Slashdot Mirror
Interviews: We Have 2! 1st, L0pht Heavy Industries
Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.
You said in an interview that it's possible to shut down all the Internet. How you possibly might do that? With a DoS attack in some routers or by taking command of some servers in the principal backbones of the USA?
"Learning, learning, learning - that is the secret of jewish survival" -- Ahad A'Ham
Do you agree with the President's plea to cease hacking activities for Y2K, and do you think it will have an adverse affect?
"Those [filthy|pagan|heathen|whiny] americans, I'll show them....."
--WooooHoooo--
Whenever the subject of securing our web servers comes up at work, someone inadvertently says "We should hire one of those L0pht guys." As if you have nothing better to do than to work for a starving second-rate e-commerce IPO. My question is: Do you get job offers like this? If so, how does it feel? Do you refer them somewhere?
_______
2B1ASK1
Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?
----
----
Open mind, insert foot.
How the frag do you pronounce L0pht? And what the hell does it mean? Somebody write me a perl warez filter for pete's sake. All this kewl l33t drek is driving me insane.
Where did you guys come up with the name, "the l0pht?" Does the 0 in it (as opposed to an O) have some special significance?
What do you think will be the future of computer security ? Encryption ? I don't think it'll be enough... What we'll be doing to protect our data ?
The L0pht has been involved in independent wireless networking reasonably heavily. What do you see as the most important discoveries/protocols/designs for the next few years? Do you forsee an opportunity for the hardware hacking community to open up the airwaves in the same way Linux & OSS has opened up operating systems and tools?
At work we recently purchased a copy of L0phtCrack (Guess what - it has saved many many hours of work for me especially!) - for $99? Are you guys making a killing off of this tool or what?
--onyx--
FORNICATE!
Moore's law is that computing power doubles every eighteen months. At the same time, parallel processing and distributed computation ( Cosm & Distributed.net) are becoming increasingly common. This leads to an abundance of cheap computing power, enabling brute force attacks on secure systems. In light of these developments, do you see username/password pairs being replaced by anything more resistant to such brute computing force?
"There's so much left to know/ and I'm on the road to find out." -Cat Stevens
At one point I thought it was
"low-fight" but somewheres I remember it being said as "loft" which would make more sense as
L=L
0=O
PH=F
T=T
LOFT
--
Insert Witty Sig Here
What products and or projects are you considering in the future? Also, what happened to the wireless networking you were planning (and made a few steps to)? I have often considered setting up something similar to this on a local scale for a few friends. But I think it'd be awesome to be able to be free of US Worst for my internet service.
you haven't released any security advisories lately. where do you get your nitrous? can i have some?
Cretin - a powerful and flexible CD reencoder
Do you have a guesstimate as to when Operating Systems and protocols will make Information Security a non issue (from and attack and penetration perspective)? I have discussed this with my colleagues quite a bit and none of us can really say.
This is not bait for Microsoft jokes, either.
Developers may eventually wisen up, the day that I hang my A/P hat and retire to a desk job because of this evolution is inveitable, but thankfully not in sight. I would appreciate some comments on this matter...
-jcw
L0pht-
As with any of the well-known infosec groups (you, cDc, &c), it's always a far-flung collective of folks who coalesce and make things happen. How did you meet and decide, "hey, we have common goals and interests, let's do this as a team"?
Rafe
V^^^^V
Rafe
Opinions expressed by the author may not actually exist in the wild.
The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...
Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...
** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
Considering the availability of easy to use, secure, persistent, pseudoanonymous nyms (http://www.freedom.com) and the increasing role that electronic commerce plays in our economy, what privacy and security concerns do you anticipate moving to the forefront of attention as this rapidly changing technology evolves?
What is your take on the quashing of the use of photuris, for IPSEC keyserver use over the open to attack isakmp, by the IETF?
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
How do you see things evolving, from this unholy mess?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
What are the non-computer hobbies of the l0pht crew?
I suppose that this is a sort of "celebrety interview" question, but I'm curious.
I meet a lot of "white hat" security types in my job. Every so often, I one of these guys goes into name dropping mode and starts talking about how chummy he is with Mudge. Once I had one of them tell me how he had contacts with the "low fat" guys (although he hadn't heard it pronounced as "loft"). What is it like to have your name(s) dropped by potentially thousands of really cluesless people who you might never even meet?
What do you propose as a solution to the whole Q1 OSS cheating debacle?
Now I know that Mudge has a painting (can't remember who by) hanging around, and I was wondering what artist everyone at L0pht enjoys as well as composers (if any there are into classical music).
I read something to the gist of this recently:
"The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order
for computer security to become a reality, the design methodology must be changed."
Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used int, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?
In my experience, it has always been a matter of refinement. Security is relative.
Never send anything unencrypted that you don't want to have appear in court.
If the windows API was opened because of the DOJ trial, what would you do?
A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.
B) fix everything and tell microsoft so they can make the changes show up in a new release
C) Do A) and grin real big and giggle lots
D) Other | Please Specify ___________________
Do you think there will be any security in the internet of the future? There seems to be more and more security holes (or at least we are finding more). Plus does encryption or digitially signing data help or hender the net?
