Information Security News
mailing list archives
LOpht in Transition
From: InfoSec News <alerts () infosecnews org>
Date: Tue, 24 Apr 2007 02:08:55 -0500 (CDT)
By Michael Fitzgerald
April 2007 Issue
Brian Oblivion. Kingpin. Mudge. Space Rogue. Stefan von Neumann. Tan.
Weld Pond. Thats how the hacker group called the L0pht appeared before
the Senate Subcommittee on Government Cybersecurity on May 19, 1998.
They said, among other things, that they could take down the Internet in
30 minutes. The senators listened closely and afterward praised them
It was a landmark moment for hackers, shunned, derided and loathed by
the technology industry. And it was a landmark for the L0pht too. Though
the group was already known for its vulnerability disclosures, for the
Hacker News Network, for tools like the hash cracking tool L0phtCrack,
now everybody [in the hacking community] wanted to be the L0pht,
remembers Jeff Moss, founder of the Black Hat and Defcon security
Not bad for a group that got its start when someones wife said it was
time to get his computers out of the bathtub.
The L0pht shaped the way disclosures are handled and helped force
vendors like Microsoft to change the way they address software security
flaws. Theres no question, either, that by raising the visibility of
security problems, the group spurred companies to begin paying more
attention to security. You knew youd better rattle your own doorknobs
before the hackers did, says John Pescatore, a longtime information
security analyst at Gartner.
Some think, though, that visibility has hurt software security. They
were the Led Zeppelin of gray hat hacking, says Marcus Ranum, who is
credited with creating the first commercial firewall product and is now
CSO at Tenable Network Security. By releasing gray hat tools and
techniques they were able to get a tremendous amount of attention. And
they opened the floodgates for all the bottom feeders that followed
Ironically, it was Ranum himself who helped give the L0pht credibility.
As CEO of NFR, which made software to find intruders on corporate
networks, Ranum used the L0phts vulnerability research to strengthen his
product, and hired the L0pht both to do a code review and to write
modules for his product, giving the group a legitimate corporate client
to tout. He says he considers the L0pht members his friends and says
they are great guys. But he thinks those who have followed them find
vulnerabilities almost as a way to blackmail corporations. He blames the
L0pht, saying, They have changed the industry for the worse.
Nothing in the L0phts emergence from Bostons bulletin board community in
1992 suggested it would achieve any more notoriety than other hacker
collectives of the day. Brian Oblivion, a hacker with strong interests
in radio communications, founded the group. Oblivion declined to be
interviewed for this article, saying via Space Rogue that he was too
busy. Chris Wysopal, who joined the L0pht in late 1992 as Weld Pond (a
handle chosen by pointing at random at a map of the Boston area, because
the bulletin board The Works forbade members to use real names), says
that Oblivion had so many computers in the bathroom that his wife
couldnt use it anymore. She gave the group space in the South End
artists loft where she made hats. And for several years, the L0pht was
just a place for Oblivion and his friends to hang out after work and
store their growing collection of computing equipment.
Among those friends were Space Rogue and a teenage hacker and
skateboarder named Joe Grand, who went by the handle Kingpin (named for
the bolt that runs through the truck, or axle, of a skateboard).
Grand calls from the road. Hes often on the road, literallyhe is a
triathlete good enough to have a sponsor. Hes 31 now and runs his own
San Diego design shop, Grand Idea Studio, which has designed RFID and
GPS modules for Parallax, an in-game videocamera for Gamecaster, and his
best design yet, a video game accessory that he has licensed but cant
Grand, an electrical engineer, has also written two books on hardware
hacking and is a technical adviser to Make magazine. If all goes well
with a pilot hes recently shot, this fall well see him on an engineering
show on the Discovery Channel. Yet hes nostalgic about the L0pht.
Im having a really hard time with realizing that Im twice as old as when
I joined the L0pht, he says. We did so many great thingswhat can I do to
The L0pht originally built a network so they could play Doom against
each other. But they got more serious in 1994 and 1995, shedding some
members and adding others with specific technical skills that
complemented the group. They moved to a larger space in Watertown, Mass.
Excepting Grand, who was still in high school, all of the L0pht held
various day jobs, often working together at places like CompUSA,
Massachusetts General Hospital or BBN Technologies, the fabled research
lab (Weld Pond, Brian Oblivion, Mudge and Silicosis all worked there at
some point). They kept their identities hidden, in part to keep their
day jobs. Everyone in the hacking community knew Dan Farmer had been
fired from his job for releasing the Satan network analyzer. But the
group wanted to turn the L0pht into a day job.
The charismatic, long-tressed Peiter Mudge Zatko had emerged as the
groups public face, if not its de facto leader. He developed, along with
Wysopal, L0phtCrack, a tool that revealed weak passwords. Released in
1997, its still available on some websites today. Back then, the
companies would pretend [vulnerabilities] werent real, says Bruce
Schneier, the noted cryptographer and CTO of BT Counterpane. Schneier
says the L0phts ability to build tools like L0phtCrack forced vendors to
address security problems. Thats the reason we have more secure software
today. If it wasnt for that, Microsoft would still be belittling,
insulting and suing researchers, he says.
