Slashdot Mirror


L0pht And The FBI

A reader recently submitted a story from The Reg concerning some questioning of l0pht, @stake, and the general business of security. The article itself is harsh, but raises some interesting points.

140 comments

  1. Here's the entire thing if it *disappears* (sorry if by Rooked_One · · Score: 1, Redundant

    this isn't allowed in length.... I just noticed I saw it before it got potentially /.'ed, so forgive me if. -upg

    'Hacker' security biz built on FBI snitches
    By Thomas C Greene in Washington
    Posted: 17/07/2002 at 18:59 GMT

    I can prove it to ya,
    Watch the rotation;
    It all adds up to
    A fucking situation
    - - Public Enemy

    On Monday I reported a speech by Gweeds at H2K2, in which the grand hypocrisy of hackers weaseling their way from the scene to the mainstream by forming security outfits was denounced very nicely. A torrent of e-mail denouncing him soon followed, some of which I've posted here. Even I was attacked merely for reporting what he'd said. Suffice it to say that Gweeds has managed to piss off a large number of scene denizens past and present, though I suspect this is connected to his apparently athletic promiscuity: he's tied for second in the hacker sex chart v. 9.28, with 27 links. No doubt he's 0wned the wrong bitch from time to time, steadily adding to his enemies list.

    He also named names in the speech, in particular ISS, L0pht/@Stake and Sir Dystic, three prime examples of energetic blackhat pimping for venture capital and cushy jobs, Gweeds believes. In particular, he expressed a suspicion that L0pht/@Stake was somehow connected to NIPC (the National Infrastructure Protection Center), which may have helped the h4x0r glam rockers gain credibility and rise in profile among influential members of the federal bureaucracy. This connection also helped get Mudge a high-profile hacker-hysteria FUD session before Congress, he suspects.

    On Monday, when I posted the first item in this series, I didn't know personally if the speech was punctiliously accurate, but it absolutely rang true to me. All too true. Surely no one imagined that I wouldn't dig deeper into this deliciously nasty confluence of FUD, favors and venture capital flowing between the blackhat community and the Feds, with the cons serving as a handy, mediating conduit.

    And indeed, Gweeds appears to have hit on a number of dirty little secrets, though with a few minor inaccuracies, none of which is sufficient to undermine his basic thesis. There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons. And finally, there does seem to be a significant amount of snitching for favors and 'trust' building going on between the two 'communities', a la the despised JP model.

    Flamboyant anti-establishment gestures and costumes do not a blackhat make. Your friendly neighborhood hacker turned young security businessman may well be looking to 'develop' your exploit, hack out a patch and pimp for proppies on BugTraq, and then rat you out to the Feds for gain and favor. This is how it works:

    FUD platform

    Soon after I posted my report Monday, @Stake's Chris Wysopal (aka Weld Pond) vehemently denied any connection with NIPC to me in an e-mail exchange. He further insisted that I 'correct' the inaccuracies in Gweeds' statements. I explained that it wasn't proper for me to edit someone else's words, or even to express doubt, unless I believed or at least suspected that the statements were inaccurate. In this case I didn't.

    "I'm going to let it stand, again because any inaccuracies are his, not mine, and I prefer to let readers make up their own minds about it. However, last night I did post your and several other people's letters criticizing his talk," I replied. I'd also put a link to that letters page in the original story so readers can easily find the counterpoint.

    Finally, I invited Wysopal to write a rebuttal, which I offered to publish on The Register. "I am not going to write a 'point of view' piece that is parallel to an article that leads the reader to believe that patent falsehoods are true. Letters to the editor are much different than qualifying statements where they stand or issuing an errata," he replied. "[Several] statements by Gweeds are false. They were spoken by a man with an agenda. You have become his FUD platform."

    Me, a FUD platform -- right. There's a definite pot/kettle equation in play here, as we'll see.

    dann0

    According to Wysopal, Gweeds got a number of facts wrong. "There is no evidence that the L0pht testified at the behest of NIPC. NIPC was formed two months prior to our testimony. We didn't even speak to anyone from NIPC until much, much later. The L0pht testified at the request of Senator Thompson. This coincided with a GAO report on the weaknesses of government security. Our testimony did not mention a criminal solution to the government security problem. We were not advocating an increased cyber police force or increased penalties."

    And that is strictly correct, though not entirely true. NIPC is not where L0pht's Fed relationship was developed. But according to documents I've received, L0pht did have a relationship with FBI Special Agent Dan Romando, or 'dann0' as they called him, a Boston agent with a cybercrime-enforcement background. Our dann0 was an old friend of Mudge's from high school; and our dann0 had also been an intern in Senator Thompson's office before joining the FBI. If you want to know how L0pht got an invitation to testify "at the request of Senator Thompson," you'll find Agent Romando's hand all over that one. Ditto for Mudge's famous meeting with then-President Bill Clinton.

    And why did dann0 Romando bother to help the L0pht cyber-ninjas gain national fame? Was it out of friendly loyalty? I wish it were. I have evidence indicating that L0pht members served as confidential FBI informants and actively solicited dirt on fellow blackhats. I have evidence indicating that they've offered to pay cash for such information. And they name dann0 Romando specifically as their FBI handler.

    That's right, those anti-establishment pop-underground h4x0r heroes have at least attempted, probably with success, to rat out their friends and enemies in service of good relations with the FBI. Relations, I should add, that paved the way for their splashy media hagiography. We can safely infer a pretty significant haul of snitch-work behind dann0's generosity in assisting this monumental fraud.

    And as for not advocating increased penalties for cyber-wrongdoing, that's just window dressing. L0pht was in fact spreading cyber-terror FUD to fuel expensive national cyber-defence measures and increased penalties for hackers while exhibiting themselves as both the emblem of the Dark Forces America has to fear, and her White Knights of salvation. When a guy like Mudge addresses a gaggle of naive, technically-illiterate Congressmen, claiming to be able to break into any network on Earth, only a fool will imagine that the consequence will be anything other than more Draconian laws. That's how Congress deals with threats. That's how Congress has always dealt with threats: give more money to the Feds for investigation and enforcement, bump up the penalties, and let the evil bastards rot. There is no other outcome to be expected from testimony like that. And sure enough, nowadays hacking can lead to a life sentence. And Wysopal calls me a FUD platform....

    'Sploits for me, jail for you

    So how does some cheese-eater gang of l4m3r blackhats-turned-security-advisors make its bones in the wider world of legitimate security services? Gweeds talked about a 'model' of selling out, and I'd like to add my own contribution to it. It goes like this:

    Since you really don't have any skillz worth mentioning, no background in computer science, no military cryptography training, you'll have to learn to talk the talk. Outrageous clothes and piercings (preferably from a nail gun), blue hair and bad skin freely exhibited at cons are a big plus here. Journalists love this kind of shit and will usually assign you a high, imaginary threat level. Teenagers will too.

    Develop relationships with members of the real blackhat underground. Hit them up for kewl new 'sploits they're using. Maybe pay cash for them; maybe barter for them with other kewl 'sploits or illegal gear you're cobbling up in your basement, like pager monitoring devices, say. Rely on the fact that your grateful FBI handler will see that you never get raided.

    When you do receive a new exploit, either by paying cash or through barter, pretend it's yours. Don't worry; the real blackhat doesn't want publicity, believe me. Develop the exploit, refine it, and at the same time develop a patch or at least a workaround. Post to BugTraq and PacketStorm. Receive proppies from envious wannabes and be worshiped by dumbfuck security journalists.

    Apply for VC, and develop a shell corporation containing people with actual business experience to receive and manage the money for you. Hire eager PR flacks who can tell your fascinating story to the press in the simplistic, hagiographic terms they prefer to be fed, the way ABC News drones lapped up this drivel: "[L0pht], described as a 'hacker think tank,' testified about lax computer security before the Senate Governmental Affairs Committee in May 1998. They said any of them could easily bring down the Internet in North America, although other experts dismissed the claims as exaggerated. Committee Chairman Fred Thompson allowed L0pht's members to use only their on-line handles 'due to the sensitivity of their work.'"

    And be sure to get your peers to pimp for you; remember, the more 31337 they think you are, the better for everyone else in the biz: "Russ Cooper, who publishes the NTBugtraq newsletter exposing security risks in Microsoft products, called the group 'eight brilliant geniuses.'"

    Like Mudge, call yourself a "Chief Scientist," or like Marc Maiffret, a "Chief Hacking Officer" or like Russ Cooper, a "Surgeon General". Only journos like myself will actually laugh in your face, so it's a pretty safe practice.

    Keep trading with the blackhats, and release your occasional 'discoveries' which they make possible. Ensure that your PR flacks spam the living shit out of every journo on the planet whenever this occurs.

    Go in front of Congress every chance you get: remind them of how scared they should be. Tell them that the Internet is about to be brought down, along with planes and trains and power grids, and tell them how you can hack the Apache server at www.MinuteMan.mil and launch a withering nuclear assault on Kansas City with your lame Windoze box.

    And don't be wasteful with precious resources. Just as a cook will use the bones from a carcass to make delicious stock, if a blackhat whose work you've been plagiarizing runs out of new tricks, you can always toss him to the FBI for additional mileage. Maybe you can even get him busted for the shit you sold him, haha. Now that's what I call a business model. ®

    Note: L0pht/@Stake declined two invitations to comment for this article.

    Related Link

    Mudge's hilarious hagiography, telling us among other things that he's "a renowned scientist in cryptanalysis." And asserting that he's "consulted and even conducted training courses for members of Congress, the Department of Justice, NASA, the US Air Force, and other government agencies."

  2. Big deal. by Anonymous Coward · · Score: 0

    Big deal, so the guys at L0pht are snitches. To anyone who is in the know, this is hardly news.
    You're just figuring this out now?

  3. OMFG by Anonymous Coward · · Score: 0

    L0PHT SELls out to the feds. i never would have seen that coming, not from a mile away.

    1. Re:OMFG by LiMpIt · · Score: 1

      It's been in the pipeline for months!! LoPhAt have had member problems for months now, not public, but the past few months have seen a lot of ppl come and go!

  4. English language parsing error by Anonymous Coward · · Score: 0

    Someone please correct this story so that it makes sense.

  5. Looks like a giant penis measuring contest to me by Anonymous Coward · · Score: 0

    I skimmed over the article pretty fast, but I still feel the need to make a comment about it.
    All I noticed was phrases such as "Johnny said I did this, I didn't, but Johnny did this".
    Please grow up.

  6. please be more vague! by Anonymous Coward · · Score: 0

    these articles are too informing, please be more vague!

  7. The old saying by heikkile · · Score: 2

    Don't ever pick a fight with a person who buys ink by the barrel.

    --

    In Murphy We Turst

  8. This article is basically one big troll by evil_roy · · Score: 3, Insightful

    I'm sure if the contents were included in a comment here they'd be modded as flamebait.

    A typical quote from this article :

    "There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons."

    There is no substance whatsoever for any of the wild claims this bloke is making. Leet-speak junk.

    1. Re:This article is basically one big troll by Penguuu · · Score: 1

      There is also another article in the register, which is very interesting.

      http://theregister.co.uk/content/55/26202.html

      It's from the same guy who wrote that other article in The Register.

      --
      The problem in the world today is communication. Too much communication - Homer Simpson
  9. What the fuck? by Peridriga · · Score: 1

    Does the word 'huh?' sum the article up?

    Oh wait... Do I have to say 'l33t huh?' to get my point across now.

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. They seem to try to fight back by heikkile · · Score: 4, Interesting
    Looks like someone is pissed at Thomas Greene from the Register

    And not doing a very good job at it...

    --

    In Murphy We Turst

  12. misquotin' the Flav, holmes by Kargan · · Score: 0, Offtopic

    ///I can prove it to ya,
    Watch the rotation;
    It all adds up to
    A fucking situation
    - - Public Enemy///

    Naw, G, he says, "it all adds up to a fucked up situation."

    From the early 90's hit '911 Is a Joke', indubitably.

    --
    Palaces, barricades, threats, meet promises
    1. Re:misquotin' the Flav, holmes by MobileDude · · Score: 0

      Flavor Flav-a says, "Owwwww!"

      http://www.publicenemy.com/lyrics/lyrics/911-is-a-joke.php

      >>I can prove it to you watch the rotation
      >>It all adds up to a funky situation

      --
      10 MD .\crash 20 CD .\crash 30 GOTO 10
    2. Re:misquotin' the Flav, holmes by packeteer · · Score: 2, Interesting

      i just listened to the song before i posted to make sure and he says "It all adds up to a fuckin' situation" not "fucked up" or "fucking" but "fuckin'"

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
    3. Re:misquotin' the Flav, holmes by MobileDude · · Score: 0

      Read the friggin' thread. I pulled the damn lyrics off of PE's website. You think they might know what the actual lyric is? FUNKY FUNKY FUNKY - keepin' it real - real dumb

      --
      10 MD .\crash 20 CD .\crash 30 GOTO 10
  13. Quick man, beat it... by Anonymous Coward · · Score: 0

    Shit, man, beat it! It's the fuzz!

  14. Word on the Street... by Anonymous Coward · · Score: 1, Funny

    Word on the street (well, on theregister.co.uk) says that Gweeds is way the hell up there on the hacker STD chart.

    Attaboy, Gweeds!

  15. Re:Here's the entire thing if it *disappears* (sorry by Knacklappen · · Score: 1

    Man, that story was on The Register, with sites in both the UK and US. Highly unlikely that you will slashdot this page...
    All you did was to waste space in the /.db

    --


    Excellence: Moderate (mostly affected by comments on your karma)
  16. Hacking and Ethics are two different entities by Dr.+JJJ · · Score: 5, Insightful

    It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might possess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to whom you relate prevent you from also acknowledging their flaws and shortcomings.

    All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers is strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.

    1. Re:Hacking and Ethics are two different entities by Knacklappen · · Score: 1

      I agree totally. Just because someone has technical skills (umm sorry skillz), he doesn't have to be a decent and moral person. Or the other way around (which I happen to see at work quite often...).
      Aren't we used to hearing about this kind of behaviour from the cracker scene? Or the warez trading scene? Or maybe even the video tape pirating scene (is this one still out there?)?

      Sure, if the feds are holding you by the balls, you have to be a very strong person not to try to cooperate. Now, in this case they seem to have cooperated voluntarily, i.e. for the money. Well, that's the world we live in. Everybody sells everybody out for a few bucks. Depressing, but we better get used to it.

      --


      Excellence: Moderate (mostly affected by comments on your karma)
  17. Viruses by Perdo · · Score: 4, Interesting

    I make a hell of a lot of money off viruses. Stupid users are my bread and butter. Virus wipes out their system, I bring it back.

    Norton's makes a killing on viruses. It would not surprise me to find out that they write them too... or hire people that have written them.

    As long as Microsoft can't make a secure system and corporations keep buying into their line of FUD and crap products, they create thousands of jobs that are nothing but leeches on the system.

    The beauty of linux is you only have to pay your administrators to make your systems better, and not hire extras just to do disaster recovery.

    One full time admin for every 50 windows machines just because of security holes and viruses compared to 1 admin for every 150 Mac/Linux/FreeBSD boxes.

    Do the math: Windows initial price is higher, and upkeep is higher even if you have to pay twice as much to hire a good unix admin than you have to pay for a dime a dozen MCSE

    Execs must get some great kickbacks from Microsoft.

    --

    If voting were effective, it would be illegal by now.

    1. Re:Viruses by Monkeyman334 · · Score: 2

      That's a pretty pessimistic view of anti-virus software makers. What about a company like RedHat that makes money off of support? Do you think they make buggy software on purpose?

    2. Re:Viruses by Penguuu · · Score: 0, Flamebait

      Well, those security companies who guard people and buildings aren't hiring robbers either, are they?

      There could be some former virus writers in those companies, to give some "inside information", but i doubt that.

      And with good administrator, you CAN make Windows quite secure.

      --
      The problem in the world today is communication. Too much communication - Homer Simpson
    3. Re:Viruses by Perdo · · Score: 5, Insightful

      How secure were your Windows 2000 machines for the two months that Microsoft knew universal plug and play was a huge hole but were unwilling to tell the public about? They were launching XP at the same time, with the same vulnerability, and did not want to have to immediately issue a patch for "the most secure OS ever".

      Your security was compromised by Microsoft's marketing for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP right?

      The timing:

      "On December 20, 2001, eEye Digital Security, the security firm that gave the Code Red worm its name, announced the discovery of "major security vulnerabilities"[1] in Microsoft's flagship operating system, Windows XP. Specifically, the vulnerabilities were discovered in Microsoft's Universal Plug and Play feature, which ships by default with XP. On that same day Microsoft released a patch [2] that resolved the issue; however, it was a dismal ending to a year that saw security flaws in Microsoft products announced in the press on a weekly basis [3] and exploited in hundreds of thousands of computers worldwide."

      The vulnerability:

      "When eEye announced the discovery of the UPNP vulnerability [9], they described three attack scenarios; a remotely exploitable buffer overflow, a Denial of Service attack and a Distributed Denial of Service attack. Of these three, the buffer overflow is by far the most serious. It could lead to a remote compromise of a machine, surrendering complete control of the machine (and possibly an entire network) to its attacker."

      Microsoft knew about this hole on the launch date. The XP CD had gone gold so they could not change it before it reached consumers. They waited until a third party discovered the hole and published before releasing the patch.

      The disgust this decision generated caused such a backlash, Bill announced the "Trustworthy Computing" initiative.

      There have been 7 exploits found since then.

      There will be 7 more found before the end of this year.

      Your Windows network is vulnerable no matter how good your admins (1 per 50 machines) are because only Microsoft can issue patches and they have proven to be criminally irresponsible where security is concerned.

      --

      If voting were effective, it would be illegal by now.

    4. Re:Viruses by innerlimit · · Score: 1

      Once I installed XP I wanted to try to get the SMTP server up and running; to get a little more help I looked on Google ... the majority of results linked to security-related sites tracking the bugs and leaks the XP SMTP server has.

      hmmz...

    5. Re:Viruses by Anonymous Coward · · Score: 0

      That, friends, is called "troll food."

    6. Re:Viruses by torndorff · · Score: 1

      A good majority of their software is not written by them, although they support it. It's community written and you don't HAVE to have support from them (anyone can read the source and modify/fix it). They're just there to help the new guys out (or the ones with enough money to not have to).

      And Windows? Microsoft only. End of story.

    7. Re:Viruses by LiMpIt · · Score: 1

      Microsoft know about the security problems within their systems; that is why they have formed a coalition of S.A.I.N.T with many well-known companies. Give it time; all we can do is ask that Microsoft do something about the problem, and we are now beginning to see them take some action. "Information is power but a librarian will never rule the world"

    8. Re:Viruses by Sangui5 · · Score: 3, Interesting

      All the AV vendors I know of have strict policies about their employees: they can never have written a virus. Ever. Even if it was harmless, or never released into the wild.

      The liability it would open them up to is way too high for it to be worth it. They'd rather pass on hiring an otherwise perfect candidate than expose themselves to that sort of legal risk.

      Now, that's not to say that some Norton employees haven't written a virus before, just that Norton doesn't know, and said employees are (wisely) keeping their traps shut.

    9. Re:Viruses by Anonymous Coward · · Score: 0

      Actually, it was Windows ME that came with UPnP, not Windows 2000. If you want to troll, at least get (most of) your facts right.

    10. Re:Viruses by Anonymous Coward · · Score: 0

      wtf are you on, it was clearly WinXP, this was only like 5 months ago..

    11. Re:Viruses by Nonesuch · · Score: 2
      Your security was compromised by Microsofts marketing for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP right?
      Who in their right mind sets up a "firewall", or even basic packet filter rules, then goes and permits UDP (any udp) through?

      I have never seen a legitimate business case for permitting "inside" hosts to have any direct UDP communication with "outside" hosts. Period.
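
The rule argued over in the last few replies (no UDP reaching inside hosts unless they asked for it, and the UPnP ports 1900 and 5000 closed from the outside) can be expressed as a small stateful filter. The following is an added example, not code from the page or from any poster above; the inside network, the allowed-service list and the sample datagrams are constructed assumptions for the demonstration.

```python
"""Toy stateful UDP filter (added example; not from the page or its posters).

Policy modelled: inside hosts receive no unsolicited UDP from outside, so
the UPnP/SSDP ports 1900 and 5000 named in the thread are closed from the
outside; inside hosts may originate UDP only to an explicit service list;
an inbound datagram is admitted only if it answers a recent outbound one.
The address ranges, allowed ports and trace are assumptions.
"""
from dataclasses import dataclass
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # assumed inside network (documentation prefix)
ALLOWED_OUTBOUND_UDP = {53}                    # assumption: inside hosts may only originate DNS over UDP
REPLY_WINDOW = 30.0                            # seconds a reply may trail the outbound datagram


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # seconds, monotonic within one trace


class UdpFilter:
    """Tracks outbound UDP flows and admits only inbound UDP that answers one."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> time of last outbound packet
        self._pending = {}

    def _expire(self, now):
        stale = [k for k, ts in self._pending.items() if now - ts > REPLY_WINDOW]
        for k in stale:
            del self._pending[k]

    def verdict(self, pkt):
        now = pkt.ts
        self._expire(now)
        src_in = ipaddress.ip_address(pkt.src) in INSIDE
        dst_in = ipaddress.ip_address(pkt.dst) in INSIDE
        if src_in and not dst_in:
            # outbound: only listed services, and remember the flow for its reply
            if pkt.dport in ALLOWED_OUTBOUND_UDP:
                self._pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
                return "ACCEPT"
            return "DROP"
        if dst_in and not src_in:
            # inbound: must answer a flow we saw going out recently; SSDP probes fail here
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "ACCEPT" if key in self._pending else "DROP"
        return "DROP"  # not transit traffic across the inside/outside boundary


# Constructed trace: a DNS query and its answer, two probes from outside at the
# UPnP ports, a host trying to send SSDP multicast out, and a DNS "answer" that
# arrives long after the window closed.
SAMPLE_TRACE = [
    Datagram("192.0.2.10", 40000, "198.51.100.5", 53, 0.0),      # DNS query out
    Datagram("198.51.100.5", 53, "192.0.2.10", 40000, 0.1),      # matching DNS answer
    Datagram("203.0.113.7", 1900, "192.0.2.10", 1900, 1.0),      # SSDP probe to port 1900
    Datagram("203.0.113.7", 55555, "192.0.2.10", 5000, 1.2),     # probe to UPnP port 5000
    Datagram("192.0.2.10", 1900, "239.255.255.250", 1900, 2.0),  # SSDP multicast leaving
    Datagram("198.51.100.5", 53, "192.0.2.10", 40000, 100.0),    # "answer" after the window
]


def run_trace(trace=SAMPLE_TRACE):
    """Return the filter's verdict for each datagram, in order."""
    f = UdpFilter()
    return [f.verdict(p) for p in trace]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE_TRACE, run_trace()):
        print(f"{v:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} @t={pkt.ts}")
```

Only the DNS query and its prompt answer pass; both probes at the UPnP ports, the outbound SSDP multicast and the stale "answer" are dropped. A real packet filter keeps the same kind of flow table, which is why an allowed outbound service does not imply an open inbound port.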

  18. Oh boy, talk about such utter self importance. by Blaede · · Score: 3, Insightful

    Why did I get the feeling I was in Junior High again? Black hat hackers squabbling about the "importance" of their craft, tit-for-tat arguing about UTTERLY STUPID SHIT! This is exactly why mainstream people laugh publicly at hard core computer guys. Classic case of TOO MUCH TIME ON ONE'S HANDS. We live in the best country in the world, and the best these guys do with it is base their lives and hates on the excruciating useless minutiae and politics of computer hacking and its culture? These guys make rednecks look like models of common sense.

    1. Re:Oh boy, talk about such utter self importance. by Anonymous Coward · · Score: 0

      "We live in the best country in the world?"

      Who's being a redneck now?

    2. Re:Oh boy, talk about such utter self importance. by tenjah · · Score: 1

      I didn't know there were so many hackers in Jamaica

  19. Now appearing on l00t r@w by God!+Awful · · Score: 1

    Immature hackers dissing and backstabbing each other. It's like wrestling... only lamer.

    -a

    1. Re:Now appearing on l00t r@w by H3XA · · Score: 1

      nah..... wrestlers have muscles, a tan, social interaction and titty women throwing themselves at them..... all good things that "hackers" don't

      - HeXa

    2. Re:Now appearing on l00t r@w by Cruciform · · Score: 2

      the only difference is the lack of large sweaty men grabbing each other, and i think the link to the hacker sex chart pretty much seals the deal :)

  20. Who cares ? by Krapangor · · Score: 1, Insightful
    Everybody knows that these "h4x0r gr0up5" are just a bunch of attention whores with no clue about the important topics.
    Some people will now say: "ohn, p0rn has found the 3xpl017 for the buffer overflow at IIS 576.37376SGHAF 54678"
    But sorry sonny, this is no skill.
    In fact any kiddie with a debugger can create a buffer overflow exploit. If you analyze the "h4x0r" tools these groups publish, you'll soon notice that they are basically based on extremely low technological levels, usually stuff like brute-force password crackers (around since the '70s) like l0phtcrack and bo-exploits etc.
    Any CS undergrad with decent programming skills could do these things.
    It's no surprise that the most famous "h4x0rs" got their fame from break-ins done by social engineering or at boxen with extremely low security.
    For being a real security expert you need extremely broad scientific knowledge and not just a long list of memorized UNIX commands. And these dudes don't have this knowledge at all, e.g. I would be surprised if one of them knows the Riemannian Zeta function at all.

    There is a good sign for a bad security company: if they start to hire h4x0r5, then they have no clue at all. And of course we don't need to discuss the issue of "security companies" founded by h4x0r5 at all.

    Personally I'm not surprised by these claims that they sold each other out to the FEDs. These guys are a bunch of no-clue wannabe experts with a pathological hankering for gaining attention. Such people do such things.

    --
    Owner of a Mensa membership card.
    1. Re:Who cares ? by SamBeckett · · Score: 5, Interesting

      Everyone here knows how the Reimann Zeta function relates to hacking.... Except me.. Care to explain-- or were you just flaunting your "knowledge" of math to make others feel stupid?

    2. Re:Who cares ? by supermoose · · Score: 3, Insightful

      I would be thrilled to know how the Riemann (not Reimann) zeta function relates to being a real security expert. As far as I can see, this post was no different than the "1337er-than-U" pissing-contest that formed the majority of this article.

    3. Re:Who cares ? by Anonymous Coward · · Score: 0

      I don't know what it is really, but I looked it up on Google and it appears to have something to do with prime numbers. I know that prime numbers are very important for encryption, correct? So maybe that is what he meant? I don't know.

    4. Re:Who cares ? by PooAGoGo · · Score: 2, Funny

      Ahh, the ultimate in security is to not only stop a would be attacker, but also to make that attacker not want to attack.

      Look at this example:
      "The Smirnov Metrization deal is going down at 8 Jordan Separation Theorems"

      See? There is a hidden message here that no-one but the greatest security minds can crack. All others see this and go into a drooling daze as they're flooded with memories of high school algebra. Not only do they stop the attack, they will never try again for fear of visions of two trains traveling at different speeds...

    5. Re:Who cares ? by Anonymous Coward · · Score: 1, Funny

      I'm guessing that he's just read Cryptonomicon.

    6. Re:Who cares ? by Anonymous Coward · · Score: 1, Insightful

      It is worth mentioning that "real security experts" often work on much of the software that these "hacker kiddies" find holes in. That fact alone is enough to pop your argument, but why stop here?

      The problem with "real security experts" is that all they do is talk the talk. They publish page after page of policy and descriptions of various hypothetical problems. The hacker kiddies actually walk the walk. They may not have a fancy education, but they can make or break a machine.

      The ideal mix is a "security expert" designing policy while several "hacker kiddies" implement it. The windbag security experts I've met would never take the time to make sure that all of the suid binaries on their servers don't have buffer overflows. (just one of a zillion examples)

      As for mathematics: I've never heard of a Riemannian Zeta, but there is a Riemann zeta function. This function is related to the prime number theorem. I guess this may be useful for working with public key cryptography -- I really dunno -- and it really doesn't matter!

      It really boils down to this: when was the last time you discovered some property about network/system security and invented a unique solution?

      I know several "hacker kiddies", and even several hackers themselves, some being discussed in The Register's lame attempts at "News", who could compile an answer to the above question that would require volumes to fill.

      Of course if a biologist or chemist did this, no one would be accusing them of being a sellout, or furthermore, a "kiddie"!

    7. Re:Who cares ? by darc · · Score: 1
      or were you just flaunting your "knowledge" of math to make others feel stupid?

      Ya, you got it on the spot. He's Mensa. What? Are you surprised?

      --
      Tired of legitimate data sources? Try UNCYCLOPEDIA
    8. Re:Who cares ? by baby_head_rush · · Score: 1

      Use the force

      --
      Oliver's army is here to stay Oliver's army are on their way And I would rather be anywhere else But here today
    9. Re:Who cares ? by Mulletproof · · Score: 1

      Damn. You need a machete or a serious weed-eater to get through those pages...

      --
      You need a FREE iPod Nano
    10. Re:Who cares ? by Anonymous Coward · · Score: 0

      re Riemannian Zeta function
      It's about quantum physics and "Cellular Automata" and how the universe is just one big computer. At least according to genius "Stephen Wolfram."

      ps: Wasn't this the plot of "The Hitchhiker's Guide to the Galaxy" by Douglas Adams? Sadly now uploaded :)

    11. Re:Who cares ? by _Sprocket_ · · Score: 5, Funny

      For being a real security expert you need extremely broad scientific knowledge and not just a long list of memorized UNIX commands. And these dudes don't have this knowledge at all, e.g. I would be surprised if one of them knows the Riemannian Zeta function at all.
      You said it! Why, just the other day I was busy building a ruleset for a new firewall and I had a coworker give it a look.

      "Hey! You forgot the 'Riemannian Zeta function'", he noted.

      Talk about a professional faux pas - that changed my entire ruleset. I knew then it was time to lock my screen and go get a coke from the break room. If I forgot such a mainstay of information security, I obviously needed a break.

      The odd thing is that I was using the "Riemannian Zeta function" to harden a server that was going on the DMZ just that morning. And it's also prominently featured in many of our infosec policies and best practices documentation - some of which I helped write. Hell - many arguments over infrastructure issues with the rest of the IT department have been solved by getting everyone in a conference room and hashing out a zeta function on the whiteboard. I mean... sure, you still have a few dissenters. But it's hard to maintain a rational stance in the face of pure mathematics.
    12. Re:Who cares ? by peter · · Score: 2

      Well, you can find out what it is here. I suppose it comes up in crypto work, but I'm not familiar with the details. The website has some graphs to go with the equations and description, plus hyperlinks to related stuff.

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
    13. Re:Who cares ? by Anonymous Coward · · Score: 0

      -- Everybody knows that these "h4x0r gr0up5" are just a bunch of attention whores with no clue at the important topics

      Oh. You mean they are the moderators in here? Clever.

  21. How is this a bad thing? by adam_megacz · · Score: 2, Interesting

    The rush to publish and take credit for discovering and patching a new exploit hobbles the positive efforts of blackhats with a social conscience (though admittedly no one knows how big a category that is).

    Exploits are getting disclosed (and patched) more rapidly. How is this a bad thing? Wasn't it just a week ago that Slashdot was running articles deriding Microsoft for attempting to prevent the dissemination of vulnerability info?

    I must agree that the whole find-exploit-get-VC thing is nonsense, but the losers in that game are the investors, and I really don't care if they get screwed.

    1. Re:How is this a bad thing? by zyklone · · Score: 1

      The thing is, had these companies actually used their capital to do some real research we would have had many more vulnerabilities fixed.

      Right now nothing is disclosed unless blackhats know of it.

  22. Already a bunch of updates... by Kafka_Canada · · Score: 3, Interesting
    There's already been a lot more news on this story, everything from some feedback to thomas.greene spam making the rounds.

    Please, Slashdot, keep up with the news flow.

    P.S. this Mudge guy seems to me a bit of a poser

    --
    Fuck it
  23. Re:IF I EVER MEET YOU, I WILL KICK YOUR ASS!!!! by Anonymous Coward · · Score: 0

    if i ever meet you, i'll CTRL-ALT-DELETE you!!!

  24. Everything2 question marks by Anonymous Coward · · Score: 0

    Well, I just popped over to E2 for the first time since I 'quit' the site a year and a half ago, and I see that it's gotten somewhat lamer in my absence, to the point where even one or two of the chief editors on the site have also quit.

    Who the FUCK uses gender neutral pronouns? I have yet to meet one person doing so whose ass I wouldn't just love to kick. Although, to tell the truth, I've never met a single person who is so great a loser in real life. They do seem to congregate in a few fora on the internet, though.

    I feel for you, Wharfinger and Dannye. The community had great promise, but the iron heel was not quite successful in crushing the idiots.

    With few exceptions, all of my contemporary users on e2 are gone. Quite sad.

    1. Re:Everything2 question marks by Anonymous Coward · · Score: 0

      Gotten lamer? Yeah. Why? Not quite for the reasons you think, I fear. Take a good long look at WHY the editors have quit for a moment. Oh look, because of stupid decisions made by other members of the editorial team who were acting like you. Thank you, wharfinger and co.

      And, you know something? I have yet to meet one person bitching about other people using gender neutral pronouns whose ass I wouldn't just love to kick. And, trust me, these people aren't losers. They're intelligent people with well-paid and difficult jobs, and you know how I know this? Because everything2 is a hell of a lot more than just a web site. It's a community. If you were a part of the community, you'd know this too, because you'd have got up off your ass, stopped trolling on slashdot (I know, I'm a hypocrite, but I'm bored and ill, go figure) and got to a real-life meet. You know, reality?

      And I wouldn't feel sorry for wharfinger. He's gone. And good riddance. Dannye? Yeah, I'd feel sorry for him, he still has to put up with stupid fuzzles and the such, but hey, it's not as if you have to put up with any of that. It's just a website. You can just, say, go there and read, and not take any notice of the people there.

      And, if you're anything to go by, thank god they're gone.

    2. Re:Everything2 question marks by Anonymous Coward · · Score: 0

      Let me guess... You're a sensitive, new-age, homosexual male?

      That, or you're part of ... damn, I've forgotten the name of the first non-juliet female to really annoy me over there... 's ilk. Nobody cares how many times you brushed your teeth today, don't daylog it.

      Gender neutral pronouns are a 'kick me' sign that, for some imperceptible reason, the bearers are proud to sport. As I said, you folks seem to love congregating on the internet whenever possible, because you are mocked so mercilessly everywhere else where you demonstrate your idiocy. Do the well-paid folks use gender neutral pronouns in their difficult jobs? Or could it be that the usage of gender neutral pronouns make normal, simple jobs into a living hell once the loser is ostracized by the majority of their colleagues?

      I must confess that it is amusing to see the divisions in the e2 outcast crowd, though. You, a gender-neutral gimp, despise the *knuddling* knaves along with the rest of human society. This doesn't stop you from being blind to your own flaws, though.

  25. Re:IF I EVER MEET YOU, I WILL KICK YOUR ASS!!!! by Gordonjcp · · Score: 2

    Oh, if you'd been logged in that would have been worth a +1, Funny. That song's great. Thanks for reminding me.

  26. from the say-it-ain't-so dept. by ragnarok · · Score: 1

    A reader recently submitted a ?, @stake?, and the general business of security. The article itself is harsh, but raises some interesting points.

    --
    Search first, ask questions later.
    1. Re:from the say-it-ain't-so dept. by H3XA · · Score: 1

      yes.... the summary for this story wins the weekly "Shortest without being useful" award.

      Heck... would have been more informative if it was written in 1337 5p34k.

      - HeXa

  27. Why is this even newsworthy? by cioxx · · Score: 1

    This is definitely age old news. Hackers are portrayed by the media as Robin Hoods of the internet, which is not the case. After a few years of fucking around with code, exploits and remote servers, they need to pay bills and move out of their parents' basements. Of course they are going to make deals with the feds.

    All that "ethics" bullshit is just underground PR for the ignorant folks who have no clue as to what real hacking is.

  28. Re:Heres the entire thing if it *disapears* (sorry by H3XA · · Score: 1

    and poorly formatted space at that.....

    - HeXa

  29. Article? by GdoL · · Score: 2, Insightful

    This article as far as I can see is an opinion, not a report of facts. So the merits of it are the relevance you give to the writer. And this writer is well-known by the community, recommended by someone, as a relevant cv for the matter? Doesn't seem so. So why is this here without the necessary explanation?

    --

    ------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
  30. good points by Anonymous Coward · · Score: 5, Insightful

    I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of its title and because of who was giving it. I know most of the people involved in this.

    As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.

    Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.

    This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.

    The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".

    There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, its profits which it expropriates from the surplus labor time of its workers, its frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from its software and hardware security, to its on-staff security, to the state security apparatus, that maintains and continues its existence. Most of the computer community is repulsive to look at, but at least there's some hope.

    1. Re:good points by NDPTAL85 · · Score: 1, Flamebait

      "Property is theft"? When the fuck are you children ever going to grow up? Your ideal of a world where there is no property will never come to pass. People like to be able to make money you know. If "information wants to be free" then "rent will still want to be paid"....etc

      --
      Mac OS X and Windows XP working side by side to fight back the night.
    2. Re:good points by Anonymous Coward · · Score: 0

      If you think 'property is theft' why don't you march your PETA rally ass off to North Korea?

    3. Re:good points by HiThere · · Score: 3

      But authoritarian governments believe more strongly in property than any capitalist. Authoritarian governments even believe that "their" citizens are their property.

      Proundhon (sp?) was, I believe, an anarchist. The "property is theft" was only one of a series of statements. It goes (roughly):
      Property is theft.
      Property is impossible.
      Property is liberty.

      The assertion is that these are all true statements. If you understand them properly. They are embedded in a context that makes them intelligible (though I can't remember just how it goes). And once you understand them, they don't seem unreasonable at all, though I thought that they lacked a bit of being really convincing.

      But when people quote "property is theft" out of context, it's almost guaranteed to be misunderstood. And your reply seems a fair piece of evidence that many people won't even know that they have misunderstood it. It wasn't intended as a slogan, so this isn't your fault, and it isn't the author's fault. But it does represent a severe mis-communication.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:good points by peter · · Score: 3, Insightful

      > People like to be able to make money you know.

      All I really want is to have a good life; To be able to eat, and to live comfortably, and do things I like. (It makes me happy to know that other people are also having good lives, which is why I dislike exploitation/sweatshops/crap like that). The easiest way to get stuff you want in Canada, where I live, is to make money. There's nothing intrinsically good about money itself. Systems very different from capitalism are possible, and people living under such systems probably still want to have a good life, but they may or may not want to make money, depending on the system.

      Note that Western capitalism measures everything in dollar value. The state of the environment and public health have no value to a corporation, except when laws and liability translate actions into dollars taken away from the company. (Corporations are run by people, and some of those people do apply their moral values to things, but the system as a whole measures everything on the same scale: dollar value.)

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
    5. Re:good points by NDPTAL85 · · Score: 1

      It's all in how you define what is a "good life". To me it's being able to support myself, buy all the things I want, go on trips and not have to get up to work every day like most others. That requires a significant amount of money, but more importantly it requires the opportunity to make that money. You need the concept of property to make this possible.

      --
      Mac OS X and Windows XP working side by side to fight back the night.
  31. Guess What by Anonymous Coward · · Score: 0

    You fucking can't trust h4x0rs. They'll talk open source, root your box then squeal like a pig when Uncle Sam drops their drawers.


  32. Did you have to link to everything2? by locutox__ · · Score: 1

    Once I start, I never end.. In just 5 minutes i've already clicked enough to reach..

    http://www.everything2.com/index.pl?node=oily&lastnode_id=158877

  33. Turds Float by N8F8 · · Score: 2

    This all sounds too familiar. Employees with skills are relegated to the real work and treated like crap. Meanwhile, the incompetents and backbiters are promoted into management and oversight. I call this the "turds float" theory.

    Sad to see even h4x0rZ can't avoid it.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
    1. Re:Turds Float by innerlimit · · Score: 1


      i think it's called the Peter Principle and it hits every sector, regardless.
      example given: Dilbert's Manager!

      (except maybe HORECA -hotels,restaurants,cafés)

    2. Re:Turds Float by Anonymous Coward · · Score: 0

      "Turds Float"

      Mine sink. Maybe I should cut down on the red meat.

  34. What does 'n/t' mean? by Anonymous Coward · · Score: 0

    I really don't know. Thanks.

  35. Security by ehiris · · Score: 3, Interesting

    I don't think security will ever be 100% and as we all know with enough processing power we can break any encryption.

    It's not about protecting, it's about avoiding.

    For example I can own a gun and kill somebody but I won't because I know that isn't right and that I appreciate things for the effort that has been put into them.

    Making people understand the value of everything is our key initiative because blocking everything from happening is the worst way we can go and will block us from being free just as in communism.

    Honestly, all the security breaches and exploits have to be explained on the main page of any publication.

    "The most beautiful thing we can experience is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: his eyes are closed." Einstein

  36. security sellouts by The+Smoking+Man · · Score: 3, Interesting

    The blackhats we read about in the 70s, 80s, and early 90s are making serious bank as reformed hackers (which means they went to jail and would never hack again unless a lot of venture capital is involved) ... Security Focus, $8000 Crunch Boxes, Kevin Mitnick's former talk radio show ... the more recent ones are busy pimping the trendy image and building "black hat street cred" by sitting in front of the camera in their anonymity hoods or shocking choice in hair colors and facial piercings ...

    then we have foundstone ... making a living off the fortune 500 while selling the overpriced book and cd set at Barnes and Nobles to the script kids that use them to hack the fortune 500 ... and let's not forget eeye who's been playing a rather questionable game of ethical hacking with Microsoft as of late ... and no doubt cashing in every time they wait for the patch to come out before they expose the flaw with the aid of a news reporter or two from the washington post ...

    the l0pht FBI rumor isn't new ... and it's obvious they're milking their established cred for all it's worth ... they haven't developed any NEW security software in quite a while ... just updates for their classics ...

    as for snitching ... exactly how long do you think you would last out there hacking and releasing deadly exploit code independently without telling the puppet masters at least something? those that don't play by the rules pay for it and there are plenty of convicted felons whose work made that bugtraq top ten

    1. Re:security sellouts by $carab · · Score: 4, Interesting

      I think "sell-out" is an excellent term with l0pht. I remember when l0pht crack was free..... a free GUI password cracker... It was tremendous to me. But then they sold out, and the next version of their software wasn't free, it had all sorts of little catches unless you wanted to shell out the 200 bucks to get the real thing. So I went looking for the previous version of their software, and it turns out they deleted the GUI version from their archives, so that people couldn't download that for free and take away from their business.

      It was at that moment that I knew L0pht had sold out. As punishment, I suggest officially taking the leetness out of their name: Loft.

  37. hacking is for fags! by Anonymous Coward · · Score: 0

    Hacking is for boys, wait till they grow up and enter a more challenging game... business!

    1. Re:hacking is for fags! by hepkitten · · Score: 0

      are you saying girls can't be hackers? computers are only for boys? WTF? Idiot. I understand the gist of your comment, but you just come off sounding like a sexist moron.

      -h

  38. One more by Anonymous Coward · · Score: 0


    If hacking can now get you life in prison, you might as well kill anyone that tries to arrest you like you were on your third strike.

    eh?

  39. If that were only true... by Otto · · Score: 4, Interesting

    Unfortunately, everything in that article pretty much speaks for itself after you get past the first few pages of drivel and leetspeak. These guys have spoken before Congress. These guys have met with Presidents. And these guys are more or less indirectly responsible for the draconian BS laws Congress passes. It rings true.

    Yes, they're fakes. But they're fakes with good PR people, and they're good at scaring the shit out of those in power. Has anyone seen the kind of things they claim to be able to do? It's ridiculous.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  40. too true .. because by Anonymous Coward · · Score: 0

    the truth always hurts.

    1. Re:too true .. because by Anonymous Coward · · Score: 0

      the truth always hurts those that cannot handle it. 'enough said.

  41. Re:Heres the entire thing if it *disapears* (sorry by Anonymous Coward · · Score: 0
    He was probably trying to score some cheap karma, and did a lousy job at it.

    Such are the ways of karma whoring...

    (Yeah, posting anonymous, can't be bothered to log in, it's not my box, and yes, I'm capped)

  42. Re:What does 'n/t' mean? OT by Anonymous Coward · · Score: 0

    It means 'no text' as in 'there's no text in the body of this message.' Usually people stick it in the subject of the message on threaded forums so people don't waste time and bandwidth clicking on their post if there's nothing there.

  43. For the record... by Anonymous Coward · · Score: 0

    1.) Right click, view source
    2.) Copy text from webpage source to retain layout/form for maximum karma whoring potential
    3.) Paste

  44. Wouldn't surprise me by Salamander · · Score: 2

    ...not after this observation I made last year. No, it's not proof of anything at all. It's just one more tiny piece of some puzzle; decide for yourself what you think it means.

    --
    Slashdot - News for Herds. Stuff that Splatters.
  45. I think the problem lies in by Sycraft-fu · · Score: 5, Interesting

    The hypocrisy. You get these people that say "ya, screw the government, information was meant to be free" and so on BUT then are willing to be governmental lapdogs when it acts to line their pocketbooks. That's the aspect I mind of some of these "hacker" companies. They like to play pretend that they are in it for idealistic reasons, but are perfectly willing to throw ideals out the window if it will serve to make them more money.

    1. Re:I think the problem lies in by Anonymous Coward · · Score: 0

      In other words, they are typical Americans.

    2. Re:I think the problem lies in by Anonymous Coward · · Score: 0

      you've described everyone on the planet.

      when it comes down to cold hard cash, everyone has a price for everything

  46. Almost by N8F8 · · Score: 2

    The Turds Float theory doesn't make the assumption that the employee was ever competent at any level.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
    1. Re:Almost by innerlimit · · Score: 1

      now we know why Gates made it: he's full of crap ;-)

  47. we ? who's we ? by Anonymous Coward · · Score: 0

    welcome to the internet. which actually spans outside the borders of the USA, though most americans seem to be completely ignorant of that fact.

    best country in the world ? lol, give me a fucking break.

    1. Re:we ? who's we ? by Anonymous Coward · · Score: 0

      Right. Perhaps next time you should try something like "We live on the greatest planet in the solar system"

  48. Hard core computer guys? by Sanity · · Score: 2

    I am not sure I would consider searching for buffer overflows the work of "hard core computer guys". Hard core computer guys are people who write interesting software, and advance the state of the art. These guys spend their time griping about how crap Microsoft is, and how 31337 they are, all while bickering amongst themselves like 13 year old schoolgirls.

  49. Boys? by Mulletproof · · Score: 2

    Actually, credit card fraud, warez and their associated porn banners make a tidy revenue. Hacking is business. Illegal (sans the porn) and pretty stupid, but business nonetheless.

    --
    You need a FREE iPod Nano
  50. Serious evidence says Dogs are flying out your ass by Mulletproof · · Score: 1

    Well, "Hack the Planet" immediately slashes any credibility you had by 3D6. Second, you're right. Your handle doesn't mean anything. Third, anybody can claim anything through "serious evidence" and "credible sources". Especially on the net. Back it up. Put up or shut up.

    All of which leaves you at about a Dumbass: -1

    --
    You need a FREE iPod Nano
  51. THATS IT! by Anonymous Coward · · Score: 0

    i guess i should take off the l0pht shirt that im wearing now huh? HEH
    l0phtcrack 100% g0v3rnment.

  52. Duh. by Mulletproof · · Score: 1

    Everybody knows space aliens love prime numbers. Especially Space Alien hackers. Which must be who these security experts are protecting against since most people here (including myself) seem to have only the vaguest notion of who Riemann Zeta is. (wink)

    Seriously, encryption is my best guess, but it sounds like another one of those "that's what computers are for" deals. I could be wrong. Maybe. Not likely, but it is an infinitesimal possibility.

    --
    You need a FREE iPod Nano
  53. Where's the Love!? by Mulletproof · · Score: 1

    Come on, don't just give him a funny, Mod Parent Up!

    --
    You need a FREE iPod Nano
  54. OTP by Anonymous Coward · · Score: 0
    Inaccuracy:
    "as we all know whit (sic) enough processing power we can break any encryption."

    We certainly don't "all know" that, since it's false.

    Do you even know what a one time pad is?

  55. GUI lamers by Anonymous Coward · · Score: 0
    WTF is "right click" genius?

  56. Who are you really against? by hepkitten · · Score: 0

    A lot of you are mixing up the term "hacker" with "h4x0r" or script kiddie, etc. A Hacker is someone who wants to know about computers and systems and limits. Their curiosity drives them to discover things, reverse engineer, etc. Warez kiddies, password crackers, etc. are just a small offshoot of this. This article was written on a speech given about hackers, who are joining security companies based on their scene cred, and then selling out their friends. Black hat, grey hat, white hat, it doesn't matter. Those are just labels to try and put things in recognizable boxes. If you are a hacker, in the true sense of hacking, working from curiosity and whatnot, you are going to do something illegal at some point, just like if you drive, you will probably eventually speed or break some stupid law (cutting someone off, etc.). But there are many instances in which heavy jail time isn't justified, just like you shouldn't get a ticket every time you go two mph above the speed limit. And now with the threat of life sentences for hacking, well you can see how this can and will rapidly get out of hand. Plenty of people have been jailed or threatened with such simply for being curious and testing the limits of a system, but not actually causing any damage. (re: kevin mitnick, DeCSS)

    Don't be so quick to badmouth the so called hackers that you think you are so much better than. Because we all do something "illegal" every day and pretty soon, it could be you up on trial, being made an example of. How many of us harbor illegal mp3s on our systems? port scanned friends' machines as a favor? have divxed movies? Tried to reverse engineer software to improve it? As the laws become more draconian, the lines between those of you high and mighty sysadmins who think you are so much better than the dirty illegal hackers become more grey. Don't fall prey to the media or accepted portrayal of hackers. Hackers come in all shapes and sorts. Let he who is without sin cast the first stone.

  57. Re:Looks like a giant penis measuring contest to m by ComfyPillowMan · · Score: 1

    Read it more carefully.

  58. Today I am embarassed to be a geek ... by thealphageek · · Score: 2, Interesting

    I used to be proud to be a geek (1987 when I broke into my school's small network of PCjr's run on a JANET Network just to prove I could, and play games of course). I relished the idea of figuring things out. Hacking for the sake of challenging myself. I enjoyed the ordered logic of the world of computers. It was a place where I could be logical and straightforward and no one took offence or suggested that I was "socially uncool" or some other such drivel.

    Today's hacking community largely, I say largely NOT completely, consists of people who have seen Hackers, Lawnmower Man, The Matrix, etc. or have read Snowcrash, The Long Run, or Neuromancer. These people suggest that there is some sort of romance to computing. That in some way it is "cool". I am offended by this! These were fun and interesting sorts of literature, but they are based on the "Football Jock" and "Class President"'s view of computers, NOT reality.

    Yeah, I used to be proud to be a geek, but now when I say that people think I'm trying to be cool and that MAKES ME SICK! It's too bad that what was once a community of people just interested in expanding their minds and that of others in figuring out problems and "sharing" the solutions with those that helped them has turned into a bunch of people whose only commonality is that they use a slang form of language that is designed purely to make them look "cool".

    Yeah, I used to be proud to be a geek, but I'm afraid I'm just not "cool" enough to be one. I am truly sorry if this offends any of my "actual" peers, but I suppose I am just tired of being associated with this "new" breed of geeks. I just like the ordered world of 0 or 1. It WAS soooo peaceful there. Sad ... VERY sad.

    1. Re:Today I am embarassed to be a geek ... by Mashiki · · Score: 1

      You make some good points, unfortunately you'll run into people like these anywhere and everywhere. From car "hot rodder" junkies, to engineers who think they know it all.

      The simplest solution is be who you really are, don't fall into the "styles", make your own styles, be a rebel without a cause if needed. You're more likely to earn the respect of others if that's what you're looking for. Otherwise, wait for the others to make a mistake, then kick them down.

      Nothing hurts a punk or a "cool dude" or punk ass bitch that thinks they know it all, more than being kicked down by the guy who rarely says anything but knows more than most.

      --
      Om, nomnomnom...
  59. more complex than presented by drwho · · Score: 2, Interesting

    Greene, Gweeds and the like are oversimplifying a very complex situation. First of all, while l0pht was acquired by @stake, they do not direct it. In fact, several l0pht members are no longer with @stake, including the group's founder, and Mudge has been 'away on personal leave' since February.

    Yes, I know all of the l0pht guys, many others from @stake, and I know gweeds. I do not trust gweeds' motives in this supposed expose, he seems to have become obsessed with publicity, and destructive rhetoric seems to be the easiest way to achieve it ("fuck up the goons" at last year's defcon for instance).

    I'd like to see the so-called documents that gweeds, greene, etc. have -- to ferret out the truth.

  60. This was bound to happen... by Tyyryk · · Score: 1

    Uh there is no honour among thieves.
    C'mon guys, you seriously think these guys have integrity? Integrity takes too much work!

  61. Reality Check by ajrez · · Score: 1

    My mail posted to the ISN news list, point for point commentary on Greene's article.

    Date: Fri, 19 Jul 2002 11:00:44 -0500 (CDT)
    From: InfoSec News
    To: isn@attrition.org
    Subject: Re: [ISN] 'Hacker' security biz built on FBI snitches
    Message-ID:
    x-url: http://www.c4i.org/isn.html

    Forwarded from: Aj Effin Reznor

    William/All. While these articles may be timely, they're highly inaccurate. Mr. Greene all but admits to publishing little more than rumour and crap with no fact checking or basis in reality.

    I would hope that bile of this nature does not pollute what is perhaps one of the few non-corporate security mailing lists left today.

    "InfoSec News was known to say....."

    > On Monday I reported a speech by Gweeds at H2K2, in which the grand
    > hypocrisy of hackers weaseling their way from the scene to the
    > mainstream by forming security outfits was denounced very nicely. A
    > torrent of e-mail denouncing him soon followed, some of which I've
    > posted here.

    Posted unattributed. Perhaps in the future showing the author of a given mail may make it worth a little more; carry more weight or legitimacy. It can be assumed that since things like "facts" can easily erode all of this series of articles, Mr. Greene may find it in his best interest to not actually mention where anything came from.

    > Even I was attacked merely for reporting what he'd said. Suffice it
    > to

    Lest we go from reporting with integrity to tabloid journalism, reporting what someone said should be maybe replaced with fact checking. Reporting rumours is hardly newsworthy.

    > He also named names in the speech, in particular ISS, L0pht/@Stake
    > and Sir Dystic, three prime examples of energetic blackhat pimping
    > for venture capital and cushy jobs, Gweeds believes. In particular,
    > he

    I don't see Sir Dystic having made a fortune off of Back Orifice, what may be his most well-known application to date. I see him behaving rather responsibly to the newfound attention it garnered him. Were he writing for a techy-based news site, he'd probably also check for the reality behind statements issued to him, unlike *some* people that come to mind.

    > expressed a suspicion that L0pht/@Stake was somehow connected to
    > NIPC (the National Infrastructure Protection Center), which may have
    > helped the h4x0r glam rockers gain credibility and rise in profile
    > among influential members of the federal bureaucracy. This
    > connection also helped get Mudge a high-profile hacker-hysteria FUD
    > session before Congress, he suspects.

    Sure, he *suspects* it. Clever to just tag that on to the end. He may also *suspect* that aliens live under the White House and that Al Gore created the Internet. Suspicion of ideas does three things: Jack. Shit. Produce salivation in marginal journalists.

    > On Monday, when I posted the first item in this series, I didn't
    > know personally if the speech was punctiliously accurate, but it
    > absolutely rang true to me. All too true.

    It rang true? Then you believe the content regardless of accuracy? It only rang loudly, because someone who admits sociopathic tendencies decided to stand in front of a crowded room and make alarming accusations.

    Pop sensationalism is the fix, and Mr. Greene behaved like a junkie.

    > Surely no one imagined that I wouldn't dig deeper into this
    > deliciously nasty confluence of FUD, favors and venture capital
    > flowing between the blackhat community and the Feds, with the cons
    > serving as a handy, mediating conduit.

    No, I'd fully imagine (and expect) that you wouldn't do a damn thing unless required to.

    > And indeed, Gweeds appears to have hit on a number of dirty little
    > secrets, though with a few minor inaccuracies, none of which is
    > sufficient to undermine his basic thesis. There does indeed appear
    > to be a circle jerk between commercialized blackhat sellouts and the
    > Feds; and the cons do appear, perhaps inadvertently, to provide the

    If Mr. Greene has not noticed yet, many companies, esp. those focusing on security, in particular computer/network/internet security, are commonly contacted by the Feds for a variety of reasons. Can we expect l0pht to sellout into something as high-profile as @stake and NOT talk to Feds?

    > venue and privacy needed for such liaisons. And finally, there does
    > seem to be a significant amount of snitching for favors and 'trust'
    > building going on between the two 'communities', a la the despised
    > JP model.

    Care to share? I haven't seen anything yet beyond suggestion and speculation.

    > Flamboyant anti-establishment gestures and costumes do not a
    > blackhat make. Your friendly neighborhood hacker turned young
    > security businessman may well be looking to 'develop' your exploit,
    > hack out a patch and pimp for proppies on BugTraq, and then rat you
    > out to the Feds for gain and favor. This is how it works:

    I'm not even sure what is attempted to be said here.

    > Soon after I posted my report Monday, @Stake's Chris Wysopal (aka
    > Weld Pond) vehemently denied any connection with NIPC to me in an
    > e-mail exchange. He further insisted that I 'correct' the
    > inaccuracies in Gweeds' statements. I explained that it wasn't
    > proper for me to edit someone else's words, or even to express
    > doubt, unless I believed or at least suspected that the statements
    > were inaccurate. In this case I didn't.

    Of course not! Stated earlier it "rang true" to you, and was everything you were looking for. When blindly following the cult leader, disciples rarely stop to check references along the way.

    > "I am not going to write a 'point of view' piece that is parallel to
    > an article that leads the reader to believe that patent falsehoods
    > are true. Letters to the editor are much different than qualifying
    > statements where they stand or issuing an errata," he replied.
    > "[Several] statements by Gweeds are false. They were spoken by a man
    > with an agenda. You have become his FUD platform."
    >
    > Me, a FUD platform -- right. There's a definite pot/kettle equation
    > in play here, as we'll see.

    No, not really. Weld has always been something of a straight shooter. I don't see Mr. Greene shooting straight here at all.

    > And that is strictly correct, though not entirely true. NIPC is not
    > where L0pht's Fed relationship was developed. But according to
    > documents I've received, L0pht did have a relationship with FBI
    > Special Agent Dan Romando, or 'dann0' as they called him, a Boston
    > agent with a cybercrime-enforcement background. Our dann0 was an old
    > friend of Mudge's from high school; and our dann0 had also been an
    > intern in Senator Thompson's office before joining the FBI.

    Shocking news, Mr. Greene. It's typical for Federal agents to approach workers in the security industry. Why? Typically, they know more. They have a better feel for the pulse of what's really happening. We aren't shielded by layers of firewalls or on protected networks. Many of us are hanging out in the wind, taking hits, watching what happens.

    It should be of little news *to anyone with a clue* that Feds and private sector rub elbows. Call it knowledge transfer, if you'd like, but many of us in the private sector are happy to share conceptual knowledge with a government that really needs help. If our gov gets spanked, the whole nation gets spanked.

    > If you want to know how L0pht got an invitation to testify "at the
    > request of Senator Thompson," you'll find Agent Romando's hand all
    > over that one. Ditto for Mudge's famous meeting with then-President
    > Bill Clinton.

    Any documentation to share on this one, or is this a shot in the dark?

    > And why did dann0 Romando bother to help the L0pht cyber-ninjas gain
    > national fame? Was it out of friendly loyalty?

    It's been known to happen.

    > I wish it were. I have evidence indicating that L0pht members served
    > as confidential FBI informants and actively solicited dirt on fellow
    > blackhats. I have evidence indicating that they've offered to pay
    > cash for such information. And they name dann0 Romando specifically
    > as their FBI handler. That's right, those anti-establishment
    > pop-underground h4x0r heroes have at least attempted, probably with
    > success, to rat out their friends and enemies in service of good
    > relations with the FBI.

    Put up or shut up.

    > When a guy like Mudge addresses a gaggle of naive,
    > technically-illiterate Congressmen, claiming to be able to break
    > into any network on Earth, only a fool will imagine that the
    > consequence will be anything other than more Draconian laws. That's
    > how Congress

    No, the claim was that they could take down the entire Internet. Even a gaggle of naive, technically-illiterate journalists could recognize the difference between compromising any machine or network and taking the Internet itself into non-existence.

    I see that history, not facts and conjecture, but document history, cannot even be reflected properly by the funhouse mirror that is Mr. Greene.

    > And Wysopal calls me a FUD platform....

    Hint: You are.

    > 'Sploits for me, jail for you

    The Sploits rock! Ever seen them play live?

    > Since you really don't have any skillz worth mentioning, no
    > background in computer science, no military cryptography training,
    > you'll have to learn to talk the talk. Outrageous clothes and
    > piercings (preferably from a nail gun), blue hair and bad skin
    > freely exhibited at cons are a big plus here. Journalists love this
    > kind of shit and will usually assign you a high, imaginary threat
    > level. Teenagers will too.

    Funny, sounds like you are describing Gweeds, your own pipeline to unfounded claims.

    > Develop relationships with members of the real blackhat underground.
    > Hit them up for kewl new 'sploits they're using. Maybe pay cash for
    > them; maybe barter for them with other kewl 'sploits or illegal gear
    > you're cobbling up in your basement, like pager monitoring devices,
    > say.

    Once upon a time pager monitoring devices were legal. Point is moot.

    > "Russ Cooper, who publishes the NTBugtraq newsletter exposing
    > security risks in Microsoft products, called the group "eight
    > brilliant geniuses."

    What, pray tell, has Mr. Greene himself done? Clearly ignorant to the field of Information Technology Security, we can safely establish that he wouldn't recognize genius if he liberally skewered it. Also taking for granted the words of a virtual unknown (whom Mr. Greene himself is "pimping" as a fount of knowledge) seems to be propagating the very cycle he is trying to establish as bad. Bad reporter, bad! No exclusive for you!

    > Go in front of Congress every chance you get: remind them of how
    > scared they should be. Tell them that the Internet is about to be

    If you aren't scared, you're either ignorant, or blind, or dumb, or... a journo. But I repeat myself. (Apologies to Mark Twain.)

    To those of you that read this far...HI! Seriously, I don't enjoy ranting like this, people. But the sad truth is that, as with other FUD, there are people out there believing it. Some, I'm sure, on this list.

    -aj.

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.

    --
    I have become, comfortably numb
  62. journalistic objectivity? by peter · · Score: 2
    Greene writes:
    I never said that I believe what Gweeds claimed about @Stake or SD. I reported what he said, and said that I liked it. That's not to say that I believed it

    At the beginning of the piece, he used the phrase "my boy Gweeds". Whether he explicitly said he believed Gweeds' claims about l0pht and @stake is more or less irrelevant, since he didn't distance himself from Gweeds' claims at all in any of his articles. He should give up trying to pretend he's being objective, and admit that he's playing Devil's advocate, as he says it's healthy to.

    Greene provides, in his articles, supporting evidence for claims that l0pht have "sold out". That pretty much makes it impossible for him to deny any responsibility for anything. Not that that's a bad thing: It's good when media people come up with stuff and stand behind it. If he's misinterpreted stuff, someone will say why and then we'll know what's really going on.

    --
    #define X(x,y) x##y
    Peter Cordes ; e-mail: X(peter@cordes , .ca)
  63. Re:Heres the entire thing if it *disapears* (sorry by swahmii · · Score: 1

    70% of Internet users wouldn't understand what and why it was said.
    Looks like someone has an axe to grind and this week it's none other than someone they know of!

    --
    ~ejunkie~ [Step outside and look at that huge yellow thing in the sky!]
  64. Howard Stern by Partisan01 · · Score: 1

    sounds like a howard stern segment to me, bunch of people babbling about someone else who messed with someone and now a bunch of people are pissed. And none of it matters to the rest of the world...

    --
    ahh, the egg in the basket..
  65. context Re:good points by deathcubek · · Score: 1

    If I were called upon to answer the following question: What is slavery? and I replied: It is murder, my meaning would be comprehended immediately. There would be no need for amplification to demonstrate that the power to deprive a man of his thought, will, and personality is the power of life and death and that to make a man a slave is to kill him. Why, therefore, may I not meet this other question: What is property? by replying: It is theft, without feeling certain I shall be misunderstood, although this second proposition is no more than a transformation of the first?

    http://dhm.best.vwh.net/archives/proudhon-property-is-theft.html

    The quote is in Ch 1.

    --

    New worlds are not born in the vacuum of abstract
    ideas, but in the fight for daily bread
    --Rudolf Rocke
  66. Here's where sellouts come from. . . by Fantastic+Lad · · Score: 4, Insightful
    Very simply. . .

    When you are a kid, you have skills and powers and the fire in your gut. And Mom & Dad pay for more than half your stuff. You don't worry about how you'll take care of yourself. You don't care about owning property and about how you will take care of your family. --You don't have kids yet, and probably don't plan to. Money is interesting and sexy, but it's not vital. In fact, it's kind of funny. It seems so many people take it far too seriously. It's fun to mock.

    And so you hack. Or paint. Or busk. Or drink and smoke, or whatever young people do with their time and their fire and the money Mom & Dad gave them. --Or the few bucks earned from some lousy retail job.

    And life is pretty good for about five to ten years. Rough and kinky and friendly around the edges. You can live on beer and pizza and Playstation and hope for a good romance/fuck with that girl you like, and maybe get some D&D in on every second Tuesday, cuz, you know, everybody has so little time these days, now that college is over.

    But then. . .

    You get the first of your grey hairs. Your body starts to do funny things. The mad fire of enthusiasm starts to flicker and you realize that your river of power is really NOT going to last forever!

    And worse, you realize that true love has an unexpected price tag; one which is somewhat higher than the cruddy IKEA furnished room-mate situation you lived in when you were 25. Wives and families need proper bedspreads and New Car Smell purring from the AC. --And it always kind of sucked, but now you find yourself thinking more and more that working the Blockbuster counter just isn't as cool in your late twenties as it was when you were sixteen. And fuck! You're going to be thirty next year!

    So you start to get scared, but this time you can't put off finding a solution. It's getting late. So what skills do you have? What can you turn into a lot of cash? The gun-wielding asshole at the border or in the patrol car or wherever, isn't going to let you get away with your stupid young shit just because you flash that caught-in-the-headlights "but I'm just a student," look at them anymore. You need credit cards and a fucking haircut buddy, or you're no place.

    Sure, it's selling out. Sure it is. Hell, you had about 10 whole years to find a proper solution! And hell, if you were smart and diligent, you could have come up with something which would have steered you to financial comfort and self-reliance without darkening your soul; without caving in to the siren call of corporate slavery. But if you are like the other 99% of the spent sperm out there which never even found the road map to the lovely egg, then you're fucked like everybody else. Youth is powerful and wonderful and intoxicating, but then it's gone, and that's the way of things. It's not even sad. It's just how it is.

    And this is one of the places where FBI sell-outs come from.

    The rest is just stupidity and grandstanding. Cuz, you know, kids, eh?

    -Fantastic Lad

    (Sorry. I'm painting a very negative picture of life here. You can change any of the above at any time. Corporate slavery can be left behind and moral high ground reached very easily any time you choose. But tonight, I've got the techno-ambient MP3's playing and I'm in a bad mood, so this is what I wrote. The sun'll come out tomorrow. . .)

    1. Re:Here's where sellouts come from. . . by Anonymous Coward · · Score: 0

      Man, what a load of teen angst you exulted there.

      My, I had harmless fun in my 20's (yes, it IS possible) and I am still having a desperate free time approaching 40.

      Perhaps because I am a bachelor. Life is good, even with this old car I have.