Re: [ISN] 'Hacker' security biz built on FBI snitches

From: InfoSec News (isnat_private)
Date: Fri Jul 19 2002 - 09:00:44 PDT

    Forwarded from: Aj Effin Reznor <ajat_private>
    William/All.  While these articles may be timely, they're highly
    inaccurate.  Mr. Greene all but admits to publishing little more than
    rumour and crap with no fact checking or basis in reality.
    I would hope that bile of this nature does not pollute what is perhaps
    one of the few non-corporate security mailing lists left today.
    "InfoSec News was known to say....."
    > On Monday I reported a speech by Gweeds at H2K2, in which the grand
    > hypocrisy of hackers weaseling their way from the scene to the
    > mainstream by forming security outfits was denounced very nicely. A
    > torrent of e-mail denouncing him soon followed, some of which I've
    > posted here.
    Posted unattributed.  Perhaps in the future showing the author of a
    given mail may make it worth a little more; carry more weight or
    legitimacy. It can be assumed that since things like "facts" can easily
    erode all of this series of articles, Mr. Greene may find it in his
    best interest to not actually mention where anything came from.
    > Even I was attacked merely for reporting what he'd said. Suffice it
    > to
    Lest we go from reporting with integrity to tabloid journalism,
    reporting what someone said should be maybe replaced with fact
    checking.  Reporting rumours is hardly newsworthy.
    > He also named names in the speech, in particular ISS, L0pht/@Stake
    > and Sir Dystic, three prime examples of energetic blackhat pimping
    > for venture capital and cushy jobs, Gweeds believes. In particular,
    > he
    I don't see Sir Dystic having made a fortune off of Back Orifice, what
    may be his most well-known application to date.  I see him behaving
    rather responsibly to the newfound attention it garnered him.  Were he
    writing for a techy-based news site, he'd probably also check for the
    reality behind statements issued to him, unlike *some* people that
    come to mind.
    > expressed a suspicion that L0pht/@Stake was somehow connected to
    > NIPC (the National Infrastructure Protection Center), which may have
    > helped the h4x0r glam rockers gain credibility and rise in profile
    > among influential members of the federal bureaucracy. This
    > connection also helped get Mudge a high-profile hacker-hysteria FUD
    > session before Congress, he suspects.
    Sure, he *suspects* it.  Clever to just tag that on to the end.  He
    may also *suspect* that aliens live under the White House and that Al
    Gore created the Internet.  Suspicion of ideas does three things:  
    Jack.  Shit. Produce salivation in marginal journalists.
    > On Monday, when I posted the first item in this series, I didn't
    > know personally if the speech was punctiliously accurate, but it
    > absolutely rang true to me. All too true.
    It rang true?  Then you believe the content regardless of accuracy? It
    only rang loudly, because someone who admits sociopathic tendencies
    decided to stand in front of a crowded room and make alarming
    Pop sensationalism is the fix, and Mr. Greene behaved like a junkie.
    > Surely no one imagined that I wouldn't dig deeper into this
    > deliciously nasty confluence of FUD, favors and venture capital
    > flowing between the blackhat community and the Feds, with the cons
    > serving as a handy, mediating conduit.
    No, I'd fully imagine (and expect) that you wouldn't do a damn thing
    unless required to.
    > And indeed, Gweeds appears to have hit on a number of dirty little
    > secrets, though with a few minor inaccuracies, none of which is
    > sufficient to undermine his basic thesis. There does indeed appear
    > to be a circle jerk between commercialized blackhat sellouts and the
    > Feds; and the cons do appear, perhaps inadvertently, to provide the
    If Mr. Greene has not noticed yet, many companies, esp. those focusing
    on security, in particular computer/network/internet security, are
    commonly contacted by the Feds for a variety of reasons.  Can we
    expect l0pht to sellout into something as high-profile as @stake and
    NOT talk to Feds?
    > venue and privacy needed for such liaisons. And finally, there does
    > seem to be a significant amount of snitching for favors and 'trust'
    > building going on between the two 'communities', a la the despised
    > JP model.
    Care to share?  I haven't seen anything yet beyond suggestion and
    > Flamboyant anti-establishment gestures and costumes do not a
    > blackhat make. Your friendly neighborhood hacker turned young
    > security businessman may well be looking to 'develop' your exploit,
    > hack out a patch and pimp for proppies on BugTraq, and then rat you
    > out to the Feds for gain and favor. This is how it works:
    I'm not even sure what is attempted to be said here.
    > Soon after I posted my report Monday, @Stake's Chris Wysopal (aka
    > Weld Pond) vehemently denied any connection with NIPC to me in an
    > e-mail exchange. He further insisted that I 'correct' the
    > inaccuracies in Gweeds' statements. I explained that it wasn't
    > proper for me to edit someone else's words, or even to express
    > doubt, unless I believed or at least suspected that the statements
    > were inaccurate. In this case I didn't.
    Of course not!  Stated earlier it "rang true" to you, and was
    everything you were looking for.  When blindly following the cult
    leader, disciples rarely stop to check references along the way.
    > "I am not going to write a 'point of view' piece that is parallel to
