The seven young men sitting before some of Washington DC’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world.
Your computers, they told the panel of US senators in May 1998, are not safe – not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the US federal government has neither the skill nor the will to do anything about it.
“If you’re looking for computer security, then the internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes.
The senators – a bipartisan group including John Glenn, Joe Lieberman and Fred Thompson – nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said.
What happened instead was a tragedy of missed opportunity, and 17 years later the world is still paying the price in rampant insecurity.
Hackers and other computer experts sounded alarms as the World Wide Web brought the transformative power of computer networking to the masses. This created a universe of risks for users and the critical real-world systems, such as power plants, rapidly going online as well.
Officials in Washington and throughout the world failed to forcefully address these problems as trouble spread across cyberspace, a vast new frontier of opportunity and lawlessness. Even today, many serious online intrusions exploit flaws in software first built in that era, such as Adobe Flash, Oracle’s Java and Microsoft’s Internet Explorer.
Peiter Zatko, a k a Mudge, once delighted in tweaking Microsoft as he described cracking its password security on Windows. Years later, the decline of the hacker group L0pht took a toll on him.
L0pht, born of the bustling hacker scene in the Boston area, rose to prominence as a flood of new software was introducing such wonders as sound, animation and interactive games to the Web. This software, which required access to the core functions of each user’s computer, also gave hackers new opportunities to manipulate machines from afar.
Breaking into networked computers became so easy that the Internet, long the realm of idealistic scientists and hobbyists, gradually grew infested with the most pragmatic of professionals: crooks, scam artists, spies and cyberwarriors. They exploited computer bugs for profit or other gain while continually looking for new vulnerabilities.
Tech companies sometimes scrambled to fix problems – often after hackers or academic researchers revealed them publicly – but few companies were willing to undertake the costly overhauls necessary to make their systems significantly more secure against future attacks. Their profits depended on other factors, such as providing consumers new features, not warding off hackers.
“In the real world, people only invest money to solve real problems, as opposed to hypothetical ones,” said Dan Wallach, a Rice University computer science professor who has been studying online threats since the 1990s. “The thing that you’re selling is not security. The thing that you’re selling is something else.”
The result was a culture within the tech industry often derided as “patch and pray.” In other words, keep building, keep selling and send out fixes as necessary. If a system failed – causing lost data, stolen credit card numbers or time-consuming computer crashes – the burden fell not on giant, rich tech companies but on their customers.
A loft above a carpentry shop in Boston’s South End neighbourhood provided the inspiration for the hacker group L0pht’s name. Much of the computer hardware in the space was scavenged from Boston-area dumpsters.
L0PHT INSPIRED BY A LOFT
The hackers met online, mostly on the bulletin boards that provided computer enthusiasts with freewheeling forums for trading tips, jokes and insights about how various systems worked – and in some cases could be made to do things their creators never intended. This is the essence of hacking. It is not inherently good or evil. It can be either, or in some cases a combination of both, depending on the motives of the hackers.
Cris Thomas, a k a Space Rogue, had a day job at the computer retailer CompUSA when he was a member of the “grey hat” hacking group L0pht.
“The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen,” said Chris Wysopal, known as Weld Pond in his L0pht days.
The group’s first clubhouse – and the inspiration for the name – was an actual loft above a carpentry shop in Boston’s South End neighbourhood, rented after the girlfriend of one of the hackers grew weary of all of the old computer gear littering their apartment (including several pieces resting semi-permanently in their bathroom).
“The market didn’t solve the problem of cities burning down,” Wysopal said, predicting that Internet security may require a historic disaster to force change. “It seems to me that the market isn’t really going to solve this one on its own.”
But here’s a frightening fact: The push to create tough new fire-safety standards did not start after the Great Chicago Fire in 1871, which killed hundreds of people and left 100,000 homeless. It took a second fire, nearly three years later in 1874, to get officials in Chicago to finally make real changes.