LOpht in Transition

Most of the '90s hacking group the L0pht - Mudge, Space Rogue, Weld Pond and others - have emerged in legitimate roles. Was their work ultimately boon or bane for security?

Brian Oblivion. Kingpin. Mudge. Space Rogue. Stefan von Neumann. Tan. Weld Pond. That’s how the hacker group called the L0pht appeared before the Senate Subcommittee on Government Cybersecurity on May 19, 1998. They said, among other things, that they could take down the Internet in 30 minutes. The senators listened closely and afterward praised them effusively.

It was a landmark moment for hackers, shunned, derided and loathed by the technology industry. And it was a landmark for the L0pht too. Though the group was already known for its vulnerability disclosures, for the Hacker News Network, for tools like the hash cracking tool L0phtCrack, now “everybody [in the hacking community] wanted to be the L0pht,” remembers Jeff Moss, founder of the Black Hat and Defcon security conferences.

Not bad for a group that got its start when someone’s wife said it was time to get his computers out of the bathtub.

The L0pht shaped the way disclosures are handled and helped force vendors like Microsoft to change the way they address software security flaws. There’s no question, either, that by raising the visibility of security problems, the group spurred companies to begin paying more attention to security. “You knew you’d better rattle your own doorknobs before the hackers did,” says John Pescatore, a longtime information security analyst at Gartner.

Some think, though, that visibility has hurt software security. “They were the Led Zeppelin of gray hat hacking,” says Marcus Ranum, who is credited with creating the first commercial firewall product and is now CSO at Tenable Network Security. “By releasing gray hat tools and techniques they were able to get a tremendous amount of attention. And they opened the floodgates for all the bottom feeders that followed them.”

Ironically, it was Ranum himself who helped give the L0pht credibility. As CEO of NFR, which made software to find intruders on corporate networks, Ranum used the L0pht’s vulnerability research to strengthen his product, and hired the L0pht both to do a code review and to write modules for his product, giving the group a legitimate corporate client to tout. He says he considers the L0pht members his friends and says they are “great guys.” But he thinks those who have followed them find vulnerabilities almost as a way to blackmail corporations. He blames the L0pht, saying, “They have changed the industry for the worse.”

Nothing in the L0pht’s emergence from Boston’s bulletin board community in 1992 suggested it would achieve any more notoriety than other hacker collectives of the day. Brian Oblivion, a hacker with strong interests in radio communications, founded the group. Oblivion declined to be interviewed for this article, saying via Space Rogue that he was too busy. Chris Wysopal, who joined the L0pht in late 1992 as Weld Pond (a handle chosen by pointing at random at a map of the Boston area, because the bulletin board The Works forbade members to use real names), says that Oblivion “had so many computers in the bathroom that his wife couldn’t use it anymore.” She gave the group space in the South End artist’s loft where she made hats. And for several years, the L0pht was just a place for Oblivion and his friends to hang out after work and store their growing collection of computing equipment.

Among those friends were Space Rogue and a teenage hacker and skateboarder named Joe Grand, who went by the handle Kingpin (named for the bolt that runs through the truck, or axle, of a skateboard).

Grand calls from the road. He’s often on the road, literally—he is a triathlete good enough to have a sponsor. He’s 31 now and runs his own San Diego design shop, Grand Idea Studio, which has designed RFID and GPS modules for Parallax, an in-game videocamera for Gamecaster, and his best design yet, a video game accessory that he has licensed but can’t talk about.

Grand, an electrical engineer, has also written two books on hardware hacking and is a technical adviser to Make magazine. If all goes well with a pilot he’s recently shot, this fall we’ll see him on an engineering show on the Discovery Channel. Yet he’s nostalgic about the L0pht.

“I’m having a really hard time with realizing that I’m twice as old as when I joined the L0pht,” he says. “We did so many great things—what can I do to top that?”

The L0pht originally built a network so they could play Doom against each other. But they got more serious in 1994 and 1995, shedding some members and adding others with specific technical skills that complemented the group. They moved to a larger space in Watertown, Mass.

Excepting Grand, who was still in high school, all of the L0pht held various day jobs, often working together at places like Comp­USA, Massachusetts General Hospital or BBN Technologies, the fabled research lab (Weld Pond, Brian Oblivion, Mudge and Silicosis all worked there at some point). They kept their identities hidden, in part to keep their day jobs. Everyone in the hacking community knew Dan Farmer had been fired from his job for releasing the Satan network analyzer. But the group wanted to turn the L0pht into a day job.

The charismatic, long-tressed Peiter “Mudge” Zatko had emerged as the group’s public face, if not its de facto leader. He developed, along with Wysopal, L0phtCrack, a tool that revealed weak passwords. Released in 1997, it’s still available on some websites today. “Back then, the companies would pretend [vulnerabilities] weren’t real,” says Bruce Schneier, the noted cryptographer and CTO of BT Counterpane. Schneier says the L0pht’s ability to build tools like L0phtCrack forced vendors to address security problems. “That’s the reason we have more secure software today. If it wasn’t for that, Microsoft would still be belittling, insulting and suing researchers,” he says.

