War Stories

The People Looking for Dirt to Discredit Twitter Whistleblower “Mudge” Are Not Going to Find It

Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. Kevin Dietsch/Getty Images

Peiter Zatko, a.k.a. “Mudge,” the Twitter whistleblower, appeared before the Senate Judiciary Committee on Tuesday, elaborating on his widely covered report that his former employer’s laxity and lies on cybersecurity pose a danger to personal privacy and the national defense.

His testimony has become entangled with the lawsuit between Twitter and Elon Musk, making some wonder whether Mudge’s critique might stem from ulterior motives or nefarious connections.

I don’t know the ins and outs of Twitter or Tesla, but as someone very familiar with the history of Mudge, I would say this: it’s a good bet to consider anything Mudge says about cybersecurity to be highly credible.

No one mentioned it during Tuesday’s hearing, but Mudge’s reputation not just as an expert in the field but as “the Paul Revere of cybersecurity” was struck in another Senate hearing, held by the Governmental Affairs Committee, nearly a quarter-century ago. That hearing took place on May 19, 1998, back when the term cybersecurity—and the whole idea of vulnerable computer networks—was barely known. In fact, so obscure and esoteric was the subject that just three senators showed up.

At the time, Mudge testified alongside his five colleagues in a Boston-based hackers’ group called the L0pht. Like Mudge, they swore in using their hacker handles—Brian Oblivion, John Tan, Space Rogue, and Weld Pond—not their real names. They were a disheveled bunch; Mudge had long golden hair and a long beard. “He looked like Jesus,” one official who met him at the time recalled. (You can watch the ’98 hearing on YouTube.)

At that earlier hearing, they sounded the alarms that this thing called the Internet—still fairly new at the time—could easily be hacked by criminals, spies, and troublemakers; that network software programs were riddled with holes; and that military communications were just as vulnerable as civilians’.

This was all new, at least to the general public. Just one year earlier, a blue-ribbon commission came to the same conclusions in a report to President Bill Clinton. Just a few months before the hearing, Air Force specialists detected the first hack of military networks by Russian intelligence—a fact that was classified until many years later.

The 1998 hearing was barely covered in the news. It took a few years before the message from Mudge and his colleagues was taken seriously. Even now, the vulnerabilities they revealed have barely been patched. Still, the hearing was where it all began. It was one of the three senators in attendance, Joseph Lieberman, who likened the L0pht witnesses to digital-era Paul Reveres.

How Mudge and the crew were discovered was a stranger story. (More details about the story, and the entire history of cyber war, can be found in my 2016 book, Dark Territory.)

In October 1997, a staffer in the Clinton White House named Richard Clarke—who later became famous as a 9/11 whistleblower in the Bush administration—was put in charge of finding out more about computer security. (The blue-ribbon commission’s report had just come out, and nobody in officialdom knew what to do about it.) Clarke called a friend in the FBI to ask if there were any “good-guy hackers.” The agent put Clarke in touch with “our Boston group,” as he put it—a team of eccentric computer geniuses who occasionally helped out with law-enforcement investigations. That was Mudge and the L0pht.

Clarke met them in a bar in Cambridge, Mass., and they took him to their headquarters, a deserted warehouse in Watertown near the Charles River. They took him upstairs, unlocked a door, and turned on the lights, which revealed a high-tech lab crammed with dozens of mainframe computers, desktops, laptops, modems, and a few oscilloscopes, all wired to an array of antennas and dishes on the roof.

The group had started in the early 1990s as a place where its members could store computers and play online games. In 1994, they turned it into a business, testing the big tech firms’ software programs and publishing a bulletin that detailed their security gaps. Some executives complained, but others were thankful that someone was looking for flaws. The NSA, CIA, and FBI were also intrigued by the group, which occasionally aided their investigations gratis. (L0pht helped them eagerly: some of the group’s activities were of dubious legality, and, if they were ever busted, it would be good to call directors of the leading intel and law-enforcement agencies to the stand as character witnesses.)

For a few hours that night, the group held Clarke’s attention, telling him—in some cases, demonstrating to him—all the things they could do. They could break the passwords stored on any operating system; they could decrypt any satellite communications. They could hack into someone’s computer and control it remotely, spying on the user’s every keystroke, changing his files, tossing him off the Internet. They had machines that could reverse-engineer any microchip. In hushed tones, they told him about a recent discovery involving the vulnerability of the Border Gateway Protocol, a super-router for all online traffic, which would let them—or any hacker—shut down the entire Internet in a half hour.

Clarke was dazed. Up until then, he’d been told—as officials who knew more than he did about all this had assumed—that only modern nation-states had the resources to do anything like this. Yet here were a half-dozen civilians who were doing this from a hole in the wall with little money and no outside support. Clarke realized, if Mudge and his crew used their talents to disrupt American society and security, they would be called “cyber-terrorists.” And so Clarke, who was already in charge of White House counterterrorism policy, added another threat to his growing portfolio. (More than a decade later, in 2010, he wrote a book called Cyber War. Even then, many, including technical specialists, thought the threat was exaggerated. A scabrous review of the book in Wired ended: “File [this] under Fiction.”)

It was 2 A.M. when Clarke and the gang walked out into the air. He asked them if they’d like to come to the White House sometime. They were stunned. At the time, “hacker” was still a nasty word in respectable circles. A month later, they came down for their White House tour—and Clarke, through his congressional contacts, had also arranged for them to testify before the Senate.

Three days after their testimony, Clinton signed a Presidential Decision Directive, PDD-63, written mainly by Clarke, called “Critical Infrastructure Protection,” laying out the problems and proposing some solutions. Some were gradually adopted; others, involving mandatory security requirements for private companies, never were.

Over the years, most of the L0pht members joined, or formed, professional cybersecurity firms. In 2010, Mudge was hired by the Pentagon’s Defense Advanced Research Projects Agency. One of his contributions was Cyber Fast Track, which awarded money to boutique firms and independent hackers for innovative solutions to problems in cyber offense and cyber defense. The project funded more than 100 successful contracts—all low-cost, some advancing from R&D to actual product in as little time as seven days.

In one of these projects, two former NSA analysts hacked into a Jeep Cherokee—which, like most modern cars, runs almost entirely on computer networks—and commandeered its brakes, accelerator, radio, heating system: everything in the car. (DARPA paid for the Jeep and the analysts’ time.) Automobile companies made some adjustments to their systems, but not many.

In 2013, Mudge moved on to Google’s Advanced Technology and Projects Division; then, in 2020, became chief security officer at Twitter, and the rest, as they say, is history.

Ronan Farrow reports in the current New Yorker that various corporations are conducting a global hunt for any dirt on Mudge—any sign that might suggest his criticism of Twitter might be unreliable or even motivated by greed. (Given that his report and testimony are likely to be used in the lawsuit between Twitter and Elon Musk, the trustworthiness of Mudge’s report—or lack thereof—could swing the company’s market value by tens of billions of dollars.) Farrow interviewed several of Mudge’s former associates who were phoned—and offered hefty rewards—for any incriminating information. So far no one has come up with any damaging dish.

Two of my acquaintances, who once worked with Mudge and who have known him for years, told me that they have been “inundated” (both of them used that word) with similar calls and emails. Both told me that they had no reason to doubt what Mudge was saying—no reason to doubt anything that he says about anything.