
'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years


steven36


L0pht luminary Chris Wysopal talks to The Reg

 

https://s7d2.turboimg.net/sp/84935ffa53b5b229bf3adf9f27cd93f4/chris_wysopal.jpg

 

Interview It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht* hacker collective famously testified before the US Senate that the internet was hopelessly insecure.

 


 

Wysopal, now a successful entrepreneur and computer security luminary, recently went back to Capitol Hill, Washington**, with three of his colleagues (Space Rogue, Kingpin and Mudge) to mark the anniversary of the first cybersecurity hearing in Congress.

 

Not much has improved in the two decades since, as we discovered when El Reg caught up with Wysopal, co-founder and CTO of application security firm Veracode, at the recent Infosec conference in London.

John Leyden, for The Register: I'd like to start by asking you how L0pht (the band) got together?

 

Chris Wysopal (AKA Weld Pond): L0pht had just started when I joined. It had only been in existence for less than a year. And I ran into one of the founding members, Brian Oblivion, on a bulletin board system because it's free. This is pre-internet, 1992. If you were on the internet then you've [either] got a corporate or academic connection.

 

I was working at Lotus at the time and I was dabbling with understanding the internet. But there was no way to talk to other people really that I knew of. So I was on the local bulletin board. Some of them were kind of hacker-oriented and I ran into this guy Brian Oblivion. He had some technical files. He was hardware oriented. He was basically taking apart cell phones and looking at the firmware and figuring out how they worked.

 

I didn't know anyone else doing that, so I started an online friendship with him and then we met in person and he got to know me over just a few weeks. He said: "We've got this place in Boston called the loft. Why don't you come by there?"

 

There was a kind of like a vetting process to be like a credible hacker, I guess. I got invited over there and it was just this really rough space – an old factory on the second floor. There were five other guys there and they had set up desks and they had all this old computer equipment there.

 

When I started to talk to them they said: "We started this place because our wives and girlfriends kicked us out of apartments because we had so much computer equipment."

 

El Reg: And weren't the telephone bills of the time quite high? [This was the era of dial-up internet connections.]

 

Wysopal: Sure, having some shared resources [was important]. Back then it was paper manuals. We actually had binders of manuals. They had a library. The idea was: let's share all of our resources and computers because not everyone can have a Mac and have a VT100 terminal and have a PC.

 

And so I thought the place was really cool and I said: "Can I join with you guys?" I shared a desk with this guy Kingpin. He was the youngest member. I think I was probably like 26, 27 at the time; I was the oldest. Kingpin was the youngest. He was 16.

 

That was the age span. People were in their early 20s.

 

I joined up with them and it was really just a place to just play with the technology and just explore it. And then over time we started to sort of get a little bit more serious about it. We said: "Let's install a network, let's put a Linux gateway in and let's build a website. Let's build a shell machine so we can let other people use our computers. People can log in remotely."

 

It started to go from just a shared space to sort of feeling like an organization, over time. There was never really any hierarchy. We each had our own areas of expertise: some people were hardware guys, some were software guys.

 

I was a Windows programmer. The transition from DOS to Windows was happening at that time, actually Windows NT. That was what I had to offer in programming. I learned Linux from the other guys. So I learned Linux. I actually set up the first gateway and the first web server. I was a system administrator.

 

So that's sort of how we got into this mode of being an organization and organizing different skills. Around '93 we got connected to the internet when the public internet was available. We had a 56K modem and we were on the internet.

 

We had all the bulletin board files that Brian [Oblivion] had on his bulletin board and other things.

 

El Reg: How did you come to be invited to testify before the Senate?

 

Wysopal: So what happened was once we started to get organized we started down this path of doing vulnerability research. We started looking at a lot of Microsoft products because we did see other people analyzing Microsoft. People were looking at Unix and Linux. We started looking at Microsoft and we found vulnerabilities in Windows, and in their Internet Explorer, and we said, well, this is like a consumer operating system. People are using Windows 95. People have no idea that the software they're using has many vulnerabilities. They don't know they need to patch their machine. They don't know anything about this.

 

So we started publicizing this online on our website and at some point reporters started to come to our website and say L0pht is saying Windows isn't secure.

This was new back then. We were one of the first people calling them [Microsoft] out. And so we got some notoriety about hacking Microsoft although we weren't hacking their network – we were hacking their software.

 

El Reg: I started writing about security around that time. L0pht had the slogan of making the theoretical possible.

 

Wysopal: Microsoft were saying "this is a theoretical vulnerability" so what they were saying was you're going to have to write an exploit or we're not going to fix it.

 

So we started to get notoriety for calling out big corporations like Microsoft, IBM [and] Oracle. We got an article written about us in The New York Times Magazine. They came and interviewed us all, [took] pictures and explained what we were. Someone in The Washington Post saw that and then like a month or two later there was an article about us in The Washington Post. And I guess someone on Capitol Hill, they all read The Washington Post, they read it and there was a hearing.

 

It was the very first hearing on government security. It was the committee on governmental affairs. Senator [Fred] Thompson was the majority leader: he is a Republican. His committee directed the Government Auditing Office to audit all the government agencies. This was in 1998: the very first audit of government agencies. Before then they had no idea how insecure they were.

 

So they were going to have the GAO people come and speak to give their findings. They [also] wanted some people that are outside of the government. They invited Dr Peter G Neumann, who worked at SRI and ran this mailing list [called] comp.risks. He was one of the first people to highlight bugs in software. They invited him to come.

 

We don't know exactly how this happened but this is a story that I've heard. We had been meeting with Richard Clarke. Richard Clarke was the cyber-czar for Clinton.

 

We had a couple of meetings where Dick Clarke came up and met with us in Boston. He wanted to learn from us. The way Dick met us was he called the FBI and said: "I know there are some good hackers out there, they're not all criminals, do you know of any good hackers?" And the FBI said: "You've got to go talk to the L0pht guys".

 

El Reg: Had you been speaking to the FBI prior to that, then?

 

Wysopal: Informally. We had some conversations with them. So they knew about us and we were probably on their radar because of course they're investigating computer crime which is being caused by all these vulnerabilities, which we're publicising. We were on their radar.

 

We were vetted as good guys, so Richard Clarke felt comfortable coming from the National Security Council and coming to meet with us. So we knew at least he and the FBI knew about us. And then somehow we got invited to testify. I can only imagine it was a combination of that Washington Post article and some people in the executive branch knowing who we were.

 

So we got an email from a staffer for Senator Thompson saying: "We're putting together a hearing to talk about computer risks to the US government and in general. We think you guys will bring a different viewpoint." So he came to our location up in Boston. We met with him. He explained what he thought it [the hearing] was going to be about. But it's all, you know, a little sketchy when, you know, "I'm from the government and I want to talk with you."

 

So we said: "OK, well, what's the hearing about?" We didn't want to be the bad guys, pilloried up there, as [in] "you guys are the problem". Frankly, why would we want to come and voluntarily do that?

We got the feeling that they really genuinely wanted to hear what we had to say and we were going to be the good guys.

 

So we agreed to come and talk on one condition. Well, first we didn't have a lot of money, so they had to pay our expenses...

 

El Reg: Did you not think to ask your contact at The Washington Post how it might go down?

 

Wysopal: No, we were very naive. Senator Thompson's staffer was the only person we really talked to about it.

 

So they [sent] our expenses down. We didn't have a lot of money, and we wanted to testify under our hacker aliases. We said this is the only reason we'd do it because we have day jobs and a lot of companies don't like what we do. Or it might be companies that our [employers] might be doing business with. Like my company might be doing business with Microsoft and Microsoft might try to get me fired. Or we're not going to do a contract with you because you hired these hackers which we don't like.

 

El Reg: Did your employer know what you were doing on the side?

 

Wysopal: Not until after the testimony. Our thing was we'll testify with our hacker name. It was very naive because there were photographers there.

 

So it made for a great visual because on the table we have all our placards with our hacker names. We didn't look like businessmen.

 

El Reg: What was the main idea you were putting across at the time and what kind of reception did it receive?

 

Wysopal: The main idea was there were two root causes of all these [cybersecurity] problems. One was software isn't secure. The vulnerabilities in software are the root cause of most of the problems.

Vendors have no liability, so they can ship vulnerable software with impunity. There's no reason they can't ship. And they can know about it.

 

They can knowingly ship vulnerabilities. They're like "we didn't have time to fix that" so they can knowingly ship it. They have no liability. A consumer has no way of knowing what vulnerabilities are in their software. They have no way of testing it. There's no independent third-party testing.

 

We brought in an analogy to things like crash-testing for cars. You used to be able to ship an unsafe car but after Ralph Nader in the '60s, his Unsafe At Any Speed book, he raised consumer awareness around how unsafe cars were.

 

The manufacturers were saying "this is all we can do". He was saying "no, that's absolutely not true". You can design a safe car. It's possible. Just because you could look and some cars were safer than other cars.

We basically had that same message. The manufacturers say: "This is just how software is, it's vulnerable and... you're always going to have bugs."

 

We were saying that that's not the case. If we can find the bugs, then they can find the bugs and they can fix them before they ship the software.

 

So the big message was about insecure software. The software ecosystem is broken. You need to call [on] vendors and hold them accountable. Make them ship more secure software. You, as a government, shouldn't buy insecure software.

The internet wasn't made for business

That was one message. The other one was the foundations of the internet have big vulnerabilities. It was never designed [for business]. These are the systems we have.

 

The whole "[we could] take the internet down in 30 minutes" [a claim L0pht made while testifying to the Senate] was basically the routing protocols have huge gaping vulnerabilities in them.

 

El Reg: Your testimony that you could take the internet down in 30 minutes is what got reported.

 

Wysopal: That was the soundbite. I wish it was "software is unsafe at any speed", or something like that.

 

We didn't have a catchy line for the software problem.

 

El Reg: What was the main networking problem you explained?

 

Wysopal: We talked about an attack that would make all the major network peering points send traffic to the wrong place. That would quickly saturate the network and it would fall apart. That has happened but people now are using it as more of a tactical attack.

 

As opposed to taking down the internet, they are redirecting traffic to do surveillance over it or they're redirecting it so they can host a fake website somewhere and it looks real. That happened with the MyEtherWallet website about a month ago.

 

Route 53 is a DNS service. Someone did a BGP (Border Gateway Protocol) attack to route everything that was going to Route 53 to go to a fake DNS server in Russia. When someone was looking up MyEtherWallet it sent them to a fake server in Russia. Basically they took over the DNS for MyEtherWallet not by taking over the domain, but by taking over the whole [Route] 53 DNS server.

 

So people thought they were depositing their Bitcoin into their wallet but they were [actually] depositing it into an attacker's wallet. That was a network layer attack.

 

One of our points was that the network foundation is insecure: BGP is insecure, DNS is insecure and SSL is insecure. All these things that are foundations of someone's computer talking to another computer which is what the internet is supposed to do.

 

The internet is not supposed to secure the endpoints. It's just supposed to be able to reliably get traffic from one place to another. The problems with BGP, DNS and SSL make it so that's not true.

We were really focused on BGP and a little bit about DNS. SSL hadn't really taken off yet [back in 1998].

 

El Reg: What was the outcome from your testimony?

 

Wysopal: I think we raised a lot of awareness. I think it did cause people to start to ask questions of their vendors. Even though this was probably four years before the Microsoft Trusted Computing memo, I think it gave a nudge in that direction, basically telling the government you need to ask better from your OS vendors.

 

From what I hear one of the final straws that caused the Trustworthy Computing movement at Microsoft to start was the Air Force CIO saying: "I can't just constantly be patching and fixing my systems, guys. You need to deliver something more secure or I'm going to go to Linux."

 

I think that our testimony helped the governments to start thinking about pushing back on the vendors even though they didn't do nearly enough. They still don't do enough.

 

El Reg: Did the committee put forward any legislation?

 

Wysopal: There was no legislation on this either on the regulation side [or elsewhere]. We said: "We're not experts in this but can't there be tax incentives for making secure software?" Some way of incentivizing secure software either carrot or stick. We said: "We're not lawmakers but there needs to be incentives to create secure software or we're going to be constantly in the state of always being vulnerable."

 

El Reg: So fast-forwarding 20 years here, was the second meeting of L0pht in the Senate commemorative? How was it all put together?

 

Wysopal: Space Rogue and I got together and we said 20 years later, it seems like enough time that we should get together and have a look back. We should do a formal look back and we should be doing it on Capitol Hill and not just be renting a hotel in Boston. We're all distributed anyway.

 

Let's do it on Capitol Hill because that's where we did it the first time. We know more people up there now. Mudge and I have had meetings with Senator [Mark] Warner. We know Senator [Cory] Gardner. These guys are on the Senate Intelligence Committee. That's one of the committees that forms the Congressional cyber caucus. The cyber caucus is any committee whose members cover cyber, [for example] the Homeland Security, Intelligence or Armed Forces committees. There are a bunch of committees that have a cyber aspect to them so they can educate themselves. They come have people speak about [for example] secure medical devices.

 

I was up there last year talking about "how does an attack chain work?" So I knew some of the staffers there. And so we started talking to them and saying "can we put together something?" It wasn't going to be a formal hearing, it wasn't going to be senators, but we could get the staff to come. We could get people who work up on the Hill to come.

 

El Reg: Where did the meeting take place?

 

Wysopal: It was in the Rayburn House office building. It was a hearing room, right? We put it together and at the last minute Senator Gardner couldn't come. We learned afterwards that he was going to come and just make a statement but he got called back to Colorado. So I was really bummed about that. It's a shame because it would have given it a little more import.

 

People don't really realize the staffers write all the legislation, so getting them to understand something is getting these senators to understand something. But they [the senators] are the figureheads. They are the people who make the decisions, so it would have been good to see them there.

 

What we talked about was about how fundamentally not much has changed. On the internet side, the BGP protocol hasn't been improved, there's [just] more people watching. As opposed to having prevention with a secure protocol, it's more a response where people are looking for these BGP changes and they're hoping someone notices it if something looks wrong. This works if it's an attack but it doesn't work in a DDoS situation. In a DDoS situation it'd quickly cascade and the whole internet would be down.

 

I don't know enough about it to know how quickly they could recover. It could be down for 30 minutes. It could be down for an hour but that would be really bad, [especially] if you could be continuously doing that from different parts of the world and not just once.

 

El Reg: Is there a secure BGP protocol?

 

Wysopal: There is a secure BGP protocol where the messages are signed and there's a whole certificate infrastructure. It just hasn't been implemented. I believe it got designed two years after our testimony. So our testimony did spur that. People started taking it seriously but it hasn't been implemented.

 

There's a secure DNS but that hasn't been implemented. We still have the problem with fake certificates or people accepting certificates that they shouldn't, like self-signed certificates.

 

El Reg: How do you feel, as an expert, about this lack of progress you've just described?

 

Wysopal: Essentially what we're doing is we're tolerating a certain amount of damage. We're tolerating a certain amount as a society or as, you know, an economy or as a government – however you want to put it. We're tolerating a certain amount of damage. But the problem is the way we're using the internet keeps getting more and more risky. We keep getting more and more dependent on it, [especially as] we start to hook up devices to it.

 

Those same vulnerabilities have a bigger impact when you have a bigger dependence on something. That's one dimension that is getting worse.

 

The other dimension that's getting worse is the threat space. It's easier for criminals to monetize risk. And we have nation state attackers now. Back in '98 there were no nation state attackers that were known. Maybe the CIA or the NSA knew about it but I didn't know about it.

 

El Reg: If you're a foreign government or corporation then the NSA have always been a threat.

 

Wysopal: Perhaps. This is one of the things that came up in the testimony [20 years ago]. It was actually theoretical.

 

One of the senators asked us what would happen if a foreign government hired a team of people like you to take down the internet and wreak havoc. We said they could do that. It was a theoretical question which now we know they are doing.

 

We know the Iranians and the North Koreans and the Russians are doing DDoS attacks. [For example], the Shamoon virus for Saudi Aramco. Destructive nation state attacks. Or NotPetya. We know it's happening now.

 

It was interesting that it was theoretical then, it was something we weren't thinking about. We weren't thinking about the threat actors while the senators were. We were thinking about the vulnerabilities and the damage but not the threat actors. Back then the threat actors were basically the teenage hacker; those people defacing websites and the occasional criminal.

 

It wasn't the organized crime of today where people set out – or even governments set out – to steal money and monetize attacks. So the threat space is completely changed. So you know the fact that these vulnerabilities at the internet level are still there: it's 10 times worse than it was in '98 because the risk level has increased.

 

It's the same thing on the software side. I think we have gotten somewhat better in building secure software. There were some really standout examples. This is something we really talked about when we were up there on [Capitol Hill] for the 20th anniversary.

 

There are examples of secure software that can be built. Look at the operating system. Look at iOS. Look at Windows 10. Look at Chrome OS.

 

We can see at the operating system level that if you try hard enough and you have a good team you can do it. So let's learn from what they did to build a secure operating system. We didn't have operating systems that secure 20 years ago. Now we do.

 

At the application level, look at the Chrome browser. Look at the Edge browser now. Look at a lot of the apps on the iPhone. You can build secure software. It can be done. Obviously these companies are making money and are successful. Let's learn from how they do it.

 

The thing is: it's uneven. There are funny startups putting out software that's horribly broken without even thinking about it. There are even companies that have been shipping the software for 10 years that are putting out horribly broken software.

Bootnotes

*L0pht, or L0pht Heavy Industries, to give the group its full name, released numerous security advisories and developed L0phtCrack, a password cracker for Windows NT. L0pht Heavy Industries merged with the startup @stake in 2000.

 

When Microsoft said a vulnerability was only theoretical, L0pht responded by creating an exploit and adopted the slogan "Making the theoretical practical since 1992".

 

** The seat of the US Congress, comprising the Senate and the House of Representatives, for anyone who has never seen an American movie.

 

Source
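Wysopal's point that BGP is still handled by "people watching for changes" rather than by a secure protocol is easy to see in code. The following is an added example, not from the interview or from The Register: a small monitor that checks constructed BGP announcements for a watched prefix against an expected-origin table and flags the two patterns a Route 53-style hijack produces, an unexpected origin AS or a more-specific prefix. The prefixes, ASNs and collector names are placeholders.

```python
"""Flag suspicious BGP announcements for monitored prefixes.

Added example, not code from the interview or The Register. All prefixes,
ASNs and collector names below are constructed placeholders. In practice the
EXPECTED_ORIGINS table would come from RPKI ROAs or an operator's own records
and the announcements from a route collector feed.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed table: monitored prefix -> ASNs allowed to originate it.
EXPECTED_ORIGINS = {
    ip_network("203.0.113.0/24"): {64500},   # placeholder "DNS provider" prefix
    ip_network("198.51.100.0/23"): {64501},  # placeholder second prefix
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # leftmost = nearest peer, rightmost = origin AS
    collector: str   # which route collector saw it (placeholder name)


def origin_as(ann):
    """The origin AS is the last hop of the AS_PATH."""
    return ann.as_path[-1]


def classify(ann):
    """Return a finding string, or None if the announcement looks normal.

    Two cases are flagged:
    * ORIGIN_MISMATCH: the exact monitored prefix is announced by an AS that
      is not in the expected-origin set.
    * MORE_SPECIFIC: a longer prefix inside the monitored block. Longest-prefix
      match means this wins regardless of origin, so it is flagged even when
      the origin AS is an expected one.
    """
    pfx = ip_network(ann.prefix)
    for monitored, origins in EXPECTED_ORIGINS.items():
        if pfx == monitored:
            if origin_as(ann) not in origins:
                return f"ORIGIN_MISMATCH {pfx} from AS{origin_as(ann)}"
            return None
        if pfx.subnet_of(monitored):
            return (f"MORE_SPECIFIC {pfx} inside {monitored} "
                    f"from AS{origin_as(ann)}")
    return None


# Constructed sample feed: one legitimate announcement, one hijack of the
# exact prefix, one more-specific hijack, and one unrelated prefix.
SAMPLE = [
    Announcement("203.0.113.0/24", (64510, 64500), "rc1"),
    Announcement("203.0.113.0/24", (64520, 64666), "rc2"),
    Announcement("203.0.113.0/25", (64520, 64666), "rc2"),
    Announcement("192.0.2.0/24", (64510, 64530), "rc1"),
]


def scan(anns):
    """Run classify() over a feed and keep only the findings."""
    return [f for f in (classify(a) for a in anns) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because this is detection rather than prevention, a finding only tells an operator something changed after the fact, which is exactly the gap the interview describes.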

 

 


In my opinion that's not true at all :( Because hackers, malware and the new CryptoMiner have increased too :S
