[ISN] 'Hacker' security biz built on FBI snitches

From: InfoSec News (isnat_private)
Date: Thu Jul 18 2002 - 05:16:29 PDT

    http://www.theregister.co.uk/content/55/26247.html
    
    By Thomas C Greene in Washington
    Posted: 17/07/2002 at 18:59 GMT
    
    On Monday I reported a speech by Gweeds at H2K2, in which the grand
    hypocrisy of hackers weaseling their way from the scene to the
    mainstream by forming security outfits was denounced very nicely. A
    torrent of e-mail denouncing him soon followed, some of which I've
    posted here.
    
    Even I was attacked merely for reporting what he'd said. Suffice it to
    say that Gweeds has managed to piss off a large number of scene
    denizens past and present, though I suspect this is connected to his
    apparently athletic promiscuity: he's tied for second in the hacker
    sex chart v. 9.28, with 27 links. [1] No doubt he's 0wned the wrong
    bitch from time to time, steadily adding to his enemies list.
    
    He also named names in the speech, in particular ISS, L0pht/@Stake and
    Sir Dystic, three prime examples of energetic blackhat pimping for
    venture capital and cushy jobs, Gweeds believes. In particular, he
    expressed a suspicion that L0pht/@Stake was somehow connected to NIPC
    (the National Infrastructure Protection Center), which may have helped
    the h4x0r glam rockers gain credibility and rise in profile among
    influential members of the federal bureaucracy. This connection also
    helped get Mudge a high-profile hacker-hysteria FUD session before
    Congress, he suspects.
    
    On Monday, when I posted the first item in this series, I didn't know
    personally if the speech was punctiliously accurate, but it absolutely
    rang true to me. All too true.
    
    Surely no one imagined that I wouldn't dig deeper into this
    deliciously nasty confluence of FUD, favors and venture capital
    flowing between the blackhat community and the Feds, with the cons
    serving as a handy, mediating conduit.
    
    And indeed, Gweeds appears to have hit on a number of dirty little
    secrets, though with a few minor inaccuracies, none of which is
    sufficient to undermine his basic thesis. There does indeed appear to
    be a circle jerk between commercialized blackhat sellouts and the
    Feds; and the cons do appear, perhaps inadvertently, to provide the
    venue and privacy needed for such liaisons. And finally, there does
    seem to be a significant amount of snitching for favors and 'trust'
    building going on between the two 'communities', a la the despised JP
    model.
    
    Flamboyant anti-establishment gestures and costumes do not a blackhat
    make. Your friendly neighborhood hacker turned young security
    businessman may well be looking to 'develop' your exploit, hack out a
    patch and pimp for proppies on BugTraq, and then rat you out to the
    Feds for gain and favor. This is how it works:
    
    FUD platform
    
    Soon after I posted my report Monday, @Stake's Chris Wysopal (aka Weld
    Pond) vehemently denied any connection with NIPC to me in an e-mail
    exchange. He further insisted that I 'correct' the inaccuracies in
    Gweeds' statements. I explained that it wasn't proper for me to edit
    someone else's words, or even to express doubt, unless I believed or
    at least suspected that the statements were inaccurate. In this case I
    didn't.
    
    "I'm going to let it stand, again because any inaccuracies are his,
    not mine, and I prefer to let readers make up their own minds about
    it. However, last night I did post your and several other people's
    letters criticizing his talk," I replied.
    
    I'd also put a link to that letters page in the original story so
    readers can easily find the counterpoint. Finally, I invited Wysopal
    to write a rebuttal, which I offered to publish on The Register.
    
    "I am not going to write a 'point of view' piece that is parallel to
    an article that leads the reader to believe that patent falsehoods are
    true. Letters to the editor are much different than qualifying
    statements where they stand or issuing an errata," he replied.  
    "[Several] statements by Gweeds are false. They were spoken by a man
    with an agenda. You have become his FUD platform."
    
    Me, a FUD platform -- right. There's a definite pot/kettle equation in
    play here, as we'll see.
    
    dann0
    
    According to Wysopal, Gweeds got a number of facts wrong. "There is no
    evidence that the L0pht testified at the behest of NIPC. NIPC was
    formed two months prior to our testimony. We didn't even speak to
    anyone from NIPC until much, much later. The L0pht testified at the
    request of Senator Thompson. This coincided with a GAO report on the
    weaknesses of government security. Our testimony did not mention a
    criminal solution to the government security problem. We were not
    advocating an increased cyber police force or increased penalties."
    
    And that is strictly correct, though not entirely true. NIPC is not
    where L0pht's Fed relationship was developed. But according to
    documents I've received, L0pht did have a relationship with FBI
    Special Agent Dan Romando, or 'dann0' as they called him, a Boston
    agent with a cybercrime-enforcement background. Our dann0 was an old
    friend of Mudge's from high school; and our dann0 had also been an
    intern in Senator Thompson's office before joining the FBI.
    
    If you want to know how L0pht got an invitation to testify "at the
    request of Senator Thompson," you'll find Agent Romando's hand all
    over that one. Ditto for Mudge's famous meeting with then-President
    Bill Clinton.
    
    And why did dann0 Romando bother to help the L0pht cyber-ninjas gain
    national fame? Was it out of friendly loyalty?
    
