
L0pht’s warnings about the Internet drew notice but little action - weld
http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/
======
tptacek
The more I think about this story, the dumber it seems to me.

The narrative seems to be, L0pht testifies, world ignores them, chaos ensues.
But Mudge's testimony coincides almost perfectly with a software security
renaissance. The reality is more like: L0pht testifies, world ignores them,
gigantic sea-change in security leads to 9-figure investment in securing
Windows, the near eradication of SQL injection from popular applications,
universal deployment of TLS in financial applications, chaos ensues anyways.

What, exactly, would be different if people _had_ "listened" to the L0pht?
Would we have S-BGP? DNSSEC?

The simple fact is: in 1998, when this happened, _nobody knew how to fix any
of the problems_. If we had known, we'd have been doing that. There were still
servers in 1998 that used deslogin.

I'm very happy that a bunch of people I like got to put their handles on
nameplates and get recorded testifying to dummies in Congress. I do not,
however, think it was an event with much meaning.

_Later._

I think it's literally the opposite of the gist of this story. Everything is
much, much better than it was in 1998. We have made surprising progress, and
addressed security problems with an improbable seriousness:

1. Most new software is no longer shipped in C/C++.

2. The devastating bug class introduced with new languages (SQLI) was, for
public-facing software, ratcheted back from "universally prevalent" to "rare"
within a decade.

3. 3 billion Internet users all run software that downloads unsigned code in
a complex, full-featured language with a dizzying variety of local C library
bindings, right off web pages, executes it locally, and it's _a news story_
when Pinkie Pie wins Pwn2Own with a working reliable Chrome clientside.

4. Anyone who wants strong crypto can have forward-secret elliptic-curve DH
AEAD transports with a config file tweak on their servers.

5. Microsoft went from MSDOS levels of security to "you can live like an
investment banker if you can reliably produce a couple Windows exploits a
year" levels of security, again inside a decade.

6. Despite its emergence as an entire new category of computing platform,
with its own new feature set, the most popular mobile OS has --- it appears
--- zero effective malware outbreaks.

7. Remember Sendmail? Remember BIND? Probably only if you're a security nerd.
The last working SSH vulnerability was how many years ago?

As usual: everything's amazing and nobody cares.

~~~
afarrell
> dummies in congress

Are the folks in congress actually stupid? Or do they practice a different
profession than you? Namely: the structure and interpretation of laws and
policies.

How much do you know about, say... the field of nursing?

~~~
Qwertious
The problem is that they deal with making laws on a variety of subjects, which
necessitates understanding said subjects. They don't understand the subjects.

Say what you like about programmers, but most of them don't actually have any
job-related responsibilities in the field of nursing, breaking the analogy.

~~~
afarrell
It isn't meant to be an analogy but a contrast.

They are indeed required to understand the subjects, but they have no
realistic way to. There are simply too many subjects. If we want to sit around
saying "legislators are dumb and don't understand us", fine. It won't solve
anything, but it will make us feel really nice about how smart and special we
are. I like feeling smart and special too.

But if we actually want to fix anything, we have to think about the system
holistically and understand what motivations and pressures a legislator is
under. There are simply too many subjects for a legislator to understand all
of them well. Committees help somewhat, but are flawed. Lobbyists are the
current way that legislators gain information about industries, but that comes
at the cost of drastically warping priorities. If anyone wants to comment with
some actual insight and detail into those problems, that would be nice.

------
Animats
l0pht is a successor to Cult of the Dead Cow, which goes back to the 1980s.[1]
Their "Tao of Buffer Overflow"[2] is still a good read.

The two big problems in computer security used to be Microsoft and C. Amit
Yoran said that publicly when he was Homeland Security's head of computer
security. That made him unpopular, and he resigned in 2004. Yoran was then
replaced by a Cisco lobbyist who kept his mouth shut. (Yoran did OK; he's now
the CEO of RSA.)

[1] [http://www.cultdeadcow.com/](http://www.cultdeadcow.com/)

[2] [http://www.cultdeadcow.com/cDc_files/cDc-351/](http://www.cultdeadcow.com/cDc_files/cDc-351/)

~~~
tptacek
Yoran wasn't making a philosophical point about Microsoft. He was responding
to the news cycle: we had just suffered the "Summer of Worms", which, because
of Microsoft's position in the market, involved almost exclusively Microsoft
systems.

