Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Interviews: We Have 2! 1st, L0pht Heavy Industries

Roblimo posted more than 14 years ago | from the direct-from-the-mainstream-media-spotlight dept.

News 232

Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.

Sorry! There are no comments related to the filter you selected.

Shutting down the Internet (3)

papo (57964) | more than 14 years ago | (#1442149)

You said in an interview that it's possible to shut down all the Internet. How you possibly might do that? With a DoS attack in some routers or by taking command of some servers in the principal backbones of the USA?

Y2k Hacking (3)

merky1 (83978) | more than 14 years ago | (#1442150)

Do you agree with the President's plea to cease hacking activities for Y2K, and do you think it will have an adverse affect?

"Those [filthy|pagan|heathen|whiny] americans, I'll show them....."

Re:Shutting down the Internet (1)

merky1 (83978) | more than 14 years ago | (#1442151)

If I can add to this.. What event would cause you to take down the internet?

Job offers (1)

eyeball (17206) | more than 14 years ago | (#1442152)

Whenever the subject of securing our web servers comes up at work, someone inadvertently says "We should hire one of those L0pht guys." As if you have nothing better to do than to work for a starving second-rate e-commerce IPO. My question is: Do you get job offers like this? If so, how does it feel? Do you refer them somewhere?

Which do you consider more dangerous (5)

Gleef (86) | more than 14 years ago | (#1442153)

Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

----

Um (1)

Synn (6288) | more than 14 years ago | (#1442154)

How the frag do you pronounce L0pht? And what the hell does it mean? Somebody write me a perl warez filter for pete's sake. All this kewl l33t drek is driving me insane.

Just out of curiosity... (1)

Ater (87170) | more than 14 years ago | (#1442155)

Where did you guys come up with the name, "the l0pht?" Does the 0 in it (as opposed to an O) have some special significance?

Future of Security (0)

Anonymous Coward | more than 14 years ago | (#1442156)

What do you think will be the future of computer security ? Encryption ? I don't think it'll be enough... What we'll be doing to protect our data ?

Private wireless networks (3)

rise (101383) | more than 14 years ago | (#1442157)

The L0pht has been involved in independent wireless networking reasonably heavily. What do you see as the most important discoveries/protocols/designs for the next few years? Do you forsee an opportunity for the hardware hacking community to open up the airwaves in the same way Linux & OSS has opened up operating systems and tools?

L0phtCrack (2)

OnyxRaven (9906) | more than 14 years ago | (#1442158)

At work we recently purchased a copy of L0phtCrack (Guess what - it has saved many many hours of work for me especially!) - for $99? Are you guys making a killing off of this tool or what?

Re:I got one (0)

Anonymous Coward | more than 14 years ago | (#1442159)

FORNICATE!

Distributed Computing (3)

jake_the_blue_spruce (64738) | more than 14 years ago | (#1442160)

Moore's law is that computing power doubles every eighteen months. At the same time, parallel processing and distributed computation ( Cosm [mitrhal.net] & Distributed.net [distributed.net] ) are becoming increasingly common. This leads to an abundance of cheap computing power, enabling brute force attacks on secure systems. In light of these developments, do you see username/password pairs being replaced by anything more resistant to such brute computing force?

Pronounciation (2)

RAruler (11862) | more than 14 years ago | (#1442161)

At one point I thought it was
"low-fight" but somewheres I remember it being said as "loft" which would make more sense as
L=L
0=O
PH=F
T=T
LOFT

Re:Distributed Computing (1)

jake_the_blue_spruce (64738) | more than 14 years ago | (#1442162)

Shoot. Cosm is at http://cosm.mithral.com/ [mithral.com] . I thought I checked that link.

Future Products (1)

MoOsEb0y (2177) | more than 14 years ago | (#1442163)

What products and or projects are you considering in the future? Also, what happened to the wireless networking you were planning (and made a few steps to)? I have often considered setting up something similar to this on a local scale for a few friends. But I think it'd be awesome to be able to be free of US Worst for my internet service.

Re:Shutting down the Internet (3)

jd (1658) | more than 14 years ago | (#1442164)

That one's easy. Very few routers have authoritive checks set up. Simply fire up a router such as gated and have it inject false routes into the net. Have the backbone located at the South Pole, for instance.

The UK network's been crashed dozens of times, by this. Usually by poor network administration, or faulty software, but that's just details. What an admin can do through ignorance, I'm sure crackers could do by design.

advisories (1)

krog (25663) | more than 14 years ago | (#1442165)

you haven't released any security advisories lately. where do you get your nitrous? can i have some?

Things to come... (0)

Anonymous Coward | more than 14 years ago | (#1442166)

Do you have a guesstimate as to when Operating Systems and protocols will make Information Security a non issue (from and attack and penetration perspective)? I have discussed this with my colleagues quite a bit and none of us can really say.
This is not bait for Microsoft jokes, either.
Developers may eventually wisen up, the day that I hang my A/P hat and retire to a desk job because of this evolution is inveitable, but thankfully not in sight. I would appreciate some comments on this matter...

