Make a dent in the universe. Find something that needs improvement: go there and fix things. If not you, then who? {he/they}

DARPA^2|Stripe|Google|L0pht
Pinned Tweet
Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998. It was the first time the US Govt. publicly referenced “hackers” in a positive context. The coverage was national and even international. Come behind the scenes. /Thread
88
802
3,346
Looks like the cat is out of the bag. I’m very excited to be joining the executive team at Twitter! I truly believe in the mission of (equitably) serving the public conversation. I will do my best!
Here you go: Twitter names "Mudge" Zatko head of security. Priors at DARPA, Google, L0pht and Cult of the Dead Cow. reuters.com/article/idUSKBN2…
452
428
4,338
Oh, fwiw - I got the imaging / scans back. Cancer free. Down a kidney, but 1 is better than none... which is still better than 💀
108
26
2,025
If you have a 2013 Mercedes S-class you have libtiff, netcat, and libpcap, pre-installed. Pre-hacked-car :)
50
1,510
1,945
In an interview the person leaned over to me and whispered that he was Mudge from the l0pht and that he wrote l0phtcrack... don’t tell anybody. I never told him who I was, but I had fun asking about some of the horrible coding choices I... errr... he had made in l0phtcrack.
44
247
1,613
I’m back at DARPA, but this time part of the leadership team as DARPA’s Chief Information Officer (CIO). I’ll be at Defcon this year on stage with the Agency Director talking about larger picture items, and hopefully even greater ambitions than when I last keynoted BlackHat/DefCon as a DARPA PM. We all pulled off real magic the first time I was at DARPA (~ 2010-2014). In addition to helping stand up I2O as the agency “Cyber” office, a lot of the magic created through things like Cyber Fast Track (CFT) were due to the direct participation of this community. The projects, designed to ensure they gave back to this community, continue to evolve and grow today! Let’s see if we can make an even bigger dent in the universe this second time around! Kindest, Mudge
86
140
1,610
133,667
So... I suppose it’s time to share a bit. I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens. 1/n documentcloud.org/documents/…
31
721
1,392
This Cray computer doesn’t appear to be working. Although pushing the button does make the whole room warmer, which is expected behavior. #oldcomputerjokes
27
246
1,373
Great 'what if?' series. Some hit too close to home...
45
1,214
1,388
Don’t disclose information such as your date and year of birth publicly.
I made it to 30 today. If you're above 30, give me your best advice to 40.
29
143
1,227
It was 20 years ago on this day that my true identity, which until then had been a tightly held secret, was unintentionally leaked by the White House. Rob’s write up, linked here, is a quasi-factual humorous take. Here’s what actually happened. Thread. 1/n
Replying to @vmyths
THIS DATE IN HYSTERIA White House reveals @dotmudge's true identity web.archive.org/web/20110521…
20
349
1,173
A favorite part of being a hacker: people seeing that you are honestly interested in their work and hence they share their knowledge.
31
242
1,165
People inside the IC and DoD begged for this, but it would have required direct presidential approval and was too risky/contentious. Someone seems to have just gone and done it on their own?!?! Wow. Still hasn’t sunk in. I’m going to leave this here: archive.is/PQAnU
18
672
1,060
With YouTube banning “Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data." It’s time to post video walkthroughs for Google Project Zero advisories... and see how Google responds.
18
249
1,048
A story... Back in the l0pht days, I ran/configured/maintained the Unix system that was “the L0pht”. Here are the tricks, and here’s how it was attacked... 1/N
I’m so happy to have missed the infosec drama. Back in the day we had more exciting stuff to bicker about, like who leaked 0days and who hacked who...
10
307
949
MSFT has recently released: full vulnerability details on bugs (that they found!), a decent Linux subsystem, the best/most uniform security hygiene in dev/compile/build of the major OSes (Windows 10), and now tease an awesome CLI? I don’t think I survived that tumor...
