Peiter C. Zatko, aka Mudge, a well-known former member of the L0pht and ex-researcher at DARPA, tells a few stories at Defcon from his past experience.
Just so we’re clear, I’m only speaking as myself today. I am not a representative of the U.S. Government; I am not a representative of my current employer. I’m pretty sure neither one of them would be really with me up here talking. But I feel it’s part of my duty as part of this community to kind of give you some stories that are personal stories from this community as what I took into the Government, what I learned while I was in the Government, what I saw that was a little bizarre while I was in the Government, and what I’m taking back out of it.
There are four stories I’m going to tell you that all have some kind of unexpected outcomes and unexpected twists. You’ve probably heard about some of these stories in the media, but these are kind of different back origins to them that you haven’t heard before. I’ll do my best to be as accurate as possible, but I’m going from memory from some of these, and some of these go back several years. Memory isn’t perfect, so I apologize in advance.
I’m not trying to piss off or be pro or con any particular community, but I want understanding, which is why I’m trying to tell these kind of nonobvious stories. Somebody had tweeted me something encouraging me to do this talk, saying anything we can do to help people understand each other is good, because of course prejudice is bred from ignorance and exclusion. So you can kind of consider this my transparency/trip report from three years inside the DoD.
Not long after I started working at DARPA, I got funding approval for the first of one of many programs that I would actually run. I know most folks are only familiar with a few of them. The first program was something called CINDER, and it was focused on super evolved advanced persistent threat. The program had nothing to do with whistleblowers; it had nothing to do with humans. It was targeting autonomous software. And there was an author, Forbes Magazine, Andy Greenberg, who found out that Julian Assange and I knew each other and have kind of known each other for, I don’t know, 20 plus years. And he wrote an article that, the way I read the article, attempted to pit me and Julian against each other, claiming that CINDER was a response to WikiLeaks. You know, a sexy story of hacker friends who find themselves at odds, one trying to spill the Government secrets, one trying to protect the Government secrets. Yeah, it’s a sexy story, the problem is it’s entirely untrue because CINDER had nothing to do with that.
There was this talk that I wanted to see at the Congress. And I watched it. It was great. There was a gap between the next talk that I wanted to see, and the whole decision was: “Do I go back to the hotel and go out in the frigid Berlin winter, or do I find something else to kind of pass the time?” It’s CCC; it’s easy to find things to pass the time there. And there was a talk that was going on about WikiLeaks. Remember, 2009. No State Department cables, no nothing like that at this point. WikiLeaks had been around, but it wasn’t really in the popular vernacular, it wasn’t a household name.
So I look and I go: “Oh, what it’s taking to run WikiLeaks, how do we do it behind-the-scenes operationally?” And I’m, like: “That’s cool!” And it talks in English and it’s inside. So yay! And I’m looking at it, and I’m like: Julian Assange, Julian Assange… The name was ringing a bell but it didn’t mean anything again, because of course, you know, hadn’t hit it. Now I saw him up on stage, and, you know, he’s a kind of physical – the kind of shocking blonde white hair, sharply dressed, and I’m recognizing the voice. And it took almost the entire talk before it dawned on me that I knew him by a different name. I knew him as Prof. Some of you remember Prof, some of you remember Strobe that he wrote ages ago. You know, he was over at suburbia.net, I think, or profitsuburbia.net.
I was like: “Holy crap!” This is the same guy who I’ve known for years. I hadn’t seen him in, like, a decade or I hadn’t interacted with him online. At one point I think he was even managing Sun’s security updates and patches for all of the distributions for SunOS at sunsite.unc.edu. So we should have nominated that for possible or potential epic ownage. That’s kind of cool if you think about that. After the talk I was all excited. I went up to him, waited till the crowds kind of died. He was outside having a cigarette. I thought this was going to be fun because I had cut my hair, I didn’t have the… if you’ve seen the shirts, most people remember me looking slightly different. And I’m like – oh, I’m going to play with this a little bit.