-jcw

Coagulation (1)

Raffy (89138) | more than 14 years ago | (#1442167)

L0pht-
As with any of the well-known infosec groups (you, cDc, &c), it's always a far-flung collective of folks who coalesce and make things happen. How did you meet and decide, "hey, we have common goals and interests, let's do this as a team"?
Rafe

V^^^^V

Re:Um (1)

GeorgeH (5469) | more than 14 years ago | (#1442168)

Ell Zero Pee Aitche Tee
L 0 P H T : PH = F (in crazy english)
L0FT : 0 = O (in crazy 1337 5p33k)
loft
1 : an upper room or floor : ATTIC
2 a : a gallery in a church or hall b : one of the upper floors of a warehouse or business building especially when not partitioned c : HAYLOFT
3 a : the backward slant of the face of a golf-club head b : the act of lofting
4 : the thickness of a fabric or insulating material (as goose down)


--

The net: strip mall or unlimted human potential? (5)

garagekubrick (121058) | more than 14 years ago | (#1442169)

The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

,,, (2)

Signail11 (123143) | more than 14 years ago | (#1442170)

Considering the availability of easy to use, secure, persistent, pseudoanonymous nyms (http://www.freedom.com) and the increasing role that electronic commerce plays in our economy, what privacy and security concerns do you anticipate moving to the forefront of attention as this rapidly changing technology evolves?

IPSEC key debate (1)

Ruzty (46204) | more than 14 years ago | (#1442171)

What is your take on the quashing of the use of photuris, for IPSEC keyserver use over the open to attack isakmp, by the IETF?

Re:Um (2)

bbk (33798) | more than 14 years ago | (#1442172)

l0pth is pronounced "loft" - synonomous with attic. l0phters are people who dumpster dive looking for computer parts, usually in large companies trash bins, and carry the parts back to their l0pht where they use them.

I've l0phted a couple monitors and cases from my ever so friendly ECE department before... It's a great way to get an eclectic computer collection for very little!

A quickish question (3)

jd (1658) | more than 14 years ago | (#1442173)

The Internet is fragmenting (eg: IPv4 vs. IPv6, Internet 2) and those parts that do have any awareness of security are now beginning to take it seriously (eg: IPSec, SSH). Many other parts are brain-dead, insecure and incoherent.

How do you see things evolving, from this unholy mess?

A question about L0pht constituents: (3)

NateTG (93930) | more than 14 years ago | (#1442174)

What are the non-computer hobbies of the l0pht crew?

I suppose that this is a sort of "celebrety interview" question, but I'm curious.

Name Dropping Asswipes (2)

Anonymous Coward | more than 14 years ago | (#1442175)

I meet a lot of "white hat" security types in my job. Every so often, I one of these guys goes into name dropping mode and starts talking about how chummy he is with Mudge. Once I had one of them tell me how he had contacts with the "low fat" guys (although he hadn't heard it pronounced as "loft"). What is it like to have your name(s) dropped by potentially thousands of really cluesless people who you might never even meet?

Re:Um (2)

BradyB (52090) | more than 14 years ago | (#1442176)

I always thought that L0pht stood for LOW PHAT as in Low fat as in high speed low drag.

Somebody else would do this, so I'll do it first (0)

Anonymous Coward | more than 14 years ago | (#1442177)

What do you propose as a solution to the whole Q1 OSS cheating debacle?

Human interest stuff (1)

Errant Knyght (35004) | more than 14 years ago | (#1442178)

Now I know that Mudge has a painting (can't remember who by) hanging around, and I was wondering what artist everyone at L0pht enjoys as well as composers (if any there are into classical music).

Defensive Design Methodologies (4)

FuriousJester (7941) | more than 14 years ago | (#1442179)

I read something to the gist of this recently:

"The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order
for computer security to become a reality, the design methodology must be changed."

Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used int, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?

In my experience, it has always been a matter of refinement. Security is relative.

Windows API (3)

IRNI (5906) | more than 14 years ago | (#1442180)

If the windows API was opened because of the DOJ trial, what would you do?

A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.

B) fix everything and tell microsoft so they can make the changes show up in a new release

C) Do A) and grin real big and giggle lots

D) Other | Please Specify ___________________

Question: (1)

sboss (13167) | more than 14 years ago | (#1442181)

Do you think there will be any security in the internet of the future? There seems to be more and more security holes (or at least we are finding more). Plus does encryption or digitially signing data help or hender the net?

Thanks
Scott

Scott
C{E,F,O,T}O
sboss dot net
email: scott@sboss.net

Re:advisories (1)

barleyguy (64202) | more than 14 years ago | (#1442182)

Nitrous is available as a product called "whip-its". It's manufactured for making whipped cream, but is usually sold at adult bookstores. I'm not sure exactly why....

