WASHINGTON—It was not the usual Congressional scene in room 2237 of the Rayburn House Office Building on Tuesday afternoon.
More people in the audience than usual had hair dyed pink or green, and opted for T-shirts instead of button-down attire. And the name tags on the table in front of the room sported an unusual set of monikers: Kingpin, Mudge, Weld Pond, and Space Rogue.
The occasion was a reunion of four members of the hacking collective L0pht Heavy Industries, organized by the Congressional Internet Caucus Academy and the Senate Cybersecurity Caucus, almost 20 years after L0pht members warned of rampant insecurity online in the Senate’s first cybersecurity hearing.
Kingpin (Joe Grand, today product designer and founder at Grand Idea Studio), Mudge (Peiter Zatko, now chairman of Cyber-ITL and head of security at the payments firm Stripe), Weld Pond (Chris Wysopal, chief technology officer at Veracode), and Space Rogue (Cris Thomas, strategy lead at IBM’s X-Force Red shop) offered hope and renewed warnings to the packed room in a session that went on for 15 minutes past its scheduled hour.
There’s been real progress
All four L0pht veterans, interviewed by Luta Security founder Katie Moussouris, agreed that the state of cybersecurity is considerably stronger than it was in 1998, when Zatko counseled that “if you’re looking for computer security, then the Internet is not the place to be.”
Instead, he praised Google’s Chrome and Microsoft’s Edge on Tuesday as “some of the better-built products, when it comes to security,” and called iOS, macOS, and Windows 10 “quantifiably harder targets” than their predecessors, noting that exploits for them are sufficiently rare to sell for hundreds of thousands of dollars.
Thomas pointed to widespread, if still uneven, recognition of the virtues of such security techniques as network segmentation, strong encryption (the U.S. did not end regulations mandating weaker, export-grade crypto until 2000), and multifactor authentication.
“Today we have a lot more information available to us—if we want it,” he said.
Grand and Wysopal said organizations have grown far more open to vulnerability reports, to the point that many now pay bug bounties.
“Eventually, the hacker world got accepted,” Wysopal said. “We went from, you know, ‘please go away, you’re horrible,’ to ‘thank you very much, here’s some money.’”
Zatko’s accessorization testified to that spirit of cooperation. He wore two medals to the talk: an Exceptional Public Service medal from the Secretary of Defense and an Order of Thor from the Military Cyber Professionals Association.
Customers still have trouble shopping for secure products
But, the four warned, customers continue to struggle to find secure products.
“It’s extremely difficult for the consumer—and the consumer could be you, or it could be an entire corporation or government—to actually differentiate products and solutions with good security hygiene from those lacking it,” Zatko said.
He added that too many vendors continue to bundle “flashy security products” such as anti-malware utilities that “introduce new attack surfaces,” when they should be working to simplify their code.
(A sign seen in a tunnel connecting the Rayburn Building to the Longworth House Office Building across the street reminded House staffers of a looming deadline to install Lookout Mobile Security on their smartphones.)
Grand teed off on the poor state of security in Internet of Things devices. “Everything is connected to the Internet,” he said. “And I don’t know why that is; I don’t know how that became.”
He called such IoT security failures as hard-coded passwords, unencrypted communications, and unsigned code the kind of vulnerabilities that his L0pht colleagues once considered too easy—“they shouldn’t even be allowed to be used to hack something,” he joked.
A missed threat: Nation-state actors
While many of the critiques the L0pht contingent voiced in 1998 have held up, Wysopal admitted to not foreseeing the rise of nation-state attackers then.
“It all seemed so theoretical—that a nation-state would have a team of guys like us, and they would be attacking the United States,” he said. “Twenty years later, this is happening constantly.”
“Nation-state attackers have become the predominant threat,” Thomas said, and he called out disinformation and propaganda campaigns practiced by other countries on social media.
The risk of offensive infosec operations by foreign powers becomes even more significant in light of President Trump’s refusal to surrender either of his two iPhones for security sweeps, first reported by Politico on Monday.
“He’s basically choosing to live with the risks of having a hacked phone because he feels the convenience is more important than security,” he said.
Zatko noted that he had worked with the Defense Advanced Research Projects Agency to engineer a secure smartphone for President Obama and said he hoped Trump had also enlisted DARPA’s help.
Our laws need work
In the 1998 hearing, the L0pht hackers voiced little confidence in the market’s ability to compel companies to ship secure products—“it’s cheaper, and it’s easier, for companies to sell insecure software,” Zatko said then—and they sounded no more optimistic in 2018.
“Where’s the equivalent of the National Transportation Safety Board crash test results for the software that you’re consuming?” Zatko asked Tuesday.
He characterized core systems like domain name service, site encryption, and Border Gateway Protocol routing as “public-safety issues” and complained, “Why has this been almost entirely left to the free market to secure and make safe?”
Zatko and Wysopal endorsed mandating disclosure of a product’s bill of materials, including the tools used to create it and the software libraries it embeds.
“If people can start to see what’s inside,” Zatko said, “we can start making informed decisions as to not buying that crap.”
We might not need legislation, if the Federal Trade Commission and other regulatory agencies could step up their enforcement, Thomas suggested.
The government’s existing, flawed security laws—in particular, the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act of 1986—offer one reason to be wary of Congressional action.
Thomas said both laws’ overly broad definitions of computer crime “are overused by overzealous prosecutors.”
The CFAA is “used selectively, and it’s used unevenly,” Zatko concurred, adding that the anticircumvention provisions of the Digital Millennium Copyright Act of 1996, intended to stop digital intellectual-property infringement, suppress security research too.
“We live in a very litigious society,” Grand said. The risk of lawsuits has made security research in some ways riskier than it was in 1998—when every member of L0pht felt compelled to testify under their hacker handles instead of their real names, he said. “Now that I have kids, and I don’t want to go to jail, I’m very nervous.”