Twitter Hires Famed Hacker 'Mudge' as Security HeadPeiter Zatko Will Help Social Media Firm That Faces Security Concerns
Twitter has hired network security expert Peiter Zatko to serve in the newly created position of head of security following a series of high-profile cyber incidents at the social media firm over the last year.
See Also: 5 Ways to Rapidly Reduce Risk
In September, Twitter hired industry veteran Rinki Sethi as the company's new CISO, a positon that had been vacant since December 2019.
Zatko, who is better known by the handle “Mudge,” gained fame as a member of the “Cult of the Dead Cow” ethical hacking collective in the 1990s and later moved to top cybersecurity research positions at the Defense Advanced Research and Projects Agency, aka DAPRA, and Google. He confirmed his appointment in a Tweet Monday following news media reports that he accepted the job.
Looks like the cat is out of the bag.— Mudge (@dotMudge) November 16, 2020
I’m very excited to be joining the executive team at Twitter!
I truly believe in the mission of (equitably) serving the public conversation.
I will do my best! https://t.co/ZQkhYTXLQZ
At Twitter, Zatko will work on a host of issues, including information security, site and platform integrity and physical security, according to Reuters, which first reported the news. Zatko will report directly to CEO Jack Dorsey.
A Twitter spokesperson confirmed Zatko's appointment, but did not provide additional details. Dorsey also Tweeted out his support for the hiring.
Welcome, Mudge! https://t.co/hl9HiRjGtg— jack (@jack) November 16, 2020
Fallout From Crypto Scam
The appointment of Zatko follows several high-profile security incidents at Twitter that have led to criticism of the company's security practices.
In July, three suspects, including a Florida teenager, were charged in connection with hacking 130 high-profile Twitter accounts, including those belonging to Bill Gates, Barak Obama and Joe Biden, to pull off a cryptocurrency scam (see: 3 Charged in Twitter Hack).
The hackers allegedly gained control of several high-profile Twitter accounts, reportedly by using phone phishing and SIM-swapping techniques, and sent fake messages to steal about $120,000 in bitcoin from victims. It's also believed that the suspects gained access to some Twitter account user data, including information stored in the Direct Message feature (see: Twitter Hack: Suspects Left Easy Trail for Investigators).
Zatko, 49, was one of the first computer security researchers to gain a following for his hacking abilities and his understanding of cybersecurity. In one of his first papers in 1995, he described how a buffer overflow works and the threat this flaw posed to networks at the time.
Later, Zatko joined the ethical hacking collective Cult of the Dead Cow and also began speaking at events such as DEF CON about a range of security issues. In 1998, he testified before a U.S. Senate hearing about internet vulnerabilities. Later, he briefed then-President Bill Clinton about the dangers of distributed denial-of-service and other nascent attacks, according to reports from the time.
Zatko would later go on to work for the U.S. Defense Department's DARPA program, working on a variety of research projects around security. In his book "Cult of the Dead Cow," Reuters reporter Joseph Menn noted that during Zatko’s time with the government, he was able to bridge the gap between Pentagon officials and the hacking community about the dangers facing networks and why better cybersecurity was needed.
"Mudge got the Pentagon to stop seeing hackers as the natural enemy,” according to the book. “In fact, Mudge showed that people who grew up knowing exactly where the line was were habitually more careful about not crossing it that the people constantly protected by their uniforms, bureaucracy and lawyers. An employee asked Mudge if the agency could just hack into a system in order to get information Mudge was deducing. 'Absolutely, you could do that,' Mudge told him. 'But just suggesting that is illegal, and it's wrong.' Even within DARPA, Mudge provided a moral compass."
Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former member of the U.S. National Security Agency's elite hacking team, says that when Zatko moved to DARPA, it wasn't clear how that would affect his reputation in the hacking community.
"I wasn't sure how his time at DARPA would play out - would working for the government in that capacity put an end to his clout in the field or be seen as 'selling out?'" Williams says. "That definitely didn't happen. If anything, it seems that Mudge emerged from DARPA with more clout in the community."
After his time in government, Zatko went on to work for Google in the company's Advanced Technology and Projects division. He then went on to work at electronic payments startup Stripe, which he's leaving to join Twitter.
His appointment Monday to the newly created role at Twitter received praise from former Facebook CISO Alex Stamos, who is now advising companies, including Zoom, on cybersecurity issues and serving as an adjunct professor at Stanford University.
Congratulations to Mudge, who is taking on one of the most important challenges in our industry. I hope he is successful in creating a model of "Chief Risk Officer" for big tech. https://t.co/JZpQDs3hm9— Alex Stamos (@alexstamos) November 16, 2020
Other Twitter Issues
In addition to the cybersecurity issues raised by this summer's hack and cryptocurrency scam, Zatko will face other issues that have damaged Twitter's reputation.
The U.S. Justice Department is investigating a case where two former Twitter employees are accused of using their access to the company's internal network to spy on users and gather data on behalf of the Saudi Arabian government (see: Former Twitter Staffers Face Additional Charges).
On Wednesday, Twitter CEO Dorsey and Facebook CEO Mark Zuckerberg are scheduled to testify before a Senate Judiciary Committee hearing about social media, the 2020 election and issues of censorship.