Regret / Useful Software / Orwellian CPUs (2)

MattW (97290) | more than 14 years ago | (#1442183)

I have a couple questions. Choose whatever you like. * The silicon valley is froth with IPOs. A huge opportunity exists even in Boston, if you were attached to the city. Do you regret not putting more into a commercial enterprise that could have netted you the millions some people are getting? If so, would you trade your fame in this community for it if you could? * L0pht spends an enormous amount of time hacking on other peoples' equipment, cracking and analyzing other peoples' software. Without meaning to denigrate such useful activities, do you ever want to stop it for a while and dedicate yourself to the creation of something innovative and positive? * Somewhere in the future, drowning in gigahertz, manufacturers turn to adding security to their CPUs. CPUs have decryption modules which stop the CPU from running any code not specifically signed and encrypted for your CPU. Your machine (or cpu) would come with a disk or cdrom with a public key you'd provide to vendors (probably on a web page) that would be used to "complete" a build of software that was sold to you, and lock it onto your CPU only. Every piece of software will have a known desination and a known source. Piracy will be a thousand times harder. Viruses will be wiped out by applying this technology to documents and software alike. Is this the future? * I see the patent situation forcing software to inevitably go one way or the other: it will either be written only by corporations with tons of money and patents, and be commercial (and by judgement-proof pauper-programmers who have nothing to sue away from them), or the USPTO will suffer through a massive regulation change, and thousands of software/algorithm/ business-model patents will be swept away, along with more easy way to review a given patent's "nonobvious"-ness. Where do you think this tragedy is headed?

What does L0pht mean? Maybe an answer (1)

BradyB (52090) | more than 14 years ago | (#1442184)

Well I never really put much thought in to it, but here goes. L0pht Heavy Industries. Perhaps it means Low Phat as in Low Fat , Heavily Used as in high speed low drag industries.

evolution of the network (1)

kootch (81702) | more than 14 years ago | (#1442185)

with the local networks expanding from one solitary computer, to 20 computers connected in a room, to wireless devices also now able to connect to large databases and networks, how do you see the security industry (is it considered an industry) responding to these changes and do you forsee any interesting problems arising?

How's the wireless 'net project going? (3)

Anonymous Coward | more than 14 years ago | (#1442186)

I was digging around the l0pht web site one day and read up on the wireless project you guys were doing trying to make use some old UHF equipment and seeing how far you could spread a free wireless network. So what's the current status of that project?

Re:I got one (1)

barleyguy (64202) | more than 14 years ago | (#1442187)

Normally, I'd write you off as a hot grit troll. But I'd really love to see the clever answer l0pht would come up with for this one.

Question (1)

Necroleptic (117803) | more than 14 years ago | (#1442188)

What are your opinions on "script kiddies" and your propogation of these people? Don't you believe that people who would want to be hackers should learn through experience, much like yourselves?

Security Lint (3)

Omniscient Ferret (4208) | more than 14 years ago | (#1442189)

For assurance, before installing software on a secure-as-plausible machine, I would love to have an automated for security problems, such as buffer overflows. So, how is the development of SLINT [l0pht.com] progressing? Are you still planning to release it?

Welcome, our door is open (2)

lildogie (54998) | more than 14 years ago | (#1442190)

What do you think about the wisdom of linking a planetary network of desktop computers to a radio telescope, hoping to go online with any extra-terrestrial who cares to open our collective port?

Internet Worm II (4)

tilly (7530) | more than 14 years ago | (#1442191)

Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

Regards,
Ben

Security and Open Source (0)

Anonymous Coward | more than 14 years ago | (#1442192)

Do you believe that it is possible to provide a secure computing model in an open source environment? If so, how?

Proper NT rootkit. (3)

Zurk (37028) | more than 14 years ago | (#1442193)

Hi guys,
Any plans to write a proper Win2K/NT rootkit (the kind that was published on Phrack a while back - that replaces or adds to the actual calls in the win32 ring 0 system with its own) soon ?

Simple question (1)

Ricochet (16874) | more than 14 years ago | (#1442194)

(First the silly question)
Prove your existence :-)

(Now the real question)
How do we get back control of our information?

Security? (1)

Raffy (89138) | more than 14 years ago | (#1442195)

Assume you own a server to run the following protocols: HTTP, POP/POP3, SMTP, NNTP, telnet, FTP. Can such a machine be secure under -any- OS? If this was sitting in your basement, what would you do with it (after loading Q3A/UT and distributed.net's latest client ;-) to make sure the script kiddies didn't f*ck with you?

Rafe

V^^^^V

Slint (2)

Emphyrio (125143) | more than 14 years ago | (#1442196)

According to your site, you have developed a quite powerful source code security analysis tool.
A while ago, this tool was not distributable, and closed source.
Do you plan on releasing Slint and/or other currently closed source L0pht tools in an open source license, or in some other freely distributable binary form ?