Welcome to the new Windows Terminal. #MSBuild @KevinTGallo
13
144
945
We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products - Sarah Zatko Evaluating 15 years, 6000 updates securityledger.com/2019/08/h…
29
475
930
Nothing inspires confidence like waiting for takeoff on an international flight watching the Linux kernel being pulled via tftp. #/bogusdir
31
322
815
a) I need to cancel my appointment. b) One week notice; there’s a fee. a) How much to reschedule? b) No charge. a) Please reschedule to next month. b) Anything else? a) Please cancel next month’s appointment. Pro tip: do it across two phone calls. /HT @x0rz @flrntlptr
14
158
709
Doc 1: Do you smoke? A: no, would it help? Doc 2: do you do drugs? A: no, would it help? Polygrapher: ever had a homosexual experience? A: no, but I’m willing to consider it if it would help me get through all this easier. Them: We can’t tell when you’re joking. Me: Neither can I.
18
74
656
A 🧵 L0phtCrack has been a really wild ride. As of version 7.2 L0phtcrack is now open source. Released on GitLab. gitlab.com/l0phtcrack l0phtcrack.gitlab.io It is actively seeking maintainers. Many thanks to @dildog, @WeldPond, and all others. Story time…
8
205
634
So many people leave keyfobs next to the door. If you happen to have a bedroom further away take your keyfob and keep it by your bedside. Not only does it make near field amplification attacks more difficult but it can provide you a panic button within reach from your bed ;)
Another key fob amplification attack. At 0:30 you see a successful door unlock, but if I understand correctly, something did not work for the engine start.
19
326
610
[Thread] The kind folk at cyber-itl.org shared a new @zoom_us security issue with me. I want to take this opportunity to describe: The issue How Zoom et al should fix it How purchasers should identify it before corporate purchasing What individuals should do 1/
12
308
630
People asked, or assumed they knew, why I cut off my long hair in 2001. There were several factors, but the one that tipped the scales was the charity. I found this letter in a drawer I was cleaning out today. Before. After. Scale tipper.
20
38
613
One of the most remarkable *people* in the field. Full stop. Not “one of the most remarkable women”.
#OTD 10 May 1927: Elizebeth S. Friedman became a cryptanalyst for the Bureau of Prohibition. The U.S. Coast Guard credits her with deciphering over 12k encoded radio missions & calls her “one of the most remarkable women to ever work for the U.S. Gov't.”: bit.ly/2Vg4ZNS
9
130
570
When my daughter recently needed an ambulance, that’s a *need*, not a luxury. Even with insurance for-profit ambulance companies’ cost is obscene ($2k after insurance). I’m aware of how lucky I am to be able to afford/navigate it and of how many other families aren’t so lucky.
32
45
582
The Boeing 787 has a 32bit clock register and it overflows. Fix: Reboot plane every 50hrs. Seems familiar 🧐. Oh yeah... The Patriot Missile system had a 24bit clock that overflowed. Fix: Reboot missile system every 20hrs. (Good thing neither are critical systems 😬)
17
269
584
Dear world: This *is* how things work on the backend for much of our connected world. I recall conversations about SpaceX having issues with stale NFS handles scrubbing launches. Think it’s hard to intentionally disrupt systems? Not much harder than keeping them running as is.
13
238
578
The paper that moved the needle was by @aleph_one. I am honored to have contributed in some small way.
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one, who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper. Mudge's: insecure.org/stf/mudge_buffe…
15
119
566
Reminder: SMS 2FA is still meaningful. Large scale account take over study (3.3Billion accounts): SMS Auth was effective against: 100% Automated password stuffing 96% Bulk phishing 76% Targeted attacks U2F is *even* better! Use it! Mudge & Niels: piped.video/SOQgABDSYZE?t=4m10s
17
161
539
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks. The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass. cyber-itl.org/2018/12/07/a-l… cyber-itl.org/assets/papers/…
11
300
573
DoD data (cleared for release) shows on average 1/3 of vulns in government systems is in the security software.
