back to article '90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years

It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht* hacker collective famously testified before the US Senate that the internet was hopelessly insecure. Youtube Video Wysopal, now a successful entrepreneur and computer security luminary, recently went back to Capitol Hill, …

  1. hplasm Silver badge
    Meh

    Internet security hasn't improved in 20 years

    In other news, Windows is still a thing.

  2. Anonymous Coward
    Anonymous Coward

    Anyone else have a wonderful sense of nostalgia about those 10-15 years from '85 to 1998, when everything was changing on a daily basis and computing still so exciting. We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi ( is that a word? ).

    Now it seems that the only new things are that some company releases a new website with a variation of an old idea, Trello pushed aside for Monday.com. Or in gaming, it's gone back to who can come up with the biggest market share of a new rip off of Unreal Tournament.

    We can still hack at the grassroots level, there's still fun to be had but somehow it seems that reading about the great times we lived through, for me at any rate, the sparkle of something new in computing each day simply died somewhere back along the road in the late 2000's.

    1. m0rt Silver badge

      RE: Nostalgia - I remember reading a lot about L0pht in 99/2000. I may even remember the senate hearing. Was it in computer weekly? Certain names cetainly popped out, Mudge, Space Rogue - those, and others, certainly came up time and time again.

      Anyone else read, or used to read, Attrition.org? Still going.

    2. Anonymous Coward
      Anonymous Coward

      Nostalgia : absolutely. I got hooked online in 94, after a decade of tinkering on what can only be called computers, and I remember L0phtCrack fondly. I helped me sell the idea of 2FA for VPN connections in the late nineties.

      But if you feel that the “something new each day in computing simply died” you’re doing it wrong. I can still have loads of fun with a Raspberry Pi and my son.

      Let’s face it, we were maybe “collosi”, but only because there were giants before us. Let us now be the giants on whose shoulders our offspring will stand.

      Thus spoke AC, end of sermon (cue tolling bells)

      1. chuckufarley
        Joke

        Nostalgia...

        ...just ain't what it used to be.

    3. Gene Cash Silver badge

      > Anyone else have a wonderful sense of nostalgia

      Nope... because a ton of shit didn't work.

      I remember having to compute modelines to get X11 working for a particular monitor/graphics card combination, and if you got it wrong, you could damage your monitor.

      And while I'm at it, I remember shitty fixed-sync monitors. And monochrome monitors. And burn-in. And focus/degaussing problems.

      I remember the nightmare of getting RS-232 working between devices that weren't a computer and a modem, and playing "guess the pinout" and trying to figure just what parts of the "standard" each side supported.

      I remember slow-as-shit networking. When it worked. I remember Winsock issues.

      I remember if you wanted to play this cool game, you HAD to have THAT graphics card. And not just a particular brand, but a particular model.

      I remember if you wanted something faster than 9600 baud, you had to buy the same brand of modem as the other end of the connection.

      Fuck all that broken shit.

      1. jake Silver badge
        Pint

        It's official, Gene.

        You're a curmudgeon. Welcome to the ranks. Beer? :-)

      2. Aitor 1

        Agree

        Tell everyone to move the 10 base 2 cable.. one of the Ts must be the problem...

    4. AdamWill

      Hmmm.

      "We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi"

      Yes, and look what "we" did. Bit more critical introspection might go a long way there...

    5. nevarre

      You just got old. Don't feel bad, I did too. Things are still exciting as hell, the focal points have just changed a little and I don't have the energy to get as excited about it as I did when I was in my late teens... also, I want my damn flying car!

    6. jake Silver badge

      "We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi"

      Does anybody actually talk like that?

    7. MonkeyCee Silver badge

      Nostalgia

      "Anyone else have a wonderful sense of nostalgia about those 10-15 years from '85 to 1998,"

      Yes. On account of being nearly 40 now :)

      1. ravenviz

        Re: Nostalgia

        I remember when we ‘got the internet’ at work in 1996, Luddite I was sharing the office with’s first comment was, “So, can you get porn on that?”. A quick check at playboy.com revealed that indeed you could!

  3. Robert Helpmann?? Silver badge
    Childcatcher

    Hollywood Education System

    The seat of the US Congress, comprising the Senate and the House of Representatives, for anyone who has never seen an American movie.

