Slashdot Mirror
L0pht Heavy Industries in NY Times Magazine
Billy Joe Bob writes "This Sunday's (10/03/99) New York Times Magazine features an article about L0pht Heavy Industries." Not a bad piece for a mainstream pub - good writeup about the personalities involved, how they work, etc. (free NYT reg. required to read.)
I think it would be preferable for L0pht to post a "Coming Soon..." article which identifies the vendor, product, and the general nature of the exploit, but stops short of providing full details. The complete details of the exploit could be sent to the vendor immediately and then added to the l0pht article after a warning period.
This approach has a few nice effects: First, it gives L0pht full credit for the hack without immediately giving the script kiddies access to it. Second, it gives vendors a fighting chance to get fixes made. Third, it gives (astute) users of the product fair warning about the coming exploit allowing them to contact (pressure) the vendor.
One of the biggest complaints I've seen about L0pht and other such groups is that they release both 'good' and 'bad' information. I completely agree that both sets of info need to be released (many software vendors won't lift a finger if all they see is an advisory), but I wonder if it would be better to release the details on the 'sploit like a week after they release the details on how to patch it.
Only answer I can think of is they feel that would push them towards the realm of white-hat, which they don't want to do.
something smallish compnaies like Allaire dont have vast amounts of.
they basically make good software, we should help them - not smack them down
stty erase ^H
telnet://bbs.l0pht.com
L0pht does themselves a disservice by going along with the comparison to Ralph Nader. Nader is a lawyer-happy parasite, more interested in publicity and money than anything else. Doesn't sound like L0pht.
i'll make/try it everywhere i'm asked to register/login.
make some work for you hackers if it catches on everywhere
You know, I actually tried putting the email address of the nytimes.com domain's administrative contact and it told me the email was invalid... So I'm betting that has been tried before.... :-)
Hmm... I think I will create an account on one of my UNIX boxen, create an NYT account with that, ask to receive all the spam, and set up a forward to send all the spam to a whole bunch of nytimes.com addresses...
Surely not...Not even Gates could be that thick...
and none of them work for those whose upstream proxies filter cookies! :( PLEASE no more NYT articles!
I'm not sure thats a valid argument, perhaps the way this (hypothetical) ISP could differentiate itself from its competitors (and it *is* a competitive market) was that it could provide Coldfusion hosting - there are after all plenty of CF developers. Should they be penalised for finding a niche? I think not.
I'm with the AC that said l0pht should post a warning of impending security hole announcement at the same time as notifying the vendor on this.
This isn't a tirade against OSS at all, I agree it is easier to audit - all i'm saying is their are valid reasons to go proprietary.
stty erase ^H
They have no right to override a vendor in this manner and possibly drive them out of business or really harm them for what may have been a very honest mistake.
They have every right to do what the want to, however I stand by my initial assertation that the way they go about displaying their knowledge is irresponsible.
I'm fairly sure they'd get more respect from the majority if they did, whether they want this respect or not is another matter entirely.
stty erase ^H
The warehouse brims with more than 200 computers ranging from state-of-the-art Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters, D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna. The warehouse also contains several small-scale dummy computer networks.
Where do they get their financial backing for all of this hardware/service/location? Maybe they get a little advertising money and sell a few shirts, but how about the rest of the money? Does L0pht do paid consulting, or what?
That electicity bill must be through the roof.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
Try some different spellings.
cypherpunks/cypherpunks
cipherpunks/cipherpunks
cypherpunk/cypherpunk
cipherpunk/cipherpunk
At least one of them works, but I forget which one.
Besides, as the NRA might say if they were a pro-hacker org - "Posted exploits don't hax0r systems, PEOPLE hax0r systems!"
Best new white rapper since Pimp Daddy Welfare... Pimp-T!
but to no avail.
Whoever moderated the head item in this subthread as off-topic would do well to reread the headline article: anything about the NYT is directly on-topic.
:-)
NYT was (for some reason) the direct subject of the item, and L0pht merely the object.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I'm glad that they replied "Yes" when asked whether they accepted that their approach had negative consequences as well as positive ones. That was honest and even-handed.
