Peiter Zatko

Peiter "Mudge" Zatko
Mudge during his tenure at DARPA
Born December 1, 1970 (age 53)
Alabama, U.S. [1]
Citizenship American
Alma mater Berklee College of Music
Known for L0pht, L0phtcrack, DARPA Cyber Fast Track, testimony to the Senate, Cult of the Dead Cow
Awards Secretary of Defense Exceptional Civilian Service Award, Order of Thor
Scientific career
Fields Computer Science, Public administration, Hacker
Institutions Google, Motorola, DARPA, L0pht, Twitter

Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He was the most prominent member of the high-profile hacker think tank the L0pht [2] as well as the computer and culture hacking cooperative the Cult of the Dead Cow.

While involved with the L0pht, Mudge contributed to disclosure and education on information and security vulnerabilities. In addition to pioneering buffer overflow work, the security advisories he released contained early examples of flaws in the following areas: code injection, race condition, side-channel attack, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack. [3]

In 2010, Mudge accepted a position as a program manager at DARPA where he oversaw cyber security research. [4] In 2013, Mudge went to work for Google in their Advanced Technology & Projects division. [5] [6] In 2020, he was hired as head of security at Twitter. [7] He currently works at the security consulting firm Rapid7 that develops Metasploit. [8]

Biography

Born in December 1970, Mudge graduated from the Berklee College of Music at the top of his class [9] and is an adept guitar player.

Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. In 1995 he published "How to Write Buffer Overflows", one of the first papers on the topic. [10] He published some of the first security advisories and research demonstrating early vulnerabilities in Unix such as code injection, side-channel attacks, and information leaks, and was a leader in the full disclosure movement. He was the initial author of security tools L0phtCrack, AntiSniff, and l0phtwatch. [11] [12]

Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as DEF CON [13] and academic conferences such as USENIX. [14] Mudge has also been a member of Cult of the Dead Cow since 1996. [15] [11] He was one of the seven L0pht members who testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time. [16] The L0pht became the computer security consultancy @stake in 1999, and Mudge became the vice president of research and development and later chief scientist. [17] [18]

In 2000, after the first crippling Internet distributed denial-of-service attacks, he was invited to meet with President Bill Clinton at a security summit alongside cabinet members and industry executives. [19]

In 2004 he became a division scientist at government contractor BBN Technologies, [20] where he originally worked in the 1990s, and also joined the technical advisory board of NFR Security. [21] In 2010, it was announced that he would be project manager of a DARPA project focused on directing research in cyber security. [4] In 2013 he announced that he would leave DARPA for a position at Google ATAP. [6] [22] In 2015 Zatko announced on Twitter he would join a project called #CyberUL, a testing organisation for computer security inspired by Underwriters Laboratories, mandated by the White House. [23]

Career

DARPA

At DARPA he created the Cyber Analytical Framework the agency used to evaluate DoD investments in offensive and defensive cyber security. During his tenure he ran at least three Department of Defense (DoD) programs known as Military Networking Protocol (MNP), Cyber-Insider Threat (CINDER), and Cyber Fast Track (CFT).

Military Networking Protocol (MNP) provided network prioritization with full user-level attribution for military computer networks. [24]

CINDER focused on identifying cyber espionage conducted by virtual insider threats such as future variants of Stuxnet or Duqu. CINDER is often mistakenly associated with WikiLeaks in the media. [25] [26] This is possibly due to confusion between DARPA programs focused on identifying human insider threats, such as ADAMS, [27] and the CINDER program's identification of software espionage conducted by malware. [28] This issue was clarified by Mudge in his Defcon 2011 keynote at 46 minutes and 11 seconds into the talk. [29]

Cyber Fast Track (CFT) provided resources and funding to security research, including programs run by hackers, hackerspaces, and makerlabs. The program provided an alternative to traditional government contracting vehicles that was accessible to individuals and small companies previously unable to work within the cumbersome and complicated DARPA process. The novel contracting effort had an average time of 7 days from receipt of proposal to funding being provided to the proposing research organization. [30] The program was initially announced at Shmoocon during his 2011 keynote.

