Show 115: Peiter “mudge” Zatko Discusses the L0pht and Government Influence

October 28, 2015

Gary talks to Peiter Zatko, better known as “mudge” in hacker and security circles, about the evolution of the L0pht hacker collective and how his work in security influenced key agencies within the U.S. government to ramp up their cybersecurity efforts. During his time as a Program Manager with DARPA, mudge worked to fund much needed research for the speedy development of technology that would allow the government to protect against cyberattacks. From his experience with the L0pht and the Cult of the Dead Cow, to federal and commercial tech-industry giants including Google, mudge shares his experience and lessons learned along the way.

Transcript

Gary McGraw: This is a Silver Bullet Security podcast with Gary McGraw. I’m your host, Gary McGraw, CTO of Cigital and author of Software Security. This podcast series is co-sponsored by Cigital and IEEE Security and Privacy Magazine where a portion of this interview will appear in print. This is the 115th in a series of interviews with security gurus, and I’m super pleased to have with me today mudge. Hi mudge.

Peiter “mudge” Zatko: Hi Gary. How’re you doing?

McGraw: mudge, who is really Peiter Zatko but is best known to me and everyone else as ‘mudge’, is currently working on what he calls the Cyber UL project. mudge has worked at Google as a researcher, at DARPA as Program Manager, at the start-up @stake and at BBN Technologies. But just as important as all that, mudge was one of the leaders of the L0pht hacker collective at Cambridge. mudge received the Office of the Secretary of Defense Exceptional Public Service Award in 2013. He is also guitar adept and a recovering kabuki violin player [both laugh] who has a degree from the prestigious Berklee School of Music. mudge lives in Boston with his wife Sarah. Thanks for joining us today.

mudge: My pleasure.

McGraw: I thought we would do this chronologically, just because. I think I first crossed paths with you in Ithaca, New York at Suzuki summer camp. I don’t even know how old we were at the time.

mudge: Yeah. We must have been wee toddlers. What was it called? Something like the ‘Young Prodigies’? Dr. Suzuki would go around touring and then all of the parents would drag their 3, 4, 5, 6, 7, 8-year-olds. I think you had me by only a couple of years—that was a long time ago. Was that the 70s?

McGraw: 1976.

mudge: Wow.

McGraw: So, some years after that, I came up to visit.

mudge: We were like ‘you want to become great hackers? Yeah. Cool. See you in 20 years’.

McGraw: That was more like 1996 that I came up there. So, tell us about the legendary L0pht. Who was it? What was it? Where did it come from? And so on.

mudge: So the L0pht started out as essentially a place just to store equipment. I think it started out primarily with Brian Oblivion and Count Zero and their significant others telling them to get their broken computers out of the hallways and out of the kitchen sinks, etc. So they rented a place with some other friends and their wives. It was really just a little hangout, and more than anything, just a dumping ground for tech stuff. The wives and significant others were doing this almost Etsy-ish sort of craft thing. After a while, some of the folks there knew me, I think it was White Knight and some of the other guys invited me in. So, I chipped in and paid a little bit for the rent so I had a little spot to unload some of my dumpster stuff as well. It didn’t take too long before—it was great to hang out and be with everybody, but I just saw too much potential; so, long story short, I was involved in morphing it from some little hangout group to actually having that drive to become some sort of Rachel Carson, pre-crazy Ralph Nader and kind of like consumer reports. Let’s share how things break and the technology. There wasn’t anywhere to go to learn about the strengths and weaknesses in software systems.

McGraw: Yeah. I was breaking Java with Ed Felten at the time. And you guys were really annoying the heck out of Microsoft, I recall. But when I came up there in ’96, there was lots of stuff; there were people working on projects. There were what, seven of you at the time?

mudge: In ’96, that was in the second location. It had been going since ’92 or ’91. The first year or two was more like that club hangout. After I got involved—it wasn’t all me; everyone liked the vision that I had to try and make the place self-sustaining and actually give it a mission. At that point, when you came up, we got to jam around a bit and hang out. We were already on that sort of ‘we’ve got hardware, we’ve got software, we’ve got communication, we’re trying to break everything, we’re trying to publish everything we do’ because we didn’t want other people to have to struggle to learn how things work the way we did. We wanted other people to say ‘here’s what the L0pht guys have published so now I know that as a foundation. How can I take if further’?