23
652
526
Back when I first wrote L0phtcrack (1999), if you suggested that MSFT would become an organization with some of the best software build hygiene (code hygiene to application hardening) *and* that they would find their own RCEs and release details... Wow! Nice turnaround MSFT!
Some Windows DHCP remotes coming out from the team I work on at Microsoft! Patch yer stuff. portal.msrc.microsoft.com/en…
11
125
525
For a few months, they defended the heck out of that system 😅
10
13
514
I met Hobbit while he was writing Netcat. He was backdooring backdoors to track break-ins in some systems. I was in awe. Hobbit is a genuinely nice, decent, and inclusive person. He was (is) a role model for me. OBHack: some of my code is in netcat 🤩
1995: The networking utility Netcat was first released by Hobbit as Netcat 1.0.
13
75
491
It’s his place to say something first on the topic before I say anything at all :)
Fresh U.S. presidential candidate @BetoORourke was a member of the country’s oldest hacking group, which has kept his role a secret for decades – until now. My story is up on Reuters at reuters.com/investigates/spe…, but let me say a little more in this thread. (1/10)
18
77
481
Wow. Looks like the malicious code was introduced via a compromised build process. That way it doesn’t show up in the source repositories. Modern CI/CD processes have lots of opportunity for such trickery...
Confirmed by Webmin team now. 1.882 - 1.920 contain RCEs introduced due to compromised build infrastructure. 1.890 contained the real deal: Remote unauthenticated code execution with default config (commands executed as root). Compromised builds date back to July *2018*!
14
247
486
I claim there is some value in SMS 2FA. It is not appropriate for high value targets. There are better choices. Here are links to Google research studies showing SMS 2FA prevents large numbers of account takeover. Refuting? Cite your sources. security.googleblog.com/2019…
Reminder: SMS 2FA is still meaningful. Large scale account take over study (3.3Billion accounts): SMS Auth was effective against: 100% Automated password stuffing 96% Bulk phishing 76% Targeted attacks U2F is *even* better! Use it! Mudge & Niels: piped.video/SOQgABDSYZE?t=4m10s
18
133
471
Mommy SPARC Do doo doo doot de do Mommy SPARC Do doo doo doot de do Mommy SPARC Do doo doo doot de do Mommy SPARC /cc @DavidSchenet
21
110
468
Aleph took it much further and made it much more accessible. I’m proud to have contributed in even the slightest way.
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one, who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper. Mudge's: insecure.org/stf/mudge_buffe…
20
78
488
I can think of many more deserving than I: All of the people I’ve looked up to and learned from. Some folk at Stripe and CITL. Some folk forever behind the green door... Still...flattered to be in Forbes’ Top 20 Influential Hackers! forbes.com/sites/daveywinder…
25
62
457
Hey @moxie, I can only imagine it must be frustrating sometimes. You handle it all with grace, respect, and aplomb. You have tirelessly worked for the right goals, and done so with great technical acumen and a large scale systems awareness. I believe in you. Thanks Moxie
9
36
446
Oh dear lord. I’m in the airport and the person who will be sitting next to me has said ‘blockchain’ on the phone 4 times in 3 minutes. He’s also been rude to everyone around him. Flight is delayed: I’m going to co-opt 51% of the passengers to remove him from the flight.
