L0pht And The FBI

A reader recently submitted a story from The Reg concerning some questioning of l0pht ^? , @stake ^? , and the general business of security. The article itself is harsh, but raises some interesting points.

This article is basically one big troll

[evil_roy]

I'm sure if the contents were included in a comment here they'd be modded as flamebait.

A typical quote from this article :

"There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons."

There is no substance whatsoever for any of the wild claims this bloke is making. Leet-speak junk.

They seem to try to fight back

[heikkile]

Looks like someone is pissed at Thomas Greene from the Register

And not doing a very good job at it...

Hacking and Ethics are two different entities

[Dr.+JJJ]

It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might posess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to which you relate prevent you from also acknowledging their flaws and shortcomings.

All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers is strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.

Viruses

[Perdo]

I make a hell of a lot of money off viruses. Stupid users are my bread and butter. Virus wipes out their system, I bring it back.

Norton's makes a killing on viruses. It would not suprise me to find out that they write them too... or hire people that have written them.

As long as Microsoft can't make a secure system and corporations keep buying into their line of FUD and crap products, they create thousands of jobs that are nothing but leaches on the system.

The beauty of linux is you only have to pay your administrators to make your systems better, and not hire extras just to do disaster recovery.

One full time admin for every 50 windows machines just because of security holes and viruses compared to 1 admin for every 150 Mac/Linux/FreeBSD boxes.

Do the math: Windows initial price is higher, and upkeep is higher even if you have to pay twice as much to hire a good unix admin than you have to pay for a dime a dozen MCSE

Execs must get some great kickbacks from Microsoft.

Re:Viruses

[Perdo]

How secure were your Windows 2000 machines for the two months that Microsoft knew universal plug and play was a huge hole but were unwilling to tell the public about? They were launching XP at the same time, with the same vulnerability and did not want to have to have to immediatly issue a patch for "the most secure OS ever".

Your security was compromised by Microsofts marketing for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP right?

The timing:

"On December 20, 2001, eEye Digital Security, the security firm that gave the Code Red worm its name, announced the discovery of "major security vulnerabilities"[1] in Microsoft's flagship operating system, Windows XP. Specifically, the vulnerabilities were discovered in Microsoft's Universal Plug and Play feature, which ships by default with XP. On that same day Microsoft released a patch [2] that resolved the issue; however, it was a dismal ending to a year that saw security flaws in Microsoft products announced in the press on a weekly basis [3] and exploited in hundreds of thousands of computers worldwide."

The vulnerability:

"When eEye announced the discovery of the UPNP vulnerability [9], they described three attack scenarios; a remotely exploitable buffer overflow, a Denial of Service attack and a Distributed Denial of Service attack. Of these three, the buffer overflow is by far the most serious. It could lead to a remote compromise of a machine, surrendering complete control of the machine (and possibly an entire network) to its attacker."

Microsoft knew about this hole on the launch date. The XP Cd had gone gold so they could not change it before it reached consumers. They waited until a third party discovered the hole and published before releasing the patch.

The disgust this decision generated caused such a backlash, Bill announced the "Trustworthy Computing" initiative.

There have been 7 exploits found since then.

There will be 7 more found before the end of this year.

Your Windows network is vulnerable no matter how good your admins (1 per 50 machines) are because only Microsoft can issue patches and they have proven to be criminally irresponsible where security is concerned.

Re:Viruses

[Sangui5]

All the AV vendors I know of have strict policies about their employees: they can never have written a virus. Ever. Even if it was harmless, or never released into the wild.

The liability it would open them up to is way too high for it to be worth it. They'd rather pass on hiring an otherwise perfect candidate than expose themselves to that sort of legal risk.

Now, that's not to say that some Norton employees haven't written a virus before, just that Norton doesn't know, and said employees are (wisely) keeping their traps shut.

Oh boy, talk about such utter self importance.

[Blaede]

Why did I get the feeling I was in Junior High again? Black hat hackers squabbling about the "importance" of their craft, tit and tat arguing about UTTERLY STUPID SHIT! This is exactly why mainstream people laugh publicly at hard core computer guys. Classic case of TOO MUCH TIME ON ONE'S HANDS. We live in the best country in the world, and the best these guys do with it is base their lives and hates on the excrutiating useless minutiae and politics of computer hacking and it's culture? These guys make rednecks look like models of common sense.

Already a bunch of updates...

[Kafka_Canada]

There's already been a lot more news on this story, everythings from some feedback to thomas.greene spam making the rounds.

Please slashdot keep up with the news flow.

P.S. this Mudge guy seems to me a bit of a poser

Re:Who cares ?

