Interviews: We Have 2! 1st, L0pht Heavy Industries

Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.

Shutting down the Internet

[papo]

You said in an interview that it's possible to shut down all the Internet. How you possibly might do that? With a DoS attack in some routers or by taking command of some servers in the principal backbones of the USA?

Y2k Hacking

[merky1]

Do you agree with the President's plea to cease hacking activities for Y2K, and do you think it will have an adverse affect?

"Those [filthy|pagan|heathen|whiny] americans, I'll show them....."

Re:Shutting down the Internet

[merky1]

If I can add to this.. What event would cause you to take down the internet?

Job offers

[eyeball]

Whenever the subject of securing our web servers comes up at work, someone inadvertently says "We should hire one of those L0pht guys." As if you have nothing better to do than to work for a starving second-rate e-commerce IPO. My question is: Do you get job offers like this? If so, how does it feel? Do you refer them somewhere?

Which do you consider more dangerous

[Gleef]

Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

----

Um

[Synn]

How the frag do you pronounce L0pht? And what the hell does it mean? Somebody write me a perl warez filter for pete's sake. All this kewl l33t drek is driving me insane.

Just out of curiosity...

[Ater]

Where did you guys come up with the name, "the l0pht?" Does the 0 in it (as opposed to an O) have some special significance?

Private wireless networks

[rise]

The L0pht has been involved in independent wireless networking reasonably heavily. What do you see as the most important discoveries/protocols/designs for the next few years? Do you forsee an opportunity for the hardware hacking community to open up the airwaves in the same way Linux & OSS has opened up operating systems and tools?

L0phtCrack

[OnyxRaven]

At work we recently purchased a copy of L0phtCrack (Guess what - it has saved many many hours of work for me especially!) - for $99? Are you guys making a killing off of this tool or what?

Distributed Computing

[jake_the_blue_spruce]

Moore's law is that computing power doubles every eighteen months. At the same time, parallel processing and distributed computation ( Cosm [mitrhal.net] & Distributed.net [distributed.net]) are becoming increasingly common. This leads to an abundance of cheap computing power, enabling brute force attacks on secure systems. In light of these developments, do you see username/password pairs being replaced by anything more resistant to such brute computing force?

Pronounciation

[RAruler]

At one point I thought it was
"low-fight" but somewheres I remember it being said as "loft" which would make more sense as
L=L
0=O
PH=F
T=T
LOFT

Re:Distributed Computing

[jake_the_blue_spruce]

Shoot. Cosm is at http://cosm.mithral.com/ [mithral.com]. I thought I checked that link.

Future Products

[MoOsEb0y]

What products and or projects are you considering in the future? Also, what happened to the wireless networking you were planning (and made a few steps to)? I have often considered setting up something similar to this on a local scale for a few friends. But I think it'd be awesome to be able to be free of US Worst for my internet service.

Re:Shutting down the Internet

[jd]

That one's easy. Very few routers have authoritive checks set up. Simply fire up a router such as gated and have it inject false routes into the net. Have the backbone located at the South Pole, for instance.

The UK network's been crashed dozens of times, by this. Usually by poor network administration, or faulty software, but that's just details. What an admin can do through ignorance, I'm sure crackers could do by design.

advisories

[krog]

you haven't released any security advisories lately. where do you get your nitrous? can i have some?

Coagulation

[Raffy]

L0pht-
As with any of the well-known infosec groups (you, cDc, &c), it's always a far-flung collective of folks who coalesce and make things happen. How did you meet and decide, "hey, we have common goals and interests, let's do this as a team"?
Rafe

V^^^^V

Re:Um

[GeorgeH]

Ell Zero Pee Aitche Tee
L 0 P H T : PH = F (in crazy english)
L0FT : 0 = O (in crazy 1337 5p33k)
loft
1 : an upper room or floor : ATTIC
2 a : a gallery in a church or hall b : one of the upper floors of a warehouse or business building especially when not partitioned c : HAYLOFT
3 a : the backward slant of the face of a golf-club head b : the act of lofting
4 : the thickness of a fabric or insulating material (as goose down)


--

The net: strip mall or unlimted human potential?

[garagekubrick]

The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

,,,

[Signail11]

Considering the availability of easy to use, secure, persistent, pseudoanonymous nyms (http://www.freedom.com) and the increasing role that electronic commerce plays in our economy, what privacy and security concerns do you anticipate moving to the forefront of attention as this rapidly changing technology evolves?

IPSEC key debate

[Ruzty]

What is your take on the quashing of the use of photuris, for IPSEC keyserver use over the open to attack isakmp, by the IETF?

