
'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years

L0pht luminary Chris Wysopal talks to The Reg

Back on the Hill...


L0pht Senate reunion (Photo © via Chris Wysopal)

El Reg: So fast-forwarding 20 years here, was the second meeting of L0pht in the Senate commemorative? How was it all put together?

Wysopal: Space Rogue and I got together and we said 20 years later, it seems like enough time that we should get together and have a look back. We should do a formal look back and we should be doing it on Capitol Hill and not just be renting a hotel in Boston. We're all distributed anyway.

Let's do it on Capitol Hill because that's where we did it the first time. We know more people up there now. Mudge and I have had meetings with Senator [Mark] Warner. We know Senator [Cory] Gardner. These guys are on the Senate Intelligence Committee. That's one of the committees that forms the Congressional cyber caucus. The cyber caucus is any committee whose members cover cyber, [for example] the Homeland Security, Intelligence or Armed Forces committees. There are a bunch of committees that have a cyber aspect to them so they can educate themselves. They come have people speak about [for example] secure medical devices.

I was up there last year talking about "how does an attack chain work?" So I knew some of the staffers there. And so we started talking to them and saying "can we put together something?" It wasn't going to be a formal hearing, it wasn't going to be senators, but we could get the staff to come. We could get people who work up on the Hill to come.

El Reg: Where did the meeting take place?

Wysopal: It was in the Rayburn House office building. It was a hearing room, right? We put it together and at the last minute Senator Gardner couldn't come. We learned afterwards that he was going to come and just make a statement but he got called back to Colorado. So I was really bummed about that. It's a shame because it would have given it a little more import.

People don't really realize the staffers write all the legislation, so getting them to understand something is getting these senators to understand something. But they [the senators] are the figureheads. They are the people who make the decisions, so it would have been good to see them there.


L0pht's senate reunion 2018 (Photo © via Chris Wysopal)

What we talked about was about how fundamentally not much has changed. On the internet side, the BGP protocol hasn't been improved, there's [just] more people watching. As opposed to having prevention with a secure protocol, it's more a response where people are looking for these BGP changes and they're hoping someone notices it if something looks wrong. This works if it's an attack but it doesn't work in a DDoS situation. In a DDoS situation it'd quickly cascade and the whole internet would be down.

I don't know enough about it to know how quickly they could recover. It could be down for 30 minutes. It could be down for an hour but that would be really bad, [especially] if you could be continuously doing that from different parts of the world and not just once.

El Reg: Is there a secure BGP protocol?

Wysopal: There is a secure BGP protocol where the messages are signed and there's a whole certificate infrastructure. It just hasn't been implemented. I believe it got designed two years after our testimony. So our testimony did spur that. People started taking it seriously but it hasn't been implemented.

There's a secure DNS but that hasn't been implemented. We still have the problem with fake certificates or people accepting certificates that they shouldn't, like self-signed certificates.

El Reg: How do you feel, as an expert, about this lack of progress you've just described?

Wysopal: Essentially what we're doing is we're tolerating a certain amount of damage. We're tolerating a certain amount as a society or as, you know, an economy or as a government – however you want to put it. We're tolerating a certain amount of damage. But the problem is the way we're using the internet keeps getting more and more risky. We keep getting more and more dependent on it, [especially as] we start to hook up devices to it.

Those same vulnerabilities have a bigger impact when you have a bigger dependence on something. That's one dimension that is getting worse.

The other dimension that's getting worse is the threat space. It's easier for criminals to monetize risk. And we have nation state attackers now. Back in '98 there were no nation state attackers that were known. Maybe the CIA or the NSA knew about it but I didn't know about it.

El Reg: If you're a foreign government or corporation then the NSA have always been a threat.

Wysopal: Perhaps. This is one of the things that came up in the testimony [20 years ago]. It was actually theoretical.

One of the senators asked us what would happen if a foreign government hired a team of people like you to take down the internet and wreak havoc. We said they could do that. It was a theoretical question which now we know they are doing.

We know the Iranians and the North Koreans and the Russians are doing DDoS attacks. [For example], the Shamoon virus for Saudi Aramco. Destructive nation state attacks. Or NotPetya. We know it's happening now.

It was interesting that it was theoretical then, it was something we weren't thinking about. We weren't thinking about the threat actors while the senators were. We were thinking about the vulnerabilities and the damage but not the threat actors. Back then the threat actors were basically the teenage hacker; those people defacing websites and the occasional criminal.

It wasn't the organized crime of today where people set out – or even governments set out – to steal money and monetize attacks. So the threat space is completely changed. So you know the fact that these vulnerabilities at the internet level are still there: it's 10 times worse than it was in '98 because the risk level has increased.

It's the same thing on the software side. I think we have gotten somewhat better in building secure software. There were some really standout examples. This is something we really talked about when we were up there on [Capitol Hill] for the 20th anniversary.

There are examples of secure software that can be built. Look at the operating system. Look at iOS. Look at Windows 10. Look at Chrome OS.

We can see at the operating system level that if you try hard enough and you have a good team you can do it. So let's learn from what they did to build a secure operating system. We didn't have operating systems that secure 20 years ago. Now we do.

At the application level, look at the Chrome browser. Look at the Edge browser now. Look at a lot of the apps on the iPhone. You can build secure software. It can be done. Obviously these companies are making money and are successful. Let's learn from how they do it.

The thing is: it's uneven. There are funny startups putting out software that's horribly broken without even thinking about it. There are even companies that have been shipping the software for 10 years that are putting out horribly broken software. ®
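Wysopal's distinction above, between preventing bad BGP announcements with signed, certificate-backed routing data and merely having more people watch for them, is in practice the gap between enforcing RPKI route origin validation and only alerting on it. What follows is an added example, not code from the article or from Wysopal, of the origin-validation rule from RFC 6811 applied to a constructed set of ROAs (documentation prefixes and private ASNs, not real registry data); the function names and sample data are assumptions made for illustration.

```python
"""RPKI route origin validation (RFC 6811) over constructed ROAs.

Added example: a router that has a validated cache of Route Origin
Authorizations (ROAs) classifies each received announcement as
'valid', 'invalid' or 'not-found'. Dropping 'invalid' routes is the
prevention Wysopal describes; logging them is the "people watching" model.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One validated ROA: covered prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample data (documentation prefixes, private ASNs). A real
# validator would build this from the RPKI repositories via RTR or a cache.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
    ROA("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify an announcement per RFC 6811 section 2.

    not-found: no ROA covers the prefix.
    valid:     some covering ROA names this origin AS and the announced
               prefix length does not exceed that ROA's maxLength.
    invalid:   covered, but no ROA matches (wrong origin or too specific).
    """
    net = ip_network(prefix, strict=True)
    covering = [
        r for r in roas
        if ip_network(r.prefix).version == net.version  # v4/v6 never cover each other
        and net.subnet_of(ip_network(r.prefix))
    ]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_policy(announcements, roas=SAMPLE_ROAS, drop_invalid=True):
    """Run ROV over (prefix, origin_asn) pairs.

    Returns (accepted, dropped), each a list of (prefix, asn, state).
    drop_invalid=False models a monitor-only deployment: everything is
    still accepted and the 'invalid' state is merely something to look at.
    """
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "invalid" and drop_invalid:
            dropped.append((prefix, asn, state))
        else:
            accepted.append((prefix, asn, state))
    return accepted, dropped


# Constructed announcements: legitimate origin, a hijack from the wrong AS,
# an over-specific announcement (the classic more-specific hijack),
# a prefix nobody has signed for, and a legitimate IPv6 sub-allocation.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64666),
    ("198.51.100.0/25", 64501),
    ("203.0.113.0/24", 64502),
    ("2001:db8:1::/48", 64500),
]

if __name__ == "__main__":
    for mode in (True, False):
        acc, drp = apply_policy(SAMPLE_ANNOUNCEMENTS, drop_invalid=mode)
        print(f"drop_invalid={mode}: accepted={len(acc)} dropped={len(drp)}")
        for item in drp:
            print("  dropped", item)
```

The two runs in the usage block make the point of the passage concrete: with enforcement on, the hijack and the over-specific announcement never enter the routing table; with enforcement off, they are accepted and the only defence is that somebody notices the 'invalid' state in the logs. Note that 'not-found' is accepted in both modes, which is why coverage of ROAs, not just validator deployment, determines how much protection the scheme actually gives.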

Bootnotes

*L0pht, or L0pht Heavy Industries, to give the group its full name, released numerous security advisories and developed L0phtCrack, a password cracker for Windows NT. L0pht Heavy Industries merged with the startup @stake in 2000.

When Microsoft said a vulnerability was only theoretical, L0pht responded by creating an exploit and adopted the slogan "Making the theoretical practical since 1992".

** The seat of the US Congress, comprising the Senate and the House of Representatives, for anyone who has never seen an American movie.
