Peiter ‘Mudge’ Zatko on Why He Blew the Whistle on Twitter
Peiter Zatko, the Twitter whistle-blower, is a black belt in jiu-jitsu. The day before his complaint against the social media company was published, Zatko was sitting in his lawyer’s office in Washington, scrolling through his camera roll to find a photo of his legs locked around someone’s neck. The hold is known as a side triangle. It’s totally safe, he says, because the opponent will black out before a lack of blood flow to the brain can cause any lasting damage. One of the things Zatko likes about the martial art, he explains, is that it’s less about brute strength than about finding creative ways to maneuver your opponent into a weaker position.
It’s a talent that translates into cybersecurity. In Nov. 2020, Zatko, the hacker known as “Mudge,” was hired as Twitter’s security lead, with a global remit to fix gaping vulnerabilities in one of the world’s most important communications platforms. Fourteen months later, Zatko was fired. Six months after that he filed a whistle-blower complaint that painted a grim picture of a company in crisis. In the 84-page complaint, filed with federal regulatory agencies and the Department of Justice, first reported by the Washington Post and CNN, and which TIME obtained from a congressional source, he describes Twitter as crippled by rudderless and dishonest leadership, beset by “egregious” privacy and security flaws, tainted by foreign influence, a danger to national security, and susceptible even to total collapse.
Zatko claims he felt an ethical obligation to make the disclosures. “Being a public whistle-blower is the last resort, something that I would only ever do after I had exhausted all other means,” he told TIME in a lengthy interview on Aug. 22. “It is not an easy path, but I view it as continuing to help improve the place where I was employed.”
Twitter quickly responded. Zatko was fired for “ineffective leadership and poor performance,” CEO Parag Agrawal wrote in an email to employees, calling the disclosures a “false narrative that is riddled with inconsistencies and inaccuracies” and presented out of context. “Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination,” Agrawal said.
This is the story of how one top Twitter official became a whistle-blower. It’s not a simple tale. In more than a dozen interviews with Zatko’s friends, family, and current and former colleagues, the portrait that emerges is more complicated. Eight current and former Twitter employees, who spoke with TIME on condition of anonymity in order to discuss issues they were not authorized to speak publicly about, said that many aspects of Zatko’s disclosures rang true to their experience, particularly his allegations of security deficiencies and shortcomings in company leadership. Some of the same sources, many of whom professed to like and admire Zatko, suggested that various allegations were misleading, overblown, or lacking context—in part because Zatko was straying into areas of the company into which he had only basic insight.
Zatko’s allegations have emerged at a pivotal moment for Twitter, which is locked in a legal battle over an agreement to sell the company to Elon Musk. That makes the accuracy and credibility of Zatko’s claims a multibillion-dollar issue, and the object of considerable debate by his former colleagues. “Is Mudge generally correct? Yes,” says one current Twitter employee who worked with Zatko. “Where he is correct is that Twitter has absolutely been negligent in creating the appropriate security infrastructure for a company that has the level of impact it has … Is Mudge wrong about lots of things? Yes. I think there’s a lot of sour grapes.”
Zatko came from a string of jobs that gave him the freedom to upend organizational structures and put security first. At Twitter, according to former and current colleagues, he found himself in an entirely different setting: tasked with navigating the internal politics of a company determined to increase revenue, and without any support. Some workers caught up in the turmoil believed Zatko had been hired by Jack Dorsey to make a splash, and that he stepped on the toes of colleagues who had more institutional knowledge. Technically brilliant and morally uncompromising, Zatko was an iconoclast stepping into a corporate bureaucracy. “It’s like asking a doctor who’s been trained to do brain surgery to suddenly become a podiatrist,” says a former Twitter colleague.
