Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interviews: We Have 2! 1st, L0pht Heavy Industries

Posted by Roblimo on from the direct-from-the-mainstream-media-spotlight dept.

Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.

10 of 232 comments (clear)

  1. Which do you consider more dangerous by Gleef · · Score: 5

    Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

    ----

    --

    ----
    Open mind, insert foot.
  2. The net: strip mall or unlimted human potential? by garagekubrick · · Score: 5

    The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

    Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

    --
    ** http://www.nkhumanrights.or.kr/ ** Human rights in North Korea. 1 million estimated dead from starvation.
  3. Defensive Design Methodologies by FuriousJester · · Score: 4

    I read something to the gist of this recently:

    "The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order
    for computer security to become a reality, the design methodology must be changed."

    Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
    Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used int, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?

    In my experience, it has always been a matter of refinement. Security is relative.

    --
    Never send anything unencrypted that you don't want to have appear in court.
  4. Internet Worm II by tilly · · Score: 4

    Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

    What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

    Regards,
    Ben

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
  5. Reply to this letter. by An0nymousC0ward · · Score: 5
    This letter was recently published in the columbus dispatch (Ohio's greatest home newspaper....yea right). What would your response be to this person?

    Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999

    I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.

    Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.

    The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.

    Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.

    Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.

    Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.

    So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?

    Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?

    If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.

    Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?

    All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.

    Ray Malone

    MBS Software

    Chillicothe, Ohio

    --
    a real zero.
  6. The Public's Perception of Hacking by dmuth · · Score: 4
    First, I should probally preface this by saying that while I don't consider myself to be a hacker, I have been a geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

    Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!

    Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselve.

    So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

    Thanks!

  7. security of capability-based operating systems by sethg · · Score: 5

    What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
    --
    "But, Mulder, the new millennium doesn't begin until January 2001."

    --
    send all spam to theotherwhitemeat@ropine.com
  8. Security Through...Unpredictability? by Effugas · · Score: 5

    L0pht Crew:

    Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?

    If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face ;-)

  9. Future of Hardware Hacking? by Tackhead · · Score: 4
    Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

    1) Wireless.

    Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

    • when do we get to see some hardware projects to build, or is it the case that - due to regulatory restrictions on what can and cannot be transmitted on US airwaves - work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready :-)

    2) The future of hardware hacking.

    With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

    • Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

    I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

    3) The future of l0pht.

    (At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

    • To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardare projects" side?

    Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)

  10. What engines/sites do you use to scour the 'Net? by Bacteriophage · · Score: 5
    Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

    "There are no shortcuts to any place worth going."

    --
    "Be regular and orderly in your life, so that you may be violent and original in your work." -Flaubert