Yeah, no, I think we're gonna have to do it tomorrow. We'll do it tomorrow. I gotta go, I gotta go. I'm giving a presentation at DEF CON. The cool thing is I'm recording it now and it's gonna be presented 20 years into the future in 2020, isn't that cool? All right, I'll talk to you tomorrow. All right, bye.

Yeah, hi everyone. It's good to be here. Coming to you from the past to talk about the 90s and how pen testing really came from the hacker community and just wouldn't really be there if it wasn't for the hacker community. So I have some slides and I'm gonna share my screen here so we can see them. All right, great. I hope everyone can see the slides.

So yeah, I'm happy to be here. My name is Chris Wysopal. Some people might know me as Weld Pond, and I'm gonna talk about how red teaming was born from the hacker community. Some of you may have seen this picture. This is a picture of the group of us from the L0pht, which was a hacker group that I'm part of, and we actually got these t-shirts made up to commemorate the event: Feds Love L0pht. We testified at the Senate. It was a little controversial at the time. We were the first hackers to talk about computer security and try to help the US government understand what was going on. I don't know if you can see our placards there in front of us, but they have our hacker names, not our real names, which I thought was pretty interesting. They let us testify with our hacker names because, of course, back in the 90s it was kind of risky to be called out as a hacker with a hacker handle, posting about vulnerabilities and things like that. So we didn't wanna risk our day jobs. A lot of us were in IT, and if you said bad things about a big vendor, it might be bad for you and your job. Unfortunately, or fortunately, I'm not sure which, our pictures were posted in the newspapers the next day and people at work kind of knew what we looked like.
So the jig was kind of up that we did this, but that's me there. And here's a slightly different one. I've made it a little bit shorter, but a lot of people say, how did this happen? How did you get there? And it really was doing things the hacker way: reverse engineering, exploring, looking at hosts and networks. But we did it on our own machines, and we did it in order to publicize the insecurity in software and hardware, and took on really kind of a consumer advocacy approach. And I think, while making trouble for vendors, a lot of other people saw the benefit of what we were doing, and that's how we got invited to go speak at the Senate. And famously, Mudge, who's there next to me, said we can take down the internet in 30 minutes. We were talking about BGP vulnerabilities, which are still a problem. BGP hijacking is still definitely an issue a few years later.

But I wanna go back to sort of the beginning of computer security. And when I go back to the beginning of computer security, I think of the Orange Book. This was a book that talked about design and security features: authentication, authorization, encryption, auditing. It really talked about security features, and the book was kind of made famous in the hacker community because it made an appearance in the movie Hackers. But it really was the way that people thought about computer security in the early and even in the mid 90s. It was all about security features. There's nothing in here about bugs in code, right? And we all know that that blows a hole right through any security feature. So there was a huge part of building secure systems that was completely missing until hackers started exploring and probing things.

The other big way people thought about computer security was CERT, which was formed after the Morris worm. And in the early 90s, CERT said, we'll start taking a look at these vulnerabilities. If someone finds a vulnerability, send it to CERT.
We'll understand it, we'll look at it, we'll talk to the vendors and we'll try to get them to fix it. But one of the things we found at the L0pht, when we first started dealing with CERT, is that if we found vulnerabilities and sent them to CERT, it would just become a black hole. We didn't know if the vendor fixed it. If they fixed it in a silent fix, the general public didn't know about it, so there was no way for them to know that they should be patching. And there were sort of no consequences for vendors who wrote buggy, insecure code, because the general public didn't know about it. It was just something between CERT and the vendor. And I think that was pretty broken until hackers basically did an end run around that whole model.

In the early days, there were some hackers that tried to start companies. The earliest company that I know of is a company called Comsec Data Security. And here's actually the press release from 1991. So the contacts here are Scott Chasin and Chris Goggans, two of the founders of Comsec. And they're quite proud to say that they're comprised mainly of the now-defunct computer group the Legion of Doom, and they plan to offer a full-scale security package to private industry. I don't know if people remember the Legion of Doom, but several members actually went to jail for CFAA violations. So maybe not the best group to be saying, this is the basis of our company. But what they were saying also is that they were bringing a fresh approach to security consulting and the corporate marketplace: that they know how systems are compromised and what actions need to be taken to secure them. So this was actually a totally new thing. They were really kind of pioneering here, saying that they know how systems are compromised, and so that's the fresh approach. Isn't that amazing, that in 1991 that was brand new? I have to applaud them for pioneering in the industry here. But in the press release, I thought this part was actually pretty interesting.
They said that they were aware of the possible shockwave among the hacking underground over this venture. The firm maintains that they are security consultants and not informants or hacker trackers. We're not gonna go after people. We are gonna ensure that no one, hacker or corporate spy, can compromise the security of our clients' computers. So there was this idea that if a hacker worked for a corporation, it was sort of narking, right? The only reason you're there is to tell them about the other hackers that were out there, that you knew about from underground bulletin boards and mailing lists and bridges and things like that. And they were claiming that's not what they're doing. But that was definitely a concern back then, this whole question of can the hacker community trust someone who goes into the corporate world? So it really kind of went both ways.

There was an interview afterwards by ISP News. And I thought this was actually kind of interesting. ISP News was saying, given where you're coming from, why should a potential client trust you? And the CG here is Chris Goggans, one of the founders. He says, I know it's a natural question. Just the very nature of creating a company should project an image that we are trying to come out of the shadows, out of the underground. We're saying, look everybody, you've been doing this for a long time. Now we want to help. And ISP News says, I'm sure you understand the natural suspicion that people have. And Goggans says, no, that's what I don't understand. If we at Comsec were out to compromise information from an existing company's computer network, we wouldn't have incorporated. We could have done that, and someone else could have already done so. Then the information would be available from one hacker to another. So he's really trying to say, hey, we understand that people are gonna be skeptical, but you can trust us. Unfortunately, Comsec didn't go very far. It was just too early.
They couldn't get any customers. And some things had to happen between 91 and the late 90s before people could start to trust hackers and hacker techniques to secure their systems.

One of the big seminal papers, and something that was very seminal for me when I was starting out doing computer security, was this paper by Dan Farmer and Wietse Venema in 93. So just a couple of years after Comsec, they wrote this paper, Improving the Security of Your Site by Breaking Into It. And they published this as a paper. I'm not sure if it was published in USENIX Security, but it was an academic paper that was in a form that a government security person or a corporate security person could kind of understand. It wasn't all shady like Phrack Magazine, et cetera. And basically it just talked about: look at the way that attackers are breaking into networks. Collect all of those things together and try them on your own network. Weak passwords, probing open ports, try exploiting trust, exploit known bugs. Imagine that, exploiting known vulnerabilities to see if you have them. This was a new concept in 93. And then they talked about locking down networks based on understanding how hackers and attackers were going after networks.

And then a little bit later, well, not the first one with Crack, but a little later, these hacker tools started to show up. Really the first hacker tool that was sort of well known and widely available was Crack by Alec Muffett. Came out in 1991. And his whole idea was to do a dictionary attack or a brute force attack on Unix passwords. Seemed like a reasonable thing to do if attackers were guessing passwords. Why not guess them first and just do it right on the password file, the encrypted passwords? Seems to make complete sense now. But back then this was considered only an attack tool. Why would a legitimate person use this kind of tool?
Randal Schwartz was an admin at Intel that was actually fired and was charged with a felony for using Crack on the systems that he administered, purely to tell the users of his system that they should pick a stronger password. Thankfully the felony charges were reversed later, after a few years, but not so good for Randal Schwartz's career in the beginning. And of course we know now, with Have I Been Pwned and lots of different things, that figuring out if people are reusing passwords or using weak passwords is critical.

SATAN was a tool created by Dan Farmer and Wietse Venema a few years after they wrote their paper, basically automating those techniques that they described. So let's try all those vulnerabilities. Let's target all those misconfigurations. Let's automate the process of finding these problems on your network. Guess what? Dan Farmer got fired from his job at SGI for releasing this tool. He actually got fired for writing a tool which is now a multi-billion-dollar industry from the likes of, you know, Rapid7 and Qualys and Tenable. Dan got fired for pioneering the idea of network scanning for vulnerabilities. Little bit of trivia there: that logo on the right is the logo of SATAN, and it was actually sketched by Neil Gaiman, the author of Sandman. Dan was friends with him.

And then just the final tool I wanted to mention was Netcat by Hobbit, which came out in 96 really as this network Swiss Army knife. I'm sure everyone has used Netcat. Didn't do anything except set up connections and send data to those connections. I ported it to Windows, and it actually turned out that it started getting flagged as malicious code by antivirus. So if you actually wanted to use that to scan systems and test systems, you had to make sure that you didn't run afoul of antivirus. So there were a lot of misunderstandings in the early days.
And hackers created the first real, true information sources about bugs in software, vulnerabilities. Bugtraq, with its full disclosure policy, famously went around what CERT was trying to do. It was a place where people could publish information if vendors weren't listening to you. You could just publish it publicly. And it was a place where like-minded security people could find that. Really radical in the beginning years. It was actually created in 1993 by Scott Chasin, one of the founders of Comsec. So I think we have a lot to thank Scott Chasin for, for pioneering and pushing the limits. He was also one of the early editors of Phrack, along with Chris Goggans, who was one of the early editors of Phrack, which started in the late 80s and still goes today. Very popular in the mid-90s, issues coming out on a monthly basis, all kinds of exploits and tools. And of course we all know about DEF CON as a place where people can gather and give presentations, and that's where we are here today. The first computer security presentations about sort of real security were created by hackers.

And the other big change I think we saw with hackers entering the realm of computer security was they made computer security a participatory sport. Capture the flags became a way to learn: learn by doing, learn by training with your adversaries, learn from your adversaries, and make it fun, right? Up until then security was sort of set it and forget it. You know, maybe there was an audit by an audit and accounting firm to make sure you had passwords turned on and you had logging and all that, but it was very static. It was very set it and forget it and wait for the attackers to come, whereas the hacking community really birthed this notion of the pen test and red teaming, bringing in the adversarial nature for securing systems. And we know that that's made a huge, huge difference.
So I was a member of the L0pht starting in 93, and, you know, four or five years later we said, hey, this is all fun, we're releasing things and that, but maybe this could be a business. Maybe we could actually do consulting. Maybe we could sell software. And actually in 97 we started selling L0phtCrack, and we thought, maybe this could be a full-time gig. So let's try consulting. And we knew about Comsec back in 91, and we knew that the L0pht was a known hacker group and we used our hacker names, but maybe times had changed. Maybe we could have a go at this.

And so we tried our hands at consulting, and one of the ways we did this was we found a local consulting company in the Boston area, and we talked to them and we said, maybe you should start a security consulting business, and the L0pht could be your security consulting business unit. And so we started talking to them about coming on as employees. And we said, there's no better way for us to demonstrate what our capabilities are than to try to hack your company, right? Let's do a full-on penetration test of your company. So we talked them into letting us do this. We did it pro bono, because we were trying to explain to them the value we had. So we did that, and we were actually negotiating with them at the time, right? We were negotiating with them saying, what would our salaries be? What would the business look like? What would be the parameters around us coming to work at your company? And we just did a no-holds-barred, full-spectrum test: voicemail, wireless, physical security, internet connection, you name it. It was on the list. It was in scope. We actually didn't do any email social engineering or voicemail social engineering, but we did do things like physically penetrate in order to do things like see what was in the trash and things like that.
So here's the cover page of our security audit. We didn't go by the L0pht. We went by LHI Technologies. We took L0pht Heavy Industries and made it LHI Technologies, because we were doing some consulting and selling some software at the time, and that was a part of the L0pht history where we were actually sort of becoming a company. And we did this between August 20th and September 8th, 1997. It was a completely black box test. And we used a combination of tools and network probing. I've blanked out the name of the company. It's been a few years, but it just makes sense to keep them confidential.

Security in 1997 was a lot different than it is now. So if we look at the executive summary here, you can see that from the internet we were pretty much able to totally own everything. All these critical corporate systems: Oracle databases, got corporate credit cards, voicemail, the network routers, the dial-up systems, personal email, their intranet site. So basically total ownage. And we did this without any kind of inside accomplices, no previous knowledge, completely black box.

So, you know, I could do a whole presentation on the gory details of this, but I just wanted to highlight a couple things which I thought were interesting, things you don't always see in a pen test. So one is, one of the first ways we got in was through the web server. And if anyone had been doing hacking in 1996, you probably heard of the PHF vulnerability. It was a CGI-bin script that came pre-installed with Apache. And it had command injection, right? So you could just put a delimiter character in there and put your command. But of course, Apache should be running as its own user, right? It should be running as httpd, which shouldn't allow you to compromise the system through this vulnerability, right? It's basically an information leakage if permissions are set correctly.
But we were poking around and we actually saw that someone didn't set the permissions on the httpd.conf file correctly. So the configuration file shouldn't be owned by the httpd process, because then any code that executes from the web server could change the configuration. And guess what part of the configuration of the server is? It's what user the server should run as. So we used this command injection to edit that file and change it so that the next time the web server came up, it would be running as root. Nice little technique there. But then we did uptime on the system and we saw that the system had been running for over 100 days. And, you know, we tried DDoSing it. But we basically had to wait for someone to reboot the server. And so we didn't think we were going to get in this way. We started probing some other systems and actually found some other vulnerabilities and were able to get in.

But a few days later, I was listening to the news and I actually saw that there was a manhole explosion in Cambridge, where this company was located. And unfortunately, an employee of the power company actually died in the manhole explosion. But it downed power in Cambridge for five hours. And after this happened, I started probing the system and started looking at their web server. And it was up after an hour. It was up after a couple hours. So they obviously had backup. But after about three hours, the system went down, and they didn't have enough backup for this five-hour power outage. And when the power came back up, it rebooted, and we were now doing command execution as root. So I just thought that was a little bit... I had never come into a situation like that before in a pen test, but you just never know how things are going to go and what's going to go your way.

The other thing I thought was pretty interesting was we looked at the voicemail systems.
And you can see there on the left the extension, we have the username in the middle (I've grayed out some of them), and then the password on the right. And you can see the new employee voicemail box gets a 1234 password. And you can see that some people never changed it. The IT and facility service line was 1234. The travel line was 1234. Directions was 1234. But there are some other accounts on there where the extension and the password are the same, that 4069. And if you look down, there's 18629, where the extension was the same as the password. That actually happened to be the vice president that was negotiating with us at the time about joining the company. And we had sort of listed out what we were expecting for salaries, benefits, how we wanted the jobs to work. And one of the things we really wanted was that step van, or I don't know if it was a bread truck or whatever, that was in Sneakers. We wanted a Sneakers van so that we could outfit it with electronic equipment to do wireless and surveillance and have a mobile hacking unit. It looked totally awesome, right? I think everyone who watched Sneakers loved that. We put in that we wanted that. And we heard on this voicemail, so we captured a couple of voicemails as evidence that we were able to get into the account, and one of the voicemails was talking about those L0pht guys, and he said, these guys wanted a f-ing Winnebago, and they were not happy with us. They thought we were asking for the world. Sort of just didn't understand what we were going for. So you don't always have a situation where you're negotiating with your potential future employer while you're doing a no-holds-barred pen test with your get-out-of-jail-free card, right? So again, another bit of an interesting situation. But we didn't end up joining there.
And a couple years later, the L0pht ended up joining a startup company called @stake, which just did information security consulting. And I'm sure some of you have heard of @stake. This was an article from January 2000, where the way the news looked at it was using good hackers to battle bad hackers. If you have a murky past and doubt you could become a dot com millionaire, think again. And I thought, what a change from 1991, with Comsec really not being thought of as credible. So a lot of things had to happen over the 90s for us to join @stake and be perceived as a legitimate company.

And so that's my story. That's my story from 2000. I hope that you enjoy this in 2020. And here's my contact information. There's this thing called Twitter that is going to get invented, I think, and I'm going to found this company called Veracode in 2006, just some of my future plans. So hope you enjoyed it. I'm going to join on the Discord, which is another technology that's just going to be invented, and hopefully we can chat. So bye bye everyone.
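The httpd.conf story above (PHF command injection turning into root because the web server account could rewrite the file that sets the `User` it runs as) comes down to one misconfiguration: the server account must not be able to modify its own configuration. The following is an added example, not code from the talk, showing a defender's check for that condition. It audits a config file and its parent directory against a hypothetical unprivileged server uid; the demo uses a constructed temporary file in place of a real httpd.conf.

```python
import os
import stat
import tempfile


def user_can_write(st_mode, st_uid, st_gid, uid, gids):
    """Classic POSIX permission check: can a user with this uid and group
    set write a file with these stat fields?  Root always can; ACLs are
    ignored, so treat "no" as "no via plain mode bits" only."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_server_config(config_path, server_uid, server_gids):
    """Return a list of findings describing how the web-server account
    could alter the configuration it was started from.  An empty list
    means the account can neither edit nor replace the file."""
    findings = []
    if server_uid == 0:
        return ["server runs as root; any code execution is already root"]
    st = os.stat(config_path)
    if st.st_uid == server_uid:
        findings.append("config file is owned by the server account")
    if user_can_write(st.st_mode, st.st_uid, st.st_gid, server_uid, server_gids):
        findings.append("config file is writable by the server account")
    # A writable directory lets the account unlink and recreate the file,
    # so the directory matters even when the file itself is read-only.
    parent = os.path.dirname(os.path.abspath(config_path))
    pst = os.stat(parent)
    if user_can_write(pst.st_mode, pst.st_uid, pst.st_gid, server_uid, server_gids):
        findings.append("config directory is writable by the server account")
    return findings


def demo():
    """Constructed demonstration: a temp file standing in for httpd.conf,
    audited for a hypothetical httpd uid that does not own the file."""
    fake_httpd_uid = os.getuid() + 1  # hypothetical, never the file owner
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "httpd.conf")
        with open(cfg, "w") as f:
            f.write("User nobody\n")   # the directive an attacker would edit
        os.chmod(d, 0o755)
        os.chmod(cfg, 0o666)           # world-writable: the 1997 mistake
        weak = audit_server_config(cfg, fake_httpd_uid, [fake_httpd_uid])
        os.chmod(cfg, 0o644)           # owner-writable only: the fix
        fixed = audit_server_config(cfg, fake_httpd_uid, [fake_httpd_uid])
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak:", weak)
    print("fixed:", fixed)
```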
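The voicemail table above shows the two patterns that gave away the mailboxes: the unchanged default PIN (1234) and PINs equal to the extension. This is an added example, not from the talk, that audits a mailbox list for those patterns plus the two obvious neighbours (all-same-digit and sequential PINs). The sample rows are constructed; only the extensions 4069 and 18629 and the 1234 default are taken from the talk, and the names are placeholders.

```python
# Constructed default-PIN list; the talk only mentions 1234 as the default.
DEFAULT_PINS = {"1234", "0000", "1111"}

# Constructed sample: (extension, mailbox name, PIN).  Names are placeholders.
SAMPLE_MAILBOXES = [
    ("1000", "new employee template", "1234"),
    ("1010", "IT and facility service line", "1234"),
    ("1011", "travel line", "1234"),
    ("1012", "directions", "1234"),
    ("4069", "(name withheld)", "4069"),
    ("18629", "(name withheld)", "18629"),
    ("2231", "(name withheld)", "7305"),
]


def weak_pin_reasons(extension, pin):
    """Return the list of reasons a voicemail PIN is guessable, in a fixed
    order so results are easy to compare.  Empty list means no finding."""
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("default PIN")
    if pin == extension:
        reasons.append("PIN equals extension")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if pin.isdigit() and len(pin) >= 3:
        digits = [int(c) for c in pin]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps in ({1}, {-1}):          # 1234 or 9876 style
            reasons.append("sequential digits")
    return reasons


def audit_mailboxes(rows):
    """Map extension -> reasons for every mailbox with a weak PIN."""
    findings = {}
    for extension, _name, pin in rows:
        reasons = weak_pin_reasons(extension, pin)
        if reasons:
            findings[extension] = reasons
    return findings


if __name__ == "__main__":
    for ext, reasons in audit_mailboxes(SAMPLE_MAILBOXES).items():
        print(ext, ", ".join(reasons))
```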