Re:Job offers (0)

Anonymous Coward | more than 14 years ago | (#1442197)

"How does it feel?"

What a bizarre question. Well, let me give an answer. I'll answer it in as much detail as possible so you can really get a good sense about what a job offer from a second-rate IPO e-commerce outfit feels like. Pay close attention. It's best to read this twice, as it will take at least two readings for your imagination to kick in. (I say this because from the sound of the question -- asking how a job offer feels -- I get the sense that (a) you're still in college and have not had a job offer, (b) are working at a job and are a little slow, or (c) are truly a blockhead and have no idea how the real world works and that, well, a job offer doesn't feel like much -- or at least not much that is easily quantifiable.)

So, this is what it feels like:

It feels all tingly. It feels like when you're in the ocean and you've been swimming out away from the beach for about 20 minutes, and then suddenly you turn back toward shore, swim for another 20 minutes, and then get up on the beach and walk to the beach house for a nice, cool Pina Colada.

That's about the closest I can describe it.

Well, okay, not entirely true. It feels like when you've been standing on a train platform on a cold morning and then the train comes whooshing by and kicks up a tiny pebble which zings toward your face, hits your glasses, cracks the lens, and then zigs to the right and dings your nose.

It feels the way your nose feels after the pebble has fallen back to the platform and you're standing there -- standing wearing your goose-down winter coat, your thick gloves, and carrying your briefcase -- and you must walk up the steps into the train vestibule with a horde of other commuters.

The ding from the pebble stings -- but only a little bit -- but you're more worried about whether or not the pebble caused your nose to bleed (you can't tell because you have gloves on) -- but you're self-conscious since people are looking at you, and you're not sure if they're looking at you because your glasses are cracked, because the side of your nose is bleeding, or because you look a little shell-shocked because you just got whipped by a pebble shot up from the steel wheels of the train.

That's about the best way to describe how the job offer from a second-rate outfit feels like.

Questions (1)

Anonymous Coward | more than 14 years ago | (#1442198)

I've been checking out the 'L0pht' ever since the days when mudge posted the page up asking how many boxes everyone had up, but anyways...

Is there any work still being done on the 'guerilla net' project? The page hasn't been updated in ages.

Did you guys ever manage to locate the TX ready pin on the WaveLAN cards to switch the amplifier on?

What happened to the user pages on www.l0pht.com?

What are your main development platforms?

...And of course, what's the best piece of equipment you've dug out of the garbage so far?

Re: Security Lint (1)

Omniscient Ferret (4208) | more than 14 years ago | (#1442199)

Er, that should be "love to have automated scanner".

software liability (0)

Anonymous Coward | more than 14 years ago | (#1442200)

hi guys.

when you testified before congress, one of you (I believe it was Weld Pond) said that software manufacturers need a financial incentive to ship secure software. I believe that you went on to say that they should be held partially liable for damages caused by bugs in their software.

How do you think that legislation like that would affect the open source movement?

Differences in interest (1)

BlueCalx- (59283) | more than 14 years ago | (#1442201)

Sometimes, corporations are ignorant of your advisories, as they feel the general hacking community is only destructive and has little to offer. It also seems obvious in ABCNews' report that people have an inherent fear of the hacking/cracking community in general. The intent of some groups (cDc comes to mind) is different from others (gH), and as a result it becomes difficult to create an accurate definition of what hacking/cracking really is.

My question is this: do you feel the negative publicity and stereotypes of hackers and crackers rubs off on l0pht to some extent?

IPv6 (0)

Anonymous Coward | more than 14 years ago | (#1442202)

Hi.

Lots of companies are shipping "VPN" solutions that are simply IPv6 boxes. Do you feel that IPv6 is adequate for this purpose? Will IPv6 really prevent the types of attacks we've seen with IPv4?

A Question of Principle (2)

sudog (101964) | more than 14 years ago | (#1442203)

I was not impressed to see L0pht embrace any form of commercial philosophy. While it is true I live in a fairly isolated section of the world, I and the community I live within have the general impression that you are no longer available to the public. It appears as though you have sequestered yourselves away in your building(s) and sent Mudge out to maintain good PR. What I mean is, aside from the odd security release and product update, you guys seem to have disappeared from the face of the earth. What are you up to? Are you still truly pursuing the tenet that is listed prominently on your BBS? "Freedom, freedom, blah" -lhi, psalm blah verse blah?

Do you see yourselves as this inaccessible except to people willing to fork over large dollars, or am I just living on the moon?

Capabilities in Linux (1)

Nemesys (6004) | more than 14 years ago | (#1442204)

Hi - this is a specific question.

Do you think we'll see capabilities begin to replace root in Linux? What will that world be like? When will it happen?

OpenBSD (0)

Anonymous Coward | more than 14 years ago | (#1442205)

How secure do you feel linux is? Please compare or contrast this with OpenBSD.

