L0pht Heavy Industries in NY Times Magazine

Billy Joe Bob writes "This Sunday's (10/03/99) New York Times Magazine features an article about L0pht Heavy Industries." Not a bad piece for a mainstream pub - good writeup about the personalities involved, how they work, etc. (free NYT reg. required to read.)

Re:Irresponsible?

I think it would be preferable for L0pht to post a "Coming Soon..." article which identifies the vendor, product, and the general nature of the exploit, but stops short of providing full details. The complete details of the exploit could be sent to the vendor immediately and then added to the l0pht article after a warning period.

This approach has a few nice effects: First, it gives L0pht full credit for the hack without immediately giving the script kiddies access to it. Second, it gives vendors a fighting chance to get fixes made. Third, it gives (astute) users of the product fair warning about the coming exploit allowing them to contact (pressure) the vendor.

How about releasing the fix before the hack?

[Decibel]

One of the biggest complaints I've seen about L0pht and other such groups is that they release both 'good' and 'bad' information. I completely agree that both sets of info need to be released (many software vendors won't lift a finger if all they see is an advisory), but I wonder if it would be better to release the details on the 'sploit like a week after they release the details on how to patch it.

Only answer I can think of is they feel that would push them towards the realm of white-hat, which they don't want to do.

Re:How about releasing the fix before the hack?

[Decibel]

Did you read my comment? I said how about releasing the exploit *after* the patch.

Re:Irresponsible?

[FooBarSmith]

something smallish compnaies like Allaire dont have vast amounts of.

they basically make good software, we should help them - not smack them down

L0pht != Nader

[Brian+Stretch]

L0pht does themselves a disservice by going along with the comparison to Ralph Nader. Nader is a lawyer-happy parasite, more interested in publicity and money than anything else. Doesn't sound like L0pht.

Re:Accessing the NYT article

[Wntrmute]

You know, I actually tried putting the email address of the nytimes.com domain's administrative contact and it told me the email was invalid... So I'm betting that has been tried before.... :-)

Hmm... I think I will create an account on one of my UNIX boxen, create an NYT account with that, ask to receive all the spam, and set up a forward to send all the spam to a whole bunch of nytimes.com addresses...

Is that Gates quote true?

[jazman]

Surely not...Not even Gates could be that thick...

Re:Is that Gates quote true?

[Le+douanier]

It seems to be true (check yourself in his book) but I hadn't any copy of the book myself.

Don't forget that anybody make stupid errors sometimes...except me of course ;)

Re:Or we all have the same registration :)

[lazarusL]

and none of them work for those whose upstream proxies filter cookies! :( PLEASE no more NYT articles!

Re:use Free software

[FooBarSmith]

I'm not sure thats a valid argument, perhaps the way this (hypothetical) ISP could differentiate itself from its competitors (and it *is* a competitive market) was that it could provide Coldfusion hosting - there are after all plenty of CF developers. Should they be penalised for finding a niche? I think not.

I'm with the AC that said l0pht should post a warning of impending security hole announcement at the same time as notifying the vendor on this.

This isn't a tirade against OSS at all, I agree it is easier to audit - all i'm saying is their are valid reasons to go proprietary.

Re:Irresponsible?

[FooBarSmith]

They have no right to override a vendor in this manner and possibly drive them out of business or really harm them for what may have been a very honest mistake.

They have every right to do what the want to, however I stand by my initial assertation that the way they go about displaying their knowledge is irresponsible.

I'm fairly sure they'd get more respect from the majority if they did, whether they want this respect or not is another matter entirely.

how does L0pht *afford* this?

[dboyles]

The warehouse brims with more than 200 computers ranging from state-of-the-art Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters, D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna. The warehouse also contains several small-scale dummy computer networks.

Where do they get their financial backing for all of this hardware/service/location? Maybe they get a little advertising money and sell a few shirts, but how about the rest of the money? Does L0pht do paid consulting, or what?

That electicity bill must be through the roof.

Re:how does L0pht *afford* this?

Warehouses aren't that expensive to rent out. You might be suprised at what you can actually rent one out for. As for the hardware just dig it out of the trash and/or pick it up at hamfests, flea markets, and scrap yards. Electricity? No big deal either, I'm sure they don't actually have that many machines on. If they did then they'd be fools although it would sufficiently heat the place if they did. 386s and 486s only draw about 15-25W of power (on the DC side) anyways.

