Slashdot Mirror
L0pht Gives FAQ of @Stake Merger
Duke of URL writes "The gray hat hacker think tank L0pht Heavy Industries has provided a FAQ list on their recent merger with @Stake. It sounds like there will be a few more changes than I personally previously thought, (i.e. Web site changes, etc.) but the good news is that L0pht 'will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software.' Also Hacker News Network will still be run by L0pht/@Stake and will receive more time and resources.
"
The white ones, I mean. The grey was a bit dingy, y'know.
But seriously, this is fantastic. Hackers get VC, story at 11--network security gets accepted as a real, actualy important thing. ohmigosh! What a concept! I've always admired the l0pht's methods of impriving security, and their general air of professionalism (with the normal caveats).
Returned Peace Corps IT Volunteer
Well unfortunately there is no one book to sum up breaking into systems that is along the lines of Applied Cryptography.
Some books to get you on the right direction follow:
1. A good C book if you do not already know C. I personally learned with C Programming, A Modern Approach, it's a good book. Knowledge of C is essential because you will need it to write your test exploits and most of the following books assume knowledge of C.
2. Advanced Programming in the UNIX Environment and a good OS theory book such as Operating Systems by Stallings or "the dinosaur book". This is necessary so that you understand the both the nature and implementation of modern operating systems.
3. TCP/IP Illustrated Volumes 1 and 2. These are necessary so that you understand TCP/IP at a very low level. Most attacks involve a network and that network usually runs TCP/IP, a lower level network book covering such topics as Ethernet may be necessary as well.
4. The Tao of the Buffer Overflow by Aleph1. This can be found in the Bugtraq archives. Stack based overflows remain the most common method of compromise (besides social engineering). This article does an excellent job of explaining how to exploit and find them. Dildog wrote an NT version for the l0pht which you may also need.
5. w00w00 published an article on heap based overflows which you may need.
6. A general Internet + Systems security book, O'Reilly has one I have heard good things about, I can't recall it's title. Note however that a general security book is not enough.
7. Various academic pubications and thesis papers. These can be an invaluable resource for descriptions of more esoteric attacks not covered in published books. These also have the benefit of assuming a much higher level of knowledge than most papers/websites/books for dummies.
8. OS Specific docs and books. In order to secure or break an OS you need to know everything about that OS.
9. Mailing lists such as Bugtraq and OS specific security lists will provide a history of previous vulnerabilities and solutions.
Security is a very broad and difficult subject requiring its practitioners to be skilled in many different areas. I hope this is a good transition and you enjoy your new post.
Cheers
One of the better sites for security related issues is: http://securityportal.com. Definitely check it out and get on the mailing list.
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Co-founder and designer at Music Nearby: http://musicnearby.com
It's up at my site (defiance.darktech.org/merger.html) -- please try not to hammer it, it's a lowly 300k DSL line :)
WWJD? JWRTFM!!!
I think they do it so that the UNIX people can get a good chuckle out of MS' continuous errors. A sort of comic relief.
b1tChn00g1tZ4nDl33t455b45tRdZf0rM3r1YKn0Wn4Zl0pht
'Bitch nuggets and elite ass bastards formerly known as l0pht'?
Sorry, I didn't take Skr1ptk1dd13 as my elective foreign language in college.
.sig: Now legally binding!
Here's the full text of the article:
:)
1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
YES. L0pht Heavy Industries was incorporated, had employees on the payroll, and sold
software products and consulting services. In short, we were a real company and had
been operating that way for a couple years. L0pht Heavy Industries legally merged
with @Stake in the beginning of 2000 so we are all one company now. The new
company will go by the name of @Stake.
2. Why did you do it? You seemed to have a perfect club-house environment.
We strived to be (and achieved) a pure R&D environment. Unfortunately pure research
and development is not a very profitable arena. In addition, one needs business people,
sales and productization of services. So, while we tried to keep the research and fun
environment we were fighting a losing battle in making ends meet.
To summarize, we had problems scaling. Everyone was spending more money and
effort doing less research and experiments. The L0pht wanted desperately to avoid
having to compromise our goals and ideals which would have happened if we had
continued to go the route we were. The solution was obvious. We needed to find an
organization that valued the R&D work that we did, could benefit from it, profit from it,
and enable us to keep contributing to the community.
We feel very fortunate in having come across such people in @Stake. We see this as a
win-win situation where we will be able to do a lot of the research that we were unable
to do while just being the L0pht. We also feel very fortunate in finding an organization
that did not expect us to about-face in the way we approach sharing our findings with
people.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?
