Slashdot Mirror


L0pht Heavy Industries in NY Times Magazine

Billy Joe Bob writes "This Sunday's (10/03/99) New York Times Magazine features an article about L0pht Heavy Industries." Not a bad piece for a mainstream pub - good writeup about the personalities involved, how they work, etc. (free NYT reg. required to read.)

17 of 77 comments

  1. Re:Irresponsible? by Anonymous Coward · · Score: 3

    I think it would be preferable for L0pht to post a "Coming Soon..." article which identifies the vendor, product, and the general nature of the exploit, but stops short of providing full details. The complete details of the exploit could be sent to the vendor immediately and then added to the l0pht article after a warning period.

    This approach has a few nice effects: First, it gives L0pht full credit for the hack without immediately giving the script kiddies access to it. Second, it gives vendors a fighting chance to get fixes made. Third, it gives (astute) users of the product fair warning about the coming exploit allowing them to contact (pressure) the vendor.

  2. how does L0pht *afford* this? by dboyles · · Score: 3

    The warehouse brims with more than 200 computers ranging from state-of-the-art Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters, D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna. The warehouse also contains several small-scale dummy computer networks.

    Where do they get their financial backing for all of this hardware/service/location? Maybe they get a little advertising money and sell a few shirts, but how about the rest of the money? Does L0pht do paid consulting, or what?

    That electricity bill must be through the roof.

    --
    -- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
  3. Re:One funny sentences by emac · · Score: 2

    Besides, as the NRA might say if they were a pro-hacker org - "Posted exploits don't hax0r systems, PEOPLE hax0r systems!"

    --
    Best new white rapper since Pimp Daddy Welfare... Pimp-T!
  4. Tool neutrality by Morgaine · · Score: 2

    I'm glad that they replied "Yes" when asked whether they accepted that their approach had negative consequences as well as positive ones. That was honest and even-handed.

    However, an analogy would have served them well. "Yes, our activities can have negative consequences. This is similar to the case of a kitchen knife manufacturer whose products can lead to domestic murder or to excellence in the kitchen. But you don't criminalize such a company for the negative use of its products, nor indeed do you praise it when you enjoy a well-prepared meal. The tool is neutral."

    Likewise, a nuclear tipped missile can be used to deflect an Earth-destroying asteroid or to wipe out another country. The tool itself does not determine the morality of the people that use it.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  5. One funny sentences by Le+douanier · · Score: 3

    '"their only victims are the little people that are customers" -- the people who purchase products like Windows 2000.'

    Buying windows is already asking for being a victim.

    --
    "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  6. Accessing the NYT article by Morgaine · · Score: 2

    If everyone does the same as the NYT and forces registration, we'll all have hundreds or thousands of registrations worldwide before long. The direction in which this is heading is completely untenable.

    Somebody mirror the article for us, please, so that we can retain our sanity!

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
    1. Re:Accessing the NYT article by JoeShmoe · · Score: 2

      ...Which is why Microsoft created the Passport system. Then, anyone can login anywhere, anytime and not ever ever see a single password prompt, even if they login to the wrong Hotmail account...whoops.

      A more important question...how many people do you think type absolute crap whenever they get prompted for this @#$@##@% stupid NYT login crap?

      I've read maybe ten articles at NYT that were slashdotted...and every time I typed something like name:asdfda email:fddffasd@fdsaf.com and was greatly amused when NYT asked me to take asdfda1129 because asdfda was already taken.

      With all the SlashDot readers probably doing the same thing every time there is a NYT article...think how much mail must bounce from that mailing list and how much crap is in the user database.

      I am a big fan of user registration (points proudly to /. #90109 ID). I am only a fan when it is VOLUNTARY (I was AC for many months until I started counting how much karma I was losing).

      Any website that FORCES you to register to even evaluate if you are interested in their goods is going to end up with an awful lot of hateful swear words as user name.

      What do you all think? Is there anyone who actually writes all these thousands of worthless logins down in case they clear out their cookie jar?

      - JoeShmoe

      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  7. Irresponsible? by FooBarSmith · · Score: 3

    I know they are very big on their neutrality, but some of the attitudes seem irresponsible to me.

    "We were trained by the vendors to go public," says Mudge, "to give them a black eye."

    This was in relation to the coldfusion 'sploit. Not only did it give the vendors a black eye, but also a lot of customers who use coldfusion for whatever reason. They didn't deserve a black eye for it.

    Hypothetical:

    An ISP provided Coldfusion hosting for many high profile sites, these all got hacked due to this exploit and the ISP's reputation suffered. They went bust. Could happen. (Maybe it did?)

    Surely the responsible action would have been to notify Allaire of the exploit and warn them that they were posting it in a week? This would have given Allaire time to fix it and notify their customers. Allaire's reputation suffers a little & only the lazy / stupid customers are damaged.

    From comments later in the article it seems they may be heading in this direction. I hope they do.

    --
    stty erase ^H
    1. Re:Irresponsible? by JoeShmoe · · Score: 2

      Well...two comments...

      First, I agree that yes...it is only fair to give a company advance warning. It's pretty much standard for news organizations (newspapers and television, etc) to call a company, drop the bomb on them and then ask for a comment.

