Hacker boss exposes Twitter's 'security bomb'


When he joined Twitter at the end of 2020, Peiter Zatko, a renowned security expert and hacker, was taken aback by what he found.

Zatko, 51, joined as Chief Security Officer at the invitation of Twitter co-founder and then-CEO Jack Dorsey. He concluded that Twitter, a platform with hundreds of millions of users, was "more than a decade behind industry security standards".


Zatko, known by the handle Mudge, in front of a screen showing his Twitter account in November 2020. Photo: CNN

According to documents obtained by Bloomberg, from early 2021 Zatko urged Twitter's top executives to deal with what he described as a "bomb of security holes". He also gave the board a full account of the platform's security flaws.

Before joining Twitter two years ago, Zatko led security work at the electronic payments company Stripe. He had also worked at Google and as a cybersecurity expert at the Pentagon's Defense Advanced Research Projects Agency (DARPA).

Once a famous hacker

Zatko's career dates back to the 1990s. In Joseph Menn's book Cult of the Dead Cow, about the early hacking scene that grew into today's cybersecurity industry, Zatko appears as the leader of L0pht, a Boston-based hacker collective known for releasing Windows hacking tools such as the L0phtCrack password cracker. The group's work caused Microsoft plenty of trouble, but it also pushed the company to strengthen the security of its operating system.

As a young programmer, Zatko had the chance to deal directly with senior officials. He once told the US Congress that "the Internet is horribly unsafe". He also told the US Senate that software and e-commerce companies "want to ignore security for as long as possible because it makes it cheaper".

Dug Song, Chief Strategy Officer of Cisco Security, commented: "L0pht created a new model of hacker, one that was candid and, arguably, honorable." Cris "Space Rogue" Thomas, a former L0pht member, said Zatko and L0pht always did everything they could to get companies to fix the software problems the group found.

From Twitter's security chief...

Zatko joined Twitter in November 2020, a few months after a high-profile breach. In July 2020 the social network was hacked by a Florida teenager, and a string of prominent accounts were compromised, including those of then-presidential candidate Joe Biden and Elon Musk.

On joining Twitter, Zatko pledged that he "will do my best" to keep the network secure. He quickly realized, however, that the task was harder than he had expected. According to the documents he later filed, a series of structural problems and misaligned incentives prevented the platform from dealing with many major issues, including properly protecting user data, countering foreign manipulation, and securing the company's physical infrastructure.

In January 2022, Twitter CEO Parag Agrawal fired Zatko after he had begun raising concerns about the platform's privacy and security practices. A Twitter spokesperson later said he was dismissed for "poor performance".

... to the man who took on Twitter

Two months ago, Zatko came back to denounce his former employer. In a complaint filed in August with federal regulators, including the US Securities and Exchange Commission (SEC), Zatko said the company had been dishonest about the proportion of spam and automated bot accounts among its roughly 238 million daily users. He also accused the social network of not being transparent in its reports to shareholders.

"This is not my first choice," he said. "I've exhausted all the internal options."

In the complaint filed with US government agencies, Zatko also accused Twitter of trusting too many employees, giving them access to large amounts of sensitive user data. Such broad access, far from a least-privilege posture, creates a fragile security position that an insider, or an attacker who compromises a single employee's account, could exploit to damage the platform.

Zatko went further, alleging that Twitter had more than one employee who may be working for a foreign intelligence agency, a potential threat to user data and to US national security. He also took aim at CEO Agrawal, alleging that Agrawal misled the board of directors, prevented him from fixing security weaknesses on the platform, and criticized him while defending the company against accusations from outside.

"In view of the real harm to users and national security, I determined it was necessary to accept the professional and personal risk to myself and my family by becoming a whistleblower," Zatko, known in the hacker community as Mudge, told the US Senate in September.

Since going public with the "secret history" of Twitter's security problems, Zatko has drawn far more attention. He has testified before the US Senate and is now in the sights of regulators both in the US and abroad.

Zatko's disclosure also coincided with the legal dispute over Elon Musk's agreement to buy Twitter. At first Zatko was seen as a key factor that could help Musk walk away from the deal, but in the end the US billionaire reversed course, and Zatko confirmed that he had no relationship with Musk. He said his decision to speak out against his former employer had nothing to do with the deal.

Twitter denies most of Zatko's allegations. A spokesperson for the social network said that security and privacy "have long been a top priority for the whole company" and described the former security chief's account as "full of contradictions and inaccuracies, painting an untrue picture".

But those who have worked with Zatko believe him. According to several former colleagues, Zatko has been a deeply principled person for nearly 30 years, always trying to fix problems seriously and thoroughly. "He isn't telling the truth to get attention. What he really wants is to improve the system after having taken a close look at it," said Dave Aitel, a former computer scientist at the National Security Agency and Zatko's colleague at the security consultancy @stake.

John Tye, founder of the nonprofit Whistleblower Aid and Zatko's attorney, says his client went public to make Twitter better. "Getting attention or seeking a reward is not what drives what Zatko is doing," Tye said.



Editor in chief: Tran Vo

Responsible agency: Union of Science and High-Tech Production and Telecommunications (HTI)
Copyright © 2022 iCOMM Tech JSC