    I wish it were. I have evidence indicating that L0pht members served
    as confidential FBI informants and actively solicited dirt on fellow
    blackhats. I have evidence indicating that they've offered to pay cash
    for such information. And they name dann0 Romando specifically as
    their FBI handler. That's right, those anti-establishment
    pop-underground h4x0r heroes have at least attempted, probably with
    success, to rat out their friends and enemies in service of good
    relations with the FBI.
    
    Relations, I should add, that paved the way for their splashy media
    hagiography. We can safely infer a pretty significant haul of
    snitch-work behind dann0's generosity in assisting this monumental
    fraud.
    
    And as for not advocating increased penalties for cyber-wrongdoing,
    that's just window dressing. L0pht was in fact spreading cyber-terror
    FUD to fuel expensive national cyber-defence measures and increased
    penalties for hackers while exhibiting themselves as both the emblem
    of the Dark Forces America has to fear, and her White Knights of
    salvation.
    
    When a guy like Mudge addresses a gaggle of naive,
    technically-illiterate Congressmen, claiming to be able to break into
    any network on Earth, only a fool will imagine that the consequence
    will be anything other than more Draconian laws. That's how Congress
    deals with threats. That's how Congress has always dealt with threats:  
    give more money to the Feds for investigation and enforcement, bump up
    the penalties, and let the evil bastards rot. There is no other
    outcome to be expected from testimony like that. And sure enough,
    nowadays hacking can lead to a life sentence.
    
    And Wysopal calls me a FUD platform....
    
    'Sploits for me, jail for you
    
    So how does some cheese-eater gang of l4m3r
    blackhats-turned-security-advisors make its bones in the wider world
    of legitimate security services? Gweeds talked about a 'model' of
    selling out, and I'd like to add my own contribution to it. It goes
    like this:
    
    Since you really don't have any skillz worth mentioning, no background
    in computer science, no military cryptography training, you'll have to
    learn to talk the talk. Outrageous clothes and piercings (preferably
    from a nail gun), blue hair and bad skin freely exhibited at cons are
    a big plus here. Journalists love this kind of shit and will usually
    assign you a high, imaginary threat level. Teenagers will too.
    
    Develop relationships with members of the real blackhat underground.  
    Hit them up for kewl new 'sploits they're using. Maybe pay cash for
    them; maybe barter for them with other kewl 'sploits or illegal gear
    you're cobbling up in your basement, like pager monitoring devices,
    say.
    
    Rely on the fact that your grateful FBI handler will see that you
    never get raided. When you do receive a new exploit, either by paying
    cash or through barter, pretend it's yours. Don't worry; the real
    blackhat doesn't want publicity, believe me. Develop the exploit,
    refine it, and at the same time develop a patch or at least a
    workaround. Post to BugTraq and PacketStorm. Receive proppies from
    envious wannabes and be worshiped by dumbfuck security journalists.  
    Apply for VC, and develop a shell corporation containing people with
    actual business experience to receive and manage the money for you.
    
    Hire eager PR flacks who can tell your fascinating story to the press
    in the simplistic, hagiographic terms they prefer to be fed, the way
    ABC News drones lapped up this drivel:
    
    "[L0pht], described as a 'hacker think tank,' testified about lax
    computer security before the Senate Governmental Affairs Committee in
    May 1998. They said any of them could easily bring down the Internet
    in North America, although other experts dismissed the claims as
    exaggerated. Committee Chairman Fred Thompson allowed L0pht's members
    to use only their on-line handles 'due to the sensitivity of their
    work.'"
    
    And be sure to get your peers to pimp for you; remember, the more
    31337 they think you are, the better for everyone else in the biz:
    
    "Russ Cooper, who publishes the NTBugtraq newsletter exposing security
    risks in Microsoft products, called the group 'eight brilliant
    geniuses.'"
    
    Like Mudge, call yourself a "Chief Scientist," or like Marc Maiffret,
    a "Chief Hacking Officer" or like Russ Cooper, a "Surgeon General".  
    Only journos like myself will actually laugh in your face, so it's a
    pretty safe practice.
    
    Keep trading with the blackhats, and release your occasional
    'discoveries' which they make possible. Ensure that your PR flacks
    spam the living shit out of every journo on the planet whenever this
    occurs.
    
    Go in front of Congress every chance you get: remind them of how
    scared they should be. Tell them that the Internet is about to be
    brought down, along with planes and trains and power grids, and tell
    them how you can hack the Apache server at www.MinuteMan.mil and
    launch a withering nuclear assault on Kansas City with your lame
    Windoze box.
    
    And don't be wasteful with precious resources. Just as a cook will use
    the bones from a carcass to make delicious stock, if a blackhat whose
    work you've been plagiarizing runs out of new tricks, you can always
    toss him to the FBI for additional mileage. Maybe you can even get him
    busted for the shit you sold him, haha.
    
    Now that's what I call a business model.
    
    Note: L0pht/@Stake declined two invitations to comment for this
    article.
    
    Related Link
    
    Mudge's hilarious hagiography [2], telling us among other things that
    he's "a renowned scientist in cryptanalysis." And asserting that he's
    "consulted and even conducted training courses for members of
    Congress, the Department of Justice, NASA, the US Air Force, and other
    government agencies."
    
    [1] http://www.attrition.org/hosted/sexchart/sexchart.9.28 
    [2] http://www.hostingtech.com/security/01_00_mudge.html
    