      L0pht argues that companies just will "sweep it under the rug"...so? BFD? You now get to add "I told you so" to the end of your advisory. Not every company is Microsoft and some would go running to their customers with patch CDs in their hands if they knew about serious bugs.

      The real issue...what they aren't saying is that the reason they don't warn companies is because:

      A) There is the risk that the company will make it public before they do...either by

      1) posting the fix and thus making it look like l0pht is taking credit for something they didn't find or by

      2) talking about it with someone who has connections with another security group, who publishes the information first.

      and

      B) If the resulting fallout is bad enough...there is more attention given to l0pht. Who the hell has heard of lopht besides IT professionals? Ah...but if they get blamed because they were "irresponsible" well, it's more hits to their website. It's like children who want attention...good or bad.


      The best thing to do would be to draft a legal agreement and fax it to a company that they find released an insecure product. The draft would basically tell the company they can sign it, giving full credit to l0pht for the discovery of said insecurity and promising to give l0pht exclusive rights to information about how to fix said insecurity...or they can throw it away because they don't believe the hole exists and then take the fallout when it is posted in public.

      - JoeShmoe

      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    2. Re:Irresponsible? by Detritus · · Score: 2

      It may be impossible to eliminate all bugs but testing can greatly improve software reliability.

      AT&T has done a lot of work in this area. See "Software Reliability Engineering" by John Musa.

      The problem is that testing takes time, discipline and money.

      --
      Mea navis aericumbens anguillis abundat
  8. Or we all have the same registration :) by Carl · · Score: 3

    Almost all websites have some of the "standard" guest accounts. Here is a list I try first before creating another (bogus) account. Please try to create one of these guest accounts if they don't exist yet. That will save all of us a lot of time and frustration:

    username - password
    test - test
    testuser - testuser
    test_user - test_user (This one works on the NYT)
    test@user.org - test
    test@user.org - testuser
    cypherpunk - cypherpunk
    cyberpunk - cyberpunk

    1. Re:Or we all have the same registration :) by JoeShmoe · · Score: 2

      Ummm...brute forcing sites takes longer than registering with pure crap.

      I could also say if life was fair then the password for "foo" would always be "bar" and the password for "test" would always be "test" but the sad truth is that most times, the password for "foo" is "chow" and the password for "test" is "account"

      You can spend all day trying to find which key on your keyring will work...I'll just punch a new one.

      But I like the idea of posting login/pass...note to Rob: put "test_user" "test_user" in the tagline of any article from NYT...

      You can call it "an alert to inform NYT that their password security has been breached"

      Quick! Before l0pht does it! =)

      - JoeShmoe

      -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  9. Jason Garms... by jcr · · Score: 2

    Is 100% chock-full of bullshit.

    Maybe he thinks security problems get fixed by pretending they aren't there, but I for one am *very* grateful to Mudge and the rest of the l0pht crew for providing the information I need to convince my clients to stay the hell away from MicroSquish products on systems they want to expose to the net.

    EARTH TO MICROSQUISH: SECURITY MATTERS!

    -jcr
    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  10. Re:Jobs and Woz created Blue Box??? by chromatic · · Score: 2
    If so, I bet Jobs spent six months picking the perfect shade of blue.

    --
    QDMerge 0.21!

  11. U.S. Government not too Stupid. by Wah · · Score: 3

    "You are performing a valuable service to your country," (Fred) Thompson added, "and we appreciate that and want you to continue."

    (Check out IMDB if you don't know who Fred Thompson was, although they don't mention that he is now a Senator, go figure)

    Anyway, just a quick question. To me, it seems that the Hacker Ethic and Open Source Philosophy end up at the same place. The simple idea that information shared is worth more, intrinsically, than information hidden. Can an *expert* (self-appointed would qualify) show me how the two differ?
    --
    +&x
  12. Surprisingly good article by jht · · Score: 3

    You don't normally find articles that well-written on hacking in the "normal" press, so I'm pleased. The normal NY Times policy would be to have Markoff do a hatchet job.

    That said, I think that the computing world needs L0pht, and they need the CDC, for that matter. Hacking should be an above-ground activity, and the information returned should be to help others pursue their knowledge of the systems. L0pht goes out and finds information, then they make it free to all. That's the Right Thing. CDC makes tools to exploit the dumb things vendors do - the tools themselves are not good _or_ evil, but the users may be.

    The only negative that sometimes comes from the activities of these groups is the legions of script kiddies racing off to put their k00l d00dz signatures on websites before the holes get plugged. But on the other hand, the script kiddies will be there regardless, and get in eventually, anyways - it's the Infinite Monkeys Theorem come to life.

    - -Josh Turiel

    --
    -- Josh Turiel
    "2. Do not eat iPod Shuffle."
  13. use Free software by jabbo · · Score: 2

    It's sure hard to audit proprietary crap...

    Maybe the hypothetical ISP should have considered this. Most of IBM's internal network runs on free software because security and IGS can sift through the code.

    Maybe ISPs are in a competitive enough environment that a bad decision like that is enough to kill one. What do you think?

    --
    Remember that what's inside of you doesn't matter because nobody can see it.