L0pht at the Senate: Perspectives on the Past and the Future by Peter The Great When I entered the briefing room in the Dirksen Senate building at 9:30am, oak and elegance surrounding my shabby summer-clothed body, I couldn't shake the thought that this event would be remembered as a significant turning point for the hacker community. The senate Committee on Governmental Affairs was about to hold a hearing on computer security failures in government systems which would be attended by the seven members of the now-famous L0pht think tank. All around me reporters in suits and smart skirts readied themselves for the conference and cameras were positioned to record the event. I took a seat in the left rear of the audience, and slouched comfortably. As I mulled over the significance of this event in my head, imagining what it might be like in a generation or two when the field of 'hacking' fully matures -- when its methods merit the precise classification presently accorded to science and engineering -- when its primitive 'cons' evolve towards academic conferences akin to IEEE or ACS events, I had to take a moment to reminisce about the 'good old days'. I first met members of the L0pht on the board scene in Boston (617) around 1990. In those years we were certainly juveniles. I was 16, Kingpin was 15, and the underground scene we inhabited was, if nothing else, alive and vibrant. Information seemed to abound. Journals written in 206, 713, 617 (most notably the RL) and elsewhere flourished. Posts to the boards were spirited and laden with salacious facts, and the conference calls could last all night. Everyone we knew, it seemed, was exploring some aspect of 'the scene' with an approach that mixed academic methodologies with lawless pragmatism. Fundamentals of System Penetration may as well have been a lecture course. Reading the abundant literature already available on the subject we would scan entire exchanges, catalog the carriers, and explore each one on the list. To do so was endlessly thrilling. You never knew what you might happen across with scans like this and penetration was surprisingly frequent. One might find a hotel whose reservations system was online for some reason and penetrable with a simple brute force attempt. One might find a food wholesaler who neglected to put a password on the root account of his primitive unix system. You might find a health club whose registration records were stored as simple text files in an old-style Prime OS. Anything might pop up. You never knew until you screwed around with them and every time was an adventure. The codes and cards scene in Boston at that time, as in my home state of Washington (206), was even more prolific and could only be properly described as decadent and utterly reckless. If you didn't know three or four people who were pirating all manner of consumer goods by some devious means then surely you were in the minority. If you weren't doing it yourself it was only a matter of time. Credit card numbers (and indeed entire credit reports) scammed from CBI, from hacked systems, and even the classic dumpster approach proliferated with no control. Archives grew, password lists grew, user lists to the boards grew, and enthusiasm was boundless. We hacked long distance codes for the various 950s and 800 services in vogue at the time on our lunchbreaks from school and they were passed around with such abandon that I thought little more of calling a board across the country in Boston for an hour and a half than I would of calling a local board in 206. It just didn't matter. It was insane. Too insane. It had to stop. For me, the end came with an arrest in 1992. Doped up on adrenaline and farvergnugen, a foolishly bold and ill- planned credit card scam of mine went awry and brought my world tumbling down around me. I was a senior in high school then and, despite the best efforts of my overpaid attorney (courtesy of my parents: Thanks Dad!), I had to spend a bit of my summer in the sterling correctional facilities of the King County youth detention center in Seattle. That was the end of my serious involvement with underground activity. I wasn't reformed but rather, in the words of Al Pacino in Carlito's Way, I had just gotten "tired". News of my bust had been made public along with my real name and handle and everyone in my small suburban town knew of my troubles. The teachers at school regarded me with contempt, the local cops began to pull me over 'just to chat' and issued me citations for everything under the sun and my internment in juvy left me shamed to say the least. Once freed, I left suburbia for academia and have resided there ever since. I moved on from fraud to physics and from scanning exchanges to simulating circuits. I finished a B.S. in electrical engineering in 1997 and am now undertaking graduate work at a well- respected school in the mid-Atlantic. For some of the others however, inspite of similar arrests, the decadence of 'the day' ended not catastrophically but gradually, and ultimately evolved into something which I can only liken to the academia which now surrounds me. Others it seems kept the faith. Kingpin for example had always been interested in electronics. Even in the days that engulfed our souls with chaos I recall his tinkerings with the analog cell phones of that period (and other communications equipment) and with magnetic encoding and keeping his cool while he did it. He always was smooth. Indeed after the Fall, as it were, Kingpin undertook the study of electrical engineering just as I had, but with one great difference. Whereas I had occupied the free time of my undergraduate years with a study of English literature and classical Latin, studying engineering merely for expedience in attaining post-graduation employment, Kingpin engrossed himself in the world of engineering and pursued his studies and his hobbies with vigor. The result need not be described here, for it is seen in his work with the L0pht. The POCSAG decoder, the wireless IP network, and the L0pht security briefs all speak beyond my capacity to the level of evolution that Kingpin and others have undergone since the collectively mad days of our youth. Returning now to the senate, it's 9:45 am, and the hearing is to begin at 10:00 am. Reporters are shuffling in regularly now and chatting with their colleagues. Sitting silent and slouched, I realize that in all the audience, I am the only one not wearing a suit. I had expected a few active hackers (sporting body piercings and alternative hairstyles) or at least some school kids to show up for the hearing but it seems this was not to be. This was a crowd almost exclusively of journalists. At about 9:50, the L0pht boys filed in and took their seats in the reserved section behind the large tables that would seat them during