Twitter

Zatko was hired by Jack Dorsey, Twitter's CEO, in November 2020 to lead the company's information security approach, after a July 2020 hack that compromised multiple high-profile accounts. [31] [32] He was terminated by the company in January 2022, [33] with Twitter claiming it was after "an assessment of how the organization was being led and the impact on top priority work".

On 23 August 2022, the contents of a whistleblower complaint made by Zatko to the United States Congress were published. [31] The complaint alleges Twitter committed multiple violations of United States securities regulations, the Federal Trade Commission Act of 1914, and a 2011 enforceable consent decree reached with the Federal Trade Commission after several issues between 2007 and 2010. [34] He also accused Twitter of "extreme, egregious deficiencies" in its handling of user information and spam bots. [35] Zatko accused several Twitter executives, including Parag Agrawal and certain board members, of making false or misleading statements about privacy, security, and content moderation on the platform in violation of the Federal Trade Commission Act of 1914 and SEC disclosure rules. These included misrepresentations to Elon Musk made during the course of his acquisition bid, with the complaint specifically calling Agrawal's May 16 thread deceptive. [36] [37] [38] The Wall Street Journal reported that Twitter reached a confidential $7 million settlement with Zatko in June, following his firing. [39] The settlement prohibits Zatko from speaking publicly about his time at Twitter or disparaging the company, with the exception of Congressional hearings and governmental whistleblower complaints. [39] On 13 September 2022, Zatko testified before the Senate Judiciary Committee. [40] [41]

Personal life

On 11 August 2007 he married Sarah Lieberman, a co-worker at BBN and former mathematician at the National Security Agency. Remarking about her husband’s time at Twitter in an article in Time Magazine, she said, "dishonesty is definitely something that frustrates him." [42]

Awards

Refereed papers

L0pht Security advisories and software

Mudge published numerous papers and advisories detailing security problems across different applications and operating systems and was a pioneering champion of full disclosure.