McGraw: It was very cool. It was a lot of fun, actually. You guys were having more fun than anything else, from what I recall.

mudge: Well, that’s because you came up and we were just playing music and that was just kind of an off night on a weekend.

McGraw: I don’t know. I didn’t bring my laptop on purpose. [both laugh]

mudge: Less fun to cart the PC-2000 massively processing super computer up the stairs and take apart the VAX-1170 to make all the wall separators. If you’re not having fun, why do it?

McGraw: So you are also active in this thing called the Cult of the Dead Cow. What was the relationship between the Cult of the Dead Cow and the L0pht?

mudge: The Cult of the Dead Cow is this—and I use the word lovingly—ancient hacker group that I remember reading some of their posting, some of them very humorous, some of them with some technical detail. Some of those folks were in the Boston/Cambridge area as well. We knew each other from the summer conferences. The older conferences. The ones that pre-date DEFCON. At one point, we were all hanging out and they said ‘hey, would you mind donating a technical paper to us to publish because we’ve been doing more media hacking and exploration. Seeing how that world works, we haven’t done anything on the technical side’. So, I said ‘sure’. I threw them a paper I had done on attacking Bellcore’s S/Key implementation. The tool I wrote was called Monkey: Monitoring all the Keys. From that point on, it’s pretty much just been a name. But there was an interesting crossover. Back Orifice. And Back Orifice was a remote administration tool. It was originally done by Sir Dystic out of The Cult of the Dead Cow (CDC) and then Dildog at the L0pht, a colleague of ours. He did BO2K, the next version, and really kind of souped it up. And I stopped and I looked into that and I said, ‘this is ridiculous’. It’s the exact same—it’s actually more capable than PC Anywhere and other commercial remote desktops. I said, ‘let’s put a professional service pack for file manipulation’—all the stuff that you’d want in a business organization and release it and see how the media handles it. We’ll do it through the CDC because it’s got this spin of evil on it. But in actuality, it was the exact same software as these commercial ones. It was just amazing to watch the media and the corporate and commercial world assume that the commercial software was actually much more vulnerable and had much fewer security controls in it. Those were fine, but this other thing which was not. That was the dance between the CDC and the L0pht. I used the two to figure out how people would interpret things. How final is the initial spin you put on something that you release? What’s the functional fixation—using another term from psychology—on something being presented as to its particular uses? I did that through the CDC and I’d go back over to the L0pht and use that as a learning for how we wanted to position the technical papers and the work we were publishing so that it would be as easily consumed without people just discarding it or dismissing it as evil hackers. But, still having a little bit of that fun.

McGraw: So, while you were still at the L0pht, you guys testified before Congress, and I think you guys visited my family at our log cabin too. I don’t know if you were in that crowd or not.

mudge: I was indeed, yep.

McGraw: I thought you were a pillow island, I seem to recall.

mudge: That’s right. A pillow island with your kids.

McGraw: So, do you think the lawmakers you were testifying before got it back then? And, what about now?

mudge: Well, it was an interesting situation because even the other L0pht guys really didn’t know the details as to how that testimony came about. It was through relationships that I was starting to build in the government. I was trying to educate decision makers and law makers. I needed them educated because they were making really bad decisions. The FAA is a classic example. CFAA. ECPA. All those which pre-date this but I was an aficionado of—all the way from their time going into law, pre them being law. So I had access to the White House. I had access to other folks and I would do free teachings or courses to anybody in the government, or any organization, as long as they didn’t pay me other than travel and lodging, and that I didn’t have to talk about anything I didn’t want.

McGraw: I recall flying you down one time and I had to get your real name which you were really playing close to the vest so you could get on the airplane.

mudge: Oh yeah. And that actually worked pretty well. I held that one close to the vest until the White House accidentally leaked it.

