On Tuesday, the Washington Post and CNN Business broke the news that a former Twitter executive filed a whistleblower complaint with three federal agencies last month, accusing his former employer of fraud, enabling dangerous security vulnerabilities, and maintaining ties with authoritarian countries. Twitter has pushed back on several of the allegations, but the news has already sent shockwaves through the industry.
The complainant is 51-year-old Peiter “Mudge” Zatko, a famous hacker and internet pioneer who was fired by Twitter in January. Observers were quick to compare Zatko’s actions to those of Frances Haugen, the Facebook whistleblower whose massive release of company documents fueled months of scrutiny of the social network. (Zatko is being represented by Whistleblower Aid, the legal organization that worked with Haugen.)
Just who is Peiter Zatko? What does his complaint reveal about Twitter? If what he alleges is true, what are the implications? Some answers.
Where Did This Guy Come From?
In the 1990s, Peiter Zatko was best known as “Mudge,” an anonymous hacker who researched security vulnerabilities in early web networks and joined influential hacker groups like L0pht and Cult of the Dead Cow. (The latter once counted a young Beto O’Rourke among its ranks.) Sticking to his sobriquet, Mudge spoke at events like Defcon and testified to the Senate in 1998 about the internet’s susceptibility to large-scale cyberattacks; he eventually met with President Bill Clinton on the issue.
As Mudge, Zatko played an important role in connecting hackers with political officials, parlaying that matchmaking into security consulting and contracting with the government. In the 2000s, Mudge revealed his identity and eventually landed a job at DARPA, the Pentagon’s research arm whose work paved the way for the modern internet. He later worked on special projects for tech companies like Motorola, Google, and Stripe, helping to boost their security standards.
In July 2020, Twitter experienced its worst breach ever when a teenager hijacked the official accounts of figures like Barack Obama, Joe Biden, and Kanye West to make it appear as though they were shilling Bitcoin. Months later, then-CEO Jack Dorsey hired Zatko as Twitter’s head of security in order to enact much-needed changes to protect the platform. Zatko worked there until this January, when his position was terminated by Dorsey’s successor, Parag Agrawal. At the time, few details were given as to the reason; a Twitter spokesperson has now told CNN Business that Mudge was axed for “ineffective leadership and poor performance,” though Zatko believes he was ousted for bringing security issues to light. [Update, Aug. 25, 2022, at 11:55 a.m.: On Tuesday, Katz Banks Kumin, the law firm representing Zatko in a personal capacity, released a statement claiming that Twitter’s public reasoning for firing Zatko “of course is false.”]
Please Tell Me What “Mudge” Means.
According to a book on the Cult of the Dead Cow, it’s just a reference to a former classmate’s surname. Ah well.
What Are the Wildest Accusations?
The complaint—dispatched to the Federal Trade Commission, the Securities and Exchange Commission, and the Department of Justice—portrays a company negligent of urgent issues at best and guilty of actively misleading investors and regulators at worst.
Perhaps the most shocking accusation concerns India, whose repressive rulers have ordered thousands of tweet and account takedowns, censored protesters’ messages, and threatened the network’s Indian employees with force. (In turn, Twitter recently sued the Indian government.) Zatko claims that “the Indian government forced Twitter to hire specific individual(s) who were government agents, who … would have access to vast amounts of sensitive data,” without disclosing this fact to users. (A source told the Post that one employee in question was “probably” a government agent.) In addition, Zatko’s filing states that before he was fired, “Twitter received specific information from a U.S. government source” that at least one employee was also working for a foreign government’s intelligence agency. Neither claim is absurd, given that a former Twitter manager was indicted just this month for acting as a Saudi agent without proper disclosure.
Then there are the vulnerabilities. The complaint says Zatko had warned the company that half of its 500,000 servers were using unencrypted software, and that about 40 percent of employee laptops were not sufficiently protected from outside threats—in fact, about 30 percent of computers even blocked software updates with necessary fixes. The filing further alleges that thousands of these barely protected laptops also had access to Twitter’s source code, meaning any targeted hack could give malicious users full knowledge of the mainframe. (Employees claimed these vulnerabilities came about due to inadequate testing by company engineers.)
