Mudge

@dotMudge

Followers
66,888
Following
343
Media
471
Statuses
4,692

Make a dent in the universe. Find something that needs improvement: go there and fix things. If not you, then who? {he/they}

TWTR|Stripe|Google|DARPA|L0pht
Joined September 2011
Pinned Tweet
@dotMudge
Mudge
5 years
Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998. It was the first time the US Govt. publicly referenced “hackers” in a positive context. The coverage was national and even international. Come behind the scenes. /Thread
Tweet media one
115
915
4K
@dotMudge
Mudge
4 years
Looks like the cat is out of the bag. I’m very excited to be joining the executive team at Twitter! I truly believe in the mission of (equitably) serving the public conversation. I will do my best!
@josephmenn
Joseph Menn
4 years
Here you go: Twitter names "Mudge" Zatko head of security. Priors at DARPA, Google, L0pht and Cult of the Dead Cow.
44
335
1K
492
470
5K
@dotMudge
Mudge
5 years
Oh, fwiw - I got the imaging / scans back. Cancer free. Down a kidney, but 1 is better than none... which is still better than 💀
116
28
2K
@dotMudge
Mudge
8 years
If you have a 2013 Mercedes S-class you have libtiff, netcat, and libpcap, pre-installed. Pre-hacked-car :)
Tweet media one
57
2K
2K
@dotMudge
Mudge
5 years
In an interview the person leaned over to me and whispered that he was Mudge from the l0pht and that he wrote l0phtcrack... don’t tell anybody. I never told him who I was, but I had fun asking about some of the horrible coding choices I... errr... he had made in l0phtcrack.
48
281
2K
@dotMudge
Mudge
6 years
So... I suppose it’s time to share a bit. I have always worked to try to educate the government so they can make better informed decisions that will benefit all citizens. 1/n
34
849
2K
@dotMudge
Mudge
6 years
This Cray computer doesn’t appear to be working. Although pushing the button does make the whole room warmer, which is expected behavior. #oldcomputerjokes
Tweet media one
27
314
2K
@dotMudge
Mudge
8 years
Great 'what if?' series. Some hit too close to home...
Tweet media one
51
1K
2K
@dotMudge
Mudge
6 years
Don’t disclose information such as your date and year of birth publicly.
@Suhail
Suhail
6 years
I made it to 30 today. If you're above 30, give me your best advice to 40.
833
150
2K
32
167
1K
@dotMudge
Mudge
4 years
It was 20 years ago on this day that my true identity, which until then had been a tightly held secret, was unintentionally leaked by the White House. Rob’s write up, linked here, is a quasi-factual humorous take. Here’s what actually happened. Thread. 1/n
@vmyths
🗣 Rob Rosenberger
4 years
THIS DATE IN HYSTERIA White House reveals @dotmudge 's true identity
1
11
62
21
405
1K
@dotMudge
Mudge
7 years
A favorite part of being a hacker: people seeing that you are honestly interested in their work and hence they share their knowledge.
Tweet media one
34
280
1K
@dotMudge
Mudge
6 years
People inside the IC and DoD begged for this, but it would have required direct presidential approval and was too risky/contentious. Someone seems to have just gone and done it on their own?!?! Wow. Still hasn’t sunk in. I’m going to leave this here:
20
756
1K
@dotMudge
Mudge
5 years
With YouTube banning “Instructional hacking and phishing: Showing users how to bypass secure computer systems or steal user credentials and personal data." It’s time to post video walkthroughs for Google Project Zero advisories... and see how Google responds.
20
295
1K
@dotMudge
Mudge
5 years
A story... Back in the l0pht days, I ran/configured/maintained the Unix system that was “the L0pht”. Here are the tricks, and here’s how it was attacked... 1/N
@thegrugq
thaddeus e. grugq
5 years
I’m so happy to have missed the infosec drama. Back in the day we had more exciting stuff to bicker about, like who leaked 0days and who hacked who...
11
37
358
11
364
1K
@dotMudge
Mudge
5 years
MSFT has recently released: full vulnerability details on bugs (that they found!), a decent Linux subsystem, the best/most uniform security hygiene in dev/compile/build of the major OSes (Windows 10), and now tease an awesome CLI? I don’t think I survived that tumor...
