The long, strange trip of the L0pht

Six members of the L0pht flaw-finding group reunite for the first time in years to assess the current state of security, which they say hasn't improved much in the last decade.

CAMBRIDGE, Mass. -- During the late 1990s, some executives from Microsoft Corp. were in Boston trying to figure out what the story was with this group of guys calling themselves the L0pht. There was a lot of noise coming from the group, including advisories laying out the details of vulnerabilities in a slew of Microsoft products, and the folks in Redmond were less than happy about it.

We're more dependent on the Internet and security hasn't improved, so we're not as safe.
Peiter Zatko, technical director, BBN Technologies

Recounting the tale last week during a panel discussion that reunited six members of the L0pht for the first time in years, Peiter Zatko, better known as Mudge, said the officials reacted in typical Microsoft fashion, by trying to convince the young upstarts that there was a better way to do things.

"Their first response was to take us out to dinner and offer to give us the Windows source code under NDA," he said.

"We told them that we already had it," said Christien Rioux, aka Dildog, drawing smiles and laughs from the other panelists and the audience.

And that, in so many words, is the essence of what the L0pht was about: irreverence, cockiness and bravado backed up by serious technical skills. In the years since it was absorbed into @stake, the legends and myths surrounding the group have grown and morphed to such a degree that it's difficult to separate fact from fiction at this late date. But when it comes to the L0pht, truth is often stranger than fiction.

Did Mudge really tell Congress that he could take down the Internet in 30 minutes? He did, and though times and technology have changed a lot in the 10 years since he made that statement, Mudge said the security and architecture of the Internet aren't much better now than they were back then.

"It actually did happen a couple of times with people blackholing the entire Internet accidentally by publishing bogus routes," he said. "What's happened is we've gone to a lot of private peering agreements so there are more points of failure now. So it might take two and a half or three hours these days. But we're more dependent on the Internet and security hasn't improved, so we're not as safe."

And what about that time that Richard Clarke, then the president's cyber security advisor, and a small herd of other federal security officials showed up at the group's South Boston pad to have a look at what exactly was going on?

After showing the feds around for a couple of hours and talking about the projects the group was working on and how the members went about their research, the L0pht crew was a little dismayed to see Clarke and his cohorts huddled together, speaking in hushed tones. This did not sit well with Mudge and the others.

L0pht panel members at SOURCE Boston

Gesturing to the beer sitting in front of him, Mudge told the audience: "Having a bit of the Irish courage in me by that point, I went over to them and said, 'Look, we brought you guys in here and opened the kimono and showed you what we do here and now you're out here whispering. You have to tell me what you're talking about.' So Richard Clarke says, 'Ok, I'll tell you. We were just saying that the CIA guys have told us that the only way anyone could do this stuff was with funding from a foreign government.'

"He told us, 'You've changed our entire threat model.' And then he looks at me and says, 'You know I have to ask: Have you been approached by any foreign governments?'" Mudge said, laughing.

In addition to telling old war stories, the panelists, who also included Chris Wysopal, Paul Nash, Space Rogue and Karl Kasper, talked a lot about the state of security today and why things haven't improved much since they started patching together "reclaimed" PCs in the mid-1990s. Much of the discussion centered on the ways in which the threat landscape has changed in recent years.

"A lot of the attacks have become automated and the defenses need to become automated," said Rioux. "But there's always a human element and we do have to find ways to deal with that. It may not be solved until control is wrested from the hands of the users. Security may become dependent on centralization and things that become automated."

Kasper, who now works in security in the financial services industry, said that some of the technologies that vendors are now pushing on enterprises are ineffective at best and are helping to create a false sense of security in many companies.

"Multifactor authentication is being forced on the banks as snake oil," Kasper said. "They're coming up with software-only multifactor, which means that there's a JavaScript that profiles your machine and that's the second factor. That's because there's an entire industry around this and as long as people look at it as a checkbox, they look for what's cheap. We've demonstrated the weakness of these to upper management. That to me is where the snake oil is."

As they looked back on their time at the L0pht, the panelists considered the question of whether they had had a positive effect on the industry.

"We did make a big difference. We helped Microsoft out tremendously by rattling their cages," said Mudge. "People started realizing that if they weren't going to be responsive, we were going to take it public and drag them through the muck. Our thing was, look, these people aren't listening and the only thing we can do is publicly flog them."

Video - SOURCE Boston '08: L0pht panel excerpt
