BreachExchange mailing list archives

The hackers warned us


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Jun 2015 19:29:08 -0600

http://www.durangoherald.com/article/20150623/NEWS04/150629855/-1/taxonomy/The-hackers-warned-us-

The seven young men sitting before some of Capitol Hill’s most powerful
lawmakers weren’t graduate students or junior analysts from some think
tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had
come from the mysterious environs of cyberspace to deliver a terrifying
warning to the world.

Your computers, they told the panel of senators in May 1998, are not safe –
not the software, not the hardware, not the networks that link them
together. The companies that build these things don’t care, the hackers
continued, and they have no reason to care because failure costs them
nothing. And the federal government has neither the skill nor the will to
do anything about it.

“If you’re looking for computer security, then the Internet is not the
place to be,” said Mudge, then 27 and looking like a biblical prophet with
long brown hair flowing past his shoulders. The Internet itself, he added,
could be taken down “by any of the seven individuals seated before you”
with 30 minutes of well-choreographed keystrokes.

The senators – a bipartisan group including John Glenn, Joe Lieberman and
Fred Thompson – nodded gravely, making clear that they understood the
gravity of the situation. “We’re going to have to do something about it,”
Thompson said.

What happened instead was a tragedy of missed opportunity, and 17 years
later the world is still paying the price in rampant insecurity.

The testimony from L0pht, as the hacker group called itself, was among the
most audacious of a rising chorus of warnings delivered in the 1990s as the
Internet was exploding in popularity, well on its way to becoming a potent
global force for communication, commerce and criminality.

Hackers and other computer experts sounded alarms as the World Wide Web
brought the transformative power of computer networking to the masses. This
created a universe of risks for users and the critical real-world systems,
such as power plants, rapidly going online as well.

Officials in Washington and throughout the world failed to forcefully
address these problems as trouble spread across cyberspace, a vast new
frontier of opportunity and lawlessness. Even today, many serious online
intrusions exploit flaws in software first built in that era, such as Adobe
Flash, Oracle’s Java and Microsoft’s Internet Explorer.

“We have the same security problems,” said Space Rogue, whose real name is
Cris Thomas. “There’s a lot more money involved. There’s a lot more
awareness. But the same problems are still there.”

L0pht, born of the bustling hacker scene in the Boston area, rose to
prominence as a flood of new software was introducing such wonders as
sound, animation and interactive games to the Web. This software, which
required access to the core functions of each user’s computer, also gave
hackers new opportunities to manipulate machines from afar.

Breaking into networked computers became so easy that the Internet, long
the realm of idealistic scientists and hobbyists, gradually grew infested
with the most pragmatic of professionals: crooks, scam artists, spies and
cyberwarriors. They exploited computer bugs for profit or other gain while
continually looking for new vulnerabilities.

Tech companies sometimes scrambled to fix problems – often after hackers or
academic researchers revealed them publicly – but few companies were
willing to undertake the costly overhauls necessary to make their systems
significantly more secure against future attacks. Their profits depended on
other factors, such as providing consumers new features, not warding off
hackers.

“In the real world, people only invest money to solve real problems, as
opposed to hypothetical ones,” said Dan Wallach, a Rice University computer
science professor who has been studying online threats since the 1990s.
“The thing that you’re selling is not security. The thing that you’re
selling is something else.”