Microsoft, to their credit, responded admirably to the events: they invested a
spectacular amount of money shoring up the nuts-and-bolts quality of their
software, training their entire development team (one of the largest in the
world) on secure coding standards, hiring researchers to revise their
libraries and deprecate unsafe interfaces, and adopting hardened C/C++
runtimes.

------
dnlongen
Rather encouraging to see mainstream media describe hacking accurately:
"...insights about how various systems worked — and in some cases could be
made to do things their creators never intended. This is the essence of
hacking. It is not inherently good or evil. It can be either, or in some cases
a combination of both, depending on the motives of the hackers."

------
jessaustin
_The Internet itself, he added, could be taken down "by any of the seven
individuals seated before you" with 30 minutes of well-choreographed
keystrokes._

If this wasn't exaggeration, we should study the fortunate circumstances by
which this calamity has been avoided for 17 years.

~~~
tptacek
Peiter was talking about BGP. In 1998, you had to be somewhat diligent to get
to a vantage point from which you could inject bogus BGP, and the Venn diagram
between those people and "nihilistic assholes" is not that scary. In 2015, you
can still _technically_ fuck up BGP, but probably not for very long, and not
without burning a lot of assets. Why would anyone bother?

The hunting and taxidermy of corrupted BGP advertisements is basically what
got the NANOG crowd out of bed every morning; it's a pretty big chunk of the
job. I always felt like the alarmism over BGP was a bit tone-deaf. Certainly,
nothing Peiter said came as any surprise to anyone who'd ever managed default-
free peering.

~~~
vezzy-fnord
Further, I recall several of the L0pht members were heavily interested in
TEMPEST and van Eck phreaking at the time. Really played it up in an ominous
tone.

~~~
roel_v
Well, that sort of scaremongering was part of the PR aspect of the whole
thing. Back then (I've been out of the scene for a decade and a half now, I
don't know if it's still as bad) the amount of money you could sell your
'company' (read: two guys in a basement) for, was directly correlated to the
scariness of the stories you could get into the press.

~~~
tptacek
I think this happened right before @stake "acquired" L0pht, but I'm not sure
how lucrative that really was for them.

------
kwhitefoot
It was an exaggeration.

But it is certainly not especially hard for _governments_ to take down the net
in their own country and in many cases reduce the degree of interconnectedness
with other countries so far as to effectively take down large chunks of the
Internet. The problem is that we do not truly have a network, instead we have
a tree structure connected to a very small number of fat pipes. As originally
envisaged the internet would be resilient in the face of the failure of one
route because there would be many alternative routes but that is not what we
have today.

This is a much bigger threat than the cracking of individual machines.

~~~
mentat
Depends on what you think you're trying to protect against. Having foreign
powers or foreign mafias in control of large parts of your infrastructure
seems like a big threat.

------
acqq
The title picture is wonderful.

~~~
robg
And the name plates.

~~~
WalterGR
Yeah, that's an amazing image. I thought it _must_ be doctored... but in the
intro to the recording of their testimony, the person speaking ("chairman"?)
says:

"Due to the sensitivity of the work done at the L0pht they'll be using their
hacker names of Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and
Stefan."

[https://www.youtube.com/watch?v=VVJldn_MmMY](https://www.youtube.com/watch?v=VVJldn_MmMY)

------
fapjacks
The picture is worth a million dollars. Especially their nameplates, and the
way they've dressed but are still very clearly pure fucking hackers, just by
the looks on their faces. I want this framed.

------
kbenson
> Even today, many serious online intrusions exploit flaws in software first
> built in that era, such as Adobe Flash, Oracle’s Java and Microsoft’s
> Internet Explorer.

Isn't that like saying "Many accidents happen to models of cars first built
during that era?" Just because they debuted then doesn't mean they are
substantially, or even remotely the same thing. How many complete rewrites of
Internet Explorer have we had since then?

