Peiter “Mudge” Zatko, the former Twitter security chief who has alleged that the company covered up negligent security practices and lied to regulators about data management, was a credible, capable, and brutally honest security expert, according to peers and colleagues.
The assessment of Zatko’s work and character — culled from public messages of support and recollections shared directly with The Verge — is at odds with statements made by current Twitter CEO Parag Agrawal, who has claimed that Zatko is presenting a false narrative of the inner workings of the company after being terminated for poor performance in January.
In a whistleblower disclosure filed with the SEC and first reported by CNN and The Washington Post, Zatko accused Twitter of numerous severe security lapses and claimed that the executive team frequently misled government regulators and its own board of directors about the extent of vulnerabilities on the platform. The filing also claims that the company violated a privacy agreement made with the FTC that required it to delete the data of any users who decided to cancel their Twitter accounts and that the company intentionally manipulated data on the number of bot accounts on the platform.
In a response provided to CNN — language from which was echoed in an email sent by Agrawal to Twitter staff — a Twitter spokesperson said that Zatko’s allegations were “riddled with inconsistencies and inaccuracies” and seemed “designed to capture attention and inflict harm on Twitter, its customers and its shareholders.”
But Twitter’s fierce pushback against Zatko’s criticism prompted a backlash from many leading voices in the field, who spoke out to endorse the security expert’s credentials and track record. Alec Muffett, an internet security expert and software engineer who worked on Twitter’s efforts to launch a Tor service, told The Verge that he had known Zatko for decades and trusted the claims made in the SEC disclosure.
“I’ve known Mudge since the mid 1990s when he — and the other members of the L0pht — were capable and scrappy hackers,” Muffett said. “He demonstrated enormous creativity and drive towards improvement of internet security overall … I have no hesitation about supporting his observations as being both highly credible and concerning.”
Zatko first gained prominence as part of the L0pht, a Boston-based hacker collective known as an influential computer security research group in the 1990s. Notably, while the L0pht released software, the group also advised on policy, even giving testimony before the Senate on internet security in 1998. In his earlier hacking days, Zatko was also a member of the notorious hacker group Cult of the Dead Cow, which also counted former presidential candidate (and current Texas gubernatorial candidate) Beto O’Rourke as a member.
As his profile grew, Zatko took on roles with Defense Advanced Research Projects Agency (DARPA) and Google’s Advanced Technologies and Projects research group. He was hired by Twitter in 2020 in the months after a major security incident that saw hackers take over some of the platform’s most-followed celebrity accounts. But he stayed only just over a year, being fired by incoming CEO Agrawal in January 2022.
One of Zatko’s specific claims — that too many employees are given access to critical software within the company — seemed to be supported by details shared by Al Sutton, a former software engineer at Twitter. In a tweet, Sutton said that he was still able to commit code in the employee group fo Twitter’s open-source software repositories on the code hosting website GitHub, despite having left the company 18 months ago.
If you are wondering if the stuff about Twitter security being lapse is just one person complaining, you might be interested to know that, 18 months after being let go from the company, I’ve not been removed from their employees GitHub commiters group. https://t.co/j02GpKdKor pic.twitter.com/zqmj7PyaZM
— Al Sutton (@alsutton) August 23, 2022
The tweet linked to Twitter’s organization page on GitHub, showing that Sutton’s account was still listed as one of only 34 contributing members. Shortly after The Verge reached out to Twitter for comment, Sutton’s account was removed as a contributor.
Contacted by The Verge, Sutton declined to comment further on Twitter’s security posture but said of Zatko, “I had very little overlap with Mudge, but from what overlap I did have, and other folk I know who know him pretty well, he’s brutally honest and I have zero reason to doubt his claims.”
Already, leaders in the security space have rushed to Zatko’s public defense. Industrial security specialist Robert M. Lee accused Twitter of a smear campaign, saying Mudge’s skills and leadership were “some of the most beloved and well documented in the community.” Prominent cybersecurity journalist Kim Zetter echoed the sentiment, saying there was “probably no security exec with more ethics, more credibility than Mudge.”
The Verge reached out to Mudge for comment but did not receive a response. A statement sent from Whistleblower Aid, a nonprofit organization that supports whistleblowers and is representing Zatko, said that “legal obligations prevent Mudge and Whistleblower Aid from discussing events during Mudge’s time at Twitter, except through lawful, properly authorized disclosures including subpoenas to testify which he would of course honor.”
Twitter did not provide a comment by time of publication.