@windowsdev
Windows Developer
5 years
Welcome to the new Windows Terminal. #MSBuild @KevinTGallo
690
8K
28K
14
162
1K
@dotMudge
Mudge
5 years
We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products - Sarah Zatko Evaluating 15 years, 6000 updates
31
544
1K
@dotMudge
Mudge
7 years
Nothing inspires confidence like waiting for takeoff on an international flight watching the Linux kernel being pulled via tftp. #/bogusdir
Tweet media one
32
354
892
@dotMudge
Mudge
6 years
a) I need to cancel my appointment. b) One week notice; there’s a fee. a) How much to reschedule? b) No charge. a) Please reschedule to next month. b) Anything else? a) Please cancel next month’s appointment. Pro tip: do it across two phone calls. /HT @x0rz @flrntlptr
15
191
817
@dotMudge
Mudge
6 years
Doc 1: Do you smoke? A: no, would it help? Doc 2: do you do drugs? A: no, would it help? Polygrapher: ever had a homosexual experience? A: no, but I’m willing to consider it if it would help me get through all this easier. Them: We can’t tell when you’re joking. Me: Neither can I.
19
86
753
@dotMudge
Mudge
3 years
A 🧵 L0phtCrack has been a really wild ride. As of version 7.2 L0phtcrack is now open source. Released on GitLab. It is actively seeking maintainers. Many thanks to @dildog , @WeldPond , and all others. Story time…
9
236
719
@dotMudge
Mudge
4 years
[Thread] The kind folk at shared a new @zoom_us security issue with me. I want to take this opportunity to describe: The issue How Zoom et al should fix it How purchasers should identify it before corporate purchasing What individuals should do 1/
13
347
694
@dotMudge
Mudge
6 years
So many people leave keyfobs next to the door. If you happen to have a bedroom further away take your keyfob and keep it by your bedside. Not only does it make near field amplification attacks more difficult but it can provide you a panic button within reach from your bed ;)
@it4sec
Denis Laskov 🇮🇱
6 years
Another key fob amplification attack. At 0:30 you see a successful door unlock, but if I understand correctly, something didn't work for the engine start.
22
281
511
19
375
690
@dotMudge
Mudge
5 years
One of the most remarkable *people* in the field. Full stop. Not “one of the most remarkable women”.
@NCFcyber
National Cryptologic Foundation
5 years
#OTD 10 May 1927: Elizebeth S. Friedman became a cryptanalyst for the Bureau of Prohibition. The U.S. Coast Guard credits her with deciphering over 12k encoded radio missions & calls her “one of the most remarkable women to ever work for the U.S. Gov't.”:
Tweet media one
0
40
87
10
160
673
@dotMudge
Mudge
5 years
People asked, or assumed they knew, why I cut off my long hair in 2001. There were several factors, but the one that tipped the scales was the charity. I found this letter in a drawer I was cleaning out today. Before. After. Scale tipper.
Tweet media one
Tweet media two
Tweet media three
21
42
684
@dotMudge
Mudge
4 years
The Boeing 787 has a 32bit clock register and it overflows. Fix: Reboot plane every 50hrs. Seems familiar 🧐. Oh yeah... The Patriot Missile system had a 24bit clock that overflowed. Fix: Reboot missile system every 20hrs. (Good thing neither are critical systems 😬)
Tweet media one
@mountain_ghosts
fabergé skateboard
4 years
they put a millisecond clock with a 32-bit register, in a plane, and it overflows
128
2K
5K
19
312
673
@dotMudge
Mudge
6 years
Dear world: This *is* how things work on the backend for much of our connected world. I recall conversations about SpaceX having issues with stale NFS handles scrubbing launches. Think it’s hard to intentionally disrupt systems? Not much harder than keeping them running as is.
@atomicthumbs
walking mirage
6 years
A former Tesla employee, who worked on their IT infrastructure, is posting in a subforum of a subforum, a little-known place for funny computers forgotten by time. His NDA has expired. He has such sights to show us. Join me and I will be your silent guide into a world of horror.
Tweet media one
456
12K
28K
15
275
661
@dotMudge
Mudge
3 years
When my daughter recently needed an ambulance, that’s a *need*, not a luxury. Even with insurance for-profit ambulance companies’ cost is obscene ($2k after insurance). I’m aware of how lucky I am to be able to afford/navigate it and of how many other families aren’t so lucky.