Thanks
Scott
Scott
C{E,F,O,T}O
sboss dot net
email: scott@sboss.net
Scott
janitor
sdn website family
email: scott at sboss dot net
I have a couple questions. Choose whatever you like. * The silicon valley is froth with IPOs. A huge opportunity exists even in Boston, if you were attached to the city. Do you regret not putting more into a commercial enterprise that could have netted you the millions some people are getting? If so, would you trade your fame in this community for it if you could? * L0pht spends an enormous amount of time hacking on other peoples' equipment, cracking and analyzing other peoples' software. Without meaning to denigrate such useful activities, do you ever want to stop it for a while and dedicate yourself to the creation of something innovative and positive? * Somewhere in the future, drowning in gigahertz, manufacturers turn to adding security to their CPUs. CPUs have decryption modules which stop the CPU from running any code not specifically signed and encrypted for your CPU. Your machine (or cpu) would come with a disk or cdrom with a public key you'd provide to vendors (probably on a web page) that would be used to "complete" a build of software that was sold to you, and lock it onto your CPU only. Every piece of software will have a known desination and a known source. Piracy will be a thousand times harder. Viruses will be wiped out by applying this technology to documents and software alike. Is this the future? * I see the patent situation forcing software to inevitably go one way or the other: it will either be written only by corporations with tons of money and patents, and be commercial (and by judgement-proof pauper-programmers who have nothing to sue away from them), or the USPTO will suffer through a massive regulation change, and thousands of software/algorithm/ business-model patents will be swept away, along with more easy way to review a given patent's "nonobvious"-ness. Where do you think this tragedy is headed?
Well I never really put much thought in to it, but here goes. L0pht Heavy Industries. Perhaps it means Low Phat as in Low Fat , Heavily Used as in high speed low drag industries.
Good is never enough, when you dream of being great!
with the local networks expanding from one solitary computer, to 20 computers connected in a room, to wireless devices also now able to connect to large databases and networks, how do you see the security industry (is it considered an industry) responding to these changes and do you forsee any interesting problems arising?
I was digging around the l0pht web site one day and read up on the wireless project you guys were doing trying to make use some old UHF equipment and seeing how far you could spread a free wireless network. So what's the current status of that project?
Normally, I'd write you off as a hot grit troll. But I'd really love to see the clever answer l0pht would come up with for this one.
--- "So THAT's what an invisible barrier looks like!" - Time Bandits
What are your opinions on "script kiddies" and your propogation of these people? Don't you believe that people who would want to be hackers should learn through experience, much like yourselves?
For assurance, before installing software on a secure-as-plausible machine, I would love to have an automated for security problems, such as buffer overflows. So, how is the development of SLINT progressing? Are you still planning to release it?
What do you think about the wisdom of linking a planetary network of desktop computers to a radio telescope, hoping to go online with any extra-terrestrial who cares to open our collective port?
Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.
What are your thoughts on this prediction? (Timeline, reasonableness, etc.)
Regards,
Ben
My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
Do you believe that it is possible to provide a secure computing model in an open source environment? If so, how?
Hi guys,
Any plans to write a proper Win2K/NT rootkit (the kind that was published on Phrack a while back - that replaces or adds to the actual calls in the win32 ring 0 system with its own) soon ?
(First the silly question) :-)
Prove your existence
(Now the real question)
How do we get back control of our information?
Neil Cherry - Linux Smart Homes For Dummies
Assume you own a server to run the following protocols: HTTP, POP/POP3, SMTP, NNTP, telnet, FTP. Can such a machine be secure under -any- OS? If this was sitting in your basement, what would you do with it (after loading Q3A/UT and distributed.net's latest client ;-) to make sure the script kiddies didn't f*ck with you?
Rafe
V^^^^V
Rafe
Opinions expressed by the author may not actually exist in the wild.
According to your site, you have developed a quite powerful source code security analysis tool.
A while ago, this tool was not distributable, and closed source.
Do you plan on releasing Slint and/or other currently closed source L0pht tools in an open source license, or in some other freely distributable binary form ?
hi guys.
when you testified before congress, one of you (I believe it was Weld Pond) said that software manufacturers need a financial incentive to ship secure software. I believe that you went on to say that they should be held partially liable for damages caused by bugs in their software.
How do you think that legislation like that would affect the open source movement?
Sometimes, corporations are ignorant of your advisories, as they feel the general hacking community is only destructive and has little to offer. It also seems obvious in ABCNews' report that people have an inherent fear of the hacking/cracking community in general. The intent of some groups (cDc comes to mind) is different from others (gH), and as a result it becomes difficult to create an accurate definition of what hacking/cracking really is.
My question is this: do you feel the negative publicity and stereotypes of hackers and crackers rubs off on l0pht to some extent?
-- BlueCalx | http://nickd.org/
Hi.
Lots of companies are shipping "VPN" solutions that are simply IPv6 boxes. Do you feel that IPv6 is adequate for this purpose? Will IPv6 really prevent the types of attacks we've seen with IPv4?
I was not impressed to see L0pht embrace any form of commercial philosophy. While it is true I live in a fairly isolated section of the world, I and the community I live within have the general impression that you are no longer available to the public. It appears as though you have sequestered yourselves away in your building(s) and sent Mudge out to maintain good PR. What I mean is, aside from the odd security release and product update, you guys seem to have disappeared from the face of the earth. What are you up to? Are you still truly pursuing the tenet that is listed prominently on your BBS? "Freedom, freedom, blah" -lhi, psalm blah verse blah?
Do you see yourselves as this inaccessible except to people willing to fork over large dollars, or am I just living on the moon?
Do you think we'll see capabilities begin to replace root in Linux? What will that world be like? When will it happen?
How secure do you feel linux is? Please compare or contrast this with OpenBSD.
Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999
I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.
Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.
The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.
Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.
Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.
Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.
So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?
Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?
If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.
Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?
All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.
Ray Malone
MBS Software
Chillicothe, Ohio
a real zero.
I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked. One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked. While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software. I would like very much to know what you think about this. -kamelkev
I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked.
One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked.
While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software.
I would like very much to know what you think about this.
-kamelkev
Question for l0pht: 1) What are your all's opinions about non-full-disclosure companies making money off of full-disclosure vulnerability reports? A very important example is that of ISS (http://www.iss.net/). They made millions from the sale of their products like RealSecure and Security Scanner. These programs obviously check for vulnerabilities that were once posted on full-disclosure lists/pages. ISS is ABSOLUTELY DEPENDANT on this information... But when it comes time for ISS to report on vulnerabilities they have found (via X-FORCE) they release the most poor excuse for a vulnerability report I've even seen. A person cannot get any USEFUL information from them at all. Things like "There is a buffer overflow in BLAH version x.xx" And thats all the detail they give. What if every company/group did this? ISS wouldn't even have a worth wild scanner/detector at all! Do you all feel that ISS is doing anything wrong?
As you are one of the most well-known security-focused-groups today, you must surely attract a lot of young people who would want nothing more than to follow in your footsteps. Every kid nowaday wants their umpteen minutes of fame and TV air time.
What are your thoughts on the reponsibilities you have as frontal figures for the "hacking community"? (For some non-disclosed definition of "hacker")
Do you feel such a responsibility to steer the young and naive hacker-wannabies into white-hat territory? - or are you more into "give them the knowledge, let them choose side for themselves"?
If you feel an obligation to inspire kids towards non-illegal, non-confrontational, non-disruptive hacking; how do you take on such a task? Your choice of a name that surely goes well within script-kiddie-hacker territory indicates to me either a wish to attract such a following, or perhaps it is just an indication of your history, coming from that background.
Enough rambling, I guess my question more or less boils down to "How do you install a sense of decency in your fan groups?"
By the way, thank you for all your good security work. It seems you appear in my bugtraq and ntbugtraq e-mail folder every other time I look... I hope I don't come across as insulting or demeaning in my question, I am seriously interested in your answer.
Okay, well two Q's.
That which does not kill you, makes you stronger.
You have seen a lot of insecure systems. What do you see as the largest barrier to secure computing/communications (or largest contributor to security holes)? Braindead users, poorly implemented security, men in black, something else?
Are there any OSs that you guys like from a security standpoint? Ignoring the common UNIX variants and Microsoft's OS products, all of which have known holes through which one could drive an 18-wheeler, is there anything worth looking at?
Some time ago, the l0pht was involved in trying to set up a small independent network (along the lines of DARPA ) involving microwave technology to communicate 'off of the grid'.
How has the work progressed? Any notes, or better yet, a HOW-TO?
I'm interested to hear you talk about the thinking behind some of your members' involvement not just with 'grey hat' operations, but the 'black hat' groups too. Are they just schizophrenic, or are they just undecided on the moral code they wish to follow?
A computer without Microsoft is like ice cream without ketchup.
As a administrator I am very concerned with the security of my network. So it's no great surprise that I try to do as much research as I can in what little off time I have. Your website is on of the first I hit for NT security issues. For the Novell side I head over the Nomad Mobile Research Centre. It would seem that l0pht is geared more toward the NT side and NMRC more the NDS side. I always get the feeling that both l0pht and NMRC are in a sort of information share relationship. What other groups do you work with on a regular basis?
GIHM -The light at the end of the tunnel is only the oncoming train.
Has the L0pht considered line-of-sight laser light as a communications medium for guerilla.net?
well? do you?
See above
What is your opinion on most of the major ISP's in the nation? For example, AOL, Mindspring, Earthlink, Bellsouth.net, GTE, and others.
last summer, the us army switched to a power mac g4 and webstar. starnine, of course, made lots of noise.
... with the unix base, does that make it just as insecure as solaris/linux/et cetera?
do you think the mac os is a viable platform to run http on?
what about mac os x
Have you guys/gals ever gotten in any "real" trouble? I personally like to play around on other systems, that aren't really mine, but I always try not to cause trouble. I notice that you do that as well. I was just curious if anyone ever got really ticked at you guys and tried to "get" you, so to speak. Also, I must say that you are doing a wonderful thing for network security. I work for a very large company that was quite sure of its network security. Our admin was quite surprised when I ran a preview of L0phtcrack on the system and it started spouting off passwords (including his!). Now he is considering purchasing it to use on a weekly basis to help with our security.
=======
There was never a genius without a tincture of madness.
Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!
Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselve.
So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.
Thanks!
I live in Boston, and am kinda bummed that the open door policy is no longer. How has your popularity and status changed what you do / how you do it? Do you find it alienating at all?
-Spazimodo
Fsck the millennium, we want it now.
Fsck the millennium, we want it now.
Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
--
"But, Mulder, the new millennium doesn't begin until January 2001."
send all spam to theotherwhitemeat@ropine.com
I've seen a great deal of problems start to arise from some of the coding efforts by the Linux community. Namely the fact that WM's like Gnome open random high numbered ports when running, etc. I have seen the OpenBSD and FreeBSD communities react to issues of software security, but I have yet to see anyone really take a more secure step towards software on Linux. What do you forsee as a solution for Linux software, and/or do you think it's security issues will begin to approach the problems Windows has?
Null_Packet
Hybrid
(hybrid@ghettohackers.net)
Ever been 'requested' to do anything, hand over some info, poke around some stuff, by any gov't agency? I don't imagine that you'd be too happy about it, and I'm not insinuating that you'd cozy up with the government, but just wondering if maybe they've ever ordered or asked you to send them a copy of l0phtcrack, SLINT, etc...
Regarding the following incident, as reported by the Crypt News letter (http://sun.soci.niu.edu/~crypt/)
Were you accurately represented? Claims like this one are a little, um 'out there'. What's the skinny on this?
thanks
-nme!
December 20, 1999: In this transcript from ABC World News Tonight entitled "Computer Hackers Could Target Military," news reader Connie Chung stated:
"Computer experts have been worried for some time about a flood of viruses designed to disrupt the nation's computer systems over the new year. The systems may be at far greater risk than most people believe."
Chung continued: "ABC's Kevin Newman has been granted access to a group of elite hackers who usually operate in secret."
Yes, so secret, the well-known group -- The L0pht -- has a website, has appeared in the New York Times Magazine, has appeared before Congress, has appeared . . . well, you get the idea. For a secret group, they sure appear in the media a lot.
The purpose of the interview seemed to be aimed at convincing the viewing audience that "the L0pht" were the masters of the world.
Senator Fred Thompson appeared, acting as "the L0pht's" unpaid press agent: "I'm informed that you think that within thirty minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?"
UNIDENTIFIED [L0pht] HACKER #1: "That's correct. It would definitely take a few days for people to figure out what was going on."
[Sound of Crypt Newsletter channel changer-switching to WWF pro wrestling, where the phonies and bluster are more entertaining.]
I know that at one point you were offered the source code to the Windows products by Microsoft. I also know that you did not accept the offer. What were your reasons for not accepting the offer?
L0pht Crew:
;-)
Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?
If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face
well now i just gonna poke in here an say that how do you guyz get ur software??? do u buy it or do u warezzz it??? i just got my american on line accont and im real new here 2 the internet/aOL but i am trying 2 learn to do this hacking stuff!! can u point me in a good directoin to get hacking stuff?:?? i run windows98 on my computer its a compaq persario so i think its big enuff to hack on!! n e wayz also i have 2 say that the last 2 times i posted stuff here i got called a troll by some ppl!!! thats pretty childish of them 2 do this!!!!! like i already said i just got my american on line accuont!! im new here ppl1!!!! so dont call me a troll!!!! cuz one day ill be callin ya alls trolls and u'll be real mad and stuff like me!1!!!
1) Wireless.
Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...
2) The future of hardware hacking.
With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.
I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?
3) The future of l0pht.
(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.
Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)
We all know what a farce the press is and their mistreatment of the word "Hacker," and their total misunderstanding of what hackers stand for. What is the best say, in your opinion, to change all of this to put the hacking community in the positive light that it deserves?
-- I am. Therefore, I think!
I've come across someone that is involved in a wireless internet project much like yours, whom described it at length, and then went off about how l0pht had ripped his ideas off his web site with no acknowledgement of where it came from.
The wording is infact so similar that it appears as if l0pht did indeed copy what he said, or vice-versa.
So what I'd like to know is where did you come up with the idea for the wireless internet project?
When the time comes to protect America against radical and reckless attacks from overseas and domestic script kiddies will your group offer assistance, or take the "We told you so attitude"?
I am the lead sys / network admin for a very large ISP, and have had to freely offer my support to the local city and state government during small emergencies.
After working with the local governments
"Microsoft / SUN / Cisco Certified Engineers" I am very very very worried about what could happen in the future. These people are clueless and pose a serious security threat to our government networks.
How do you recommend we enlighten and possibly force some equilibrium to make sure they don't screw things up?
Eric
--
"Free your code...and the rest will follow."
Be who you are...and be it in style!
Just recently on slashdot there was talk of large wireless networks using wavelan. I'm especially interested in hearing about the status of guerilla.net. I'm sure answering the question i'm replying to would further the project and get more people involved. thanks
One serious and one dumb question:
Have you suffered any legal reprocussions from some of your more gray hat work, (l0phtcrack), and if so, what route have you taken to avoid such ramifications?
Do you find your ability to booze with your friends and recover enough to give a speech the next morning at a con has diminished with age, or do you feel that you will be able to hang with a bottle of Jaeger has grown over the years?
-- Javaman
L0pht Guys:
One of the most interesting applications to come out of the L0pht has been nothing but the immensely useful Netcat. Built to transfer arbitrary data at all costs, it's been used countless times when one needs your data to get from point A to B without interference by the various vagaries of the underlying content.
What's interesting about this, in my mind, is that instead of whipping up a new protocol to transport the independent units of whatever types of data one needs to send, netcat allows simple, unimpeded transport of whatever happens to go over the pipe--syslogs, files, shells, video.
Yet, while each of these custom protocols will toss over the data they were built to, the quality of the protocol design is often eroded by the content normally transfered over it such that only that content can effectively be transported using that protocol.
And thus lies the problem--whereas netcat is built to transfer anything, and is thus very unlikely to fail no matter what traffic enters the datastream, it's enough trouble to write custom protocol handlers that manage to read the data as intended, let alone possess the hands-off arbitrarity that you've designed into netcat.
Thus, my question: Should there be a libnc equivalent, one that security-conscious software coders could use to avoid the vagaries of raw socket code(and the obvious insecurity of shell pipes)? Or would this inspire a false sense of security and in fact make things worse?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
How come you guys don't come over and talk to us mere mortals when you drop by the Boston 2600 meeting? I've heard rumors its because we're (mostly) penguinheads and you guys are BSD/Solaris people?
Didya know that having something from l0pht on your machine is grounds for termination? I do ... now.
Oops.
netcat did not come from loft. it was made by hobbit.
I was just wondering, what's the average day of work like for one of the l0pht guys? Is it a day-long security bug hunt, or more of a "let's get done with this security audit" kinda gig?
Out of the box which is more secure for the average user (not a server), NT or Linux? I'm stipulating that Outlook is not the email program and that no downloaded executables are run without scan.
My thoughts run thus: I realize that NT has many security holes and needs somthing like 200 changes to be made secure, but for the average user who is *not* running a server, are these changes necessary? Contrast that with many versions of Linux, which out of the box for the average user can be hacked in 15 minutes on the net. I am talking out of the *box* not using updates from either linux sites or M$.
Norton Antivirus has a security hole. Details at msnbc . What do you think about such cases? Should the software liscensors be sued (since they are refusing to fix the hole)?
I can throw myself at the ground, and miss.
possible? probable?
nobody has cracked global cash transfers between central banks.
I can't remember my password so I will post as an AC: L0pht, You have mentioned that you could take the Internet down in 30 minutes... if there was a coordinated attack on the Internet via foreign cyber warfare, do you think that you would/could use your skills to 'protect' the U.S.'s interests and thwart those 'attacks'? Thanks.
whats the deal with Oprah?
Assuming that sometime in the future, our TVs, lights, security systems, microwave ovens, fridges etc. will all be connected to the internet, how can manufacturers guarantee that their products are safe from outside attacks from malicious users?
Since you guys rate much higher on the crypto-phreakometer than I do, I was wondering if you had any insight into the security of current crypto technology.
Specifically, do you think that advances in computer horsepower has weakened the security of the current generation of crypto, as it relates to finding BIG prime numbers for the purpose of factoring.
What groups do you feel are doing really good/useful work in the computer underground today?
http://n-sanity.hypermart.net
http://n-sanity.hypermart.net
The N-Sanity Network
First off, do you believe the fascination the media has had with hackers/crackers is merely a fad and will go away (like Y2k paranoia), or are computers in these times too much of an integral part of society to ignore? Case in point- your local newspaper prints which homes have been robbed in the last week. Isn't it plausible that they'll one day publish which corporations have been compromised?
Two, do you believe hacking can be incorporated? Packet Storm has been bought by Knoll-O'Gara as you know. Is it plausible that previously taboo security information repositories/experts will become obtained/retained by corporations in the future?
many thanks.
"In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
Jonathan Rees describes a security kernel based on the lambda calculus in AI memo #1564 which is similar to capability-based systems. Other research attempts to devise systems that formally prove a program to be secure (or correct). Has the L0pht done any research on capabilities, security kernels, or formal proofs of security or correctness? Does the L0pht see this research as being usable in the Real World, or is it too early to tell? Will it ever be possible to reason about computer security in a formal, mathematical way, as we can reason about the efficiency of an algorithm or the solvability of a particular problem; or are we forever cursed to be unable to formally reason about computer security and the surrounding problems and issues?
Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16
I'm proud of my Northern Tibetian Heritage
"There are no shortcuts to any place worth going."
"Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert
As time goes by we see the emergence of ever-more complicated IT concepts and machinery, which is being used by an increasingly "mediocre" public who view it as little more than blackbox. Do you see the non-computer-literate's appetite for high-tech causing the IT working class to evolve into a wizards' guild, or even a technocracy?
--GAck
3. Profit!
2. ???
1. On Soviet Slashdot, a Beowulf cluster of alien Natalie Portman overlords welcomes YOU!
This is one question, but to illustrate the general scope of the questions I will phrase it using a number of small questions. One response is expected that covers my general direction.
Obviously the internet is fast becoming a mainstream global digital society. It now commands healthy respect from "the real world", and governance increasingly becomes an issue.
Have you thought about what continuing role your organisation will play ? Do have an ordered outlook and strategy ? Will you remain an informal commentator, or become somehow more proactive and work with other organisations ?
matthew.gream@pobox.com
Many/most people that laughed at this claim forget that computer networks operate almost identically to power grids. By taking out all the Cisco routers, for instance, you might only take 30%-50% of the networks, but as other networks attempt to fail over and become dependant on the still live networks, those networks, routers, and servers become overloaded with the traffic and start to fail. It's a domino effect. This is the reason when someone with a backhoe cuts a major cross-continental fibre line, the rest of the Internet, especially in nearby affected areas, slows to a crawl because other networks failing over to another backbone creates a strain on those lines and equipment. Now, for my question to L0pht: What, in terms of network design, do you see as the single biggest threat to security?
which OS's are the most secure in their standard configuration, as seen in the average corporate network? Which take the most effort to make safe? Which take the least effort to make safe?
I'm curious if any of the other L0pht denizens ever visit the L0pht BBS. It seems that of the L0pht guys, only BB ever posts, and that's next to never. Do you guys keep tabs on what goes on there?
To your knowledge, has anyone ever gained access to the Large Gov'ment Automated Keyword Scan System operated by the largest english speaking nations of the world? If yes, what do you know about the system that has not been in the press?
When are you going to do a big money IPO? loads o' companies who provide so much less have gone rich lately and I want in on the ground floor once, dammit!
To L0pht:
We've been working on network theory for a while and an idea which we've been working on recently is adaptive system and network security that models the identification and proaction of a biological immune system.
Basically, the security system all incoming and outgoing traffic, processes, etc. As it analyzes a network configuration, it 1) adapts to that network and covers potentials holes from the start, 2) learns from and builds immunity to network attacks, hostile processes, and general system errors such as buffer overflows. Many security systems are, to a point, adaptive to their environment, but I have yet to see a security design that is adaptive/intelligent enough to configure itself to "live" within an environment and to become intelligently symbiotic with that environment.
How much work have you done with highly adaptive security systems, and do you foresee adaptive security becoming a working reality within the next decade?
Recently it seems there has been a trend towards eliminating anonymity in the computer world. It comes in the form of programs that "phone home" without the user's knowledge, or even some that won't run unless they get the okay from the central server. It comes in the form of universal unique identifiers in hardware, operating systems, and software.
With IPv6 on the horizon, and with a larger variety of software phoning home, this may soon become a large privacy issue. Most of the advances being made here are for the purpose of security (read "inspiring fear of being watched")and anti-piracy ("squeeze 'em for their last cent"). What immediate and/or long term effects do you see coming out of this?
---
Play Six Pack Man. I
f the windows API was opened because of the DOJ trial, what would you do?
A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.
First, I don't understand how exposing specific Windows vulnerabilities would propel 'linux to the forefront'. Your statement doesn't support your conclusion.
Anyhow... (and more on topic with your original post) if you pay attention, every exploit is closely followed by a fix. Exposing weaknesses in Windows would really just help, in the long run, to make it a more viable alternative to UNIX.
What would happen if a large corporation sued another large corporation for a security weakness that was exploited and caused damage (loss of data / bad publicity / etc.)? Once other corporate lawyers begin to smell the blood, do you think this would force software manufactures to pay attention to security during the design stage?
Although various white-hat hacker groups (Oops! network security experts) continue expose design flaws and security weaknesses in numerous software products, government spokespersons and the media contine to blame "hackers" for all the nation's woes. Some news reports would have us believe that "hackers" can collapse etire economies with a single mouse-click.
Government agencies promise to prosecute "to the full extent of the law" a teenager that "hacks" into a non-classified, non-critical web site without even questioning the company that provides the flawed software. Operating systems and applications are purchased without a thought to security issues, yet companies are able to demand that those programs be "Y2K-compliant".
Imagine that a large company installed a security system in hundreds of banks across the country, but it was soon discovered (and widely publicized for years) that the alarms do not work from midnight to 1:00 a.m.! Suppose a criminal broke in and stole $249 dollars. Where would your efforts be expended? In prosecuting the the petty thief, the security company or both? Certainly not the thief alone?!
What will force a change in thinking? Money?
How do you feel about totally freaking my boss out! Hehe. I have been tryin hard for a while to tighten up security on our intranet.. So when I sent him my report on our security status ( which included every NT Domain user and password on the network. I finally got my wish! hehe. Well Thats not a good question but heeh.
With large parts of the internet being very homogeneous (at the machine code/executable layer), and at the same time on a larger scale, being homogeneous at the transport protocol level, do you think that in the future that we will see the emergence of something more than viruses (I want to call them meta-viruses, but I don't think that would be the right term)?
I am thinking of something akin (in a biological sense) of a cross between a virus and a bacterium - something that could reproduce and mutate (perhaps via asexual and sexual means), in such a way that it would be near impossible for virus scanning software to keep up with...
Reason is the Path to God - Anon
Rather than ask you some technichal question about some part of the computer world where most likely I wouldn't understand the answer, I have a question that involves some creative though on your part...
Sci Fi, ever since the computer was first invented, has imagined a time where the computer will grow and grow, eventually overpowering the human mind. Can you see a point in time where firewalls and computer security software grow intelligent enough to learn to adapt to and overpower hacking attempts?
some cDc members are in texas, some are in california. One seems to spend a fair bit of time in Canada, although I don't know if he lives there. The l0pht members (including the mudge, who is also a cDc member) live in boston.
If so where and what are your account numbers?
When you do interviews and such with the likes of ABC, do you seriously expect them to be anything other than sensationalist?
K.
-
-- Proud descendant of semi-nomadic cattle-herders.
Enough of the gloom-and-doom stuff for a minute...
if y'all could be any O'Reilly animals, which would y'all be?
(I'm trying to think of some animal that would fit the name "Mudge,"
but I don't think Edward Gorey's made any covers, yet)
click a button, feed a hungry person:
http://www.thehungersite.com
it's real and free, so just do it, okay?
Get off my launchpad!
How many of your members were once part of the underground group Renegade Legion? :)
Well - According to l0pht's logo. L0pht is actually written LØpht. Ø is scandinavian.
Do you think that it is possible to create an unstoppable virus? What I mean by this is a virus that cannot be stopped, even if the source code if found, and spreads indefinitly, by many means such as e-mail, instant messaging protocols, brute forcing through various network protocols, attaching to files, boot sectors of disks, and/or various vulnerabilities. I have thought about this and have not come to a conclusion. I would that if possible it would have to use many or all of the above "techniques" along with a clever mutation of some kind, maybe even patterns used by real virus' and rapid evolution. (Many are created with slight alterations, whichever ones spread more survive and copy themselves more). What are your thoughts on this?
This Wiki Feeds You TV and Anime - vidwiki.org
It is interesting to note that generally, now more companies are interested with compatibility with Linux than with Macintosh.
When do you all think that hardware companies will consider Linux part of the 'norm' - in that driver support is no longer optional, it is expected? Creative and nVidia are paving the way, but they are a very small minority.
Levine
hey i know at least one of you guys back from the RDT days. rock on
Good question. I have heard that IPv6 is as insecure as IPv4; I'd like to know more about that.
Robots. Lots of robots.
In the face of ongoing change with hardware and software now pushing towards net based appliances for kitchens and small easy to use PDAs where do you see the largest security concerns and bottlenecks arrising in say the next 1 to 5 years?
How did you guys (the orig. members) meet, and when did you guys actually start getting into computers and other technologies, and why?
<g>
--
Do you believe Microsoft's claims that it will challenge Unix and other secure operating systems for security and stability?
Or, like myself, do you believe that it will crack like a spoiled egg once people have started poking around with it?
Also, have you had much chance to play with the pre-release copies? If so, have you found anything interestingly flawed in the new security model?
Thanks for your time!
---
Haplo - "The Internet is slow, please reboot it"
-- You have moved your mouse. Windows will now reboot.
Whats your preferred operating system and what do you write your programs in?
I would greatly disagree with your assessment that ISS' advisories don't have value.
You have to think about what the audience for ISS' advisories is. It is not the person that wants to figure out how to exactly exploit the vulnerability. It is for infosec officers to evaluate their risk and use the information to protect themselves.
There are many places on the Internet to find the exact details in full-disclosure, or you can be the l0pht guys and already know alot this crap before it becomes public.
If the products of the X-Force is so useless, then maybe it should come out of your bookmarks at minga.com;
// Rant on
Incidentally your employer (Meta Security) does the very same stuff that you accuse ISS of.
//Rant off
Q: Have you considered doing a Unix server for BackOrifice?
The main reason that I ask is because this would imply the need for a decent Open server for X under Windows for the Unix server + Windows client situation. (-:
I would like to be able to secureshell from a Windows box to Unix (mostly Linux) servers and run X programs without having to buy licences for whichever Windows box happens to be closest at communication time.
You could call it BackOrifice 2000 Second Edition or BackOrifice Bidirectional (BOB).
Got time? Spend some of it coding or testing
If so, will I have to wear a hooded robe and chant alot?
There's a spider on your shoulder.
Do you see a potential increase in these random number "hacks" in the future, as more and more programmers use supposedly random numbers without a clue as to how they were generated and vulnerabilities in this process?
Dude! I go to Paul D. Schreiber High School,
Port Washington, Long Island!
Coincidence? I think yes...
Work together for the Common Geek Good:
Check out Project Upper/Mute, an all-around awesome compiler fra
Last Spring you testified before Congress and met the Vice President among other policy actors, do our nation's policymakers have a clue about how to govern technology?
What's your whole take on the DeCSS thing, and how they intended to secure DVD content through obscurity of the decryption key. Hardware hacking of CSS keys is nearly impossible, since you can lock down microprocessor code stored in on-chip EPROM so it will be unreadable except by the processor during execution (A feature in some processors, like some in the Motorola 6811 family). But with computer software, how can you ever lock down code in the same way? Do you see their method of security as fundamentally flawed, at least in the computer software realm?
Beer wants to be free
L0pht Crew--
Combine extreme paranoia about web site security, a money stream coming straight out of PR Maintenance, and a "get-rich-quick" mentality that infuses Internet businesses, and you get an environment rife for the creation of snake oil cures and security systems that work by seeing to the financial security of the software authors.
Of course, the natural defense to such hucksterism is the presence of groups such as yours. What are some of the products and techniques that you've seen, debunked, and felt you intelligence insulted by?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Do you think the open source thing is kinda lame and missing the point?
Who is it that comes to work with you?
I would like to know what qualities l0pht and other similar groups look for in the recruitment of new members. Specifically, what would an intelligent, ambitious college student have to do/learn/know/pay/etc. :) in order to be worthy of notice? I know that I would love to learn even a small bit of what you guys must know about computers and software, but it seems that if you're not involved in the scene, then there is no way to advance beyond script-kiddie level without the good fortune of knowing somebody already inside. Any suggestions?
The amateur radio packet network is governed by the FCC just like any other amateur radio communications mode. The regulations can be difficult to get around, such as the rule that you MUST have an amateur radio license to transmit anything on an amateur radio frequency.
This would put a kink in using IRC for one. You would only be able to converse with valid amateurs, which would be impossible to guarantee.
I looked into setting up a wireless amateur radio packet network at school, as I admin a svr that is currently connected to the Internet AND the packet radio network. I couldn't legally use IRC thru the radio link because the folks I would chat with do not have FCC amateur radio licenses.
'Bout the only thing this would come in handy for would be remote system administration, but then you would have to look at the fact that packet radio is an OPEN mode of communication. Anyone with a TNC and radio receiver would be able to monitor what was going on. And forget about using SSH or some similiar mode of secure shell access -- the FCC forbids the use of encryption. :(
Hi!
I have heard many times that L0pht uses OpenBSD almost exclusively for their servers. Is that true? If so, could you please explain why (in a more detailed manner that just the obvious "it's been audited for security...") and also tell us if you contribute code back to OpenBSD.
Thanks!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Heh , Maybe you dont understand. My company doesn't make software that is dependant on other peoples disclosed information (we dont make software AT ALL). Also my company doesn't do vulnerability reports! So your 0/2 on accusing my company of doing the same thing ISS does. (and another thing, I'm not posting this as "my company", this is something that personally bothers me) I agree that the ISS reports have SOME worth while value.. from a business standpoint they could be useful to identify risk, etc. But imagine someone (an ISS competitor) who makes a product like ISS Scanner (for example). The ISS reports hardly help them at all. But at the same time ISS doesnt mind getting all the details THEY need from other peoples reports. Its just MICROSOFT'ish. Why DOESN'T ISS do full disclosure? Im not asking for an exploit, just COMPLETE full disclosure. I.E. Show me the line of code that is wrong. -Minga
I am nobody. But I am slightly competent, I will give that to myself. I get annoyed a lot of the times when freshly newbies approach me, because it seems that with every second that passes, people get more stupid. When I learned to program C in high school, I had no computer, I didn't ask anyone, I went to the library, read a book and wrote my code on paper for 6 months till I could get access to a computer and a c compiler. These days, When newbies approach me, they don't even say something in the line of, I was learning C, then I got stock at pointers. Instead, they come out something like, "I want to learn C, blah blah blah", I tell them to search the net, they go no, and curse me in the name of being rude instead of giving them a crash course of C in 5 minutes. I get this with Unix too. ....and I am nobody. I wish those few that know that I know about computers, didn't know so that I will not be bothered. I mean, I like to help people, but I only help those who help themselves or attempt to. So, for you guys, how does it feel? With all your fame, How often do you get asked a bunch of stupid questions? Would you say people are getting more stupid or is that there were all stupid, but the internet is a magnet for stupid folks? Do you guys ever regret your fame? If you could do it again, would you do it, but with totally privacy, so that you don't get bugged with junkless crap. I bet this is one of those annoying stupid questions you get eh? BTW, What duh hell is going on with your hardware section, it has little development, bad bad lazy you.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
"On May 19, 1998, Sen. Fred Thompson (R-Tenn.) of the Senate Government Affairs Committee asked L0pht members, "I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?"
"That's correct," one L0pht member responded. "It would definitely take a few days for people to figure out what was going on."
How and why (would it work)? The second question would have to be, if you could do it, what measures could be set in place to stop or slow down this type of attack on the nations Network?
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
You guys obviously have some hacking/cracking skillz but what I want to know is if you've ever used something you discovered in a "not-so-nice" way. No need for specifics (legal reasons) but I'm talking about anything from crashing a server or just nuking some llama on IRC.
Why did you all decide to practice full disclosure and what problems (legal, moral, etc) has is caused you in your "studies".
---Unstable Boy
ISS does in fact release full disclosure advisory information to the vendor so that they can properly patch the vulnerability. It is my personal opinion that if you have a good relationship with a vendor and are able through that relationship to quickly get patches issued for vulnerabilities, then that is a better avenue to pursue than posting exploits to get a quick response. ISS has no responsibility IMHO to make it easy for crackers or their competitors to write exploits for the advisories they release.
The media uses "hacker" to identify those who engage in unauthorized computer intrusion.
Slashdot readers tend to use the term "hacker" in
an older manner (i.e. "hacker"==those who
cleverly apply their knowledge to a problem)and use the term "cracker" to identify those who engage in unauthorized computer intrusion. Oddly, many slashdot readers act as though the two catagories are mutually exclusive; i.e. slashdotters seem to think that those they label as "crackers" because of computer intrusion are incapable of the scholarly research or expert programming they identify as "hacking".m
How much overlap do you think there is between these two groups? How do you define "hacker"? How many of the people deserving the term "hacker" still engage in computer intrusion, and how many of the people cracking into web servers deserve the term "hacker"?
I want to hear more about the infamous L0pht dress code, alluded to in several interviews. Please include a discussion of permittable clothing, jewelry, and hairstyles.
Do you see any way to allow for anoynmous transactions in the future of electronic commerce (not just e-commerce as it's used today, but the move of every aspect of commerce to the electronic medium)?
I think this is terribly important for a multitude of reasons, the most important being sheer personal freedom, so it is an issue that must be tackled before we allow laws to be passed that will affect us profoundly for years.
-- atomly
the lack of attention to detail.
When licking obscure's anus, is it best to drink a red or white wine? When touch Veggie's penis, do you need to wear asbestos gloves?
...from the world's most dangerous milkman.
I just found out, the source code to Linux and a lot of Unix Operating Systems has been avalible to the HACKER world! Aswell as the source code to the Apache web server, which is used in a lot of places!
Half the internet is comprimised! All my online transactions, my credit cards! Hackers have them all! Thank goodness we still have Microsoft with their totaly secure web servers!
Quick, do as I've done, take all your money out of the banks (They may run Unix you know!), and give it all to Microsoft (Its almost Y2k, so you'd better hurry!). Microsoft will save you! But don't give it all away, use some of it to buy 100 gallons of water, a 50 calibre machine gun, and 10,000 rounds of ammo, cause baby, Y2k is comming!
Eeeermmm, sorry, this is Zaffles brain returning back in control now, I couldn't stop that outbreak before, self-control circuits blew at that comment. They have been repaired.
Whip me, spank me, moderate me down for offtopic-ness! - Its funny, laugh.
I use to have a funny sig, but slash cut it off, and I forgot what the punchline was.
beleive it or not mudge and weld, some of us are astounded at your ability to discuss extrenely technical content in a clear manner. what's the secret?
oh, and thanks for the shirt (from defcon).
jose nazario jose@biocserver.cwru.edu
Your right, they do release ALL info to the vendor (as they are supposed to - so thats no big deal. Thats like congratulating yourself for taking care of your kids and not going to jail)
As for ISS having no responsibility to make it easy for crackers...... thats exactly my point. If OTHER people hadn't done this where would ISS be? If OTHER people hadn't released ALL info, ISS would have to research ALL vulnerabilities until they find the REAL INDEPTH problem. That would cost them a whole hell of alot more money (more people, more resources). You cannot tell me that ISS discovered all the vulnerabilities they search for in their software themselves. Its a simple case of being a leech... I cant say I blame them , it makes their company more marketable ( afterall this way, they have vulnerability information that no other company has... once again, sounds like something Microsoft would do)
-Minga
Well, as 1% or 10% (or ??%) are infected by netbus installations, a worm could simply propagate from one netbus PC to the next. Would be the first worm using a trojan to propagate :-) George
If you can really "make the internet unusable for the entire nation", then why don't you report the security holes that you are aware of to people who have the ability to fix them?
And, how do you know for sure that you can make it unusable if you've never done it before?
I think the real leeches are the security companies (and this is most of them, though not all) that are writing security products or doing security consulting, and spend absolutely no resources supporting security research or helping to improve the overall state of computer security. Yes, ISS is obviously doing research to gain a competitive advantage, but they are still doing research and have uncovered quite a number of vulnerabilities and gotten them corrected in a quick and quiet manner that has helped keep many people (not just their customers) a little bit safer. Sure they could do more, but to call them leeches seems unfair. I think they spend more money on vulnerability research than any other company in existence, give them a little credit for trying to do the right thing.
While we all know security through obscurity is fundamentally flawed, it does at least raise the bar (somewhat) for compromising a system, at least the first time, anyway.
Now, just how many "little holes" do you think the Microsofties let slip into their code?
Open-source software of course eliminates all obscurity, and thus renders a flawed security model utterly useless.
Closed-source on the other hand makes security through obscurity of uncertain, limited, and flawed use. In fact, it probably encourages it more than a little.
So while I would consider that letter-writer a fool by and large, I would have to agree that opening the source would make screwing with the system a lot easier.
-cwk.