McGraw: Great. Well you needed to fly after a while, right?

mudge: Yeah, but I mean [both laugh] we drove a lot. I mean, I had a horrific fear of flying. I’m still not that great with it.

McGraw: I remember that. I remember the story about going to the cryptographic museum(ish) in the van through the wrong entrance. [both laugh]

mudge: Yeah, lots of fun stories. We were essentially doing signals intelligence in this Dodge Ram 3500 green 17 passenger van with black tinted-out windows. Just an antenna farm on the roof. I took them through a wrong turn into the actual NSA parking lot, impeaching the I4 and C4 groups there, which ultimately kind of merged into TAO which now is in the news a bunch. It took a while for the other L0pht guys—how close we got to being in a lot of trouble because the security guard there just waved us through without checking any credentials.

McGraw: Exactly.

mudge: They were like ‘this is great’, and I was like ‘no, turn around. Leave now. Leave now’.

McGraw: So the lawmakers sort of maybe kind of got it back then, but what about now? I mean, you were more deeply involved in the government later. Are we just doomed because those guys don’t even believe in evolution?

mudge: Well, yeah. So, I’ll skip the story about when we went there and who got it and who didn’t. Here’s the big challenge that I see: The U.S. government spends a tremendous amount of money and throws some smart people at the cybersecurity problem. But the smart people that they’re putting at it are not in leadership positions. I’m not saying they’re dumb people, but check this out. You have a cyber czar. I don’t care which one you choose. Present one all the way back to the first one; the first one being Richard Clarke. When he was the national coordinator of counter-terrorism, critical infrastructure. Look at their backgrounds. You say yes or no, that this person should be in charge of policy or the expert in that field. And none of them had histories. None of them had backgrounds. None of them had been in the weeds or had spent their time knowing how this works inside out. I’m not saying that they have to be in the weeds presently.

McGraw: Yeah, but you should have to pay your dues as a technologist I think.

mudge: Well, you need to for a couple of reasons: 1) you need to be able to tell when someone is pulling the wool over your eyes, and since there’s money involved that happens a lot. And 2) you want the person to be able to make informed decisions as to what’s actually practical, and what the level of effort is to pull it out. Compare how they treat let’s say the surgeon general. The surgeon general does not have a passing knowledge of medicine that they learn on the fly in that position. And, I’m not picking on the current cyber czar, in particular. Any of the leaders that they’ve put in place at a high enough level, it’s like, ‘oh, you’ll learn cybersecurity. You don’t really need to do it to do this job, or you don’t really need to understand it. You can’t have a chairperson of the Federal Reserve come in and be like ‘well, I don’t really understand economics, but I’ll figure it out as I go along’. Because they aren’t treating those positions with the same importance and realism that they do the other ones, they’re dismissing it and saying ‘this isn’t a real field and you don’t really need to know what you’re doing there’. And then they wonder why they’re spending billions of dollars and nothing’s panning out.

McGraw: Well, I think that part of it has to do with not just security but any aspect of technology, really. I mean, there are very few real scientists in Congress.

mudge: Yeah. Correct.

McGraw: It’s not a zero number, but it’s a really small number.

mudge: And, in any of the leadership positions. They used to call General Alexander a mathematician in cryptanalysis when he was in the NSA. He wasn’t. Not by the classic sense. The closest I’ve seen is, you know—I was very successful in DARPA, not just on the DARPA projects but the Joint Chiefs and the Pentagon. All sorts of folks would call me in because I didn’t have a horse in the game and I was just happy to explain to them ground truth. If one agency or one service was claiming capability X and the other one is claiming it Y, and it’s largely about a budget sort of thing, I could go in and say ‘well, here’s what they have in X, here’s what’s in Y and here’s what’s aspirational about it; then they can make informed decisions. But other than that it’s all about PowerPoints.