Re:Um

[bbk]

l0pth is pronounced "loft" - synonomous with attic. l0phters are people who dumpster dive looking for computer parts, usually in large companies trash bins, and carry the parts back to their l0pht where they use them.

I've l0phted a couple monitors and cases from my ever so friendly ECE department before... It's a great way to get an eclectic computer collection for very little!

A quickish question

[jd]

The Internet is fragmenting (eg: IPv4 vs. IPv6, Internet 2) and those parts that do have any awareness of security are now beginning to take it seriously (eg: IPSec, SSH). Many other parts are brain-dead, insecure and incoherent.

How do you see things evolving, from this unholy mess?

A question about L0pht constituents:

[NateTG]

What are the non-computer hobbies of the l0pht crew?

I suppose that this is a sort of "celebrety interview" question, but I'm curious.

Name Dropping Asswipes

[Anonymous Coward]

I meet a lot of "white hat" security types in my job. Every so often, I one of these guys goes into name dropping mode and starts talking about how chummy he is with Mudge. Once I had one of them tell me how he had contacts with the "low fat" guys (although he hadn't heard it pronounced as "loft"). What is it like to have your name(s) dropped by potentially thousands of really cluesless people who you might never even meet?

Re:Um

[BradyB]

I always thought that L0pht stood for LOW PHAT as in Low fat as in high speed low drag.

Human interest stuff

[Errant Knyght]

Now I know that Mudge has a painting (can't remember who by) hanging around, and I was wondering what artist everyone at L0pht enjoys as well as composers (if any there are into classical music).

Defensive Design Methodologies

[FuriousJester]

I read something to the gist of this recently:

"The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order
for computer security to become a reality, the design methodology must be changed."

Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used int, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?

In my experience, it has always been a matter of refinement. Security is relative.

Windows API

[IRNI]

If the windows API was opened because of the DOJ trial, what would you do?

A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.

B) fix everything and tell microsoft so they can make the changes show up in a new release

C) Do A) and grin real big and giggle lots

D) Other | Please Specify ___________________

Question:

[sboss]

Do you think there will be any security in the internet of the future? There seems to be more and more security holes (or at least we are finding more). Plus does encryption or digitially signing data help or hender the net?

Thanks
Scott

Scott
C{E,F,O,T}O
sboss dot net
email: scott@sboss.net

Re:advisories

[barleyguy]

Nitrous is available as a product called "whip-its". It's manufactured for making whipped cream, but is usually sold at adult bookstores. I'm not sure exactly why....

Regret / Useful Software / Orwellian CPUs

[MattW]

I have a couple questions. Choose whatever you like. * The silicon valley is froth with IPOs. A huge opportunity exists even in Boston, if you were attached to the city. Do you regret not putting more into a commercial enterprise that could have netted you the millions some people are getting? If so, would you trade your fame in this community for it if you could? * L0pht spends an enormous amount of time hacking on other peoples' equipment, cracking and analyzing other peoples' software. Without meaning to denigrate such useful activities, do you ever want to stop it for a while and dedicate yourself to the creation of something innovative and positive? * Somewhere in the future, drowning in gigahertz, manufacturers turn to adding security to their CPUs. CPUs have decryption modules which stop the CPU from running any code not specifically signed and encrypted for your CPU. Your machine (or cpu) would come with a disk or cdrom with a public key you'd provide to vendors (probably on a web page) that would be used to "complete" a build of software that was sold to you, and lock it onto your CPU only. Every piece of software will have a known desination and a known source. Piracy will be a thousand times harder. Viruses will be wiped out by applying this technology to documents and software alike. Is this the future? * I see the patent situation forcing software to inevitably go one way or the other: it will either be written only by corporations with tons of money and patents, and be commercial (and by judgement-proof pauper-programmers who have nothing to sue away from them), or the USPTO will suffer through a massive regulation change, and thousands of software/algorithm/ business-model patents will be swept away, along with more easy way to review a given patent's "nonobvious"-ness. Where do you think this tragedy is headed?

What does L0pht mean? Maybe an answer

[BradyB]

Well I never really put much thought in to it, but here goes. L0pht Heavy Industries. Perhaps it means Low Phat as in Low Fat , Heavily Used as in high speed low drag industries.

evolution of the network

[kootch]

with the local networks expanding from one solitary computer, to 20 computers connected in a room, to wireless devices also now able to connect to large databases and networks, how do you see the security industry (is it considered an industry) responding to these changes and do you forsee any interesting problems arising?

How's the wireless 'net project going?

[Anonymous Coward]

I was digging around the l0pht web site one day and read up on the wireless project you guys were doing trying to make use some old UHF equipment and seeing how far you could spread a free wireless network. So what's the current status of that project?

