Letters

My recent item entitled "Security industry's hacker-pimping slammed" has generated damn few page hits but a vast flood of e-mail. What I reported, essentially, is that my boy Gweeds stood up at H2K2 this past weekend and excoriated the security establishment for selling out 'old-fashioned' (possibly fictional) hacker ethics for a quick buck. But before we get to the dirt, which readers have supplied with glee, I should at least say this much:
Gweeds' cynical angle on hacker sell-outs doesn't get enough play in the press, imho. It doesn't seem right that the public discussion should be so asymmetrical. I think it's healthy to play Devil's Advocate once in a while. That said, I believe I expressed a hint of a doubt that the blackhat community actually gives a rat's ass about social issues:
"The rush to publish and take credit for discovering and patching a new exploit hobbles the positive efforts of blackhats with a social conscience (though admittedly no one knows how big a category that is)."
It would be cool if that category would grow -- assuming it contains at least one, that is....
I never said that I believe what Gweeds claimed about @Stake or SD. I reported what he said, and said that I liked it. That's not to say that I believed it.
Regardless of Gweeds' foibles, I maintain that his argument is worth presenting in The Register. Where else will you find stuff like that, after all?
And finally, I have no loyalties other than my own, which are well-known to our beloved readers. I loathe Microsoft, adore Linux, loathe Feds, adore soldiers, loathe cops, adore firefighters, and would be delighted beyond expression to beat John Ashcroft, Billy Rehnquist and Little Dubya to death with a tightly-rolled-up copy of the Bill of Rights.
And as for Gweeds, who suddenly seems quite easy to ignore in context of Presidents and Attorneys General and Supreme Court Chief Justices, I'll still gladly tear him a new one if the dirt sticks. Which it very well might.... ®
Gweeds and Sir Dystic have a past - and there are many stories floating around about a feud between Gweeds and Sir Dystic over NewHackCity, a site Gweeds screwed up and is no longer. Are you sure that Sir Dystic works for MS? Or are you taking Gweeds' word for it? Something tells me that MS wouldn't go and hire the programmer of BO knowingly. Nor would "programmer of BO, member of cDc" look all that good on a resume.
If you do a search of the Bugtraq archives (I used both SecurityFocus' archive and Neohapsis) you will find only one post by Sir Dystic to the mailing list, and it's not even a security advisory.
L0pht was invited to speak to Congress by Senator Thompson, not NIPC. I've read some of the L0pht testimony and have yet to see any FUD in it. Does Gweeds have any examples?
Gweeds does not have the ability to know anything about @Stake government contracts. From what I can tell from conversations I have had with @Stake people, Gweeds' statement is false. Again, does he have any examples? I have interviewed with @Stake in the past and am pretty sure that they are not living off of lucrative government contracts - a simple phone call could also confirm this.
It would also seem that Gweeds is somehow connected to the "el8" crowd, as the following was taken from IRC recently (http://www.eurocompton.net/~fuk/el8.3.txt):
*snip* Oh it just keeps getting better: Six degrees of separation.. This is the whois info for gweeds on IRC this morning: gweeds (gweeds@ghettobox.eurocompton.net). Oh my goodness.. the hostnames match.. looks like Gweeds has a posse.
As you might know, the el8 crowd has made it their mission to attempt to destroy the so called whitehats. To them, the legitimate hackers are a threat to their zero days and their fun.
Is it just me or has the true hacker ethic always been about the quest to explore systems and gain knowledge?
"L0pht went in front of Congress and testified at the behest of NIPC and talked about how they could get into any network in the United States. The result is that NIPC got increased funds for cyber-defense and FBI got more funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security auditing contracts," Gweeds observed.
L0pht testified at the request of Senator Thompson's office. No one from NIPC ever spoke to them. They testified because they thought the citizens of the country needed to hear the truth about the security of governmental systems and the critical infrastructure. I would like to see some evidence to back up the statement that @Stake now enjoys federal security auditing contracts. Any tiny bit of evidence.
"They're making money, sure; but they're also increasing the reach of the Federal police state at the expense of fellow hackers who are being caught and put in jail."
So if there is no evidence then this second statement is clearly untrue.
So taken together these statements paint a picture that L0pht used its fame and knowledge to get in front of Congress so that they could get government contracts to help the government catch hackers. This is clearly bizarre. You would think if you were going to rewrite history so boldly that you would have sought out a comment from someone who was actually there.
[I was there, and Gweeds' characterization, while not strictly correct, is revealing and worthwhile -- tcg]
After reading your article it became important to me to express my perspective. I've sent it out to various channels, including the Security Focus forum related to the article (only time will tell if SF deems it acceptable for publishing in the forum) and Gweeds. It seemed appropriate to send it to you directly also. You should be aware that I am close friends with Gweeds, Sir Dystic, and almost all the members of the L0pht, and an actual member of The Cult Of The Dead Cow, so that my bias and motivations are understood. I think it's great that you focused on Gweeds' speech, as it was probably the most significant session that happened at h2k2. There are ripples in the net as a consequence of the talk, your article being part of those ripples. Anyways, here's what I have to say about it.
Over the past year I've spoken to many hackers who share a lot of the same sentiments that were expressed in "Black Hat Bloc or How I Stopped Worrying About Corporations and Learned to Love the Hacker Class War". However, it took Gweeds' courage to step up and lay it out to a live audience of hackers. I have to admit that I have been guilty of some of the same "exposure equals success" thoughts, and I have made attempts to join the big money computer security industry, unsuccessfully. Although, I would also have to say that my underlying intention was to make a career doing something I enjoy, hacking.
