LOpht in Transition
Most of the '90s hacking group the L0pht - Mudge, Space Rogue, Weld Pond and others - have emerged in legitimate roles. Was their work ultimately boon or bane for security?
By Michael Fitzgerald
April 17, 2007 — CSO —
Brian Oblivion. Kingpin. Mudge. Space Rogue. Stefan von Neumann. Tan. Weld Pond. That’s how the hacker group called the L0pht appeared before the Senate Subcommittee on Government Cybersecurity on May 19, 1998. They said, among other things, that they could take down the Internet in 30 minutes. The senators listened closely and afterward praised them effusively.
It was a landmark moment for hackers, shunned, derided and loathed by the technology industry. And it was a landmark for the L0pht too. Though the group was already known for its vulnerability disclosures, for the Hacker News Network, for tools like the hash cracking tool L0phtCrack, now “everybody [in the hacking community] wanted to be the L0pht,” remembers Jeff Moss, founder of the Black Hat and Defcon security conferences.
Not bad for a group that got its start when someone’s wife said it was time to get his computers out of the bathtub.
The L0pht shaped the way disclosures are handled and helped force vendors like Microsoft to change the way they address software security flaws. There’s no question, either, that by raising the visibility of security problems, the group spurred companies to begin paying more attention to security. “You knew you’d better rattle your own doorknobs before the hackers did,” says John Pescatore, a longtime information security analyst at Gartner.
Some think, though, that visibility has hurt software security. “They were the Led Zeppelin of gray hat hacking,” says Marcus Ranum, who is credited with creating the first commercial firewall product and is now CSO at Tenable Network Security. “By releasing gray hat tools and techniques they were able to get a tremendous amount of attention. And they opened the floodgates for all the bottom feeders that followed them.”
Ironically, it was Ranum himself who helped give the L0pht credibility. As CEO of NFR, which made software to find intruders on corporate networks, Ranum used the L0pht’s vulnerability research to strengthen his product, and hired the L0pht both to do a code review and to write modules for his product, giving the group a legitimate corporate client to tout. He says he considers the L0pht members his friends and says they are “great guys.” But he thinks those who have followed them find vulnerabilities almost as a way to blackmail corporations. He blames the L0pht, saying, “They have changed the industry for the worse.”
Nothing in the L0pht’s emergence from Boston’s bulletin board community in 1992 suggested it would achieve any more notoriety than other hacker collectives of the day. Brian Oblivion, a hacker with strong interests in radio communications, founded the group. Oblivion declined to be interviewed for this article, saying via Space Rogue that he was too busy. Chris Wysopal, who joined the L0pht in late 1992 as Weld Pond (a handle chosen by pointing at random at a map of the Boston area, because the bulletin board The Works forbade members to use real names), says that Oblivion “had so many computers in the bathroom that his wife couldn’t use it anymore.” She gave the group space in the South End artist’s loft where she made hats. And for several years, the L0pht was just a place for Oblivion and his friends to hang out after work and store their growing collection of computing equipment.