Re:I got one

[barleyguy]

Normally, I'd write you off as a hot grit troll. But I'd really love to see the clever answer l0pht would come up with for this one.

Question

[Necroleptic]

What are your opinions on "script kiddies" and your propogation of these people? Don't you believe that people who would want to be hackers should learn through experience, much like yourselves?

Security Lint

[Omniscient Ferret]

For assurance, before installing software on a secure-as-plausible machine, I would love to have an automated for security problems, such as buffer overflows. So, how is the development of SLINT [l0pht.com] progressing? Are you still planning to release it?

Welcome, our door is open

[lildogie]

What do you think about the wisdom of linking a planetary network of desktop computers to a radio telescope, hoping to go online with any extra-terrestrial who cares to open our collective port?

Internet Worm II

[tilly]

Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

Regards,
Ben

Proper NT rootkit.

[Zurk]

Hi guys,
Any plans to write a proper Win2K/NT rootkit (the kind that was published on Phrack a while back - that replaces or adds to the actual calls in the win32 ring 0 system with its own) soon ?

Simple question

[Ricochet]

(First the silly question)
Prove your existence :-)

(Now the real question)
How do we get back control of our information?

Security?

[Raffy]

Assume you own a server to run the following protocols: HTTP, POP/POP3, SMTP, NNTP, telnet, FTP. Can such a machine be secure under -any- OS? If this was sitting in your basement, what would you do with it (after loading Q3A/UT and distributed.net's latest client ;-) to make sure the script kiddies didn't f*ck with you?

Rafe

V^^^^V

Slint

[Emphyrio]

According to your site, you have developed a quite powerful source code security analysis tool.
A while ago, this tool was not distributable, and closed source.
Do you plan on releasing Slint and/or other currently closed source L0pht tools in an open source license, or in some other freely distributable binary form ?

Questions

[Anonymous Coward]

I've been checking out the 'L0pht' ever since the days when mudge posted the page up asking how many boxes everyone had up, but anyways...

Is there any work still being done on the 'guerilla net' project? The page hasn't been updated in ages.

Did you guys ever manage to locate the TX ready pin on the WaveLAN cards to switch the amplifier on?

What happened to the user pages on www.l0pht.com?

What are your main development platforms?

...And of course, what's the best piece of equipment you've dug out of the garbage so far?

Re: Security Lint

[Omniscient Ferret]

Er, that should be "love to have automated scanner".

Differences in interest

[BlueCalx-]

Sometimes, corporations are ignorant of your advisories, as they feel the general hacking community is only destructive and has little to offer. It also seems obvious in ABCNews' report that people have an inherent fear of the hacking/cracking community in general. The intent of some groups (cDc comes to mind) is different from others (gH), and as a result it becomes difficult to create an accurate definition of what hacking/cracking really is.

My question is this: do you feel the negative publicity and stereotypes of hackers and crackers rubs off on l0pht to some extent?

A Question of Principle

[sudog]

I was not impressed to see L0pht embrace any form of commercial philosophy. While it is true I live in a fairly isolated section of the world, I and the community I live within have the general impression that you are no longer available to the public. It appears as though you have sequestered yourselves away in your building(s) and sent Mudge out to maintain good PR. What I mean is, aside from the odd security release and product update, you guys seem to have disappeared from the face of the earth. What are you up to? Are you still truly pursuing the tenet that is listed prominently on your BBS? "Freedom, freedom, blah" -lhi, psalm blah verse blah?

Do you see yourselves as this inaccessible except to people willing to fork over large dollars, or am I just living on the moon?

Capabilities in Linux

[Nemesys]

Hi - this is a specific question.

Do you think we'll see capabilities begin to replace root in Linux? What will that world be like? When will it happen?

Reply to this letter.

[An0nymousC0ward]

This letter was recently published in the columbus dispatch [dispatch.com] (Ohio's greatest home newspaper....yea right). What would your response be to this person?

Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999

I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.

Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.

The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.

Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.

Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.

Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.

So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?

Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?

If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.

Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?

All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.

Ray Malone

MBS Software

Chillicothe, Ohio

L0phtcrack Registration

[kamelkev]

I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked. One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked. While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software. I would like very much to know what you think about this. -kamelkev

L0phtcrack Registration

[kamelkev]

I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked.


One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked.

While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software.

I would like very much to know what you think about this.

