Security news that informs and inspires

Thirty Minutes Or Less: An Oral History of the LØpht, Part Three

Today is the 25th anniversary of the L0pht's groundbreaking Senate testimony. To commemorate that, we are resurfacing this portion of our oral history series on the group.

By the beginning of 1998, the national media had decided that cybersecurity was something worth paying attention to and the members of the L0pht were ready and willing to help explain the issues and weaknesses that all of this new technology brought with it. Pieces in The Washington Post, Wired, and many other outlets raised the group's profile and brought its work to the attention of people far outside the hacker community, including those on Capitol Hill. Congress was just beginning to try and get its arms around the Internet's effects on national security and some of the people working behind the scenes in Washington let lawmakers know it might be a good idea to talk to this group of hackers up in Boston and see how bad things really were. What the eight members of the L0pht told the Senate Committee on Governmental Affairs on May 19, 1998, was that the Internet was dangerously fragile and vulnerable to attacks that could cripple the network, words that still ring true 20 years later.

(Read Part 1, Part 2, and Part 4.)

Weld Pond: It's still a little bit of a mystery exactly how the [Senate staff] contacted us. I mean, I hear stories that it was Richard Clarke. He had taken an interest in the L0pht, and he had sort of whispered to the Senate, saying, "You really should talk to some hackers. They have a viewpoint of this." At some point, a Senate staffer for Senator Thompson contacts us and says, "I'd like to come." He came up to the L0pht in Watertown and said, "I want to meet you guys and see if you guys want to come testify." We talked to him, and we said yeah. One of the more brilliant things that actually Mudge did was, he said, "Well, we'll only testify if we use our hacker names."

Space Rogue: So they agreed, and we got to the hotel, they provided us lodging to come down there. And when we got to the hotel, and I go up to the counter and I go to check in, and the guy behind the counter is like, "I need to see some ID please." And I'm like, "I'm Space Rogue." And some other guy behind the counter heard me, came over, pushed this guy aside, and says, "I'll take care of this," and checked me in.

Mudge: One of the things that I did at the L0pht that I didn't take any money for from people is if there was an opportunity to go to the Department of Defense or the Armed Forces or the intelligence community, CIA, NSA, even Quantico a couple times, or anything inside the government, if they were like, "Hey, can you come and lecture?" or, "Can you come and run a course on how the technology works or how you're breaking things?", I would do it pro bono. The Senate thing was an opportunity where they had approached me several times and I said, "No. I'm uncomfortable with that, and there's no way I'm going to try and convince the L0pht folks for it," because the group was very wary about the government. And then ultimately, one of the times Dick and some other folks reached out, and they said, "Well, here's the message that we're trying to send. We want public awareness here, and that's kind of your mission. And what if we actually go over here's what the questions are going to be." I was like, "This is an opportunity."

Weld Pond: It was sort of a once in a lifetime opportunity. We also felt like it was something where the hacker community was going to have a voice through us. I don't think there was much questioning whether we should do it or not. We really wanted to do it.

Space Rogue: We were all petrified. Some of us handled it better than others. But I remember before we went down, we were having a discussion in one of our meetings beforehand of like what are we were gonna wear. And I just put a stake in the ground, "We're wearing suits. Like, we're going to the Senate. Everybody's buying a suit and we're wearing suits."

Weld Pond: You never know if they're going to come and just haul us away or something to a black site. I mean, you just never know.

Space Rogue: There was a vulnerability that we had found in BGP, Border Gateway Protocol. And Mudge had found it, specifically, and it was basically Mudge's idea to incorporate that into the testimony. By the time it had gotten to the testimony, it had already been disclosed to the vendors and the vendors had already patched it. It just hadn't made the press, that's all. But yeah, that was Mudge's idea to release that during the testimony.

You never know if they're going to come and just haul us away to a black site.

When the L0pht testified before the Senate Committee on Governmental Affairs in 1998, the group wanted to explain the weakness of the Internet's security model and how susceptible it was to attack.

Weld Pond: I think after that hearing, they started working on secure BGP. Things move slowly with the IETF. A couple of years later, they came out with the standard. Here we are, eighteen years later or something, and no one has implemented it.

Mudge: I had trained some of the aides and educated them, they were doing policy, but they needed to understand the technology underneath it in order to make policy that was effectual. So I would always help, I didn't care if it was a Republican or a Democrat. Yeah, if you're trying to put policy in place, I'm not going to tell you what policy is good or bad. I just want you to understand how it works under the hood so that the policy has a chance in hell of actually being meaningful.