[SamBeckett]

Everyone here knows how the Reimann Zeta function relates to hacking.... Except me.. Care to explain-- or were you just flaunting your "knoweldge" of math to make others feel stupid?

Re:Who cares ?

[supermoose]

I would be thrilled to know how the Riemann (not Reimann) zeta function relates to being a real security expert. As far as I can see, this post was no different than the "1337er-than-U" pissing-contest that formed the majority of this article.

good points

I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of it's title and because of who was giving it. I know most of the people involved in this.

As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.

Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.

This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.

The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".

There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, it's profits which it expropriates from the surplus labor time of it's workers, it's frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from it's software and hardware security, to it's onstaff security, to the state security apparatus, that maintains and continues it's existence. Most of the computer community is repulsive to look at, but at least there's some hope.

Re:good points

[HiThere]

But authoritarian governments believe more strongly in property than any capitalist. Authoritarian governments even believe that "their" citizens are their property.

Proundhon (sp?) was, I believe, an anarchist. The "property is theft" was only one of a series of statements. It goes (roughly):
Property is theft.
Property is impossible.
Property is liberty.

The assertion is that these are all true statements. If you understand them properly. They are embedded in a context that makes them intelligible (though I can't remember just how it goes). And once you understand them, they don't seem unreasonable at all, though I thought that they lacked a bit of being really convincing.

But when people quote "property is theft" out of context, it's almost guaranteed to be misunderstood. And your reply seems a fair piece of evidence that many people won't even know that they have misunderstood it. It wasn't intended as a slogan, so this isn't your fault, and it isn't the author's fault. But it does represent a severe mis-communication.

Re:good points

[peter]

> People like to be able to make money you know.

All I really want is to have a good life; To be able to eat, and to live comfortably, and do things I like. (It makes me happy to know that other people are also having good lives, which is why I dislike exploitation/sweatshops/crap like that). The easiest way to get stuff you want in Canada, where I live, is to make money. There's nothing intrinsically good about money itself. Systems very different from capitalism are possible, and people living under such systems probably still want to have a good life, but they may or may not want to make money, depending on the system.

Note that Western capitalism measures everything in dollar value. The state of the environment and public health have no value to a corporation, except when laws and liability translate actions into dollars taken away from the company. (Corporations are run by people, and some of those people do apply their moral values to things, but the system as a whole measures everything on the same scale: dollar value.)

Security

[ehiris]

I don't think security will be ever 100% and as we all know whit enough processing power we can break any encryption.

It's not about protecting, it's about avoiding.

For example I can own a gun and kill somebody but I won't because I know that isn't right and that I appreciate things for the effort that has been put into them.

Making people understand the value of everything is our key initiative because blocking everything from happening is the worst way we can go and will block us from being free just as in comunism.

Honestly, all the security breaches and exploits have to be explained on the main page of any publication.

"The most beautiful thing we can experience is the mysterious. It is the source of all true art and science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: his eyes are closed." Einstein

security sellouts

[The+Smoking+Man]

The blackhats we read about in the 70s, 80s, and early 90s are making serious bank as reformed hackers(which means they went to jail and would never hack again unless alot of venture capital is involved) ... Security Focus, $8000 Crunch Boxes, Kevin Mitnick's former talk radio show the more recent ones are busy pimping the trendy image and building "black hat street cred" by sitting in front of the camera in their anonymity hoods or shocking choice in hair colors and facial piercings then we have foundstone ... making a living off the fortune 500 while selling the overpriced book and cdset at Barnes and Nobles to the script kids that use them to hack the fortune 500 and lets not forget eeye who's been playing a rather questionable game of ethical hacking with Microsoft as of late ... and no doubt cashing in every time they wait for the patch to come out before they expose the flaw with the aide of a news reporter or two from the washington post the l0pht FBI rumor isn't new ... and its obvious they're milking their established cred for all its worth ... they haven't developed any NEW security software in quite a while ... just updates for their classics as for snitching ... exactly how long do you think you would last out there hacking and releasing deadly exploit code independantly without telling the puppet masters at least something? those that don't play by the rules pay for it and there are plenty of convicted felons who's work made that bugtraq top ten

Re:security sellouts

[$carab]

I think "sell-out" is an excellent term with l0pht. I remember when l0pht crack was free.....a free GUI password cracker...It was tremendous to me. But then they sold-out, and the next version of their software wasnt free, it had all sorts of little catches unless you wanted to shell out the 200 bucks to get the real thing. So I went looking for the previous version of their software, and it turns out they deleted the GUI version from their archives, so that people couldnt download that for free and take away from their buisness.

It was at that moment that I knew L0pht had sold out. As punishment, I suggest officially taking the leetness out of their name: Loft.

If that were only true...

