[Infowarrior] - L0pht in Transition

Richard Forno rforno at infowarrior.org
Thu Apr 19 21:49:25 UTC 2007


From CSOonline.com
Information Security
L0pht in Transition

http://www.csoonline.com/read/040107/fea_lopht_pf.html

Most of the '90s hacking group have emerged in legitimate roles. Was their
work ultimately boon or bane for security?

By Michael Fitzgerald

Brian Oblivion. Kingpin. Mudge. Space Rogue. Stefan von Neumann. Tan. Weld
Pond. That’s how the hacker group called the L0pht appeared before the
Senate Subcommittee on Government Cybersecurity on May 19, 1998. They said,
among other things, that they could take down the Internet in 30 minutes.
The senators listened closely and afterward praised them effusively.

It was a landmark moment for hackers, shunned, derided and loathed by the
technology industry. And it was a landmark for the L0pht too. Though the
group was already known for its vulnerability disclosures, for the Hacker
News Network, for tools like the hash cracking tool L0phtCrack, now
“everybody [in the hacking community] wanted to be the L0pht,” remembers
Jeff Moss, founder of the Black Hat and Defcon security conferences.

Not bad for a group that got its start when someone’s wife said it was time
to get his computers out of the bathtub.

The L0pht shaped the way disclosures are handled and helped force vendors
like Microsoft to change the way they address software security flaws.
There’s no question, either, that by raising the visibility of security
problems, the group spurred companies to begin paying more attention to
security. “You knew you’d better rattle your own doorknobs before the
hackers did,” says John Pescatore, a longtime information security analyst
at Gartner.

Some think, though, that visibility has hurt software security. “They were
the Led Zeppelin of gray hat hacking,” says Marcus Ranum, who is credited
with creating the first commercial firewall product and is now CSO at
Tenable Network Security. “By releasing gray hat tools and techniques they
were able to get a tremendous amount of attention. And they opened the
floodgates for all the bottom feeders that followed them.”

Ironically, it was Ranum himself who helped give the L0pht credibility. As
CEO of NFR, which made software to find intruders on corporate networks,
Ranum used the L0pht’s vulnerability research to strengthen his product, and
hired the L0pht both to do a code review and to write modules for his
product, giving the group a legitimate corporate client to tout. He says he
considers the L0pht members his friends and says they are “great guys.” But
he thinks those who have followed them find vulnerabilities almost as a way
to blackmail corporations. He blames the L0pht, saying, “They have changed
the industry for the worse.”

Nothing in the L0pht’s emergence from Boston’s bulletin board community in
1992 suggested it would achieve any more notoriety than other hacker
collectives of the day. Brian Oblivion, a hacker with strong interests in
radio communications, founded the group. Oblivion declined to be interviewed
for this article, saying via Space Rogue that he was too busy. Chris
Wysopal, who joined the L0pht in late 1992 as Weld Pond (a handle chosen by
pointing at random at a map of the Boston area, because the bulletin board
The Works forbade members to use real names), says that Oblivion “had so
many computers in the bathroom that his wife couldn’t use it anymore.” She
gave the group space in the South End artist’s loft where she made hats. And
for several years, the L0pht was just a place for Oblivion and his friends
to hang out after work and store their growing collection of computing
equipment.

Among those friends were Space Rogue and a teenage hacker and skateboarder
named Joe Grand, who went by the handle Kingpin (named for the bolt that
runs through the truck, or axle, of a skateboard).

Grand calls from the road. He’s often on the road, literally―he is a
triathlete good enough to have a sponsor. He’s 31 now and runs his own San
Diego design shop, Grand Idea Studio, which has designed RFID and GPS
modules for Parallax, an in-game videocamera for Gamecaster, and his best
design yet, a video game accessory that he has licensed but can’t talk
about.

Grand, an electrical engineer, has also written two books on hardware
hacking and is a technical adviser to Make magazine. If all goes well with a
pilot he’s recently shot, this fall we’ll see him on an engineering show on
the Discovery Channel. Yet he’s nostalgic about the L0pht.

“I’m having a really hard time with realizing that I’m twice as old as when
I joined the L0pht,” he says. “We did so many great things―what can I do to
top that?”

The L0pht originally built a network so they could play Doom against each
other. But they got more serious in 1994 and 1995, shedding some members and
adding others with specific technical skills that complemented the group.
They moved to a larger space in Watertown, Mass.

Excepting Grand, who was still in high school, all of the L0pht held various
day jobs, often working together at places like CompUSA, Massachusetts
General Hospital or BBN Technologies, the fabled research lab (Weld Pond,
Brian Oblivion, Mudge and Silicosis all worked there at some point). They
kept their identities hidden, in part to keep their day jobs. Everyone in
the hacking community knew Dan Farmer had been fired from his job for
releasing the SATAN network analyzer. But the group wanted to turn the L0pht
into a day job.

The charismatic, long-tressed Peiter “Mudge” Zatko had emerged as the
group’s public face, if not its de facto leader. He developed, along with
Wysopal, L0phtCrack, a tool that revealed weak passwords. Released in 1997,
it’s still available on some websites today. “Back then, the companies would
pretend [vulnerabilities] weren’t real,” says Bruce Schneier, the noted
cryptographer and CTO of BT Counterpane. Schneier says the L0pht’s ability
to build tools like L0phtCrack forced vendors to address security problems.
“That’s the reason we have more secure software today. If it wasn’t for
that, Microsoft would still be belittling, insulting and suing researchers,”
he says.