Reply to this letter. (5)

An0nymousC0ward (110267) | more than 14 years ago | (#1442206)

This letter was recently published in the columbus dispatch [dispatch.com] (Ohio's greatest home newspaper....yea right). What would your response be to this person?

Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999

I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.

Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.

The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.

Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.

Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.

Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.

So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?

Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?

If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.

Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?

All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.

Ray Malone

MBS Software

Chillicothe, Ohio

L0phtcrack Registration (1)

kamelkev (114875) | more than 14 years ago | (#1442207)

I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked. One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked. While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software. I would like very much to know what you think about this. -kamelkev

L0phtcrack Registration (2)

kamelkev (114875) | more than 14 years ago | (#1442208)

I'm curious to know how you all felt when your tool (L0phtcrack), notoriously effective on beating lanman hashes, was itself cracked.


One way in that L0phtcrack existence was justified in the community was that it had a limited use for the "Script kiddies", and only lasted 20 days (I think), but as with all tools it was cracked. In essence, your cracker was cracked.

While I highly respect L0phtcrack and find it very usefull on the job, I have to wonder how well you thought about your own key. You know you have a tool that is very much in demand, yet you dont seem to protect it in the way that one would have expected. I mean some would argue that are the "best" security experts around, yet you didn't even protect your own software.

I would like very much to know what you think about this.

-kamelkev

Question: Opinion on non-full-disclosure companies (1)

minga (124572) | more than 14 years ago | (#1442209)

Question for l0pht: 1) What are your all's opinions about non-full-disclosure companies making money off of full-disclosure vulnerability reports? A very important example is that of ISS (http://www.iss.net/). They made millions from the sale of their products like RealSecure and Security Scanner. These programs obviously check for vulnerabilities that were once posted on full-disclosure lists/pages. ISS is ABSOLUTELY DEPENDANT on this information... But when it comes time for ISS to report on vulnerabilities they have found (via X-FORCE) they release the most poor excuse for a vulnerability report I've even seen. A person cannot get any USEFUL information from them at all. Things like "There is a buffer overflow in BLAH version x.xx" And thats all the detail they give. What if every company/group did this? ISS wouldn't even have a worth wild scanner/detector at all! Do you all feel that ISS is doing anything wrong?

Re:L0phtcrack Registration (1)

kamelkev (114875) | more than 14 years ago | (#1442210)

Sorry, Im a dumbass, instead of hitting preview I hit submit after I had fixified it for readability.

my bad

What responsibilities come with publicity? (1)

ebohman (11378) | more than 14 years ago | (#1442211)

As you are one of the most well-known security-focused-groups today, you must surely attract a lot of young people who would want nothing more than to follow in your footsteps. Every kid nowaday wants their umpteen minutes of fame and TV air time.

What are your thoughts on the reponsibilities you have as frontal figures for the "hacking community"? (For some non-disclosed definition of "hacker")
Do you feel such a responsibility to steer the young and naive hacker-wannabies into white-hat territory? - or are you more into "give them the knowledge, let them choose side for themselves"?

If you feel an obligation to inspire kids towards non-illegal, non-confrontational, non-disruptive hacking; how do you take on such a task? Your choice of a name that surely goes well within script-kiddie-hacker territory indicates to me either a wish to attract such a following, or perhaps it is just an indication of your history, coming from that background.


Enough rambling, I guess my question more or less boils down to "How do you install a sense of decency in your fan groups?"

By the way, thank you for all your good security work. It seems you appear in my bugtraq [securityfocus.com] and ntbugtraq [ntbugtraq.com] e-mail folder every other time I look... I hope I don't come across as insulting or demeaning in my question, I am seriously interested in your answer.

Future of Security (2)

lostproc (93890) | more than 14 years ago | (#1442212)

Q:What event or events will have to occur and of what magnitude (in your collective opinion), to make people realize that security is not an "afterthought" but also needs time and money to be done correctly? Do you think security will ever get its due by commercial firms doing transactions on the Interent, or will it always be the firefight that it seems today?

Okay, well two Q's.

largest barrier to secure computing/communications (1)

Mike Miller (28248) | more than 14 years ago | (#1442213)

You have seen a lot of insecure systems. What do you see as the largest barrier to secure computing/communications (or largest contributor to security holes)? Braindead users, poorly implemented security, men in black, something else?

What's good out there? (1)

Animats (122034) | more than 14 years ago | (#1442214)

Are there any OSs that you guys like from a security standpoint? Ignoring the common UNIX variants and Microsoft's OS products, all of which have known holes through which one could drive an 18-wheeler, is there anything worth looking at?

Guerrilla Network (2)

kerouac (18850) | more than 14 years ago | (#1442215)

Some time ago, the l0pht was involved in trying to set up a small independent network (along the lines of DARPA ) involving microwave technology to communicate 'off of the grid'.

How has the work progressed? Any notes, or better yet, a HOW-TO?