McGraw: The National Academies are supposed to be providing some of that role too—like the National Academy of Science, the National Academy of Engineering. Did you ever cross paths with those guys or were you pretty much relegated to DoD stuff?

mudge: I was primarily over on the DoD side because DARPA is pretty much directly out of DoD. I would brief Ash Carter frequently and all the Joint Chiefs; Cartwright, etc. Definitely some interactions with the Defense Science Board, but often times I see they use those groups as little panels that they’ll convene quarterly to get a report or something. But what they ended up using me for—which I was super privileged and honored to do was—they’d just call up and be like ‘come over and walk me through this because I need to figure out what’s real and what’s BS’. And I’m like, well that’s not a call I’m going to turn down.

McGraw: Of course. Sounds like fun.

mudge: Yeah, and I wouldn’t advertise it because if folks had known that that was going on in the background, at certain levels, the large defense industrial base folks who this was either going to make or break, or cost tens or hundreds of millions of dollars of work for them, would have spent all their time lobbying. But, because they had an expert who was working for the court, essentially, as an expert witness that works for the judge rather than for the plaintiff or the defendant, all I cared about was giving them factual, technical information which they could then use for forming their decisions.

McGraw: So let’s switch gears a little bit. The L0pht core was rolled into @stake along with Ted Julian and Dan Geer in the beginning and it was a classic start-up that was eventually sold to Symantec for a pittance really. What was the biggest lesson you learned personally from your time at @stake?

mudge: Well, I’m not sure I could limit it down to one. I can’t do everything. I nearly cracked trying to because not only was I running the R&D group of L0pht, but then they took IP away from Dan Geer and gave that to me and then I was doing a lot of their sales. Way too many hats. And the other part was that I expected more out of other folks in a way that might not have been realistic. I was comparing them to the level of effort that I was putting in and not saying that other people weren’t trying really hard.

McGraw: It was your passion.

mudge: Exactly. A lot more tactical moves, a lot less strategic moves. Since I was the only person at the table in the room that was fighting for the strategic aspect, I was outgunned and outnumbered.

McGraw: Right. So, some tough lessons really.

mudge: Of course.

McGraw: So let’s shift. The next big shift was DARPA which you’ve been talking about a little bit. You seemed to really have shaken things up a bit. What was your work at DARPA like other than the expert witness-y type stuff? As a Program Manager, what did you do?

mudge: The expert witness-y thing was just this nice little perk once folks met me and other agencies made use of. It’s strange how I went into DARPA because I felt that DARPA had lost its way. The Director prior to Regina Dugan, Tony Tether, had been there for an unprecedented amount of time. I actually think that doesn’t work well for agencies. Tether was there during the entire Bush administration. He was there 8 years. The average tenure there for a director is about 2. Same thing happened with Alexander over at NSA. While they have done great things, I think that cycling the leadership and not letting one outlier be there so long is very important. So, Regina Dugan came in as the Director and I went in and I said ‘alright, I think you’ve lost your way, but I’m willing to work to the bone to figure out if we can salvage it. What are your thoughts on that’? She was like ‘here, I’ll give you enough rope to hang yourself’. And that’s what I wanted. She’s a really impressive woman. So I was interviewing with her and the Deputy Director, Ken Gabriel, who is now the CEO and President of Draper Labs. And, at the end of the interview, they were like ‘what can we do to convince you to come here’? I was like ‘an offer letter would probably be a good first step’. It’s like I set them up and they just slid it right across the table.

McGraw: What project that you were associated with while you were there are you the most proud of?

mudge: For the project, it’s two. A lot of people would immediately say Cyber Fast Track because it shook them up so much. But the other one that I’m super proud of, and people get to see a little bit of because I was allowed to present it at conferences, was the Cyber Analytic Framework that I created for the agency. And the result of that was, I went up to the Director’s office and said ‘hey, I’ve got bad news for you. There’s nothing in the pipeline’. Everyone spun tactical during the previous director and you don’t really have a lot of program managers that understand cyber. Same problem as many other areas in the DoD. So, your baby’s ugly. I’ll work it really hard or you can just let me go if you’re not willing to give me the gas and the juice to do it and we’ll separate on good terms. I didn’t realize that Regina was about to double down on the budget for cyber and this was a real surprise for her to hear. So she said, ‘you have 4 weeks to put together the new way for the agency and you’re briefing the Deputy Secretary of Defense, so it better be good. The sub-text of that is ‘I will fire you after that if it’s not’.