References

  1. Lyngaas, Sean (24 August 2022). "Meet the former Twitter exec blowing the whistle on the company". CNN Business.
  2. "Security Scene Errata". Archived 2 May 2005 at the Wayback Machine.
  3. "LOPH-TCRACK". 2009. Archived from the original on 4 March 2012.
  4. "Hacker 'Mudge' gets DARPA job". 10 February 2010. Archived from the original on 9 January 2011. Retrieved 12 February 2010.
  5. "Peiter "Mudge" Zatko To Join Motorola Mobility's Advanced Technology & Projects (ATAP)". Archived from the original on 5 December 2013. Retrieved 9 September 2013.
  6. "Mudge goes to Google". Twitter. 12 April 2013. Archived from the original on 1 February 2015.
  7. Menn, Joseph (16 November 2020). "Twitter names famed hacker 'Mudge' as head of security". Reuters. Retrieved 16 November 2020.
  8. Menn, Joseph (4 January 2023). "Twitter whistleblower Zatko lands new job at a security consulting firm". The Washington Post. Retrieved 4 January 2023.
  9. "Other Paths - Berklee College of Music". Berklee.edu. Archived from the original on 10 October 2014. Retrieved 1 October 2014.
  10. "L0pht Heavy Industries Services". insecure.org. Archived from the original on 3 September 2006. Retrieved 24 August 2006.
  11. Perrigo, Billy; Chow, Andrew R.; Bergengruen, Vera (25 August 2022). "The Twitter Whistleblower Needs You to Trust Him". Time. Retrieved 31 January 2023. After graduating, he split his time between playing at clubs with his progressive metal band Raymaker, part-time tech-support work, and working with a high-profile hacker "think tank" called the L0pht (pronounced Loft) to expose corporate security flaws. He would soon become its most prominent member and went on to join a hacking cooperative known as the Cult of the Dead Cow.
  12. Kovacs, Eduard (18 October 2021). "Password Auditing Tool L0phtCrack Released as Open Source". SecurityWeek. Retrieved 31 January 2023. L0phtCrack was originally developed by Peiter Zatko, also known as Mudge, of the L0pht hacker think tank.
  13. "DEF CON V Archives". www.defcon.org. Archived from the original on 14 June 2006. Retrieved 18 April 2006.
  14. "USENIX - The Advanced Computing Systems Association". www.usenix.org. Archived from the original on 24 September 2006. Retrieved 18 April 2006.
  15. "CULT OF THE DEAD COW: CULT OF THE DEAD COW". Cult of the Dead Cow. Archived from the original on 17 April 2006. Retrieved 18 April 2006.
  16. "Press Releases". 31 March 2005. Archived from the original on 31 March 2005.
  17. "The L0pht, renowned 'hacker think-tank,' becomes @stake". Archived from the original on 30 June 2004. Retrieved 7 September 2018.
  18. Lyngaas, Sean (24 August 2022). "Meet the former Twitter exec blowing the whistle on the company". CNN Business. Retrieved 31 January 2023. Thomas, who, like Zatko, uses his hacker name "Space Rogue" professionally, said he and Zatko "have had our differences in the past," adding that he was fired from @stake, the cybersecurity consultancy where Zatko was chief scientist, in 2000.
  19. "Clinton fights hackers, with a hacker". Archived 10 September 2005 at the Wayback Machine.
  20. "Hacker 'Mudge' Returns to BBN". Archived from the original on 28 September 2007. Retrieved 6 July 2007.
  21. "NFR Security Adds Leading Security Industry Experts to Technology Advisory Board". Archived from the original on 26 September 2006. Retrieved 12 July 2006.
  22. "Google goes DARPA". Fortune Magazine. 14 August 2014. Archived from the original on 1 October 2014. Retrieved 27 September 2014.
  23. "Famed Security Researcher Mudge Leaves Google". Recode. 29 June 2015. Archived from the original on 3 July 2015. Retrieved 2 July 2015.
  24. "Military Networking Protocol". 16 October 2011. Archived from the original on 17 December 2011. Retrieved 12 February 2012.
  25. Ackerman, Spencer (31 August 2010). "Darpa's Star Hacker Looks to WikiLeak-Proof Pentagon". Wired. Archived from the original on 1 December 2013. Retrieved 12 February 2012.
  26. Greenberg, Andy (29 November 2010). "An Interview with WikiLeaks' Julian Assange". Forbes. Archived 16 August 2011 at the Wayback Machine.
  27. "Anomaly Detection at Multiple Scales". 16 October 2011. Archived from the original on 21 January 2012. Retrieved 12 February 2012.
  28. "Cyber Insider Threat". 27 August 2011. Archived from the original on 11 January 2012. Retrieved 12 February 2012.
  29. "BlackHat USA 2011 Keynote". Archived from the original on 21 January 2012. Retrieved 12 February 2012.
  30. Lim, Dawn (14 November 2011). "New Fast Track Program Okays Hacker Projects in Just Seven Days". Wired Magazine. Archived from the original on 15 March 2014. Retrieved 12 February 2012.
  31. Vincent, James (23 August 2022). "Twitter's former security chief says company lied about bots and safety". The Verge.
  32. Tung, Liam (24 August 2022). "Peiter 'Mudge' Zatko: CSO-turned-whistleblower says Twitter security was in a shambles". ZDNet. https://www.zdnet.com/article/peiter-mudge-zatko-cso-turned-whistleblower-says-twitter-security-was-in-a-shambles/