-kamelkev

Question: Opinion on non-full-disclosure companies

[minga]

Question for l0pht: 1) What are your all's opinions about non-full-disclosure companies making money off of full-disclosure vulnerability reports? A very important example is that of ISS (http://www.iss.net/). They made millions from the sale of their products like RealSecure and Security Scanner. These programs obviously check for vulnerabilities that were once posted on full-disclosure lists/pages. ISS is ABSOLUTELY DEPENDANT on this information... But when it comes time for ISS to report on vulnerabilities they have found (via X-FORCE) they release the most poor excuse for a vulnerability report I've even seen. A person cannot get any USEFUL information from them at all. Things like "There is a buffer overflow in BLAH version x.xx" And thats all the detail they give. What if every company/group did this? ISS wouldn't even have a worth wild scanner/detector at all! Do you all feel that ISS is doing anything wrong?

Re:L0phtcrack Registration

[kamelkev]

Sorry, Im a dumbass, instead of hitting preview I hit submit after I had fixified it for readability.

my bad

What responsibilities come with publicity?

[ebohman]

As you are one of the most well-known security-focused-groups today, you must surely attract a lot of young people who would want nothing more than to follow in your footsteps. Every kid nowaday wants their umpteen minutes of fame and TV air time.

What are your thoughts on the reponsibilities you have as frontal figures for the "hacking community"? (For some non-disclosed definition of "hacker")
Do you feel such a responsibility to steer the young and naive hacker-wannabies into white-hat territory? - or are you more into "give them the knowledge, let them choose side for themselves"?

If you feel an obligation to inspire kids towards non-illegal, non-confrontational, non-disruptive hacking; how do you take on such a task? Your choice of a name that surely goes well within script-kiddie-hacker territory indicates to me either a wish to attract such a following, or perhaps it is just an indication of your history, coming from that background.


Enough rambling, I guess my question more or less boils down to "How do you install a sense of decency in your fan groups?"

By the way, thank you for all your good security work. It seems you appear in my bugtraq [securityfocus.com] and ntbugtraq [ntbugtraq.com] e-mail folder every other time I look... I hope I don't come across as insulting or demeaning in my question, I am seriously interested in your answer.

Future of Security

[lostproc]

Q:What event or events will have to occur and of what magnitude (in your collective opinion), to make people realize that security is not an "afterthought" but also needs time and money to be done correctly? Do you think security will ever get its due by commercial firms doing transactions on the Interent, or will it always be the firefight that it seems today?

Okay, well two Q's.

largest barrier to secure computing/communications

[Mike Miller]

You have seen a lot of insecure systems. What do you see as the largest barrier to secure computing/communications (or largest contributor to security holes)? Braindead users, poorly implemented security, men in black, something else?

What's good out there?

[Animats]

Are there any OSs that you guys like from a security standpoint? Ignoring the common UNIX variants and Microsoft's OS products, all of which have known holes through which one could drive an 18-wheeler, is there anything worth looking at?

Guerrilla Network

[kerouac]

Some time ago, the l0pht was involved in trying to set up a small independent network (along the lines of DARPA ) involving microwave technology to communicate 'off of the grid'.

How has the work progressed? Any notes, or better yet, a HOW-TO?

Bipolarity

[Keck]

I'm interested to hear you talk about the thinking behind some of your members' involvement not just with 'grey hat' operations, but the 'black hat' groups too. Are they just schizophrenic, or are they just undecided on the moral code they wish to follow?

Other groups you might work with?

[God I hate mornings]

As a administrator I am very concerned with the security of my network. So it's no great surprise that I try to do as much research as I can in what little off time I have. Your website is on of the first I hit for NT security issues. For the Novell side I head over the Nomad Mobile Research Centre. It would seem that l0pht is geared more toward the NT side and NMRC more the NDS side. I always get the feeling that both l0pht and NMRC are in a sort of information share relationship. What other groups do you work with on a regular basis?

guerilla net lasers

[vapor.516]

Has the L0pht considered line-of-sight laser light as a communications medium for guerilla.net?

Actually it's http://www.freedom.net

[LiNT_]

See above

ISP's

[tech81]

What is your opinion on most of the major ISP's in the nation? For example, AOL, Mindspring, Earthlink, Bellsouth.net, GTE, and others.

mac os as a web server

[paulschreiber]

last summer, the us army switched to a power mac g4 and webstar. starnine, of course, made lots of noise.

do you think the mac os is a viable platform to run http on?

what about mac os x ... with the unix base, does that make it just as insecure as solaris/linux/et cetera?

Re:A Question of Principle

[God I hate mornings]

I don't think that they're pursing the all mighty dollar. I have contacted them serveral times with hopes of getting them to do some security work for various clients of mine. All had the potential for very nice paychecks at the end. They refused the work, very politly tho. SO I think you might be a bit off base. But I could be wrong.

Trouble

[jormurgandr]

Have you guys/gals ever gotten in any "real" trouble? I personally like to play around on other systems, that aren't really mine, but I always try not to cause trouble. I notice that you do that as well. I was just curious if anyone ever got really ticked at you guys and tried to "get" you, so to speak. Also, I must say that you are doing a wonderful thing for network security. I work for a very large company that was quite sure of its network security. Our admin was quite surprised when I ran a preview of L0phtcrack on the system and it started spouting off passwords (including his!). Now he is considering purchasing it to use on a weekly basis to help with our security.
=======
There was never a genius without a tincture of madness.

The Public's Perception of Hacking

[dmuth]

First, I should probally preface this by saying that while I don't consider myself to be a hacker, I have been a geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselve.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

Thanks!

"FAMOUS, adj. Conspicuously miserable." -BIERCE

[spazimodo]

I live in Boston, and am kinda bummed that the open door policy is no longer. How has your popularity and status changed what you do / how you do it? Do you find it alienating at all?
-Spazimodo

Fsck the millennium, we want it now.

security of capability-based operating systems

[sethg]

What do you think of capability-based systems, such as EROS [eros-os.org]? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
--
"But, Mulder, the new millennium doesn't begin until January 2001."

Linux, the next Windows?

[Null_Packet]

I've seen a great deal of problems start to arise from some of the coding efforts by the Linux community. Namely the fact that WM's like Gnome open random high numbered ports when running, etc. I have seen the OpenBSD and FreeBSD communities react to issues of software security, but I have yet to see anyone really take a more secure step towards software on Linux. What do you forsee as a solution for Linux software, and/or do you think it's security issues will begin to approach the problems Windows has?

Null_Packet
Hybrid
(hybrid@ghettohackers.net)

Hm.

[!ramirez]

Ever been 'requested' to do anything, hand over some info, poke around some stuff, by any gov't agency? I don't imagine that you'd be too happy about it, and I'm not insinuating that you'd cozy up with the government, but just wondering if maybe they've ever ordered or asked you to send them a copy of l0phtcrack, SLINT, etc...

Adding to the hype

[NME]

Regarding the following incident, as reported by the Crypt News letter (http://sun.soci.niu.edu/~crypt/)

Were you accurately represented? Claims like this one are a little, um 'out there'. What's the skinny on this?

thanks

-nme!


December 20, 1999: In this transcript from ABC World News Tonight entitled "Computer Hackers Could Target Military," news reader Connie Chung stated:

"Computer experts have been worried for some time about a flood of viruses designed to disrupt the nation's computer systems over the new year. The systems may be at far greater risk than most people believe."

Chung continued: "ABC's Kevin Newman has been granted access to a group of elite hackers who usually operate in secret."

Yes, so secret, the well-known group -- The L0pht -- has a website, has appeared in the New York Times Magazine, has appeared before Congress, has appeared . . . well, you get the idea. For a secret group, they sure appear in the media a lot.

The purpose of the interview seemed to be aimed at convincing the viewing audience that "the L0pht" were the masters of the world.

Senator Fred Thompson appeared, acting as "the L0pht's" unpaid press agent: "I'm informed that you think that within thirty minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?"

UNIDENTIFIED [L0pht] HACKER #1: "That's correct. It would definitely take a few days for people to figure out what was going on."

[Sound of Crypt Newsletter channel changer-switching to WWF pro wrestling, where the phonies and bluster are more entertaining.]

Security Through...Unpredictability?

[Effugas]

L0pht Crew:

Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face ;-)

Future of Hardware Hacking?

[Tackhead]

Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

1) Wireless.

Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

• when do we get to see some hardware projects to build, or is it the case that - due to regulatory restrictions on what can and cannot be transmitted on US airwaves - work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready :-)

2) The future of hardware hacking.

With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

• Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

3) The future of l0pht.

(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

• To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardare projects" side?

Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)

Who's more dangerous?

[Erbo]

In your view, which of the following corporations is most dangerous to the future freedom of the Internet as we know it, and why?

• Microsoft
• America Online
• Amazon.com

Eric
--
"Free your code...and the rest will follow."

Security Through Arbitrarity: libnc?

[Effugas]

L0pht Guys:

One of the most interesting applications to come out of the L0pht has been nothing but the immensely useful Netcat. Built to transfer arbitrary data at all costs, it's been used countless times when one needs your data to get from point A to B without interference by the various vagaries of the underlying content.

