Transcription of L0pht Testimony
Senator Thompson: And if you got the testimony this morning… if there are any points, in the process, that you want to make, very briefly, with regard to some of the previous questions or testimonies, feel free to do that also.
Mudge: Definitely will..
Weld: Huh! Good morning, my name is Weld Pun, I’m a hacker, programmer, 13 yrs experience, working as a software developer, in the soft commercial software industry. My college training is as a Computer engineer. At the L0pht I specialize in writing software programs for exploiting computer network security and operating systems security. My current projects include; finding vulnerabilities in Microsoft windows, anti-security. I am actively working on L0pht Crack, a program that we’ve created to exploit the weaknesses in windows, and to use anti-password security. We just use cryptography to secure the passwords but we have found vulnerabilities in their implementation. These programs have been extremely well received by the military government and corporate security groups, who use it to test their own passwords for weaknesses. Ehm! Prior to the release of this program, security experts claim to have taken thousands of years to uncover windows anti-password, our program can do it in days and sometimes, some cases, hours.
As a licensed amateur radio operator, I also enjoy radio communications. Future project plan is collaborating with the L0pht hardware people to create secure public wireless networks, something we’re very interested in.
Kingpin: Good morning! my name is King Pin, I am the youngest member of the L0pht and one of the electrical engineers and hardware hackers. Some of the L0pht members concentrate on software programming, I work with hardware design and implementation of electronic circuits. My interests include embedded system design, surveillance and counter-surveillance tools, and wireless data transmissions. My current research project involves experimentation with the monitoring and eavesdropping of stray electromagnetic fields from computer terminals, otherwise known as Tempest Monitoring. Using low cost electronic equipments, one can capture the contents of computer screens from more than 200km away, possibly gaining passwords and other sensitive information. The phenomenon of Tempest monitoring has been known to the industry for decades but there’s not much unclassified information available on how to both capture the omissions, and also protect oneself from becoming an eavesdropping victim. My research will not only help me learn about the monitoring technology, it’ll enable me to educate others to help them protect their computer systems from prying eyes.
John Tan: My name is John Tan, at 28, I’ve been involved with computers, telecommunications and security for 14 yrs now, the last it of which have been spent in the financial services industry. My involvement with the L0pht is primarily been nondescript but I have achieved some notoriety in terms of documentation of some of the existing problems of Novell Netware, and a compilation of manually created Palm pilot document library. Recently, I have consulted for various manufacturing financial services and management-consulting firms regarding information securing policy, and how to establish a corporate security effort. I will continue in the future to pursue an understanding of the rest to the information age and communicate those findings to the government, the industry, and the media to provide a clear consistent message of where we are and where we need to go.
Space Rogue: Good morning! I am Space Rouge, although my background contains no formal computer training, I amassed a great deal of knowledge in the area of computer security, and the use of technology applications in the area of physical security. Currently, I am working on assessing the vulnerabilities in various proximity detection devices such as those used by EZ Pass, —, and controlled assess cards. In conjunction with Stephen Von Neumann, seated here today and others of the hacking community, — seeking vulnerabilities in Apple’s share IP by Apple computers. I wish to take this opportunity to thank members of this community for inviting us here today.
Brian Oblivion: My pen name is Brian oblivion. My focus currently is microprocessor system design, satellite communications equipment, wireless communications architecture, and systems administration. Over the past few years, I’ve conducted research on cellular networks, exploring the encrypted the data channels and the protocols explored — bypassed hardware-based 9 cryptographic, authentication used to track call expenses. Recently, I’m researching various digital coding methodologies involving both dedicated hardware and software analysis via digital signal processor. This will result in the exposing of claimed secure wireless messaging and communications systems and thus increasing the requirement of a more secure communications infrastructure. As an amateur radio operator, I am exploring authentication methods for amateur radio data networks. Technology developed in this area arena will be applied to commercial wireless networking products, protocols and equipments that we utilize not only authentication but encryption of the radio channel as well. The L0pht for me provides the much-needed avenue for the dissemination of the present state of insecurity of various consumer-networking products. If it wasn’t for groups such as ours and other motivated individuals in the security community, the state of awareness we have today would be years behind. Thank you!
Stephen Von Neumann: My name is Stephen Von Neumann, I have working with the L0pht since 1993, focusing primarily on high power electronics, flaws in data networks and increasing convergence of power distribution and data distribution. My professional background includes supporting users on common computing products and networks which gives me first hand experience with how relatively unaware of computing risks most users are. Even worst for software publishers, Internet providers and utility companies are tight-lipped about flaws or risks inherent in products and services that touch the daily lives of most Americans. For example in many areas the country including Boston-area, electric utility companies are using radio transmissions and/or power lines to transmit data, meter data, from customers locations. The same utility companies are also using such data transmissions for controlling their power systems. Even public water companies are using radio transmissions for controlling our water systems. In the same way that the so-called phantom controller was able to impersonate an airport control tower and issue instructions to a pilot, one could impersonate a legitimate utility company and disrupt water or electric service. Another example is Internet data sent over cable television systems. Most customers of these services are not aware of the potential for another user to watch their “private” communications across the cable TV network and worse the users are not aware of the possibility that an improperly configured computer could make available their data without their knowledge. I would personally like to see the same type of independent review process that should exist for software companies extended to utility companies and Internet service providers. Finally customers and end-users should be made aware of the risks. Thank you for having us here!