    And for those individuals, congrats on getting your education from a more reliable source*.

    *Any other source is a more reliable source

    1. jake Silver badge

      Re: Hollywood Education System

      Any? Facebook? Twitter? (etc., I'll stop. You're welcome.)

      1. hplasm Silver badge
        Holmes

        Re: Hollywood Education System

        " Any? Facebook? Twitter?"

        Secondary sources: Primary Source- Hollywood Movies...

  4. GnuTzu Bronze badge
    Coat

    The Whole Liability Thing

    We're not going to see any significant change in the law until cyber crime and/or cyber war start doing much more damage then they are now. I don't like to put out suggestions that might inspire bad actors, though I wouldn't actually be telling any big secrets. But, some day we're going to start hearing some really horrific things--much more terrifying than any of these mass shootings we're seeing. And, those selling us this technology that we're using are going to have to deal with a seriously angry consumer culture--especially, when the wrongful-death law suites start flying.

    1. Scott Broukell

      Re: The Whole Liability Thing

      @ GnuTzu

      Except that you will most probably find that lawyers acting for, <insert named software/hardware corporation>, can clearly demonstrate beyond any meaningful doubt that any such matters, of which you foretell, are all comprehensively covered in the associated EULA(s).

      You and I et al, as end users, will just have to soldier on and keep paying out for SaaS, together with so-called malware protection and monthly updates. I agree, such outcomes are likely to be very messy, but it won't be the peeps at the top who get shafted, it never is.

    2. nevarre

      Re: The Whole Liability Thing

      We're not going to stop seeing a significant change until people stop using cyber as a prefix for everything technology related.

      1. jake Silver badge

        Re: The Whole Liability Thing

        I actually rather like cyber as a prefix. It's a handy filter ... people who use it are rarely worth listening to from a technological perspective.

      2. ravenviz

        Re: The Whole Liability Thing

        Yay, cyberblockchain!

  5. J.G.Harston Silver badge

    "This is pre-internet, 1992"

    BZZZTTT!! 1992 is *not* pre-internet, I was using the internet in 1987 and existed for over a decade before then. 1992 isn't even pre-web, the web started in 1989.

    1. AdamWill

      bzzt yourself

      "BZZZTTT!! 1992 is *not* pre-internet"

      did you try reading *the next goddamn sentence of the quote* or did you just skip immediately to the comment section with a big smile of anticipation at just how fucking clever you were about to prove yourself to be? That's pretty fking insufferable, you know. Jesus, just keep it in your pants and read the context.

      "This is pre-internet, 1992. If you were on the internet then you've [either] got a corporate or academic connection. I was working at Lotus at the time and I was dabbling with understanding the internet..."

      1. jake Silver badge

        Re: bzzt yourself

        BIX and Delphi both had some commercial Internet access in ''92. I knew of several BBSes that offered shell accounts with full Internet access (such as it was) in late '84 or early '85 ... I ran one of 'em. It was coloed at the old CO on Bryant Street in Palo Alto, which allowed connection to both the NSFNet and the ARPANet via connection to the fledgling BARRNet. Over all of 6 USR HST modems, at a blistering 9,600. And trust me, I was neither corporate nor academic in that venture. My several dozen subscribers paid just barely enough to keep the lights blinkin.

        It wasn't strictly legal, but it wasn't strictly illegal either. The PTB knew what I was doing, and pretty much looked on me as an anomaly that they tolerated with some bemusement. My friends elsewhere with similar setups were seen pretty much the same way. Two of those friends were in Boston. The "brilliant" kids in the loft (I can't bring myself to type skiddie/haxor today, sorry) somehow managed to miss their local resources. Sad, that.

        1. Michael Wojcik Silver badge

          Re: bzzt yourself

          BIX and Delphi both had some commercial Internet access in ''92.

          True, and we could certainly quibble about whether 1992 was pre-commercial-Internet. I think most people who remember the historical details would be more likely to call 1991 the watershed year for commercial Internet; that's when CIX was formed and ANS CO+RE opened for business.