    > an article that leads the reader to believe that patent falsehoods
    > are true. Letters to the editor are much different than qualifying
    > statements where they stand or issuing an errata," he replied.  
    > "[Several] statements by Gweeds are false. They were spoken by a man
    > with an agenda. You have become his FUD platform."
    > Me, a FUD platform -- right. There's a definite pot/kettle equation
    > in play here, as we'll see.
    No, not really.  Weld has always been something of a straight shooter.
    I don't see Mr. Greene shooting straight here at all.
    > And that is strictly correct, though not entirely true. NIPC is not
    > where L0pht's Fed relationship was developed. But according to
    > documents I've received, L0pht did have a relationship with FBI
    > Special Agent Dan Romando, or 'dann0' as they called him, a Boston
    > agent with a cybercrime-enforcement background. Our dann0 was an old
    > friend of Mudge's from high school; and our dann0 had also been an
    > intern in Senator Thompson's office before joining the FBI.
    Shocking news, Mr. Greene.  It's typical for Federal agents to
    approach workers in the security industry.  Why?  Typically, they know
    more.  They have a better feel for the pulse of what's really
    happening.  We aren't shielded by layers of firewalls or on protected
    networks.  Many of us are hanging out in the wind, taking hits,
    watching what happens.
    It should be of little news *to anyone with a clue* that Feds and
    private sector rub elbows.  Call it knowledge transfer, if you'd like,
    but many of us in the private sector are happy to share conceptual
    knowledge with a government that really needs help.  If our gov gets
    spanked, the whole nation gets spanked.
    > If you want to know how L0pht got an invitation to testify "at the
    > request of Senator Thompson," you'll find Agent Romando's hand all
    > over that one. Ditto for Mudge's famous meeting with then-President
    > Bill Clinton.
    Any documentation to share this one, or is the shot in the dark?
    > And why did dann0 Romando bother to help the L0pht cyber-ninjas gain
    > national fame? Was it out of friendly loyalty?
    It's been known to happen.
    > I wish it were. I have evidence indicating that L0pht members served
    > as confidential FBI informants and actively solicited dirt on fellow
    > blackhats. I have evidence indicating that they've offered to pay
    > cash for such information. And they name dann0 Romando specifically
    > as their FBI handler. That's right, those anti-establishment
    > pop-underground h4x0r heroes have at least attempted, probably with
    > success, to rat out their friends and enemies in service of good
    > relations with the FBI.
    Put up or shut up.
    > When a guy like Mudge addresses a gaggle of naive,
    > technically-illiterate Congressmen, claiming to be able to break
    > into any network on Earth, only a fool will imagine that the
    > consequence will be anything other than more Draconian laws. That's
    > how Congress
    No, the claim was that they could take down the entire Internet.  
    Even a gaggle of naive, technically-illiterate journalists could
    recognize the difference between compromising any machine or network
    and taking the Internet itself into non-existence.
    I see that history, not facts and conjecture, but document history,
    cannot even be reflected properly by the funhouse mirror that is Mr.
    > And Wysopal calls me a FUD platform....
    Hint:  You are.
    > 'Sploits for me, jail for you
    The Sploits rock!  Ever seen them play live?
    > Since you really don't have any skillz worth mentioning, no
    > background in computer science, no military cryptography training,
    > you'll have to learn to talk the talk. Outrageous clothes and
    > piercings (preferably from a nail gun), blue hair and bad skin
    > freely exhibited at cons are a big plus here. Journalists love this
    > kind of shit and will usually assign you a high, imaginary threat
    > level. Teenagers will too.
    Funny, sounds like you are describing Gweeds, your own pipeline to
    unfounded claims.
    > Develop relationships with members of the real blackhat underground.  
    > Hit them up for kewl new 'sploits they're using. Maybe pay cash for
    > them; maybe barter for them with other kewl 'sploits or illegal gear
    > you're cobbling up in your basement, like pager monitoring devices,
    > say.
    Once upon a time pager monitoring devices were legal.  Point is moot.
    > "Russ Cooper, who publishes the NTBugtraq newsletter exposing
    > security risks in Microsoft products, called the group "eight
    > brilliant geniuses."
    What, pray tell, has Mr. Greene himself done?  Clearly ignorant to the
    field of Information Technology Security, we can safely establish that
    he wouldn't recognize genius if he liberally skewered it.  Also taking
    for granted the words of a virtual unknown (whom Mr. Greene himself is
    "pimping" as a fount of knowledge) seems to be propagating the very
    cycle he is trying to establish as bad.  Bad reporter, bad!  No
    exclusive for you!
    > Go in front of Congress every chance you get: remind them of how
    > scared they should be. Tell them that the Internet is about to be
    If you aren't scared, you're either ignorant, or blind, or dumb, or...
    a journo.  But I repeat myself.  (Apologies to Mark Twain.)
    To those of you that read this far...HI!  Seriously, I don't enjoy
    ranting like this, people.  But the sad truth is that, as with other
    FUD, there are people out there believing it.  Some, I'm sure, on this

    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 12:29:59 PDT