Unlocking Digital Doors: On the Hacker Group That Told Congress They Could Take Down the Internet
Walter J. Scheirer on L0pht Heavy Industries and the Origins of Modern-Day Online Deception
Early computer users were consumed with the idea of being able to go places that ordinary people could not. There was something tantalizing about the vast complexity of computer technology. Peering into the digital nooks and crannies, sometimes one could find oneself making a discovery that unlocked a door to a realm of the impossible. The most familiar example of this effect from the classic era of computing is the video game cheat code.
Cheat codes allowed the player of a game to do things that were not achievable in normal gameplay. In most cases, this simply meant gaining an unfair advantage to beat the game more easily, but any number of miraculous things could happen after entering one. For instance, if the secret code for games made by the publisher Konami was in a player’s bag of tricks, they could get thirty extra lives in Contra or nearly all of the power-ups offered in Gradius.
Cheat codes existed for a variety of reasons. They were often intentionally programmed into a game by developers to use for debugging or for players to make use of for fun. It was also possible for cheat codes to be unintentionally introduced into the source code of games as bugs, which were then serendipitously located and exploited by players.
“Cheat codes were the currency of cool,” according to Dan Amrich, an editor of GamePro magazine in the 1990s. Regardless of whether a code was deliberately introduced into a game by the developers, it was always treated as underground knowledge by the players. Rumors of new codes were whispered across high school cafeteria tables, eventually landing in a BBS post or Internet website after school. If one was in the know, one could gain quite a bit of respect within a technically savvy peer group by sharing the secret of a new code.
The popularity of some games was even propelled by the intensity of the conversation around the ways to cheat them. The more extreme the effect of a cheat code, the more players could be whipped into a frenzy (and ultimately a buying spree). The infamous cheat code that unlocked a series of grisly “fatality” actions in the Sega Genesis version of Mortal Kombat led to a full-blown moral panic in the early nineties. Suburban mothers were appalled that their children were deliberately changing the play of the game to witness various characters being murdered in spectacularly violent fashion.
Yet as the controversy grew, so too did demand for both the game and the fatality cheat code. Mortal Kombat, of course, did not lead to any meaningful societal harm, and it is now considered a cultural touchstone for the millennial generation. For our purposes, the cheat code is a terrific illustration of a social phenomenon even more prevalent today: the increasing desire for subversive information that enables the impossible through computer technology while simultaneously contributing to a broader culture. And it is by no means the only example from the early days of personal computing.
Some of the gamers trading cheat codes were exchanging other pieces of underground information as well—a great deal of which was far more alarming to outsiders than any video-game violence. Nearly everything that is considered subversive on the Internet today could be found on computer networks as early as the 1980s, but in a much different format: the textfile.
textfiles were digital texts, often authored anonymously, which covered a broad range of topics: from UFO lore to instructions on how to break into computers. By sticking to just text, writers of these files got around the bandwidth and storage constraints of early computers, thus maximizing the potential of sharing. And the way these files were written and disseminated lent them an air of the mystical, as if they were arcane writings meant to be discovered only by a chosen few.
Internet historian Jason Scott has described the textfiles as “the cheat codes for life,” because they let the reader go places others cannot by manipulating reality. Remarkably, this material was massively influential in kickstarting the careers of many well-known technologists.
Scott’s own history is relevant to the story here. Beginning in the mid-1980s, he was the system operator (SYSOP) of a hacker BBS based in New York called “The Works.” By his own telling, Scott was just a teenager when the board debuted in 1986, and his father was not pleased by the inordinate amount of time he was dedicating to it. By the time Scott left for college in Massachusetts, his family had expressly barred him from all distractions while he was enrolled in school—no part-time jobs and absolutely no BBSs.
Thus, The Works was disconnected in 1988. It reappeared shortly after as a Boston-area board, this time under the control of a SYSOP going by the handle “Dave Ferret.” Scott very visibly continued his affiliation with The Works, organizing meet-ups of users around Boston and recruiting volunteers to help run the board.
In his self-described role of “master of lore” of the hacker scene, Scott obsessively collected textfiles that he considered gateways to places where ordinary people could not tread. This meant that several genres of subversive material were available for browsing on The Works. In its heyday of the early nineties, the board advertised itself as having 10 megabytes of storage space for over nine hundred textfiles—a veritable trove of underground information.
It became a popular gathering spot for Boston-area hackers, many of whom were initially drawn to the scene via the discovery of the textfiles and were looking to connect with other local hackers to trade information with. Joe Grand (aka Kingpin), a hacker and influential in the maker movement, described wading into the board’s content to Decipher in 2018: “The Works had all those text files, and it was sort of hacker related, but it wasn’t evil hacker related. So I think The Works is the spot.”
