Chris Wysopal is the founder and CTO of Veracode, a firm focused on ensuring the development of secure code. Two decades ago, he was better known as Weld Pond, a member of the hacker collective L0pht Heavy Industries.
Weld Pond: hacker
Is he a hacker? “Absolutely,” he says. “A hacker is someone who wants to understand how a system works, and then explore how that system can be manipulated to do something unintended by the developer. The interesting part is this exploration of technology uncovers functions and possibilities that typically weren’t designed into the system by its creators.”
The driving personal motivation is curiosity. “The hacker explores the technical world – how things were built and connected and put together. And there’s a ton of unknown and unintended consequences to be discovered. Hacking is exploring these and understanding them.”
It is the use of these unintended consequences that distinguishes the ethical hacker (whitehat) from the malicious hacker (blackhat). The former wishes to help the vendor to prevent misuse, while the latter seeks to manipulate the unintended consequences for personal benefit. The boundary between these two is not always clear-cut — individual hackers can be either, neither, or both. Nor is it unknown for hackers to change hats mid-career.
For whitehats, the temptation to become blackhat is always there. “If you have the knowledge and the power… it’s there as a temptation,” said Wysopal. “It’s like the kid looking at the cookie jar and being told you can’t have the cookie until after dinner.”
But for him, “There was always a strong pull to do something that could help the world. The idea of doing something criminal and getting caught would ruin all the positive things I wanted to do in the world. So, I think that the temptation was there, but there was a stronger pull to be helpful.”
The motivation for the hacker is curiosity; the direction is guided by that elusive concept, the personal moral compass.
L0pht Heavy Industries
The work of L0pht Heavy Industries is pivotal to the evolution of cybersecurity. In 1998, Weld and fellow L0phter Peiter Zatko, aka Mudge, testified to the Senate they had found a flaw in the border Gateway Protocol (BGP) that could be exploited to redirect traffic toward malicious websites. They estimated that 70% of the internet could be affected within approximately 30 minutes.
The group urged greater government involvement in cybersecurity, including R&D, a national cybersecurity policy, and greater public awareness of cyber risks. Arguably, it was this testimony that first brought cybersecurity to the forefront of government thinking.
The problems that Lopht highlighted 25 years ago have only worsened with the increasing complexity and pervasiveness of the internet. Government has yet to solve the issues, and a direct line can be drawn from Lopht Heavy Industries to the current government insistence on zero trust and security-by-design.
Enter LophtCrack and the greyhat
Despite the Senate testimony, L0pht is better remembered as the author of L0phtCrack – a password auditing tool that could be used by sysadmins, the public, and malicious attackers to recover weak passwords.
“L0phtCrack started off as a proof of concept,” explains Wysopal. “It started as a command line tool to show how easy it was to crack Microsoft passwords. It was released as a proof of concept to demonstrate there was a vulnerability in Microsoft’s password system.” The purpose was to persuade Microsoft to improve its software.
L0pht had discovered implementation errors that made it possible to recover cleartext passwords from their hashes. L0phtCrack demonstrated this. But Microsoft did nothing, presenting Lopht with the perennial problem of what to do with a responsibly disclosed serious vulnerability that is ignored by the vendor.
“If, within the next few months, Microsoft had said, ‘You’re right. We’re going to improve our password system and we’re going to make it state-of-the-art secure as is available on some Unix systems’, there never would have been a 15-year lifetime of L0phtCrack. Microsoft could have responded to our vulnerability report or proof of concept and fixed the issue. What happened was Microsoft did not fix the issue.”
L0pht was concerned that Microsoft’s inaction placed the onus of security on the user rather than the vendor. Compare this to the March 2023 National Cybersecurity Strategy’s desire to ‘rebalance the responsibility’: “Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
L0pht’s solution was to develop and release L0phtCrack as a password auditing tool. Its purpose was auditing, so that users could discover which of their passwords were too weak. Its method was to demonstrate this by cracking the passwords. In the hands of ‘good’ people, this was beneficial; but in the hands of bad people, it could facilitate malicious hacking – unless the good people used it and acted upon it first. It was a dual use tool. The hope was that this would help Microsoft improve their system (but it was five years before Microsoft did anything).
Wysopal uses the common analogy of the lockpick to explain the dual use dilemma. A lockpick is dual purpose: in the hands of a burglar, it is a weapon; in the hands of a householder, it is a beneficial tool. “Locksmiths don’t want you to be able to pick your own lock. Lock manufacturers don’t want you to understand how easy it is to pick the lock,” he explained. “Lock manufacturers would be happy if lockpicks were unavailable to both the general public and burglars.”
Knowledge is power. If the public believes locks are unbreakable, people will continue to buy them. And locksmiths will continue to sell their services in extremis. Similarly, it is no benefit to software developers if their customers understand how truly easy it is to break their software — and this potentially makes the ethical hacker a threat to company profits.
Before this time, hacking was binary: either whitehat (good) or blackhat (bad). Development and release of a dual use hacking tool like L0phtCrack crossed, or at least, straddled that divide. Dual use is a part of life. Without it, we would have no nuclear energy, nor fireworks, nor air travel, nor arguably even the internet. Development, progress, and innovation would be stymied by a ban on dual use.