Of course 8-9 people could easily share the costs of this, but it would be superior to have it pay for itself.

Re:One funny sentences

[emac]

Besides, as the NRA might say if they were a pro-hacker org - "Posted exploits don't hax0r systems, PEOPLE hax0r systems!"

Re:Accessing the NYT article

[Morgaine]

Whoever moderated the head item in this subthread as off-topic would do well to reread the headline article: anything about the NYT is directly on-topic.

NYT was (for some reason) the direct subject of the item, and L0pht merely the object. :-)

Tool neutrality

[Morgaine]

I'm glad that they replied "Yes" when asked whether they accepted that their approach had negative consequences as well as positive ones. That was honest and even-handed.

However, an analogy would have served them well. "Yes, our activities can have negative consequences. This is similar to the case of a kitchen knife manufacturer whose products can lead to domestic murder or to excellence in the kitchen. But you don't criminalize such a company for the negative use of its products, nor indeed do you praise it when you enjoy a well-prepared meal. The tool is neutral."

Likewise, a nuclear tipped missile can be used to deflect an Earth-destroying asteroid or to wipe out another country. The tool itself does not determine the morality of the people that use it.

Re:Tool neutrality

[aaarrrgggh]

Well, it's more like a gun than a kitchen knife...

The gun can help people defend themselves and feel more secure, but it is just as likely to be abused by a child or burglar.

That said... on the balance are guns and lOpht equally important in preserving freedom?

I dunno...

I stopped paying attention when...

[JoeShmoe]

...l0pht stopped updating their PalmPilot section.

Besides, the "BeamCrack" they posted there that supposedly defeats the beam copy protection doesn't since it only works on databases (PDBs) and the real security issue is with beaming copy protected programs (PRCs)...

Not so infantile if it slips under l0pht's radar, is it?

Oh well...there are better security sites, IMHO...but I really, really liked the hippie Palm graphic that l0pht had on theirs...

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

One funny sentences

[Le+douanier]

'"their only victims are the little people that are customers" -- the people who purchase products like Windows 2000.'

Buying windows is already asking for being a victim.

Accessing the NYT article

[Morgaine]

If everyone does the same as the NYT and forces registration, we'll all have hundreds or thousands of registrations worldwide before long. The direction in which this is heading is completely untenable.

Somebody mirror the article for us, please, so that we can retain our sanity!

Re:Accessing the NYT article

[JoeShmoe]

...Which is why Microsoft created the Passport system. Then, anyone can login anywhere, anytime and not ever ever see a single password prompt, even if they loing to the wrong Hotmail account...whoops.

A more important question...how many people do you think type absolute crap whenever they get prompted for this @#$@##@% stupid NYT login crap?

I've read maybe ten articles at NYT that were slashdotted...and every time I typed something like name:asdfda email:fddffasd@fdsaf.com and was greatly amused when NYT asked me to take asdfda1129 because asdfda was already taken.

With all the SlashDot readers probably doing the same thing every time there is a NYT article...think how much mail must bounce from that mailing list and how much crap is in the user database.

I am a big fan of user registeration (points proudly to /. #90109 ID) I am only a fan when it is VOLUNTARY (I was AC for many months until I started counting how much karma I was losing).

Any website that FORCES you to register to even evaluate if you are interested in their goods is going to end up with an awful lot of hateful swear words as user name.

What do you all think? Is there anyone who actually writes all these thousands of worthless logins down in case they clear our their cookie jar?

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

Re:Accessing the NYT article

[Mawbid]

Well, that's why we have Microsoft Passport, silly!

--

Irresponsible?

[FooBarSmith]

I know they are very big on their neutrality, but some of the attitudes seem irresponsible to me.

"We were trained by the vendors to go public," says Mudge, "to give them a black eye."

This was in relation to the coldfusion 'sploit. Not only did it give the vendors a black eye, but also a lot of customers who use coldfusion for whatever reason. They didn't deserve a black eye for it.

Hypothetical:

An ISP provided Coldfusion hosting for many high profile sites, these all got hacked due to this exploit and the ISP's reputation suffered. They went bust. Could happen. (Maybe it did?)

