
'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years

L0pht luminary Chris Wysopal talks to The Reg


So we got an email from a staffer for Senator Thompson saying: "We're putting together a hearing to talk about computer risks to the US government and in general. We think you guys will bring a different viewpoint." So he came to our location up in Boston. We met with him. He explained what he thought it [the hearing] was going to be about. But it's all, you know, a little sketchy when, you know, "I'm from the government and I want to talk with you."

So we said: "OK, well, what's the hearing about?" We didn't want to be the bad guys, pilloried up there, as [in] "you guys are the problem". Frankly, why would we want to come and voluntarily do that?

We got the feeling that they really genuinely wanted to hear what we had to say and we were going to be the good guys.


So we agreed to come and talk on one condition. Well, first we didn't have a lot of money, so they had to pay our expenses...

El Reg: Did you not think to ask your contact at The Washington Post how it might go down?

Wysopal: No, we were very naive. Senator Thompson's staffer was the only person we really talked to about it.

So they [sent] our expenses down. We didn't have a lot of money, and we wanted to testify under our hacker aliases. We said this is the only reason we'd do it because we have day jobs and a lot of companies don't like what we do. Or it might be companies that our [employers] might be doing business with. Like my company might be doing business with Microsoft and Microsoft might try to get me fired. Or we're not going to do a contract with you because you hired these hackers which we don't like.

El Reg: Did your employer know what you were doing on the side?

Wysopal: Not until after the testimony. Our thing was we'll testify with our hacker name. It was very naive because there were photographers there.

So it made for a great visual because on the table we have all our placards with our hacker names. We didn't look like businessmen.

El Reg: What was the main idea you were putting across at the time and what kind of reception did it receive?

Wysopal: The main idea was there were two root causes of all these [cybersecurity] problems. One was software isn't secure. The vulnerabilities in software are the root cause of most of the problems.

Vendors have no liability, so they can ship vulnerable software with impunity. There's no reason they can't ship. And they can know about it.

They can knowingly ship vulnerabilities. They're like "we didn't have time to fix that" so they can knowingly ship it. They have no liability. A consumer has no way of knowing what vulnerabilities are in their software. They have no way of testing it. There's no independent third-party testing.

We brought in an analogy to things like crash-testing for cars. You used to be able to ship an unsafe car but after Ralph Nader in the '60s, his Unsafe At Any Speed book, he raised consumer awareness around how unsafe cars were.

The manufacturers were saying "this is all we can do". He was saying "no, that's absolutely not true". You can design a safe car. It's possible. Just because you could look and some cars were safer than other cars.

We basically had that same message. The manufacturers say: "This is just how software is, it's vulnerable and... you're always going to have bugs."

We were saying that that's not the case. If we can find the bugs, then they can find the bugs and they can fix them before they ship the software.

So the big message was about insecure software. The software ecosystem is broken. You need to call [on] vendors and hold them accountable. Make them ship more secure software. You, as a government, shouldn't buy insecure software.

The internet wasn't made for business

That was one message. The other one was the foundations of the internet have big vulnerabilities. It was never designed [for business]. These are the systems we have.

The whole "[we could] take the internet down in 30 minutes" [a claim L0pht made while testifying to the Senate] was basically the routing protocols have huge gaping vulnerabilities in them.

El Reg: Your testimony that you could take the internet down in 30 minutes is what got reported.

Wysopal: That was the soundbite. I wish it was "software is unsafe at any speed", or something like that.

We didn't have a catchy line for the software problem.

El Reg: What was the main networking problem you explained?

Wysopal: We talked about an attack that would make all the major network peering points send traffic to the wrong place. That would quickly saturate the network and it would fall apart. That has happened but people now are using it as more of a tactical attack.

As opposed to taking down the internet, they are redirecting traffic to do surveillance over it or they are redirecting it so they can host a fake website somewhere and it looks real. That happened with the MyEtherWallet website about a month ago.

Route 53 is a DNS service. Someone did a BGP (Border Gateway Protocol) attack to route everything that was going to Route 53 to go to a fake DNS server in Russia. When someone was looking up MyEtherWallet it sent them to a fake server in Russia. Basically they took over the DNS for MyEtherWallet not by taking over the domain, but by taking over the whole [Route] 53 DNS server.

So people thought they were depositing their Bitcoin into their wallet but they were [actually] depositing it into an attacker's wallet. That was a network layer attack.

One of our points was that the network foundation is insecure: BGP is insecure, DNS is insecure and SSL is insecure. All these things that are foundations of someone's computer talking to another computer which is what the internet is supposed to do.

The internet is not supposed to secure the endpoints. It's just supposed to be able to reliably get traffic from one place to another. The problems with BGP, DNS and SSL make it so that's not true.

We were really focused on BGP and a little bit about DNS. SSL hadn't really taken off yet [back in 1998].

El Reg: What was the outcome from your testimony?

Wysopal: I think we raised a lot of awareness. I think it did cause people to start to ask questions of their vendors. Even though this was probably four years before the Microsoft Trusted Computing memo, I think it gave a nudge in that direction, basically telling the government you need to ask better from your OS vendors.

From what I hear one of the final straws that caused the Trustworthy Computing movement at Microsoft to start was the Air Force CIO saying: "I can't just constantly be patching and fixing my systems, guys. You need to deliver something more secure or I'm going to go to Linux."

I think that our testimony helped the governments to start thinking about pushing back on the vendors even though they didn't do nearly enough. They still don't do enough.

El Reg: Did the committee put forward any legislation?

Wysopal: There was no legislation on this either on the regulation side [or elsewhere]. We said: "We're not experts in this but can't there be tax incentives for making secure software?" Some way of incentivizing secure software either carrot or stick. We said: "We're not lawmakers but there needs to be incentives to create secure software or we're going to be constantly in the state of always being vulnerable."
