Interview It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht* hacker collective famously testified before the US Senate that the internet was hopelessly insecure.
Wysopal, now a successful entrepreneur and computer security luminary, recently went back to Capitol Hill, Washington**, with three of his colleagues (Space Rogue, Kingpin and Mudge) to mark the anniversary of the first cybersecurity hearing in Congress.
Not much has improved in the two decades since, as we discovered when El Reg caught up with Wysopal, co-founder and CTO of application security firm Veracode, at the recent Infosec conference in London.
John Leyden, for The Register: I'd like to start by asking you how L0pht (the band) got together?
Chris Wysopal (AKA Weld Pond): L0pht had just started when I joined. It had only been in existence for less than a year. And I ran into one of the founding members, Brian Oblivion, on a bulletin board system because it's free. This is pre-internet, 1992. If you were on the internet then you've [either] got a corporate or academic connection.
I was working at Lotus at the time and I was dabbling with understanding the internet. But there was no way to talk to other people really that I knew of. So I was on the local bulletin board. Some of them were kind of hacker-oriented and I ran into this guy Brian Oblivion. He had some technical files. He was hardware oriented. He was basically taking apart cell phones and looking at the firmware and figuring out how they worked.
I didn't know anyone else doing that, so I started an online friendship with him and then we met in person and he got to know me over just a few weeks. He said: "We've got this place in Boston called the loft. Why don't you come by there?"
There was a kind of like a vetting process to be like a credible hacker, I guess. I got invited over there and it was just this really rough space – an old factory on the second floor. There were five other guys there and they had set up desks and they had all this old computer equipment there.
When I started to talk to them they said: "We started this place because our wives and girlfriends kicked us out of apartments because we had so much computer equipment."
Chris Wysopal (AKA Weld Pond) has become a successful computer security businessman and infosec luminary
El Reg: And weren't the telephone bills of the time quite high? [This was the era of dial-up internet connections.]
Wysopal: Sure, having some shared resources [was important]. Back then it was paper manuals. We actually had binders of manuals. They had a library. The idea was: let's share all of our resources and computers because not everyone can have a Mac and have a VT100 terminal and have a PC.
And so I thought the place was really cool and I said: "Can I join with you guys?" I shared a desk with this guy Kingpin. He was the youngest member. I think I was probably like 26, 27 at the time; I was the oldest. Kingpin was the youngest. He was 16.
That was the age span. People were in their early 20s.
I joined up with them and it was really just a place to just play with the technology and just explore it. And then over time we started to sort of get a little bit more serious about it. We said: "Let's install a network, let's put a Linux gateway in and let's build a website. Let's build a shell machine so we can let other people use our computers. People can log in remotely."
It started to go from just a shared space to sort of feeling like an organization, over time. There was never really any hierarchy. We each had our own areas of expertise: some people were hardware guys, some were software guys.
I was a Windows programmer. The transition from DOS to Windows was happening at that time, actually Windows NT. That was what I had to offer in programming. I learned Linux from the other guys. So I learned Linux. I actually set up the first gateway and the first web server. I was a system administrator.
Back then the threat actors were basically the teenage hacker; those people defacing websites and the occasional criminal. It wasn't the organized crime of today where people set out – or even governments set out – to steal money and monetise attacks...
So that's sort of how we got into this mode of being an organization and organizing different skills. Around '93 we got connected to the internet when the public internet was available. We had a 56K modem and we were on the internet.
We had all the bulletin board files that Brian [Oblivion] had on his bulletin board and other things.
El Reg: How did you come to be invited to testify before the Senate?
Wysopal: So what happened was once we started to get organized we started down this path of doing vulnerability research. We started looking at a lot of Microsoft products because we did see other people analyzing Microsoft. People were looking at Unix and Linux. We started looking at Microsoft and we found vulnerabilities in Windows, and in their Internet Explorer, and we said, well, this is like a consumer operating system. People are using Windows 95. People have no idea that the software they're using has many vulnerabilities. They don't know they need to patch their machine. They don't know anything about this.
So we started publicizing this online on our website and at some point reporters started to come to our website and say L0pht is saying Windows isn't secure.
This was new back then. We were one of the first people calling them [Microsoft] out. And so we got some notoriety about hacking Microsoft although we weren't hacking their network – we were hacking their software.
El Reg: I started writing about security around that time. L0pht had the slogan of making the theoretical possible.
Wysopal: Microsoft were saying "this is a theoretical vulnerability" so what they were saying was you're going to have to write an exploit or we're not going to fix it.
So we started to get notoriety for calling out big corporations like Microsoft, IBM [and] Oracle. We got an article written about us in The New York Times Magazine. They came and interviewed us all, [took] pictures and explained what we were. Someone in The Washington Post saw that and then like a month or two later there was an article about us in The Washington Post. And I guess someone on Capitol Hill, they all read The Washington Post, they read it and there was a hearing.
It was the very first hearing on government security. It was the committee on governmental affairs. Senator [Fred] Thompson was the majority leader: he is a Republican. His committee directed the Government Auditing Office to audit all the government agencies. This was in 1998: the very first audit of government agencies. Before then they had no idea how insecure they were.
So they were going to have the GAO people come and speak to give their findings. They [also] wanted some people that are outside of the government. They invited Dr Peter G Neumann, who worked at SRI and ran this mailing list [called] comp.risks. He was one of the first people to highlight bugs in software. They invited him to come.
We don't know exactly how this happened but this is a story that I've heard. We had been meeting with Richard Clarke. Richard Clarke was the cyber-czar for Clinton.
We had a couple of meetings where Dick Clarke came up and met with us in Boston. He wanted to learn from us. The way Dick met us was he called the FBI and said: "I know there are some good hackers out there, they're not all criminals, do you know of any good hackers?" And the FBI said: "You've got to go talk to the L0pht guys".
El Reg: Had you been speaking to the FBI prior to that, then?
Wysopal: Informally. We had some conversations with them. So they knew about us and we were probably on their radar because of course they're investigating computer crime which is being caused by all these vulnerabilities, which we're publicising. We were on their radar.
We were vetted as good guys, so Richard Clarke felt comfortable coming from the National Security Council to meet with us. So we knew at least he and the FBI knew about us. And then somehow we got invited to testify. I can only imagine it was a combination of that Washington Post article and some people in the executive branch knowing who we were.