Security pros are rallying to defend the Twitter whistleblower

Peiter ‘Mudge’ Zatko has been a mainstay of the cybersecurity field for decades

Peiter “Mudge” Zatko, the former Twitter security chief who has alleged that the company covered up negligent security practices and lied to regulators about data management, was a credible, capable, and brutally honest security expert, according to peers and colleagues.

The assessment of Zatko’s work and character — culled from public messages of support and recollections shared directly with The Verge — is at odds with statements made by current Twitter CEO Parag Agrawal, who has claimed that Zatko is presenting a false narrative of the inner workings of the company after being terminated for poor performance in January.

In a whistleblower disclosure filed with the SEC and first reported by CNN and The Washington Post, Zatko accused Twitter of numerous severe security lapses and claimed that the executive team frequently misled government regulators and its own board of directors about the extent of vulnerabilities on the platform. The filing also claims that the company violated a privacy agreement made with the FTC that required it to delete the data of any users who decided to cancel their Twitter accounts and that the company intentionally manipulated data on the number of bot accounts on the platform.

In a response provided to CNN — language from which was echoed in an email sent by Agrawal to Twitter staff — a Twitter spokesperson said that Zatko’s allegations were “riddled with inconsistencies and inaccuracies” and seemed “designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”

But Twitter’s fierce pushback against Zatko’s criticism prompted a backlash from many leading voices in the field, who spoke out to endorse the security expert’s credentials and track record. Alec Muffett, an internet security expert and software engineer who worked on Twitter’s efforts to launch a Tor service, told The Verge that he had known Zatko for decades and trusted the claims made in the SEC disclosure.

“I’ve known Mudge since the mid 1990s when he — and the other members of the L0pht — were capable and scrappy hackers,” Muffett said. “He demonstrated enormous creativity and drive towards improvement of internet security overall ... I have no hesitation about supporting his observations as being both highly credible and concerning.”

Zatko first gained prominence as part of the L0pht, a Boston-based hacker collective known as an influential computer security research group in the 1990s. Notably, while the L0pht released software, the group also advised on policy, even giving testimony before the Senate on internet security in 1998. In his earlier hacking days, Zatko was also a member of the notorious hacker group Cult of the Dead Cow, which also counted former presidential candidate (and current Texas gubernatorial candidate) Beto O’Rourke as a member.

As his profile grew, Zatko took on roles with Defense Advanced Research Projects Agency (DARPA) and Google’s Advanced Technologies and Projects research group. He was hired by Twitter in 2020 in the months after a major security incident that saw hackers take over some of the platform’s most-followed celebrity accounts. But he stayed only just over a year, being fired by incoming CEO Agrawal in January 2022.

One of Zatko’s specific claims — that too many employees are given access to critical software within the company — seemed to be supported by details shared by Al Sutton, a former software engineer at Twitter. In a tweet, Sutton said that he was still able to commit code in the employee group for Twitter’s open-source software repositories on the code hosting website GitHub, despite having left the company 18 months ago.

The tweet linked to Twitter’s organization page on GitHub, showing that Sutton’s account was still listed as one of only 34 contributing members. Shortly after The Verge reached out to Twitter for comment, Sutton’s account was removed as a contributor.

In response to questions, Lindsay McCallum, a spokesperson for Twitter, said: “We use GitHub as a way to publicly collaborate with the open source community — including current and former Twitter employees.”

Contacted by The Verge, Sutton declined to comment further on Twitter’s security posture but said of Zatko, “I had very little overlap with Mudge, but from what overlap I did have, and other folk I know who know him pretty well, he’s brutally honest and I have zero reason to doubt his claims.”

Already, leaders in the security space have rushed to Zatko’s public defense. Industrial security specialist Robert M. Lee accused Twitter of a smear campaign, saying Mudge’s skills and leadership were “some of the most beloved and well documented in the community.” Prominent cybersecurity journalist Kim Zetter echoed the sentiment, saying there was “probably no security exec with more ethics, more credibility than Mudge.”

The Verge reached out to Mudge for comment but did not receive a response. A statement sent from Whistleblower Aid, a nonprofit organization that supports whistleblowers and is representing Zatko, said that “legal obligations prevent Mudge and Whistleblower Aid from discussing events during Mudge’s time at Twitter, except through lawful, properly authorized disclosures including subpoenas to testify which he would of course honor.”

Update August 24th, 10:50 AM ET: Article updated with response from Twitter.