McGraw: Or kind of like this ‘I gave you some rope before but here’s even more’.

mudge: And here’s a really heavy weight to carry with you as you put the rope around you and keep walking around in that water as it gets deeper and deeper.

McGraw: Let me ask you a bit of a far off question. There’s this thing called the Valley of Death which happens when technology gets invented scientifically and then it just doesn’t make it all the way to the stage where it’s ready for say an early stage start-up even. Did you experience that Valley of Death in your own tech/dev. work among the projects you were funding? I remember when we did code review for security, that was a DARPA project, and then we used ATP funding to get it across the Valley of Death to Kleiner Perkins. But we needed that ATP funding. It was like 2 more years of development to turn the science stuff into prototype stuff.

mudge: Yeah. It’s an interesting situation that DARPA is in. I’ve read more proposals than I think any other program manager has there, but that’s also because Cyber Fast Track pulled in almost 600 of them alone. I’ve read 50 or 100 of them from my other programs as well. They’re only allowed to fund things that are innovative. You can’t do like an incremental improvement. I’d get a lot of proposals that would say things like ‘hey we’ve got this. We’ve already done it. We think we need to tweak it a little bit to make it really useful’. That’s out of bounds. I can’t fund that.

McGraw: Yeah. So there is a Valley of Death. Where do you go in the government now to get over the Valley of Death?

mudge: The nice thing about the government, and what I tried to do with Cyber Fast Track, was to give people the initial funding to get a prototype so that they controlled their own destiny. Maybe it was 150K. Maybe it was 200K. Just to prove it out that it wasn’t just a wacky idea. Here’s existing proof, because then the venture capital world or the commercial world or anybody else—they want to know if it is technical risk or is it turn the crank product typing risk? The latter they can accept and evaluate, but the former they all stay away from. Kleiner Perkins wouldn’t have touched it.

McGraw: Even at a basic prototype, it’s too early for most VCs.

mudge: Some of that panned out in CFT. The Small Business Innovation Research grants, which Arbor Networks I believe came out of, are designed to try and create new defense industrial-based contractors. There are three stages to SBIR. The first stage: here’s the money. Start getting used to our processes and procedures. How to do the billing and stuff with the government. The second stage, if you want that follow-on money, you’re going to have to have government controlled accounting systems in place. The third stage is now you’re acting as a traditional government contractor. And it’s very important for the DoD to build up new lines of government contractors. But a lot of universities or small businesses, yours included, probably went to that going, ‘this is a great way to kick start a small business and turn it into an external business’ without realizing the cross incentive structure. There’s a little bit of a perverse incentive structure there where Party A wants one thing and Party B wants the other.

McGraw: Ours is through the National Science Foundation. And what happens at the NSF is that the panels would switch out and you wouldn’t cite somebody’s favorite paper so all the stuff you wanted to do—they would still not give you phase 2 or phase 3 or whatever. So we found out that funding from DARPA and the ATP in much bigger chunks like the 5 million to 7 million dollar range was what we were looking at, not SBIRs.

mudge: Yeah. And I preferred to play in the 6-2, 6-3 funding rounds primarily. For those folks who aren’t familiar, it’s the color of the money. 6-1 is fundamental research; it’s a grant that largely goes to universities. 6-2 is applied and then 6-3 is normally not palatable for public consumption.

McGraw: Yeah, we would call it red, blue and purple money. [both laugh] So let’s switch gears again. What was it like to go to Google from the government?

mudge: Well let’s see. It was easier for me to get approval from the DoD to talk publicly at events than it was at Google.

McGraw: Wow!

mudge: I know. That sounds more sensationalistic than it actually is. They’re just a huge organization. They don’t want everyone running around, especially the group that I became Deputy Director of which was ATAP (Advanced Technology and Projects Group).