In addition, Zatko says that out of Twitter’s nearly 7,000 total employees, about half had unmonitored access to sensitive internal company software, giving them broad control over operations and user data. While an internal presentation said that this unfettered employee access may have been responsible for 7 percent of the company’s security breaches, Zatko put the number close to 60 percent. In the 2020 hack, for example, the teenage culprit reportedly impersonated a Twitter staffer in order to enter internal networks.
Such challenges to the company’s internal figures appear to have been a constant of Zatko’s tenure. In his complaint, Zatko alleges that CEO Parag Agrawal dissuaded him from giving a full picture of Twitter’s security problems to its board of directors—instead, Agrawal and other executives apparently worked to censor any damning security data, misleading investors and regulators from various countries in the process. Zatko’s filing also mentions that the company had neglected to comply with a 2011 FTC consent decree ordering Twitter to beef up its security and ensure bad actors could not access private user information. (A source countered to CNN that “Zatko at times lacked understanding of Twitter’s FTC obligations.”)
Zatko didn’t just struggle with Agrawal. Employees told the Post that Zatko often had trouble conveying security threats to Jack Dorsey when he was still CEO, thanks to Dorsey’s general absence—he was simultaneously CEO of the payments company Square—and lack of communication in the period leading up to his resignation.
Are Any of Mudge’s Claims Credible?
Considering that Mudge has long been a trusted name in digital security, and Twitter has undergone high-profile hacks time and again, the complaint definitely should be taken seriously. At the same time, some Twitter workers told CNN they’d found Zatko’s claims “unpersuasive” and lacking credibility when he brought them to the company.
However, other unnamed current and former employees have backed Zatko up. According to the Washington Post, “current and former employees also agreed with the complaint’s assertion that past reports to various privacy regulators were ‘misleading at best.’ ” These Twitter workers also agreed that too many people had untrammeled access to sensitive internal software and company laptops lacked appropriate security measures.
What Does All This Mean for Twitter?
The government appears to be on it. The Washington Post reported that Connecticut Sen. Richard Blumenthal wrote a letter to the FTC on Tuesday asking it to investigate the report and take action as needed. In addition, a Senate Intelligence Committee spokeswoman stated that “the committee is trying to set up a meeting with Zatko to discuss the complaint.” Reportedly, Sens. Dick Durbin and Chuck Grassley have already spoken with Zatko.
Zatko says he hasn’t been in touch with Elon Musk, who’s currently embroiled in a legal dispute with Twitter over his self-sabotaged purchase of the company. However, the Tesla CEO’s legal team says it has “already” issued a subpoena to Zatko; the lawyers are likely to focus on a section of Zatko’s complaint headlined “Lying About Bots to Elon Musk,” which claims Agrawal was fibbing when he tweeted, in response to Musk’s complaint about automated accounts, that Twitter was effective at tracking down and expelling spam accounts. Musk initially wanted to pay a premium in order to buy Twitter, signed a contract to do so, and then changed his mind when Twitter’s stock plummeted. He’s been citing Twitter’s supposed obfuscation about how many bots are on the platform in order to get out of the deal, a claim that has been widely seen as a fig leaf. It’s possible Zatko’s complaint could bolster Musk’s defense in Twitter’s lawsuit hoping to force through the sale.
Meanwhile, a former FTC chair told CNN that if Twitter is “found to have violated its legal obligations,” it could be fined billions of dollars by government regulators. And if Twitter is confirmed to have knowingly employed unregistered foreign agents for authoritarian governments, it could further jeopardize trust—and invite even more government scrutiny. Whatever happens, Twitter is likely in for another ugly fight, thanks to a whistleblower who was high up in the company’s ranks and whose complaints implicate leaders all the way up to the CEO and his predecessor. Mudge: Not for nothing does it rhyme with grudge.
This piece has been updated to note a new statement from Katz Banks Kumin.