Technology Stocks : Symantec (SYMC) - What does it look like?

To: Mark Kubo who wrote (1654)10/3/1999 3:45:00 PM
From: Elmer Flugum   of 2069
 
Good For Business:

HacK, CouNterHaCk

nytimes.com

The members of L0pht can knock you off line, steal your credit-card
numbers and cut off the power for your whole neighborhood. But they'd
like you to think they're the good guys.

By BRUCE GOTTLIEB
Photographs by DANA SMITH

"Would you like to see how to
knock someone off the Web?"
Silicosis asks.

Sili, as he is known, is a slim young man
with serious eyes set deeply into a delicate
face. He's the newest member of a hacker
collective known as L0pht (pronounced
"loft"). He becomes visibly uncomfortable
when asked to talk about himself. He gives
his age as "mid-20's" and then clams up.
But when the conversation moves to
hacking, Sili turns voluble: "I think it's a
thrill to look at a program and figure out
how to make that program do something
that it was never designed to do in the first
place. There's the challenge."

We sit down at a computer monitor while
Sili explains his latest discovery. By
mimicking messages that typically flow
between computers on a network, he can
reach out to almost anyone running
Windows 95, 98 or 2000 in a large
corporate environment, or anyone using a
cable modem, and forcibly disconnect them
from the Web. In a demonstration of this,
he types a one-line command on his
computer and hits the return key with a
flourish. Sure enough, the computer across
the room, which seconds before had been
connected to M.I.T.'s server, is now off
line. The same technique, Sili explains, can
be used to take information flowing
between the Web and your neighbor's
computer and reroute it into your own. A
clever hacker could capture a neighbor's
banking transactions, passwords or
credit-card information.

Sili published his research on L0pht's Web
site in mid-August. The report was
covered in the computer publication
Infoworld and the on-line magazine ZDNet.
At the time, a Microsoft spokesman,
instead of denouncing L0pht, expressed
the hope to reporters that the group would
"design a more secure version of the
protocol" -- a hackerproof set of operating
instructions for the computer.

This request strikes Sili as especially
outrageous. "Why doesn't Ralph Nader
just redesign the Corvair?" he asks.

Nader is something of a role model at
L0pht, a confederation of eight
young hackers who position themselves, incredibly enough, as a
consumer-advocacy group. But L0pht's tactics are a bit unorthodox: breaking into
software systems and then posting instructions on how to do so on the Web,
where they can be picked up by software designers and malicious hackers alike.
Intrigued, I paid a visit to their workshop.

L0pht's "laboratory" is the second floor of a ramshackle warehouse in suburban
Boston. Predictably, the door to the lab has a sign for the pizza man -- "Domino's
Knock Loudly."

The eight men who make up L0pht allow themselves to be identified only by their
screen names: Dr. Mudge, Space Rogue, Dildog, Brian Oblivion, Kingpin, Silicosis,
Weld Pond and John Tan. They look to be in their 20's or 30's, but their six-room
suite is an adolescent geek's fantasy clubhouse. One wall is papered with
antiquated circuit boards while another has a signed picture from Julie, Penthouse
Pet. Junk food in the cupboard is taken seriously. There are three different kinds of
Cheez-Its: hot and spicy, plain and white cheddar.

The warehouse brims with more than 200 computers ranging from state-of-the-art
Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple
IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip
from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters,
D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna.
The warehouse also contains several small-scale dummy computer networks.

L0pht's "research" consists of trying to break into these internal systems. Upon
discovering a security flaw in commercial-network software, the L0phties publish
an advisory on their Web site. The advisory is a double-edged sword: a detailed
description of the flaw -- enough information for other hackers to duplicate the
"exploit" -- and a solution that tells network administrators how to close the
loophole.

L0pht's unorthodox methods have garnered praise from very unlikely quarters.
Sixteen months ago, L0pht appeared before the Committee on Governmental
Affairs of the United States Senate. Senator Fred Thompson introduced L0pht not
as a "gang" nor even a "group," but, translating for Washington pols, as a
"hacker think tank."