By late 1998, the L0pht was actively trying to attract venture capital and turn itself into a real business—it had pushed out Stefan von Neumann and a couple of other short-lived members, and hired Christien Rioux (known as Dildog) and Paul Nash (known as Silicosis) to support L0phtCrack and do custom work for companies like NFR. The L0pht was not the first group of hackers to offer professional services or tools, but even in the giddy late 1990s, hackers still had an unsavory reputation. Finally, @stake, a security consulting firm, came to the group with $10 million in VC money and told the L0pht it could continue its research. The members voted to join it.

Even so, that merger, announced Jan. 10, 2000, marked the symbolic end of the L0pht. Over the next few years, its members were fired or drifted away, and @stake itself was gobbled up by Symantec in 2004. The only member of the L0pht still there is Nash. The transition was particularly difficult for Zatko, who spent six months on disability and left @stake after just two years.

Today, Zatko’s office at BBN is a rest area for sundry things. There’s a dead computer on a chair, and a working circa-1940s polygraph machine on a table. In a corner are two fishing rods and an antenna, part of an impromptu communications experiment. There’s a guitar signed by one-time porn stars Barbara Dare and Jamie Summers. A bound copy of the L0pht’s testimony in front of the Senate is on a shelf. On one wall hangs a picture of him with President Bill Clinton and Vinton Cerf, in which Zatko’s light brown hair is still rock-star length. It’s short now, parted in the middle. He has a goatee and wears glasses. He’s sore from a boxing workout the night before, a reminder that he’s in his late 30s.

Zatko says he can’t talk about what he does at BBN, other than to say it’s security-related and for some unmentionable three-lettered government agencies. He also says he returned to BBN, which employed him in the 1990s, before the L0pht was his job, in part because BBN told him there could be no publicity about the projects he was working on. “That was attractive as hell,” he says.

But Zatko can’t seem to stay out of the spotlight. He is the obvious model for “Soxster,” one of the main characters in former cyberczar Richard A. Clarke’s new novel, Breakpoint (the L0pht itself appears as “the Dugout”). And he acknowledges that he still “wants to make a dent in the universe,” the old motto of the L0pht.

After an hour of talking about the L0pht, Zatko suggests a tour of the older parts of the BBN laboratory in Cambridge, dating from when it was an acoustics consultancy. He shows off the silent room, the amplification room, the sonar tank, the place where it developed Boomerang—a technology being used in Iraq to help find snipers—and he talks about how much he likes the variety of the cool ideas BBN pursues.

“Originally, the L0pht was meant as a microcosm of here,” he says, with a wistful expression.

The spirit of the L0pht lives on most directly at Veracode, the security software company started by Wysopal and Rioux after they left Symantec in 2005. The company launched at the RSA Security Conference in February.

Wysopal post-L0pht helped codify responsible disclosure policies and establish the Organization of Internet Safety, and while starting Veracode he also managed to be lead author of The Art of Software Security Testing, published in December 2006.

Wysopal, at a rangy 6 foot 2 inches, was the tallest member of the L0pht and the oldest (he’s now 41). Rioux (whose handle Dildog was the original name Dilbert creator Scott Adams gave to Dogbert) was the shortest and youngest (now 29).

In early January, sitting in the conference room at Veracode, the two play Click-and-Clack about their time at the L0pht, and the purpose of Veracode, which in a real sense extends the L0pht’s mission: to make software more secure, in this case by offering a Web-based service that automatically checks software for security flaws, via a clever—and patented—technique for data flow modeling and modeling control flow analysis developed by Rioux.

Told of Ranum’s comments, Rioux makes a slight grimace. “The days are over when we should be flinging mud over the Internet about vulnerabilities,” he says.

Veracode has pulled in $19.5 million in capital from Polaris Venture Partners, Atlas Venture and .406 Ventures. While it has competitors, such as Coverity, Fortify and Ounce Labs, Veracode’s approach is “a cool spin” on existing security technology, according to Gartner’s Pescatore.

Both Wysopal and Rioux believe Veracode is ready to sharply reduce the world’s total number of software vulnerabilities.

The L0pht, then, are all now unquestionably legitimate, and their evolution serves as a metaphor for the security business, which is now mainstream. Companies like Microsoft and Oracle have developed methods to take care of vulnerabilities, and the L0pht deserves some credit for that turn of events. While the disclosure wars are again raging, thanks to bug-a-day campaigns and other ploys by the hackers of today, the L0pht’s overall impact on corporate security has been positive, say many, including Howard Schmidt, who knew the L0pht both in his role as a computer forensics investigator at the Air Force and as CSO at Microsoft.

Still, some vendors continue to try to shove security issues under the rug, and there is no question that more of the Internet is under attack today than ever before. So what of that?

Peter Neumann (no relation to the L0pht’s Stefan von Neumann) is 74 and still a principal scientist at SRI, working on security issues. He also testified before the Senate subcommittee on that day in May 1998. He says security vulnerabilities are a part of a much bigger set of problems that have existed for 40 years and probably will exist 40 years from now. But he chuckles when asked about the L0pht, saying, “They were pointing out that the emperor has no clothes on, and nobody wants to hear that, but they did it in a tasteful way that made people listen. They made a difference.”

Copyright © 2007 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)