By late 1998, the L0pht was actively trying to attract venture capital and
turn itself into a real business―it had pushed out Stefan von Neumann and a
couple of other short-lived members, and hired Christien Rioux (known as
Dildog) and Paul Nash (known as Silicosis) to support L0phtCrack and do
custom work for companies like NFR. The L0pht was not the first group of
hackers to offer professional services or tools, but even in the giddy late
1990s, hackers still had an unsavory reputation. Finally, @stake, a security
consulting firm, came to the group with $10 million in VC money and told the
L0pht it could continue its research. The members voted to join it.

Even so, that merger, announced Jan. 10, 2000, marked the symbolic end of
the L0pht. Over the next few years, its members were fired or drifted away,
and @stake itself was gobbled up by Symantec in 2004. The only member of the
L0pht still there is Nash. The transition was particularly difficult for
Zatko, who spent six months on disability and left @stake after just two
years.

Today, Zatko’s office at BBN is a rest area for sundry things. There’s a
dead computer on a chair, and a working circa-1940s polygraph machine on a
table. In a corner are two fishing rods and an antenna, part of an impromptu
communications experiment. There’s a guitar signed by one-time porn stars
Barbara Dare and Jamie Summers. A bound copy of the L0pht’s testimony in
front of the Senate is on a shelf. On one wall hangs a picture of him with
President Bill Clinton and Vinton Cerf, in which Zatko’s light brown hair is
still rock-star length. It’s short now, parted in the middle. He has a
goatee and wears glasses. He’s sore from a boxing workout the night before,
a reminder that he’s in his late 30s.

Zatko says he can’t talk about what he does at BBN, other than to say it’s
security-related and for some unmentionable three-lettered government
agencies. He also says he returned to BBN, which employed him in the 1990s,
before the L0pht was his job, in part because BBN told him there could be no
publicity about the projects he was working on. “That was attractive as
hell,” he says.

But Zatko can’t seem to stay out of the spotlight. He is the obvious model
for “Soxster,” one of the main characters in former cyberczar Richard A.
Clarke’s new novel, Breakpoint (the L0pht itself appears as “the Dugout”).
And he acknowledges that he still “wants to make a dent in the universe,”
the old motto of the L0pht.

After an hour of talking about the L0pht, Zatko suggests a tour of the older
parts of the BBN laboratory in Cambridge, dating from when it was an
acoustics consultancy. He shows off the silent room, the amplification room,
the sonar tank, the place where it developed Boomerang―a technology being
used in Iraq to help find snipers―and he talks about how much he likes the
variety of the cool ideas BBN pursues.

“Originally, the L0pht was meant as a microcosm of here,” he says, with a
wistful expression.

The spirit of the L0pht lives on most directly at Veracode, the security
software company started by Wysopal and Rioux after they left Symantec in
2005. The company launched at the RSA Security Conference in February.

Wysopal post-L0pht helped codify responsible disclosure policies and
establish the Organization of Internet Safety, and while starting Veracode
he also managed to be lead author of The Art of Software Security Testing,
published in December 2006.

Wysopal, at a rangy 6 foot 2 inches, was the tallest member of the L0pht and
the oldest (he’s now 41). Rioux (whose handle Dildog was the original name
Dilbert creator Scott Adams gave to Dogbert) was the shortest and youngest
(now 29).

In early January, sitting in the conference room at Veracode, the two play
Click-and-Clack about their time at the L0pht, and the purpose of Veracode,
which in a real sense extends the L0pht’s mission: to make software more
secure, in this case by offering a Web-based service that automatically
checks software for security flaws, via a clever―and patented―technique for
data flow modeling and control flow analysis developed by Rioux.

Told of Ranum’s comments, Rioux makes a slight grimace. “The days are over
when we should be flinging mud over the Internet about vulnerabilities,” he
says.

Veracode has pulled in $19.5 million in capital from Polaris Venture
Partners, Atlas Venture and .406 Ventures. While it has competitors, such as
Coverity, Fortify and Ounce Labs, Veracode’s approach is “a cool spin” on
existing security technology, according to Gartner’s Pescatore.

Both Wysopal and Rioux believe Veracode is ready to sharply reduce the
world’s total number of software vulnerabilities.

The L0pht, then, are all now unquestionably legitimate, and their evolution
serves as a metaphor for the security business, which is now mainstream.
Companies like Microsoft and Oracle have developed methods to take care of
vulnerabilities, and the L0pht deserves some credit for that turn of events.
While the disclosure wars are again raging, thanks to bug-a-day campaigns
and other ploys by the hackers of today, the L0pht’s overall impact on
corporate security has been positive, say many, including Howard Schmidt,
who knew the L0pht both in his role as a computer forensics investigator at
the Air Force and as CSO at Microsoft.

Still, some vendors continue to try to shove security issues under the rug,
and there is no question that more of the Internet is under attack today
than ever before. So what of that?

Peter Neumann (no relation to the L0pht’s Stefan von Neumann) is 74 and
still a principal scientist at SRI, working on security issues. He also
testified before the Senate subcommittee on that day in May 1998. He says
security vulnerabilities are a part of a much bigger set of problems that
have existed for 40 years and probably will exist 40 years from now. But he
chuckles when asked about the L0pht, saying, “They were pointing out that
the emperor has no clothes on, and nobody wants to hear that, but they did
it in a tasteful way that made people listen. They made a difference.”

Michael Fitzgerald is a freelance writer based near Boston. Send comments to
csoletters at cxo.com.

2002-2007 CXO Media Inc. All rights reserved.
Reproduction in whole or in part without permission is prohibited.