L0pht wowed the committee by reeling off an alarming list of security holes in
public and private systems. After the presentation, Senator Lieberman gushed, "It
is probably not what you came to hear, but actually, I think you are performing an
act of very good citizenship and I appreciate it." Lieberman went on to compare
L0pht, in a single sentence, to both Rachel Carson and Paul Revere. "You are
performing a valuable service to your country," Thompson added, "and we
appreciate that and want you to continue."

The National Security Council is equally bullish on L0pht. I met the N.S.C.'s
director of information protection, Jeffrey Hunker, at Defcon, an annual three-day
"conference" attracting more than 2,000 computer hackers from around the
country. Hunker had come to talk about President Clinton's initiatives on computer
security (and to spy on hackers, if you believe the whispers). He surprised me by
raving about the group's technical sophistication. "L0pht has carved out an
interesting niche for itself," he added, "and for similar-minded people --
white-hatted hackers. Their objective is basically to help improve the state of the
art in security and to be a gadfly, so to speak -- to identify products that have
vulnerabilities and make certain those vulnerabilities get fixed."

When I told L0pht about Hunker's comments, they rolled their eyes, saying,
"You're not going to publish that, are you?"

For one thing, they had no wish to be identified as favorites of the N.S.C., since
that might jeopardize their standing among so-called black-hat, or malicious,
hackers. "We are all extremely ethical and moral," one member allowed, "but we're
not white-hat hackers. We have our own moral and ethical standards" -- the term
is gray-hat.

It's not hard to spot the reasons for
the moral ambiguity. In their off
hours, Mudge and Dildog are
members of Cult of the Dead Cow, a
black-hat hacker group that
recently released Back Orifice 2000
(bo2k), a computer program that
enables a hacker to control another
computer from afar. (The name is a
crude play on Microsoft's Back
Office Server, a program that allows
a legitimate administrator to, among
other things, control another
computer on a network.) But unlike
Back Office, bo2k is "invisible,"
meaning that a hacker can spy on
another user, even change files,
without the user's knowledge.
Dildog, one of bo2k's authors, euphemistically describes it as "a shy program."
Jason Garms, the former head of Microsoft's security-response team, is a bit more
direct, labeling bo2k "a malicious program, with malicious intent."

Perhaps because of their ties to the black-hat community, L0pht members refuse to
be identified, although they will let themselves be photographed. As Space Rogue
explains (and any hacker knows), pictures are next to useless if you're trying to dig
up private data on someone.

When L0pht testified before the Senate, members would not accept checks for
hotel and travel expenses. As with members of the Witness Protection Program
who have come before the Senate, they were reimbursed with cash. Senator John
Glenn even signed pictures -- with the group's screen names: "To Dr. Mudge. . . .
To Space Rogue. . . . To Weld Pond."

"Open up the raincoat to expose all the little parts," is how Mudge, smiling,
describes L0pht's ethos. Mudge will not disclose his age, but mid-30's
seems a good guess. He claims a college degree in music with further
course work in computer science. Mudge says that early experimenting with
computers led to informal warnings from certain "three-letter agencies." He wears
his hair below his shoulders, sports a goatee and favors faded jeans and a T-shirt.
In his Senate testimony he claimed to have given training seminars at NASA and
the National Security Agency.

Mudge frankly admits that he'll answer anyone's technical questions about
hacking. "If a black hat approaches us and says, Hey, this is the project or problem
I'm looking at . . . we'll talk to them, no problem. And if a government agency
approaches us and says, How do you do this, or, How does this work, we'll talk to
them."

Of course, this laissez-faire attitude has its costs. Mudge says: "Full disclosure is
something we had to grapple with for a long time. The flip side is that critics say,
'You're giving people tools that can actually do bad things.' That is absolutely
true. It's got a lot of nasty side effects."

