Now, Zatko is once again sounding the alarm about online vulnerabilities — but this time he’s focusing on one of his former employers.
In a nearly 200-page disclosure sent to US lawmakers and regulators last month, which was exclusively reported by CNN and the Washington Post on Tuesday, the former Twitter security executive alleged that the social media company committed a series of security mistakes which, he says, misled the Twitter board, shareholders and the public.
Zatko’s disclosure alleges that Twitter relied on too many employees with access to sensitive user data, creating a fragile security posture that an outsider could exploit to wreak havoc on the platform. It also claims that one or more current Twitter employees are working for a foreign intelligence service, and that Twitter CEO Parag Agrawal discouraged Zatko from providing a full account of Twitter’s security vulnerabilities to the company’s directors, misleading the board.
Twitter hit back at the allegations, saying security and privacy “have long been top company-wide priorities.” The company said: “While we have not received a copy of any specific allegation, what we have seen so far is a narrative about our privacy and data protection practices that is riddled with inconsistencies and inaccuracies, and lacks significant context.”
Some of those who have worked with Zatko over the past three decades paint a picture of him as a principled technologist with a sincere desire to make the complex accessible and fix problems, as seen in his public-sector work; most of his career, though, has been spent in the private sector. He says that the decision to blow the whistle was taken with that vision in mind.
“He’s not doing it for fun. It doesn’t get him anything,” said Dave Aitel, a former computer scientist at the National Security Agency and an associate of Zatko at cybersecurity consulting firm @stake. “That’s exactly what integrity looks like when you have to look at it up close.”
As a result of his whistleblower activities, Zatko may be eligible for a monetary award from the US government. The SEC has said that whistleblowers who provide “basic, timely and reliable information that leads to a successful enforcement action” can receive up to 30% of the fines the agency collects in connection with the action, if the fines exceed $1 million. The SEC has awarded more than $1 billion to nearly 300 whistleblowers since 2012.
Zatko filed his disclosure with the SEC “to help the agency enforce laws” and to gain federal whistleblower protections, John Tye, the founder of Whistleblower Aid and Zatko’s attorney, told CNN. “The possibility of a reward wasn’t a factor in [Zatko’s] decision, and in fact he didn’t even know about the bounty program when he decided to be a legitimate whistleblower.”
Prior to joining Twitter, Zatko, now 51, led an influential cybersecurity grant program at the Pentagon, worked in a Google division to develop cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the Internet. Born in Alabama, where his father was a professor of chemistry at the University of Alabama in Tuscaloosa, Zatko told CNN that he began tinkering with technology like the early Apple computers from a young age.
Dug Song, chief strategy officer at Cisco Security, said Zatko’s career since the 1990s has shown that “there was more to hacking than just raising each other up, which was really a social good and impact.”
Twitter hired Zatko in November 2020 to enhance cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly carried out in July 2020 by a Florida teen, which compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. According to the disclosure, the senior executive role meant Zatko reported directly to then-CEO Jack Dorsey.
Dorsey’s successor as Twitter chief, Agrawal, fired Zatko in January after he expressed concerns about the company’s security and privacy practices, the disclosure said. (Twitter says it fired Zatko for poor performance.)
“This is something that everyone at large companies should care about, which is the integrity and truthfulness of the data… that is publicly represented, the national security implications and whether users can trust these organizations with their data,” Zatko told CNN of his decision to disclose Twitter’s alleged security practices to Congress and regulators.
A long history of pushing for reforms
Before he cut his hair and put on a suit, Zatko joined a Boston-area hacking collective in the mid-1990s known as L0pht, which helped shape the cybersecurity industry, according to “Cult of the Dead Cow,” a book on the early hacking scene by Washington Post reporter Joseph Menn.
L0pht members broke into computer systems and then worked with the companies that made the software to fix the problems. The now well-established practice of companies working with outside researchers to fix software flaws was seen as provocative and troubling by the software giants at the time.
Zatko was “bending the industry to his will,” Song told CNN. “L0pht built a model for doing it in a way that was, frankly, respectful and respectable.”
Zatko’s frankness and idealism were on display when he testified before the Senate with fellow L0pht members in 1998. “If you’re looking for computer security, the Internet is not the place,” Zatko told the senators. “If you think the government is giving you access to the enabling technology needed to tackle this problem, you are wrong again.”
Chris “Space Rogue” Thomas, another ex-L0pht member who testified with Zatko that day, said that L0pht would do everything it could to help companies collaboratively fix the software problems the hacker group found.
Thomas, who, like Zatko, uses his hacker name “Space Rogue” professionally, said that he and Zatko “have had differences in the past,” adding that he was fired in 2000 from @stake, the cybersecurity consultancy where Zatko was chief scientist. “Feelings were hurt, but that doesn’t change the fact of who [Zatko] is and what he believes and what he does. So I still think his moral standards haven’t really changed… in the 30 years that I’ve known him.”
“This is normal [Zatko],” he said of the whistleblower complaint. “This is normal for L0pht. It’s normal for the way we used to do things.”
In 2010, Zatko went to work for the Defense Advanced Research Projects Agency (DARPA), the R&D arm of the Pentagon, which had a founding role in setting up the Internet as we know it. There, he led a program that quickly funded cybersecurity researchers interested in finding and fixing vulnerabilities in computer systems found in cars and other critical infrastructure.
Starting at DARPA in 2010, Zatko called Song and other hackers to Booz Allen Hamilton’s office in Virginia for a brainstorming session, according to Song. A hacker known as The Hobbit, invited by Zatko, slept in a van outside the office and attended the meeting barefoot, Song said.
The ability to summon misfits and military is what stuck with Song.
“In an important or prominent place, [Zatko is] authentic to the hacker spirit in a way that many people who moved into commercial or public service on our behalf couldn’t do without being cheesy [or] corny,” Song told CNN.
Now, as he takes on Twitter, Zatko may find himself in a public conversation like never before.
“It wasn’t my first choice,” he told CNN. “It was not the path I wanted to take. I exhausted all internal options.”
“But I found that morally, and with who I am, I was bound to obey the law and pursue the legal path, through lawful disclosure, because [Twitter] is a critically important platform,” Zatko said. “I think it’s important to address some of these challenges. I sincerely believe that I am still doing the mission I was brought in to do.”
— CNN’s Claire Duffy, Brian Fung and Donny O’Sullivan contributed to this report.