In another life, Peiter “Mudge” Zatko was one of the most influential hackers on the internet, having had a high-profile role in both L0pht and the Cult of the Dead Cow (cDc). His reputation for uncovering security issues, and then disclosing them, helped to define the way that security issues are disclosed to the public today.
In a way, Mudge never stoped innovating in the way he presented security issues to the public—as his career took him well beyond his hacker roots into roles at DARPA and Google, where he maintained the name “Mudge” as a part of his professional identity, along with his status as an ethical hacker.
And now, he’s innovating in a whole new way—as Twitter’s first true whistleblower, with the help of the organization Whistleblower Aid. He has accused the company’s leadership, particularly recently installed CEO Parag Agrawal of taking steps to downplay or even minimize security concerns—along with Mudge’s reporting on them. One email in the CNN Business piece highlights how Agrawal gave him conflicting instructions regarding how to report the company’s security challenges, forcing an oral report when he had offered to conduct a detailed written report.
While Jack Dorsey, who hired Mudge, was given a friendlier presentation per CNN Business (as highlighted by the tweet above), it did raise questions about how checked-out the Twitter founder was during his final months with the company.
The report accuses Twitter of having poor security standards, with outdated software on its fleet of machines and evidence the company does not follow traditionally accepted privacy standards. Additionally, if the company were to face downtime from some of those machines, redundancy is limited—meaning the company would be dealing with far worse than a failwhale.
In a way, it’s not totally a surprise that there were security problems—Mudge, already legendary, was hired after an infamous 2020 security incident in which many of Twitter’s most famous users, including Joe Biden and Elon Musk, were hacked—but it is surprising the depth of them, implying that many employees have direct or potential access to important platform controls, and that the company has failed to follow a privacy agreement with the Federal Trade Commission. Mudge described the mess as containing “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”
The famed 1998 L0pht Heavy Industries Congressional testimony, which is now the second-most-famous thing Mudge is known for. Mudge is the one with the long hair.
Mudge’s whistleblowing also suggests that the company had gone out of its way to discourage reporting on bots, which have obviously been a bit of a pet issue for Musk, who is in the process of trying to get out of a plan to buy Twitter. The company uses some unusual numbers to count the exact number of bots, and while not the emphasis of Mudge’s whistleblowing (which started well before Musk got involved), he did suggest to CNN Business that there should be more of an appetite than there is to analyze the number of bots on the platform, suggesting that Twitter could do more to assuage these concerns.
“The executive team, the board, the shareholders and the users all deserve an honest answer as to what it is that they are consuming as far as data and information and content,” he said.
All in all, as a user of Twitter, this raises a whole bunch of red flags, and makes me wonder about the way security gets prioritized in organizations where growth at all costs. It took a lot of years for Twitter to get to the point of where it is, and that Mudge feels compelled to speak out in this way suggests that Twitter has never taken enough of a step back to question its own security practices.
And given that this platform plays such an important role in democracy and the dissemination of information, that doesn’t feel good enough.
Thanks for not letting this one slide, Mudge.
Time limit given ⏲: 30 minutes
Time left on clock ⏲: 35 seconds