The polarized reactions to Zatko’s disclosures illustrate just how atypical a tech whistle-blower he is. Frances Haugen, a former Facebook product manager, disclosed thousands upon thousands of pages of internal company documents last year that showed a company prioritizing profits over safety. Readers didn’t have to take Haugen’s word for it; they could read the words of Facebook’s own safety teams. Zatko is in a different position. As a former senior executive, he had a bird’s-eye view of Twitter’s decisionmaking, ultimately responsible for hundreds of staff in some of Twitter’s highest-priority work streams. But he didn’t release the same breadth of documentation as Haugen; while Zatko supplied some exhibits to support his claims, including internal emails, his partially redacted disclosures rely largely on his own credibility as one of the most celebrated figures in cybersecurity. He implicitly asks the public to trust his account of events over Twitter’s.
Zatko stands to lose money by coming forward. John Tye of Whistleblower Aid, who is representing Zatko, says that half of his Twitter compensation came in cash and the remainder in stock. The value of those shares dropped by about 9% when news of Zatko’s allegations broke. Tye insists Zatko’s motivations are rooted in a desire to see the company succeed in the long term, not in his own financial self-interest.
The fate of Twitter’s stock price may be just the first in a cascading series of consequences from Zatko’s disclosures. The Musk deal may be stalled by his assertion that Twitter has a bigger bot problem than its executives acknowledge. Tye says he wants Twitter to remain a public company. “We have concerns if the SEC were to lose jurisdiction if the company goes private, because there’s one less law-enforcement lever,” Tye says. “That’s a problem for accountability.” Zatko told TIME he has never met Musk and did not provide any information to him in advance of his disclosures becoming public.
Zatko’s allegations could ripple out even further, in Washington and beyond. They could be investigated by the SEC as well as the FTC. He is scheduled to testify before Congress on Sept. 13. With social media companies facing increasing scrutiny over how they influence politics and society, and a global effort to rein them in, the disclosures could further erode public trust. All of which means the question of what kind of whistle-blower Peiter “Mudge” Zatko is has consequences well beyond Twitter’s future.
In his Twitter profile photo, Zatko is shown with long, flowing brown hair reaching to his shoulders and a ring of light hovering over his head. But it’s been more than two decades since he traded that long-haired look—“hacker Jesus,” his wife Sarah Zatko jokes—for a clean-cut mien befitting a man who’s done tours at the highest levels of government. On the day his allegations became public, Zatko wore a neatly trimmed gray goatee, wire-rimmed glasses, and a lapel pin displaying the logo of Whistleblower Aid, his legal team.
This profile picture was not accidental. Zatko points to his 1990s work as the turning point in his life, and also the foundation for his moral values. “I always ask myself: What would the Mudge of the late ‘90s think about what I’m doing now?” he says of his decision to blow the whistle on Twitter. “I want to make sure I haven’t lost that drive, that my ethics are still just as strong, that I’m fighting for people just as hard.”
Sarah Zatko at her home, August 23, 2022
Dina Litovsky for TIME
Zatko is both skilled and attuned at nurturing the mythology around him. When he was a child, his father placed a small mobile of circuit boards over his crib. “He wanted me not to be afraid of technology,” he said in a 2011 interview with a trade magazine. In the same interview, he said he began hacking at age five, reverse-engineering computer games on his father’s late-1970s Apple II to circumvent copyright restrictions, and picking locks. He spent his teenage years surfing ARPANET and the bulletin boards that hosted online hacker communities.
Growing up in Alabama and Pennsylvania in the 1980s, Zatko idolized Frank Zappa and Abbie Hoffman as social activists. A guitarist and violinist, he attended the Berklee College of Music in Boston to study music rather than computer science. After graduating, he split his time between playing clubs with his progressive metal band Raymaker, part-time tech-support work, and working with a high-profile hacker “think tank” called the L0pht (pronounced Loft) to expose corporate security flaws. He soon became the group’s best-known member and also joined the Cult of the Dead Cow hacking collective.
