Peiter “Mudge” Zatko
Occupation: Program manager at the Defense Advanced Research Projects Agency (DARPA)
College: The Berklee College of Music
Recent accomplishments: Founding member of hacker think-tank, L0pht, pioneer of buffer overflow vulnerability research, leader in the “full disclosure” movement, author of numerous security tools, developor of DARPA's Cyber Fast Track program, referenced in the board game Trivial Pursuit.
Ask Peiter “Mudge” Zatko when he first realized that he wanted to turn hacking into a career and he'll tell you he didn't really have a choice in the matter. His passion for computers and technology was, after all, fostered all the way back to when he was a baby. Back then, he had a mobile hanging over his crib, not made of stars or animals, but constructed by his father out of circuit boards.
“He wanted me not to be afraid of technology,” Zatko says.
And afraid he was not. As a young child, tinkering with computers and helping his father write operating systems became a game. In fact, he first started hacking at the ripe old age of 5.
He's quick to point out, though, that when he uses the word hacking he's referring to the act of getting a system or device to do something it wasn't intended to do. Using an Apple II computer, which first appeared in 1977, Zatko and his father would reverse-engineer floppy disks to understand the copy protection schemes used to prevent software from being pirated.
Years later, during his time at Berklee College of Music, Zatko turned to his father for advice because, like many young adults, he didn't know what he wanted to do with his life.
“He said, ‘Don't worry, the field you're going to go into just doesn't exist yet.'” He was right, Zatko remembers.
Now, at 40 years old, Zatko can truly say he had a hand in helping to create the now-thriving IT security field.
Around 1992, he came together with a group of like-minded individuals, who were “curious and enthralled with the notion of security,” to form the hacker think-tank L0pht (pronounced loft). At the time, there were very few resources available to those wanting to learn about the burgeoning field, he says.
L0pht members set out with the goal to document their research and build up a body of knowledge about the subject so that others wouldn't have to replicate their work. Doing so was controversial, however, since their research often exposed flaws in products and systems.
But it was also extremely important. During his time at L0pht, Zatko conducted and documented early research about buffer overflows, a now well-known coding vulnerability that is still prevalent.
“It's been rewarding for me to see, in graduate classes, ideas I pioneered are part of the curriculum now,” he says.
Looking back at his career so far, Zatko says he's often had to dispel the belief that products are secure just because a company's marketing department says so.
“He's a bit of a contrarian, he doesn't accept conventional wisdom,” says Richard Clarke, former cybersecurity czar for President George W. Bush. “You're almost guaranteed to get a different perspective [from Zatko] than you would from anyone else.”
Since he was in his early 20s, Zatko has been Clarke's unofficial adviser on cybersecurity issues.
“When I was at the White House, every time there was a major cybersecurity incident, I would call him,” Clarke says of Zatko. “I always learned more from him than I did from anyone else.”
After being asked several times over the past few years, and turning down the offer every time, Zatko last February accepted the role of program manager at the Defense Advanced Research Projects Agency (DARPA), the U.S. Defense Department's central research and development (R&D) organization.
In this post, Zatko has led the development of Cyber Fast Track, a new initiative to fund small hacker groups and independent researchers in the development of cutting-edge solutions that can be created in short intervals for a low cost. Historically, federal security funding has been awarded to large contractors that often have whole teams dedicated to crafting proposals. In the past, it was next to impossible for a small group of researchers to receive such funding due to the time and cost of the application process alone.
Cyber Fast Track will allow talented researchers to compete for government funding and bring DARPA's cybersecurity R&D efforts up to speed with the rapidly evolving cyber landscape, he says. The goal of the undertaking is to fund between 20 to 100 cyber R&D programs each year, or the same amount of time it would normally take to run just one.
“All too often in the past, by the time the project was finished nobody cared about it anymore because the technology had moved on,” Clarke says.
Launched in August, the initiative has already garnered interest outside of DARPA, Zatko says. The U.S. military is considering adopting such an approach for its own R&D contracting processes.
Looking into the future, Zatko says he'll continue working for as long as necessary to educate people about computer security.
“Security is about trying to solve and fix problems,” he says. “The definition of success is to put myself out of a job, which is what I've always said and always have been striving to do.” – Angela Moscaritolo
Top 5 influential IT security thinkers
Peiter “Mudge” Zatko
From the - December 2011 Issue of SCMagazine »