Respected in cybersecurity circles, former Twitter security chief Peiter “Mudge” Zatko is a wild card in Elon Musk’s legal gambit to break a $44 billion deal to buy the social network.
Zatko’s whistleblower complaint of “extreme, egregious deficiencies” in Twitter defenses against hackers plays into Musk’s quest to convince a judge that he was duped when he foisted his unsolicited offer on the company.
While testifying before members of the US Congress on Tuesday, Zatko said his worries about possible harm to Twitter users and national security prompted him to come forward.
“I did not make my whistleblower disclosures out of spite or to harm Twitter,” Zatko said.
“Far from that. I continue to believe in the mission of the company.”
Twitter has dismissed 51-year-old Zatko’s complaint as being without merit, and vowed to show it did nothing wrong at an October trial in a Delaware court.
If the court focuses on the fact that the world’s richest man declined to do fact gathering typically associated with big-money mergers, Zatko’s allegations could wind up being moot.
Zatko first testified before Congress 24 years ago, when he was a long-haired hacker determined to warn about the perils of poorly protected government computer systems.
This time, he was called on to provide details about his accusations that Twitter hid flaws in its security as well as its fight against accounts run by spammers or software instead of genuine users.
He told the hearing that Twitter’s security failures threaten both national security and the privacy of users — but that the company’s leadership has refused to make tough but necessary changes, prioritizing profits over safety.
Musk has listed the number of inauthentic accounts on Twitter as among the reasons to justify walking away from the buyout deal he made in April.
“Once both parties step into court it’s a high risk/high reward scenario for both parties with the major X variable now being the Zatko whistleblower claims,” Wedbush analyst Dan Ives said in a note to investors.
“We continue to view the Zatko situation as a Pandora’s Box scenario for Twitter.”
If Twitter prevails at trial, the judge could order the Tesla chief to pay billions of dollars to the company, or even complete the purchase.
– ‘Big problems’ –
“If Mudge says Twitter has cybersecurity problems, Twitter has big problems,” said Vectra cybersecurity firm chief technology officer Aaron Turner, who says he has known Zatko since the 1980s.
A son of scientists, Zatko grew up in the US states of Alabama and Pennsylvania, his passions including music and software.
In 1996, he joined a hacker collective called L0pht. He and other members of the group testified before Congress two years later.
“It was the first time the U.S. government publicly referenced ‘hackers’ in a positive context,” Zatko said in a 2019 tweet marking an anniversary of the testimony.
Zatko has done stints at Google and online payment services company Stripe, and also at Pentagon research arm DARPA.
Twitter founder and former chief Jack Dorsey recruited Zatko in July 2020 after a spectacular hack of the accounts of celebrities and political figures including Barack Obama, Musk and Kim Kardashian.
US President Joe Biden’s team offered Zatko a position as White House security director early last year but he declined the job, believing he had work left to do at Twitter, his attorneys said.
– House of cards? –
Twitter fired Zatko in January, citing “ineffective leadership and poor performance.”
Zatko’s lawyers have rejected Twitter’s claim, contending instead that he was terminated after a clash with top executives who refused to acknowledge his concerns about platform security.
“Mr Zatko put his career on the line because of his concerns about Twitter users, the public and the company’s shareholders,” his attorneys said.
Andrew Hay, director of operations at the Lares cybersecurity consulting firm, said “those in the industry who know Mudge know that his intentions have historically been honorable, non-partisan, and designed to benefit the world.”
Zatko’s whistleblower complaint, filed just days after Twitter agreed to give him a multi-million dollar severance package, is not necessarily evidence that the company misrepresented user numbers, according to analysts.
Musk’s lawyers will “try to prove that Twitter tried to sell him a house of cards,” but security flaws would have to be “really serious,” said University of California, Berkeley law school professor Adam Badawi.