~~~
WalterGR
> How many complete rewrites of Internet Explorer have we had since then?

None?

There's an ongoing one that was announced in January with a preview released
in March.
[https://en.wikipedia.org/wiki/Microsoft_Edge](https://en.wikipedia.org/wiki/Microsoft_Edge)

~~~
pnash
Spartan?

[https://twitter.com/dildog/status/612795030345007104](https://twitter.com/dildog/status/612795030345007104)

"It feels like 1996 again."

~~~
WalterGR
Microsoft Edge is Project Spartan.

"Microsoft Edge, initially developed under the codename Project Spartan..."
(same Wikipedia link as above)

------
themeek
There's two fundamental systemic blockers to investment in information
security.

The first is a problem with incentives over time. (The same thing happened
with global warming, with overfishing, with deforestation, with cyber privacy
rights, etc.) The problem is that the immediate incentives do not align with
the long term incentives. If the country that can cut down the most forest or
burn the most oil is the one that wins, relative to the other, a global race
for power projection, no country will want to perform in the short term what
it must in the long term.

Alas, today the short term incentives in software and hardware development are
mostly the same. The security community has long preached built-in security as
a crucial and fundamental engineering design goal. Today, as it has been for
decades before, software is not competitive if it has security built in. It
raises the costs of development, it slows production, and building security
awareness into every developer would require years of additional professional
experience or schooling: building in security is a competitive disadvantage.

The second problem is that everyone's threat model is different:

- Consumers want their computers to run quickly and do not want their
information or identity stolen. They want to have convenient and reliable
control over the privacy of their online interactions - from the public and
from law enforcement.

- Industry does not want to spend more time and treasure creating fewer
visible features. Their existential threat model is losing their business by
being too slow at production. Corporations are also scared dumb of having a
SONY-style or Target-style breach.

- Government wants to be able to peek into all communications of everyone
including its citizens. It wants to be able to hack into other countries -
both their industrial and their government sectors - and those of private
foreign citizens. It does not want the same to be true in reverse.

It's also true that the types of systems used by the military are different
than those used in industry, which are further different than those used by
consumers. Where do you allocate investment in security? Consumer internet
browsers? Virtualization for enterprises? Network intrusion detection for
corporate LANs? Access control for government systems? Which do you
prioritize? (Granted, it's true that some technologies are shared between these
classes, such as web browsers.)

What's happening right now is that the discussion about threat model is being
negotiated (though not in those conscious terms). Governments make their case
about national security - how they need backdoors - and how they would like
computer security to work. Security professionals - many of them private
citizens - have separate threat models and can't agree with government.
Individual citizens want privacy - and can't agree with government or
industry. Industry wants to get customer and competitor data but also doesn't
want to leak their own.

To the degree that the threat models are compatible, some level of real
investment can be made (today there do happen to be large scale efforts to
mitigate cyber security risks - particularly threat intelligence sharing
programs).

Yet fundamental contradictions in threat models will keep the direction of
security in limbo, and worse, if some threat model 'wins' it will come at the
expense of the others. Government's goals, even in so-labeled 'free'
countries, are misaligned with their citizens' on threat model. Government
goals themselves are further internally contradictory, as they would like
computer networks to be both secure and insecure (giving birth to phraseology
such as "NOBUS").

Today not only are we not able to secure the internet and computer systems, we
still don't really know what a secure internet would mean.

------
hoodoof
long hair: hacker credibility +1

beard: hacker credibility +1

nickname/handle: hacker credibility +1

glasses: hacker credibility +1

suit: hacker credibility -1

~~~
a3n
> suit: hacker credibility -1

Social engineering.

~~~
Qwertious
suit: hacker credibility -1

social engineering +1