          But 1992 was when ANS and CIX agreed to interconnect, and when the SAT Act changed the NSFNET usage terms to allow general commercial traffic. (There had been limited "experimental" use of NSFNET for some commercial traffic as early as '88.)

          So it's while it's inaccurate to say that there were no commercial Internet users in 1992, most commercial users got connections after that year.

  6. Anonymous Coward
    Anonymous Coward

    Liability

    There is no consequence for writing insecure software. No vendor therefore gives a shit.

    There is also no consequence for deploying that insecure software and not keeping it patched against whatever holes they found last month. The small amount they pay in fines when hacked is still cheaper than mitigating the risk, and customers have very short memories.

    As I've said before:

    All code is written by offshore idiots to the lowest price

    This shitty code is in your medical devices, cars, industrial systems, phones, apps and most devices in your homes. It's present on every website you visit.

    Insecure by negligence and stupidity, it's everywhere in your life.

    But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1%, so fuck you.

    1. Joe_the_geek

      Re: Liability

      Software EULAs that generally very few people read are their protection.

    2. Michael Wojcik Silver badge

      Re: Liability

      All code is written by offshore idiots to the lowest price

      Even just the "offshore" part of this is patently untrue, probably for any continent. I haven't verified that there's anyone writing code in Antarctica at the moment, but unless that's where you live, you're prima facie wrong.

  7. adnim Silver badge

    Well

    Just as a software application has it's exploitable bugs removed and is made secure, more features are added, which are buggy and exploitable. And by the time these newly introduced flaws are fixed, new features are added...

    Humans can be manipulated into breaking secure software or passing on login credentials to strangers just has they always have been.

    Ergo, I am not surprised Internet security has not improved.

    1. Michael Wojcik Silver badge

      Re: Well

      I am not surprised Internet security has not improved.

      There's probably no useful definition of "Internet security" that's acceptable to actual security experts, and claiming the security of any non-trivial system has or has not "improved" is a dubious proposition as well. But under any reasonable threat model, software security has improved significantly over the past few decades, in the senses of removing many prominent branches from the attack tree and increasing costs for attackers. It simply has a long way to go yet.

  8. jake Silver badge

    Security was never intended.

    On Flag Day, January 1, 1983, TehIntraTubes (note: no "Web") switched from NCP to TCP/IP. It wasn't secure. We knew it wasn't secure. And we knew it couldn't be made secure. But that was the entire point ... it was designed to make it easy to share stuff globally, not to block the sharing of that stuff. To this day, it's still not secure, and still can't be made secure. Not without another Flag Day, when we change from TCP/IP to whatever comes next.

    The first Flag Day went without a hitch. The next one will probably be be globally traumatic. I'm not looking forward to it.

  9. bigtreeman

    56k bullshit

    I was smoking some good weed back then and can remember 19k2 was as fast as you got back in 1993, what were you guys smoking ?

    56k modems didn't come out till '98-2000.

    Back in 95 we had a max 28k bulletin board connection to a small local ISP which had an ISDN line back to the local university. Log on daily, do an up/down load then logout.

    1. jake Silver badge

      Re: 56k bullshit

      Switched 56 was still very common back then, and it was also fairly common to split a 2B+D ISDN line with another party (would have been 64K, easy enough to misremember as 56K after 25ish years).

      1. BinkyTheMagicPaperclip Silver badge

        Re: 56k bullshit

        ISDN terminal adapters run at 56K (probably 57600 to match the serial port speed, to be pedantic), an ISDN routed connection runs at 64K per channel. That may account for the memory. Towards the end of dialup this caused problems, because some TAPI profile creators forgot terminal adapter mode existed.

        V.90 was late 90s, yes, because it needed an ISDN endpoint. Plenty of places were still using standard phone lines.

    2. Androgynous Cupboard Silver badge

      Re: 56k bullshit

      I was about to refute that but found an old BBS list, and apparently in 1993 I was in fact dialling the Cave in Wellington NZ at 14400. God, the patience I must have had.

      1. jake Silver badge

        Re: 56k bullshit

        No patience required, it was text only. How fast can you read, anyway?

        And of course, binaries were batched for overnight transfer ... Not a lot of cute cats & pr0n in the days of Procomm & Qmodem[0]. Odd that they were still a good percentage of the traffic, though ...