What's interesting about this, in my mind, is that instead of whipping up a new protocol to transport the independent units of whatever types of data one needs to send, netcat allows simple, unimpeded transport of whatever happens to go over the pipe--syslogs, files, shells, video.

Yet, while each of these custom protocols will toss over the data they were built to, the quality of the protocol design is often eroded by the content normally transfered over it such that only that content can effectively be transported using that protocol.

And thus lies the problem--whereas netcat is built to transfer anything, and is thus very unlikely to fail no matter what traffic enters the datastream, it's enough trouble to write custom protocol handlers that manage to read the data as intended, let alone possess the hands-off arbitrarity that you've designed into netcat.

Thus, my question: Should there be a libnc equivalent, one that security-conscious software coders could use to avoid the vagaries of raw socket code(and the obvious insecurity of shell pipes)? Or would this inspire a false sense of security and in fact make things worse?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Boston 2600

[Ex Machina]

How come you guys don't come over and talk to us mere mortals when you drop by the Boston 2600 meeting? I've heard rumors its because we're (mostly) penguinheads and you guys are BSD/Solaris people?

Didya know?

[Sorklin]

Didya know that having something from l0pht on your machine is grounds for termination? I do ... now.

Oops.

NT v. Linux

[Sorklin]

Out of the box which is more secure for the average user (not a server), NT or Linux? I'm stipulating that Outlook is not the email program and that no downloaded executables are run without scan.

My thoughts run thus: I realize that NT has many security holes and needs somthing like 200 changes to be made secure, but for the average user who is *not* running a server, are these changes necessary? Contrast that with many versions of Linux, which out of the box for the average user can be hacked in 15 minutes on the net. I am talking out of the *box* not using updates from either linux sites or M$.

Re:netcat

[Effugas]

netcat did not come from loft. it was made by hobbit.

Well, don't I feel foolish. Always assumed by the URL(http://www.l0pht.com/~weld/netcat/) that nc was their doing. I'd heard of hobbit, but for some reason assumed he was part of the l0pht.

*Feeling very, very, sheepish right now.*

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Antivirus software holes

[dodobh]

Norton Antivirus has a security hole. Details at msnbc [msnbc.com] . What do you think about such cases? Should the software liscensors be sued (since they are refusing to fix the hole)?

Re:netcat

[Effugas]

*Hobbit* wrote netcat, Weld Pond ported it to NT.

Yeah, I noticed. Feel pretty stupid about the whole thing. Duh.

--Dan

Crypto-Phreakishness

[Anonymous Coward]

Since you guys rate much higher on the crypto-phreakometer than I do, I was wondering if you had any insight into the security of current crypto technology.

Specifically, do you think that advances in computer horsepower has weakened the security of the current generation of crypto, as it relates to finding BIG prime numbers for the purpose of factoring.

Is media attn. a fad, can hacking be incorporated?

[Paolo]

First off, do you believe the fascination the media has had with hackers/crackers is merely a fad and will go away (like Y2k paranoia), or are computers in these times too much of an integral part of society to ignore? Case in point- your local newspaper prints which homes have been robbed in the last week. Isn't it plausible that they'll one day publish which corporations have been compromised?

Two, do you believe hacking can be incorporated? Packet Storm has been bought by Knoll-O'Gara as you know. Is it plausible that previously taboo security information repositories/experts will become obtained/retained by corporations in the future?

many thanks.

What engines/sites do you use to scour the 'Net?

[Bacteriophage]

Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

"There are no shortcuts to any place worth going."

The future of IT workers: domination?

[Jogar the Barbarian]

As time goes by we see the emergence of ever-more complicated IT concepts and machinery, which is being used by an increasingly "mediocre" public who view it as little more than blackbox. Do you see the non-computer-literate's appetite for high-tech causing the IT working class to evolve into a wizards' guild, or even a technocracy?
--GAck

Re:Security?

[Chandon Seldon]

Assume you own a server to run the following protocols: HTTP, POP/POP3, SMTP, NNTP, telnet, FTP. Can such a machine be secure under -any- OS? If this was sitting in your basement, what would you do with it (after loading Q3A/UT and distributed.net's latest client ;-) to make sure the script kiddies didn't f*ck with you?

How I'd go about giving it maximum security.

