How a famous 51-year-old hacker revolutionized one of the world’s most influential social networks

New York (CNN Business)

When Peiter Zatko joined Twitter as head of security in late 2020 at the behest of founder and then-CEO Jack Dorsey, he was surprised by what he found. Twitter, a social network with hundreds of millions of users, was “more than a decade behind industry security standards,” he later testified.

Less than a year later, Zatko was urging his management to address what Twitter’s top executives described as “a ticking bomb of security vulnerabilities” and provide a full accounting of its shortcomings.

His concerns, first raised privately and then made public in a whistleblower disclosure, would upend one of the world’s most influential social networks and raise new questions about the world’s richest man, Elon Musk, and his acquisition of the company. It would also, he later testified, put his career and his family at risk.

In a July filing with various US government agencies, Zatko alleged that Twitter (TWTR) trusted too many employees with access to sensitive user data, creating a fragile security posture that an outsider could have used to wreak havoc on the platform. The disclosure also said that one or more current Twitter employees may work for a foreign intelligence service, putting user data and US national security at risk, and that Twitter CEO Parag Agrawal misled the company’s board of directors by preventing Zatko from providing a full account of Twitter’s security vulnerabilities. (Twitter has criticized Zatko and has defended itself against the allegations.)

“Given the real harm done to users and national security, I decided it was necessary for me and my family to take the personal and professional risk of becoming a whistleblower,” Zatko, better known as “Mudge” in cybersecurity circles, where he is highly regarded, said at a Senate hearing on his disclosure in September. “I did not make my whistleblower disclosure out of contempt or to harm Twitter, far from it, and I continue to believe in the company’s mission and its success.”

Since going public with his concerns, Zatko, who has held numerous positions in the private and public sectors, has found himself at the center of renewed scrutiny of Twitter. He testified to a Senate committee last month about his disclosure, and his allegations have drawn the attention of several regulators both in the United States and abroad. Meanwhile, his former colleagues received requests for paid interviews from investigative firms apparently seeking information and dirt on Zatko, according to a New Yorker report last month.

The disclosure also coincided with Musk’s fight to get out of his $44 billion deal to buy Twitter. Musk’s team deposed Zatko, and the billionaire added some of Zatko’s allegations to his argument for ending the deal. While Musk now appears to want to go ahead with the purchase, the timing of Zatko’s allegations raised questions about his motives. (Zatko denies any relationship with Musk and says his decision had nothing to do with the deal; Musk’s legal team says it was unaware of the disclosure until it was made public.)

Twitter pushed back against Zatko’s allegations, saying security and privacy “have long been the company’s top priorities.” Twitter said his disclosure was “riddled with inconsistencies and inaccuracies” and painted a “false narrative” of the company. Twitter has also tried to paint Zatko as a disgruntled ex-employee with an ax to grind against the company.

But some who have worked with Zatko over the past three decades portray him as a principled technologist with a knack for making the complex accessible and a burning desire to solve problems, as he has for much of his career. They say the decision to blow the whistle is in line with that approach.

“He’s not doing this for fun. It doesn’t get him anything,” said Dave Aitel, a former National Security Agency computer scientist and Zatko’s colleague at the @stake cybersecurity consulting firm. “That’s when you have to look closely at the integrity.”

As a result of his whistleblowing, Zatko may be eligible to receive a monetary award from the US government. John Tye, founder of Whistleblower Aid and Zatko’s attorney, previously told CNN, “The possibility of an award was not a factor in [Zatko’s] decision.”

Almost 25 years ago, as a young computer programmer with much longer hair, Zatko told Congress that the Internet was not very secure. A big part of the problem, Zatko told a Senate panel, is that software and e-commerce companies “want to ignore the problems for as long as possible. It’s cheaper for them.”

Several years earlier, Zatko had joined the Boston hacking collective known as L0pht, according to “Cult of the Dead Cow,” Washington Post reporter Joseph Menn’s book about how the early hacking scene shaped the cybersecurity industry.

L0pht members found problems in the computer systems that companies built and then worked with those companies to fix them. While it is now an established practice for companies to work with outside researchers to fix software bugs, at the time it was seen as provocative and upsetting to the software giants.

Zatko “bent the industry to his will,” Dug Song, Cisco Security’s chief strategy officer, who has known Zatko since the 1990s, previously told CNN. “L0pht created a model of how to do that that was, frankly, respectable and honorable.”

Zatko was part of a hacker group that participated in a Senate hearing on government computer security in May 1998.

Cris “Space Rogue” Thomas, another former L0pht member who testified alongside Zatko that day, said L0pht would do everything it could to get companies to work together to fix software problems discovered by the hacking group.

Thomas, who, like Zatko, goes by his hacker name professionally, told CNN in August that he and Zatko “have had our differences in the past,” adding that he was fired in 2000 from @stake, the cybersecurity consultancy where Zatko was chief scientist. “Feelings were hurt, but that doesn’t change who he [Zatko] is and what he believes in and what he does. So I still think his moral standards haven’t really changed…in the 30 years I’ve known him.”

Over the next few years, Zatko, now 51, led an influential cybersecurity grant program at the Pentagon, worked in a cutting-edge technology development division at Google, helped build the cybersecurity team at fintech company Stripe and advised US lawmakers and officials on closing Internet security holes.

His career has shown that “there was more to hacking than one-upmanship, that there was real social benefit and impact,” Song said.

Twitter hired Zatko in November 2020 to bolster cybersecurity and privacy at the company following a July 2020 hack, allegedly led by a Florida teenager, that compromised the Twitter accounts of some of the planet’s most famous people, including then-presidential candidate Joe Biden. According to the disclosure, Zatko reported directly to Dorsey.

When he was hired to join Twitter, Zatko framed the move in terms of public benefit. “I really believe in the mission of serving the public conversation (fairly),” he tweeted at the time. “I’ll do my best!”

Zatko, seen here posing for a portrait in August, was hired by Twitter in November 2020 to help improve the company’s cybersecurity and privacy.

But Zatko quickly discovered that accomplishing that mission at Twitter would be difficult. According to his disclosure, structural issues and misaligned incentives prevented Twitter from addressing many of its biggest problems, including adequately protecting user data, combating foreign manipulation of the platform and ensuring the security of the physical infrastructure that supports the company.

Agrawal — Dorsey’s successor as Twitter’s boss and the former CTO who oversaw much of the company’s recent technical development — fired Zatko in January after he raised concerns about the company’s security and privacy practices, including concerns that misrepresentations made by executives to its board may constitute fraud, the disclosure says. (Twitter says an internal investigation found Zatko’s fraud claims unfounded and that it fired Zatko for poor performance; Zatko says his firing was in retaliation for speaking out.)

“This is something that everyone with big companies should be concerned about, which is the honesty and truthfulness of the data they’re sharing publicly, the national security implications, and whether users can trust their data with those organizations,” Zatko told CNN in August of his decision to submit the disclosure.

Now, as he publicly takes on Twitter, Zatko finds himself in the public conversation like never before.

“This was not my first choice,” he previously told CNN. “I exhausted all internal options.”

“But ethically, and with who I am, I saw that I was forced to comply with the law and follow legal channels, legal disclosure, because [Twitter] is a very important platform,” said Zatko. “I think it’s important to address some of these challenges. I honestly believe that I am still fulfilling the mission I was led to fulfill.”