Surely the responsible action would have been to notify Allaire of the exploit and warn them that they were posting it in a week? This would have given Allaire time to fix it and notify their customers. Allaire's reputation suffers a little & only the lazy / stupid customers are damaged.

From comments later in the article it seems they may be heading in this direction. I hope they do.

Re:Irresponsible?

[JoeShmoe]

Well...two comments...

First, I agree that yes...it is only fair to give a company advance warning. It's pretty much standard for news organizations (newspapers and television, etc) to call a company, drop the bomb on them and then ask for a comment.

L0pht argues that companies just will "sweep it under the rug"...so? BFD? You now get to add "I told you so" to the end of your advisory. Not every company is Microsoft and some would go running to their customers with patch CDs in their hands if they knew about serious bugs.

The real issue...what they aren't saying is that the reason they don't warn companies is because:

A) There is the risk that the company will make it public before they do...either by

1) posting the fix and thus making it look like l0pht is taking credit for something they didn't find or by

2) talking about it with someone who has connections with another security group, who publishes the information first.

and

B) If the resulting fallout is bad enough...there is more attention given to l0pht. Who the hell has heard of lopht besides IT professionals? Ah...but if they get blamed because they were "irresponsible" well, it's more hits to their website. It's like children who want attention...good or bad.


The best thing to do would be to draft a legal agreement and fax it to a company that they find released an insecure product. The draft would basically tell the company they can sign it, giving full credit to l0pht for the discovery of said insecurity and promising to give l0pht exclusing rights to information about how to fix said insecurity...or they can throw it away because they don't believe the hole exists and then take the fallout when it is posted in public.

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

Re:Irresponsible?

[Detritus]

I agree with l0pht. My experience has been that vendors ignore reports of security problems. If you're lucky, it gets fixed in the next release. More often, they ignore it until someone publicizes an exploit.

Re:Irresponsible?

[barbaBob]

"Of course, this laissez-faire attitude has its costs. Mudge says: "Full disclosure is something we had to grapple with for a long time. The flip side is that critics say, 'You're giving people tools that can actually do bad things.' That is absolutely true. It's got a lot of nasty side effects."

"So why didn't L0pht contact Allaire, the small Cambridge, Mass., software firm that makes Cold Fusion, before releasing an advisory? The reason, say Weld and the other L0phties, is that vendors usually sweep tips from hackers under the rug. Vendors, claims L0pht, don't want customers to think software has flaws. "We were trained by the vendors to go public," says Mudge, "to give them a black eye."

They realize the damages it might do, but don't try to warn a company because they are a vendor that probably won't listen anyway. That's a policy I don't like. Warn them, give 'm a week or so and only then publish it.

I'd hate to be on the company side of an advisory, especially smaller companies will suffer of even go out of business because of such an attitude.

Hacking is not white or grey anymore when people suffer - customers, employees - because someone found a hole and didn't give them time to fix it.

I think they are doing some very cool stuff though, wouldn't mind having a similarly equipped warehouse. Like the one in 'Sneakers'. Or paying L0pht a visit :)

Re:Irresponsible?

[Detritus]

The vendor has no right to be notified.

Just because you assert that it is "wonderfully stupid" and "purely irresponsible" doesn't make it so.

Vendors like Microsoft don't care about security, the care about making money and their corporate image. They will keep shovelling buggy, insecure crap out the door until they discover that there are consequences for their actions.

If publishing an exploit puts a vendor out of business or causes them serious damage, I will be very happy.

Hammurabi's Building Code

229 If a builder build a house for some one, and does not construct it properly, and the house which he built fall in and kill its owner, then that builder shall be put to death.

230. If it kill the son of the owner the son of that builder shall be put to death.

231. If it kill a slave of the owner, then he shall pay slave for slave to the owner of the house.

232. If it ruin goods, he shall make compensation for all that has been ruined, and inasmuch as he did not construct properly this house which he built and it fell, he shall re-erect the house from his own means.

233. If a builder build a house for some one, even though he has not yet completed it; if then the walls seem toppling, the builder must make the walls solid from his own means.

Re:Irresponsible?

[mcc]

this would obviously be the best idea. or, just to make it absoloutely certain _they_ found it first, why not just write up the exploit/advisory whatever, then post the full thing to some big newsgroup _encrypted_?

then they could notify the company, and if the company hadn't done anything after a couple weeks, release the key to the encrypted advisory along with the plaintext advisory. with the right kind of encryption it would prove they did, in fact, find it first..