Mudge: I am one of the network system — at the L0pht, basically I am the person who breaks into
the systems and undermines the network security and that’s what I do with my day job… companies like that. Some of my previous projects were L0pht crack, along with Weld Pun in which we developed a tool for showing administrators and users the insecurities in Microsoft passwords. I’ve released several security advisories on various pieces of commercial software, which has prompted vendor patches, which means they improved the software after we pointed out to them. Unfortunately, many times they would not improve the software until we actually went public with the findings, companies do indeed want to ignore problems as long as possible it’s cheaper for them. Recently, I conducted training courses at NASA’s geo-propulsion lab to try and raise their level of awareness as to the vulnerabilities especially with the name brand recognition. In the very near future, I’ll be conducting training courses over the NSA. Shortly after that, the L0pht will be releasing a white paper on new cryptographic weaknesses that I along with one other top United States cryptographers have found in a very prominent commercial operating system which remain nameless.
If you’re looking for computer security then the Internet is not the place to be. If you think that you’re an exception to the normardy to have a secure setup to communicate over the Internet you probably mistaken. Further more, if you feel that the government is giving you access to the enabling technology you need to combat this problem you’re wrong yet again. The foundation of the Internet is over 20 years old at this point and while the technology still works it’s being asked to perform tasks that was never intended to via secure fashions nonetheless. How can we be expected to protect the system and the network when either of the seven individuals seated before you can tear down the foundation that the network was built upon, let alone the systems that are sitting on top of it. So even if computer systems and other peripherals on the network were secure, the problem still moves. Can the systems be secured? Well in many cases they actually can be for instance the problem with the enemy air traffic controllers could be remedied by incorporating relatively trivial an inexpensive cryptographically secure authentication. The same would hold true for MDC 4800, which is protocol most commonly, used by mobile police data terminals to remotely pull an update records. Personal paging protocols? Yeah! Everybody has little personal pager now day, such as —, which the White House communications agency uses to coordinate movement of the president, would also benefit from this relatively trivial modification. Why don’t strong authentication properties exist in these protocols? Most likely the same reason that simple security mechanisms are missing from all of the software or almost all the software sold corporations and agencies today, it’s cheaper and its easier for companies to sell in secure software. There’s no liability attached to the manufactures and there’s no policing done to stop companies from selling and secure software under the guise of secure.
In an industry where ‘time to market’ matters, who wants or cares to add security or even thoroughly test the product? Now, you should you the government consumer should carry or want software products to include security authentication mechanisms and I think you do. You should incur the companies to include this in their products and hold them liable when the products fail. There are parts to the situation that the government can directly help. Lived in the constraints on cryptographic export would encourage companies to more readily include authentication encryption in the products, the Cellular Telecommunications Protection Act is an example legislation that is in place right now that hinders consumer watch groups such as ourselves, I’m just perpetuating the insecurity status quo that’s out there.
In conclusion, hopefully you having us here is not a fluke and hopefully we’ve not offended in anyway, but this might be the beginning of an ongoing dialogue between the government and hacker groups such as ourselves. Perhaps the information from such meetings will end up becoming an enabling mechanism for future change that will help organizations of all sizes not just large government organizations. We encourage you to read the written testimony and we are more than happy to answer any questions in as much detail where technical detail or non-technical detail as you see fit and expel to clarify upon any concerns. Thank you very much.
Senator Thompson: Thank you very much. And you’ve not offended any of us, and just the contrary I think it’s probably appropriate the gentleman such as yourself are the ones who want to come forward and demonstrate that the emperor has no clothes. So we appreciate your coming here, especially, I love the fact that the Washington post describes you as rock stars on the computer hacking elite. So we appreciate you’re being with us here today. I am informed that, you think that within 30 minutes the seven of you could make the internet unusable for the entire nation, is that correct?
Mudge: That’s correct. Actually one of us with just a few packets. We’ve told a few agencies about this, it’s kinda funny because we think that this is something that the various government agency should be actively going after, we know that the Department of Defense at very large, investigation into what’s known as denial of service attacks against the infrastructure. In our various day jobs we contributed a large portion of the information to that actual investigation. Much to our chagrin, the learning from it were instantly classified which we were giving them largely public information. It is very trivial with the whole protocols to segregate and separate the different major long-haul providers which would then be the national access points, the metropolitan area, ether sections, AT&T can talk MCI can talk to PSI net can talk to alternate et cetera et cetera and keep it down that way as long as we really wanted to. It would definitely take a few days for people to figure out what was going on.