35
54
669
@dotMudge
Mudge
4 years
Reminder: SMS 2FA is still meaningful. Large scale account takeover study (3.3 billion accounts): SMS Auth was effective against: 100% automated password stuffing, 96% bulk phishing, 76% targeted attacks. U2F is *even* better! Use it! Mudge & Niels:
@frank_rieger
Frank Rieger
4 years
Even if the current Twitter authentication problems turn out to be something different, it's a good time to re-iterate: 2FA that is based on SMS or in other ways tied to mobile phone numbers is a seriously bad idea. Phone number assignment processes were never designed for this.
6
70
215
21
199
623
@dotMudge
Mudge
5 years
The paper that moved the needle was by @aleph_one . I am honored to have contributed in some small way.
@todayininfosec
Today In Infosec
5 years
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one , who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper. Mudge's:
Tweet media one
9
357
863
17
134
621
@dotMudge
Mudge
5 years
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks. The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.
13
336
618
@dotMudge
Mudge
5 years
Back when I first wrote L0phtcrack (1999), if you suggested that MSFT would become an organization with some of the best software build hygiene (code hygiene to application hardening) *and* that they would find their own RCEs and release details... Wow! Nice turnaround MSFT!
@gamozolabs
Brandon Falk
5 years
Some Windows DHCP remotes coming out from the team I work on at Microsoft! Patch yer stuff.
5
97
175
13
139
584
@dotMudge
Mudge
9 years
DoD data (cleared for release) shows on average 1/3 of vulns in government systems is in the security software. http://t.co/5tAQqvcSgZ
Tweet media one
28
721
568
@dotMudge
Mudge
5 years
For a few months, they defended the heck out of that system 😅
12
14
580
@dotMudge
Mudge
5 years
I met Hobbit while he was writing Netcat. He was backdooring backdoors to track break-ins in some systems. I was in awe. Hobbit is a genuinely nice, decent, and inclusive person. He was (is) a role model for me. OBHack: some of my code is in netcat 🤩
@todayininfosec
Today In Infosec
5 years
1995: The networking utility Netcat was first released by Hobbit as Netcat 1.0.
Tweet media one
2
66
174
13
82
548
@dotMudge
Mudge
5 years
It’s his place to say something first on the topic before I say anything at all :)
@josephmenn
Joseph Menn
5 years
Fresh U.S. presidential candidate @BetoORourke was a member of the country’s oldest hacking group, which has kept his role a secret for decades – until now. My story is up on Reuters at , but let me say a little more in this thread. (1/10)
Tweet media one
439
3K
5K
20
89
543
@dotMudge
Mudge
5 years
Wow. Looks like the malicious code was introduced via a compromised build process. That way it doesn’t show up in the source repositories. Modern CI/CD processes have lots of opportunity for such trickery...
@faker_
Roman
5 years
Confirmed by Webmin team now. 1.882 - 1.920 contain RCEs introduced due to compromised build infrastructure. 1.890 contained the real deal: Remote unauthenticated code execution with default config (commands executed as root). Compromised builds date back until July *2018*!
Tweet media one
5
223
247
16
292
538
@dotMudge
Mudge
4 years
I claim there is some value in SMS 2FA. It is not appropriate for high value targets. There are better choices. Here are links to Google research studies showing SMS 2FA prevents large numbers of account takeover. Refuting? Cite your sources.
Tweet media one
@dotMudge
Mudge
4 years
Reminder: SMS 2FA is still meaningful. Large scale account takeover study (3.3 billion accounts): SMS Auth was effective against: 100% automated password stuffing, 96% bulk phishing, 76% targeted attacks. U2F is *even* better! Use it! Mudge & Niels:
21
199
623
19
158
541
@dotMudge
Mudge
4 years
Aleph took it much further and made it much more accessible. I’m proud to have contributed in even the slightest way.