Re:Irresponsible?

[grooveloop]

This attitude is ridiculous! So let me get this straight, just so I'm sure I understand: since some vendors will ignore an exploit, we won't bother to give any vendors a chance to patch their software. That is a wonderfully stupid assumption. What harm is there in waiting 7 days and letting the companies sink or float themselves? I cannot see any reason why you would not give a company a chance to salvage themselves from a mistake. This kind of behavior should not, IMO be heralded by anyone as correct or preferred. It is purely irresponsible of L0pht and I am sure they realize it, despite their stance on paper. They have no right to override a vendor in this manner and possibly drive them out of business or really harm them for what may have been a very honest mistake. It is the same kind of sensibility that says drinking should be banned because some people will ignore the law and drive their car while under the influence.

Re:Irresponsible?

Vendors like Microsoft don't care about security, the care about making money and their corporate image. They will keep shovelling buggy, insecure crap out the door until they discover that there are consequences for their actions.
If publishing an exploit puts a vendor out of business or causes them serious damage, I will be very happy.

I tired, very tired of Slashdot kiddies obsession about Microsoft. There is more to software than Microsoft, and in the case of ColdFusion, it has nothing to do with them.

What you are saying, is that when an exploit will be released for RedHat for instance, you will be very happy if they get out of business.

Because no software in the galaxy, is without bugs, and finding an exploit in any system is just a matter of working hard enough at it.

Hammurabi's Building Code
229 If a builder build a house for some one, and does not construct it properly, and the house which he built fall in and kill its owner, then that builder shall be put to death.

That's ok for building, because house solidity is a big imperative and can be achieved by respecting standards (yes, they do have big books with rules that you must respect).

This miss completly the point of software. With software it is impossible to make a program without bugs. There are no rules, no standard, nothing, that could give you a secure software. Even the most checked code (with millions of dollars of checking), such as Space Shuttle program is evaluated to have about still 10 uncovered bugs.

Re:Irresponsible?

[Detritus]

It may be impossible to eliminate all bugs but testing can greatly improve software reliability.

AT&T has done a lot of work in this area. See "Software Reliability Engineering" by John Musa.

The problem is that testing takes time, discipline and money.

Or we all have the same registration :)

[Carl]

Almost all websites have some of the "standard" guest accounts. Here is a list I try first before creating another (bogus) account. Please try to create one of these guest accounts if they don't exist yet. That will save all of use al lot of time and frustration:

username - password
test - test
testuser - testuser
test_user - test_user (This one works on the NYT)
test@user.org - test
test@user.org - testuser
cypherpunk - cypherpunk
cyberpunk - cyberpunk

Re:Or we all have the same registration :)

[JoeShmoe]

Ummm...brute forcing sites takes longer than registering with pure crap.

I could also say if life was fair then the password for "foo" would always be "bar" and the password for "test" would always be "test" but the sad truth is that most times, the password for "foo" is "chow" and the password for "test" is "account"

You can spend all day trying to find which key on your keyring will work...I'll just punch a new one.

But I like the idea of posting login/pass...note to Rob: put "test_user" "test_user" in the tagline of any article from NYT...

You can call it "an alert to inform NYT that their passsword security has been breached"

Quick! Before l0pht does it! =)

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

Re:Or we all have the same registration :)

[Demona]

cpunks/cpunks is also a common one, and works on NYT.

Re:Or we all have the same registration :)

[Ludd+Kilken]

And not to forget, sknuprehpyc - sknuprehpyc
needless to say, it's backwards.. but it does work on NYT, too.

Re:a thought...

[kevcol]

Do you keep a pencil and some paper handy? Or vi?

Free NYT Registration

[prizrak]

Login with username: 4special, password: forfree

Thanks

[A+nonymous+Coward]

I am now asdfg1140. Works like a champ. Power to the people!

--

Jason Garms...

[jcr]

Is 100% chock-full of bullshit.

Maybe he thinks security problems get fixed by pretending they aren't there, but I for one am *very* grateful to Mudge and the rest of the l0pht crew for providing the information I need to convince my clients to stay the hell away from MicroSquish products on systems they want to expose to the net.

EARTH TO MICROSQUISH: SECURITY MATTERS!

-jcr

Jobs and Woz created Blue Box???