Senator Thompson: You state that, with regard to commerce over the Internet, which is a rapidly growing as we all know, that the internet was not designed for it. What you mean by that?
Mudge: The internet was designed out of the Defense Department Advanced Research Project agency to simply have computers talk to each other. This was a very laudable act; a very laudable goal and I think they succeeded fantastically. This was largely an academic environment with some government research organizations, it drew up, it flourished, it struck everybody by surprise and now big businesses saying let’s jump on board and make some money off of this. Well! you know this this is kinda like, you’ve be driven in Boston, you know the streets are tremendously designed in a wonderful fashion because they follow the cars around and laid the pavement down. I mean, you can get it to work but it can be really painful and that’s the stage we’re in right now.
Senator Thompson: You say that you’ve been working with the some governmental agencies with regards to some of these problems, and of course with commercial and traditional. It occurs to me in listening to you and listening to our prior witness that there doesn’t seem to be an inducement for industry to do much about this at this stage the game, is what you’re saying essentially isn’t?
Senator: And I hope that there are some more forward-looking people as some of these industries that we’ve had in times past. You can look at the mobile industry or the tobacco industry and a number of industries. We’ve kept our heads in the sand — executives about problems on the horizon and uh this is going to be something as much as we dislike lawsuits and there’s too many of them in this country, this is clearly going to be something that is going to hit somebody big-time, one these days before day long and hopefully it won’t take economic disaster you know, the calls and all that. But you can see it on the rise in, can’t you? I mean they’re gonna have to come to terms with the fact that their ability to do something about this is out there and they’re turning their backs on the way to make their systems more secure than not doing and we’re gonna be clearly having to answer for that. You say that the Internet and commute computer security is almost non-existent, could you elaborate on that a moment? What more do you mean literally?
Mudge: There are many aspects that make that up. The operating system says, we just heard testimony from Dr. Nueman, very correctly they aren’t incorporating any sort of real security mechanisms, there is a lack of education, there’s a lack of understanding as to what the problems are out there, there are no mechanisms for places to keep abreast of current findings. I mean, the security rail network security in particular is very rapidly changing so it’s kind of difficult. It’s not like with the cars, What’s the analogy? Somebody give the recall, they send you a letter if your Ford Explorer is going to have a very serious problem. The number of operating systems out there, they aren’t sending people letters, they’re saying you have to do your own due diligence and come to us and find out what we’ve made publicly available or what we’ve decided to alert you to, at the same time keep in mind that if we don’t alert you to it, we save a lot of money and we save our top engineers times by not having to throw them at the product where they can add new bells and whistles and to whatever…
Space Rogue: The analogy is… the Volkswagen battle just got recalled; evidently they found 3 cars that had a problem, 3. They didn’t cause any serious deaths or injuries, but they just found 3 potential problems in the vehicles. They sent out 8,500 letters to every purchaser of the vehicle in United States. If there’s a software company that has 3 hack attempts against with three successful hack attempts against it’s particular piece of software or operating system, they’re not gonna go call every single one of their people that just spent a lot of money to buy their software, telling them, hey! There’s a problem and we need to call back our software so we could fix it… right now it doesn’t happen.
Weld Pond: Some other problems that are found are reported to the manufacturers and they don’t even make a fix publicly available. They work on the fix internally and if you have the same problem and you come to them and you say, you know, I’m getting broken into someone’s attacking my system in this way. They’ll say, okay! We have this behind the scenes fix that you can apply to your system but we haven’t even made it publicly available yet and until the problem mushrooms up and enough people complain about it then they’ll come out with the public fix but if it’s behind-the-scenes people this contacting the manufacturer, we’ve seen that they don’t really come public and even tell the other users of this system that the problem exists and here’s the fix for it.
Mudge: This is one of the main problems with the computer emergency response team.
Brian Oblivion: In the industry where the systems administrators claim that the software provided them isn’t shipped in a secure manner the industry says that they shouldn’t be responsible for that and I’m not quite sure because I’m not a lawyer even in nearly skilled in political matters but I don’t know if there’s any legislation that can could fix the liability problem, I don’t know, but I
know that this is one of the issues out there.
Kingpin: I just want to add one thing to that, in the point of liability, the car manufactures will be and are held liable if something goes wrong in a product. If something goes wrong in one of the ten thousand cars, and it explodes they will be held liable. If something breaks in the software the companies aren’t held liable and they feel, why? You know why did they have to tell people when they are not responsible?