@todayininfosec
Today In Infosec
4 years
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one , who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper. Mudge's:
Tweet media one
4
302
843
24
89
536
@dotMudge
Mudge
5 years
Mommy SPARC Do doo doo doot de do Mommy SPARC Do doo doo doot de do Mommy SPARC Do doo doo doot de do Mommy SPARC /cc @DavidSchenet
Tweet media one
Tweet media two
22
127
527
@dotMudge
Mudge
4 years
I can think of many more deserving than I: All of the people I’ve looked up to and learned from. Some folk at Stripe and CITL. Some folk forever behind the green door... Still...flattered to be in Forbes’ Top 20 Influential Hackers!
29
66
499
@dotMudge
Mudge
2 years
Those clever Canadians… In Quebec, in order to boost vaccination rates, they made it a requirement to be vaccinated to go into liquor and cannabis stores. Results: immediate 400% increase in vaccinations. Those very clever Canadians :)
20
105
498
@dotMudge
Mudge
4 years
Hey @moxie , I can only imagine it must be frustrating sometimes. You handle it all with grace, respect, and aplomb. You have tirelessly worked for the right goals, and done so with great technical acumen and a large scale systems awareness. I believe in you. Thanks Moxie
11
41
501
@dotMudge
Mudge
6 years
Oh dear lord. I’m in the airport and the person who will be sitting next to me has said ‘blockchain’ on the phone 4 times in 3 minutes. He’s also been rude to everyone around him. Flight is delayed: I’m going to co-opt 51% of the passengers to remove him from the flight.
16
46
485
@dotMudge
Mudge
2 years
It’s beginning to look a lot like burn bag Christmas :)
Tweet media one
25
27
495
@dotMudge
Mudge
8 years
DNC creates Cybersecurity board made up of well meaning people with no cybersecurity expertise. Your move Russia...
16
416
460
@dotMudge
Mudge
3 years
May 19th was the anniversary of testimony I, and colleagues, provided to the US Senate in 1998. In it we even described ways to disable satellites. The next day 90% of pager traffic stopped due to a satellite (Galaxy) going offline. Can’t tell that story, but here’s the trip:
@dotMudge
Mudge
5 years
Today is the anniversary of the testimony I and other members of the l0pht gave to the US Senate in 1998. It was the first time the US Govt. publicly referenced “hackers” in a positive context. The coverage was national and even international. Come behind the scenes. /Thread
Tweet media one
115
915
4K
16
96
478
@dotMudge
Mudge
5 years
This is my boss. He makes me happy ;) Btw: Stripe Security is hiring (open DMs)
@patrickc
Patrick Collison
5 years
My new card just arrived! 😍
Tweet media one
69
278
3K
13
47
479
@dotMudge
Mudge
3 years
If whoever had control of L0phtCrack ever stopped selling, working on, and supporting the tool for a period of 1 year… The 3 of us could buy it back. How much $$$? Oh, the same amount the product had grossed in sales for the 12 months that it hadn’t been sold ($0) 😗
16
42
472
@dotMudge
Mudge
5 years
In 1999 Cult of the Dead Cow (cDc) released Back Orifice 2000 (Bo2k) at DEFCON 7. I played a (tasteless) shred guitar solo on stage and then smashed a bunch of monitors[0]. Anyone have the video (with audio)? [0] Like there was any way would say “no” to that opportunity :)
31
70
454
@dotMudge
Mudge
5 years
Hey, Hacker-Con folks: I created, and ran, the TCP/IP drinking game (DefCon, SummerCon, etc.) Don’t do this! @IanColdwater is right. Don’t lean on people who aren’t drinking. Not cool.
@IanColdwater
Ian Coldwater 📦💥
5 years
I'm sorry, but I honestly think that saying "if you don't like drinking, you're in the wrong place!" is a shitty thing to say from stage at an infosec con even if you are at the afterparty To the sober folks and the ones in recovery: no, you're not. You belong here too
105
357
3K
14
53
449
@dotMudge
Mudge
5 years
I’ve come across two special tech books. How to Ace Calculus, The Streetwise Guide (Adams, Thompson, Hass) Deep C Secrets (van der Linden) Whimsical, irreverent, and downright funny while making deep technical subjects accessible and enjoyable. Anyone know others like these?
27
69
452
@dotMudge
Mudge
5 years
Cyber-ITL IoT data dump and analysis is posted! 15 years of data: no positive trends from any one vendor Security hygiene got worse more often than better 22 Vendors 1,294 Products 4,956 Versions 3,333,411 Binaries Dates: 2003 to 2019 Raw data linked
14
241
439
@dotMudge
Mudge
5 years
I spent New Year’s Eve on a call with the White House as I and National Security Council members ticked away time zones rolling into Y2K. People worked really hard on that issue, which is partly why it was a non-issue... and why a lot of source trees were able to be stolen.
