Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
News

l0pht Joins with Others to Form @Stake 70

ContinuousPark writes "MSNBC has an article by Brock Meeks, reporting the formation of a security company called @Stake with members from L0pht and people from Compaq, Forrester and Cambridge Technology Partners. They already have $10 millions to start the whole thing. " Check out the recent interview with l0pht heavy industries, as well.
This discussion has been archived. No new comments can be posted.

Ll0pht Joins with Others to Form @Stake

Comments Filter:
  • by Anonymous Coward
    Have you noticed that all those "eleet hax0r" websites you used to see several years ago that showed you how to get into this & that are now called SECURITY sites? The only thing that's different is the name. Great, now every 15-year old Pokemon trading kid is a "security consultant".
  • by Anonymous Coward
    ...Chris Goggan's (ex-Legion of Doom) attempt at a security company back around '91. They got run out of town on a rail by the industry not to mention every old school hacker yelling "sellout" at him and his two pals. How times have changed.
  • There's a little bit of irony in the juxtaposition of claims of @Stake's vendor neutrality and L0pht's KMFMS button, methinks...

    As someone who worked for Dan Geer at Athena, though, I can certainly vouch for his personal integrity. Very sharp (and very low key), too...
  • Blame Acornsoft. They started it, back in the 80's. (*fx, !boot, etc). :)

    Also, does this mean you won't be setting up a headlines service, entitled nfn@/..com :)

    Last, but not least, I'm going to bet you don't live in that town that changed it's official name to a web address. :)

  • by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Thursday January 06, 2000 @04:30AM (#1399313) Homepage Journal
    ...Could be a complete disaster.

    It depends. L0pht, as it stands, is probably very trustworthy, reputable and straight-up. But sooner or later, they're going to get fresh blood, and who's to say they'll be playing by the same rules?

    Then, other [h|cr]acking groups may try and cash in on this, set up their own "security firms", and rip people off for serious money. Even if/though L0pht has nothing to do with any such stuff, they -will- get tarred by the same brush. That's the way the media, and Joe Bloggs, Inc. work.

    Last, but not least, it'll only take L0pht missing -one- security hole, just one, in a high-profle company, and there'll be a national scandal, possibly international. L0pht'll undoubtably be accused of leaving the hole there for their own "nefarious" purposes and (at best) be sued to oblivion. The worst'll depend on whether the cops or the heavies get there first.

    I would never try and disuade anyone from this kind of venture. It sounds like an extrodinary mix that feels just right for what people need today. What concerns me is that "rightness" might just destroy L0pht and any other "[white|grey]-hat" group. Humanity is notorious for destroying the people it needs, and crushing it's heros.

    I'd rather not be reading, this time next year, that those [h|cr]ackers who want to put their skills to good, considerate use are all in maximum security, lynched, or hiding out in the Amazonian rain forest.

  • Funny, my company just got new filtering software and I no longer can look at www.l0pht.com or www.2600.com. They are filtered as "criminal activity" sites. But I use to read these sites to get the information on how to secure my systems better. But at least I can see these sites at home.

    The PHBs at my company installed such a package too, recently (Elron Internet Manager).

    I did a bit of research, mostly because I am annoyed that they notified us about that we get monitored while not telling us what information is gathered and who gets access to it. Anyways, the interesting bit is this technology pretty much looks like derived from underground technology:

    • The monitoring is done by passivley snooping traffic and analyzing packet content. A large variety of reports/profiles is calculated from it.
    • The blocking function I believe is realized by using an IP spoofing technique, sending a blocking notice to the user posing as the original host. At least I can't spot any connection between the software and the firewall, so that's my explanation, without wasting more time on analysis.

  • Complain to your management or whoever manages the filtering software. L0pht is not a criminal organization (though some of their practices are controvercial). They are a legitimate security consulting organization, and they give back to the security community whenever they find vulnerabilities.

    If your management doesn't want secure systems, they should continue to filter out those web sites. But I suspect if you let them know the value of the service they provide.

    People in general have a tendency to villify anything they don't understand, especially when it gives people a kind of power they don't have. This is exactly what is going on with the field of computer security. To make matters worse, there is a double standard... Law enforcement and government agencies openly condemn the actions of legitimate hackers, and then turn around and hire them to do their dirty work.
  • Cambridge Technology Partners is where I used to work. They are a pretty damn good consulting outfit, especially now that the old management team is gone.