Here is a PARTIAL list of components that we find work very well with our VALUES and
make us very comfortable about the merger:
@Stake is aiming to be completely product / vendor neutral. This enables them to
make the best design decision and recommendations possible to the customer
without unknown biases. This is accomplished in the following ways:
@Stake will not take commissions / kick-backs from product vendors for
recommending a product into a customer.
@Stake is in the business of providing strategic services rather than
tactical ones. What this means is that they see the benefit in helping design
/ implement solutions with security and functionality from the beginning
rather than looking for known problems and helping to only remediate them
when they could have been avoided all together.
@Stake will not sell products. Thus they do not have customers being
worried that they will recommend their own product even if it might not be
the best solution. What this means to us is that we get to continue coming
out with tools and programs but are forced to give them away for free!
How cool is that! We are completely non-biased in out opinions of products
and technologies, and we are able to continue our experimentation and
reverse-engineering of such. This also allows us to continue our "consumer
reports"-style announcements, papers and research.
@Stake is committed to a strong research and development leg as a method of
always being a leader and not just a follower.
@Stake wants smarter customers rather than dumber ones in the community. By
helping to educate everyone as much as possible it not only helps differentiate
the company but allows more interesting and thorough solutions to be deployed
for customers. This is the same belief that the L0pht has always held.
4. So what's going to happen to the old L0pht space you were in?
We still have the space. Some of the hardware projects that were going on over there
are just not practical to move. We are also setting up new lab space that has many of
the things that we could not manage at the old location.
5. And what about the webpage? Is it going to go away? Is it going to be put on
'atstake.com'?
Not in the immediate future. There will obviously be a period of time before we manage
to fully integrate everything. As was stated in a previous response one of the reasons
we embarked upon this merger is due to the like-minded beliefs. So, when the two web
sites finally merge you can expect to find the same sort of information that is currently
published in an even better format. It might even be that they stay as individual web
sites, one focusing more on R&D and the other on business angles. What it boils down
to is that you can expect some changes but the main focus will be quite similar to what
it currently is.
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
The L0pht forms the nucleus of the Research and Development group in @Stake. By
continuing to push the envelope in security research we can help productize new
services to the consulting and business legs of @Stake.
7. What's going to happen to all the advisories? Are you still going to publish them?
The L0pht will continue to publish advisories. This will not change. The L0pht never did
and never will publish an advisory based upon insider information that would betray
someones trust. However, we will continue to act as a Consumer Reports style
organization in posting our general findings through analysis and evaluation as general
customers reviewing software.
We still beleive in Full-Disclosure in our advisories. We are also happy that we will be
better able to work with companies in giving them advance notice before posting
publicly to the world.
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?
Since @Stake is purely a consulting services company, it did not acquire the products
that were sold commercialy from the L0pht. L0phtCrack and AntiSniff are being moved
to a holding company independent of @Stake and will continue to be sold. We will be
donating the proceeds (after operational expenses) to non-profit and educational
organizations.
The free versions will continue to be free and include source code. A new version of
L0phtCrack was 95% complete at the time of the merger. The authors will probably
finish the last bit and release L0phtCrack 3.0 but the schedule is uncertain.
A Linux version of the researchers version of AntiSniff is underway and will be released
under the same free researchers license that the command line AntiSniff currently has.
9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and
was it picked up by the merger?
Hacker News Network was run by l0pht employees on l0pht equipment so it certainly
was a part of l0pht. We feel it provides a valuable news source to the security
community so it will continue to operate as part of @Stake. We expect to be able to
spend more time and resources in making it an even better resource for the community.
10. How does it feel working with a bunch of business stiffs?
@Stake is definitely not populated with a bunch of business stiffs. One of the reasons
L0pht merged with @Stake was the quality of the people there. They understand our
vision of computer security. Some of them would even be considered hackers exactly
the same way we think of ourselves as hackers.
Things are a bit more businesslike at the merged company but the place is a place that
values openness, diversity, creativity, thinking outside of the box, and coming up with
non-conventional solutions.
11. What are the financial makings of this merger?
@Stake is not a publicly traded company right now and as such we are not able to give
those details. We are happy to say that the main impetus for the merger was the ability
to engage in much more grandious research work and not compromise our morals in the
process. We started into this field in order to learn, educate, and contribute and are
happy to say that we should only be able to do this things even better now.