For instance: last December, a hacker magazine called Phrack disclosed a flaw in a
network program called Cold Fusion. (Network programs help manage computers
that are linked together.) In April of this year, Weld Pond -- an older, thoughtful
L0pht programmer -- discovered a second, more serious way to exploit the flaw.

Weld immediately published an advisory on L0pht.com prescribing a fix. Weld's
report also contained enough detail to explain the flaw to so-called "script kiddies"
-- young, malicious hackers with limited technical expertise who are among the
most avid readers of L0pht's advisories. In the span of three weeks, according to
PC Week, hackers inserted bogus text and images on at least 100 Cold Fusion
systems, including those of NASA, the Army and the National Oceanic and
Atmospheric Administration.

So why didn't L0pht contact Allaire, the small Cambridge, Mass., software firm that
makes Cold Fusion, before releasing an advisory? The reason, say Weld and the
other L0phties, is that vendors usually sweep tips from hackers under the rug.
Vendors, claims L0pht, don't want customers to think software has flaws. "We
were trained by the vendors to go public," says Mudge, "to give them a black
eye."

With an attitude like this, it's tempting to blame Weld Pond, especially since
L0pht's advisory led to more security breaches than would have occurred had
nothing ever been reported. It's not enough to claim, as Weld does, that "We try
to stay somewhat neutral -- we're not on the vendor's side, we're not on the
hacker's side. When we release the tools, they can be used for good or bad. It's up
to the individuals to have morals."

Mudge is currently writing a paper on a longtime hobbyhorse of his: the
vulnerability of electrical power grids to hacker attacks. While the
computers that control these power grids are not directly connected to
the Internet, Mudge thinks a hacker could still turn out the nation's lights because
utility companies have left the keys to their computers under the proverbial
doormat.

Mudge tells me that careless utility employees often put internal documents on
public servers -- perhaps to access them from home or while on the road.
Sometimes, Mudge claims, the documents explain how to access the central
computers. Central computers "might have no attachment to the Internet," he
says, "other than the fact that somebody put up a document on the Internet
describing how to get to it and how to use it." Mudge pauses. "Well, that's just as
good."

Mudge has written a program to scan utility companies' Web sites for words like
"confidential" or "password." "I'm not breaking any laws by doing this, I'm just
grabbing public stuff," he is quick to point out. "They don't realize that they're
putting it up there for the world to see."

He shows me a file downloaded from a large utility company that contains a
presentation on company security. Next he opens a file full of phone numbers from
another utility company. "It sounds almost science-fictionist," he cautions, "but
with these numbers here I'd be able to turn off their entire grid." The phone
numbers, he explains, connect to modems linked to the central switches that
determine where electricity flows. "If I don't publish this information," Mudge
claims, "someone else will come along and do the same thing, with less ethical
goals. Now you can see a situation where people are dying because of these
corporations' stupidity. At that point, who's to blame?"

Given the stakes, Mudge intends to relax his commitment to so-called full
disclosure. "It's uncool," he says, for utility companies to "learn about a problem
by reading it in the newspaper." That's why he plans to alert companies in
advance, so they can close vulnerabilities before the news is made public on
L0pht's Web site.

Like Nader, the L0pht members can get a bit preachy on the subject of ethics.
"Any of us could leave L0pht right now and take six-figure jobs," Mudge
says. "The fact that we don't and we're on the ramen-noodle,
mac-and-cheese diet, that speaks for our ethics right there. It's not a job for us;
this is what drives us through life."

While Mudge's self-righteousness may be justified
up to a point, there are also more prosaic reasons for
working at L0pht. Freedom to do whatever you
want, for instance. Silicosis and Brian Oblivion are
installing a motor-driven satellite dish on the
warehouse roof. They hope to capture
ground-to-space communications from the Space
Shuttle and high-resolution images of the earth
broadcast from satellites. The justification? It's cool.
Silicosis adds, "It impresses my girlfriend."