Kingpin: The L0pht was this outlet where we could do cool stuff, and try to spread this hacker message, and I'd learned about how to deal with the media and talking in public, and my first talks were on behalf of the L0pht. I think the Senate testimony was my second public speaking engagement ever. But it didn't really totally hit me, not only the importance of what we were doing, but also the impact of the Senate testimony, until a year ago.

Space Rogue: I look back on it and I have to think, they knew who we were, right? They had to have had the FBI do background checks on us. They're not gonna just let seven random people into the Senate. At least, they wouldn't today. This was a different time. But I have to think they knew who we were, they must've done background checks on us, and so all of this handle stuff had to have been for show.

Weld Pond: Any time you were quoted or your picture was in the news, you would always get that sort of backlash, but it was all a little bit joking. It wasn't as bad as being called a sellout. But we lived through that too.

Space Rogue: It blew up pretty big, pretty quick. The whole thirty minutes or less thing was kinda huge. Then we made Conan, I think. Conan O'Brien. That was like, "Oh my god," and there were headlines all over the place. AP and Reuters all picked it up, so it was all over the country. I think HOPE [Hackers on Planet Earth] was that year, and so it was a big deal when we got to HOPE and people were like, "Oh my god." And I'm like, "What the? This is nuts." I didn't really fathom it, I still don't. It's still kinda nuts to me now that we're twenty years later and we're still talking about it.

It blew up pretty big pretty quick. The whole thirty minutes or less thing was kinda huge.

The L0pht's Senate testimony was a landmark for the group.

Jason Scott: It was just a matter of time when inevitably there’d be some sort of press. They were already kind of set to be noticed. That kind of celebrity hacker concept was super big in the ‘90s and there’s a few people like that now. Twenty years of this has revealed what a hacker is. The L0pht was perfectly poised to come off that.

Weld Pond: We were in the New York Times magazine section. It's one of those things where, when you get to that point, you've got a lot of media people who read that on Sunday. The exposure to the people who could then take us to the next level was huge. I think that's got us involved with the whole Senate thing. That was one of the pieces that got us there.

Kingpin: At the second L0pht in Watertown, we had a big board with pins of where everybody would send us letters. So we’re getting mail from people, people would donate hardware to us as we started selling Black Crawling Systems and the POCSAG decoder kits, Whacked Mac Archive, and t-shirts, and stuff. We would get pins and put them in all the places around the world. And that's when I was like, "This is really pretty cool."

Weld Pond: We started selling L0phtCrack, and then we started doing things like selling consulting services. This was how we made our money, was people would do ten dollars for a shell account. They would get an email account that was, whatever, xfirst@loft. It was sort of a vanity email address for people to have. It would be a shell account, so they could log in.

It was just a matter of time when inevitably there’d be some sort of press. They were already kind of set to be noticed.

The New York Times Magazine profiled the L0pht in 1999.

Kingpin: It was so much a part of me, because those were the guys. The other friends I had were non-technical, and then I had the L0pht guys. It was just an amazing chunk of time that, so many things from that shaped me in the future, good and bad. There's a reason why I don't work with people anymore, and especially working with friends, because of the stuff I saw at @stake, and people sort of changing.

Space Rogue: We had L0pht.com that was getting like 20,000 unique hits a day, like an obscene number. And you gotta remember, this is back in '91, '92. There's no Internet at that time. There's maybe 10,000 websites on the entire Internet. Maybe a little bit more. And we're getting 20,000 unique hits a day, which is obscene. We would think about all that traffic and we'd think about, "Well, maybe we could make a lot of money." So I kinda got the idea, "Well, why don't I create a different website that's not L0pht.com that can host ads and we can try to make a few dollars off of that to pay the rent, and the electric bill, and the Internet bill, and whatnot?" And I figured out, "I'm gonna call it the Hacker News Network and I'm just gonna gather URLs every day like I'm doing anyway and I'm gonna post the URLs up on this site." Hacker News Network started out as just links and I would write blurbs for each link, and I would update it every day, Monday through Friday. And I would oftentimes wake up at 5 o'clock in the morning to collect these links so that I could have them posted by 9 A.M. Everybody would get to work, they would check HNN, and it kinda got to be a rather popular site.

Silicosis: I mean, it was pre-Google. It was before people were going around and indexing all of the news sites in real time. Space Rogue would get up at, what, three in the morning? He'd hit the news site for every major media organization and look for security related stuff.

Space Rogue: And then, of course, @stake happened and it all went to shit.

Tomorrow: Part Four. Read Part 1 and Part 2.

Header image: CC By 2.0 license photo by Joe Grand; HNN logo courtesy of Cris Thomas.

Hacker News Network was a concept ahead of its time.