Weld Pond: Just another, — analogy which we’ve found which sort of makes sense is some; Kryptonite makes bicycle locks and they say our lock is so good if your bike get’s stolen, it’s a $30 -40 locket, if your bike gets stolen will pay up to a thousand dollars to replace your bicycle. So, basically they’re saying our security works and we’d stand behind it, software vendors do not stand behind their security. They say, well if it’s broken then the problems maybe we will fix it but if you lose thousands of dollars, say you have an e-commerce site up on the Internet your whole business is built around their software which they’ve told you is secure they’ve told the only bad at all these great features and you can run your business on our software and then your business fails because of their… they caused your business to fail essentially if it’s ecommerce, your site’s down you know making money they say sorry!
Mudge: one of the things about the Kryptonite locks is, they’re not unbreakable and they’re not un-pickable, and the company knows that but they’ve raised the bar. They’ve raised enough that the ankle biters, the novices, you know, will go to the next bike that’s on lock. The same thing with car alarms, you get a discount on your insurance for doing or performing due diligence. You just raise the bar and you get a get away from the noise level.
Senator Thompson: Thank you very much. I have one more question, and all the other members have questions. Part of what you’re trying to do is demonstrate something that you feel like the American people need to know and that’s part of our job also and I’m curious… if a foreign government was able to assemble a group of gentlemen such as yourself, and paid them large amounts of money and got them in here or hired him here to wreak as much havoc on this government as they could in terms of infrastructure, the governmental operations, whatever! how much damage can they do?
Mudge: We’ve had some of your aides come to talk to us to source us out at the beginning and I think they were relatively impressed with what we’ve managed to put together without any funding whatsoever. Brian do you want to talk about some of the satellite communications or let alone just taking us down from the financial aspects. There’s so many different ways that havoc could be wrecked.
Brian Oblivion: Regarding satellite communications, you could, if you’re highly paid enough, you could assemble jamming gear to temporarily knockout uplinks, you could the take an area, I’m sure you’re aware of like the — guns and the EMP blasts and typical informational warfare, it’s more on the physical level rather than just the information security where you would be able to disable equipment by generating high energy pulse, and disable the clock which controls everything in the computer system to malfunction…
Senator Thompson: What would be the effect of that?
Brian Oblivion: …it would be like, well! it depends on equipment. It would be… You could do it to a telephone switch or, generally, national access points for the Internet or in unshielded buildings sometimes they’re in just regular commercial buildings without any type of electromagnetic protection.
Senator Thompson: What would be the effect of that? How would we feel that?
Brian Oblivion: You would feel that by an instant disruption of Internet service on that point including…
Senator Thompson: What’s another area?
Mudge: I’ll let Kingpin talk about Tempest… Some of the areas that you could, should worry about, our new phone systems are down, the electricity is gone and your financial markets? We recently had a very close call on the financial markets. The disruption of services is a wonderful way of messing people up. And in addition, by disrupting service in certain patterns you can force people to take other routes. Let’s say that I have taken over MCI’s networks which would not be a tremendously difficult thing to do, I mean, most people can get access to the metropolitan area — in the national access points, physical access even. So, I can watch everything that goes through this major backbone providers transitory networks but I can’t watch Sprint. Well! What am I gonna do? I’ll disrupts Sprint service so that everybody routes through me now I can learn everything you’re doing, I can watch your movements, I can stop your movements, I can issue requests on your behalf. You’d be surprised how much stuff is tied to the general networks now.
Space Rogue: I think if a Nations State funded a group of people to attack the United States electronically, the number of systems that can be disrupted a compromised is so great that it would probably wreak a lot of havoc in the country. Whether or not the country can recover from that in inadequate period of time or defend against it is a good question. But there’s definitely some potential there for her abuse.
Kingpin: Mentioned in my initial statement about Tempest monitoring which would allow outsiders or insiders to receive emissions from computer terminals. One can see the screens of people’s… the can read the email safe off the screen or maybe if they’re accessing some confidential system or looking up some kind of criminal records or something like that. And the outside or inside or intruder could then become familiar with the system and access it in a different way.
Mudge: What would you do to them with the mobile data terminal stuff?
Kingpin: With the mobile data terminal, the same type of thing can happen. You can either intercept the dated via just wireless transmissions or you can monitor the terminals with tempest technology and by just monitoring the transmissions you can view what the police are transmitting and receiving about criminals or internal government agencies are or something…
Senator Glenn: Thanks much gentlemen. I think I had, — names here, but I think I had the pleasure of talking to a couple of you gentlemen some 24 years ago in a different venue and that was a fascinating conversation and this fascinating this morning. I’m not quite clear now, does the L0pht do this on a business basis now too? Or you just amateurs that get together doing this… because it says in your testimony here, “Space — what you do is to have fun, pushing the envelope, examining security systems, providing full disclosure to all those in the security industry our findings.” Is this strictly an amateur group or you are available for hire from people who wanted to avail themselves of your expertise?
