Peiter Zatko is a black belt in martial arts. The day before his whistle-blower complaint against Twitter was published, Zatko was sitting in his lawyer's office in Washington, scrolling through his camera roll to find a picture of his legs locked around an opponent's neck. The hold is a side triangle: the opponent blacks out before the restricted blood flow to the brain can cause lasting damage. One of the things Zatko likes about martial arts is that it is less about brute strength than about maneuvering your opponent into a weaker position.
That talent translates to cyber security. In November 2020, Zatko, the hacker known as "Mudge," was hired as head of security at Twitter. He was fired 14 months later. Six months after that, his whistle-blower complaint painted a damning portrait of a company in crisis. The 84-page complaint, filed with federal regulators and the Department of Justice, was first reported by the Washington Post and CNN; Time obtained a copy from a congressional source.
Zatko says he felt obliged to come forward. Being a public whistle-blower, he told Time, is the last resort after exhausting every other option. "I view it as continuing to help improve the place where I worked."
Twitter hit back. CEO Parag Agrawal wrote in an email to employees that the disclosures were a "false narrative" presented out of context. "Mudge was responsible for many aspects of this work that he is now inaccurately portraying more than six months after his firing."
The story of how a top security official turned whistle-blower is not a simple one. It draws on more than a dozen interviews with Zatko's friends, family, and current and former colleagues. Many aspects of his disclosures rang true to their experience, particularly his allegations of security deficiencies and shortcomings in company leadership. Some of the same sources also said that in places Zatko strayed into areas of the company into which he had only basic insight.
The biggest allegations from the Whistle-Blower were about egregious deficiencies.
Zatko's allegations have come to light at a critical moment for the company, and their accuracy and credibility are the subject of considerable debate among his former colleagues. "Is Mudge usually right? Yes," one person who worked with him said. "Is Mudge right about the negligent creation of the security infrastructure for the company that has the most impact? Yes, also. There's a lot of sour grapes."
In a long line of previous jobs, Zatko had carte blanche to tear up organizational structures and prioritize security above all else. At Twitter, current and former colleagues say, he had to navigate tense internal politics at a corporation bent on boosting revenue, without support from his superiors. Some employees caught up in the tumult saw Zatko as a figure hired by Jack Dorsey for publicity reasons. Zatko was an iconoclast stepping into a corporation: "It's like asking a doctor who's been trained to do brain surgery to become a podiatrist."
Zatko is an atypical tech whistle-blower. Frances Haugen, a former Facebook product manager, disclosed tens of thousands of pages of internal company documents last year; readers did not have to take Haugen's word for it, because they could read the words of Facebook's own safety teams. Zatko is different. As a senior executive, he was responsible for hundreds of staff in some of the company's highest-priority work streams. He provided some exhibits to support his claims, including internal emails, but not the breadth of documentation Haugen released. He is asking the public to believe that his version of events is correct.
Zatko stands to lose money by coming forward. About half of his compensation at Twitter was in cash and the rest in stock, according to John Tye, the lawyer representing him; when news of the allegations broke, the value of those shares plummeted. Tye says Zatko is motivated by wanting the company to succeed in the long term, not by his own financial self-interest.
The disclosures could also set off a cascade of consequences that push the stock price lower still. Zatko's argument that the platform's bot problem is bigger than executives admit could stand in the way of completing the Musk deal. Tye says his client wants Twitter to remain a public company for the good of the public: if the company goes private, regulators lose one lever of enforcement, which is a problem for accountability. Zatko did not give Musk any information before his disclosures became public.
The fallout from Zatko's accusations could reach Washington and beyond. He is set to testify before Congress about allegations that could lead to investigations by the SEC and FTC, and that could further erode public faith in social media companies already facing questions about their influence on politics and society, as well as global efforts to rein them in. What kind of whistle-blower Peiter "Mudge" Zatko turns out to be has consequences that go far beyond the future of Twitter.