16
36
424
Those clever Canadians… In Quebec, in order to boost vaccination rates, they made it a requirement to be vaccinated to go into liquor and cannabis stores. Results: immediate 400% increase in vaccinations. Those very clever Canadians :) montreal.ctvnews.ca/first-do…
20
82
415
DNC creates Cybersecurity board made up of well meaning people with no cybersecurity expertise. Your move Russia... thehill.com/business-a-lobby…
15
366
407
It’s beginning to look a lot like burn bag Christmas :)
21
25
429
May 19th was the anniversary of testimony I, and colleagues, provided to the US Senate in 1998. In it we even described ways to disable satellites. The next day 90% of pager traffic stopped due to a satellite (Galaxy) going offline. Can’t tell that story, but here’s the trip:
Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998. It was the first time the US Govt. publicly referenced “hackers” in a positive context. The coverage was national and even international. Come behind the scenes. /Thread
15
84
424
This is my boss. He makes me happy ;) Btw: Stripe Security is hiring (open DMs)
My new card just arrived! 😍
11
44
444
In 1999 Cult of the Dead Cow (cDc) released Back Orifice 2000 (Bo2k) at DEFCON 7. I played a (tasteless) shred guitar solo on stage and then smashed a bunch of monitors[0]. Anyone have the video (with audio)? [0] Like there was any way I would say “no” to that opportunity :)
29
63
412
If whoever had control of L0phtCrack ever stopped selling, working on, and supporting the tool for a period of 1 year… The 3 of us could buy it back. How much $$$? Oh, the same amount the product had grossed in sales for the 12 months that it hadn’t been sold ($0) 😗
16
35
406
I’ve come across two special tech books. How to Ace Calculus, The Streetwise Guide (Adams, Thompson, Hass) Deep C Secrets (van der Linden) Whimsical, irreverent, and downright funny while making deep technical subjects accessible and enjoyable. Anyone know others like these?
26
55
413
Hey, Hacker-Con folks: I created, and ran, the TCP/IP drinking game (DefCon, SummerCon, etc.) Don’t do this! @IanColdwater is right. Don’t lean on people who aren’t drinking. Not cool.
11
43
392
Cyber-ITL IoT data dump and analysis is posted! 15 years of data: no positive trends from any one vendor Security hygiene got worse more often than better 22 Vendors 1,294 Products 4,956 Versions 3,333,411 Binaries Dates: 2003 to 2019 Raw data linked cyber-itl.org/2019/08/26/iot…
14
208
393
I spent New Year’s Eve on a call with the White House as I and National Security Council members ticked away time zones rolling into Y2K. People worked really hard on that issue, which is partly why it was a non-issue... and why a lot of source trees were able to be stolen.
Y2K was real, everybody just worked to fix it instead of complain on Twitter
18
57
391
At #Shmoocon2019 a bunch of us may have “secretly” replaced the NSA charging station’s hardware with a similar looking “variant”. Let’s see which group figures it out first... We’re giving this experiment the code words FOLGERS CRYSTALS.
9
105
378
Biggest pushback, from people now touting themselves as candidates for security advisors to new politicos, was surprising: They refused to require 2fa: it would be annoying. They pushed back on gsuite to enable document control/access/auditing: another email is too much. 6/n
9
74
335
When you think of privacy engineering @leakissner is top of the list. I’m excited to be working with them (again!) as Twitter’s new Head of Privacy Engineering! I can’t think of many who are more devoted to being in service of the public conversation and the greater good!
15
20
372
I caught them on the system trying to elevate their privileges, and broke into a conversation... I congratulated them. And immediately, and without being asked, I gave them the root password. I told them if anything happened to the system I would assume it was their fault. 😈
5
42
350
For the record, from my vantage point, @aleph_one received early work from myself, ReDragon, and possibly others. He took that work, combined it with his own, and made it much more accessible. I’m honored to have been in the right place and time to have contributed.
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one, who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper.
9
75
362
Found another 5G system that has been bugged.
10
27
359
This is a brilliant tactic. There are so many others like this because the AV community keeps thinking this is a one-move game... Kudos!
Choose a malware signature as your username. Gets logged, and server-side anti-malware will delete whole log file :) sec.cs.tu-bs.de/pubs/2017-as…
5
218
337
I wrote a security tool that had a security vulnerability in it. I then did the right thing and wrote a security advisory about my own code to publicly shame the author and get a fix released. 🤦‍♂️ At least I treated everyone the same.
