L0pht And The FBI
A reader recently submitted a story from The Reg concerning some questioning of l0pht ? , @stake ? , and the general business of security. The article itself is harsh, but raises some interesting points.
Don't ever pick a fight with a person who buys ink by the barrel.
In Murphy We Turst
I'm sure if the contents were included in a comment here they'd be modded as flamebait.
A typical quote from this article:
"There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons."
There is no substance whatsoever for any of the wild claims this bloke is making. Leet-speak junk.
And not doing a very good job at it...
It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might possess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to which you relate prevent you from also acknowledging their flaws and shortcomings.
All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers is strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.
I make a hell of a lot of money off viruses. Stupid users are my bread and butter. Virus wipes out their system, I bring it back.
Norton's makes a killing on viruses. It would not surprise me to find out that they write them too... or hire people that have written them.
As long as Microsoft can't make a secure system and corporations keep buying into their line of FUD and crap products, they create thousands of jobs that are nothing but leeches on the system.
The beauty of linux is you only have to pay your administrators to make your systems better, and not hire extras just to do disaster recovery.
One full time admin for every 50 windows machines just because of security holes and viruses compared to 1 admin for every 150 Mac/Linux/FreeBSD boxes.
Do the math: Windows initial price is higher, and upkeep is higher even if you have to pay twice as much to hire a good unix admin than you have to pay for a dime-a-dozen MCSE.
Execs must get some great kickbacks from Microsoft.
If voting were effective, it would be illegal by now.
Why did I get the feeling I was in Junior High again? Black hat hackers squabbling about the "importance" of their craft, tit and tat arguing about UTTERLY STUPID SHIT! This is exactly why mainstream people laugh publicly at hard core computer guys. Classic case of TOO MUCH TIME ON ONE'S HANDS. We live in the best country in the world, and the best these guys do with it is base their lives and hates on the excruciating useless minutiae and politics of computer hacking and its culture? These guys make rednecks look like models of common sense.
The rush to publish and take credit for discovering and patching a new exploit hobbles the positive efforts of blackhats with a social conscience (though admittedly no one knows how big a category that is).
Exploits are getting disclosed (and patched) more rapidly. How is this a bad thing? Wasn't it just a week ago that Slashdot was running articles deriding Microsoft for attempting to prevent the dissemination of vulnerability info?
I must agree that the whole find-exploit-get-VC thing is nonsense, but the losers in that game are the investors, and I really don't care if they get screwed.
Please slashdot keep up with the news flow.
P.S. this Mudge guy seems to me a bit of a poser
Fuck it
Everyone here knows how the Reimann Zeta function relates to hacking.... Except me.. Care to explain-- or were you just flaunting your "knowledge" of math to make others feel stupid?
Oh, if you'd been logged in that would have been worth a +1, Funny. That song's great. Thanks for reminding me.
I would be thrilled to know how the Riemann (not Reimann) zeta function relates to being a real security expert. As far as I can see, this post was no different than the "1337er-than-U" pissing-contest that formed the majority of this article.
This article, as far as I can see, is an opinion, not a report of facts. So the merits of it are the relevance you give to the writer. And this writer is well-known by the community, recommended by someone, as a relevant cv for the matter? Doesn't seem so. So why is this here without the necessary explanation?
------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of its title and because of who was giving it. I know most of the people involved in this.
As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.
Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.
This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.
The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".
There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, its profits which it expropriates from the surplus labor time of its workers, its frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from its software and hardware security, to its onstaff security, to the state security apparatus, that maintains and continues its existence. Most of the computer community is repulsive to look at, but at least there's some hope.
This all sounds too familiar. Employees with skills are relegated to the real work and treated like crap. Meanwhile, the incompetents and backbiters are promoted into management and oversight. I call this the "turds float" theory.
Sad to see even h4x0rZ can't avoid it.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
i just listened to the song before i posted to make sure and he says "It all adds up to a fuckin' situation" not "fucked up" or "fucking" but "fuckin'"
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
I don't think security will ever be 100% and as we all know with enough processing power we can break any encryption.
It's not about protecting, it's about avoiding.
For example I can own a gun and kill somebody but I won't because I know that isn't right and that I appreciate things for the effort that has been put into them.
Making people understand the value of everything is our key initiative because blocking everything from happening is the worst way we can go and will block us from being free just as in communism.
Honestly, all the security breaches and exploits have to be explained on the main page of any publication.