In an old photo, Zatko has long brown hair and a ring of light above his head. It has been more than two decades since he swapped that long hair for a clean cut. When he sat down for an interview with Time on the eve of the allegations becoming public, he had a graying goatee, wire-rimmed glasses, and a pin bearing the logo of Whistleblower Aid, the group representing him.
The picture is a fitting one. The 1990s were the defining era of Zatko's life, and he says his morality is rooted in that time. He asked himself what the Mudge of the late '90s would think of what he is doing now. "I want to make sure that my ethics are still strong and that I am still fighting for people."
Zatko knows how to nurture the mythology around him. His father, he says, hung a mobile made of circuit boards over his crib. He told a trade magazine that he was never afraid of technology. He started hacking at the age of 5, picking locks and reverse-engineering computer games with his dad to get around copy protection. He surfed ARPANET, the predecessor to the modern internet, along with the bulletin boards where communities of online hackers were beginning to form.
A social activist and the musician Frank Zappa were among his childhood heroes. Zatko attended the Berklee College of Music in Boston, majoring in music education. He played in a progressive metal band called Raymaker while working with a high-profile hacker collective, the L0pht, to expose corporate security flaws. He also joined the Cult of the Dead Cow, another hacker group, and became one of its most prominent members.
Zatko pioneered a strategy of publicly embarrassing companies that refused to patch vulnerabilities he and his fellow hackers had reported to them. Microsoft was his biggest opponent in the '90s. When Microsoft ignored Zatko's demonstration that malicious code could be installed on any machine, the L0pht released a user-friendly password-cracking tool, L0phtCrack, that let anyone break into Windows users' accounts, in order to force the company to fix its vulnerabilities. It worked. Microsoft today has one of the most advanced security programs in the world.
"Responsible disclosure" is something of a misnomer for that kind of release. If the L0pht could crack passwords in less than a day, so could criminals, who could use unpatched machines to steal credit-card or medical data from innocent users. Zatko decided that releasing the tool was the only way to change Microsoft's ways, even if some people got hurt in the short term.
Sarah Zatko, his wife and a former mathematician at the National Security Agency, puts it this way: "If you can get things fixed through proper channels, it is always easier on everyone. If that isn't possible, there's always something else."
In 1998 the L0pht agreed to testify about internet security on Capitol Hill. The members were identified by their hacker names on their placards. Zatko, seated at the center of the group, did most of the talking. He showed a flair for the dramatic, grabbing attention by saying the group could take down the internet in 30 minutes, and he asked the assembled Senators whether they could really be expected to protect the system and the network.
He was still in his 20s when he began working as an unofficial adviser to the government on internet-security issues. A photo from 2000 shows Zatko talking with Bill Clinton.
After the 9/11 attacks, cyber security became an important part of U.S. counterterrorism strategy. Criminal gangs and other bad actors in Russia and Eastern Europe were wreaking havoc on systems that were not prepared to fend them off. Zatko began giving free advice to the military.
When he started digging, Zatko was frightened by what he found. He concluded that he could knock down the financial sector on his own. "It became clear to me that I could wreak havoc as an individual actor. This is a short time after 9/11." He had a bad reaction to the drugs he was given for the resulting anxiety, and it took him a long time to recover. Sarah Zatko says every security professional has a moment like that, when they have to make a decision: "You either have to figure out a way to get past it, or you have to fix it."
In 2010, Zatko was tapped to lead cybersecurity efforts at the Defense Advanced Research Projects Agency (DARPA). "I didn't go because I liked it," he told the audience at the DEF CON hacker conference. "I didn't go there because I wanted to work for the government. I went there because I thought they had lost their way and I had the chance to fix it."
Renee Rush, a U.S. Air Force veteran who worked with him at the agency, said he brought in hackers and made career officials at the military office sit in a conference room with them. "Mudge could go anywhere and get a big paycheck, but you'll never find him in a job that doesn't have a distinctive mission."
Zatko's sense of principle has a way of engendering loyalty among his many subordinates. Ryan Hall, a champion mixed martial artist, became friends with Zatko after Zatko joined Hall's gym in Arlington, Va. He remembers seeing Zatko at a coffee shop in jeans and a T-shirt, surrounded by men in suits. Peiter has very little time to think.