Mudge: We’ve been a strictly amateur group for a long time, it’s a very monetarily taxing for us so…
Senator Glenn: You all have day jobs
Mudge: We all have day jobs and this all comes out of our pockets, for all the equipment that we try and salvage together and the different projects we want to learn about. We do one, the purse strings become very tight, go out the and take consulting jobs or/and do different consulting works. Quite unhappy that you can’t help a lot of people out, unfortunately a lot of people are scared to come talk to us, we have to end up beating people over the head publicly in order to get them to even fix their problems which doesn’t endear with them tremendously.
Senator Glenn: Let me expand the area of vulnerability just a little bit here and get your comments on this. A sink of communications satellites here and talking about that, can you get into the command structure, the command signals that look to position those satellites, could you relocate them and foul up the whole system not by destroying them or by fouling up the computers necessary but take him out their positions.
Brian Oblivion: Actually, companies like Comsat and other — telemetry command control systems are using authentication for their command structure which is what we would recommend to other more commercial, or actually just the other areas of Wireless telemetry in control. That would increase the bar of the state of security of radio-controlled to entry system.
Senator Glenn: How about the GPS system? is it vulnerable also? The global positioning system, we’re going to be relying a lot more on that, we’re relying on that for some weapons systems are used to be highly classified now there’s been lot of writings about them. We’re using that to tremendously increased degree these days for our military and for commercial aviation, everything else. I have a little Magellan hand-held I use model airplane flying back and forth and it’s great.
Space Rogue: The problem with GPS is very weak signal, it’s very easy to jam that signal. As a matter of fact, there was an incident few months ago in upstate New York where a test was being conducted by the Air Force. The test unbeknownst to the Air Force personnel was interfering with the GPS signals of two aircraft landing in New Jersey, luckily it was during the daytime and the aircraft was trying to rely on GPS signals to land but they lost their GPS so they went on and man-landed that way.
Senator Glenn: — to get into the GPS system and actually relocate some of those satellites slightly which would throw off up a large and screw up all the information that you’re getting, is that possible?
Brian Oblivion: Traditionally the military has been very good about authentication methods on telemetry, and command and control systems. So, I think you’d be more your worried about setting up, you know, 2.6 gigahertz Kammer rather than somebody actually moving the satellites round or colliding them in a manner…
Senator Glenn: …easier to jam it than relocate it.
Dr. Neumann: on August 21st, I believe it is 1999 a lot of the receivers sale, they have a year 2000 type problem, where they run out of bits and it resets to January 1980, just thought I would toss that one in.
Senator Glenn: Don’t be flying that day if I want to be going where I’m supposed to be going is what your telling me, I’ll check that one out. How about could you get in and transfer Federal Reserve funds to someplace?
Mudge: Just about everything is possible it depends on how much money wanna throw at it, time and effort. From the amount of time and effort and the money which is non-existent for us and the fact that we know we like not being in jail, we’d say No we wouldn’t do that if we really wanted to and really had to, Yes! Because if you make it easy enough for yourself or somebody else to use it you make it vulnerable.
Senator Glenn: I look at you guys as the white hats in this whole thing. Yeah! I think your motivations as far as I know is excellent, I think you wanna be considered that way. But let’s say we have a bunch of bad guys now, can you with your expertise, trackback and find out who the bad guys if they are trying to foul up GPS for federal reserve or something else, can you track that back and locate the people that are not of good will?
Mudge: Backtracking, reverse hacking is a relatively tricky area. Based upon the route to the antiquated protocols that you’re dealing with, there’s not a tremendous amount of information as to where things came from just that they came. It’s kinda like, you know, giving confession to a priest, you have this big blind in between you and you’re just hoping and trusting that the person is actually there listening to you and that they can do anything about it you.
Space Rogue: …no return address and nothing inside you receive something but there’s no way to know where it came from.
Senator Glenn: Okay! That’s what I’m afraid of. Mr. Neumann is still here and I think his answer when I asked, is a secure system possible? that could not be actin, I think his answers was he didn’t think so. Do you gentlemen agree with that? Do you think a system can be designed that would be fool proof that we could use for defense and for key elements such as the northeast grid or our financial, the Federal Reserve or whatever is it possible to design a foolproof system?
Space Rogue: I don’t think it’s possible to design a foolproof system but I don’t think that should be the goal. The goal should be to make it very difficult to get in. The more difficult you make it the less risk you assume from someone, foreign nation state or teenage kid from breaking into that system. So that the goal is to raise the bar and then have a plan to reconstitute after that fact if it does happen.
Senator Glenn: Mr. Neumann I think maybe you’re in power distribution, I think you said so. Can you blow a computer? Can you overpower it? Can you put enough material in it and just blow it? You don’t need to worry about getting the material up for fouling up and just put it in and blow up the computer. Can you do that?
Stephen Von Neumann: Not so much an issue of blowing a computer, destroying it over power line, there’s high energy radio frequency, there’s EMP they can do that from means other than a power line. Maybe more of a concern would be interruption of power. We were in the course of one of our investigations, able to use a power interruption that was nothing to do with us, it happened to be — but to our benefit. A power interruption that was and deliberate could be.
