L0pht in Transition
Most of the ’90s hacking group the L0pht - Mudge, Space Rogue, Weld Pond and others - have emerged in legitimate roles. Was their work ultimately boon or bane for security?
Brian Oblivion. Kingpin [Joe Grand]. Mudge [Peiter Zatko]. Space Rogue. Stefan von Neumann. Tan. Weld Pond [Chris Wysopal]. That’s how the hacker group called the L0pht appeared before the Senate Subcommittee on Government Cybersecurity on May 19, 1998. They said, among other things [before the Congress of the United States], that they could take down the Internet in 30 minutes.
“Back then, the companies would pretend [vulnerabilities] weren’t real,” says Bruce Schneier, the noted cryptographer and CTO of BT Counterpane. Schneier says the L0pht’s ability to build tools like L0phtCrack forced vendors to address security problems. “That’s the reason we have more secure software today. If it wasn’t for that, Microsoft would still be belittling, insulting and suing researchers,” he says.
That merger [with security consulting firm “@Stake”], announced Jan. 10, 2000, marked the symbolic end of the L0pht. Over the next few years, its members were fired or drifted away, and @Stake itself was gobbled up by Symantec in 2004. The only member of the L0pht still there is Nash. The transition was particularly difficult for Zatko, who spent six months on disability and left @Stake after just two years.
The 1998 L0pht testimony before the US Senate:
Transcript of that testimony:
In reality, all we really are is just curious. For well over the past decade, the seven of us have independently learned and worked in the fields of satellite communications, cryptography, operating system design and implementation, computer network security, electronics and telecommunications.
Throughout our learning process, we’ve made a few waves with some large companies such as Microsoft, IBM, Novell, and Sun Microsystems. At the same time, the top hackers, the top legitimate cryptographers, and computer security professionals pay us visits when they are in town, just to see what we’re currently working on... so we kind of figured we must be doing something right.
Senator Thompson: (15’30")
I am informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?
Mudge: That’s correct. Actually, one of us with just a few packets. We’ve told a few agencies about this. It’s kind of funny, because we think that this is something that the various government agencies should be actively going after; we know that the Department of Defense has a very large investigation into what’s known as denial of service attacks against the infrastructure.
Kingpin: (22’36") I just want to add one thing to that, on the point of liability: the car manufacturers will be, and are, held liable if something goes wrong in a product. If something goes wrong in one of the ten thousand cars and it explodes, they will be held liable. If something breaks in the software, the companies aren’t held liable, and they feel, why?
More about @Stake
This is a cached version of the original March 2000 article in BusinessWeek.
A Short, Strange Trip from Hackers to Entrepreneurs