[Otto]

Unfortunately, everything in that article pretty much speaks for itself after you get past the first few pages of drivel and leetspeak. These guys have spoken before Congress. These guys have met with Presidents. And these guys are more or less indirectly responsible for the draconian BS laws Congress passes. It rings true.

Yes, they're fakes. But they're fakes with a good PR people, and they're good at scaring the shit out of those in power. Has anyone seen the kind of things they claim to be able to do? It's ridiculous.

I think the problem lies in

[Sycraft-fu]

The hypocracy. You get these people that say "ya, screw the government, information was meant to be free" and so on BUT then are willing to be governmantal lapdogs when it acts to line their pocketbooks. That's the aspect I mind of some of these "hacker" companies. They like to play pretend that they are in it for idealistic reasons, but are prefectly willing to throw ideals out the window if it will serve to make them more money.

Re:Who cares ?

[_Sprocket_]

For being a real security expert you need extremely broad scientific knowledge and not just a long list of memorized UNIX commands. And these dudes don't have this knowledge at all, e.g. I would be surprised if one of them knows the Riemannian Zeta function at all.

You said it! Why, just the other day I was busy building a ruleset for a new firewall and I had a coworker give it a look.

"Hey! You forgot the 'Riemannian Zeta function'", he noted.

Talk about a professional faus paux - that changed my entire ruleset. I knew then was the time to lock my screen and go get a coke from the break room. If I forgot such a mainstay to information security, I obviously needed a break.

The odd thing is that I was using the "Riemannian Zeta function" to harden a server that was going on the DMZ just that morning. And its also prominently featured in many of our infosec policies and best practices documentation - some of which I helped write. Hell - many arguments over infrastructure issues with the rest of the IT department has been solved by getting everyone in conference room and hashing out a zeta function on the whiteboard. I mean... sure, you still have a few dissenters. But its hard to maintain a rational stance in the face of pure mathmatics.

Here's where sellouts come from. . .

[Fantastic+Lad]

Very simply. . .

When you are a kid, you have skills and powers and the fire in your gut. And Mom & Dad pay for more than half your stuff. You don't worry about how you'll take care of yourself. You don't care about owning property and about how you will take care of your family. --You don't have kids yet, and probably don't plan to. Money is interesting and sexy, but it's not vital. In fact, it's kind of funny. It seems so many people take it far too seriously. It's fun to mock.

And so you hack. Or paint. Or busk. Or drink and smoke, or whatever young people do with their time and their fire and the money Mom & Dad gave them. --Or the few bucks earned from some lousy retail job.

And life is pretty good for about five to ten years. Rough and kinky and friendly around the edges. You can live on beer and pizza and Playstation and hope for a good romance/fuck with that girl you like, and maybe get some D&D in on every second Tuesday, cuz, you know, everybody has so little time these days, now that college is over.

But then. . .

You get the first of your grey hairs. Your body starts to do funny things. The mad fire of enthusiasm starts to flicker and you realize that your river of power is really NOT going to last forever!

And worse, you realize that true love has an unexpected price tag; one which is somewhat higher than the cruddy IKEA furnished room-mate situation you lived in when you were 25. Wives and families need proper bedspreads and New Car Smell purring from the AC. --And it always kind of sucked, but now you find yourself thinking more and more that working the Blockbuster counter just isn't as cool in your late twenties as it was when you were sixteen. And fuck! You're going to be thirty next year!

So you start to get scared, but this time you can't put off finding a solution. It's getting late. So what skills do you have? What can you turn into a lot of cash? The gun-wielding asshole at the border or in the patrol car or wherever, isn't going to let you get away with your stupid young shit just because you flash that caught-in-the-headlights "but I'm just a student," look at them anymore. You need credit cards and a fucking haircut buddy, or you're no place.

Sure, it's selling out. Sure it is. Hell, you had about 10 whole years to find a proper solution! And hell, if you were smart and diligent, you could have come up with something which would have steered you to financial comfort and self-reliance without darkening your soul; without caving in to the siren call of corporate slavery. But if you are like the other 99% of the spent sperm out there which never even found the road map to the lovely egg, then you're fucked like everybody else. Youth is powerful and wonderful and intoxicating, but then it's gone, and that's the way of things. It's not even sad. It's just how it is.

And this is one of the places where FBI sell-outs come from.

The rest is just stupidity and grandstanding. Cuz, you know, kids, eh?.

-Fantastic Lad

(Sorry. I'm painting a very negative picture of life here. You can change any of the above at any time. Corporate slavery can be left behind and moral high ground reached very easily any time you choose. But tonight, I've got the techno-ambient MP3's playing and I'm in a bad mood, so this is what I wrote. The sun'll come out tomorrow. . .)