McGraw: ATAP was based in Motorola, was that right?

mudge: Yeah. So initially, what happened is I called up folks and I said, ‘I’m interested’. They said, ‘yep. Great. There’s this new thing starting up in Google. Come on out.’ And then I get the offer and it’s like Motorola?! They had just acquired Motorola so I went over as a Corporate Vice President of Engineering at Motorola.

McGraw: Did you have to live in Chicago?

mudge: Oh, no. no. I was out in Sunnyvale, California. Right next to Google. And then when Google sold Motorola, my group wasn’t on the table. Google was unwilling to part with that group and folded it back into Google.

McGraw: That was a pretty short stint, right? Like a year and a half or something like that?

mudge: It was 2 years, and by design. So, I’m not running ATAP. It wasn’t my baby to create. So Google has the ultimate say on this, but for all intents and purposes, what I liked about it is that it was very much modeled after DARPA. Whereas DARPA is designed to create new tech that’s strategic that’s going to feed back into the DoD ecosystem so that people don’t end up painting themselves into corners, I looked at ATAP as doing the same thing to feed back into the Google ecosystem. Whereas, Google X I equated more with NSF or some other ones which was interesting research. No real timeline and good things will come of it but we don’t really know what. Versus ATAP’s DARPA approach of ‘we need this’. This is a great thing and here’s how it might fit into the Google ecosystem and it’s on a 2-year timeframe. A lot of people don’t realize that DARPA program managers are only there for a maximum of 4 years.

McGraw: Yeah. And that got screwed up during the Tether time too.

mudge: Well, there were a lot of tricks that were being played. People would leave for a ‘cleansing period’ of a few months and then just come back in.

McGraw: Anup did that I think.

mudge: I like Anup, I’m not going to—

McGraw: I don’t want to be like these guys.

mudge: [laughs] Oh those horrible people (*sarcastically*).

McGraw: He was one of those guys who spent a long time at DARPA.

mudge: And those things are normally in place for a good reason. The same reason that you like to have some of the directors cycle over more frequently. You have such control over discretionary taxpayer money in those positions. You don’t want one person chasing a pet project that should have been put down years and years and years and millions upon millions of dollars later. And you don’t want people funding their buddies just because it’s their buddies. At the same time, you get somebody really good like Anup and you’re like ‘geez, I wish he could stay. You’re actually making a difference’.

McGraw: Exactly. There’s a real scientist here. Oh my. Last topic. You’re working on this project that’s inspired by Underwriters’ Lab that you’re calling the Cyber UL. What’s the vision for that? And is there a connection with actual UL? What kind of progress have you made?

mudge: So the correction is that it’s inspired by Consumers Union and it’s inspired by Consumer Reports. The scientific and the quantifiable and the comparative evaluation of products to give consumers information and capability and tools. A tool to be able to make informed decisions.

McGraw: Yeah, because security is too invisible—to somehow make it more visible.

mudge: Absolutely. And there are numerous straightforward ways of doing it. There’s measures of complexity. There’s well known horrible functions. There are compiler flags that you better be using for the past decade that Microsoft had in the Flash VS and we saw some of the most popular antivirus software disabled those because it was just easier to debug on their side. But ultimately that puts the consumer at risk. Think about what a consumer union does for their car reviews and then put that over in software. The Underwriters’ Laboratory aspect was something that, way back at the L0pht, John Tan, who was one of the guys at the L0pht, he got inspired because I kept using the example of Consumer Reports. I said ‘I really wish I knew how Consumer Reports got started because they were so independent. No ads. No anything else’. I actually brought a lot of that into @stake. @stake wouldn’t do partnerships, we wouldn’t accept freebies, we wouldn’t accept kickbacks for recommending somebody’s product which was entirely the norm for every other consultancy.

McGraw: I remember ICSA and NCSA which were completely pay for a good review.

mudge: Yeah, or Cisco Security Consulting Group which very well might have had great people on it but how much do you want to bet that the recommendation is going to be a bunch of Cisco products. And you want that unbiased aspect to it. So I asked Tan, ‘see what you can find out about Consumer Reports’. You know, there wasn’t a Wikipedia at the time. You could surf the whole web in a day and a half or two days. We used to do it. I had friends who—I’m not saying whether I did it or not as well but—Google got spammed, it used to crash with just a few packets going after it. Those poor guys in their room.