So, L0pht coined the phrase ‘greyhat’ as a reaction to the concept of pure whitehat. “Greyhats don’t want to restrict themselves by saying we won’t ever build a tool that can be used for bad,” explained Wysopal. “Password crackers like L0phtCrack are a good example. In the hands of a system administrator or a hired pentester, they can uncover weaknesses in the way passwords and authorization systems are used, and those weaknesses can be fixed. In the hands of criminals, that same tool can be used to compromise people’s accounts and steal their information. So that’s why we came up with ‘greyhat’.”
Incidentally, the subsequent, and possibly consequent, rise in the activity of greyhats correlates closely to the improved ‘patching’ response by vendors. Responsible disclosure and the better acceptance of ethically disclosed vulnerabilities may not have been caused by L0pht and L0phtCrack, but they were certainly invigorated.
Whitehats, greyhats and the law
Despite the experience of L0phtCrack, and despite the current federal push for security by design, vendors still occasionally invoke the law to deter the activity of greyhats. Whether these laws, the CFAA in the US, are fit for purpose remains an open question.
“They are a bit vague,” suggests Wysopal. “I still think the idea of ‘Are you authorized to use this computer?’ is really vague in the internet age. I can send a ping to an IP address and that computer will run some code to respond to the ping. If it’s responding to pings, then it’s authorizing me to send it a ping and get a response from it.”
This much, he thinks, is clear. “But then it gets pretty grey when it’s a website. You get into cases where, when the website was designed to do something, the developers purposely left out authentication and authorization. Maybe they just thought they didn’t need it; maybe they needed to get to market quickly, and they made a risk based decision and said, you know, we’re not going to authorize that function. It’s going to slow us down. It’s going to take another week to get the code done. We don’t need that. Then someone comes in and uses the fact that authorization isn’t required.” The question is whether ‘not preventing’ is synonymous with ‘allowing’.
Wysopal cites the case of Andrew Auernheimer (aka weev) in the early days of the iPad. Auernheimer was arrested at the behest of AT&T, prosecuted under the CFAA, and sentenced to 41 months in jail. Fundamentally, he made use of how AT&T’s website had been designed to operate faster by prepopulating the authentication page with the email address used to register the iPad for its 3G service.
“Auernheimer realized he could just sign up for any iPad Id [and get the iPad owner’s email address] because that was the way the system was built. Did he break the law to do that? AT&T purposely built the system that way. But they didn’t like the fact that he figured it out, and that’s why they took him to court.”
The facts: Auernheimer collected approximately 120,000 user email addresses in around four days in June 2010. He made no attempt to profit from these. He gave the details to Gawker. Gawker published a sensational article. (Gawker Media was later sued by Hulk Hogan for publishing a sex tape. Hogan was awarded $140 million damages. Gawker Media filed for bankruptcy and shut down its website. It could be said that Auernheimer made some unfortunate decisions in his actions with the email addresses, but were they illegal?)
AT&T filed a criminal complaint against Auernheimer and his colleague Daniel Spitler, and they were arrested in 2011. Auernheimer was convicted by a jury in 2012 and sentenced to 41 months in prison. He appealed. After serving around 13 months of the sentence, the conviction was vacated by the United States Court of Appeals for the Third Circuit, which declared that the government had failed to prove that he had violated the CFAA.
But to Wysopal’s point, the court still did not define what is and what is not allowed under the CFAA, given the ambiguity of what is and is not allowed by a website.
“That’s the grey area of the CFAA I don’t like. It potentially precludes someone who is a whitehat or a greyhat from discovering vulnerabilities and letting people know that there’s a risk to using the iPad and this whole sign-up mechanism – you might have your information stolen. There are vagaries around what’s authorized and what is not. I think it puts a chilling effect on a lot of vulnerability research in the age of the internet, where you’re using someone else’s computer all the time. In a lot of cases, the CFAA puts that off limits for inspection. Good faith security research should be allowed, and I think the CFAA should be changed to allow it.”
In May 2022, the DOJ announced that it would no longer charge good faith ethical hackers under the CFAA. This it defined as research “carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services…” The problem here is it amounts to a subjective decision made by prosecutors outside of the court system. The CFAA itself remains unchanged. Subjective opinions can vary, and the chilling effect of the law continues.
The lessons learned
History is full of outliers ahead of their time. The supersonic airliner, Concorde, is one example – developed too early and abandoned even though others will surely follow. L0pht Heavy Industries is another – solutions to its 20th Century recommendations are still sought today in 2023’s National Cybersecurity Strategy.
But L0pht also demonstrates something perhaps more controversial: the University of Hackerdom is possibly the best cybersecurity educational establishment available. Consider some of the alumni of Lopht. Today, Weld Pond (Chris Wysopal) is the founder and CTO of Veracode; Space Rogue (Cris Thomas) is the global lead of policy and special initiatives at IBM, and Mudge (Peiter Zatko), a former CISO at Twitter and head of security at Stripe, was hired by CISA in September 2023 to advise on ‘security-by-design’.
Related: Hacker Conversations: