Slashdot Mirror


Interviews: We Have 2! 1st, L0pht Heavy Industries

Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.

60 of 232 comments

  1. Shutting down the Internet by papo · · Score: 3

    You said in an interview that it's possible to shut down all the Internet. How might you possibly do that? With a DoS attack in some routers or by taking command of some servers in the principal backbones of the USA?

    --
    "Learning, learning, learning - that is the secret of jewish survival" -- Ahad A'Ham
    1. Re:Shutting down the Internet by jd · · Score: 3
      That one's easy. Very few routers have authoritative checks set up. Simply fire up a router such as gated and have it inject false routes into the net. Have the backbone located at the South Pole, for instance.

      The UK network's been crashed dozens of times, by this. Usually by poor network administration, or faulty software, but that's just details. What an admin can do through ignorance, I'm sure crackers could do by design.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Y2k Hacking by merky1 · · Score: 3

    Do you agree with the President's plea to cease hacking activities for Y2K, and do you think it will have an adverse effect?

    "Those [filthy|pagan|heathen|whiny] americans, I'll show them....."

    --
    --WooooHoooo--
  3. Which do you consider more dangerous by Gleef · · Score: 5

    Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

    --
    Open mind, insert foot.
  4. Private wireless networks by rise · · Score: 3

    The L0pht has been involved in independent wireless networking reasonably heavily. What do you see as the most important discoveries/protocols/designs for the next few years? Do you foresee an opportunity for the hardware hacking community to open up the airwaves in the same way Linux & OSS has opened up operating systems and tools?

  5. L0phtCrack by OnyxRaven · · Score: 2

    At work we recently purchased a copy of L0phtCrack (Guess what - it has saved many many hours of work for me especially!) - for $99? Are you guys making a killing off of this tool or what?

    --
    --onyx--
  6. Distributed Computing by jake_the_blue_spruce · · Score: 3

    Moore's law is that computing power doubles every eighteen months. At the same time, parallel processing and distributed computation (Cosm & Distributed.net) are becoming increasingly common. This leads to an abundance of cheap computing power, enabling brute force attacks on secure systems. In light of these developments, do you see username/password pairs being replaced by anything more resistant to such brute computing force?

    --
    "There's so much left to know/ and I'm on the road to find out." -Cat Stevens
  7. Pronunciation by RAruler · · Score: 2

    At one point I thought it was "low-fight" but somewheres I remember it being said as "loft" which would make more sense as
    L=L
    0=O
    PH=F
    T=T
    LOFT

    --
    Insert Witty Sig Here
  8. The net: strip mall or unlimited human potential? by garagekubrick · · Score: 5

    The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

    Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and corporations end up controlling it? Cause they are winning small, important victories relentlessly...

    --
    ** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
  9. ,,, by Signail11 · · Score: 2

    Considering the availability of easy to use, secure, persistent, pseudoanonymous nyms (http://www.freedom.com) and the increasing role that electronic commerce plays in our economy, what privacy and security concerns do you anticipate moving to the forefront of attention as this rapidly changing technology evolves?

  10. Re:Um by bbk · · Score: 2

    l0pht is pronounced "loft" - synonymous with attic. l0phters are people who dumpster dive looking for computer parts, usually in large companies' trash bins, and carry the parts back to their l0pht where they use them.

    I've l0phted a couple monitors and cases from my ever so friendly ECE department before... It's a great way to get an eclectic computer collection for very little!

  11. A quickish question by jd · · Score: 3
    The Internet is fragmenting (eg: IPv4 vs. IPv6, Internet 2) and those parts that do have any awareness of security are now beginning to take it seriously (eg: IPSec, SSH). Many other parts are brain-dead, insecure and incoherent.

    How do you see things evolving, from this unholy mess?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  12. A question about L0pht constituents: by NateTG · · Score: 3

    What are the non-computer hobbies of the l0pht crew?

    I suppose that this is a sort of "celebrity interview" question, but I'm curious.

  13. Name Dropping Asswipes by Anonymous Coward · · Score: 2

    I meet a lot of "white hat" security types in my job. Every so often, one of these guys goes into name dropping mode and starts talking about how chummy he is with Mudge. Once I had one of them tell me how he had contacts with the "low fat" guys (although he hadn't heard it pronounced as "loft"). What is it like to have your name(s) dropped by potentially thousands of really clueless people who you might never even meet?

  14. Re:Um by BradyB · · Score: 2

    I always thought that L0pht stood for LOW PHAT as in Low fat as in high speed low drag.

    --

    Good is never enough, when you dream of being great!
  15. Defensive Design Methodologies by FuriousJester · · Score: 4

    I read something to the gist of this recently:

    "The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order for computer security to become a reality, the design methodology must be changed."

    Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
    Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used in, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?

    In my experience, it has always been a matter of refinement. Security is relative.

    --
    Never send anything unencrypted that you don't want to have appear in court.
  16. Windows API by IRNI · · Score: 3

    If the windows API was opened because of the DOJ trial, what would you do?

    A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.

    B) fix everything and tell microsoft so they can make the changes show up in a new release

    C) Do A) and grin real big and giggle lots

    D) Other | Please Specify ___________________

  17. Regret / Useful Software / Orwellian CPUs by MattW · · Score: 2

    I have a couple questions. Choose whatever you like.

    • The silicon valley is froth with IPOs. A huge opportunity exists even in Boston, if you were attached to the city. Do you regret not putting more into a commercial enterprise that could have netted you the millions some people are getting? If so, would you trade your fame in this community for it if you could?

    • L0pht spends an enormous amount of time hacking on other peoples' equipment, cracking and analyzing other peoples' software. Without meaning to denigrate such useful activities, do you ever want to stop it for a while and dedicate yourself to the creation of something innovative and positive?

    • Somewhere in the future, drowning in gigahertz, manufacturers turn to adding security to their CPUs. CPUs have decryption modules which stop the CPU from running any code not specifically signed and encrypted for your CPU. Your machine (or cpu) would come with a disk or cdrom with a public key you'd provide to vendors (probably on a web page) that would be used to "complete" a build of software that was sold to you, and lock it onto your CPU only. Every piece of software will have a known destination and a known source. Piracy will be a thousand times harder. Viruses will be wiped out by applying this technology to documents and software alike. Is this the future?

    • I see the patent situation forcing software to inevitably go one way or the other: it will either be written only by corporations with tons of money and patents, and be commercial (and by judgement-proof pauper-programmers who have nothing to sue away from them), or the USPTO will suffer through a massive regulation change, and thousands of software/algorithm/business-model patents will be swept away, along with a more easy way to review a given patent's "nonobvious"-ness. Where do you think this tragedy is headed?

  18. How's the wireless 'net project going? by Anonymous Coward · · Score: 3

    I was digging around the l0pht web site one day and read up on the wireless project you guys were doing trying to make use of some old UHF equipment and seeing how far you could spread a free wireless network. So what's the current status of that project?

  19. Security Lint by Omniscient+Ferret · · Score: 3

    For assurance, before installing software on a secure-as-plausible machine, I would love to have an automated for security problems, such as buffer overflows. So, how is the development of SLINT progressing? Are you still planning to release it?

  20. Welcome, our door is open by lildogie · · Score: 2

    What do you think about the wisdom of linking a planetary network of desktop computers to a radio telescope, hoping to go online with any extra-terrestrial who cares to open our collective port?

  21. Internet Worm II by tilly · · Score: 4

    Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

    What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

    Regards,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
    1. Re:Internet Worm II by sinnergy · · Score: 2

      You make an interesting point. The problem is, though, that many Unix shops (the small to medium sized ones at least) don't know what the lessons were from the first Worm. I'm only 23 and I learned about it through lore more than anything else. For everyone's sake, I hope you're not right, but I do believe that a good dose of prevention and education would be in order for most of us Sysadmins. Convincing management of this necessity, though, is almost impossible. With focus more on the here and now as opposed to keeping an eye out for potential problems, it's hard to keep abreast of security technologies.

  22. Proper NT rootkit. by Zurk · · Score: 3

    Hi guys,
    Any plans to write a proper Win2K/NT rootkit (the kind that was published on Phrack a while back - that replaces or adds to the actual calls in the win32 ring 0 system with its own) soon?

  23. Slint by Emphyrio · · Score: 2

    According to your site, you have developed a quite powerful source code security analysis tool.
    A while ago, this tool was not distributable, and closed source.
    Do you plan on releasing Slint and/or other currently closed source L0pht tools in an open source license, or in some other freely distributable binary form?

  24. A Question of Principle by sudog · · Score: 2

    I was not impressed to see L0pht embrace any form of commercial philosophy. While it is true I live in a fairly isolated section of the world, I and the community I live within have the general impression that you are no longer available to the public. It appears as though you have sequestered yourselves away in your building(s) and sent Mudge out to maintain good PR. What I mean is, aside from the odd security release and product update, you guys seem to have disappeared from the face of the earth. What are you up to? Are you still truly pursuing the tenet that is listed prominently on your BBS? "Freedom, freedom, blah" -lhi, psalm blah verse blah?

    Do you see yourselves as this inaccessible except to people willing to fork over large dollars, or am I just living on the moon?

  25. Reply to this letter. by An0nymousC0ward · · Score: 5
    This letter was recently published in the Columbus Dispatch (Ohio's greatest home newspaper....yea right). What would your response be to this person?

    Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999

    I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.

    Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.

    The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.

    Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.

    Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.

    Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.

    So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?

    Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?

    If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.

    Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?

    All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.

    Ray Malone

    MBS Software

    Chillicothe, Ohio

    --
    a real zero.
    1. Re:Reply to this letter. by Legion303 · · Score: 3
      Here's my "letter to the editor" to the Columbus Dispatch:

      I was disappointed with Ray Malone's 12/25 letter to the editor. Speaking as a hacker and security enthusiast of 17 years, allow me to educate Mr. Malone on hacking and open source.

      First of all, viruses have nothing at all to do with hacking. Virus writers are not hackers in any sense of the word, they're merely vandals. But semantics aside, virus scanners that look for virus "fingerprints" can't be fooled by making the virus appear to be something else. The virus' fingerprint still exists in the code. At any rate, Mr. Malone is discussing individual programs here and not the operating system, which is the part that would be open source.

      Mr. Malone goes on to say, "So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances." Yes, if the hacker had a database full of bank balances to work with in the first place, I suppose. And his modified source would only run on his system and any other system whose owner was duped into installing it. Other systems wouldn't be affected.

      The real fun begins with this gem from Mr. Malone: "Every programmer I have ever met has always left himself a back door into every system he writes." I find this an extremely interesting perspective, considering that every single programmer I know does NOT leave a back door in ANY code. Given that Mr. Malone works for MBS Software (according to his letter), I take his words to mean that MBS products contain security holes by way of programmed "back doors," and I will accordingly caution consumers not to purchase anything from MBS until such time as they secure their software.

      Mr. Malone then warns "Microsoft bashers" to beware, lest they get what they wished for. I don't know about him, but I've been wishing for stable, secure products for years, and Microsoft has yet to deliver. I am fortunate that the open source movement--pioneered by such products as the 32-bit multitasking, multithreaded, stable-as-a-rock, open source operating system known as Linux--is making such a large impact on the computer industry. Otherwise, we'd have 10 more years of Microsoft "innovation" to look forward to.
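Added example, not part of either post above and not any vendor's scanner: the letter describes a whole-file fingerprint (checksum plus size), while the reply describes scanning for a known pattern inside the file. The Python sketch below runs both checks over constructed, harmless byte strings; the signature names, patterns and sample files are all assumptions made up for illustration.

```python
import hashlib
import zlib

# Constructed, harmless byte patterns standing in for scanner signatures.
# None is a one-byte wildcard, so small variations still match.
SIGNATURES = {
    "Constructed.Marker.A": [0xDE, 0xAD, None, 0xBE, 0xEF, 0x90, 0x90],
    "Constructed.Marker.B": list(b"EXAMPLE-PAYLOAD-STUB"),
}


def fingerprint(data):
    """Whole-file fingerprint: size, CRC32 and SHA-256.

    CRC32 is an error-detection code, not a cryptographic hash, so the
    baseline also records SHA-256 rather than trusting CRC32 + size alone.
    """
    return {
        "size": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def integrity_check(baseline, data):
    """Return the fingerprint fields that differ from a recorded baseline."""
    current = fingerprint(data)
    return [k for k in ("size", "crc32", "sha256") if baseline[k] != current[k]]


def match_at(data, offset, pattern):
    """True if pattern (with None wildcards) matches data at offset."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def signature_scan(data, signatures=SIGNATURES):
    """Return (signature name, offset) for every pattern found in the content.

    This looks at the bytes themselves, so it needs no baseline and does not
    care what the file-level checksum or size happens to be.
    """
    hits = []
    for name, pattern in signatures.items():
        for offset in range(len(data) - len(pattern) + 1):
            if match_at(data, offset, pattern):
                hits.append((name, offset))
    return sorted(hits, key=lambda hit: hit[1])


# --- Constructed sample files (258 bytes of filler, no real program) ---
CLEAN = b"MZ" + bytes(range(64)) * 4
BASELINE = fingerprint(CLEAN)

# Pattern appended to the end: size, CRC32 and SHA-256 all change.
APPENDED = CLEAN + bytes([0xDE, 0xAD, 0x01, 0xBE, 0xEF, 0x90, 0x90])

# Pattern overwrites 20 existing bytes: size is unchanged, content is not.
SAME_SIZE = CLEAN[:100] + b"EXAMPLE-PAYLOAD-STUB" + CLEAN[120:]

# A file never seen before: there is no baseline to compare against at all.
NEW_FILE = bytes(10) + bytes([0xDE, 0xAD, 0x7F, 0xBE, 0xEF, 0x90, 0x90]) + bytes(5)


def report():
    """Run both checks over every sample and return the results by name."""
    samples = {"clean": CLEAN, "appended": APPENDED,
               "same_size": SAME_SIZE, "new_file": NEW_FILE}
    return {
        name: {
            "changed_fields": integrity_check(BASELINE, data),
            "signature_hits": signature_scan(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The baseline comparison only answers "did this known file change?", while the pattern scan finds the marker wherever it sits, including in a file with no baseline.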

    2. Re:Reply to this letter. by Neoplasm · · Score: 2

      Well, I'm impressed. After an informative trip to their massive, sprawling web site (amazing what you can do with Frontpage Express these days) I've learned that they produce a wide array of software applications that can do scheduling as well as scheduling! I'm surprised they actually went out and bought a copy of the Access 97 Developers Handbook and 'hacked' the example code in the book which builds...wait for it...a scheduling program!

      I'm sure this is the kind of in depth programming genius that helped them produce a completely DOS and Windows compatible operating system of their very own. And it even extends the functionality of Windows itself! This is a great country where two brothers working in a garage in Ohio can change the world...oh, sorry I was thinking of the Wright brothers...nevermind.

      --
      Do this don't do that Can't you redesign.
  26. L0phtcrack Registration by kamelkev · · Score: 2

    I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked.

    One way in which L0phtcrack's existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked.

    While I highly respect L0phtcrack and find it very useful on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you don't seem to protect it in the way that one would have expected. I mean some would argue that you are the "best" security experts around, yet you didn't even protect your own software.

    I would like very much to know what you think about this.

    -kamelkev

  27. Future of Security by lostproc · · Score: 2
    Q: What event or events will have to occur and of what magnitude (in your collective opinion), to make people realize that security is not an "afterthought" but also needs time and money to be done correctly? Do you think security will ever get its due by commercial firms doing transactions on the Internet, or will it always be the firefight that it seems today?

    Okay, well two Q's.

    --
    That which does not kill you, makes you stronger.
  28. Guerrilla Network by kerouac · · Score: 2

    Some time ago, the l0pht was involved in trying to set up a small independent network (along the lines of DARPA ) involving microwave technology to communicate 'off of the grid'.

    How has the work progressed? Any notes, or better yet, a HOW-TO?

  29. guerilla net lasers by vapor.516 · · Score: 2

    Has the L0pht considered line-of-sight laser light as a communications medium for guerilla.net?

  30. The Public's Perception of Hacking by dmuth · · Score: 4
    First, I should probably preface this by saying that while I don't consider myself to be a hacker, I have been a geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

    Anyway, my question is, how do you deal with the way the public (including the media) perceives "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!

    Needless to say, the misuse of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out there that either have the term applied by clueless reporters, or they use it on themselves.

    So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking community for some time.

    Thanks!

  31. security of capability-based operating systems by sethg · · Score: 5

    What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
    --
    "But, Mulder, the new millennium doesn't begin until January 2001."

    --
    send all spam to theotherwhitemeat@ropine.com
  32. Security Through...Unpredictability? by Effugas · · Score: 5

    L0pht Crew:

    Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than an expertly controlled failure?

    If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursuing, for various reasons?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face ;-)

  33. Future of Hardware Hacking? by Tackhead · · Score: 4
    Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

    1) Wireless.

    Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

    • when do we get to see some hardware projects to build, or is it the case that - due to regulatory restrictions on what can and cannot be transmitted on US airwaves - work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready :-)

    2) The future of hardware hacking.

    With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

    • Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

    I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

    3) The future of l0pht.

    (At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

    • To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardware projects" side?

    Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)

  34. Who's more dangerous? by Erbo · · Score: 3
    In your view, which of the following corporations is most dangerous to the future freedom of the Internet as we know it, and why?
    • Microsoft
    • America Online
    • Amazon.com

    Eric
    --
    "Free your code...and the rest will follow."

    --
    Be who you are...and be it in style!
  35. Security Through Arbitrarity: libnc? by Effugas · · Score: 2

    L0pht Guys:

    One of the most interesting applications to come out of the L0pht has been nothing but the immensely useful Netcat. Built to transfer arbitrary data at all costs, it's been used countless times when one needs your data to get from point A to B without interference by the various vagaries of the underlying content.

    What's interesting about this, in my mind, is that instead of whipping up a new protocol to transport the independent units of whatever types of data one needs to send, netcat allows simple, unimpeded transport of whatever happens to go over the pipe--syslogs, files, shells, video.

    Yet, while each of these custom protocols will toss over the data they were built to, the quality of the protocol design is often eroded by the content normally transferred over it such that only that content can effectively be transported using that protocol.

    And thus lies the problem--whereas netcat is built to transfer anything, and is thus very unlikely to fail no matter what traffic enters the datastream, it's enough trouble to write custom protocol handlers that manage to read the data as intended, let alone possess the hands-off arbitrarity that you've designed into netcat.

    Thus, my question: Should there be a libnc equivalent, one that security-conscious software coders could use to avoid the vagaries of raw socket code (and the obvious insecurity of shell pipes)? Or would this inspire a false sense of security and in fact make things worse?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    1. Re:Security Through Arbitrarity: libnc? by Effugas · · Score: 2

      Not when they exist. I think the word Don was reaching for in his quest for verbosity was arbitrariness.

      Well, speaking of snobbery, sniffing loudly that I used "arbitrarity" instead of "arbitrariness" is pretty f*cking high up there ;-)

      Anyway, as long as we're having a rousing semantic discussion, check this out:

      Security Through...

      Obscurity, not Obscureness
      Impossibility, not Impossibleness
      Predictability, not Predictableness

      That being said, I'd rather not my writing be interpreted as "dry". I'll work on that--last thing I want to do is bore or annoy people with something as relatively small as simple style.

      Keep me posted, preferably through email.

      --Dan

  36. Boston 2600 by Ex+Machina · · Score: 2

    How come you guys don't come over and talk to us mere mortals when you drop by the Boston 2600 meeting? I've heard rumors it's because we're (mostly) penguinheads and you guys are BSD/Solaris people?

  37. Didya know? by Sorklin · · Score: 2

    Didya know that having something from l0pht on your machine is grounds for termination? I do ... now.

    Oops.

  38. NT v. Linux by Sorklin · · Score: 2

    Out of the box which is more secure for the average user (not a server), NT or Linux? I'm stipulating that Outlook is not the email program and that no downloaded executables are run without scan.

    My thoughts run thus: I realize that NT has many security holes and needs something like 200 changes to be made secure, but for the average user who is *not* running a server, are these changes necessary? Contrast that with many versions of Linux, which out of the box for the average user can be hacked in 15 minutes on the net. I am talking out of the *box* not using updates from either linux sites or M$.

  39. Re:netcat by Effugas · · Score: 2

    netcat did not come from loft. it was made by hobbit.

    Well, don't I feel foolish. Always assumed by the URL (http://www.l0pht.com/~weld/netcat/) that nc was their doing. I'd heard of hobbit, but for some reason assumed he was part of the l0pht.

    *Feeling very, very, sheepish right now.*

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  40. Antivirus software holes by dodobh · · Score: 3

    Norton Antivirus has a security hole. Details at msnbc. What do you think about such cases? Should the software licensors be sued (since they are refusing to fix the hole)?

    --
    I can throw myself at the ground, and miss.
  41. Re:netcat by Effugas · · Score: 2

    *Hobbit* wrote netcat, Weld Pond ported it to NT.

    Yeah, I noticed. Feel pretty stupid about the whole thing. Duh.

    --Dan

  42. Crypto-Phreakishness by Anonymous Coward · · Score: 3

    Since you guys rate much higher on the crypto-phreakometer than I do, I was wondering if you had any insight into the security of current crypto technology.

    Specifically, do you think that advances in computer horsepower have weakened the security of the current generation of crypto, as it relates to finding BIG prime numbers for the purpose of factoring?

  43. Is media attn. a fad, can hacking be incorporated? by Paolo · · Score: 2

    First off, do you believe the fascination the media has had with hackers/crackers is merely a fad and will go away (like Y2k paranoia), or are computers in these times too much of an integral part of society to ignore? Case in point- your local newspaper prints which homes have been robbed in the last week. Isn't it plausible that they'll one day publish which corporations have been compromised?

    Two, do you believe hacking can be incorporated? Packet Storm has been bought by Knoll-O'Gara as you know. Is it plausible that previously taboo security information repositories/experts will become obtained/retained by corporations in the future?

    many thanks.

    --
    "In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
  44. What engines/sites do you use to scour the 'Net? by Bacteriophage · · Score: 5
    Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the separate preferences of each crew member, as well as the general preferences of the group.

    "There are no shortcuts to any place worth going."

    --
    "Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert
  45. The future of IT workers: domination? by Jogar+the+Barbarian · · Score: 2

    As time goes by we see the emergence of ever-more complicated IT concepts and machinery, which is being used by an increasingly "mediocre" public who view it as little more than a black box. Do you see the non-computer-literate's appetite for high-tech causing the IT working class to evolve into a wizards' guild, or even a technocracy?
    --GAck

    --
    3. Profit!
    2. ???
    1. On Soviet Slashdot, a Beowulf cluster of alien Natalie Portman overlords welcomes YOU!
  46. Re:Security? by Chandon+Seldon · · Score: 2

    Assume you own a server to run the following protocols: HTTP, POP/POP3, SMTP, NNTP, telnet, FTP. Can such a machine be secure under -any- OS? If this was sitting in your basement, what would you do with it (after loading Q3A/UT and distributed.net's latest client ;-) to make sure the script kiddies didn't f*ck with you?

    How I'd go about giving it maximum security.

    (Disclaimer: I've never actually set up a server running more than HTTP + FTP + POP3)

    1. Partition the machine into the following partitions:
      • / (ro)
      • /home/httpd (ro if possible)
      • /home/mail (rw)
      • /home/news (rw)
      • /home/ftpd (ro if possible)
    2. Install the most recent version of OpenBSD
    3. Install any security fixes
    4. Remove distributed.net's latest client and Q3A
    5. Create the following new users: httpd, pop3d, nntpd, ftpd, telnet, unperson, admin
    6. Set the permissions for all the files on the machine as strict as possible.
    7. Set up a program to forward all requests on ports below 1024 to ports 10000 through 11024.
    8. Set each server as its own user, and make sure that one user can't affect the files of another in any way.
    9. Set up each server on standard_port+10000, and have them each store their files in their own partition (mounted under /home)
    10. Use the simplest, most secure server for each task. Yes, this means you can't use apache.
    11. Don't allow telnet logins as anyone but admin.
    12. Set up the admin account with the minimum set of privileges necessary to administer the machine.
    13. Go "chown root /bin/chmod; chmod og-rwx /bin/chmod"
    14. "chmod a-x" any programs that aren't absolutely necessary to the machine working, like 'su', 'chown', 'fortune', etc.
    15. Change your root and admin passwords weekly.
    16. Do anything that you should do that I missed.

    This should, at best, prevent anyone from messing with the machine at all. At worst, if someone does get in, they shouldn't be able to do anything - anything at all.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  47. L0pht BBS by Cynic · · Score: 2

    I'm curious if any of the other L0pht denizens ever visit the L0pht BBS. It seems that of the L0pht guys, only BB ever posts, and that's next to never. Do you guys keep tabs on what goes on there?

  48. Large Gov'ment Automated Keyword Scan System by spartan · · Score: 2

    To your knowledge, has anyone ever gained access to the Large Gov'ment Automated Keyword Scan System operated by the largest english speaking nations of the world? If yes, what do you know about the system that has not been in the press?

  49. Adaptive Pseudo-Biological Security by EchoMirage · · Score: 3

    To L0pht:

    We've been working on network theory for a while and an idea which we've been working on recently is adaptive system and network security that models the identification and proaction of a biological immune system.

    Basically, the security system all incoming and outgoing traffic, processes, etc. As it analyzes a network configuration, it 1) adapts to that network and covers potential holes from the start, 2) learns from and builds immunity to network attacks, hostile processes, and general system errors such as buffer overflows. Many security systems are, to a point, adaptive to their environment, but I have yet to see a security design that is adaptive/intelligent enough to configure itself to "live" within an environment and to become intelligently symbiotic with that environment.

    How much work have you done with highly adaptive security systems, and do you foresee adaptive security becoming a working reality within the next decade?

  50. Accountability vs Privacy by drenehtsral · · Score: 2

    Recently it seems there has been a trend towards eliminating anonymity in the computer world. It comes in the form of programs that "phone home" without the user's knowledge, or even some that won't run unless they get the okay from the central server. It comes in the form of universal unique identifiers in hardware, operating systems, and software.
    With IPv6 on the horizon, and with a larger variety of software phoning home, this may soon become a large privacy issue. Most of the advances being made here are for the purpose of security (read "inspiring fear of being watched") and anti-piracy ("squeeze 'em for their last cent"). What immediate and/or long term effects do you see coming out of this?

    --

    ---
    Play Six Pack Man. I
  51. Will it take a lawsuit? by ghibli · · Score: 2
    Who should be held responsible --- software companies or hackers? Will it take a major lawsuit to change the thinking of businesses?

    What would happen if a large corporation sued another large corporation for a security weakness that was exploited and caused damage (loss of data / bad publicity / etc.)? Once other corporate lawyers begin to smell the blood, do you think this would force software manufacturers to pay attention to security during the design stage?

    Although various white-hat hacker groups (Oops! network security experts) continue to expose design flaws and security weaknesses in numerous software products, government spokespersons and the media continue to blame "hackers" for all the nation's woes. Some news reports would have us believe that "hackers" can collapse entire economies with a single mouse-click.

    Government agencies promise to prosecute "to the full extent of the law" a teenager that "hacks" into a non-classified, non-critical web site without even questioning the company that provides the flawed software. Operating systems and applications are purchased without a thought to security issues, yet companies are able to demand that those programs be "Y2K-compliant".

    Imagine that a large company installed a security system in hundreds of banks across the country, but it was soon discovered (and widely publicized for years) that the alarms do not work from midnight to 1:00 a.m.! Suppose a criminal broke in and stole $249 dollars. Where would your efforts be expended? In prosecuting the petty thief, the security company or both? Certainly not the thief alone?!

    What will force a change in thinking? Money?

  52. Question on your history by Townshend · · Score: 2

    How did you guys (the orig. members) meet, and when did you guys actually start getting into computers and other technologies, and why?

  53. Random Numbers... by J.+Chrysostom · · Score: 2
    One alumnus of my college and a few of his buddies at work (he works for a major DC computer security firm) exploited the sloppy use of random number generation in an online casino's card shuffling algorithm (which they posted on their web site --- the joys of open source:) Courtesy of the casino's random seeding techniques the "hackers" were able to limit the number space to something easily brute forceable, and went on CNN with the results of their efforts. They could know the cards in every player's hand. The casino was not amused.

    Do you see a potential increase in these random number "hacks" in the future, as more and more programmers use supposedly random numbers without a clue as to how they were generated and vulnerabilities in this process?
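
The failure described in the post above, as an added example that is not part of the original comment: a deck shuffled from a small seed can be reconstructed from a few visible cards, while a CSPRNG-backed shuffle has no seed to enumerate. The millisecond-since-midnight seed, the function names and the sample values are assumptions; the post does not say how the casino seeded its generator.

```python
import math
import random
import secrets

MS_PER_DAY = 86_400_000  # assumed seed space: milliseconds since midnight


def weak_shuffle(seed):
    """Shuffle a 52-card deck from a small integer seed (the flawed design)."""
    deck = list(range(52))
    random.Random(seed).shuffle(deck)
    return deck


def strong_shuffle():
    """Shuffle with the OS CSPRNG; there is no seed value to enumerate."""
    deck = list(range(52))
    secrets.SystemRandom().shuffle(deck)
    return deck


def entropy_bits():
    """Return (bits in the assumed seed space, bits needed to cover all 52! decks)."""
    return math.log2(MS_PER_DAY), math.log2(math.factorial(52))


def recover_seed(visible_cards, clock_guess_ms, window_ms):
    """Audit check: can the seed be found from a few visible cards plus a
    rough idea of the server clock? Returns the matching seed or None."""
    n = len(visible_cards)
    lo = max(0, clock_guess_ms - window_ms)
    hi = min(MS_PER_DAY, clock_guess_ms + window_ms + 1)
    for seed in range(lo, hi):
        if weak_shuffle(seed)[:n] == visible_cards:
            return seed
    return None


if __name__ == "__main__":
    true_seed = 45_296_123                # constructed sample value
    visible = weak_shuffle(true_seed)[:7]  # e.g. two hole cards plus five shared cards
    found = recover_seed(visible, 45_296_000, 500)
    print("seed recovered:", found == true_seed)
    print("seed bits vs deck bits: %.1f vs %.1f" % entropy_bits())
```

The gap between roughly 26 bits of seed and roughly 226 bits of possible deck orderings is the whole problem: the generator can only ever produce a tiny fraction of the decks, and the fix is to draw the shuffle from the operating system's CSPRNG.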

  54. Security Hoaxes by Effugas · · Score: 3

    L0pht Crew--

    Combine extreme paranoia about web site security, a money stream coming straight out of PR Maintenance, and a "get-rich-quick" mentality that infuses Internet businesses, and you get an environment rife for the creation of snake oil cures and security systems that work by seeing to the financial security of the software authors.

    Of course, the natural defense to such hucksterism is the presence of groups such as yours. What are some of the products and techniques that you've seen, debunked, and felt your intelligence insulted by?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  55. OpenBSD? by Noryungi · · Score: 2

    Hi!

    I have heard many times that L0pht uses OpenBSD almost exclusively for their servers. Is that true? If so, could you please explain why (in a more detailed manner than just the obvious "it's been audited for security...") and also tell us if you contribute code back to OpenBSD.

    Thanks!

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)