    They started a security group in their LA office but I haven't heard anything about them.

    They are an American company, incorporated in Delaware, with headquarters in Cambridge Mass USA and offices around the world.

  • by cswiii ( 11061 ) on Thursday January 06, 2000 @03:39AM (#1399317)
    I can see an IPO coming soon in the next few months, (NASDAQ: HACK).
  • Maybe someone should tell the military [slashdot.org] about @Stake [msnbc.com] and save taxpayers millions of dollars? After all, why should Uncle Sam feed, clothe and pay hackers, if they can just sub-contract them like they do everything that doesn't require dying?

    Then again, do we really want our firewalls to be made by the lowest bidder?
  • Pity about the @Stake web site [atstake.com] - they seem to have had the "web is art" or "my browser is the only browser" designers in (or perhaps the black on black I got is an 'underground' thing).

    So, who owns http://www.@stake.com [stake.com]? Or is likely to be 0wn3d later?
  • IANAL, but I get the sinking impression that you havn't even figured out what "IANAL" stands for. Of course I could be wrong, as I do misinterpret things, because well... IANAL.
  • Apparently some Llamas got together and decided to form an Upper Andean hackers group....
    ---
  • Ll0pht: Ll4M45 0v PH34R & T3RR0R :)

    --
  • by ben_ ( 30741 ) on Thursday January 06, 2000 @03:32AM (#1399323)
    Having read the L0pht comments on Seattle's finest monopoly company, I wonder how MS will view this development. Think about it - while MS endeavour to sell Win2K to enterprises, @Stake, a high-profile REPUTABLE security company is telling them what security actually means, and where the holes are. I regard this development as a Good Thing - it's about time that security got the profile it deserves, and the only way to get that to much of the Corporate world is to set up a corporation to do it. @Stake have it right.
  • The members of L0pht refer to themselves as "gray hat hackers" and use the term "hacker" in the old-school sense, distinguishing themselves from the media-distorted usage that bestows the term on any kid with a modem and too much time on his hands wielding an easily downloadable "script" to break into computers.

    Hey, somebody seems to finally have seen the light ;)
  • what is the real difference between security
    people and crackers? For the most part, if I
    were planning to put together an elite team of
    security people, I would likely start my search
    among reformed and highly skilled crackers.

    I would then augment this team with a few veteran
    UNIX admins and network specialists, and BINGO!

    It really only makes sense... if you want to beat
    them, you need to know how they think and function


  • USA Today [usatoday.com] has an article [usatoday.com] about this that I would like to hear someone else's input on.

    When I read the article, it immediately irritated me, though I had to take a minute to figure out why: the description of the groups activities implies that there is no technical grounding for their methods - there sadly is no mention that part of the group's raison d'etre is to convince people that using 'security through obscurity is wrong' and 'with enough eyes all bugs are shallow' as standard policy is good for the consumer.
    It's good for people to know the news, but often we miss out on why these articles are important to know.

    An aside: does anyone know who first referred to USA Today as "the television of newspapers"?
    Thanks


    ----

  • I mentioned this in my earlier post, but those that are good at breaking a system are the ones that are good a securing them. In fact it also goes the other way around. If you are good a securing a system, then you usually are good a breaking it. My only worry is trust, but this may come in time, when their skills are not looked at as mischievous but as a way to fix systems.

    I just wish my company could understand this (see my prior post!)


    Steven Rostedt
  • usually from the [h(cr)]ackers.

    I read about this morning in the paper and tried to find it on the web, to post to /., but when I finally found one, it was already posted :(.

    Anyway, this is good and bad. The ones that can make the best secured machine is usually the ones that are the best a breaking them. But most crackers have an ego. They will probably always leave a back entrance that is very difficult to find. Now I would trust them enough to analyze a system, and consult on how to make it better, but I don't know if I could trust them to work on the machines themselves. But then again, if they are now a company that relies on trust, then the may keep from doing it. But if this company gets big and starts to hire lots of people the trust may just go down. So, it's a good thing and it's a bad thing.

    Funny, my company just got new filtering software and I no longer can look at www.l0pht.com or www.2600.com. They are filtered as "criminal activity" sites. But I use to read these sites to get the information on how to secure my systems better. But at least I can see these sites at home.