  33. "Twitter shakes up its security team". The New York Times. 21 January 2022.
  34. Chow, Andrew R.; Bergengruen, Vera; Perrigo, Billy (23 August 2022). "'Egregious Deficiencies,' Bots, and Foreign Agents: The Biggest Allegations From the Twitter Whistleblower". Time. Archived from the original on 24 August 2022. Retrieved 24 August 2022.
  35. "Twitter whistleblower alleges 'egregious deficiencies' in security measures". The Guardian. 23 August 2022. Retrieved 23 August 2022.
  36. Menn, Joseph; Dwoskin, Elizabeth; Zakrzewski, Cat (23 August 2022). "Former security chief claims Twitter buried 'egregious deficiencies'". The Washington Post. Archived from the original on 23 August 2022. Retrieved 23 August 2022.
  37. Siddiqui, Faiz; Dwoskin, Elizabeth (23 August 2022). "New whistleblower allegations could factor into Twitter vs. Musk trial". The Washington Post. Archived from the original on 23 August 2022. Retrieved 23 August 2022.
  38. Bursztynsky, Jessica (16 May 2022). "Twitter CEO explains how the company actually fights spambots in rebuttal to Musk". CNBC. Archived from the original on 16 May 2022. Retrieved 28 May 2022.
  39. Lombardo, Cara (8 September 2022). "Twitter Agreed to Pay Whistleblower Roughly $7 Million in June Settlement". The Wall Street Journal. Archived from the original on 8 September 2022.
  40. Bond, Shannon; Dillion, Raquel Maria (13 September 2022). "Twitter may have hired a Chinese spy and four other takeaways from the Senate hearing". NPR. Archived from the original on 15 September 2022.
  41. Dang, Sheila; Shepardson, David (13 September 2022). "Twitter whistleblower reveals employees concerned China agent could collect user data". Reuters. Archived from the original on 15 September 2022.
  42. Perrigo, Billy; Chow, Andrew R.; Bergengruen, Vera (25 August 2022). "The Twitter Whistleblower Needs You to Trust Him". Time. Retrieved 26 August 2022.
  43. "Mudge receives Office of SecDef highest non-career civilian award". Twitter. Archived from the original on 30 January 2015. Retrieved 28 September 2014.
  44. Moscaritolo, Angela (1 December 2011). "SC Magazine Top 5 Influential IT Security Thinkers of 2011". SC Magazine. Archived from the original on 9 March 2012. Retrieved 12 February 2012.
  45. "BBN Technologies' Peiter "Mudge" Zatko Honored With Boston Business Journal '40 Under 40' Award". BBN Press Release. 15 October 2007. Archived from the original on 5 July 2014. Retrieved 27 September 2014.
  46. "Crontab buffer overflow vulnerabilities, Oct 2001". Archived from the original on 3 March 2016. Retrieved 28 September 2014.
  47. "Initial Cryptanalysis of the RSA SecurID Algorithm" (PDF). Archived (PDF) from the original on 10 October 2015. Retrieved 28 September 2014.
  48. "NMRC L0pht Antisniff Product Review". Archived from the original on 4 March 2015. Retrieved 28 September 2014.
  49. "OpenNET security: L0pht Advisory: initscripts-4.48-1 RedHat Linux 6.1". www.opennet.ru. Archived from the original on 10 January 2016. Retrieved 28 September 2014.
  50. "L0pht Advisory: Cactus Software de-obfuscate and retrieve shell code". Archived from the original on 10 January 2016. Retrieved 28 September 2014.
  51. "discuss@menelaus.mit.edu: [10792] in bugtraq". diswww.mit.edu. Archived from the original on 10 January 2016. Retrieved 28 September 2014.
  52. "l0phtwatch Advisory". Archived from the original on 4 March 2016. Retrieved 28 September 2014.
  53. "NT Password Appraiser hash disclosure". Archived from the original on 17 April 2013. Retrieved 28 September 2014.
  54. "IFS trojan path vulnerability". Archived from the original on 4 March 2016. Retrieved 28 September 2014.
  55. ".:: Phrack Magazine ::". phrack.org. Archived from the original on 10 October 2014. Retrieved 28 September 2014.
  56. "BuddhaLabs/PacketStorm-Exploits". GitHub. Archived from the original on 10 January 2016. Retrieved 28 September 2014.
  57. "Imap core dump information disclosure". Archived from the original on 4 March 2016. Retrieved 28 September 2014.
  58. "Vulnerabilities in Microsoft password encryption". Archived from the original on 11 February 2017. Retrieved 28 September 2014.
  59. "Solaris 2.5 libc exploitation". Archived from the original on 3 April 2013. Retrieved 28 September 2014.
  60. "Modstat exploit". insecure.org. Archived from the original on 23 September 2015. Retrieved 28 September 2014.
  61. "L0pht Kerberos 4 remote memory leak". Archived from the original on 10 January 2016. Retrieved 28 September 2014.
  62. "Sendmail 8.7.5 GECOS buffer overflow vulnerability". Archived from the original on 3 March 2016. Retrieved 28 September 2014.
  63. "remote inventory via test-cgi vulnerability". Archived from the original on 4 March 2016. Retrieved 28 September 2014.
  64. "Weaknesses in the SecurID (RSA Token) authentication system". Archived from the original on 4 March 2016. Retrieved 28 September 2014.
  65. "S/Key password cracker". Archived from the original on 3 March 2016. Retrieved 28 September 2014.