Who is Peiter ‘Mudge’ Zatko? The whistleblower who accused Twitter of cyber malpractices
Former Twitter head of security Peiter ‘Mudge’ Zatko has alerted US federal regulators that the company has “extreme, egregious deficiencies” in its handling of user information and spam bots. This development comes a day after Elon Musk dragged former Twitter CEO Jack Dorsey to court as part of the ongoing litigation with the social media company. The Twitter co-founder has been asked for documents and agreements to buy the company and about spam accounts on the platform, according to a copy of the subpoena viewed by Reuters.
According to a joint report by CNN and The Washington Post, Zatko, in a scathing whistleblower complaint, stated that the microblogging platform has deceived users, board members and the federal government about the strength of its security measures.
“Twitter is grossly negligent in several areas of information security,” Zatko wrote in the complaint. “If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
But, who is Zatko, and why has he accused Twitter of violating federal laws? Here we explain.
Early life and Career
Zatko, 51, was born in Boston, USA in Alabama. He graduated at the top of his class from Berklee School of Music in 1992. According to reports, he was a guitarist, but his love for cyber security made him join the field of computer science. ‘Mudge’ is his hacker nickname.
He developed the venerable L0phtCrack Windows password cracker, and this became a big reason for his popularity in cyberspace. In the 90s he joined the hacker think tank L0pht and another organisation called Cult of the Dead Cow (cDc) to keep his hacking activities anonymous. Mudge is also best known as one of the seven hackers who warned the US Senate committee about fundamental weaknesses in the internet’s infrastructure back in 1998.
In 1999, L0pht made the transition to a formal security company called @stake, and Zatko became a part of it. After that, he met then US President Clinton at a summit in 2000, where he discussed the waves of DoS attacks that were hitting the internet regularly, as predicted by him. He has also worked for DARPA, the US Defense Department’s research-and-development agency. He has worked with tech giants like Google, Stripe and BBN Technologies. At Google he worked on special projects, according to a Reuters report. However, his last stint was with Twitter.
Twitter stint
Zatko joined Twitter in November 2020, as per his LinkedIn profile, and was fired in January 2022 by CEO Parag Agrawal for “poor performance and ineffective” leadership.
According to The Guardian, Zatko was allegedly fired by Twitter after he began documenting all the violations Twitter made. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be,” Twitter said in a public statement.
Accusations against Twitter
Zatko’s complaint alleges that the company does not have the resources to understand the true number of bots on its platform, as per CNN. He alleged that the company even lacked basic security protocols.
As per TechCrunch, thousands of laptops of Twitter employees had complete copies of Twitter’s source code, and over one-third of the devices had blocked security fixes and had their firewalls turned off. “Employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” the complaint read, as reviewed by TechCrunch.
Further, a report by CNN notes that Zatko also alleges that he discovered that half of the company’s data centres run outdated software that does not contain basic features like “encryption for stored data, or no longer received regular security updates from their vendors”. This means that Twitter is susceptible to high-risk attacks. He compared the vulnerability to an “Equifax-level hack”, a 2017 credit agency hack that resulted in the theft of close to 150 million Americans’ personal information.
Meanwhile, Zatko alleged that Twitter had approximately one security incident every week that is serious enough to be reported to government agencies, something which isn’t currently happening.