Twitter whistle-blower won hacker kudos, fired over performance

The former Twitter Inc. security chief alleging that the company misled investors about data protection issues is no stranger to high-pressure situations.

Peiter Zatko, also known by the hacker nickname “Mudge,” is a longtime cybersecurity executive who over the years has held various technology-related roles with the US Defense Advanced Research Projects Agency, Google and the payment service Stripe Inc. It’s a resume that’s earned Zatko a distinguished cyber pedigree, and a career that began in earnest with congressional testimony about vulnerabilities in global technology.

Here’s what you need to know.

He became a public figure more than two decades ago. Zatko, testifying as Mudge, was one of seven young hackers who in May 1998 warned a Senate committee about fundamental weaknesses in the internet’s infrastructure. As a member of L0pht, an early hacking collective that functioned as kind of a think tank, Mudge told lawmakers that attackers could shut down the functionality of the net within 30 minutes due to weaknesses in technologies called Border Gateway Protocol and the Domain Name System protocol.

In 2018, members of the same group, including Zatko, again warned Congress that many of those technologies remained insecure. Zatko went on to join Twitter in 2020, after another group of teenage hackers allegedly breached a number of high-profile accounts, including the page of then-presidential candidate Joe Biden.

Mudge went on to work for DARPA. After winning acclaim as a hacker Zatko went on to work for DARPA, the US Defense Department’s research-and-development agency.

There, he helped create the Cyber Fast Track, a program designed to accelerate the rate at which the government awarded contracts to independent cyber researchers. The goal was to foster collaboration between the bureaucratic Defense Department and boutique cyber firms that could provide the US with stronger defenses by approving contracts within seven days, as Wired reported.

In 2016, Mudge and his wife, Sarah, unveiled their own method for assessing the security of software, an attempt to help technology companies and consumers distinguish between reliable and insecure programs. The operation, known as the Cyber Independent Testing Lab, eventually helped users to compare the security of one program, such as a browser or a piece of cybersecurity software, with others.

The basic concept gained credence when Anne Neuberger, the Biden administration’s Deputy National security advisor for Cyber and Emerging technology, in 2021 suggested a “ cleanliness rating” for software security.

Zatko had stints in Silicon Valley. Between stints in the US government and at Twitter, Zatko also held cybersecurity jobs at Google and the payment company Stripe. At Google, he worked on special projects, according to Reuters, moving to Stripe in 2017 as the unicorn startup emerged as a ripe target for cybercriminals.

Twitter poached Zatko from Stripe in 2020, after hackers commandeered high-profile accounts as part of a scheme to raise cryptocurrency. Twitter had struggled for years to police the growing number of employees and contractors capable of resetting user accounts and overriding company security settings, Bloomberg reported in 2020.

In his whistle-blower complaint, according to the Washington Post, Zatko alleged that thousands of Twitter employees still had deep internal access to core software, a major security issue.

He was fired from Twitter in January. In a statement to Bloomberg Tuesday, Twitter said Zatko was dismissed from his role earlier this year for ineffective leadership and performance. The company described Zatko’s complaint as “opportunistic” and suggested the allegations were designed to “inflict harm on Twitter.”

Zatko’s departure from the company coincided with the exit of chief information security officer Rinki Sethi. Both executives joined Twitter in late 2020. They departed the company following “an assessment of how the organization was being led and the impact on top priority work,” according to a memo that CEO Parag Agrawal sent to employees, the New York Times reported at the time.

“Mudge stands by everything in his disclosure, and his career of ethical and effective leadership speaks for itself,” John Tye, chief disclosure officer at Whistleblower Aid, which is representing Zatko, said in a statement to Bloomberg News. “The focus should be on the facts laid out in the disclosure, not ad hominem attacks against the whistleblower.” Bloomberg