[ISN] L0pht in Transition

From: InfoSec News (alerts@private)
Date: Tue Apr 24 2007 - 00:08:55 PDT


http://www.csoonline.com/read/040107/fea_lopht.html

By Michael Fitzgerald
CSOonline
April 2007 Issue

Brian Oblivion. Kingpin. Mudge. Space Rogue. Stefan von Neumann. Tan. 
Weld Pond. That's how the hacker group called the L0pht appeared before 
the Senate Subcommittee on Government Cybersecurity on May 19, 1998. 
They said, among other things, that they could take down the Internet in 
30 minutes. The senators listened closely and afterward praised them 
effusively.

It was a landmark moment for hackers, shunned, derided and loathed by 
the technology industry. And it was a landmark for the L0pht too. Though 
the group was already known for its vulnerability disclosures, for the 
Hacker News Network, for tools like the hash cracking tool L0phtCrack, 
"now everybody [in the hacking community] wanted to be the L0pht," 
remembers Jeff Moss, founder of the Black Hat and Defcon security 
conferences.

Not bad for a group that got its start when someone's wife said it was 
time to get his computers out of the bathtub.

The L0pht shaped the way disclosures are handled and helped force 
vendors like Microsoft to change the way they address software security 
flaws. There's no question, either, that by raising the visibility of 
security problems, the group spurred companies to begin paying more 
attention to security. "You knew you'd better rattle your own doorknobs 
before the hackers did," says John Pescatore, a longtime information 
security analyst at Gartner.

Some think, though, that visibility has hurt software security. "They 
were the Led Zeppelin of gray hat hacking," says Marcus Ranum, who is 
credited with creating the first commercial firewall product and is now 
CSO at Tenable Network Security. "By releasing gray hat tools and 
techniques they were able to get a tremendous amount of attention. And 
they opened the floodgates for all the bottom feeders that followed 
them."

Ironically, it was Ranum himself who helped give the L0pht credibility. 
As CEO of NFR, which made software to find intruders on corporate 
networks, Ranum used the L0pht's vulnerability research to strengthen his 
product, and hired the L0pht both to do a code review and to write 
modules for his product, giving the group a legitimate corporate client 
to tout. He says he considers the L0pht members his friends and says 
they are great guys. But he thinks those who have followed them find 
vulnerabilities almost as a way to blackmail corporations. He blames the 
L0pht, saying, "They have changed the industry for the worse."

Nothing in the L0pht's emergence from Boston's bulletin board community in 
1992 suggested it would achieve any more notoriety than other hacker 
collectives of the day. Brian Oblivion, a hacker with strong interests 
in radio communications, founded the group. Oblivion declined to be 
interviewed for this article, saying via Space Rogue that he was too 
busy. Chris Wysopal, who joined the L0pht in late 1992 as Weld Pond (a 
handle chosen by pointing at random at a map of the Boston area, because 
the bulletin board The Works forbade members to use real names), says 
that Oblivion had so many computers in the bathroom that his wife 
couldn't use it anymore. She gave the group space in the South End 
artists' loft where she made hats. And for several years, the L0pht was 
just a place for Oblivion and his friends to hang out after work and 
store their growing collection of computing equipment.

Among those friends were Space Rogue and a teenage hacker and 
skateboarder named Joe Grand, who went by the handle Kingpin (named for 
the bolt that runs through the truck, or axle, of a skateboard).

Grand calls from the road. He's often on the road, literally: he is a 
triathlete good enough to have a sponsor. He's 31 now and runs his own 
San Diego design shop, Grand Idea Studio, which has designed RFID and 
GPS modules for Parallax, an in-game videocamera for Gamecaster, and his 
best design yet, a video game accessory that he has licensed but can't 
talk about.

Grand, an electrical engineer, has also written two books on hardware 
hacking and is a technical adviser to Make magazine. If all goes well 
with a pilot he's recently shot, this fall we'll see him on an engineering 
show on the Discovery Channel. Yet he's nostalgic about the L0pht.

"I'm having a really hard time with realizing that I'm twice as old as 
when I joined the L0pht," he says. "We did so many great things; what 
can I do to top that?"

The L0pht originally built a network so they could play Doom against 
each other. But they got more serious in 1994 and 1995, shedding some 
members and adding others with specific technical skills that 
complemented the group. They moved to a larger space in Watertown, Mass.

Excepting Grand, who was still in high school, all of the L0pht held 
various day jobs, often working together at places like CompUSA, 
Massachusetts General Hospital or BBN Technologies, the fabled research 
lab (Weld Pond, Brian Oblivion, Mudge and Silicosis all worked there at 
some point). They kept their identities hidden, in part to keep their 
day jobs. Everyone in the hacking community knew Dan Farmer had been 
fired from his job for releasing the Satan network analyzer. But the 
group wanted to turn the L0pht into a day job.

The charismatic, long-tressed Peiter "Mudge" Zatko had emerged as the 
group's public face, if not its de facto leader. He developed, along with 
Wysopal, L0phtCrack, a tool that revealed weak passwords. Released in 
1997, it's still available on some websites today. "Back then, the 
companies would pretend [vulnerabilities] weren't real," says Bruce 
Schneier, the noted cryptographer and CTO of BT Counterpane. Schneier 
says the L0pht's ability to build tools like L0phtCrack forced vendors to 
address security problems. "That's the reason we have more secure software 
today. If it wasn't for that, Microsoft would still be belittling, 
insulting and suing researchers," he says.