Bipolarity (1)

Keck (7446) | more than 14 years ago | (#1442216)

I'm interested to hear you talk about the thinking behind some of your members' involvement not just with 'grey hat' operations, but the 'black hat' groups too. Are they just schizophrenic, or are they just undecided on the moral code they wish to follow?

Other groups you might work with? (1)

God I hate mornings (110205) | more than 14 years ago | (#1442217)

As a administrator I am very concerned with the security of my network. So it's no great surprise that I try to do as much research as I can in what little off time I have. Your website is on of the first I hit for NT security issues. For the Novell side I head over the Nomad Mobile Research Centre. It would seem that l0pht is geared more toward the NT side and NMRC more the NDS side. I always get the feeling that both l0pht and NMRC are in a sort of information share relationship. What other groups do you work with on a regular basis?

guerilla net lasers (2)

vapor.516 (129949) | more than 14 years ago | (#1442218)

Has the L0pht considered line-of-sight laser light as a communications medium for guerilla.net?

Do you think I'm pretty? (0)

Anonymous Coward | more than 14 years ago | (#1442219)

well? do you?

Actually it's http://www.freedom.net (1)

LiNT_ (65569) | more than 14 years ago | (#1442220)

See above

ISP's (1)

tech81 (128914) | more than 14 years ago | (#1442221)

What is your opinion on most of the major ISP's in the nation? For example, AOL, Mindspring, Earthlink, Bellsouth.net, GTE, and others.

mac os as a web server (1)

paulschreiber (113681) | more than 14 years ago | (#1442222)

last summer, the us army switched to a power mac g4 and webstar. starnine, of course, made lots of noise.

do you think the mac os is a viable platform to run http on?

what about mac os x ... with the unix base, does that make it just as insecure as solaris/linux/et cetera?

Re:A Question of Principle (1)

God I hate mornings (110205) | more than 14 years ago | (#1442223)

I don't think that they're pursing the all mighty dollar. I have contacted them serveral times with hopes of getting them to do some security work for various clients of mine. All had the potential for very nice paychecks at the end. They refused the work, very politly tho. SO I think you might be a bit off base. But I could be wrong.

Trouble (1)

jormurgandr (128408) | more than 14 years ago | (#1442224)

Have you guys/gals ever gotten in any "real" trouble? I personally like to play around on other systems, that aren't really mine, but I always try not to cause trouble. I notice that you do that as well. I was just curious if anyone ever got really ticked at you guys and tried to "get" you, so to speak. Also, I must say that you are doing a wonderful thing for network security. I work for a very large company that was quite sure of its network security. Our admin was quite surprised when I ran a preview of L0phtcrack on the system and it started spouting off passwords (including his!). Now he is considering purchasing it to use on a weekly basis to help with our security.
=======
There was never a genius without a tincture of madness.

Re:Shutting down the Internet (0)

Anonymous Coward | more than 14 years ago | (#1442225)

I think there is a better question. First, the claim is a bit of a braggadocios, it's easy to talk and the statement is pretty vague to begin with. That is sort of the nature of cracking community. I'm not going to say that it's not possible, corrupting router tables is a very good place to start and there are probably a few computing centers wher a good DoS attack could seriously hamper internet traffic but those aren't really crashing things and they usually don't last that long. There is a huge difference between cutting down the performance and making lots of traffic go through smaller pipes and crashing or stopping the net, the bigger it becomes the more reliable it becomes. As more and more infrastructure become dependent on the net, the net becomes more and more connected and more and more security is placed on more important pieces. Companies like AOL,TCI/ATandT,Qwest,mindspring,Amazon, etc... have substantial financial insentive to protect the net, secure their servers and network infrstructure, and have staff on duty ready to catch and fix problems as soon as they happen.

15 years ago, you could have easily attacked one router and substantially crippled the net, you could have went after 5 or 10 and pretty much shut it down. It is so much more connected today than it was then, you can cut a couple of major channels and there are others that stay up. There is no longer one east-west network pipe, there are numerous pipes and it keeps getting more and more connected. Take that major power-outage that cut power to most of the western US and parts of Canada a couple years back, the internet didn't blink.

If you do believe that you can crash it, how much longer do you think it will stay that way? Or do you even think that it is progressing towards a much more stable and crash-resistant infrastructure, please explain. Then on the ethics side (sorry to over shoot the one q per post rule) if you do believe you can do it, what have you done to get the problems fixed or at least publicize the methods so they can be corrected for? I would think that it would be good for business to take credit for stopping a potentially huge network shutdown.

The Public's Perception of Hacking (4)

dmuth (14143) | more than 14 years ago | (#1442226)

First, I should probally preface this by saying that while I don't consider myself to be a hacker, I have been a geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselve.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

Thanks!

Re:Shutting down the Internet (0)

Anonymous Coward | more than 14 years ago | (#1442227)

Read this comment [slashdot.org] .