Zatko and his fellow hackers pioneered the L0pht strategy: publicly embarrassing corporations that refused to fix the vulnerabilities they had been told about. Microsoft was their biggest adversary in the 1990s. The company ignored demonstrations by Zatko, his team and others that malicious code could be run secretly on every machine. So the L0pht released a user-friendly tool that allowed anybody to break into Windows users’ personal accounts, reasoning that it was the only way to force the company to finally fix its vulnerabilities. It worked. Zatko says Microsoft today has the best security program in the world.
Still, “responsible disclosure,” as the tactic of public embarrassment became known, is a bit of a misnomer. The tool he gave away could let criminals crack passwords within 24 hours and steal credit-card or other sensitive data from unpatched users. Zatko says he thought “long and hard” before deciding that releasing the tool was the only way to make Microsoft change its ways and protect its users, even if some people got hurt in the short term.
“Dishonesty is definitely something that frustrates him,” says his wife Sarah, a former mathematician at the National Security Agency. “It doesn’t mean he’s always trying to make a big public fuss, because if you can get things fixed … through proper channels it’s always easier on everybody. But if that’s not possible, there’s always this fallback.”
In May 1998, Zatko and the other L0pht members agreed to testify on Capitol Hill about internet security. In the hearing room, the placards identified the hackers only by their hacker names. Zatko, seated in the center of the seven, did most of the talking. Even then, he showed a flair for the dramatic, getting lawmakers’ attention by famously claiming he could take down the internet in 30 minutes. “How can we be expected to protect the system and the network,” Zatko asked the assembled Senators, “when all of the seven individuals seated before you can tear down the foundation that the network was built upon?”
L0pht hackers testify before a Senate Governmental Affairs hearing on government computer security, May 19, 1998.
Douglas Graham—Congressional Quarterly/Getty Images
In his 20s, Zatko began working unofficially as an adviser on internet-security issues for Richard Clarke, who would go on to serve as cybersecurity czar under three U.S. presidents. In 2000, Zatko attended the White House’s first meeting on cybersecurity and was pictured with then-President Bill Clinton.
After the 9/11 terrorist attacks, cybersecurity became a critical part of any counterterrorism strategy. Bad actors and “spam gangs” run out of Russia and Eastern Europe were releasing viruses and other malware, wreaking havoc on systems unprepared to counter them. Zatko began advising the U.S. military and intelligence agencies free of charge.
Zatko was stunned by what he found once he started digging. “I started to figure out numerous ways of knocking the financial sector down,” he says. “It just started to dawn on me that I, as an individual actor, could wreak serious havoc. And this is shortly after 9/11.” A bad reaction to drugs his psychiatrist prescribed for his rising anxiety only made things worse, and his emotional recovery took time. “Every security professional has the moment where they have started to learn enough about the field that all of a sudden they have this existential crisis,” says Zatko’s wife Sarah. “Then you either become [nihilistic] and everything’s hopeless, or else you have to figure out a way to get past it and try to fix your corner of things.”
Zatko found his way out by taking a different approach to cybersecurity. In 2010 he was recruited by the Defense Advanced Research Projects Agency (DARPA) to lead its security efforts. “I didn’t go there because I thought it was cool. I didn’t go there because I wanted to be a part of the government,” he told the audience at the DEF CON hacker conference in 2013. “I actually went there because I thought they and other parts of government had kind of lost their way, and I had an opportunity to go in and fix it.”
One of his first moves there was to bring in hackers, says Renee Rush, a U.S. Air Force veteran who worked alongside him at the agency. “Mudge could go anywhere and get a big paycheck,” Rush says, “but you’ll never find him in a job that doesn’t have a distinctive mission.”
President Clinton meets with technology leaders, including Peiter “
Alamy
Zatko’s sense of principle has a way of engendering loyalty among his many mentees, both inside and outside his field. Ryan Hall, a champion mixed martial artist, became close friends with Zatko after Zatko joined Hall’s gym in Arlington, Va., in 2010 to practice jiu-jitsu. Hall recalls seeing Zatko in a cafe a block from the gym, dressed in jeans and a T-shirt and surrounded by men in professional suits. “Peiter has very little time for moral waffling,” Hall says.