Space Rogue -- a sort of young Archie Bunker
figure, to the extent that an Archie Bunker figure can
be young -- sticks closer to earth when asked how
he ended up at L0pht. "I did one semester in college, said the hell with this and got
out. Controlled learning environments have never been my strong point." L0pht
gave him a place to pursue projects at his own pace.

Mostly, Space Rogue seems to like L0pht for the camaraderie. "I moved to Boston
in 1990," he says, "and I almost immediately met all these people on line on local
bulletin boards. L0pht started shortly thereafter in fall '91. So I'd already known
these people awhile, even face to face. The on-line world at the time was very
small."

Mudge recalls that the group took off when members moved their computers from
their living rooms to a small loft space in Boston. (All but one of the founders,
Brian Oblivion, have since left.) L0pht soon added members and moved to a larger
suburban warehouse four years ago. It has also started a consulting business on
the side called L0pht Heavy Industries.

L0pht is not without critics, of course. "While L0pht puts on the Robin Hood
mantle of fighting the big computer companies," a senior programmer at
Microsoft tells me, "their only victims are the little people that are
customers" -- the people who purchase products like Windows 2000.

Microsoft has been on the business end of several L0pht advisories, most notably
when Mudge and Weld demonstrated how to decrypt passwords from computers
running Microsoft's NT operating system. Jason Garms, the former head of
Microsoft's security-response team, admits that hackers have a role in creating
secure software. But he's wary of the Darwinian notion that hackers will, by
actively looking for flaws, expose inferior products. He likens it to improving
public safety by painting a target on everyone's head.

I mentioned Garms's criticism to the L0pht members, who were equally dismissive.
If gray-hat hackers stopped searching for vulnerabilities, L0pht believes, a
black-hat hacker would find them sooner or later. It's better to get rid of flaws than
hope no one finds them. The N.S.C.'s Hunker shares this belief -- "the hackers are
already out there" -- which is why he applauds L0pht for keeping vendors honest.

The senior Microsoft programmer also warns that Mudge and his colleagues, for
all their highfalutin apologia, are motivated mostly by naked ego: "I am certain," he
says, "that the primary motivation of these people is simple self-gratification and
justification."

I asked the L0pht members whether ego played a part in their ethical reasoning.
Weld Pond replied that, by assuming pseudonyms, they more or less deny
themselves the benefits of celebrity. "When I walk down the street," he says, "no
one knows I'm Weld Pond."

But at Defcon, the annual hacker convention, it was quite clear that everyone
knew Weld, Mudge, Space Rogue and Dildog. L0pht members have become, as
Mudge notes wryly, "rock stars of the computer underground." That they help
malicious hackers as well as the Feds and big business hasn't hurt their popularity
among the outlaws.

On the other hand, L0pht's poorly hidden hunger for the spotlight shouldn't
obscure the truly fascinating work they've done. Socially important research is
perfectly compatible with, and perhaps inseparable from, love of celebrity, as
James Watson has made admirably clear. Say what you will, there is no denying
that L0pht's advisories have improved computer security even as they have
harmed corporations and government agencies.

No one doubts that information security is going to become an increasingly critical
topic as the ordinary economy moves into the digital age. In their grander
moments, L0pht's members hope to become digital Ralph Naders, making sure that
the software behind the transition is as safe as manufacturers say.

The idea of eight computer hackers in a dingy warehouse insuring the safety of
the information age may sound a little farfetched. But sometimes hackers
eventually direct their curiosity toward laudable ends. Take, for example, the two
young hackers who engineered a small blue box in the early 1970's that allowed
free long-distance calls when placed near a telephone receiver. The two
enterprising techies went door to door in the Berkeley dorms, selling the devices.
Their names? Steve Jobs and Steve Wozniak, future founders of Apple Computer.

Bruce Gottlieb was a staff writer at Slate magazine until enrolling in Harvard Law School
this fall.