Tuesday 23 June 2015

In 1998, these hackers testified that the Internet would become a security disaster, but nobody listened

WASHINGTON — The seven young men sitting before some of Capitol Hill’s most powerful lawmakers weren’t graduate students or junior analysts from some think tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had come from the mysterious environs of cyberspace to deliver a terrifying warning to the world. Your computers, they told the panel of senators in May 1998, are not safe — not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, the hackers continued, and they have no reason to care because failure costs them nothing. And the federal government has neither the skill nor the will to do anything about it.

“If you’re looking for computer security, then the Internet is not the place to be,” said Mudge, then 27 and looking like a biblical prophet with long brown hair flowing past his shoulders. The Internet itself, he added, could be taken down “by any of the seven individuals seated before you” with 30 minutes of well-choreographed keystrokes. The senators — a bipartisan group including John Glenn, Joe Lieberman and Fred Thompson — nodded gravely, making clear that they understood the gravity of the situation. “We’re going to have to do something about it,” Thompson said.

What happened instead was a tragedy of missed opportunity, and 17 years later the world is still paying the price in rampant insecurity. The testimony from L0pht, as the hacker group called itself, was among the most audacious of a rising chorus of warnings delivered in the 1990s as the Internet was exploding in popularity, well on its way to becoming a potent global force for communication, commerce and criminality. Hackers and other computer experts sounded alarms as the World Wide Web brought the transformative power of computer networking to the masses.

This created a universe of risks for users and the critical real-world systems, such as power plants, rapidly going online as well. Officials in Washington and throughout the world failed to forcefully address these problems as trouble spread across cyberspace, a vast new frontier of opportunity and lawlessness. Even today, many serious online intrusions exploit flaws in software first built in that era, such as Adobe Flash, Oracle’s Java and Microsoft’s Internet Explorer. “We have the same security problems,” said Space Rogue, whose real name is Cris Thomas.

“There’s a lot more money involved. There’s a lot more awareness. But the same problems are still there.” L0pht, born of the bustling hacker scene in the Boston area, rose to prominence as a flood of new software was introducing such wonders as sound, animation and interactive games to the Web. This software, which required access to the core functions of each user’s computer, also gave hackers new opportunities to manipulate machines from afar. Breaking into networked computers became so easy that the Internet, long the realm of idealistic scientists and hobbyists, gradually grew infested with the most pragmatic of professionals: crooks, scam artists, spies and cyberwarriors.

They exploited computer bugs for profit or other gain while continually looking for new vulnerabilities. Tech companies sometimes scrambled to fix problems — often after hackers or academic researchers revealed them publicly — but few companies were willing to undertake the costly overhauls necessary to make their systems significantly more secure against future attacks. Their profits depended on other factors, such as providing consumers new features, not warding off hackers. “In the real world, people only invest money to solve real problems, as opposed to hypothetical ones,” said Dan Wallach, a Rice University computer science professor who has been studying online threats since the 1990s. “The thing that you’re selling is not security. The thing that you’re selling is something else.” The result was a culture within the tech industry often derided as “patch and pray.” In other words, keep building, keep selling and send out fixes as necessary. If a system failed — causing lost data, stolen credit card numbers or time-consuming computer crashes — the burden fell not on giant, rich tech companies but on their customers.

The members of L0pht say they often experienced this cavalier attitude in their day jobs, where some toiled as humble programmers or salesmen at computer stores. When they reported bugs to software makers, company officials often asked: Does anybody else know about this?

– – – –

The hackers met online, mostly on the bulletin boards that provided computer enthusiasts with freewheeling forums for trading tips, jokes and insights about how various systems worked — and in some cases could be made to do things their creators never intended. This is the essence of hacking. It is not inherently good or evil. It can be either, or in some cases a combination of both, depending on the motives of the hackers. L0pht’s members — the exact list shifted year to year but averaged seven or eight — shared a fascination with technology and a knack for testing its limits. They would decode the program running a piece of hardware or repeatedly flood a password field with too many characters, a hack known as a “buffer overflow” that often caused systems to fail, opening the door to further manipulation.