After 3½ years, Zatko left DARPA for stints doing security research at Google and the payment processor Stripe. Both were companies that took security seriously, Zatko says. “The executives actually back security and let us do things differently (otherwise I wouldn’t be there!),” he tweeted approvingly in 2018 while at Stripe.
Over those years, internet security grew more complicated, and its impact expanded beyond hacks of corporate systems and scams. In the lead-up to the 2016 election, Zatko publicly expressed his frustration that veteran security experts’ advice was being ignored. The Democratic National Committee reached out to him for help improving its network and information security, but even his most basic suggestions were considered too “annoying,” he said. “DNC creates Cybersecurity board made up of well-meaning people with no cybersecurity expertise,” he tweeted in August 2016. “Your move Russia…”
Four years later, after the Trump era had demonstrated how crucial the security of social media platforms is to protecting democracy, Zatko was sitting in his New Jersey home office. The room is in an extension with no central heating or cooling; in the winter it is warmed by “way too many” computer cores—over 100, he estimates. It’s a messy space, with dog-eared textbooks strewn across the floor and framed letters of praise from national security luminaries on the walls. Zatko’s phone rang. It was Dorsey. The man who had co-founded Twitter addressed him as Mudge, and told Zatko that the hacker’s work during the 1990s was one of the reasons he had pursued a tech career. “That just blew my mind,” Zatko recalls. “I’m talking to the guy who created, let’s face it, a platform that is critical worldwide. This platform influences social change and governments. It is how many people perceive the world. And he was telling me that he was interested in me.”
Zatko eventually decided to accept the unorthodox job Dorsey was offering, overseeing Twitter’s entire security operations, both data and physical. Zatko saw the protection of a platform as influential as Twitter as perhaps his most effective way to “make a dent in the universe”—a personal motto originating from his time at the L0pht.
The move was hailed by experts as a sign of Twitter’s serious commitment to fixing long-standing security issues. As one security analyst put it, “A rare moment of cybersecurity sunshine where it seems the right person is put in the lead on addressing a major issue.”
Twitter was in dire need of him. It was coming off one of the worst incidents in its 16-year history. In July 2020, a trio of hackers, including two teenagers, used basic phishing techniques to obtain the credentials of Twitter employees. They took over the Twitter accounts of Joe Biden, Barack Obama and Elon Musk, among others, and ran an elaborate scam that netted them more than $100,000 in Bitcoin.
The incident was hardly the company’s first major security lapse. A year earlier, U.S. prosecutors had accused two Twitter employees of acting as moles for Saudi Arabia’s government; a federal court later found one of them guilty. In 2011, the FTC had charged Twitter with failing to safeguard consumer data, and the resulting settlement was supposed to lead Twitter to build a solid security program to resist cyberattacks. The July 2020 hack showed how weak the platform remained. “While Google, Microsoft, Apple, and Meta consistently put out new features to help people protect their accounts and information, Twitter’s focus seemed to be a bit stale,” says Runa Sandvik, a privacy and security researcher. “It’s unclear what Twitter was doing in that space, if anything at all.”
Zatko’s whistle-blower complaint says he expected to spend the rest of his career at Twitter. But it quickly became apparent that the company was “a decade behind” its competitors, he wrote in a staff memo included in the disclosures. He claims that bot-fighting teams were overworked and understaffed, and that internal security measures Twitter had promised in response to the FTC’s 2011 mandate had never been implemented. Zatko’s complaint says a serious security breach was occurring at Twitter on average every week.
On Jan. 6, 2021, Zatko was watching the Capitol insurrection unfold online and asked a Twitter engineering executive to curtail employees’ access to internal systems. He found that far too many people had unrestricted access to the systems. Zatko claims in his disclosure that one engineer who had the system privileges needed to sabotage the platform could have done so, sowing disinformation and misinformation.
