Security has come a long way since warnings that the internet could be taken down in fewer than 30 minutes, but it has “still got a long way to go.”
Reuniting six members of the L0pht hacker team at the DEFCON conference in Las Vegas, moderator Elinor Mills asked Dildog, Space Rogue, Mudge, John Tan, Weldpond and Kingpin whether they felt that the original testimony had worked. The six used their hacker names, as they had done 20 years ago when testifying to the US Senate and again when visiting this year.
Weldpond, aka CA Veracode CTO Chris Wysopal, said that their appearance was a “visceral representation of what the adversary viewpoint was” and their appearance made hacking a reality to the government, but it also “conveyed the poor state of software security.”
Mudge, aka Cyber ITL director Peiter Zatko, said that the greatest achievement was that two years later it was leveraged to create Presidential Directive 63, “so if anyone got a scholarship, it was largely driven by that testimony.”
Asked by Mills how things have changed since then, Dildog, aka CA Veracode co-founder and chief scientist Christian Rioux, said that exploits have got harder to create “and the cost associated has skyrocketed,” while the profile of the attacker has changed and exploits are now turned around in months rather than weeks.
Mudge cited examples such as Windows 10 and Google Chrome as “huge steps” in how hardened targets had become, while Weldpond said that the adversary is now more recognized as you “wouldn’t ask about governments [attacking] in 1998, but in 2018 it is in the news every day.”
Kingpin, aka author, presenter and consultant Joe Grand, who was only 16 at the time of the testimony, said that bugs are now being named, and there is a conveyor belt of media frenzy about vulnerabilities.
Asked if such a group could exist today, Kingpin said that we see hacker spaces now, and while L0pht were not completely private, they did have a physical location. Mudge cited the Chaos Computer Club and Google Project Zero as examples of hackers working together, and said: “Who doesn’t want to be a part of that? It exists in organizations and it is much better than it used to be.”
Concerning the well-cited comment about the internet being taken down in fewer than 30 minutes, Mudge said that the original Senate question was on why it had not been done, and the reason it had not been done is that there “is no value in taking down all of the internet as you would take down all of the targets as well.”
Space Rogue, aka Cris Thomas, head of IBM’s X-Force Red, said that while IoT and electronic voting have shown how far technology has come, and we “are not dealing with the same doom and gloom, we have got a long way to go.”
Weldpond said that despite the advances, there are still flaws and we still have problems, and this year’s Senate meeting showed that we have become more and more dependent on the technical infrastructure. “No one is going to fix the foundations.”