After 3½ years at DARPA, Zatko left for jobs at two technology companies. Both took security advice seriously, he says: their executives backed security, and he wouldn't have been there if they didn't.
Internet security has grown more complicated over the years as its impact has expanded. In the lead-up to the 2016 election, Zatko says, veteran security experts were being ignored. The Democratic National Committee reached out to him for help improving its network and information security, he says, but even his most basic suggestions were unwelcome. The DNC created a cybersecurity board made up of people with no expertise. You moved Russia...
Four years later, after the Trump era had shown how important the security of social media platforms was, Zatko was sitting in his home office in New Jersey. The room has no central heating or cooling; he says it stays warm in the winter thanks to too many computer cores. Dog-eared textbooks lie on the floor and framed letters of praise hang on the walls. Zatko got a call from Jack Dorsey, who told him that Mudge's work in the 1990s was one of the reasons he had pursued a career in tech. Zatko was blown away. "I'm talking to the creator of a platform that is critical worldwide. It influences the perception of the world. He told me he was interested in me."
Zatko accepted the job Dorsey offered him. His motto since his L0pht days was "Make a dent in the universe," and he believed that protecting a platform as influential as Twitter was his most effective way to do that.
Security experts hailed the hire as a sign that Twitter was taking the problem seriously. One analyst called it a rare moment of sunshine, with the right person put in charge of addressing a major issue.
Twitter needed him. One of the most embarrassing incidents in the company's 16-year history had just taken place. In July 2020, a trio that included two teenagers used basic phishing techniques to gain access to Twitter employees' accounts and internal tools, then hijacked high-profile accounts to run a scam that netted them over $100,000 in cryptocurrency.
The company had a history of security problems. The U.S. government had accused Saudi Arabia of recruiting two Twitter employees as spies; one of them was later found guilty. After an earlier FTC complaint, Twitter had been required to implement a robust security program, yet the July 2020 hackers still penetrated the platform. One privacy and security researcher says that while other companies were shipping new features to help people protect their accounts and information, Twitter's focus seemed outdated, and it was unclear what was happening in that space.
According to his complaint, Zatko expected to work at Twitter for the rest of his life. In a staff memo he wrote that the company was 10 years behind its competitors. He claims that the teams fighting bots were understaffed and that internal security measures promised after the FTC mandate had still not been implemented. By his count, Twitter was suffering a serious security breach on average about once a week.
The disclosure of a whistle-blower could affect Musk.
After watching the Capitol insurrection unfold on the platform, Zatko asked a Twitter engineering executive to restrict employees' access to internal systems. Too many employees had unrestricted access, he argued; a single rogue engineer with the right privileges could have sabotaged the platform.
Zatko tried to fix these problems. He shut down several security and privacy programs in favor of a new department, and drew up a three-year plan to improve defenses and measure the amount of spam on the platform. He says there was a great deal of ignorance at the company when it came to security issues. According to his complaint, some product managers were encouraged to ignore security and privacy issues so that new products could be released faster. That account rang true to current and former employees who spoke with Time: it is difficult to enforce change, they say, unless you can make a compelling case that improved security or privacy will benefit the business more than it costs.
According to Zatko's complaint, his efforts to inform the board about various security issues were met with alarm or anger, and on at least two occasions he was asked not to give information to the board. Twitter declined to respond to Time's questions about specific parts of Zatko's allegations; Agrawal said in his email that the disclosures were riddled with errors. Dorsey, the man Zatko had expected to be his main ally, stepped down as CEO in November 2021. A representative for Block, Dorsey's payments company, did not reply to a request for comment.
The situation came to a head in the fall of 2021. Parag Agrawal, then Twitter's chief technology officer, had been the most senior executive in charge of security before Zatko's arrival; after Dorsey stepped down, Agrawal became CEO. The two began to clash. According to his disclosures, Zatko became concerned that an upcoming board meeting would be used to play down security problems, and he argued that the presentation materials contained misrepresentations.