Zatko set about plugging these holes. He shuttered many existing privacy and security programs in favor of a new department called Confidence, and drew up a three-year plan to strengthen defenses and combat spam bots, which he says were rampant across the platform. According to his disclosure, he met continual pushback at senior levels of the company, and when it came to security issues, he says, “deliberate ignorance” was the norm. Some product managers were “encouraged” to override security and privacy concerns in order to release new products more quickly, his complaint alleges. Current and former Twitter employees who spoke with TIME corroborated the general sweep of Zatko’s allegations that Twitter often prioritized profit over security. “Unless you can make a compelling trade-off argument for why improved security or privacy will benefit the business more than their cost,” says one former Twitter employee, “it’s very hard to enforce change.”
Zatko’s complaint adds that his efforts to inform Twitter’s board about various security issues were met with alarm or anger, and that at least twice he was asked by executives to withhold information from the board. Twitter declined multiple requests from TIME to address specific parts of Zatko’s allegations. In his email dated Aug. 23, Agrawal said Zatko’s disclosures as a whole had many inaccuracies in them. Meanwhile, Dorsey, the man who Zatko thought would be his main ally, was increasingly absent and unfocused, Zatko’s disclosure says. A representative for Dorsey’s company, Block, did not respond to a request for comment for this story.
When Dorsey resigned in November 2021, Agrawal, who had been the senior executive responsible for security before Zatko’s arrival, took his place. Tensions between the two quickly escalated. In his disclosures, Zatko says he was concerned by Agrawal’s plans to make an upcoming board meeting less stressful by understating the severity of security concerns. He wrote to Agrawal on Dec. 15, arguing that there were “numerous, and some significant, misrepresentations” in materials for the presentation, according to emails contained in the complaint.
Agrawal brushed him off, Zatko’s complaint alleges, and the next day, the documents were presented at a high-level Risk Committee board meeting. In a Jan. 4, 2022, email to Agrawal, Zatko called the documents “at worst fraudulent,” and wrote, “I was hired to achieve certain goals and to fix problems here at Twitter. In order to do that, we need to recognize the actual state of affairs at the company.”
A few days later, Agrawal wrote back to Zatko, saying that the company had launched an internal investigation into Zatko’s allegations of “fraud.” Zatko was asked for a detailed report to back up his claims, which he began to pull together. Two weeks later, Zatko was fired.
Zatko retained Whistleblower Aid on March 17, a month before Musk made his offer to buy Twitter. He decided he had no choice but to blow the whistle. “Change sometimes requires, you know, kicking the hornet’s nest a little bit,” he says. “Ethically and morally, I had to pursue this.”
In interviews, current and former Twitter officials offered differing perspectives on Zatko’s allegations. Many agreed that Zatko was right about a range of issues, including platform vulnerabilities, data management, and chaotic leadership. But some felt that Zatko misrepresented or exaggerated details in his disclosures, particularly on topics he did not personally work on. “He didn’t know what was happening with the bots stuff,” says a current employee who worked with Zatko. “That did not fall under his security purview.” Zatko’s attorneys dispute this, arguing that he did in fact have insight into and authority over the bots issue as the ultimate supervisor of Twitter Services, which oversees global content moderation at scale. The disagreement can be chalked up to Twitter’s messy organizational structure, in which different arms of the company have competing claims to ownership of the bots issue.
Jack Dorsey, chief executive officer of Twitter, testifies remotely during a Senate Judiciary Committee hearing on “
Hannah McKay—AFP/Getty Images
Other parts of Zatko’s disclosures simply pit his word against Twitter’s. One of his most explosive claims is that Twitter “knowingly” hired “agents” of the Indian government. According to Zatko’s disclosure, the alleged agents had the broad access privileges granted to many Twitter employees, including access to sensitive user information. The hires came at a time when the Indian government was bristling at Twitter’s refusal to identify people using the platform to criticize the nation’s ruling party. As the executive responsible for Twitter employees’ physical security, Zatko would probably have been briefed on espionage allegations. The disclosure states that Zatko has given more detail about this incident to the Department of Justice and to the Senate Select Committee on Intelligence.
