When seven young men from Boston wearing borrowed or newly purchased suits walked into a Senate hearing room in May 1998 to talk about the emerging threats to the world’s computer networks, the Internet as we think of it today was just stumbling out of the cave on shaky legs, blinking at the bright lights. Few people--and almost none in Washington--understood the fragility and vulnerability of this network. But when those men walked out of the hearing a couple of hours later, it was painfully clear to everyone in the room that Internet and computer security needed to be a national priority.
The men who sat at the witness table in front of the Senate Committee on Governmental Affairs were members of the L0pht hacker group and they were not there on a lark. They appeared by invitation, driving down I-95 in a rented van, making an unscheduled and somehow-not-disastrous accidental pit stop at the NSA headquarters in Maryland. When they told the members of the committee that the Internet’s weaknesses were manifest and had serious national security implications, they spoke with the authority that comes from experience. They had probed, tested, and broken the software and protocols that ran the network and they knew what was possible.
They knew and they shared that knowledge, hoping it would make a difference.
“We were the hackers using our outsider, attacker perspective to try to make changes,” Chris Wysopal, CTO of CA Veracode and one of the L0pht members who testified that day 20 years ago, said during a panel in Washington Tuesday that brought four of the members back together: Cris Thomas, Wysopal, Peiter Zatko, and Joe Grand.
The problems that the L0pht members warned the senators about in 1998 were serious weaknesses with core protocols such as BGP and those that handle satellite communications. These protocols and systems could be abused in ways that could have painful, cascading consequences for the entire network, they said. Twenty years on, those warnings still hold true and also can be applied to several new generations of technology.
“We didn’t learn our lessons. We made the same mistakes with mainframes, then client-server, then desktops, then mobile, and now IoT,” said Thomas, known as Space Rogue.
All of those mistake-ridden platforms have been squished together to form the global network we call the Internet. It’s an amalgam of bits and pieces and patches and somehow it works. For the most part. But it’s far from ideal and it’s not much more secure than it was in 1998. It works just well enough.
“We have an Internet built on rock and roll and silly string,” said hacker Katie Moussouris, CEO of Luta Security and a longtime friend and colleague of the L0pht crew, who moderated Tuesday’s panel.
“We’re still building new technology on an old foundation that’s insecure. We keep building new things on an old infrastructure that never seems to change,” Wysopal said. “That’s why I feel my job still isn’t done.”
One of the things that has changed in the two decades since the original hearing is the public perception of hackers and their relationship to the software and hardware makers whose products they poke and prod. In the late 1990s, to the extent that a relationship existed at all, it was not a cordial one. Actual and threatened lawsuits were common responses when researchers reported vulnerabilities or published the details on a mailing list. Now, companies large and small have bug bounty programs that offer significant rewards for bug finders.
“Over a ten year period, we went from, ‘You’re horrible, please go away,’ to ‘Thank you very much, here’s some money.’ That’s a big change,” Wysopal said.
The even bigger change, though, has been the ways in which the Internet and technology have become completely intertwined with virtually every aspect of daily life for many people. What began as a platform for communication among research institutions is now the foundation of modern society. But that foundation has cracks, both visible and hidden.
“We need to stop thinking something is secure just because it feels like it should be. It’s time to accept that security hygiene is a public safety issue and treat it that way,” said Zatko, known as Mudge.
As technology has become unavoidable in the past two decades, the security of our devices and data has gone from being the domain of a small group of professionals to the responsibility of product designers, software engineers, and even individual users. The shift has given people more control in some sense, but it has also opened up more opportunities for mistakes.
“Engineers are not generally security professionals. We put these expectations on products we expect to be secure, but they’re not,” said Grand, founder of Grand Idea Studio and a hardware hacker who uses the handle Kingpin.
“Security is hard and doing it in a way that makes people want to use it is even harder.”
The government, vendors, and users all have learned a good deal about security since the L0pht materialized in Washington, D.C., 20 years ago. Many of those lessons have been painful and some have had to be learned many times over. But there’s still plenty of work to do.
“We’re not applying that knowledge evenly. For every organization that’s implementing two-factor authentication, there’s another that’s running old, outdated software. We can’t make anything one hundred percent secure but hopefully over the next twenty years we can keep trying,” said Thomas.