After Agrawal brushed him off, the documents were presented at a meeting of the board's Risk Committee. Zatko wrote that the documents were fraudulent and that he had been hired to fix problems; for that to happen, the true state of affairs at the company had to be acknowledged.
According to Agrawal's email, the company launched an internal investigation into Zatko's allegations of fraud. Zatko was asked to produce a detailed report to back up his claims. He was fired before he filed it.
On March 17, Zatko retained Whistleblower Aid and decided to blow the whistle. Sometimes, he says, it is necessary to kick the hornet's nest. "I had to do this."
Current and former Twitter officials offered differing views of Zatko. Several said he was correct about a lot of things, but that on issues he himself did not work on, he mischaracterized or exaggerated certain details. A current employee says Zatko did not know what was happening with bots because the problem was not under his security purview. Zatko's attorneys counter that he had authority over the bots issue as the ultimate supervisor of global content moderation on the platform. Within the company there are competing claims to ownership of the bots problem.
Some of Zatko's disclosures pit his word against Twitter's. One claim is that the Indian government was behind Twitter's hiring of government agents. Zatko said in his disclosure that the alleged agents could access sensitive user data because of the broad access privileges afforded to many Twitter employees. The hires came at a time when the Indian government was at odds with the company. Zatko was in charge of the physical security of Twitter employees. According to the disclosures, he gave further information to the Department of Justice and the Senate Select Committee on Intelligence.
Zatko makes the claim about Indian agents on the record in his disclosure. A person with direct knowledge of Twitter's internal affairs in India told Time they would not be surprised if the Indian government had tried to place an agent inside the company.
Experts say some of Zatko's claims are overstated. His disclosure characterizes Twitter's failure to own the rights to the training data of its machine-learning models as fraud; people familiar with industry standards say the shortcoming is common across the industry.
Zatko tells Time he stands by his allegations, and says he cannot talk about his time at Twitter beyond what is in the disclosures. He says he was aware of the most common tactics that would be used against him, and expected attempts at character assassination.
The timing of the disclosures is notable. A trial in Delaware in October will decide whether Musk must go through with his agreement to buy Twitter. From the opening pages of his disclosure, Zatko accuses Twitter of lying to Musk about bots. Alex Spiro, Musk's lawyer, told Time that his team had subpoenaed Zatko; Zatko's lawyers say he has not received a subpoena.
Two legal experts doubt Zatko's claims will have a big impact on the case. He offers little new information about bots, and what he does claim about bots has little to do with the merger agreement, they say. Proving Zatko's claims will be difficult, according to a law professor: "When a disgruntled employee disagrees with management decisions, that's often not taken as a sufficient basis for treating an SEC filing as false."
A whistle-blower's credibility usually rests on hard evidence. The real regulatory risk is whether the documentary evidence, rather than the potentially self-serving statements of a former employee, shows knowing or reckless misleading of regulators or investors.
The disclosures could still have long-term financial and political ramifications. Twitter's stock price dropped after they were published, and Senator Dick Durbin and Representative Frank Pallone, both Democrats, said they were investigating Zatko's claims.
Some current Twitter staffers say Zatko's allegations have demoralized them and could trigger a brain drain. According to one former employee, those still working on the security and privacy teams will now have to work three or four times harder.
Zatko made his decision knowing it would cause corporate chaos and government investigations. For now, the public can only take him at his word. Zatko, who declined to discuss the substance of his complaint in his interview with Time, will have legal cover to expand on the allegations when he testifies before Congress in September.
Zatko is not as young as he used to be. Two days before his interview with Time, he broke a toe while sparring with a jiu-jitsu opponent, an accident he attributes to the stress of the last few months. If you are going to engage in a fight, he says, you should expect to take an injury. "If you just react to what an adversary is doing, they are the ones moving you around and manipulating you. It's all too common in this industry."
Reporting by Simmone Shah and Julia Zorthian.
Write to Billy Perrigo and Vera Bergengruen.