However, an analogy would have served them well. "Yes, our activities can have negative consequences. This is similar to the case of a kitchen knife manufacturer whose products can lead to domestic murder or to excellence in the kitchen. But you don't criminalize such a company for the negative use of its products, nor indeed do you praise it when you enjoy a well-prepared meal. The tool is neutral."
Likewise, a nuclear tipped missile can be used to deflect an Earth-destroying asteroid or to wipe out another country. The tool itself does not determine the morality of the people that use it.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
...l0pht stopped updating their PalmPilot section.
= -=-=-=-=-=-=-=-
Besides, the "BeamCrack" they posted there that supposedly defeats the beam copy protection doesn't since it only works on databases (PDBs) and the real security issue is with beaming copy protected programs (PRCs)...
Not so infantile if it slips under l0pht's radar, is it?
Oh well...there are better security sites, IMHO...but I really, really liked the hippie Palm graphic that l0pht had on theirs...
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
'"their only victims are the little people that are customers" -- the people who purchase products like Windows 2000.'
Buying windows is already asking for being a victim.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
If everyone does the same as the NYT and forces registration, we'll all have hundreds or thousands of registrations worldwide before long. The direction in which this is heading is completely untenable.
Somebody mirror the article for us, please, so that we can retain our sanity!
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
I know they are very big on their neutrality, but some of the attitudes seem irresponsible to me.
"We were trained by the vendors to go public," says Mudge, "to give them a black eye."
This was in relation to the coldfusion 'sploit. Not only did it give the vendors a black eye, but also a lot of customers who use coldfusion for whatever reason. They didn't deserve a black eye for it.
Hypothetical:
An ISP provided Coldfusion hosting for many high profile sites, these all got hacked due to this exploit and the ISP's reputation suffered. They went bust. Could happen. (Maybe it did?)
Surely the responsible action would have been to notify Allaire of the exploit and warn them that they were posting it in a week? This would have given Allaire time to fix it and notify their customers. Allaire's reputation suffers a little & only the lazy / stupid customers are damaged.
From comments later in the article it seems they may be heading in this direction. I hope they do.
stty erase ^H
Almost all websites have some of the "standard" guest accounts. Here is a list I try first before creating another (bogus) account. Please try to create one of these guest accounts if they don't exist yet. That will save all of use al lot of time and frustration:
username - password
test - test
testuser - testuser
test_user - test_user (This one works on the NYT)
test@user.org - test
test@user.org - testuser
cypherpunk - cypherpunk
cyberpunk - cyberpunk
Do you keep a pencil and some paper handy? Or vi?
Login with username: 4special, password: forfree
why doesn't slashdot register a nick and password and let us use it to view the articles? I already have fifteen accounts there but always forget my info so I have to get a new account each time I try to read it!
If you think you know what the hell is going on you're probably full of shit. -- Robert Anton Wilson
jdube is who
I am now asdfg1140. Works like a champ. Power to the people!
--
Infuriate left and right
Is 100% chock-full of bullshit.
Maybe he thinks security problems get fixed by pretending they aren't there, but I for one am *very* grateful to Mudge and the rest of the l0pht crew for providing the information I need to convince my clients to stay the hell away from MicroSquish products on systems they want to expose to the net.
EARTH TO MICROSQUISH: SECURITY MATTERS!
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I've always been a big fan of l0pht and I think that it's an important step that a national publication like the NYT turns even the smallest bit of attention to their cause. Think about it, what was the last thing the general public heard about a computer-guru? Blah blah blah, child pornography, blah blah blah, Computer Guru, blah blab blah, 13 year old girl. The non-perversion base for this article makes it worthwhile.
And why is it that there are currently 15 articles and 13 have to do with the FREAKING REGISTRATION on the FREAKING NYT site? Register a name! save a cookie, oh god forbid.
-Zen I'm gonna make the _world_ my bitch.
Any validity to the closing story about Jobs and Woz inventing and selling the blue box?