By late 1998, the L0pht was actively trying to attract venture capital 
and turn itself into a real business: it had pushed out Stefan von Neumann 
and a couple of other short-lived members, and hired Christien Rioux 
(known as Dildog) and Paul Nash (known as Silicosis) to support 
L0phtCrack and do custom work for companies like NFR. The L0pht was not 
the first group of hackers to offer professional services or tools, but 
even in the giddy late 1990s, hackers still had an unsavory reputation. 
Finally, @stake, a security consulting firm, came to the group with $10 
million in VC money and told the L0pht it could continue its research. 
The members voted to join it.

Even so, that merger, announced Jan. 10, 2000, marked the symbolic end 
of the L0pht. Over the next few years, its members were fired or drifted 
away, and @stake itself was gobbled up by Symantec in 2004. The only 
member of the L0pht still there is Nash. The transition was particularly 
difficult for Zatko, who spent six months on disability and left @stake 
after just two years.

Today, Zatko's office at BBN is a rest area for sundry things. There's a 
dead computer on a chair, and a working circa-1940s polygraph machine on 
a table. In a corner are two fishing rods and an antenna, part of an 
impromptu communications experiment. There's a guitar signed by one-time 
porn stars Barbara Dare and Jamie Summers. A bound copy of the L0pht's 
testimony in front of the Senate is on a shelf. On one wall hangs a 
picture of him with President Bill Clinton and Vinton Cerf, in which 
Zatko's light brown hair is still rock-star length. It's short now, parted 
in the middle. He has a goatee and wears glasses. He's sore from a boxing 
workout the night before, a reminder that he's in his late 30s.

Zatko says he can't talk about what he does at BBN, other than to say it's 
security-related and for some unmentionable three-lettered government 
agencies. He also says he returned to BBN, which employed him in the 
1990s, before the L0pht was his job, in part because BBN told him there 
could be no publicity about the projects he was working on. "That was 
attractive as hell," he says.

But Zatko can't seem to stay out of the spotlight. He is the obvious 
model for Soxster, one of the main characters in former cyberczar 
Richard A. Clarke's new novel, Breakpoint (the L0pht itself appears as 
the Dugout). And he acknowledges that he still wants to "make a dent in 
the universe," the old motto of the L0pht.

After an hour of talking about the L0pht, Zatko suggests a tour of the 
older parts of the BBN laboratory in Cambridge, dating from when it was 
an acoustics consultancy. He shows off the silent room, the 
amplification room, the sonar tank, the place where it developed 
Boomerang, a technology being used in Iraq to help find snipers, and he 
talks about how much he likes the variety of the cool ideas BBN pursues.

"Originally, the L0pht was meant as a microcosm of here," he says, with a 
wistful expression.

The spirit of the L0pht lives on most directly at Veracode, the security 
software company started by Wysopal and Rioux after they left Symantec 
in 2005. The company launched at the RSA Security Conference in 
February.

Wysopal, post-L0pht, helped codify responsible disclosure policies and 
establish the Organization of Internet Safety, and while starting 
Veracode he also managed to be lead author of The Art of Software 
Security Testing, published in December 2006.

Wysopal, at a rangy 6 foot 2 inches, was the tallest member of the L0pht 
and the oldest (he's now 41). Rioux (whose handle Dildog was the original 
name Dilbert creator Scott Adams gave to Dogbert) was the shortest and 
youngest (now 29).

In early January, sitting in the conference room at Veracode, the two 
play Click-and-Clack about their time at the L0pht, and the purpose of 
Veracode, which in a real sense extends the L0pht's mission: to make 
software more secure, in this case by offering a Web-based service that 
automatically checks software for security flaws, via a clever, and 
patented, technique for data flow modeling and control flow analysis 
developed by Rioux.

Told of Ranum's comments, Rioux makes a slight grimace. "The days are over 
when we should be flinging mud over the Internet about vulnerabilities," 
he says.

Veracode has pulled in $19.5 million in capital from Polaris Venture 
Partners, Atlas Venture and .406 Ventures. While it has competitors, 
such as Coverity, Fortify and Ounce Labs, Veracode's approach is "a cool 
spin on existing security technology," according to Gartner's Pescatore.

Both Wysopal and Rioux believe Veracode is ready to sharply reduce the 
world's total number of software vulnerabilities.

The L0pht, then, is now unquestionably legitimate, and its evolution 
serves as a metaphor for the security business, which is now 
mainstream. Companies like Microsoft and Oracle have developed methods 
to take care of vulnerabilities, and the L0pht deserves some credit for 
that turn of events. While the disclosure wars are again raging, thanks 
to bug-a-day campaigns and other ploys by the hackers of today, the 
L0pht's overall impact on corporate security has been positive, say many, 
including Howard Schmidt, who knew the L0pht both in his role as a 
computer forensics investigator at the Air Force and as CSO at 
Microsoft.

Still, some vendors continue to try to shove security issues under the 
rug, and there is no question that more of the Internet is under attack 
today than ever before. So what of that?

Peter Neumann (no relation to the L0pht's Stefan von Neumann) is 74 and 
still a principal scientist at SRI, working on security issues. He also 
testified before the Senate subcommittee on that day in May 1998. He 
says security vulnerabilities are a part of a much bigger set of 
problems that have existed for 40 years and probably will exist 40 years 
from now. But he chuckles when asked about the L0pht, saying, "They were 
pointing out that the emperor has no clothes on, and nobody wants to 
hear that, but they did it in a tasteful way that made people listen. 
They made a difference."

2002-2007 CXO Media Inc. All rights reserved.

