From jericho@attrition.org Fri Jan 21 17:03:49 2000
From: cult hero
To: john_taschek@zd.com
Cc: eric_lundquist@zd.com, john_dodge@zd.com, linda_bridges@zd.com, rob_oregan@zd.com, susan_troy@zd.com, stan_gibson@zd.com, peter_coffee@zd.com, ken_siegal@zd.com, michael_zimmerman@zd.com, Doctor Mudge, Space Rogue, Weld Pond, errata submission
Date: Fri, 21 Jan 2000 12:58:36 -0700 (MST)
Subject: "I can't believe what I am reading"

http://www.zdnet.com/pcweek/stories/news/0,4153,2420340,00.html

Mr. Taschek & ZD Editors:

You sum it up best with "I can't believe what I am reading". I am guessing your piece would be an excellent primer for "What is a fluff piece" at a third rate journalism school.

As I read your article, I still can't figure out how Attrition (a hobby web site) comes into this. That an information security web site with a wide variety of pages ranging from Calamari Rating to Music Reviews to Security Advisories has an opinion worth noting in a piece like this. Surely you could have found a bigger and more known site that supports l0pht to help your weak assertions? Either way, we are flattered to be recognized as such an important opinion.

> But by far the oddest thing to happen is that the hackers (or, as the fundamentalist technologists say, crackers) who went by the name L0pht Heavy Industries have now become full-scale security consultants. Does this bode ill for the nation's security, or what? Is everyone off their rocker?

Only you are. To date, I have seen no one claim that a single l0pht member is a cracker. Further, I hate to burst your bubble but most of the l0pht members *have* been security consultants for many years. If you take the time to actually READ their web page (http://www.l0pht.com/products.html#consult), you would see they have offered all of the standard security consulting practices for some time.

> I can't believe what I'm reading. I also can't believe I'm writing about it, since dealing with people who have exhibited criminal tendencies is not a business I want to be in.

They have exhibited criminal tendencies as much as you have. Do you forget that libel and slander are crimes?

> L0pht was a highly publicized group of hackers who started out cracking security systems and then, somewhere along the line, became somewhat legitimate because they began to document what they were doing on the L0pht.com Web site. L0pht also develops software that allows users to crack operating system passwords in a matter of hours.

"Became somewhat legitimate"? Excuse me, but once again they were never criminals, never malicious, and never broke the law to begin with. This is outright libel.

> To get an idea how strange it is for a security firm to hire L0pht personnel, you only need to look at the Attrition.org Web site, which highlights L0pht.

What?! Attrition is a hobby web site. How does that give anyone an idea how strange it is? Further, we link to Hacker News Network (HNN), not the l0pht. At one point we linked to the l0pht along with 9 other sites, but they were all links of the same kind. Certainly not 'highlighted'.

> Attrition's motto is, "We're easy to get along with once you learn to worship us."

Since you are obviously fresh out of school, it might be wise for you to link to us to support your comments. That is not our motto. We have amusing quotes on our front page but they rotate frequently. If you had bothered checking in the last couple of weeks, you would see it has changed again. Perhaps we will put up ZDNet's motto next: "We write fluff pieces to steal your money moron". That seems fair.

> Lo and behold, the vice president of R&D at @Stake is none other than Professor Mudge, the chief scientist at L0pht. I can just imagine Mudge hacking and cracking to his heart's content, simply to find weaknesses at those multinational companies, which then would become @Stake's new customers.

You have a bad sense of timing. You should have committed this libel before they had a ten million dollar backing. Now they have the financial resources to sue the living hell out of you. I am sure they will not waste the time on a third rate media outlet such as ZDNet, but one can certainly hope. Your implication that Mudge hacks companies to get them as clients is a very dangerous one. The FBI is currently investigating any such claim over any security company. If one of their lesser than clued in agents read this and got a bug up his ass, he could easily start an investigation into Mudge or the l0pht, all because of your petty fluff piece.

> But L0pht's history shows that the group is not ethical, maintained practices that bordered on being illegal and is simply downright scary.

And of course, like a third rate journalist you don't back up this statement. Care to point out a single part of their history that backs these claims? Of course not, you're with ZDNet. We stopped expecting quality material from them some time ago.

> I wouldn't want any organization that hired the brain trust of L0pht as my security consultant.

So who would you hire? ISS? NAI? Do you really think they operate without a single hacker employed? Only difference is the REAL unethical hackers work for other companies.

To sum it up, this piece is completely unfounded, libelous, and poorly written. Not only do you make these absurd claims, drag our site which has nothing to do with the l0pht into it, you don't even link to either site to *attempt* to back your weak claims. I thought journalists learned these basic practices early on in school. Fact check, quote your sources, back your claims. Seems logical to do so rather than risk a lawsuit for libel.

Well, all I can say is "welcome to errata" (http://www.attrition.org/errata/). As soon as we are done 'highlighting' the l0pht, we'll be adding your piece to the collection.

Brian Martin
Attrition Staff