Cloud Hosting

Peiter Mudge Zatko, the former Twitter security chief who has alleged that the company covered up negligent security practices and lied to regulators about data management, was a credible, capable, and brutally honest security expert, according to peers and colleagues.

The assessment of Zatkos work and character culled from public messages of support and recollections shared directly with The Verge is at odds with statements made by current Twitter CEO Parag Agrawal, who has claimed that Zatko is presenting a false narrative of the inner workings of the company after being terminated for poor performance in January.

In a whistleblower disclosure filed with the SEC and first reported by CNN and The Washington Post, Zatko accused Twitter of numerous severe security lapses and claimed that the executive team frequently misled government regulators and its own board of directors about the extent of vulnerabilities on the platform. The filing also claims that the company violated a privacy agreement made with the FTC that required it to delete the data of any users who decided to cancel their Twitter accounts and that the company intentionally manipulated data on the number of bot accounts on the platform.

In a response provided to CNN language from which was echoed in an email sent by Agrawal to Twitter staff a Twitter spokesperson said that Zatkos allegations were riddled with inconsistencies and inaccuracies and seemed designed to capture attention and inflict harm on Twitter, its customers and its shareholders.

But Twitters fierce pushback against Zatkos criticism prompted a backlash from many leading voices in the field, who spoke out to endorse the security experts credentials and track record. Alec Muffett, an internet security expert and software engineer who worked on Twitters efforts to launch a Tor service, told The Verge that he had known Zatko for decades and trusted the claims made in the SEC disclosure.

Ive known Mudge since the mid 1990s when he and the other members of the L0pht were capable and scrappy hackers, Muffett said. He demonstrated enormous creativity and drive towards improvement of internet security overall ... I have no hesitation about supporting his observations as being both highly credible and concerning.

Zatko first gained prominence as part of the L0pht, a Boston-based hacker collective known as an influential computer security research group in the 1990s. Notably, while the L0pht released software, the group also advised on policy, even giving testimony before the Senate on internet security in 1998. In his earlier hacking days, Zatko was also a member of the notorious hacker group Cult of the Dead Cow, which also counted former presidential candidate (and current Texas gubernatorial candidate) Beto ORourke as a member.

As his profile grew, Zatko took on roles with Defense Advanced Research Projects Agency (DARPA) and Googles Advanced Technologies and Projects research group. He was hired by Twitter in 2020 in the months after a major security incident that saw hackers take over some of the platforms most-followed celebrity accounts. But he stayed only just over a year, being fired by incoming CEO Agrawal in January 2022.

One of Zatkos specific claims that too many employees are given access to critical software within the company seemed to be supported by details shared by Al Sutton, a former software engineer at Twitter. In a tweet, Sutton said that he was still able to commit code in the employee group fo Twitters open-source software repositories on the code hosting website GitHub, despite having left the company 18 months ago.

The tweet linked to Twitters organization page on GitHub, showing that Suttons account was still listed as one of only 34 contributing members. Shortly after The Verge reached out to Twitter for comment, Suttons account was removed as a contributor.

Contacted by The Verge, Sutton declined to comment further on Twitters security posture but said of Zatko, I had very little overlap with Mudge, but from what overlap I did have, and other folk I know who know him pretty well, hes brutally honest and I have zero reason to doubt his claims.

Already, leaders in the security space have rushed to Zatkos public defense. Industrial security specialist Robert M. Lee accused Twitter of a smear campaign, saying Mudges skills and leadership were some of the most beloved and well documented in the community. Prominent cybersecurity journalist Kim Zetter echoed the sentiment, saying there was probably no security exec with more ethics, more credibility than Mudge.

The Verge reached out to Mudge for comment but did not receive a response. A statement sent from Whistleblower Aid, a nonprofit organization that supports whistleblowers and is representing Zatko, said that legal obligations prevent Mudge and Whistleblower Aid from discussing events during Mudges time at Twitter, except through lawful, properly authorized disclosures including subpoenas to testify which he would of course honor.

Twitter did not provide a comment by time of publication.

Excerpt from:
Security pros are rallying to defend the Twitter whistleblower - The Verge