In Depth

L0pht in Transition

Most of the '90s hacking group the L0pht - Mudge, Space Rogue, Weld Pond and others - have emerged in legitimate roles. Was their work ultimately boon or bane for security?

By Michael Fitzgerald

Page 4

After an hour of talking about the L0pht, Zatko suggests a tour of the older parts of the BBN laboratory in Cambridge, dating from when it was an acoustics consultancy. He shows off the silent room, the amplification room, the sonar tank, the place where it developed Boomerang—a technology being used in Iraq to help find snipers—and he talks about how much he likes the variety of the cool ideas BBN pursues.

“Originally, the L0pht was meant as a microcosm of here,” he says, with a wistful expression.

The spirit of the L0pht lives on most directly at Veracode, the security software company started by Wysopal and Rioux after they left Symantec in 2005. The company launched at the RSA Security Conference in February.

After the L0pht, Wysopal helped codify responsible disclosure policies and establish the Organization of Internet Safety, and while starting Veracode he also managed to be lead author of The Art of Software Security Testing, published in December 2006.

Wysopal, at a rangy 6 foot 2 inches, was the tallest member of the L0pht and the oldest (he’s now 41). Rioux (whose handle Dildog was the original name Dilbert creator Scott Adams gave to Dogbert) was the shortest and youngest (now 29).

In early January, sitting in the conference room at Veracode, the two play Click-and-Clack about their time at the L0pht and about the purpose of Veracode, which in a real sense extends the L0pht’s mission: to make software more secure, in this case by offering a Web-based service that automatically checks software for security flaws, via a clever—and patented—technique for data flow modeling and control flow analysis developed by Rioux.

Told of Ranum’s comments, Rioux makes a slight grimace. “The days are over when we should be flinging mud over the Internet about vulnerabilities,” he says.

Veracode has pulled in $19.5 million in capital from Polaris Venture Partners, Atlas Venture and .406 Ventures. While it has competitors, such as Coverity, Fortify and Ounce Labs, Veracode’s approach is “a cool spin” on existing security technology, according to Gartner’s Pescatore.

Both Wysopal and Rioux believe Veracode is ready to sharply reduce the world’s total number of software vulnerabilities.

The L0pht, then, are all now unquestionably legitimate, and their evolution serves as a metaphor for the security business, which is now mainstream. Companies like Microsoft and Oracle have developed methods to take care of vulnerabilities, and the L0pht deserves some credit for that turn of events. While the disclosure wars are again raging, thanks to bug-a-day campaigns and other ploys by the hackers of today, the L0pht’s overall impact on corporate security has been positive, say many, including Howard Schmidt, who knew the L0pht both in his role as a computer forensics investigator at the Air Force and as CSO at Microsoft.