        [0] tip or cu, if you were more enlightened.

        1. Michael Wojcik Silver badge

          Re: 56k bullshit

          the days of Procomm & Qmodem

          Telebit Trailblazers were my drink of choice, before I had a 56K leased line. SLIP over those for interactive stuff, then drop the SLIP connection and use the modems' uucp g-mode spoofing for bulk transfer. Worked fine for editing code with vim and the like.

  10. DropBear Silver badge

    It's easy to pin this on the Big Bad Companies more than willing to take your money peddling sub-par unfinished wares left and right - and they totally do deserve everything they get blamed for and more; but the truth is* all their cost-cutting and greed contributes to the problem of insecure software only peripherally - it does not create it.

    Simply put, I don't think there's any field of human endeavour where piled-up complexity is comparable even within orders of magnitude with what is happening inside computers today; and it has long ago reached and far exceeded the limit of what we - or the tools we were able to create - can cope with.

    Once it was feasible to write a piece of code on a Spectrum that did all you wanted done and exactly that, without any bugs. It was incredibly hard, but it could be done. It still can be done with a microcontroller with a few kilobytes of RAM and ROM. But not with any OS-driven PC or smartphone, with its gigantic spider-web of layers upon layers of libraries and frameworks and services all full of unforeseen edge cases and imperfect joints.

    And that's only the parts that - against all our efforts such as they are - end up too rickety to support their own weight; we have yet to account for the myriad of other places where the bracing is more or less reasonably sound, but not armour-plated: all the code that manages to not collapse on its own but remains vulnerable to deliberate malicious interference. How much time does it take to create the best, most solid code we can possibly create, such as that governing spaceships and aeroplanes and weapons...? Years and years - and even so that code doesn't typically need to withstand getting picked apart and abused by adversaries, since most of it remains inaccessible to tampering.

    Bottom line, since this rant is getting to long anyway: we would need to stop releasing ANY new software for a whole decade. Everything frozen in time. NO new features whatsoever - none. The world's entire IT industry, only hunting and fixing bugs and vulnerabilities. And you know what? After ten years, having gotten rid of everything we could find, there would still be countless bugs and countless vulnerabilities still remaining in all that code, only now a number of "Y" instead of "X". Not "some". Not "few". Not even necessarily "fewer".

    I don't know what the solution is - what I do know it's definitely not "focus harder", nor "patch harder". Neither of those will ever get us anywhere NEAR "no-bugs" or "no-vulns" nirvana. Not soon - EVER. We need something completely different if we are to ever get there, assuming it is even possible at all...

    * Needless to say, all of the above is "IMHO".

  11. frank 3

    99 bugs on the board today

    99 bugs on the board today, 99 bugs on the board.

    Take one down, fix it quick,

    103 bugs on the board today...

    1. ds6 Bronze badge
      Flame

      Re: 99 bugs on the board today

      What, our bugfix introduced 4 regressions? Better fix that...

      What, our regression patches introduced 19 bugs? Better fix that...

      What, our bugfixes for our regression patch features for our bugfix introduced...

  12. mwnci

    "We the geeks and nerds ran things, we were like gods. The world and his wife all bought a PC or a Mac and they had no idea what to do with any of this kit. We strode the world like colossi"

    Albeit like slightly pedantic, gauche and "on the spectrum" deities ...The hubris in the above is palpable.

    More on topic, Security has improved vastly, but the world has moved on even quicker. Relatively we are still behind, but we are still massively ahead collectively on where we were in the year 2000.

  13. Jabberwocky
    Pint

    9,600 baud? Luxury!

    Looking at the nostalgia over speeds like 56k, 28k and even 9,600, I have my own nostalgic moment remembering back to the early 80's when I bought my first modem for my Commodore 64 to connect to the South African version of Prestel called BelTel which was barely more than text with colours.

    A mini version of the Internet. We did our banking over that and sent electronic messages all over the place as well as connecting to various BBS - I was even a Sysop on one for a while.

    The speed of my modem? Split-speed 75/300! I could type faster than the uplink.

    As mentioned, we did all our personal and business banking over that, with never a thought of security, and never any reports of any miscreants stealing data or funds either.

    *Sigh* the good old days!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019