    Steven Rostedt
  • Having people who can speak "suit language" working as consultants with people who understand security technology looks like an important step to getting security taken seriously. For too long, security has been the "top priority" until it comes time to pay in [money,time to market,performance,usability] when the acceptable price turns out to be [some,nothing,nothing,nothing].

    Let us hope that this company has the credibility, both business and technical, to make decision makers realise that it is possible to do better than is common with current offerings.

    Pity about the @Stake web site [atstake.com] - they seem to have had the "web is art" or "my browser is the only browser" designers in (or perhaps the black on black I got is an 'underground' thing).

  • It's funny how they've even adopted other geek aspects.. Sports Center used to be that.. now it's SportsCenter. There are hundreds of other examples of this out there as well.

    Everything's a variable now.


    That's what I love about them high-school girls. I get older, they stay the same age... yes they do.
    --Wooderson 1976
  • by 1984 ( 56406 ) on Thursday January 06, 2000 @04:00AM (#1399331)
    I have to look on this as a Good Thing, iff it turns out to be what it should be.

    There are so many companies out there selling snake-oil security 'solutions' (monoalphabetic encryption anyone?) that people are putting their faith in because they don't know any better, and don't have the time to learn. Plus, when a company the size of Microsoft says 'Oh don't you worry about that, it'd never *really* happen' all too many people will take them at face value.

    It's good to have people with some real cracking mileage under their feet doing this because it ads credibility to what they're saying. It doesn't matter if you like them or not, you'll sit up and take notice if the folk who wrote l0phtcrack put their hands up and say "it doesn't look right" when talking about the security of a given product. They've demonstrated that they know what they're talking about, and demonstrated that "that probably doesn't matter" is no way to regard security issues.

    One of these days, we may even manage to convince the commercial side of the business that security is a fundamental, and that a robust security facility must inform every other aspect of installing and managing systems, especially on the Internet. But hell, it's easier just us techies aren't doing our jobs properly when someone gets cracked...

    (not that I'm talking from sore experience or anything :)
  • How the hell do you know how much "undeniably genius" these folks have? Granted, they are smart marketeers. But just broadcasting a bunch of surly comments about how much of a bunch of ham-fisted morons Microsoft coders are doesn't make you a genius.

  • will we ever see the end of the media/commercial use of the 'sexy internet'(TM) chars? stuff like @, ., /, and the oh-so-popular .com

    Well, over at ZDuhNET, they report the company name [zdnet.com] as "AtStake Inc."

    Oh wait, the headline sez they are joining the e-security market. e-yuk.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • The Boston Globe also reported on this (in the dead tree version), on page 7 of the Business section. They spelled l0pht wrong; "Lopht" was their rendering.
    ---
  • I could be wrong on this, but I do believe he does put "Mudge" on his 1040 every April. His full name is Peter Mudge.
  • Puppy, is that name Irish?

    Anyway, I think Mudge is really his last name.
  • well, I've owned a Mac since 1985, developed on it since then, so don't for one moment thing I was dissing Apple. I am however very displeased with everybody jumping the bandwagon.
  • well, I've owned a Mac since 1985, developed on it since then, so don't for one moment think I was dissing Apple. I am however very displeased with everybody jumping the bandwagon.
  • Personally, I'd like to see a new keyboard, aimed for the marketing managers, with the "i" and "e" removed, so they can't point to iMacs sold through eCommerce as The Way To Do It. We've seen more than enough lower case prefixes, thank you very much...
  • Wow, who woulda thought. On my income tax return, I put "Puppy, Alexander Caustic the III."
  • I have an old issue (ca. 1990) of Scientific American with an article about how several former members of the Legion of Doom were going to create a computer security consulting company. Reading about the L0pht guys' company reminds me of the LoD guys in a lot of ways, including a trendy picture they had of the LoD guys posing in sunglasses and suits. After the article came out, I recall that they started the company but went out of business a short time later due to a few factors. First, people weren't all that concerned about computer security at the time because it wasn't as obvious of a need in the pre-Internet days. Second, I got the impression that they maybe played around more than they ended up doing productive work.

    It will be interesting to see how successful the L0pht guys are. A lot of factors are different now than in the late 1980's. For one thing, people are a lot more aware that there are adversaries out there who want to get into your computers. Also, it seems that the market favors trendy new computer-related companies, a testament to this is the $10mil of startup money they have.