their testimony. Peter Neumann, also a featured speaker, sat comfortably among them. On my end, an adorable woman in a smart red business suit sat beside me, to my left, and commented as she settled in that she "thought hackers didn't wear suits". I laughed and she smiled and introduced herself as "Kelly". Her hand was warm, I noticed, and her countenance was truly delightful. She asked what had brought me here (obviously I didn't belong since I didn't wear a suit) and I told her that I had once known one of the L0pht members. "So then, you're hear to observe", she said, and I nodded, stunned by her beauty. She began then to fetch items from the bag she'd lain to her left and I shamelessly enjoyed a view of her figure. Her calves were as if sculpted from a dream, I thought, and her petite waist was so stunning in the suit she'd chosen that indeed I doubted a more beautiful woman has ever walked the earth. As she resumed her posture and crossed her legs to facilitate notetaking, her summer-length skirt exposed her right thigh almost to her buttocks. As I glanced down upon this, I almost lost control. Fortunately I had had little sleep the night before and thus I rested my eyes until the presentation began. I kept thinking "calm blue ocean... calm blue ocean.." The hearing commenced with Senator Thompson introducing the panel of senators and the guests. He said, with some laughter from the audience, that "considering the nature of their work", the L0pht men would "use their hacker names". And then invited Peter Neumann to give his spiel. Neumann spoke of insecurities existing in many networks due primarily to their interconnectivity and their use of insecure antiquated protocols. Under examination from the panel, he gave the impression that security in many government and commercial networks was trivial at best, virtually nonexistent at worst. To the panel's disappointment however, Neumann had "no easy answer" to the question posed him directly about how society should best address these security issues. He was asked what three or four ways he would attempt to solve the government's security problems should he, hypothetically, be made the US Computer Czar. To this, he re-iterated the notion that absolute security is unattainable but pointed out that existing encryption and secure verification technology is quite good but seldom brought maximally to bear. He repeatedly pointed out that commercial entities have little to gain by making their systems (or their software products) truly 'robust', which he defined as possessing of backups and strong security features to defend against non-trivial physical and electronic attacks. Though he didn't state it explicitly, he implied that it might be a proper role for government to provide such incentives through legislation. Wouldn't that be grand, I thought, maybe the government will pay Microsoft to force an OS which doesn't suck down our throats and everyone's tax dollars can support Bill directly! Rah! Oh Mickey you're so fine! As Neumann concluded and the L0pht members took the stage, I felt as though time had slipped back three centuries and I sat watching the colonial government's first meetings with the Indians. The seven had the aura of warriors, scarred from battle, seated now in council to make peace with the opposition. Indeed the analogy grew as Mudge, seated center among them, began his testimony. He cordially thanked the panel for having invited the L0pht to speak and introduced each his fellows. Following this, Mudge gave a short, elegant statement which set the tone for the rest of the day's talks. He expressed his hope for an end to the mutual animosity that has long existed between the hacker community and the government and his sincere desire that the ensuing dialogue would pave the way towards civility and further collaboration between the two sides. This was a beautiful moment. It was as if a firm hand of friendship was being extended from the hacker community to the senate. I was moved, truly. Mudge then explained the nature of the L0pht organization, and each member gave an account of his background and a summary of his work with the L0pht. Mudge characterized the L0pht primarily as an advocacy group for consumer rights in a techno-pervasive age, a sort of Consumer Reports for systems and software. Under questioning from the panel, L0pht gave a more optimistic outlook for future security than Neumann had. They knew, from experience and contacts, that steady improvement in the state of the security of any system could best be achieved by incrementally "raising the bar", to heighten the level of expertise required to penetrate a system. "To raise the noise floor", and to do so with your opponents' techniques in mind was the underlying theme in their testimony. As the L0pht concluded, the senators accepted, it seems, their offer of friendship. In closing, the L0pht were likened to modern-day Paul Reveres, boldly warning the public of impending dangers. With this statement, I knew things would forever be changed. The US Senate was openly embracing the techniques of the hacker as an important tool for national security. They honored the hacker's culture of anonymity by allowing the L0pht to be identified by their handles, and they expressed a desire for future collaboration -- open collaboration -- between hacker groups and the government. More significantly, they embraced not the work of an isolated hacker, threatened with imprisonment and made to ply his trade for the man under gross duress, but a self-funded, benevolent group of hackers operating in the classical sense. They had come, it seems, through the turmoil of the past decades and the hard realization of our dependence on technology, to accept hackers as a national asset and not as a national menace. This acceptance could lead future hackers in any number of unlikely directions. We could we see government funding allocated for "Research...by means of the Classical Hack" on security issues. We could see the appointment of a computer Czar. We could see this Czar's noblemen drawn from the ranks of the hacker community and known to the adoring public by their handles. Who knows where else collaboration might lead but it's bound to be a brave new world. Following the hearing, Kingpin, Brian Oblivion, Weld Pond, and I went out for some air while Kelly interviewed Mudge behind a CNN camera. That Mudge, I thought. He gets all the chicks. Weld Pond lit a smoke, a Marlboro Medium, and I had to bum a drag. As I exhaled with a cough, Kingpin cocked his head left at a party of young ladies entering the building. "That's it", he said, "we're moving operations to DC." Indeed. I thought to myself. Indeed. -Peter The Great obloquor@yahoo.com This article is Copyright 1998 Peter The Great and is reprinted by permission.