"The most beautiful thing we can experience is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: his eyes are closed." Einstein
The blackhats we read about in the 70s, 80s, and early 90s are making serious bank as reformed hackers (which means they went to jail and would never hack again unless a lot of venture capital is involved) ... Security Focus, $8000 Crunch Boxes, Kevin Mitnick's former talk radio show
the more recent ones are busy pimping the trendy image and building "black hat street cred" by sitting in front of the camera in their anonymity hoods or shocking choice in hair colors and facial piercings
then we have foundstone ... making a living off the fortune 500 while selling the overpriced book and cdset at Barnes and Nobles to the script kids that use them to hack the fortune 500
and lets not forget eeye who's been playing a rather questionable game of ethical hacking with Microsoft as of late ... and no doubt cashing in every time they wait for the patch to come out before they expose the flaw with the aide of a news reporter or two from the washington post
the l0pht FBI rumor isn't new ... and it's obvious they're milking their established cred for all its worth ... they haven't developed any NEW security software in quite a while ... just updates for their classics
as for snitching ... exactly how long do you think you would last out there hacking and releasing deadly exploit code independently without telling the puppet masters at least something? those that don't play by the rules pay for it and there are plenty of convicted felons whose work made that bugtraq top ten
Ahh, the ultimate in security is to not only stop a would be attacker, but also to make that attacker not want to attack.
Look at this example:
"The Smirnov Metrization deal is going down at 8 Jordan Separation Theorems"
See? There is a hidden message here that no-one but the greatest security minds can crack. All others see this and go into a drooling daze as they're flooded with memories of high school algebra. Not only do they stop the attack, they will never try again for fear of visions of two trains traveling at different speeds...
Unfortunately, everything in that article pretty much speaks for itself after you get past the first few pages of drivel and leetspeak. These guys have spoken before Congress. These guys have met with Presidents. And these guys are more or less indirectly responsible for the draconian BS laws Congress passes. It rings true.
Yes, they're fakes. But they're fakes with good PR people, and they're good at scaring the shit out of those in power. Has anyone seen the kind of things they claim to be able to do? It's ridiculous.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Slashdot - News for Herds. Stuff that Splatters.
The hypocrisy. You get these people that say "ya, screw the government, information was meant to be free" and so on BUT then are willing to be governmental lapdogs when it acts to line their pocketbooks. That's the aspect I mind of some of these "hacker" companies. They like to play pretend that they are in it for idealistic reasons, but are perfectly willing to throw ideals out the window if it will serve to make them more money.
The Turds Float theory doesn't make the assumption that the employee was ever competent at any level.
I am not sure I would consider searching for buffer overflows the work of "hard core computer guys". Hard core computer guys are people who write interesting software, and advance the state of the art. These guys spend their time griping about how crap Microsoft is, and how 31337 they are, all while bickering amongst themselves like 13 year old schoolgirls.
Actually, credit card fraud, warez and their associated porn banners make a tidy revenue. Hacking is business. Illegal (sans the porn) and pretty stupid, but business nonetheless.
the only difference is the lack of large sweaty men grabbing each other, and i think the link to the hacker sex chart pretty much seals the deal :)
"Hey! You forgot the 'Riemannian Zeta function'", he noted.
Talk about a professional faux pas - that changed my entire ruleset. I knew then was the time to lock my screen and go get a coke from the break room. If I forgot such a mainstay to information security, I obviously needed a break.
The odd thing is that I was using the "Riemannian Zeta function" to harden a server that was going on the DMZ just that morning. And it's also prominently featured in many of our infosec policies and best practices documentation - some of which I helped write. Hell - many arguments over infrastructure issues with the rest of the IT department have been solved by getting everyone in a conference room and hashing out a zeta function on the whiteboard. I mean... sure, you still have a few dissenters. But it's hard to maintain a rational stance in the face of pure mathematics.
I used to be proud to be a geek (1987 when I broke into my school's small network of PCjr's run on a JANET Network just to prove I could, and play games of course). I relished the idea of figuring things out. Hacking for the sake of challenging myself. I enjoyed the ordered logic of the world of computers. It was a place where I could be logical and straight forward and no one took offence or suggested that I was "socially uncool" or some other such dribble.
... VERY sad.
Today's hacking community largely, I say largely NOT completely, consists of people who have seen Hackers, Lawnmower Man, The Matrix, etc. or have read Snowcrash, The Long Run, or Neuromancer. These people suggest that there is some sort of romance to computing. That in some way it is "cool". I am offended by this! These were fun and interesting sorts of literature, but they are based on the "Football Jock" and "Class President"'s view of computers, NOT reality.
Yeah I used to be proud to be a geek, but now when I say that people think I'm trying to be cool and that MAKES ME SICK! It's too bad that what was once a community of people just interested in expanding their minds and that of others in figuring out problems and "sharing" the solutions with those that helped them has turned into a bunch of people whose only commonality is that they use a slang form of language that is designed purely to make them look "cool".