Other Member: I want to think so much of overpowering, so many high power electric currents coming in I was thinking of getting in and fouling up circuits in such a way that will dump its programming and things like that, can you do that?
Stephen Von Neumann: Yes! Mudge care talk about buffer overflow?
Mudge: I think what, maybe they’re talking a bit more about bit shifting in. There’s been a tremendous amount of improvement in actual analysis of cryptographic protocols by bombarding with X-rays to actually flip bits inside. The trick is to be able to control this little black box and watch the information you’re sending in and the information that you getting out from it. As you change it — even if you don’t necessarily know what you’re changing, precisely. Buffer overflows are extremely common coding problem. Many of the problems that are out there, that contribute to this lack of security are extremely simple, buffer overflows are spotable in source code by a first-year college computer programmer, by people without any gonna college computer programming skills. The notion of race conditions where there’s a certain amount of time between what I tell you, something in between what you tell another senator that I could go in and change that information, so Senator Lieberman believes that you said something else. These are all very straightforward problems, they weren’t addressed because computers really came out of a tremendous amount of fun and joy in research and exploration they didn’t think about the commercial ramifications and aspects. Probably didn’t answer the question at all there.
Senator Glenn: You may want to run for public office one day. —Blew my whole train of thought… I know what it was. Little just a while ago Mr. Neumann was here about would it be possible to set up a whole different system for defense, for intelligence matters, for a CIA, for NSA, for people doing very highly classified work that we don’t want out. Would there be an advantage to us funding and setting up a whole separate system and how long would it be invulnerable if we did such a thing? Is it worth the effort to be very expensive to do it? How would we… Would it be worth doing?
Mudge: One of the things that was said earlier was, there are no easy answers, maybe not any answers at all. But what I believe is there are answers they’re just quite painful. Yes! I think that is one of the ways to do it. Several the agencies within the government currently do that. It is very expensive. If you had extremely sensitive information you do not trust it with other networks that are less sensitive, that are less trusted. The actual computer systems can be made to be relatively secure, the physical hardware in it becomes very costly, it’s cost-benefit… the analysis that you end up doing here. The software can be improved upon the software doesn’t have to be fantastic. One of the things that strikes me is there’s a tremendous amount up interest in the year 2000 problem and every time I hear it I have to sit back and I chuckle to myself because we’re worried about the year 2000 when the systems crash but they’re crashing left and right right now and nobody cares. The systems, you can work with them right now. They do crash, I mean, how many times has somebody in here run Windows and had to reboot it or a Macintosh? I mean, left and right they still work. If you put them in a secluded room put a guy with a gun next to it and don’t let it talk to other systems its relatively secure.
Senator Glenn: I’m not quite sure what we’d do if we required the computer industry to do something. You say there are no incentives for the industry to do much I’m not quite sure what they do, this is like some people may want to buy the equivalent of a Model T Ford, or buy a tiny car, other where people want to buy more security and so they buy a great bigger… Lot of people going to — now because they are bigger and heavier show less fatalities in an accident, things like that. You can have different levels that people want to go. How would you go about the computer industry? What would you require them to do that would make this program better or would it just be making government agencies and people know that if they’re gonna go to certain types of information or banks or the federal, whatever, that they have to buy a computer that is upgraded to a certain level and we should be much more cognizant of these security levels when you purchase a secure a computer than ever before, that’s kind of like the — statement but you know what I’m driving at, I think. How do we regulate this? I’m not sure we could.
Weld Pond: Actually in the industry now, Microsoft sort of does the Model-T in another car. For example they have windows which this so the Model-T that’s for your individual user at home and they have Windows NT which is a more secure system. The problem is, it’s just more secure doesn’t mean it is his really good enough for doing what you to say is a secure system that’s good enough. And the problem is they, you know, we get back to we have no liability in the… to say our, you know, it doesn’t work sorry we’ll fix in the next release. They don’t have any way of telling you, the customer, or no one really does, that I know of… what they did to make this system secure. You can’t say show me your security architecture, show me the development process that went through and looked for the problems and show me that the system is secure. No one’s doing that, no one’s really selling a commercial product that does that, that can assure you the buyer that you are buying the Cadillac with the bullet proof glass. So no one’s really selling that and no one’s really assuring anyone, that that’s true.
Space Rogue: …Microsoft is just saying trust us and there’s really no way to test the product to find if in fact it is secure by the end user or the consumer. So, unlike the Cadillac with the bulletproof glass you can go up and you can look at the glass to see how thick it is. You can’t do that with software.
Senator Glenn: My time is running up, we don’t have lights here. Just one more question here. What seem to me, maybe all of our concern and maybe this overstate, our concern about whether people get in, have access or can manipulate the system and transfers something to another spot or something maybe this isn’t our biggest danger maybe it’s, Stephens thing over here, when you just get anyone to do harm to our country or just get in fact blow the computer or do the transfers as you said about by x-ray or whatever it is and you’ve dialed up the whole thing irretrievably, rather than going in and trying to manipulate the system, is that, should our biggest worry be in this area? It would seem to me that, that might be something that’d be easier to protect against than all this getting in and fouling up some specific software program. Is that? Or am I over-optimistic?