(Disclaimer: I've never actually set up a server running more than HTTP + FTP + POP3)

1. Partition the machine into the following partitions:
   • / (ro)
   • /home/httpd (ro if possible)
   • /home/mail (rw)
   • /home/news (rw)
   • /home/ftpd (ro if possible)
2. Install the most recent version of OpenBSD
3. Install any security fixes
4. Remove distributed.net's latest client and Q3A
5. Create the following new users: httpd, pop3d, nntpd, ftpd, telnet, unperson, admin
6. Set the permissions for all the files on the machine as strict as possible.
7. Setup a program to forward all requests on ports below 1024 to ports 10000 through 11024.
8. Set each server as it's own user, and make sure that one user can't effect the files of another in any way.
9. Set up each server on standard_port+10000, and have them each store their files in their own partiton (mounted under /home)
10. Use the simplest, most secure server for each task. Yes, this means you can't use apache.
11. Don't allow telnet logins as anyone but admin.
12. Set up the admin account with the minimum set of privilideges nessisary to administer the machine.
13. Go "chown root /bin/chmod; chmod og-rwx /bin/chmod"
14. "chmod a-x" any programs that aren't absolutey nessisary to the machine working, like 'su', 'chown', 'fortune', etc.
15. Change your root and admin passwords weekly.
16. Do anything that you should do that I missed.

This should, at best, prevent anyone from messing with the machine at all. At worst, if someone does get in, they shouldn't be able to do anything - anything at all.

Re:Reply to this letter.

[Legion303]

Here's my "letter to the editor" to the Columbus Dispatch:

I was disappointed with Ray Malone's 12/25 letter to the editor. Speaking as a hacker and security enthusiast of 17 years, allow me to educate Mr. Malone on hacking and open source.

First of all, viruses have nothing at all to do with hacking. Virus writers are not hackers in any sense of the word, they're merely vandals. But semantics aside, virus scanners that look for virus "fingerprints" can't be fooled by making the virus appear to be something else. The virus' fingerprint still exists in the code. At any rate, Mr. Malone is discussing individual programs here and not the operating system, which is the part that would be open source.

Mr. Malone goes on to say, "So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances." Yes, if the hacker had a database full of bank balances to work with in the first place, I suppose. And his modified source would only run on his system and any other system whose owner was duped into installing it. Other systems wouldn't be affected.

The real fun begins with this gem from Mr. Malone: "Every programmer I have ever met has always left himself a back door into every system he writes." I find this an extremely interesting perspective, considering that every single programmer I know does NOT leave a back door in ANY code. Given that Mr. Malone works for MBS Software (according to his letter), I take his words to mean that MBS products contain security holes by way of programmed "back doors," and I will accordingly caution consumers not to purchase anything from MBS until such time as they secure their software.

Mr. Malone then warns "Microsoft bashers" to beware, lest they get what they wished for. I don't know about him, but I've been wishing for stable, secure products for years, and Microsoft has yet to deliver. I am fortunate that the open source movement--pioneered by such products as the 32-bit multitasking, multithreaded, stable-as-a-rock, open source operating system known as Linux--is making such a large impact on the computer industry. Otherwise, we'd have 10 more years of Microsoft "innovation" to look forward to.

L0pht BBS

[Cynic]

I'm curious if any of the other L0pht denizens ever visit the L0pht BBS. It seems that of the L0pht guys, only BB ever posts, and that's next to never. Do you guys keep tabs on what goes on there?

Large Gov'ment Automated Keyword Scan System

[spartan]

To your knowledge, has anyone ever gained access to the Large Gov'ment Automated Keyword Scan System operated by the largest english speaking nations of the world? If yes, what do you know about the system that has not been in the press?

Adaptive Pseudo-Biological Security

[EchoMirage]

To L0pht:



We've been working on network theory for a while and an idea which we've been working on recently is adaptive system and network security that models the identification and proaction of a biological immune system.



Basically, the security system all incoming and outgoing traffic, processes, etc. As it analyzes a network configuration, it 1) adapts to that network and covers potentials holes from the start, 2) learns from and builds immunity to network attacks, hostile processes, and general system errors such as buffer overflows. Many security systems are, to a point, adaptive to their environment, but I have yet to see a security design that is adaptive/intelligent enough to configure itself to "live" within an environment and to become intelligently symbiotic with that environment.



How much work have you done with highly adaptive security systems, and do you foresee adaptive security becoming a working reality within the next decade?

Accountability vs Privacy

[drenehtsral]

Recently it seems there has been a trend towards eliminating anonymity in the computer world. It comes in the form of programs that "phone home" without the user's knowledge, or even some that won't run unless they get the okay from the central server. It comes in the form of universal unique identifiers in hardware, operating systems, and software.
With IPv6 on the horizon, and with a larger variety of software phoning home, this may soon become a large privacy issue. Most of the advances being made here are for the purpose of security (read "inspiring fear of being watched")and anti-piracy ("squeeze 'em for their last cent"). What immediate and/or long term effects do you see coming out of this?

Will it take a lawsuit?

