There was this company — a big, well-known company at the time — that sold music online, meaning music on physical media: this was August 1999, and Napster, the first major online music sharing service, wouldn’t attract the ire of the music industry for nearly four more months. The company was pretty big then, though I don’t even know if they’re around any more. Probably they were bought by somebody at some point.
Anyway, they’d received an email from someone who called himself a freelance information security consultant, about how they had this terrible information security problem. As evidence that there really was a problem, and that he knew what it was, he sent along a file listing tens of thousands of credit card numbers belonging to their customers. For a mere $100,000, wired to a foreign bank account number, he would tell them how to fix their security problem.
Naturally, they were unhappy people, throwing around words like “extortion”. So they had some connection which brought them to us, and we sent out a consultant to see how quickly they could figure out and close the breach.
Our consultant flew to their city that evening on the red-eye, arriving early enough in the morning to have to wait in their lobby while enough people dragged themselves in to work that he could finally gain access to the server room.
He was sort of expecting a bunch of machines, running such a large site. The operation was not a small one at that point. And they did have a bunch of machines holding things like album cover images and track listings and the like, though they only had one Web server that processed purchases. The pages that a user needs to see in order to complete a purchase are pretty lightweight and straightforward, so one beefy machine was able to do it for the whole site.
“And where’s the database?” our consultant asked. It was on the machine, he was told. On that same machine. Our consultant thought, “That’ll be problem — this machine has to be reachable from the public Internet, and the database probably has a port open, and they probably have a shit password on the database, if any, so this guy was probably able to connect straight into the database from wherever he is and trick its gag reflex into vomiting up everything it’s got.” But even though that was in his head, what asked was, “What’s all that beeping?” Because ever since they’d come into the server room, the computer had been beeping in an irregular pattern that did not sound like what you’d want from the machine that made your company millions of dollars every month.
The escorting employee beamed. “Oh,” he or she said, “that’s how we know we’re making money!”
I’m told that the consultant we’d sent did not say, “You’re kidding me,” out loud.
The employee went on. “Our CEO wanted us to have a connection to every sale, so we could understand that what we were doing was affecting people’s lives right then, exactly that second. So every time a sale goes through, he wanted the machine to beep.” I’m told he or she sighed. “Unfortunately, the only way we can know for sure that an order was completed in real-time is to verify with both the Web server and the database. So we needed the database and Web server on the same machine.”
“And the Web server connects to the database over a network port, right?” our consultant asked.
“Of course,” the employee said. “Normally the database would be on a separate box, but we put them on the same machine so we could make a ‘ding’ when an order went through. The Web server connects back to the database, sitting on the same machine.”
“So you’ve got one machine, with Web ports and database ports open, sitting on the public Internet.”
The employee nodded. “Our firewall is supposed to be blocking that, though.”
I’m sure our consultant nodded patiently. The firewall, of course, was not. I heard that our guy was out of there after only a couple of hours, though we ended up charging them for a full day. We saved them 95% off of the hacker’s extortion racket, though, and I expect they were glad to pay it.
“So what happened?” I asked my boss.
“Fixed their firewall rules, I think,” said Phil.
“No,” I said, “I mean about all the credit cards that got stolen.”
He shrugged. “They’re already gone, right? And the breach is closed, right? So I don’t think they care.”
“But those cards’ll just get sold to the Russian mafia—”
“Uzbekistani, I think,” my boss corrected.
“Whatever. They really don’t care?”
“They care that they took care of the exposure. That’s all they’re required to do.” It varies from state to state in the U.S., but in 1999 the reality was that the Internet had grown up pretty fast. If you hadn’t been paying attention to information security for the last fifteen years, you could be convinced that these problems never could have been predicted.
My eyes drifted to a middle distance, as they usually do when I convince myself that I’m thinking about something in many different ways at the same time. Whether or not I truly am, I have no idea. But sometimes, interesting things come out of these moments.
I said, “So, hackers are war-dialing common ports across a bunch of servers on the Internet — common database ports, for example. And when their script gets a response, it gets logged. Then the hacker comes home from work —”
“—or school, and they check the list of Internet-accessible databases that their computer found for them during the day. Then they start making money.”
My boss leaned forward. “What we’re wondering,” he said, “is how we get people to scan themselves. Think about it: if you were the CEO or the CIO of a company, and every month you got a report that told you what your network looked like from the outside, maybe you’d feel great. Maybe you’d be interested in paying some small amount for a monthly or weekly scan of your perimeter to make sure some new admin hasn’t opened you up to something horrible since the last time you checked.”
“Because how else would you know?” I said, fully gripped by nausea.
“How else?” Phil asked. “That’s what we’re going to do: we’re going to build a scanner that can check any location on the Internet for known vulnerabilities, assemble a report and tell them how to fix things, if possible.”
I thought about it. “We’re going to create a database of all known vulnerabilities to Internet-facing server software, with nice text describing what they are and how the exploit works, if known, and how to fix it, if there is a fix. And we’re going to scan a bunch of sites constantly, to help them stay secure.”
“That’s the plan.”
The nerve that this touched in me at that moment was old, and went deep.
“We’ll be finding and tracking the open ports on hosts all across the Internet,” I said. “We’ll be uncovering what the Internet truly looks like, its real shape.”
He thought for a moment. “That’s one way to look at it.”
“I’m in,” I said.
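The "scan yourself" idea Phil lays out above comes down to a policy of which ports on your perimeter are supposed to answer from the outside, a probe that checks each one, and a report that flags the differences. Here is a small version of that check as an added example; it is not code from the original post or from the company in the story. It assumes nothing beyond the Python standard library: in place of a real perimeter, the demo opens two loopback listeners to stand in for the single server's Web and database ports (constructed for the example) and deliberately leaves a third port closed to stand in for a service the firewall really does block. Against real hosts you would run the same `scan()` from a vantage point outside your own firewall, against addresses you own, so the result reflects what the public Internet actually sees.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortPolicy:
    """One line of the perimeter policy: what a port on a host is for, and
    whether it is supposed to be reachable from outside the firewall."""
    host: str
    port: int
    service: str
    expect_reachable: bool


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect. True means the port answered, i.e. nothing between
    here and the host is blocking it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(policy):
    """Probe every policy entry and compare the answer with what the policy
    says should happen. A database port that answers when it shouldn't is
    exactly the 1999 finding."""
    findings = []
    for p in policy:
        reachable = tcp_reachable(p.host, p.port)
        findings.append({
            "host": p.host,
            "port": p.port,
            "service": p.service,
            "reachable": reachable,
            "status": "ok" if reachable == p.expect_reachable else "VIOLATION",
        })
    return findings


def violations(findings):
    """Only the entries where reality disagrees with the policy."""
    return [f for f in findings if f["status"] == "VIOLATION"]


def format_report(findings) -> str:
    """The monthly report the CEO or CIO would get: one line per checked port."""
    lines = ["host            port   service        reachable  status"]
    for f in findings:
        lines.append(f"{f['host']:<15} {f['port']:<6} {f['service']:<14} "
                     f"{str(f['reachable']):<10} {f['status']}")
    lines.append(f"{len(violations(findings))} violation(s) of perimeter policy")
    return "\n".join(lines)


def demo():
    """Constructed stand-in for the story's single purchase server: two
    loopback listeners play the Web and database ports, and a port we bind
    and release plays a service the firewall genuinely blocks."""
    web = socket.socket()
    web.bind(("127.0.0.1", 0))
    web.listen(5)
    db = socket.socket()
    db.bind(("127.0.0.1", 0))
    db.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing is listening on closed_port any more
    try:
        policy = [
            PortPolicy("127.0.0.1", web.getsockname()[1], "http", True),
            PortPolicy("127.0.0.1", db.getsockname()[1], "database", False),
            PortPolicy("127.0.0.1", closed_port, "admin-console", False),
        ]
        findings = scan(policy)
        print(format_report(findings))
        return findings
    finally:
        web.close()
        db.close()


if __name__ == "__main__":
    demo()
```

Running it prints a three-line report in which the `http` and `admin-console` rows read `ok` and the `database` row reads `VIOLATION`, because the database listener answered a connection from outside the host even though the policy said it must not. Keeping the policy as data rather than hard-coding ports is what lets the same scan be re-run every week, so a new admin opening a port shows up in the next report instead of in an extortion email.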