Corporate interests trump security
Although the security landscape has changed and evolved over the past 20 years, the state of IT security has arguably gotten worse.
This is the view of Joe Grand, president of Grand Idea Studio, speaking at ITWeb's fifth annual Security Summit, taking place in Sandton this week.
Grand was a member of the renowned hacker group L0pht, which started in the early 1990s as a clubhouse for local hackers to store computer equipment, tinker with projects, and just hang out. It evolved into a group that discovered security flaws and challenged vendors to fix the problem and, finally, ended rather anti-climatically in 2000, when it joined forces with VC to start security consulting firm @stake.
“In the early days, being a hacker was something an individual did at his own risk, it was neither a cool, nor a sexy thing to do,” said Grand. “Computer security was not often in the mainstream media - it was not publicised at all. In those days, anyone involved in computers more than likely had a passion for technology.”
According to Grand, this is something that has definitely changed. “There is a lot more corporate influence now and a lot of media involvement. People involved in this today may not have the passion - it's become a job, not a life.”
In1996, L0pht became more focused on discovering security flaws in software applications and hardware products and challenging the vendors to not only acknowledge the problems, but to fix them - something that was practically unheard of at the time.
“L0pht focused more on research and disclosing vulnerabilities, with a 'no holds barred, tell it like it is' approach. We started making small amounts of money to cover expenses such as rent, and utilities,” stated Grand.
He said the group had full disclosure of its discovered vulnerabilities, and didn't play favourites. “There was no corporate backing, no greased palms. We weren't looking to make money; we wanted to force the vendor to fix the problem.”
The landscape today is a totally different picture, Grand noted. “There is vendor pressure to prevent release of information. They threaten legal action. Talks are pulled from major conferences. Advisories are used as marketing by consulting companies to gain more clients. Unfortunately, corporate interests determine what is publicly released.
“In the beginning, there were no accepted practices like there are now, and no responsible disclosure. We were making it up as we went along. We realised that if we were able to figure it out, chances are other people have figured it out too, and could well be using it for nefarious purposes.”
He explained that if L0pht didn't push the issue, and publicly release the information, nobody would have paid attention. Most times, the vendor would keep stretching the time needed to fix the problem or just blow it off. “Microsoft would claim the research was purely theoretical, and L0pht would write an exploit to prove it could be done. We called it 'making the theoretical practical'.”
However, Grand said nothing is clear-cut about this industry anymore, and it is risky to release information these days. Corporates want to protect their interests and their shareholders, even though people are at risk and affected by these problems.
In 1998, L0pht caught the public eye when it was asked to testify before the US Senate Governmental Affairs Committee on the state of IT security, where the group warned just how dire the situation was.
“We discussed multiple threat vectors and worst-case scenarios against computer and communication systems. The Internet was designed to share information and, although not designed with security in mind, it was being used and trusted in that manner.”
Grand said that, although Internet security is a well publicised topic today, not much has actually changed. “In 1997, we could listen in on various wireless interfaces. Today, wireless networks are just as insecure. The problem has never been addressed. Who is responsible for the design, creation and release of insecure products? Vendors are still free to make erroneous claims.
“Things have arguably gotten worse,” states Grand. “The online presence of people, companies, and organisations has grown tremendously. Users and vendors alike are not learning from history.
“Many companies are involved in this industry, selling security products that give us a false sense of security. People assume someone else is looking out for the technology we use and is keeping track of problems. We put too much faith in others, and we don't validate and verify for ourselves. We have a long way to go.”