@SwiftOnSecurity
SwiftOnSecurity
5 years
Y2K was real, everybody just worked to fix it instead of complain on Twitter
34
128
1K
18
70
432
@dotMudge
Mudge
5 years
At #Shmoocon2019 a bunch of us may have “secretly” replaced the NSA charging station’s hardware with a similar looking “variant”. Let’s see which group figures it out first... We’re giving this experiment the code words FOLGERS CRYSTALS.
Tweet media one
Tweet media two
10
116
419
@dotMudge
Mudge
6 years
Biggest pushback, from people now touting themselves as candidates for security advisors to new politicos, was surprising: They refused to require 2fa: it would be annoying. They pushed back on gsuite to enable document control/access/auditing: another email is too much. 6/n
10
91
399
@dotMudge
Mudge
5 years
I caught them on the system trying to elevate their privileges, and broke into a conversation... I congratulated them. And immediately, and without being asked, I gave them the root password. I told them if anything happened to the system I would assume it was their fault. 😈
6
49
397
@dotMudge
Mudge
3 years
When you think of privacy engineering @leakissner is top of the list. I’m excited to be working with them (again!) as Twitter’s new Head of Privacy Engineering! I can’t think of many who are more devoted to being in service of the public conversation and the greater good!
19
23
406
@dotMudge
Mudge
6 years
For the record, from my vantage point, @aleph_one received early work from myself, ReDragon, and possibly others. He took that work, combined it with his own, and made it much more accessible. I’m honored to have been in the right place and time to have contributed.
@todayininfosec
Today In Infosec
6 years
1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one , who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper.
Tweet media one
5
432
943
9
82
393
@dotMudge
Mudge
3 years
Found another 5G system that has been bugged.
Tweet media one
10
30
388
@dotMudge
Mudge
7 years
This is a brilliant tactic. There are so many others like this because the AV community keeps thinking this is a one-move game... Kudos!
@MarkKriegsman
Mark Kriegsman
7 years
Choose a malware signature as your username. Gets logged, and server-side anti-malware will delete whole log file :)
31
1K
2K
6
251
383
@dotMudge
Mudge
5 years
When your NSA webcam cover... isn’t. /HT @EFF , @MaxGraey
Tweet media one
10
144
378
@dotMudge
Mudge
4 years
I wrote a security tool that had a security vulnerability in it. I then did the right thing and wrote a security advisory about my own code to publicly shame the author and get a fix released. 🤦‍♂️ At least I treated everyone the same.
@ElleArmageddon
not here; find me elsewhere.
4 years
This is your unscheduled reminder that telling early-in-career engineers stories of times you messed something up real bad is a good way to help them combat their own impostor syndrome.
775
1K
7K
12
40
384
@dotMudge
Mudge
6 years
So what I ‘choose’ to take from all of this is: A) Occasionally I warrant nation state interest (yay?) B) I don’t warrant high end stuff (that I know of) C) The recent indictment is very forthcoming compared to what the IC/DoJ normally reveal.
2
44
352
@dotMudge
Mudge
4 years
So let me get this right... The people who were screaming about would-be death panels if universal healthcare happened... are the ones who caused 100s of thousands of deaths through delay, and will cause more refusing to follow the advice of medical and disease experts. And...
12
61
364
@dotMudge
Mudge
5 years
Most people don’t realize that at Starbucks, and elsewhere, they ask: “May I have *a* name?” Not: “Give me *your* name.” Sure, here’s *a* name... My name changes frequently, and randomly, and everybody is fine with it... <wink> #ownthesystem
76
55
351
@dotMudge
Mudge
1 year
Thanks everyone! I'm excited to be reporting to the CEO at Rapid7 as an Executive in Residence! For clarification this is not full time and it is not exclusive. This does not change existing relations I have with other orgs.
0
4
348
@dotMudge
Mudge
6 years
Remember: compilers may think differently than developers. Source code is the intent, the binary is the truth. Awesome example :)
9
120
344
@dotMudge
Mudge
5 years
I went *into* the government, and military, for the same reason. It’s a complex world. Have a strong moral compass, and follow it. I understand what @IanColdwater is saying here, and I support it.
@IanColdwater
Ian Coldwater 📦💥
5 years
Hey, because this comes up every once in a while: I am never ever EVER gonna work for the government or military to use my skills to help do evil at scale. Absolutely never. I literally do not care how much you offer to pay me Thanks, but no thanks. Have a great day!
35
39
570
19
28
343
@dotMudge
Mudge
6 years
The cryptanalysis paper I wrote with @schneierblog and submitted to ACM was: Accepted based on content Rejected when I refused to provide my actual name (Ultimately was accepted thanks to Bruce fighting for my privacy) That paper re-org’d MSFT ;) #shareyourrejections
Tweet media one
5
62
340
@dotMudge
Mudge
6 years
End of Line /HT MCP
16
17
326
@dotMudge
Mudge
4 years
5 words? Well, since you asked: A) Security vendors selling insecure products B) security solutions not solving problems Choose one 😉
Tweet media one
24
68
333
@dotMudge
Mudge
4 years
Yup. I’m encouraging you all to install software recommended by a person who was the manager of (one of) NSA's offensive teams... and who is still at the Agency. Much better purpose than mining for crypto-currencies. ❤️
@RGB_Lights
Rob Joyce
4 years
For my tech friends, consider using your GPUs to help analyze Coronavirus. The Folding at Home effort (remember SETI @Home ?) is working on COVID-19 research. Install the software and donate cycles to the cause. Use the link at the top "start folding."
41
699
996
7
99
332
@dotMudge
Mudge
5 years
Better yet write it up and send the acknowledgement and gratitude to the employee’s manager and CC the employee. These things stand out during performance reviews and are easy to do with disproportionate impact. Not only is it easy to do, it’s the right thing :)
@SwiftOnSecurity
SwiftOnSecurity
5 years
Remember to acknowledge your coworkers when they do something impressive or forward-thinking. Especially in front of their manager.
13
166
993
8
55
328
@dotMudge
Mudge
3 years
This is a fascinating and challenging time. I was here throughout this. I can attest to the fact that what @jack shares is truthful and honest. I joined, recently, because I believe I can positively impact Twitter’s ability to serve the public conversation. (Not overnight)
@jack
jack
3 years
I do not celebrate or feel pride in our having to ban @realDonaldTrump from Twitter, or how we got here. After a clear warning we’d take this action, we made a decision with the best information we had based on threats to physical safety both on and off Twitter. Was this correct?
41K
14K
97K
14
23
328
@dotMudge
Mudge
7 years
Apparently *this* is how to secure all the cybers! I'm... uh... I'm going to go walk over there now... (?!?)
15
133
315
@dotMudge
Mudge
7 years
During early L0pht days I was a Unix admin for ~50 DoD/USG systems. The government would not let me make needed changes to secure them (1/N)
6
209
320
@dotMudge
Mudge
5 years
The types of bugs we continue to see from Palo Alto Networks in their products are disconcerting. They are basic. They are identifiable through static analysis (format strings?!). And some products are built on risky foundations (Linux on MIPS lacks basic safety features). ??
12
106
319
@dotMudge
Mudge
7 years
Stripe has hired renowned security researcher Peiter ‘Mudge’ Zatko - Recode
30
78
316
@dotMudge
Mudge
5 years
What’s the best security advice you’ve heard (or given) to a startup or small business? Especially that helps the company accelerate their mission at that stage and later... G-suite Isolate functions/systems Minimalism (Chromebook/container OSes) Inventory and mapping Docs ???
102
69
313
@dotMudge
Mudge
4 years
Now the press had two copies of the attendance list. One with my real name and a second one with my cover name where my real name had been before. That was the only change. So not only did the WH leak my real name, they essentially highlighted it in neon lights. 🤷‍♂️ 16/16
5
10
307
@dotMudge
Mudge
5 years
The full testimony recorded from CSPAN has been up on YouTube for a while. It’s worth a watch. When you’re done, come on back here and I’ll finish the anniversary date storytime and picture show (spoiler alert: White House shenanigans...)