Stephen: It’s much simpler for someone to perform a deniable service than it is to change the data and insert their own or to, to manipulate…
Other Member: — you’d know it when it happens, that’s for sure?
Stephen: Yes! Much less expensive to do that kind of damage and much simpler. Easier to prevent against? Perhaps and perhaps more straightforward in the short term to harden the major network access points, to the extent of military facility. Tempest making more tempest proof facilities.
Senator Glenn : Or x-ray proof sheildings, something like that.
Stephen: Yeah! Maybe simpler in the short term.
Kingpin: There is documentation on that. And it is possible to shut down the sheens with the high-energy. Protecting against it has been done, it is done and it’s fairly simple. You can basically includes something in a gaint metal box, which will prevent the, you know, the outside. Or if, I don’t know if that’s done a lot inside the government, some military computers need to be tempest proof.
Brian Oblivion: Think I was just going to say that the box needs to be grounded.
Kingpin: Yes! They should be grounded. Thank you.
John Tan: One of the things I think is coming out here is, got to do with the… it’s not just the encryption, the strong encryption, it’s not just the Network or the operating system. It’s all these things have to be applied across the board in order for one person to actually have enough responsibility. To be able to tackle the problems themselves they have to be in an environment where there are others, not only in their own industry but in other industries that are trying to raise that bar so as a whole the security goes up.
Senator Lieberman: Thanks Mr. Chairman. Thanks to all of you. Senator Thompson indicated that somebody referred to your group as rock stars of the new computer age. It’s probably not what you came to hear, but I think you’re performing an act of very good citizenship and I appreciate it. I’d compare you, I hope you don’t mind I’m not gonna call you rockstars, I’d compare you more to Rachel Carson who’s sounded some real warnings about what environmental pollution was doing to the environment and in the defense context you may be modern-day Paul Reveres except in this case it’s not the British coming. We all know who’s coming, that’s the problem. Yeah! Well, the chairman’s question before was — I mean you are obviously very bright and very creative and work at this but if there’s anything we have learned to the modern age, is that you don’t, you cannot, particularly in this age, particularly because the computers where knowledge and information travel so quickly, just as you have been able to do this at L0pht. There could be, there’re people all around the world who are able to do this and they may not be good citizens. They maybe up for higher to people who don’t wish to swirl. So I appreciate what you doing and I must say in this regard, it may be the appropriate metaphor here, not Chernobyl but unfortunately Oklahoma City where if we looked at it we would’ve understood as some did that there was real vulnerability. But we didn’t do anything about it and I think that’s what you’re telling us and I hope we can continue to work with you to try to raise our guard. I think the other thing you’ve helped me to understand is that there is no such thing that’s absolute secure, nothing, no system is foolproof. I think what you said is that the aim here should be to make it more difficult to break the system, to infiltrate it. — there never has been absolute security, I suppose it’s just that the consequence of insecurity in an age in which we’re also reliant on computers, are more consequential, they’re more massive, they are more widespread. Let me ask you a couple of questions following up on that thing of accepting that there’s no, no system is foolproof. You’ve said here in your testimony that, given thirty minutes you might be able to render the Internet unusable, not forever obviously but for some some period of time. What can we do, what can the system do, what can the government do, what can private do, what can folks do to try to protect against that?
Mudge: The one method of doing that, that we were referencing, there are several, there are dozens of them actually, but this is a good example; you can prevent and you can stop that particular attack from happening however, the nature of the internet and the companies that are providing the long haul backbone connections of it is to move the information as quickly as possible across that because that’s money. Every packet, millions of packets go buy a second is worth a little bit of money if you even stop to look at the packets you have to send slightly less than your maximum capacity might be in which case your competitor, now has an edge on you because they can offer faster more efficient service. So in order to protect yourself you very slightly I know one millisecond per packet, degrade service but that definitely cascades into a noticeable financial hit which the companies aren’t willing to take so they remain vulnerable.
Senator Lieberman: Let me just compare things and go to you Stephen Von Neumann. You talked about your work in utility systems. Let me ask you just to compare, for instance today — said who talked about said ten or fifteen years ago somebody wanted to do damage to utilities system could cut wires, could if they were more aggressive, blow up a power station, substation. So compere that, the effects, something more primitive like that from somebody with hostile intent to the possibilities that you envision in the new world.
Stephen Von Neumann: It could be more well times or more specific of an impact I mean where the detonation of an explosive in a substation could take down entire grid, where specific computer control of an area, you may be able to interrupt only one customer service say if there was commercial entity that was a target. That one commercial entity or that one government building could become the denied of electric service, or water service, or whatever this utility service was that was going to benefit the attacker.
