clock menu more-arrow no yes mobile

Famed Security Researcher Mudge Leaves Google

The legendary hacker says his incipient agency takes inspiration from the 111-year-old Underwriters Laboratories.

Peiter Zatko, a respected computer security researcher better known by the nickname Mudge, says he’s leaving his job at Google to explore ways to help U.S. government make software more secure.

Zatko announced the move on Twitter.

https://twitter.com/dotMudge/status/615506197479882752

The first tweet was greeted with a mix of enthusiasm and confusion as it implied that Zatko might be involved with setting up a new government body. He later clarified his statement — a little — in another Tweet.

https://twitter.com/dotMudge/status/615654277953007619

Zatko didn’t immediately return messages seeking further comment but sources familiar with this plans say he’s looking at setting up an independent non-profit organization devoted to software security that may in time get some government funding. Sources familiar with the matter confirmed that he’s talked to administration officials about the idea, but described those conversations as exploratory in nature.

Still in mentioning a CyberUL, Zatko referred to a body that many security pros have wished existed for nearly two decades, one inspired in by Underwriters Laboratories, the 111-year-old company that tests products of all kinds for safety, but dedicated to cyber security.

An Obama Administration official tells Re/code that recent advances in using automated methods to analyze software code for vulnerabilities have spurred interest in government circles to see if there’s a way to standardize how software is tested for security and safety. “The Administration has had some discussions about the potential pros and cons of such a system and how it might be implemented,” the official said. The administration is interested supporting a feasibility study to determine if such techniques could work, the official said, but stressed that no plans have been finalized.

A former researcher with DARPA, the research arm of the U.S. Department of Defense, he joined Google along with fellow DARPA alum Regina Dugan to work on security research at the search giant’s Advanced Technologies and Projects Group.

The idea for a CyberUL was first proposed in 1999 by L0pht Heavy Industries, a hacker think tank based in Cambridge, Mass., of which Zatko was a member.

When L0pht first proposed the idea, the sudden popularity of the Internet both among consumers and businesses was putting public safety at risk. Security software isn’t always as good as its creators claim. “The lack of standards and meaningful certification has allowed the sale of products that are either intentionally or unintentionally snake-oil,” the group argued at the time.

Underwriters Laboratories is an apt inspiration if you compare the growth of the Internet to that of electricity. When it began operations in 1894, UL’s primary focus was on researching and establishing fire and electrical safety standards. Today, the distinctive circled “UL” mark appears on more than 22 billion individual items; the firm has evaluated more than 97,000 products and operates in 113 countries.

“Just as in the late 1800s, the consumers have little understanding of the inventions they are purchasing,” the L0pht proposal reads. “They are presented with claims by the product’s marketers and have no way of proving those claims to be true or false. Just as it was back then, this has not stopped the large-scale application of these inventions, regardless of public safety.”

Zatko seems to be a logical person to lead such an effort. In the mid-1990s, he published some of the first papers on a type of computer security vulnerability known as a buffer overflow. Later, he was the principal creator of some important security tools, including L0phtcrack, a widely-used password-auditing program. In 1998, he and other members of L0pht testified before the U.S. Senate, famously claiming that the group could, with its combined expertise and capabilities, “bring down the Internet in about 30 minutes.”

The following year, the group went legit and joined up with the Cambridge-based computer security firm @Stake, which in 2004 became part of Symantec. In 2005, Zatko joined BBN Technologies as a research scientist.

In 2010, he joined DARPA as a program manager in its Strategic Technologies Office, where he oversaw research intended to help government agencies fend off cyber attacks. Inside DARPA, an agency known for its secrecy and, occasionally, for the cool things it does, Zatko created a Cyber Fast Track Program, through which hackers and security researchers who work outside government agencies could obtain funding for projects to help improve the security of military systems.

Correction: We initially said that Zatko was slated to up a new government agency focused on software security.

This article originally appeared on Recode.net.