Yeah, I used to be proud to be a geek, but I'm afraid I'm just not "cool" enough to be one. I am truly sorry if this offends any of my "actual" peers, but I suppose I am just tired of being associated with this "new" breed of geeks. I just like the ordered world of 0 or 1. It WAS soooo peaceful there. Sad
Greene, Gweeds and the like are oversimplifying a very complex situation. First of all, while l0pht was acquired by @stake, they do not direct it. In fact, several l0pht members are no longer with @stake, including the group's founder, and Mudge has been 'away on personal leave' since February.
Yes, I know all of the l0pht guys, many others from @stake, and I know gweeds. I do not trust gweeds' motives in this supposed expose, he seems to have become obsessed with publicity, and destructive rhetoric seems to be the easiest way to achieve it ("fuck up the goons" at last year's defcon for instance).
I'd like to see the so-called documents that gweeds, greene, etc. have -- to ferret out the truth.
Well, you can find out what it is here. I suppose it comes up in crypto work, but I'm not familiar with the details. The website has some graphs to go with the equations and description, plus hyperlinks to related stuff.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
At the beginning of the piece, he used the phrase "my boy Gweeds". Whether he explicitly said he believed Gweeds' claims about l0pht and @stake is more or less irrelevant, since he didn't distance himself from Gweeds' claims at all in any of his articles. He should give up trying to pretend he's being objective, and admit that he's playing Devil's advocate, as he says it's healthy to.
Greene provides, in his articles, supporting evidence for claims that l0pht have "sold out". That pretty much makes it impossible for him to deny any responsibility for anything. Not that that's a bad thing: It's good when media people come up with stuff and stand behind it. If he's misinterpreted stuff, someone will say why and then we'll know what's really going on.
When you are a kid, you have skills and powers and the fire in your gut. And Mom & Dad pay for more than half your stuff. You don't worry about how you'll take care of yourself. You don't care about owning property and about how you will take care of your family. --You don't have kids yet, and probably don't plan to. Money is interesting and sexy, but it's not vital. In fact, it's kind of funny. It seems so many people take it far too seriously. It's fun to mock.
And so you hack. Or paint. Or busk. Or drink and smoke, or whatever young people do with their time and their fire and the money Mom & Dad gave them. --Or the few bucks earned from some lousy retail job.
And life is pretty good for about five to ten years. Rough and kinky and friendly around the edges. You can live on beer and pizza and Playstation and hope for a good romance/fuck with that girl you like, and maybe get some D&D in on every second Tuesday, cuz, you know, everybody has so little time these days, now that college is over.
But then. . .
You get the first of your grey hairs. Your body starts to do funny things. The mad fire of enthusiasm starts to flicker and you realize that your river of power is really NOT going to last forever!
And worse, you realize that true love has an unexpected price tag; one which is somewhat higher than the cruddy IKEA furnished room-mate situation you lived in when you were 25. Wives and families need proper bedspreads and New Car Smell purring from the AC. --And it always kind of sucked, but now you find yourself thinking more and more that working the Blockbuster counter just isn't as cool in your late twenties as it was when you were sixteen. And fuck! You're going to be thirty next year!
So you start to get scared, but this time you can't put off finding a solution. It's getting late. So what skills do you have? What can you turn into a lot of cash? The gun-wielding asshole at the border or in the patrol car or wherever, isn't going to let you get away with your stupid young shit just because you flash that caught-in-the-headlights "but I'm just a student," look at them anymore. You need credit cards and a fucking haircut buddy, or you're no place.
Sure, it's selling out. Sure it is. Hell, you had about 10 whole years to find a proper solution! And hell, if you were smart and diligent, you could have come up with something which would have steered you to financial comfort and self-reliance without darkening your soul; without caving in to the siren call of corporate slavery. But if you are like the other 99% of the spent sperm out there which never even found the road map to the lovely egg, then you're fucked like everybody else. Youth is powerful and wonderful and intoxicating, but then it's gone, and that's the way of things. It's not even sad. It's just how it is.
And this is one of the places where FBI sell-outs come from.
The rest is just stupidity and grandstanding. Cuz, you know, kids, eh?
-Fantastic Lad
(Sorry. I'm painting a very negative picture of life here. You can change any of the above at any time. Corporate slavery can be left behind and moral high ground reached very easily any time you choose. But tonight, I've got the techno-ambient MP3's playing and I'm in a bad mood, so this is what I wrote. The sun'll come out tomorrow. . .)