Off Camera: computer service?
…Yes! Exactly. So, in the past where it simply was destruction it might not have had the specific focus on the attack point but now it allows that.
Space Rogue: I think another issue is, if somebody goes out and cuts the line of a place we send in the repairman to fix the line and we’re all set, you blow up a building, we rebuild it. If we attack the computer systems how do we reconstitute from that? There are no plans in place right now to recover from that.
Stephen Von Neumann: And there maybe no way to anticipate the follow-up. If there’s an attack, a physical attack, an explosion against or a line cutting then there can be increased security in that area on those same facility so the same thing wouldn’t happen again. If it’s a computer issue, I mean the attacker could be sufficiently skilled that they could simply change their methods slightly and go around any defense that’s put up in the place of the first tech.
Senator Lieberman: And the ability to find the attacker would be compromised and will be harder to find the attacker.
Stephen: Simply because the nature of the internet as it is with the no authentication, no proof of where you are, or who you are.
Space Rogue: In your line cutting analogy, the guy who snoops the wire, maybe somebody saw him and we can track him through witness. If he comes in over the internet and attacks the computer systems you don’t know where it came from and nobody saw him.
Senator Lieberman: Final question. Somebody used a VW example and it’s an interesting one, you know as you said, three cars show some signs of the impact of the — the effect, the recall 8500 of the new beetles that they sold in the US. And as you should correctly, so as I know, the 3 indications of hacking into a system and nobody is under obligation to do it. I haven’t a looked at this in a while, but the automobile companies, the recalls are not motivated simply by, let e use the term here “good citizenship”, there’s law and there is the fear of liability. So, this is complicated area, and as Dr. Neumann said, we have to be real careful not to jump too quickly without thinking about it but is there a way in which we should be setting some standards here? I mean for instance very simplistic standard would be to require our systems operators or service providers or manufacturers to give public notice over instances of hacking, successful hacking into their system.
Mudge: Or this public notice of vulnerabilities that they found their system, this is definitely a double-edged sword because when you give the information out, other people can figure out how to exploit it. However if you don’t give the information out the people out there can’t protect themselves I think we’ve tried it, the route where we have kept the information secret, the computer emergency response team at Carnegie Mellon does that I think and I know a whole bunch of people in the commuter industry agree with me on this that they’ve become more detrimental than beneficial by a long shot, couple words of encouragement from right behind me. Full disclosure is very important and you have to educate people. Education is one of the largest things that’s really missing out of this. If I’m an administrator and there’s a problem in what I have to control but the companies don’t let me know about it I can’t be expected to fix it. Even if the companies don’t have a fix themselves, if I know of the problem I might be able to put other things in place in front of it so I can catch it, I might have a different setup. Not everybody has exact same setup…
WeldPond: You might disconnect your system from the network.
Mudge: Yeah! I might say, hey! that’s really bad I need to get off of there right now. But I’d be able to do that.
Stephen Von Neumann: I’d go one further, not only to point out the flaws but also to point out the inner workings this may be rehashing some of the well-known but the UNIX environment being around for many years being public being able to be examined has mostly fixes on quite well-known.Microsoft Windows NT all their code is completely hidden from public eyes they don’t release it. Has as been said, a black box to the public even if even if an end-user wanted to go and look inside the internals of say, Windows NT, they’re not allowed to its illegal according to the software licensing put forth by Microsoft to disassemble to try and reverse engineering that kind of a limitation is just putting the brakes on investigation of the flaws.
Senator Lieberman: Good comparison to close. I wanna thank you again. This is another classic example of what we find very often who undecided as lawmakers which is that we see a problem we want to make it better week kind of play law but this isn’t an area of very developed expertise which most of us don’t have. So we rely, we often rely on science and on the people who have more expertise and then try to make the best judgment we can. I, in thinking I really want, I know you’ve already, you to go your day jobs and night vocations. But to the extent that you find time I really ask you request you think about what the government, we as lawmakers, if anything, I mean, it maybe the you want to come back and say you’re only going to mess it up here. What we might do through law to deal with some of the, to protect ourselves from some of the vulnerabilities that you’ve identified. Thanks very much.
Senator Thompson: Thank you very much for being here with us today I Like that Senator Lieberman thinks that you are performing a valuable service to your country and we appreciate that, and want you to continue to help us. I think the liability question is a very good one, I wonder for example whether or not it’s a matter of laws, whether or not there are already laws under the common law, under state laws, the law of —, law of negligence and fraud, Uniform Commercial Code and all those things. The first time some big company has been compromised because of this, that it may fix itself because it’ll be a massive lawsuit and everybody will wonder why we didn’t address this in the beginning but the fascinating issues and you know you’ve pointed out that our computer security is virtually a non-existent and how easy it is to obtain sensitive information and shutdown liable governmental operations and we going to have to do something about it, it is that simple.