The Works brought together one particular group of hackers that would fundamentally change the way that companies and governments would think about securing computer systems and networks. Incorporating themselves as a think tank called L0pht Heavy Industries, they contributed to the development of the “hacker space” concept for collaborative technology projects by moving their base of operations off of the BBS and into a physical space in Boston’s South End neighborhood (later, suburban Watertown).
As a tight-knit group working in concert, the members of the L0pht were able to release a number of high-profile security advisories for various operating systems and networking technologies, as well as a now infamous password cracker (“L0phtCrack”) for Microsoft Windows. Crucially, in this period the L0pht’s output remained rooted in the textfile format, with the release of all of its information made in a mode that was instantly familiar to other hackers.
The L0pht’s files attracted the attention of the federal government, which was monitoring developments in computer security outside of the establishment (and not always making the distinction between fact and fiction). In what was a highly consequential moment in the history of the computer security, the members of the L0pht were invited to provide testimony to Congress, during which an astonishing disclosure was made that they had the ability to “take down the Internet” in a mere thirty minutes.
Politicians and reporters took this claim seriously, as here was a group of expert hackers that had been engaged precisely because they had technical knowledge far beyond that of the establishment. But there was intense speculation within the computer underground about whether it was actually possible to shut down the entire Internet. Hacking culture blended fact with fiction in bombastic ways, after all. Had the L0pht merely invoked a cheat code of their own making to hack Congress?
Following the Congressional testimony, members of the L0pht were approached by other hackers who had attempted to determine if there really was a way to shut down the Internet. A handful of brand-new attacks emerged out of this genuine curiosity, but not the one the L0pht actually had in hand. In the end, the hackers revealed that the attack they had described to Congress targeted a bug in the border gateway protocol, used by critical infrastructure at network providers to move packets of information around the Internet.
Yet though there had been a real attack, the L0pht had indeed hacked Congress: vendors were informed of the bug before the testimony happened, and fixes were already in place by the time senators learned it was possible to bring the entire Internet down. This incident was shaped by what the members of the L0pht had been exposed to on BBSs like The Works: the convergence of sensational storytelling with real technical information.
Watching the L0pht’s testimony today, one can see that this motley crew of technologists was on the verge of big things. Shortly after their appearance in Washington, the hacker think tank was acquired by the security firm @Stake. L0pht members Chris Wysopal and Christien Rioux (aka Dildog) would go on to become founders of Veracode, a software-auditing firm that was later acquired by CA Technologies for $614 million.
Peiter Zatko (aka Mudge) has had an influential career in government and industry, with stints at DARPA and Google. L0pht affiliate and denizen of The Works Katie Moussouris became famous in the security industry for popularizing “bug bounties,” sums of money paid out if security vulnerabilities were disclosed to vendors before becoming public. All are now senior leaders of the computer-security industry.Yet though there had been a real attack, the L0pht had indeed hacked Congress: vendors were informed of the bug before the testimony happened, and fixes were already in place by the time senators learned it was possible to bring the entire Internet down.
In another instance of a programmer making good use of the cheat codes for life, famed software engineer and Stack Overflow cofounder Jeff Atwood got his start as a teenager who learned how to manipulate the telephone network via textfiles. Writing in his popular blog Coding Horror, Atwood described his early experiences with BBSs: “I was always fascinated with the tales from the infamous hacker zine 2600. I’d occasionally discover scanned issues in BBS ASCII archives…and spend hours puzzling over the techniques and information it contained.”
That information eventually landed him in trouble with the law. After he wrote a program that let users make use of calling-card numbers they did not own (mainly so that he could make free long-distance calls to BBSs), Atwood received a visit from the police and a computer trespass charge. Yet he harbors no regrets over the incident, which only pushed him deeper into computing and the myriad directions it could take enthusiast: “I must confess I’ve grown to love my own bad judgment. It’s led me to the most fascinating places.” Atwood was certainly not alone in this regard.
The textfiles written by computer hackers would get progressively more technical from the late 1990s through the early 2000s, but they never stopped blending factual information with creative storytelling. Nor did they stop encouraging sensational behavior in the real world. In fact, the stakes were dramatically raised as the Internet became an indispensable resource for the entire globe and security threats began to manifest themselves within it and against it. By looking at the activities of computer hackers in this later period, we can develop a clearer picture of common deception techniques used in technical contexts today.
Excerpted from A History of Fake Things on the Internet by Walter J. Scheirer, published by Stanford University Press, ©2024 by Walter Jerome Scheirer. All Rights Reserved.