By late 1998, the L0pht was actively trying to attract venture capital
and turn itself into a real businessit had pushed out Stefan von Neumann
and a couple of other short-lived members, and hired Christien Rioux
(known as Dildog) and Paul Nash (known as Silicosis) to support
L0phtCrack and do custom work for companies like NFR. The L0pht was not
the first group of hackers to offer professional services or tools, but
even in the giddy late 1990s, hackers still had an unsavory reputation.
Finally, @stake, a security consulting firm, came to the group with $10
million in VC money and told the L0pht it could continue its research.
The members voted to join it.
Even so, that merger, announced Jan. 10, 2000, marked the symbolic end
of the L0pht. Over the next few years, its members were fired or drifted
away, and @stake itself was gobbled up by Symantec in 2004. The only
member of the L0pht still there is Nash. The transition was particularly
difficult for Zatko, who spent six months on disability and left @stake
after just two years.
Today, Zatkos office at BBN is a rest area for sundry things. Theres a
dead computer on a chair, and a working circa-1940s polygraph machine on
a table. In a corner are two fishing rods and an antenna, part of an
impromptu communications experiment. Theres a guitar signed by one-time
porn stars Barbara Dare and Jamie Summers. A bound copy of the L0phts
testimony in front of the Senate is on a shelf. On one wall hangs a
picture of him with President Bill Clinton and Vinton Cerf, in which
Zatkos light brown hair is still rock-star length. Its short now, parted
in the middle. He has a goatee and wears glasses. Hes sore from a boxing
workout the night before, a reminder that hes in his late 30s.
Zatko says he cant talk about what he does at BBN, other than to say its
security-related and for some unmentionable three-lettered government
agencies. He also says he returned to BBN, which employed him in the
1990s, before the L0pht was his job, in part because BBN told him there
could be no publicity about the projects he was working on. That was
attractive as hell, he says.
But Zatko cant seem to stay out of the spotlight. He is the obvious
model for Soxster, one of the main characters in former cyberczar
Richard A. Clarkes new novel, Breakpoint (the L0pht itself appears as
the Dugout). And he acknowledges that he still wants to make a dent in
the universe, the old motto of the L0pht.
After an hour of talking about the L0pht, Zatko suggests a tour of the
older parts of the BBN laboratory in Cambridge, dating from when it was
an acoustics consultancy. He shows off the silent room, the
amplification room, the sonar tank, the place where it developed
Boomeranga technology being used in Iraq to help find snipersand he
talks about how much he likes the variety of the cool ideas BBN pursues.
Originally, the L0pht was meant as a microcosm of here, he says, with a
The spirit of the L0pht lives on most directly at Veracode, the security
software company started by Wysopal and Rioux after they left Symantec
in 2005. The company launched at the RSA Security Conference in
Wysopal post-L0pht helped codify responsible disclosure policies and
establish the Organization of Internet Safety, and while starting
Veracode he also managed to be lead author of The Art of Software
Security Testing, published in December 2006.
Wysopal, at a rangy 6 foot 2 inches, was the tallest member of the L0pht
and the oldest (hes now 41). Rioux (whose handle Dildog was the original
name Dilbert creator Scott Adams gave to Dogbert) was the shortest and
youngest (now 29).
In early January, sitting in the conference room at Veracode, the two
play Click-and-Clack about their time at the L0pht, and the purpose of
Veracode, which in a real sense extends the L0phts mission: to make
software more secure, in this case by offering a Web-based service that
automatically checks software for security flaws, via a cleverand
patentedtechnique for data flow modeling and modeling control flow
analysis developed by Rioux.
Told of Ranums comments, Rioux makes a slight grimace. The days are over
when we should be flinging mud over the Internet about vulnerabilities,
Veracode has pulled in $19.5 million in capital from Polaris Venture
Partners, Atlas Venture and .406 Ventures. While it has competitors,
such as Coverity, Fortify and Ounce Labs, Veracodes approach is a cool
spin on existing security technology, according to Gartners Pescatore.
Both Wysopal and Rioux believe Veracode is ready to sharply reduce the
worlds total number of software vulnerabilities.
The L0pht, then, are all now unquestionably legitimate, and their
evolution serves as a metaphor for the security business, which is now
mainstream. Companies like Microsoft and Oracle have developed methods
to take care of vulnerabilities, and the L0pht deserves some credit for
that turn of events. While the disclosure wars are again raging, thanks
to bug-a-day campaigns and other ploys by the hackers of today, the
L0phts overall impact on corporate security has been positive, say many,
including Howard Schmidt, who knew the L0pht both in his role as a
computer forensics investigator at the Air Force and as CSO at
Still, some vendors continue to try to shove security issues under the
rug, and there is no question that more of the Internet is under attack
today than ever before. So what of that?
Peter Neumann (no relation to the L0phts Stefan von Neumann) is 74 and
still a principal scientist at SRI, working on security issues. He also
testified before the Senate subcommittee on that day in May 1998. He
says security vulnerabilities are a part of a much bigger set of
problems that have existed for 40 years and probably will exist 40 years
from now. But he chuckles when asked about the L0pht, saying, They were
pointing out that the emperor has no clothes on, and nobody wants to
hear that, but they did it in a tasteful way that made people listen.
They made a difference.
2002-2007 CXO Media Inc. All rights reserved.
Subscribe to InfoSec News
- LOpht in Transition InfoSec News (Apr 24)