12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about
being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake
different? Explain in small words.
The answer to question #3 should help on the vendor-neutral aspect being more than
just lip service.
As for the 'Strategic Security Solutions' this is similar to how the L0pht always handled
customers. An example in the software world between tactical and strategic might help:
Problem:
A buffer overflow was found in a section of code. The offending call was the
unbounded strcpy().
Tactical approach:
Replace that particular strcpy() call with the bounded strncpy(). If a
similar problem is found elsewhere later on fix that one after it is reported.
Repeat as necessary.
Strategic approach:
From the design point help model with security involved. Use bounded
string functions to remove that class of future problems.
Obviously the above is just an example of the way we see tactical being different from
strategic approaches. This is how we view all projects be they in the infrastructure,
content, operational, network, etc. fields. It also does not preclude us from
implementing tactical solutions as necessary but the main focus is enabling, not only
reacting.
13. I don't trust hackers like you. Why should I?
We call ourselves hackers using the original, positive meaning of the word. A good
definition can be found in Eric Raymond's Hacker's Dictionary. We think hackers have
higher ethical standards than most in the business world. We do not do anything illegal
with our computers or anyone else's. We get our kicks finding and solving security
vulnerabilities in products and technologies using our own networks, hardware, and
other resource. This is the way we have always operated and that is the way we will
continue to operate. If you can't relate to this, then you should probably reinvestigate
the meaning of the word 'hacker'.
14. Are you still going to get drunk and rant at cons? What about your 'professional image'?
We will continue to be involved in conferences the way we always have. Don't you
think that if @Stake had told Mudge he would not be able to have a beer with his friends
and talk about crypto-systems that would have been a show stopper for the merger
right there?
15. Are you hiring? Can I be a L0pht Member?
We are definitely hiring. We cannot thrive and be the leader in security without the
best people on the planet. Submit your resume to jobs@atstake.com if you are
interested. We want to work with the best and you probably do, too. If you have top
notch security skills in consulting or research we urge you to apply. That being said, we
cannot accept everyone that applies but will do our best to make sure everyone gets a
fair shake.
The L0pht is fully integrated with @Stake so there is no seperate group of people called
"L0pht Members". We are proud to call ourselves members of the @Stake team. We
will now be known as 'The Hackers Formerly Known As The L0pht', or perhaps some
unpronouncable symbol.
16. Does @Stake have an open-door policy?
@Stake operates in a similar fashion to most other professional service organizations.
The reason we went to the closed door policy at the L0pht was to enable ourselves to
get work done and not just have the place be a local hang-out for people wanting to
kick back with a beer and watch TV. While we will be more accesible at @Stake, we are
there to do R&D work and as such it will continue to not be an open-door-hangout type
environment.
Keep in mind, however, that L0pht has not had a true open-door policy for many years.
At our original location, the L0pht was more of a club-house and place for general
hanging-out of hackers from around the world. When we moved to our new location
and decided to do real research and provide to the community, the L0pht was not open
for everybody. We occasionally gave tours and threw parties, but the space was not
open for visitors 24 hours a day.
17. Are you still going to the MIT Swapfest and selling funky stuff?
We will still be going to the MIT Swapfest to see people and pick up various things. We
hope we won't have to sell our scraps at it anymore in order to make ends meet
However, as most people going to the MIT flea, we will also want to "upgrade our junk
pile". We will be selling, just not every month as in the past.
18. Are you still using your handles? Or are you going to use your real names now?
We have been using our handles for over 10 years now. It is what we have published
under in academic journals, magazines, books, given training courses under, and
provided recommendations to the US Senate under. As such they are as much our
recognized names in the security community and we will continue to use them. Many
companies seem to be scared of doing business with people using pseudonyms or
handles. This is a problem that we would like to solve. We are not really hiding from
anyone, but this is how we've been known for a long time, and for some, is what our
parents call us. We hope to educate those companies by showing them that its not the
name that's important, rather the information and services that can be provided.
19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?
@Stake has committed to enabling the R&D labs to work on hardware related projects
as well as protocol and software ones. We see an ultimate marriage between all of
these areas as technology is progressing and would be remiss if we turned a blind eye
towards any of them.
20. Will you be coming out with any more T-shirts?
The T-shirts were fun little projects that we did more out of amusement than anything
else. Should the opportunity and inspiration strike again we would not rule out the
possibility of coming out with some new designs.