    One thing that I haven't seen mentioned anywhere with this discussion is Gene Spafford's (from Purdue) assertion that it is foolhardy to trust hackers with your sensitive information. He equates this to trusting a crook to guard your bank vault. Not sure I totally agree with this, but it will be interesting to see how the world views this.
  • Have your ever actually visited Lopht Heavy Industries???
  • This strikes me as a "Very Good Thing"(TM). This melding of industry heavyweights with the undeniable genius of L0pht should be able to provide their clients with EXCELENT security analysis and hopefully companies will finally realize what a secure system really is.

    One thing I'm wondering is whether L0pht will be continuing their individual software and hardware projects. Will they be able to keep their IP? Will they still be releasing holes?

    Just food for thought.

    P.S. I just can't help thinking of Alan Dean Foster's hyperactive otter from the spellsinger series every time I hear the name Mudge (grin)

  • Contact the manufacturer and complain. I am a security engineer for a large systems integrator and also found that some antivirus scanners see l0phtcrack as a trojan or some such thing.

    I'm sure the people who wrote this software check 2600.com and l0pht.com 500 times a day to stay current with the latest security news...but, I guess they think we can't be trusted with that information.

    Make your feelings known to the manufacturer....thats what I did...if that doesn't work....i'll look for new software.

  • They all say that....especially after going public. :)
  • I would buy some of that stock. Hard to keep trade secrets from these guys.
  • Maybe the good guys won't finish last this time.
    If anyone deserves to be recognized and to make money, in the field that they love, it's
    the guys from l0ft. They talked at one of the hope(hackers on planet earth conventions) and
    they convinced me that they are truly concerned with the internet community and the underground.

    BTW if you would like to hear what they had to say check the 2600 [2600.com] website. Look for the hope archives.

  • l0pht [l0pht.com] has it's own statement [l0pht.com] up. be sure to look at the main page then follow the link. They have a little piece at the top of their page.

    Sorry about the number of posts I really like these guys.

  • lets face it the millitary isn't the most sophisticated when it comes to there computers. The majority of the workstations (from my own experience). Are still Running on windows 95 (a few are 98 and NT systems). Where i'm currently at, this is a winblows95, connected to NT domains. At least the NT domains are then connected to Linux servers (DNS servers i believe). (THeres one point for the Millitary). Aside from that, most of the ppl here don't know much about computer security aside from: don't give out your password use a screensaver password .....and shutdown your computer at night (almost forgot that one)
  • i forgot to mention that i'm probably getting in some kinda shit for that last post...
  • Well said.

    I'm in the field of information security and from first hand experience the guys at l0pht have done more to educate and raise awareness on security issues than any other organization.

    Firms like ISS and the like are great but all are mostly reactive not proactive like l0pht.

    I dont agree with giving away stuff like l0phtcrack and tools which seem to have no real legit value, but overall they do in the long run serve a purpose.

  • Interesting, all the big security shops, Gartner, ISS, etc, preach

    DON'T hire hackers to be youyr security consultants! They will install back doors and steal your data!

    Yet, when you and now big names like compaq want real security insight and vision without the bull, they turn to L0pht.

  • I am not a lawyer.

    Although I do wish I got paid like one.

  • will we ever see the end of the /. use of the 'non-sexy slahdot'(TM) chars ?

    stuff like BSOD, IANAL,LOL and the oh-so-popular ANAL.

    i work for @IANAL(no flames please) and even *I* am getting sick of it. hopefully as the net-craze will sweep past the consumer, leaving only painfull memories of CAPATALIZED abbreviations and 'IAMAL.com-everywhere'

  • i forgot one...

    DotComGuy
    (.comguy for short?)

    what the hell is the world coming to ? all of a sudden the matrix doesnt seem so farfetched any more
  • yeah lets all buy some shares and draw even more undue attention to the sexy netstocks

    great idea, bad implementation.

    im sick of the net. if i didnt love my computer so much id throw my TV at it

  • will we ever see the end of the media/commercial use of the 'sexy internet'(TM) chars ?

    stuff like @, ., /, and the oh-so-popular .com

    i work for @home(no flames please) and even *I* am getting sick of it. hopefully as the net-craze will sweep past the consumer, leaving only painfull memories of dotted phone numbers and '.com-everywhere'
  • >> stuff like @, ., /, and the oh-so-popular .com
    aren't we on /. ???

To communicate is the beginning of understanding. -- AT&T

Working...