[ISN] Hackers: Under the hood - Peiter Mudge Zatko

InfoSec News isn at c4i.org
Mon Apr 26 02:32:57 EDT 2004


http://www.zdnet.com.au/insight/security/0,39023764,39116620-6,00.htm

Name: Peiter Mudge Zatko
Handle(s): Mudge, PeiterZ
Marital status: Single
Current residence: New England, USA
Job: Chief Scientist, Intrusic
First computer: Tektronix 4051
Best known for: Creating L0phtCrack
Area(s) of expertise: "Thinking outside of the box"


It's hard to tell if Peiter Mudge Zatko was born eccentric or whether
he's just a stickler for privacy.

Take the response to ZDNet Australia's request for his age as an
example: "[I'm] not trying to be coy, but my age, race, religion,
etcetera, are always items I try not to divulge. The rationale is
probably quite different than what most people infer. It is as
follows: without irrelevant information such as skin colour and the
aforementioned items, people are stripped of data that normally would
encourage functional fixation."

It seems Zatko's brain has been over-clocking from a very young age.
 
"When I was growing up, around the age of five or so, I couldn't wrap
my head around 'life'.

"The notion of death being an accepted unknown without any further
details drove me bonkers," he told ZDNet Australia.

Some may argue that existentialist dilemmas such as these belong to
adults, or at the very least in the adolescent domain. But Zatko was
introduced to a myriad of advanced concepts at an extremely tender
age.

"In my crib, as an infant, my father sanded down the edges of early
60s-type computer components ... like the face plates of systems with
glowing [amber] numeric 'vacuum tube style' readouts," he recalled.

The way Zatko speaks of him suggests that his father was his mentor in
life.

"I asked my father what he believed in -- what his religious beliefs
were. He refused to tell me. Instead, he started taking me to churches
of different denominations each Sunday and would ask me what my
interpretations were.

"Several years later I came up with my own 'codified' religious
beliefs," Zatko said.

And he's fanatical about getting the job done. "Anything that I do, I
must engross myself in totally," he said.

To Zatko, there's no distinction between work and personal life, and
readily admits that his life knows no balance. "There's also no
difference between business and personal relationships. When I decided
to get into Golden Gloves Boxing and Muay Thai [boxing] it was to
master them. When I deal with computers it is to entirely comprehend
the socio-psychological interactions and weaknesses they introduce,"  
he revealed.

His parents, while educated, came from fairly blue-collar backgrounds.  
He said his mother "experienced the depression" while his father grew
up working on a farm. As a child, Zatko was given musical training,
and was taught science and mathematics while maintaining a "respect
for manual labour and living off the land".

He still holds dear to his heart the values his parents instilled in
him while growing up. "I was intentionally given freedom and a feeling
of independence at a young age. In looking back the rationale was
obvious: learn decision making and life choices while you are still
able to be protected paternally," he explained. "I watched people self
destruct at the tail-end of high school and in college -- where it was
obvious that that was their first taste of freedom."

In 2000, Zatko was invited to participate in a security summit chaired
by former US President Bill Clinton. "I was afforded the rare
opportunity to hang out with him afterwards and engage in some private
conversations," he said. "I have tons of stories but they're too
long."

As one of the founding members of grey hat outfit L0pht Heavy
Industries -- which later became the foundation for security firm
@Stake -- he was responsible for the creation of L0phtCrack, a product
still sold by @Stake.

L0pht Crack is a simple product and a remarkably affective password
cracker for Windows-based systems. Zatko insists he wrote it to prove
a point and not for commercial reasons.

"When I first created and wrote it, one of the goals was to show that
the Microsoft systems being deployed could not embody 'secure'
encrypted passwords ... not that there were some passwords that were
stronger than others.

"This didn't mean that people should not use Microsoft technology but
rather they should understand where their security perimeters needed
to be in order to take advantage of the [Microsoft] platform without
exposing undue risk to infrastructures," he said.

"Is something like L0phtCrack still useful? Yes. Is this an example of
people misinterpreting what a tool is showing them and potentially
having a false sense of security because of it? Unfortunately, the
answer is again yes," he added.

Zatko believes that example -- the misuse of a tool like L0phtCrack --
applies to many security products. He has some advice to help improve
the situation, though: "Share, be open, communicate, ask questions to
all, share the answers that help you with [everyone], do not think in
black and white, do not hurt others or yourself. Improve the world,
not your own self image -- the former is possible, and the latter is
not accomplished without being a part of the former." -- Patrick Gray





More information about the ISN mailing list