally developed by Peiter Zatko, also known as Mudge, of the L0pht hacker think tank."
Lyngaas, Sean (24 August 2022). "Meet the former Twitter exec blowing the whistle on the company". CNN Business. Retrieved 31 January 2023. Quote: "Thomas, who, like Zatko, uses his hacker name 'Space Rogue' professionally, said he and Zatko 'have had our differences in the past,' adding that he was fired from @stake, the cybersecurity consultancy where Zatko was chief scientist, in 2000."