12
39
307
@dotMudge
Mudge
5 years
Someone tweeted asking for weird technical items stuck in your head yet now largely useless. Some of mine DOS: debug.exe - wcs: 100 2 1 100 (Blow away the C: drive’s MBR/FAT) Apple ][: call -151 (enter machine monitor) c600g (reboot) 3d0g (execute BASIC CLI) What are yours?
168
59
306
@dotMudge
Mudge
5 years
When data contradicts security: @NielsProvos and I challenge security field common beliefs: *SMS Challenge works *Password complexity doesn’t work *Security products can make it worse *You can measure security *”Always update”, needs updating @stripe
5
101
309
@dotMudge
Mudge
5 years
Anthony Bourdain was someone whom I respected and looked up to tremendously. My friend, author and bjj training partner, @combatcodes just wrote a great article about Anthony’s anonymous BJJ postings to Reddit. Enjoy:
4
78
301
@dotMudge
Mudge
6 years
I would have to describe the mood and feeling in Philadelphia tonight as: Blade Runner.
Tweet media one
18
20
299
@dotMudge
Mudge
2 years
I’m going to say a few things to the Internet about Alan Sonnenberg. Why am I telling you and not him? I waited too long.. Thread…
11
49
303
@dotMudge
Mudge
3 years
Grateful for those who put the well-being of others first; who take a shot at helping, who fail, learn, reinvent, take another shot, and another, and another... As Teddy Roosevelt said: “No one cares how much you know, until they know how much you care.” #Grateful #OneTeam
5
38
297
@dotMudge
Mudge
6 years
The people who asked for my counsel fought basic hygiene, which made the subsequent compromises easier/possible. The new administration considered me an enemy because I tried to educate the opposition party (even though I was willing to educate anyone). and then..
2
45
278
@dotMudge
Mudge
9 years
It may be a year before people realize what we managed to release today. Video: Verilog: http://t.co/JxvL3bgoFa
42
252
298
@dotMudge
Mudge
8 years
I've gone head to head with Microsoft, the NSA, and the DoD; cancer didn't have a chance. (And It was more fun than watching the debates)
13
39
292
@dotMudge
Mudge
4 years
My heart skipped a beat when I walked into the in-laws garage. I had to do a double take. What I briefly mistook, in my peripheral vision, for a burn bag full of papers... ...turned out to be a Trader Joe’s holiday shopping bag. 😅
Tweet media one
24
19
292
@dotMudge
Mudge
1 year
And the winner for the “Best use of spreadsheet cell border lines” award is… 🏆
@lhf55472946
BD4SUP
1 year
Doing some FPGA work recently and I found Microsoft Excel quite handy for drawing timing diagrams.
Tweet media one
74
256
2K
5
42
296
@dotMudge
Mudge
7 years
Nothing wrong with a music grad as CSO, but: Humbly suggest also have 20+ years track record (Off & Def) cyber at high tech && mgmt levels.
18
77
293
@dotMudge
Mudge
4 years
Regarding F5-Big-IP (CVE-2020-5902) ask the following: Where is the vendor statement describing the change in practices going forward to prevent such trivial exploits in their products? Quick acknowledgement and patch is a bare minimum. Customers deserve more from vendors.
9
79
285
@dotMudge
Mudge
5 years
I dislike flying, so we rented a Dodge Ram 3500 15 passenger van to drive down to the US Senate. As a bonus, we could stop by the NSA Crypto Museum! We met at the L0pht around 4am to load up. Group picture (L to R): Brian Oblivion, Stefan, Weld, Tan, Kingpin, Spacerog, Mudge
Tweet media one
Tweet media two
6
7
287
@dotMudge
Mudge
6 years
On stage today, during the Cyber-ITL talk at ShmooCon, Patrick dropped a little 0day that speculative execution executed data (ignoring non-execute markings). That’s r-x... for those keeping track. (rowhammer for the write anyone?)
13
130
284
@dotMudge
Mudge
7 years
"We have discovered a keylogger in an audio driver package by Hewlett-Packard."
10
315
268
@dotMudge
Mudge
6 years
Only a few days later I start getting interesting iMessage spam (I don’t open it or click on anything). iMessage spam is relatively costly... good job Apple. A few days later white screens of death (common for failed jailbreaks) each time shortly after I power cycle.
Tweet media one
Tweet media two
9
50
266