L0pht And The FBI
A reader recently submitted a story from The Reg concerning some questioning of l0pht, @stake, and the general business of security. The article itself is harsh, but raises some interesting points.
And not doing a very good job at it...
In Murphy We Turst
I make a hell of a lot of money off viruses. Stupid users are my bread and butter. Virus wipes out their system, I bring it back.
Norton's makes a killing on viruses. It would not surprise me to find out that they write them too... or hire people that have written them.
As long as Microsoft can't make a secure system and corporations keep buying into their line of FUD and crap products, they create thousands of jobs that are nothing but leeches on the system.
The beauty of linux is you only have to pay your administrators to make your systems better, and not hire extras just to do disaster recovery.
One full time admin for every 50 windows machines just because of security holes and viruses compared to 1 admin for every 150 Mac/Linux/FreeBSD boxes.
Do the math: Windows initial price is higher, and upkeep is higher even if you have to pay twice as much to hire a good unix admin than you have to pay for a dime a dozen MCSE
Execs must get some great kickbacks from Microsoft.
If voting were effective, it would be illegal by now.
The rush to publish and take credit for discovering and patching a new exploit hobbles the positive efforts of blackhats with a social conscience (though admittedly no one knows how big a category that is).
Exploits are getting disclosed (and patched) more rapidly. How is this a bad thing? Wasn't it just a week ago that Slashdot was running articles deriding Microsoft for attempting to prevent the dissemination of vulnerability info?
I must agree that the whole find-exploit-get-VC thing is nonsense, but the losers in that game are the investors, and I really don't care if they get screwed.
Please slashdot keep up with the news flow.
P.S. this Mudge guy seems to me a bit of a poser
Fuck it
Everyone here knows how the Riemann Zeta function relates to hacking.... Except me.. Care to explain-- or were you just flaunting your "knowledge" of math to make others feel stupid?
i just listened to the song before i posted to make sure and he says "It all adds up to a fuckin' situation" not "fucked up" or "fucking" but "fuckin'"
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
I don't think security will ever be 100% and as we all know with enough processing power we can break any encryption.
It's not about protecting, it's about avoiding.
For example I can own a gun and kill somebody but I won't because I know that isn't right and that I appreciate things for the effort that has been put into them.
Making people understand the value of everything is our key initiative because blocking everything from happening is the worst way we can go and will block us from being free just as in communism.
Honestly, all the security breaches and exploits have to be explained on the main page of any publication.
"The most beautiful thing we can experience is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: his eyes are closed." Einstein
The blackhats we read about in the 70s, 80s, and early 90s are making serious bank as reformed hackers (which means they went to jail and would never hack again unless a lot of venture capital is involved) ... Security Focus, $8000 Crunch Boxes, Kevin Mitnick's former talk radio show
the more recent ones are busy pimping the trendy image and building "black hat street cred" by sitting in front of the camera in their anonymity hoods or shocking choice in hair colors and facial piercings
then we have foundstone ... making a living off the fortune 500 while selling the overpriced book and cdset at Barnes and Nobles to the script kids that use them to hack the fortune 500
and let's not forget eeye who's been playing a rather questionable game of ethical hacking with Microsoft as of late ... and no doubt cashing in every time they wait for the patch to come out before they expose the flaw with the aid of a news reporter or two from the washington post
the l0pht FBI rumor isn't new ... and it's obvious they're milking their established cred for all it's worth ... they haven't developed any NEW security software in quite a while ... just updates for their classics
as for snitching ... exactly how long do you think you would last out there hacking and releasing deadly exploit code independently without telling the puppet masters at least something? those that don't play by the rules pay for it and there are plenty of convicted felons whose work made that bugtraq top ten
Unfortunately, everything in that article pretty much speaks for itself after you get past the first few pages of drivel and leetspeak. These guys have spoken before Congress. These guys have met with Presidents. And these guys are more or less indirectly responsible for the draconian BS laws Congress passes. It rings true.
Yes, they're fakes. But they're fakes with good PR people, and they're good at scaring the shit out of those in power. Has anyone seen the kind of things they claim to be able to do? It's ridiculous.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The hypocrisy. You get these people that say "ya, screw the government, information was meant to be free" and so on BUT then are willing to be governmental lapdogs when it acts to line their pocketbooks. That's the aspect I mind of some of these "hacker" companies. They like to play pretend that they are in it for idealistic reasons, but are perfectly willing to throw ideals out the window if it will serve to make them more money.
I used to be proud to be a geek (1987 when I broke into my school's small network of PCjr's run on a JANET Network just to prove I could, and play games of course). I relished the idea of figuring things out. Hacking for the sake of challenging myself. I enjoyed the ordered logic of the world of computers. It was a place where I could be logical and straight forward and no one took offence or suggested that I was "socially uncool" or some other such dribble.
... VERY sad.
Today's hacking community largely, I say largely NOT completely, consists of people who have seen Hackers, Lawnmower Man, The Matrix, etc. or have read Snowcrash, The Long Run, or Neuromancer. These people suggest that there is some sort of romance to computing. That in some way it is "cool". I am offended by this! These were fun and interesting sorts of literature, but they are based on the "Football Jock" and "Class President"'s view of computers, NOT reality.
Yeah I used to be proud to be a geek, but now when I say that people think I'm trying to be cool and that MAKES ME SICK! It's too bad that what was once a community of people just interested in expanding their minds and that of others in figuring out problems and "sharing" the solutions with those that helped them has turned into a bunch of people whose only commonality is that they use a slang form of language that is designed purely to make them look "cool".
Yeah, I used to be proud to be a geek, but I'm afraid I'm just not "cool" enough to be one. I am truly sorry if this offends any of my "actual" peers, but I suppose I am just tired of being associated with this "new" breed of geeks. I just like the ordered world of 0 or 1. It WAS soooo peaceful there. Sad
Greene, Gweeds and the like are oversimplifying a very complex situation. First of all, while l0pht was acquired by @stake, they do not direct it. In fact, several l0pht members are no longer with @stake, including the group's founder, and Mudge has been 'away on personal leave' since February.
Yes, I know all of the l0pht guys, many others from @stake, and I know gweeds. I do not trust gweeds' motives in this supposed expose, he seems to have become obsessed with publicity, and destructive rhetoric seems to be the easiest way to achieve it ("fuck up the goons" at last year's defcon for instance).
I'd like to see the so-called documents that gweeds, greene, etc. have -- to ferret out the truth.