photo: www.engadget.com
Although perhaps not well-known today, among cybersecurity professionals of a certain age, mention of the name L0pht Heavy Industries will induce a certain sort of nostalgia. If you can remember the May day in 1998 when the seven current members of the once-famous hacker collective sat in front of a U.S. Congressional committee and testified that they could, in 30 minutes, completely shut down the Internet, then you’re definitely a Gen-Xer with a good memory.
One of those seven men was a long-haired fellow incongruously clad in a conservative gray suit and sitting behind a name plate that read only “Mudge.” After introducing himself and his colleagues, each with equally improbable names and outfits, Mudge went on to calmly describe their typical days at the L0pht offices in Boston: looking through code, at network packets, at computing devices… and devising ways to break into systems using them.
Then, equally calmly, he described to a panel of shocked senators a technique that almost no one had heard of at the time that could completely shut down the Internet, possibly for days on end. He or any single one of his compatriots, Mudge claimed, could unleash that cataclysm.
It was called, he said, a denial of service attack. And, according to Mudge, neither the government nor commercial computer firms were taking it – or most other security threats – seriously enough.
Just over a year later, a hacker used a tool called Trinoo to take the University of Minnesota offline for more than two days with a DoS attack. Since then, many other even larger DoS attacks have indeed shut down parts of the Internet, even taking the entire country of Estonia offline in 2007.
Mudge and the L0pht had been prophets of the coming cybersecurity apocalypse.
A Musical Prodigy Turned Password Cracker
Mudge’s real name was Peiter Zatko and he hadn’t started out as a hacker. Instead, he had graduated at the top of his class from the Berklee School of Music in 1992. But although he could play a mean guitar riff, Zatko’s innate curiosity took him into computer science.
Employed at BBN, the birthplace of the original ARPAnet, when Zatko became involved with L0pht and another well-known hacker and media organization, the Cult of the Dead Cow (cDc) in the mid-90s he thought it prudent to keep his hacking activities anonymous so as not to endanger his job.
But before long, the hacking became the job. Mudge was one of the programmers that had developed the venerable L0phtCrack Windows password cracker. He also authored twenty other technical advisories outlining major security vulnerabilities in major protocols or software packages.
His view, and that of other L0pht and cDc members, was that the best way to address such vulnerabilities was to shine a light on them. Mudge had seen companies consistently sweep private advisories about security problems under the carpet, counting on security through obscurity, the hope that no nefarious attacker would find them.
That hope was consistently proven false, and repeated L0pht projects embarrassing major manufacturers from Sun to Microsoft helped shape today’s culture of frequent security updates and public disclosure of vulnerabilities.
The Face of The Movement Goes Behind The Scenes
Mudge proved to be one of the most articulate spokesmen for the gray hat hacking movement—security researchers working outside the establishment, but on the side of the good guys—and when L0pht made the transition to formal security company @stake in 1999, he went along with them.
He met with President Clinton at a security summit in 2000, discussing the waves of DoS attacks that were then hitting the Internet regularly, just as he had predicted.
After @stake was purchased by security giant Symantec in 2004, Zatko drifted back to BBN, where he worked on other security projects. In 2010, his drift into the security establishment became complete when he took a position at DARPA.
While there, he worked on a variety of projects, many involved with detecting security threats or hardening military networks against penetration. But his belief in the utility of having outside eyes reviewing and testing security protocols was undiminished.
He was placed in charge of a DARPA initiative called Cyber Fast Track (CFT). The program was designed to provide research and funding to security research efforts outside the agency, but with a twist: many of the funded programs were small-scale efforts based out of hackerspaces and maker labs… modern incarnations of the original L0pht. Turnaround for the average CFT contract was only seven days.
A Cybersecurity Pied Piper Marches Toward a Longtime Dream
CFT was phased out in 2013, but for his work at DARPA, Zatko received the Exceptional Public Service Award from the Secretary of Defense, the highest non-career civilian award possible. In 2013 he moved to Google’s Advanced Technology and Projects Division, an in-house skunkworks team with wide latitude to take on ambitious projects with almost any focus.
But two years later, Zatko got the opportunity to take on a project originally advocated by L0pht itself. The Cyber Independent Testing Laboratory, operated by Zatko and his wife (also a one-time BBN researcher) was funded by a DARPA grant in collaboration with the Department of Homeland Security and the technology industry as part of the Obama Administration’s Cybersecurity National Action Plan (CNAP).
The idea behind the initiative was to create an independent testing and standards body for cybersecurity that would operate in the same way that Underwriters Laboratory has long done for electrical and mechanical equipment. By providing safety assurances and standards, CyberUL could address a vast range of widespread vulnerabilities in critical infrastructure… vulnerabilities that are likely to become even more widespread with the advent of the Internet of Things (IoT).
Although the ratings aren’t a reality yet, Mudge has made presentations at Defcon and BlackHat conferences outlining how the system will work, and CITL has collaborated with Consumer Reports on how to assess and present security risks in consumer products.
If it’s successful, it will just be one more case of Mudge pulling the technology industry toward safer waters.