"FAMOUS, adj. Conspicuously miserable." -BIERCE (1)

spazimodo (97579) | more than 14 years ago | (#1442228)

I live in Boston, and am kinda bummed that the open door policy is no longer. How has your popularity and status changed what you do / how you do it? Do you find it alienating at all?
-Spazimodo

Fsck the millennium, we want it now.

security of capability-based operating systems (5)

sethg (15187) | more than 14 years ago | (#1442229)

What do you think of capability-based systems, such as EROS [eros-os.org] ? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
--
"But, Mulder, the new millennium doesn't begin until January 2001."

Linux, the next Windows? (1)

Null_Packet (15946) | more than 14 years ago | (#1442230)

I've seen a great deal of problems start to arise from some of the coding efforts by the Linux community. Namely the fact that WM's like Gnome open random high numbered ports when running, etc. I have seen the OpenBSD and FreeBSD communities react to issues of software security, but I have yet to see anyone really take a more secure step towards software on Linux. What do you forsee as a solution for Linux software, and/or do you think it's security issues will begin to approach the problems Windows has?

Null_Packet
Hybrid
(hybrid@ghettohackers.net)

Hm. (1)

!ramirez (106823) | more than 14 years ago | (#1442231)

Ever been 'requested' to do anything, hand over some info, poke around some stuff, by any gov't agency? I don't imagine that you'd be too happy about it, and I'm not insinuating that you'd cozy up with the government, but just wondering if maybe they've ever ordered or asked you to send them a copy of l0phtcrack, SLINT, etc...

Re:L0phtcrack Registration (0)

Anonymous Coward | more than 14 years ago | (#1442232)

They probably realize that it is impossible to protect software. Almost any software that is in demand will be cracked.

Adding to the hype (1)

NME (36282) | more than 14 years ago | (#1442233)

Regarding the following incident, as reported by the Crypt News letter (http://sun.soci.niu.edu/~crypt/)

Were you accurately represented? Claims like this one are a little, um 'out there'. What's the skinny on this?

thanks

-nme!


December 20, 1999: In this transcript from ABC World News Tonight entitled "Computer Hackers Could Target Military," news reader Connie Chung stated:

"Computer experts have been worried for some time about a flood of viruses designed to disrupt the nation's computer systems over the new year. The systems may be at far greater risk than most people believe."

Chung continued: "ABC's Kevin Newman has been granted access to a group of elite hackers who usually operate in secret."

Yes, so secret, the well-known group -- The L0pht -- has a website, has appeared in the New York Times Magazine, has appeared before Congress, has appeared . . . well, you get the idea. For a secret group, they sure appear in the media a lot.

The purpose of the interview seemed to be aimed at convincing the viewing audience that "the L0pht" were the masters of the world.

Senator Fred Thompson appeared, acting as "the L0pht's" unpaid press agent: "I'm informed that you think that within thirty minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?"

UNIDENTIFIED [L0pht] HACKER #1: "That's correct. It would definitely take a few days for people to figure out what was going on."

[Sound of Crypt Newsletter channel changer-switching to WWF pro wrestling, where the phonies and bluster are more entertaining.]

Microsoft Source Code? (1)

WH (10882) | more than 14 years ago | (#1442234)

I know that at one point you were offered the source code to the Windows products by Microsoft. I also know that you did not accept the offer. What were your reasons for not accepting the offer?

Security Through...Unpredictability? (5)

Effugas (2378) | more than 14 years ago | (#1442235)

L0pht Crew:

Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face ;-)

hi comments ect (0)

Anonymous Coward | more than 14 years ago | (#1442236)

well now i just gonna poke in here an say that how do you guyz get ur software??? do u buy it or do u warezzz it??? i just got my american on line accont and im real new here 2 the internet/aOL but i am trying 2 learn to do this hacking stuff!! can u point me in a good directoin to get hacking stuff?:?? i run windows98 on my computer its a compaq persario so i think its big enuff to hack on!! n e wayz also i have 2 say that the last 2 times i posted stuff here i got called a troll by some ppl!!! thats pretty childish of them 2 do this!!!!! like i already said i just got my american on line accuont!! im new here ppl1!!!! so dont call me a troll!!!! cuz one day ill be callin ya alls trolls and u'll be real mad and stuff like me!1!!!

Future of Hardware Hacking? (4)

Tackhead (54550) | more than 14 years ago | (#1442237)

Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

1) Wireless.

Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

  • when do we get to see some hardware projects to build, or is it the case that - due to regulatory restrictions on what can and cannot be transmitted on US airwaves - work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready :-)

2) The future of hardware hacking.

With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

  • Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

3) The future of l0pht.

(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

  • To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardare projects" side?

Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)

The image of the Hacking Community. (1)

dentar (6540) | more than 14 years ago | (#1442238)

We all know what a farce the press is and their mistreatment of the word "Hacker," and their total misunderstanding of what hackers stand for. What is the best say, in your opinion, to change all of this to put the hacking community in the positive light that it deserves?