> Well unfortunately there is no one book to sum
;)) but I've heard many good things about it. And compared to the rest of the "security" classes out there, this is by far the best.
> up breaking into systems that is along the
> lines of Applied Cryptography.
Sure there is. Hacking Exposed. Its already been mentioned in this thread, but its a great resource. I'm a security manager for a large ISP that is responsible for penetration testing as well as a bunch of other stuff, and being that its rather hard to find qualified security people for reasonable salaries, hiring a good unix/nt guy and making him read that book has proved pretty effective at making people 'think secure'
Also, the content of that book comes out of the security practice at Ernst and Young, where they offer a great 5 day course called "Extreme Hacking" (as well as courses on Incident Reponse and Computer Forensics) , taught by some of the authers of "Hacking Exposed". Its $5000, but well worth it if you don't have the white or grey hat background. I haven't taken the course (my grey hat saved me $5k
Another important point to consider is that you don't neccesarily need to have black hat skills to sucessfully secure a system. It helps, but you don't need it.
\w0zz - OpenBSD - A Better Solution
From the faq - (El Guapo quotes thusly) "The new company will go by the name of @Stake" I feel the L0pht name carried quite a bit of respect (I've been following these guys for a while, I think they're great). "@Stake" says "e-too" to me. You think they'd consider changing it if they got enough *polite* emails???
mas cerveza, por favor politically incorrect stu
post on www.ompages.com/news, it's free, no login required, and no moderators...
It's about time the public learned that not every computer-savvy individual is going to take over the world. It's good to see L0pht breaking some molds in the computer security industry as well.
There are four boxes used in defense of liberty: soap, ballot, jury, ammo. Use in that order.
This is only vaguely on-topic, but I would appreciate it if some of the more knowledgeable crowd could help me out.
:-)
In the next month and a half or so I'll be making a transition out of my current job into another post. This new position will require me, among other things, to crack our pre-deployment systems so that holes can be patched before release.
I don't think I'll have much trouble with the more prosaic "skript kiddie" side of the assignment, things like netcat and ping floods, but I'm concerned that I might miss some of the less glamorous holes due to lack of specific training in "white hat" cracking. This groups is more concerned about a coalition like the l0pht finding a vulnerability than they are about the more typical attacks.
Does anyone here have any expertise or suggestions about suitable books or webpages? Something along the lines of Applied Cryptography, except in the domain of cracking. Again, I'm looking higher-level material, not Online Hooliganism for Dummies
Thanks!
-konstant
Yes! We are all individuals! I'm not!
-konstant
Yes! We are all individuals! I'm not!
All these companies merge and then just take one of the names. Sometimes they put a slash (/) between the names & use the compound name. I think they should all come up with new names to use. What's with @stake? l0pht was a leet name and now they went and screwed it up. Yeah, I read that l0pht will still be around, but they should have given @stake a reet name before they merged. How about @5T4K3? Any ideas?
Cover: More bugs found in W2K. Microsoft denies problem exists and says they're working to fix it as quickly as possible.
MacOS: Most secure? Performance details p. 30
AOL users swindled (again)- passwords leak out by the thousand.
AOL 5.0 Upgrade of Death: Marketing ploy or gross incompetence?
Slashdot source released: Malda's e-mail was out for a few weeks, thus bypassing the mandatory "24 hour wait per request" problem.
L0pht drops SuperMegaCorp's pants with another vulnerability.
The Press: Getting it wrong again. HNN goes inside to reveal why "they didn't get it" again.
Buffer Overflow found in Cup 'O' Noodles. (After 2:30, the thing spills all over the inside of the microwave).
Also inside: A feature on Kevin Mitnick - Martyr or idiot, and an in-depth review of Emacs as an Operating System.
SmartFilter Control List Restriction
SmartFilter denied access to the URL http://WWW.L0PHT.COM/MERGER.HTML It matches the category 'Criminal skills content'.
If you have a business reason to access this site, in adherence to Company Internet Use policy, there may be an error in the category sites list. Please contact your Division IT Director to have the error corrected.
What is "@Stake"? Sounds like some flimsy fly-by-night buzzword startup (not to say it IS, just that that stupid @ symbol makes it look like that). I think the name "L0pht" held a lot of weight, if not respect, in the security community. They should have been able to keep the name somehow. I don't know what the hell "@Stake" is...is it some property claims company? is it an e-butcher store? I would hire a "L0pht" but not an "@Stake".
Jazilla.org - the Java Mozilla
It's 10 PM. Do you know if you're un-American?