Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He is currently the chief information officer of DARPA. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow.

While involved with the L0pht, Mudge contributed to disclosure and education on information and security vulnerabilities. Besides his pioneering buffer overflow work, the security advisories he released contained early examples of flaws in the following areas: code injection, race conditions, side-channel attacks, exploitation of embedded systems, and cryptanalysis of commercial systems. He was the original author of the password cracking software L0phtCrack.

In 2010, Mudge accepted a position as a program manager at DARPA, where he oversaw cyber security research. In 2013, Mudge went to work for Google in its Advanced Technology & Projects division. In 2023 he started working at the security consulting firm Rapid7, which develops Metasploit.

Biography

Born in December 1970, Mudge graduated from the Berklee College of Music at the top of his class and is an adept guitar player.

Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. In 1995 he published "How to Write Buffer Overflows", one of the first papers on the topic. He published some of the first security advisories and research demonstrating early vulnerabilities in Unix such as code injection, side-channel attacks, and information leaks, and was a leader in the full disclosure movement. He was the initial author of security tools L0phtCrack, AntiSniff, and l0phtwatch.

Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as DEF CON and academic conferences such as USENIX. Mudge has also been a member of Cult of the Dead Cow since 1996. The L0pht became the computer security consultancy @stake in 1999, and Mudge became the vice president of research and development and later chief scientist.

In 2000, after the first crippling Internet distributed denial-of-service attacks, he was invited to meet with President Bill Clinton at a security summit alongside cabinet members and industry executives.

Career

In 2004 Zatko became a division scientist at government contractor BBN Technologies, where he originally worked in the 1990s, and also joined the technical advisory board of NFR Security. In 2010, it was announced that he would be project manager of a DARPA project focused on directing research in cyber security.

Twitter

Zatko was hired by Jack Dorsey, Twitter's then CEO, in November 2020 to lead the company's information security approach, after a July 2020 hack that compromised multiple high-profile accounts. He was terminated by the company in January 2022, with Twitter claiming it was after "an assessment of how the organization was being led and the impact on top priority work".

On 23 August 2022, the contents of a whistleblower complaint made by Zatko to the United States Congress were published. The complaint alleges that Twitter committed multiple violations of United States securities regulations, the Federal Trade Commission Act of 1914, and a 2011 enforceable consent decree reached with the Federal Trade Commission after several issues between 2007 and 2010. He also accused Twitter of "extreme, egregious deficiencies" in its handling of user information and spam bots. Zatko accused several Twitter executives, including Parag Agrawal and certain board members, of making false or misleading statements about privacy, security, and content moderation on the platform in violation of the Federal Trade Commission Act of 1914 and SEC disclosure rules. These included misrepresentations to Elon Musk made during the course of his acquisition bid, with the complaint specifically calling Agrawal's May 16 thread deceptive. The Wall Street Journal reported that Twitter reached a confidential $7 million settlement with Zatko in June, following his firing. The settlement prohibits Zatko from speaking publicly about his time at Twitter or disparaging the company, with the exception of Congressional hearings and governmental whistleblower complaints.

Personal life

On 11 August 2007 he married Sarah Lieberman, a co-worker at BBN and former mathematician at the National Security Agency. Remarking about her husband’s time at Twitter in an article in Time Magazine, she said, "dishonesty is definitely something that frustrates him."

Awards

  • 2013 Office of the Secretary of Defense Exceptional Public Service Award

Papers

  • Initial Cryptanalysis of the RSA SecurID Algorithm, Jan 2001
  • AntiSniff: Identification of remote systems in promiscuous mode, May 2000
  • Race conditions within RedHat Linux initscripts, Dec 2000
  • Reverse Engineering Cactus Software shell-lock obfuscation techniques, Oct 1999
  • Solaris /bin/su side channel attack, June 1999
  • L0pht Watch: A tool for filesystem race condition attacks, Jan 1999
  • Hash disclosure vulnerabilities in Quakenbush Windows NT Password Appraiser, Jan 1999
  • suGuard privilege escalation attack, Jan 1999
  • Embedded FORTH Hacking on Sparc Hardware, Phrack Magazine, Volume 8, Issue 53, July 1998
  • Race Condition in Rational Systems ClearCase source control system, Jan 1998
  • Imap 4.1 remote memory dump and retrieval of sensitive information, Oct 1997
  • L0phtCrack: Technical rant on vulnerabilities in Microsoft encryption and passwords, July 1997
  • Root Compromise through Solaris libc_getopt(3), Jan 1997
  • BSD distributions of modstat allow compromise of DES keys, passwords, and ring 0 control, Dec 1996
  • Kerberos 4 memory leaks provide sensitive credential information via remote attacks, Nov 1996
  • Privilege escalation through Sendmail 8.7.5 GECOS buffer overflow vulnerability, Nov 1996
  • cgi-bin/test-cgi parsing vulnerabilities allow remote directory traversal, April 1996
  • Design weaknesses in the SecurID authentication system, 1996
  • MONKey: An attack on the s/key one-time-password system, 1995
