Published daily by the Lowy Institute

'LOpht' and the inherent vulnerabilities of the internet

'LOpht' and the inherent vulnerabilities of the internet

Over the past month The Washington Post has published an awesome series on the internet's inherent vulnerabilities, and how its founders never envisioned its users 'attacking one another.' Here is part 1 and part 2. Below are extractions from part 3, which follows the 1990s hacking collective 'LOpht' and its early efforts to get the US Government to pay attention to cybersecurity.

LOpht's main point was this: it was not in the immediate interests of tech companies to make secure hardware and software for users; it was in their interests to get it out the door as fast as possible. Much of the technology the internet is based on, and what we use to browse it, still uses many of these inherently flawed systems. This, in part, explains why hackers have consistently outrun those trying to plug the holes behind them. It's difficult to retrofit a vulnerable system.

First, a description of Lopht's 'loft', where the group worked:

Like the Internet itself, there seemed to be peril on the down-and-out streets all around L0pht’s loft in this pre-gentrification era. But inside was geek heaven, with cast-off computers, a television, a couch, cold beer, a 1980s-vintage “Battlezone” arcade game and a curious array of second-hand mannequins wearing unusual adornments, including a skirt, a gas mask and the charred remnants of a police uniform that the hackers found. In a stroke of luck, the landlord paid the electrical bill each month, keeping an endless lifeline of electrons flowing to what amounted to a power-hungry computer lab.

It's worth reading the series, particularly its scathing indictment of Microsoft: [fold]

Microsoft pulled thousands of engineers off of product development to overhaul the company’s systems for designing and building software. Gates sent one group of officials to a retreat at a historic wooden home more commonly used for weddings, in nearby Bellevue, Wash., about a 15-minute drive from Microsoft’s headquarters in Redmond. Charney said, “Basically some people were sent there and told, don’t come back until you have an answer”...

...But the Internet did not suddenly become secure. The company’s newfound focus on security took years to bear fruit, most notably with the arrival of Windows Vista in 2006 and Office 2010 a few years later. Because of a need for “backward compatibility” — meaning older and newer versions of Microsoft products work easily together — old flaws lingered in the online world for many years after they were fixed in newly released software.

 And finally, one of the original members of the group, 'Weld Pond' or Chris Wysopal, offers this assessment:

Wysopal offered this grim precedent: Cities were once vulnerable to disastrous fires, which raged through dense clusters of mostly wooden buildings. It took a giant fire in Chicago to spur government officials into serious reforms, including limits on new wooden structures, a more robust water supply for suppressing blazes and an overhaul to the city’s fire department.

“The market didn’t solve the problem of cities burning down,” Wysopal said, predicting that Internet security may require a historic disaster to force change. “It seems to me that the market isn’t really going to solve this one on its own.”

But here’s a frightening fact: The push to create tough new fire-safety standards did not start after the Great Chicago Fire in 1871, which killed hundreds of people and left 100,000 homeless. It took a second fire, nearly three years later in 1874, to get officials in Chicago to finally make real changes.

You may also be interested in