McGraw: It used to be that AltaVista was the best search engine back in the day. Remember that?

mudge: And then Lycos and all the other ones. But yeah, AltaVista was pretty good. But back to it. Tan came back and said ‘check out Underwriters’ Laboratory’ and this was the paper he wrote in 1998 I believe towards the Cyber UL. It was entirely focused on how the UL focused on locks and safes and vaults. They do it in a very similar way to how Consumer Reports does. And John Tan, which is his handle, a tip of the hat to John Tan safe and vault manufacturing company. No surprise his interest there. That’s where the similarity was. You could have a vault rated TL-15 or TL-30 and it wasn’t a certification. I’m not a big fan of certifications from the get-go, being like ‘I’m going to come up and certify stuff’ willy-nilly. But, I like the idea of comparative ratings—like when they say TL-15, this vault can stand drilling and manipulation for about 15 minutes.

McGraw: The funny thing about cyber is you find a vulnerability or an exploit in a certain amount of time. Why wouldn’t you just fix it?

mudge: So there’s the challenge. Let’s use this as a corollary. A car. You find a car and there’s a recall because the rear passenger seatbelt doesn’t latch correctly. Well that tells you about a specific problem. But the Consumer Report, an evaluation where you see that it’s a whole bunch of pulled rivet joints and that the gaps between it imply a really crude machining on the background. And, that the bumper test—you get an overall rating and just a few fixes of those things aren’t going to move the needle.

McGraw: Got it. That’s what happened to Tesla stock this week I guess. They got consumer reported.

mudge: Actually, I think that has more to do with the fact that they’re not cash flow positive and they’re looking at the energy production facilities to turn cash flow positive in Q4.

McGraw: The press was saying it was all about the Consumer Reports bad review.

mudge: That wouldn’t make sense because it started to turn the other way a little bit before that. Well, maybe there’s leaky press. You see what I’m saying. Microsoft has how many millions of lines of code and if they come out with a patch that touches 20 lines of code and they fix an unbounded string copy, they’ve fixed a particular instance most likely. They didn’t fix the fact that that’s something they do in common coding practices. Now I’m picking on Microsoft—they’ve actually improved a lot. That’s what you want to do. You want that overall rating that’s easy to do, it’s quick to do. You don’t have to prove an individual vulnerability, but you get a level of hygiene and you get that sort of safety feeling.

McGraw: Can you tell us how much progress you’ve made so far?

mudge: Lots but you’ll have to talk to our chief scientist about that.

McGraw: OK. Maybe we’ll set that up. So I think Sarah’s going to be a future victim.

mudge: Sounds good.

McGraw: Cool. Last question which has nothing to do with any of this. If you had to name your favorite piece of music from 2015 what would it be?

mudge: From 2015?

McGraw: Yeah.

mudge: Oh my goodness. Favorite piece of music from 2015.

McGraw: OK. Alright. Skip the year constraints.

mudge: My classics are any of the monster Zappa pieces.

McGraw: Absolutely.

mudge: You can just listen to it so many times and find so many different components in it.

McGraw: Those guys were some amazing players.

mudge: Those are the best players in the world. Actually the drummer I used to play with at Berklee, Joe Travers, was the drummer for Dweezil Zappa and is responsible for Frank Zappa’s music vault.

McGraw: Wow. Very cool. So give me one piece so that we can put a URL to it so people can experience Zappa who haven’t done so before.

mudge: Oh! Inca Roads. Absolutely. Frank Zappa’s Inca Roads.

McGraw: You got it. Well thanks. This has been fun.

mudge: Likewise, take care.

McGraw: This has been a Silver Bullet Security podcast with Gary McGraw. Silver Bullet is co-sponsored by Cigital and IEEE Security and Privacy Magazine and syndicated by SearchSecurity. The September/October 2015 issue of IEEE S&P is devoted to the economics of cybersecurity. The issue features our interview with European cryptographer Bart Preneel.