It was Mudge (pictured on this page with former US President Bill Clinton) who in 1998 told the US Senate that hackers could take down the Internet in 30 minutes. Now he’s BBN Technologies’ technical director of national intelligence research and applications. BBN is a government contractor in the US, which provides services for several, unspecified US Government agencies.
He’s a cryptography and hacking expert. Read between the lines.
 |
| Pieter 'Mudge" Zatko |
As one of the members of L0pht Heavy Industries -- a Boston-based hacker collective that later formed the respected @Stake security company — Mudge was behind L0phtCrack, the creme de la creme of password crackers.
'L0phtCrack was a password-cracking tool I wrote for use on and against Microsoft Windows systems,' he told PC Authority. 'It ended up working extremely well, too well for many people's liking.'
At the time, he was responsible for auditing and maintaining several hundred systems. Most of them were Unix based, but increasingly he was being tasked with taking care of Windows boxes. 'There simply weren’t any tools to do the equivalent password cracking and auditing on MS Windows systems as there were for Unix,' he says. 'So I had to write my own ... during that time I started looking into what Hobbit, a legendary Boston area hacker, had been working on... he had pointed out to me that LANMAN, Microsoft’s legacy [password storage mechanism], didn’t look to be too well done. It sure wasn’t.'
What started out as an auditing tool turned into a demonstration that MS systems needed to be segmented on networks and treated as if their passwords were trivial to retrieve, which, thanks to L0phtcrack, they were. The tool completely broke Windows passwords. 'It was not a good tool, as many organisations and people claimed, for ensuring that users were choosing strong passwords based upon the amount of time that the program took to return the unencrypted password,' he says. 'It could, and usually did, return almost all of the passwords (on a targeted machine).'
With that in mind, it was no surprise that Mudge was a tad miffed when L0phtcrack became a successful commercial product. He’d demonstrated just how bad Windows passwords were -- auditing them became moot -- yet the market lapped up the tool as an auditing suite. 'Originally I released L0phtCrack free of charge for most uses under a BSD style licence,' he says.
Commercial users were supposed to pay a $25 fee, but no one was paying, and the tool had been downloaded hundreds of thousands of times from government networks. 'That didn’t bother me as much as the support emails that started showing up, primarily from the US Government,' he says. 'We put a trivial timeout mechanism in to the next release of the software, and when I say trivial we went out of our way to make sure it was easily "crackable".'
 |
| Mudge, (with long hair) at the White House. He is Technical Director, National Intelligence Research and Applications at BBN Technologies. |
The people who were going to crack the software were not people who would have paid for it in the first place, so Mudge let them use it and spread the word about how effective it was. Within a very short period of time, the software was pulling in revenues 'well into the six figure range'.
So what would Mudge say to those who’d charge him with writing a tool that can be used by the bad guys? 'Don’t eat anything but strained food. Outlaw hammers. Arrest anyone who owns or drives a car... these tools [can be] used by bad guys,' he says. 'The tool is not the issue. It’s the person behind the tool that one needs to worry about.'
In other words, password crackers don’t kill people, people kill people.
But it’s not just passwords that he’s known for breaking. Mudge also pioneered the techniques used to discover and exploit buffer overflow vulnerabilities. These are the class of vulnerabilities that lead to all the superworms -- Code Red, Slammer, Blaster and more. 'I’ll probably get a few thousand years tacked on to my Purgatory sentence for my contribution to the field of buffer overflows,' Mudge jokes.
Perhaps due to his relatively diverse expertise, Mudge is happy to weigh in on the Apple versus Windows security debate, a topic many sway away from.
Unfortunately, he says, there’s no clear winner. 'I’m a bit disappointed in Apple as they seem to be handling the security issue in the same marketing and PR fashion that Microsoft initially handled its security PR angle,' he says.
He has nothing against the company, he says, and is a fan of Steve Jobs. Likewise, he’s been impressed by the inroads Microsoft has made in its war on vulnerabilities. 'I’m also very impressed with how Microsoft, a very large organisation, has changed in how it handles security reports and patches in comparison to its initial "that vulnerability is completely theoretical" responses,' he says. '[But] the simple fact is that both OSes have security problems.'
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