“The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen,” said Chris Wysopal, known as Weld Pond in his L0pht days. The group’s first clubhouse — and the inspiration for the name — was an actual loft above a carpentry shop in Boston’s South End neighborhood, rented after the girlfriend of one of the hackers grew weary of all of the old computer gear littering their apartment (including several pieces resting semi-permanently in their bathroom). Like the Internet itself, there seemed to be peril on the down-and-out streets all around L0pht’s loft in this pre-gentrification era. But inside was geek heaven, with cast-off computers, a television, a couch, cold beer, a 1980s-vintage “Battlezone” arcade game and a curious array of second-hand mannequins wearing unusual adornments, including a skirt, a gas mask and the charred remnants of a police uniform that the hackers found.

In a stroke of luck, the landlord paid the electrical bill each month, keeping an endless lifeline of electrons flowing to what amounted to a power-hungry computer lab. “It was totally scary to get there, but once you got there it was like, ‘Ahhhhh,’ ” recalled Joe Grand, a mischievous skateboarding enthusiast who was L0pht’s youngest member. “It really was a refuge in a lot of ways. It really shaped my life.” Much of the gear they used — and tried to bend to their wills — had been collected from dumpsters around the tech-heavy Boston area. L0pht’s members refurbished some hardware to sell at flea markets to help pay the bills, but they kept the most useful pieces, including a giant VAX computer — a hunk of 1970s-vintage technology featuring two units, each the size of a washing machine — that they somehow hauled up steep stairs and into the loft. They came to particularly disdain what they considered security-by-checklist, when companies declared a product safe merely because they had implemented a specified number of standard features, such as passwords and basic cryptography. “We’d say, ‘Give us one. We’re going to try to break into it,’ ” recalled Wysopal.

They almost always did, usually after toiling late into the night in a frenzy of discovery, flooding systems with inputs that programmers had not anticipated or in any way prepared for. Paul Nash, whose hacker name was Silicosis, once discovered that he could knock computers using Microsoft’s Windows operating systems offline by sending a single command — a trick he happily showed off to visitors. When members of L0pht weren’t trying to find their own bugs, they were supporting others in doing so, including through regular gatherings at a Boston bar in which anyone who revealed a new computer vulnerability got a free beer. L0pht also spread the word about security discoveries through the Hacker News Network, a popular online newsletter run by Space Rogue, a born tinkerer who had rigged up makeshift flashlights so he could read in bed at night as a kid. (He still routinely uses his hacker name today.) Hacker News Network grew popular enough that it drew interest from advertisers. The group didn’t want to sully its main website, L0pht.com, but was happy to collect revenue from Hacker News Network. One of the earliest ads touted the availability, for a fee, of Russian brides.

– – – –

L0pht partially embraced the bad-boy image of hackers, calling themselves “gray hats,” a middle ground between the avowedly virtuous “white hat” hackers and the openly outlaw “black hats.” The group took particular relish in trying to shame big companies, such as Microsoft, for selling products with security flaws to unsuspecting customers. When L0pht discovered a way to crack the cryptography protecting user passwords for the Windows operating system, Mudge publicly chastised Microsoft for what he called “kindergarten crypto” and, along with Wysopal, created an easy-to-use software tool to help anyone defeat it. L0pht member Dildog developed a program with another hacker group, called Cult of the Dead Cow, to remotely control office networks running Microsoft software. The name, a spoof on the company’s popular “BackOffice Server 2000” program, was “Back Orifice 2000”; the promotional materials featured an equally crude logo. But the reality of L0pht was more conventional than the public image.

Wysopal was a programmer for Lotus. Space Rogue and two others worked at CompUSA, a chain store. Several had jobs at BBN Technologies, a venerable tech company that years earlier helped build the most important forerunner to the Internet, a Pentagon-funded project called the ARPANET. The men used their hacker names mainly because they feared getting fired if their employers learned of their nocturnal activities. (The other reason, nearly as important, was that they wanted to make it harder for companies facing embarrassing disclosures to sue them or call the cops — real threats, then and now, for anyone doing freelance security research.)

View the original content and more from this author here: http://ift.tt/1ddCaev