12
35
340
When your NSA webcam cover... isn’t. /HT @EFF, @MaxGraey
8
122
337
So let me get this right... The people who were screaming about would-be death panels if universal healthcare happened... are the ones who caused 100s of thousands of deaths through delay, and will cause more refusing to follow the advice of medical and disease experts. And...
10
47
297
So what I ‘choose’ to take from all of this is: A) Occasionally I warrant nation state interest (yay?) B) I don’t warrant high end stuff (that I know of) C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal. documentcloud.org/documents/…
2
34
301
Most people don’t realize that at Starbucks, and elsewhere, they ask: “May I have *a* name?” Not: “Give me *your* name.” Sure, here’s *a* name... My name changes frequently, and randomly, and everybody is fine with it... <wink> #ownthesystem
64
39
310
Thanks everyone! I'm excited to be reporting to the CEO at Rapid7 as an Executive in Residence! For clarification this is not full time and it is not exclusive. This does not change existing relations I have with other orgs.
4
308
78,775
I went *into* the government, and military, for the same reason. It’s a complex world. Have a strong moral compass, and follow it. I understand what @IanColdwater is saying here, and I support it.
16
21
289
Remember: compilers may think differently than developers. Source code is the intent, the binary is the truth. Awesome example :) nitter.app/volatile_void/status/1…
9
109
321
The cryptanalysis paper I wrote with @schneierblog and submitted to ACM was: Accepted based on content Rejected when I refused to provide my actual name (Ultimately was accepted thanks to Bruce fighting for my privacy) That paper re-org’d MSFT ;) #shareyourrejections
6
61
310
5 words? Well, since you asked: A) Security vendors selling insecure products B) security solutions not solving problems Choose one 😉
22
53
285
End of Line /HT MCP
15
15
281
Better yet write it up and send the acknowledgement and gratitude to the employee’s manager and CC the employee. These things stand out during performance reviews and are easy to do with disproportionate impact. Not only is it easy to do, it’s the right thing :)
Remember to acknowledge your coworkers when they do something impressive or forward-thinking. Especially in front of their manager.
8
40
285
Yup. I’m encouraging you all to install software recommended by a person who was the manager of (one of) NSAs offensive teams... and who is still at the Agency. Much better purpose than mining for crypto-currencies. ❤️
For my tech friends, consider using your GPUs to help analyze Coronavirus. The Folding at Home effort (remember SETI@Home?) is working on COVID-19 research. Install the software and donate cycles to the cause. foldingathome.org/2020/02/27… Use the link at the top "start folding."
5
80
287
This is a fascinating and challenging time. I was here throughout this. I can attest to the fact that what @jack shares is truthful and honest. I joined, recently, because I believe I can positively impact Twitter’s ability to serve the public conversation. (Not overnight)
I do not celebrate or feel pride in our having to ban @realDonaldTrump from Twitter, or how we got here. After a clear warning we’d take this action, we made a decision with the best information we had based on threats to physical safety both on and off Twitter. Was this correct?
14
19
287
Apparently *this* is how to secure all the cybers! I'm... uh... I'm going to go walk over there now... (?!?)
14
119
288
The types of bugs we continue to see from Palo Alto Networks in their products are disconcerting. They are basic. They are identifiable through static analysis (format strings?!). And some products are built on risky foundations (Linux on MIPS lacks basic safety features). ??
12
92
295
During early L0pht days I was a Unix admin for ~50 DoD/USG systems. The government would not let me make needed changes to secure them (1/N)
6
177
287
Stripe has hired renowned security researcher Peiter ‘Mudge’ Zatko - Recode google.com/amp/www.recode.ne…
27
69
287
What’s the best security advice you’ve heard (or given) to a startup or small business? Especially that helps the company accelerate their mission at that stage and later... G-suite Isolate functions/systems Minimalism (Chromebook/container OSes) Inventory and mapping Docs ???