Wireless WAN project a rip-off (1)

WH (10882) | more than 14 years ago | (#1442239)

I've come across someone that is involved in a wireless internet project much like yours, whom described it at length, and then went off about how l0pht had ripped his ideas off his web site with no acknowledgement of where it came from.

The wording is infact so similar that it appears as if l0pht did indeed copy what he said, or vice-versa.

So what I'd like to know is where did you come up with the idea for the wireless internet project?

Re:Wireless WAN project a rip-off (0)

Anonymous Coward | more than 14 years ago | (#1442240)

How about a pointer to the web site that the l0pht allegedly ripped off? I wouldn't doubt they did because they don't seem to have a clue with regard to wireless networking.

When the time comes to protect America (1)

Anonymous Coward | more than 14 years ago | (#1442241)

When the time comes to protect America against radical and reckless attacks from overseas and domestic script kiddies will your group offer assistance, or take the "We told you so attitude"?

I am the lead sys / network admin for a very large ISP, and have had to freely offer my support to the local city and state government during small emergencies.

After working with the local governments
"Microsoft / SUN / Cisco Certified Engineers" I am very very very worried about what could happen in the future. These people are clueless and pose a serious security threat to our government networks.

How do you recommend we enlighten and possibly force some equilibrium to make sure they don't screw things up?



Who's more dangerous? (3)

Erbo (384) | more than 14 years ago | (#1442242)

In your view, which of the following corporations is most dangerous to the future freedom of the Internet as we know it, and why?
  • Microsoft
  • America Online
  • Amazon.com

Eric
--
"Free your code...and the rest will follow."

pls answer the q above (0)

Anonymous Coward | more than 14 years ago | (#1442243)

Just recently on slashdot there was talk of large wireless networks using wavelan. I'm especially interested in hearing about the status of guerilla.net. I'm sure answering the question i'm replying to would further the project and get more people involved. thanks

Drinking abilities? (0)

Anonymous Coward | more than 14 years ago | (#1442244)

One serious and one dumb question:
Have you suffered any legal reprocussions from some of your more gray hat work, (l0phtcrack), and if so, what route have you taken to avoid such ramifications?

Do you find your ability to booze with your friends and recover enough to give a speech the next morning at a con has diminished with age, or do you feel that you will be able to hang with a bottle of Jaeger has grown over the years?

-- Javaman

Re:What's good out there? (1)

Bald Wookie (18771) | more than 14 years ago | (#1442245)

Why bother asking such a leading question? You trimmed the field down so much, it seems like you want them to come out and sing the praises of Linux or a BSD variant. Fine, I have little doubt that they would. Yet in an interview I want to hear what they have to say, not what the interviewer wants to hear. Who knows, they could be sick bastards with an AIX fetish. If so, I want to hear about why they like it. Hell they might even like SCO UNIX (which I seem to remember is partially owned by Microsoft). An interesting answer would be something offbeat, not necessarily something that agrees with your preconceptions.

-BW

Security Through Arbitrarity: libnc? (2)

Effugas (2378) | more than 14 years ago | (#1442246)

L0pht Guys:

One of the most interesting applications to come out of the L0pht has been nothing but the immensely useful Netcat. Built to transfer arbitrary data at all costs, it's been used countless times when one needs your data to get from point A to B without interference by the various vagaries of the underlying content.

What's interesting about this, in my mind, is that instead of whipping up a new protocol to transport the independent units of whatever types of data one needs to send, netcat allows simple, unimpeded transport of whatever happens to go over the pipe--syslogs, files, shells, video.

Yet, while each of these custom protocols will toss over the data they were built to, the quality of the protocol design is often eroded by the content normally transfered over it such that only that content can effectively be transported using that protocol.

And thus lies the problem--whereas netcat is built to transfer anything, and is thus very unlikely to fail no matter what traffic enters the datastream, it's enough trouble to write custom protocol handlers that manage to read the data as intended, let alone possess the hands-off arbitrarity that you've designed into netcat.

Thus, my question: Should there be a libnc equivalent, one that security-conscious software coders could use to avoid the vagaries of raw socket code(and the obvious insecurity of shell pipes)? Or would this inspire a false sense of security and in fact make things worse?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:L0phtcrack Registration (1)

kamelkev (114875) | more than 14 years ago | (#1442247)

Yeah, I realize that it is possible to crack just about any software, still one would think they would have used a "good" algorithm to protecting thier software. The way I understand it, they didnt even try. They just stuck on some fakey auth package in and expected people to pay for it. I would suspect that a large percent of the "element" that actually uses l0phtcrack are not network admins doing audits (not that I actually care), who would never have any intention of registering it. One would think they would have done everything in thier power to prevent them from exploiting the software.

Boston 2600 (2)

Ex Machina (10710) | more than 14 years ago | (#1442248)

How come you guys don't come over and talk to us mere mortals when you drop by the Boston 2600 meeting? I've heard rumors its because we're (mostly) penguinheads and you guys are BSD/Solaris people?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?