"You are performing a valuable service to your country," (Fred) Thompson added, "and we appreciate that and want you to continue."
(Ceck out IMDB if you don't know who Fred Thompson was, although they don't mention that he is now a Senator, go figure)
Anyway, just a quick question. To me, it seems that the Hacker Ethic and Open Source Philosophy end up at the same place. The simple idea that information shared is worth more, intrinsically, than information hidden. Can an *expert* (self-appointed would qualify) show me how the two differ?
+&x
What happened the freebie login? I refuse to register...
L0pht pulled their named from the fact that their headquarters was their "loft." It is indeed pronounced "loft" and not "low fat."
--
you must amputate to email me
i read all replies to my comments
The "biography" and "trivia" sections both contain mentions of his election to the US Senate.
lake effect weblog
{Network engineer in Chicago--looking for work!}
In "english", "ph" is usually sounded "f"...
See "cypher", "trophy", "graph"...
Anyone know?
Aaaah. I see. When you go to the preview, the text in the input box is changed (the html entity is changed into the symbol it stands for) and if you submit from the preview page rather than backing up and then submitting, this is what happens. Let's see what happens when I submit directly. <test>
--
Fuck the system? Nah, you might catch something.
As I expected, using <foo> does work. It's just that if you post from the preview page, the text box no longer says <foo>, it says , and that gets stripped because it's not an allowed html tag.
--
Fuck the system? Nah, you might catch something.
You don't normally find articles that well-written on hacking in the "normal" press, so I'm pleased. The normal NY Times policy would be to have Markoff do a hatchet job.
That said, I think that the computing world needs L0pht, and they need the CDC, for that matter. Hacking should be an above-ground activity, and the information returned should be to help others pursue their knowledge of the systems. L0pht goes out and finds information, then they make it free to all. That's the Right Thing. CDC makes tools to exploit the dumb things vendors do - the tools themselves are not good _or_ evil, but the users may be.
The only negative that sometimes comes from the activities of these groups is the legions of script kiddies racing off to put their k00l d00dz signatures on websites before the holes get plugged. But on the other hand, the script kiddies will be therre regardless, and get in eventually, anyways - it's the Infinite Monkeys Theorem come to life.
- -Josh Turiel
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Nice article, but the reporter gives credit to Weld for finding the ColdFusion hole. If the reporter glanced at the advisory, he would have noticed that Weld didn't write it.
"Every software has bugs" ("hint" of FSecure, when restarted after having crashed). That means that potentially all the ISP could be badly cracked, and it's mostly a matter of luck (why did L0pht try to exploit ColdFusion rather than another product ?).
The one that is talked about in this article, which allows to disconnect Windows computers from the Net. It says that it was published on their site in August and i can't find it anywhere :-( Any ideas?
The one that is talked about in this article, which allows to disconnect Windows computers from the Net.
:-(
It says that it was published on their site in August, but i can't find it anywhere
Any ideas?
Why trust that utter moron Cringley? Go to the source instead. Captain Crunch's webpage: http://webcrunchers.woz.org/crunch/ And he'll tell you more than you'll ever wanted to know about his and his friends phreaking activities...
I always thought L0pht was pronounced Low-Fat. It seemed logical, since "Low-fat Heavy Industries" seemed to make more sense than "Loft Heavy Industries."
_______
2B1ASK1
Basically they provide for the closed source comminity what we provide for the open source community, that is active and serious attempts to find 'bugs.' Of course both the cost and the motivation of such action is that they get to play with large networks security. Right now they provide a great service but hopefully soon it wont be needed at all.
Just look at some of those 'tools.' Closed source indeed. And take a look at those projects on their page... deader than three month old horseshit.
Next.
It's sure hard to audit proprietary crap...
Maybe the hypothetical ISP should have considered this. Most of IBM's internal network runs on free software because security and IGS can sift through the code.
Maybe ISPs are in a competitive enough environment that a bad decision like that is enough to kill one. What do you think?
Remember that what's inside of you doesn't matter because nobody can see it.