[ghibli]

Who should be held responsible --- software companies or hackers? Will it take major lawsuit to change the thinking of businesses?

What would happen if a large corporation sued another large corporation for a security weakness that was exploited and caused damage (loss of data / bad publicity / etc.)? Once other corporate lawyers begin to smell the blood, do you think this would force software manufactures to pay attention to security during the design stage?

Although various white-hat hacker groups (Oops! network security experts) continue expose design flaws and security weaknesses in numerous software products, government spokespersons and the media contine to blame "hackers" for all the nation's woes. Some news reports would have us believe that "hackers" can collapse etire economies with a single mouse-click.

Government agencies promise to prosecute "to the full extent of the law" a teenager that "hacks" into a non-classified, non-critical web site without even questioning the company that provides the flawed software. Operating systems and applications are purchased without a thought to security issues, yet companies are able to demand that those programs be "Y2K-compliant".

Imagine that a large company installed a security system in hundreds of banks across the country, but it was soon discovered (and widely publicized for years) that the alarms do not work from midnight to 1:00 a.m.! Suppose a criminal broke in and stole $249 dollars. Where would your efforts be expended? In prosecuting the the petty thief, the security company or both? Certainly not the thief alone?!

What will force a change in thinking? Money?

Re:Reply to this letter.

[Neoplasm]

Well, I'm impressed. After an informative trip to their massive, sprawling web site (amazing what you can do with Frontpage Express these days) I've learned that they produce a wide array of software applications that can do scheduling as well as scheduling! I'm suprised they actually went out and bought a copy of the Acess 97 Developers Handbook and 'hacked' the example code in the book which builds...wait for it...a scheduling program!

I'm sure this is the kind of in depth programming genius that helped them produce a completely DOS and Windows compatable operating system of their very own. And it even extends the functionality of Windows itself! This is a great country where two brothers working in a garage in Ohio can change the world...oh, sorry I was thinking of the Wright brothers...nevermind.

Question on your history

[Townshend]

How did you guys (the orig. members) meet, and when did you guys actually start getting into computers and other technologies, and why?

Random Numbers...

[J. Chrysostom]

One alumnus of my college and a few of his buddies at work (he works for a major DC computer security firm) exploited the sloppy use of random number generation in an online casino's card shuffling algorithm (which they posted on their web site --- the joys of open source:) Courtesy of the casino's random seeding techniques the "hackers" were able to limit the number space to something easily brute forceable, and went on CNN with the results of their efforts. They could know the cards in every player's hand. The casino was not amused.

Do you see a potential increase in these random number "hacks" in the future, as more and more programmers use supposedly random numbers without a clue as to how they were generated and vulnerabilities in this process?

Re:Security Through Arbitrarity: libnc?

[Effugas]

Not when they exist. I think the word Don was reaching for in his quest for verbosity was arbitrariness.

Well, speaking of snobbery, sniffing loudly that I used "arbitrarity" instead of "arbitrariness" is pretty f*cking high up there ;-)

Anyway, as long as we're having a rousing semantic discussion, check this out:

Security Through...

Obscurity, not Obscureness
Impossibility, not Impossibleness
Predictability, not Predictableness

That being said, I'd rather not my writing be interpreted as "dry". I'll work on that--last thing I want to do is bore or annoy people with something as relatively small as simple style.

Keep me posted, preferably through email.

--Dan

Security Hoaxes

[Effugas]

L0pht Crew--

Combine extreme paranoia about web site security, a money stream coming straight out of PR Maintenance, and a "get-rich-quick" mentality that infuses Internet businesses, and you get an environment rife for the creation of snake oil cures and security systems that work by seeing to the financial security of the software authors.

Of course, the natural defense to such hucksterism is the presence of groups such as yours. What are some of the products and techniques that you've seen, debunked, and felt you intelligence insulted by?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Internet Worm II

[sinnergy]

You make an interesting point. The problem is, though, that many Unix shops (the small to medium sized ones at least) don't know what the lessons were from the first Worm. I'm only 23 and I learned about it through lore more than anything else. For everyone's sake, I hope you're not right, but I do believe that a good dose of prevention and education would be in order for most of us Sysadmins. Convincing management of this necessity, though, is almost impossible. With focus more on the hear and now as opposed keeping an eye out for potential problems, it's hard to keep abreast of security technologies

OpenBSD?

[Noryungi]

Hi!

I have heard many times that L0pht uses OpenBSD almost exclusively for their servers. Is that true? If so, could you please explain why (in a more detailed manner that just the obvious "it's been audited for security...") and also tell us if you contribute code back to OpenBSD.

Thanks!