Twitter declined multiple requests from TIME to address Zatko’s claims about Indian agents on the record. One person with direct knowledge of Twitter’s internal affairs in India told TIME they had no knowledge of the supposed agent, but said they would not be surprised if the Indian government had at least tried to covertly appoint an agent to Twitter’s payroll, similar to the Saudi case.
Some of Zatko’s other claims strike experts as overstated. His disclosure argues, for example, that Twitter’s failure to own the rights to the training data for its machine-learning models constitutes “fraud.” Two former Twitter employees, as well as others familiar with industry standards, say this shortcoming is industry-wide.
As the pushback mounts, Zatko tells TIME he stands by his allegations and for legal reasons is unable to talk about his time at Twitter beyond what’s in the disclosures. “I was aware of the most common tactics that would happen, that there would be attempts to character assassinate me or make things personal—anything that would distract from the data and the problem at hand,” Zatko says.
While Zatko describes his decision in idealistic terms, the timing of his disclosures in relation to the Musk deal is remarkable. On Oct. 17, Musk’s trial in Delaware will begin to determine whether he must go through with the initial deal to purchase Twitter. Zatko inserts himself into this battle from the opening pages of his disclosure, claiming that Twitter is “lying about bots to Elon Musk.” Zatko may be drawn directly into the court case: Musk’s lawyer, Alex Spiro, tells TIME his team has subpoenaed Zatko, although Zatko’s lawyers say he has received no such subpoena.
Two legal experts say they’re skeptical Zatko’s claims will have a major impact on the lawsuit. His claims about spam bots are not new, and little of his information bears on the merger agreement. Ann Lipton, a law professor at Tulane University, says that Zatko’s claims that Twitter lied in its SEC filings will be hard to prove. “When a disgruntled employee disagrees with management decisions,” Lipton says, “that’s frequently not taken as a sufficient basis for treating an SEC filing as false.”
“The question ultimately boils down to the credibility of the assertions made by the whistle-blower, and that is usually determined by the existence of hard evidence,” says Howard Fischer, a former SEC attorney. “Twitter’s real regulatory risk lies in whether or not the documentary evidence, and not the potentially self-serving statements of a former employee, shows knowing or reckless misleading of regulators or investors in public filings and statements.”
Zatko attends meetings in Washington, Aug. 23, 2022
Greg Kahn for TIME
These disclosures may have long-term political and financial ramifications. The company’s stock price dropped by around 9% in the wake of the disclosures’ publication. The same day, Democratic Senator Dick Durbin and Democratic Representative Frank Pallone announced they were investigating Zatko’s claims, with Pallone calling for “the need to pass comprehensive privacy legislation.”
Zatko’s allegations have demoralized Twitter employees, some current staffers say, and may exacerbate a brain drain at a company that has lost many of its leaders and significantly slowed its spending while in Musk-induced limbo. Twitter still has a significant impact on elections and political discourse around the world, and those who are still working on its security and privacy teams will “have to work three or four times harder,” says a former Twitter employee.
Zatko says that while he was aware his actions could cause chaos in the corporate world and trigger government investigations, he concluded that Twitter would be safer for it. For now, the public has only his word to go on; that may change. When he testifies before Congress in September, Zatko—who declined to discuss the meat of his complaint in his interview with TIME—will have the legal cover to expand on the allegations, potentially revealing new and damaging details about what happened inside Twitter.
Zatko is no longer the starry-eyed hacker he once was. TIME spoke with Zatko two days before he injured his right toe while sparring with a jiu-jitsu partner, an accident he believes, based on what his doctor told him, was partly due to paralysis in his back. But injury, he suggests, is a price of being in the fight. “If you’re just reacting to what an adversary is doing, they’re the ones that are moving you around and manipulating you,” he says. “That’s all too common in this industry.”
—Reporting by Leslie Dickstein, Simmone Shah, and Julia Zorthian.