So I walk up to him. I know he doesn’t know my voice, and of course he’s not going to physically recognize me. So I do that whole hacker jerk sort of, you know, say something like: “What the hell! How did they know that?” Kind of to set up the state of detente. I go: “Hey, when was the last time somebody called you Prof?” He looks at me weird, and I’m like: “Well, if you think that’s weird, did they ever find out why the MD5 checksums on those Solaris update patches didn’t match the actual patches that people installed? It was SunSITE, right?” And he’s just looking at me like “Who the heck is this guy?” Possibly because he hadn’t heard the phrase “Prof” for a while and it could very well be that he had no clue what I was talking about with the latter one.
And I go: “Hey, it’s me, it’s Mudge, Mudge from the L0pht sort of thing,” and he kind of relaxed and we chuckled about it. And I said: “Hey, you know, you were really, really passionate up on stage about WikiLeaks. What was the real impetus? What was the turning point that made you do that? Because the last I had seen you, you were leaving the hack scene, going off to academia to do your advanced degree.” He was working on a cryptographically based file system, a rubber-hose file system for duress-based decrypting.
And I said: “Where did you go? You know, the old gang and everything, I haven’t seen you.” So we chatted and he said: “Let’s go out and have dinner.” We spent the next several hours over food in Berlin. And I wanted to know just how passionate he was and how far he was willing to go on it. So I asked him a hypothetical question, I said: “Let’s suppose back in the day my thing was I collected packet captures of everything. Let’s assume some of those packet captures have you going into other systems, you know, beyond a shadow of a doubt. If I submitted those packet captures, kind of incriminating you to WikiLeaks, would you release them?”
And he looked at me, it only took a couple of seconds, and he said: “Hey, we get some very similar sorts of questions, because people ask us on a parallel: if someone were to send us a list of the contributors to WikiLeaks, would we publish it? And the answer is that we don’t want to know who our contributors are, because we want to keep the protection,” – “we” being WikiLeaks, I’m speaking as him from memory here. He went: “We try to get in touch with the folks that contributed, but we won’t know who they are. So, ultimately, in case that list is real, we would have to publish it.” I was like: “Oh, that’s cool.” And then we moved on to the next topic. Now, if any of you have actually interacted with him or know somebody who has, they’ll tell you that he is a very smart person, and that’s absolutely right. It took me probably an hour to realize that he never answered my question.
But he told me a really interesting story. He told me – and this is what stuck with me in 2009 from that dinner – what the turning point was. Maybe this was a story just for me, maybe it was kind of the appropriate thing. But I took this to be ground truth, and it stuck with me, which is why I’m telling you. And I used to tell people inside the Government the same question when later WikiLeaks kind of popped up. He said: “I had gone off, I was over at university doing my graduate work,” – some essentially fundamental research, which means something to the Government folks. He said it was funded by the U.S. Government, it was a grant from, like, NSA type DARPA sort of funding. I don’t know if those were the actual agencies.
And he said it was during that time period where there was a big pullback from the DoD. And the message that universities received was: “We’re not funding you to do basic research anymore. It’s all classified now.” His work got rolled up in that. Now, whether that was actually why it was being pulled back or if that was just the perceived message, I don’t know. So if you think about it, here’s a non-U.S. citizen who’s made a life decision to go to graduate work, kind of leave the community that we knew him in. And all of a sudden his funding gets pulled and he’s told that he’s not allowed to know what it was that he was doing, not allowed to know what it was that he discovered and know the actual reason as to why the funding ceased. That’s kind of what it’s like when you’re a graduate student and somebody pulls your funding sort of thing.
This just really, really rubbed the wrong way. He said this is the wrong reason for classification, if that’s why he lost his funding. This was designed to keep people ignorant and withhold information to keep folks disadvantaged. He said it was at that point that he decided that he was going to devote his life to exposing people who try to keep secrets. And hence WikiLeaks was born.
So, when folks in the DoD would ask me: “Hey, do you know this WikiLeaks thing and what are your thoughts on how we could address it?” – they were a little surprised with my answer going: “Well, by some accounts, the Government actually created it in the first place.” It was at that point during the night in the restaurant, Julian says: “Well, that’s what I’ve been doing for the past ten years. What are you up to?” And I said: “Oh, I’m about to go work at DARPA…” So, that’s my first story.