92
56
294
The full testimony recorded from CSPAN has been up on YouTube for a while. It’s worth a watch. When you’re done, come on back here and I’ll finish the anniversary date storytime and picture show (spoiler alert: White House shenanigans...) piped.video/VVJldn_MmMY
12
33
279
When data contradicts security: @NielsProvos and I challenge security field common beliefs: *SMS Challenge works *Password complexity doesn’t work *Security products can make it worse *You can measure security *”Always update”, needs updating @stripe piped.video/watch?v=SOQgABDS…
5
89
280
Someone tweeted asking for weird technical items stuck in your head yet now largely useless. Some of mine DOS: debug.exe - wcs: 100 2 1 100 (Blow away the C: drive’s MBR/FAT) Apple ][: call -151 (enter machine monitor) c600g (reboot) 3d0g (execute BASIC CLI) What are yours?
147
52
282
Now the press had two copies of the attendance list. One with my real name and a second one with my cover name where my real name had been before. That was the only change. So not only did the WH leak my real name, they essentially highlighted it in neon lights. 🤷‍♂️ 16/16
5
9
268
Anthony Bourdain was someone whom I respected and looked up to tremendously. My friend, author and bjj training partner, @combatcodes just wrote a great article about Anthony’s anonymous BJJ postings to Reddit. Enjoy: jiujitsustyle.com/bourdains-…
4
71
269
I’m going to say a few things to the Internet about Alan Sonnenberg. Why am I telling you and not him? I waited too long. Thread… thesunchronicle.com/foxboro_…
8
42
258
Grateful for those who put the well-being of others first; who take a shot at helping, who fail, learn, reinvent, take another shot, and another, and another... As Teddy Roosevelt said: “No one cares how much you know, until they know how much you care.” #Grateful #OneTeam
4
33
265
I would have to describe the mood and feeling in Philadelphia tonight as: Blade Runner.
15
18
266
It may be a year before people realize what we managed to release today. Video: piped.video/watch?v=mpbWQbkl… Verilog: github.com/ProjectVault/orp
41
222
275
I've gone head to head with Microsoft, the NSA, and the DoD; cancer didn't have a chance. (And It was more fun than watching the debates)
11
31
267
My heart skipped a beat when I walked into the in-laws garage. I had to do a double take. What I briefly mistook, in my peripheral vision, for a burn bag full of papers... ...turned out to be a Trader Joe’s holiday shopping bag. 😅
19
19
260
The people who asked for my counsel fought basic hygiene, which made the subsequent compromises easier/possible. The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone). and then..
2
38
242
Nothing wrong with a music grad as CSO, but: Humbly suggest also have 20+ years track record (Off & Def) cyber at high tech && mgmt levels.
17
72
260
And the winner for the “Best use of spreadsheet cell border lines” award is… 🏆
Doing some FPGA work recently and I found Microsoft Excel quite handy for drawing timing diagrams.
4
36
268
29,813
I dislike flying, so we rented a Dodge Ram 3500 15 passenger van to drive down to the US Senate. As a bonus, we could stop by the NSA Crypto Museum! We met at the L0pht around 4am to load up. Group picture (L to R): Brian Oblivion, Stefan, Weld, Tan, Kingpin, Spacerog, Mudge
4
7
259
On stage today, during the Cyber-ITL talk at ShmooCon, Patrick dropped a little 0day that speculative execution executed data (ignoring non-execute markings). That’s r-x... for those keeping track. (rowhammer for the write anyone?)
13
117
255
Regarding F5-Big-IP (CVE-2020-5902) ask the following: Where is the vendor statement describing the change in practices going forward to prevent such trivial exploits in their products? Quick acknowledgement and patch is a bare minimum. Customers deserve more from vendors.
8
68
251
"We have discovered a keylogger in an audio driver package by Hewlett-Packard." modzero.ch/modlog/archives/2…
10
287
242