[JuddMaltin]

Any validity to the closing story about Jobs and Woz inventing and selling the blue box?

Re:Jobs and Woz created Blue Box???

[chromatic]

If so, I bet Jobs spent six months picking the perfect shade of blue.

--
QDMerge 0.21!

Re:Jobs and Woz created Blue Box???

[DonFarfisa]

Sneakers was my favorite movie, too

Re:Jobs and Woz created Blue Box???

[hogwaller]

Nope. John Draper, aka Captain Crunch, perfected
the blue box, though I don't believe he invented it.

Captain Crunch got his name from a toy whistle
procured from the cereal of the same name, which emitted a perfect 2600-cycle tone that the phone company used to shuttle long distance traffic back in the stone age. It's where alt.2600 came from too....though most of you all probably know all this.

--------------------------
Your Favorite OS Sucks.
^D

U.S. Government not too Stupid.

[Wah]

"You are performing a valuable service to your country," (Fred) Thompson added, "and we appreciate that and want you to continue."

(Ceck out IMDB if you don't know who Fred Thompson was, although they don't mention that he is now a Senator, go figure)

Anyway, just a quick question. To me, it seems that the Hacker Ethic and Open Source Philosophy end up at the same place. The simple idea that information shared is worth more, intrinsically, than information hidden. Can an *expert* (self-appointed would qualify) show me how the two differ?

Re:Pronuciation?

[David+Ham]

L0pht pulled their named from the fact that their headquarters was their "loft." It is indeed pronounced "loft" and not "low fat."

Fred Dalton Thompson

[DHartung]

The "biography" and "trivia" sections both contain mentions of his election to the US Senate.

Re:Pronuciation?

[h2odragon]

In "english", "ph" is usually sounded "f"...

See "cypher", "trophy", "graph"...

What happened to the CYPHPERPUNK login/password?

[Griim]

Anyone know?

Re:Brief history of Jobs and Woz

[Money__]

See this story for details on the Jobs and Woz blue boxen. This PBS documentory (by Mr. Cringley) gives a very good look back at how computer came to be, and where they are going.

[OT]The preview page lies

[Mawbid]

In html mode, I can put (ampersand)lt; in the article, press preview, and see the less-than symbol. Then, when I press post, I get different results. I was hit by this behaviour a long time ago but I assumed it had been fixed.

Aaaah. I see. When you go to the preview, the text in the input box is changed (the html entity is changed into the symbol it stands for) and if you submit from the preview page rather than backing up and then submitting, this is what happens. Let's see what happens when I submit directly. <test>
--

Re:[OT]Confirmed

[Mawbid]

As I expected, using <foo> does work. It's just that if you post from the preview page, the text box no longer says <foo>, it says , and that gets stripped because it's not an allowed html tag.
--

Surprisingly good article

[jht]

You don't normally find articles that well-written on hacking in the "normal" press, so I'm pleased. The normal NY Times policy would be to have Markoff do a hatchet job.

That said, I think that the computing world needs L0pht, and they need the CDC, for that matter. Hacking should be an above-ground activity, and the information returned should be to help others pursue their knowledge of the systems. L0pht goes out and finds information, then they make it free to all. That's the Right Thing. CDC makes tools to exploit the dumb things vendors do - the tools themselves are not good _or_ evil, but the users may be.

The only negative that sometimes comes from the activities of these groups is the legions of script kiddies racing off to put their k00l d00dz signatures on websites before the holes get plugged. But on the other hand, the script kiddies will be therre regardless, and get in eventually, anyways - it's the Infinite Monkeys Theorem come to life.

- -Josh Turiel

Credit where credit is due

[eggnog]

Nice article, but the reporter gives credit to Weld for finding the ColdFusion hole. If the reporter glanced at the advisory, he would have noticed that Weld didn't write it.

Pronuciation?

[eyeball]

I always thought L0pht was pronounced Low-Fat. It seemed logical, since "Low-fat Heavy Industries" seemed to make more sense than "Loft Heavy Industries."

use Free software

[jabbo]

It's sure hard to audit proprietary crap...

Maybe the hypothetical ISP should have considered this. Most of IBM's internal network runs on free software because security and IGS can sift through the code.

Maybe ISPs are in a competitive enough environment that a bad decision like that is enough to kill one. What do you think?