Gweeds didn't hold back in his talk. There was no innuendo. Names were named. I think some of those mentioned, like Chris Klaus, deserved to be exposed. The evidence exists in the original ISS code. However, I think others were unjustly accused. To the best of my knowledge, Sir Dystic does not work for Microsoft, but if he did, doesn't that make sense? Aren't we always saying that Microsoft lacks the skill or talent to do things right, especially when it comes to security? Couldn't we use someone like Sir Dystic on the inside, just like we have Andy Mueller-Maguhn on the inside at ICANN?
I think I need to shed some light on Sir Dystic's history, to set the record straight, even though I also feel it is an invasion of his privacy. Sir Dystic never cared for money. There was never any spark of greed in him. He doesn't own a BMW, a Mercedes... he drove around in an old minivan he borrowed from his parents. He doesn't own a house. He never made any millions from company stock. He never joined any company that appeared to have great prospects. He was expressing that the industry made him sick while Gweeds was still at Macromedia, earning one hell of a salary for a 20 year old, plus stock options. Sir Dystic was mostly unemployed through most of the "dot com years", only doing enough to get by, and only trying to find something that interested him. There were long periods of time that Sir Dystic didn't see his friends, but instead was sitting in front of his 2 year old computer doing research and coding. And what would he do with what he found? Did he use vulnerability extortion to line his pockets? Or parlay it into working for some big security firm? No. He shared it, openly. Even though most often I think in doing so it only caused him grief. Accusations of being unethical, and tons of email requesting tech support and warez that can be used to hack shit up! I think we should all implore Sir Dystic, and other hackers, to work at Microsoft. Maybe by being on the inside, change can be made. History has shown that Microsoft isn't going to go away; let's see if we can make it better. For me, if I saw that Microsoft was hiring our brethren, it would lend credence to their recent so called "Security Initiative".
I think it was also unfair to call to the forefront the jealousy-laden cry of "L0pht has sold out!" L0pht had no intentions of making a huge financial windfall through government contracts when they testified before Congress. It was an amazing feat to finally have a chance for hackers to be heard and respected for their way of thinking. L0pht made attempts to point out the straight truth about security flaws in the internet, the way government and commerce handle information (including yours) insecurely, and that software companies should be held accountable for the flaws in their expensive software. History shows that the L0pht continuously freely released information and software. I'll also take this opportunity to point out that many years ago, when each new vulnerability didn't make the news, L0pht tried to speak to vendors and companies about their security holes, and got harassment and threats in return. L0pht, at great risk to themselves, released the information to all, long before the term Full Disclosure became a hacking political tool. In so many ways, L0pht is a shining example of what it means to be hackers. For that, they deserve our respect, not our usual need to tear down our own heroes when we're done with them.
Although I think Gweeds was off target with his slings and arrows, those arrows were true. I feel that I don't deserve to name names, lest perhaps my own envy show through. However, I can speak of things in general terms.
The bugtraq Full Disclosure phenomenon comes to mind. Full Disclosure was originally a means to share knowledge openly, alert everyone to a possible flaw, and force the vendor to provide a patch. This has instead become, as Gweeds said, about bragging rights and resume fodder. Also, while some focus on the problem of unethical hackers' misuse of Full Disclosure, it is the security industry using this free information resource to fuel their own expensive proprietary software, while spreading the word that hackers are evil, that turns my stomach. The ultimate example of this has to be the recent over-zealous release of the Apache chunked encoding vulnerability.
I think that we do have to be concerned that our government is going down the wrong path again. Software companies are still not under pressure to promote quality and be liable for the lack of it. Instead of using technology to improve our lives and as a means to disseminate public information, it will be used to restrict our freedoms, and peer into our private lives. If software is made with fewer obvious well-known coding flaws, intelligent authentication schemes, and encryption, there should be no need for the government to spy on its own citizens.
The good and bad things that have come out of hacking involve people's motivation. We all have to explore our own motives and the motives of others, when it comes to hacking. There is nothing wrong with making a living doing something in the technology field, even in the security industry. It should be based on a love of technology, the desire to improve things, and fact-based honesty, rather than fear and materialism.
I have a couple comments about your article.
"Hackers now work to expose security flaws with the specific intention of selling out and obtaining funding to become a security company, he said."
Perhaps today that is true when you see s'kiddiots like PimpShiz going out and defacing sites then starting up his own security company but in the past this has never been the case. Today, you see a lot of high flash but low skill guys getting the money and yes, they are manipulating things but to compare these idiots with the true hackers and the true security professionals is offensive.
"Security lists like BugTraq become the matter for resume stuffing. Post to BugTraq, become a well-known gadfly on the list, and, like Sir Dystic, get a high-paying job at Microsoft. It's an interesting progression: post a fix to a bug, work on the resume, release some software and then get offered a good job," Gweeds noted with sarcasm.
Or like Gweeds, become an early Macromedia employee so that you can cash in on options and never have to work again. Who is he to point a finger at those of us who still have to work for a living? As someone who has been in senior hiring positions at a few security firms, there is no way in hell I would hire someone just based on Bugtraq posts. Of course if someone was to post a well thought out and well written advisory plus showed a high level of maturity when working with vendors his name is going to be remembered but it's the skill set that gets the job, not the "pimping".
"L0pht went in front of Congress and testified at the behest of NIPC and talked about how they could get into any network in the United States. The result is that NIPC got increased funds for cyber-defense and FBI got more funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security auditing contracts," Gweeds observed.
Was any of this even confirmed by you? When did L0pht go in front of Congress, and when did L0pht become @Stake? What specific government contracts is Gweeds talking about, and how would he even know what contracts @Stake has? I don't work for @Stake but I am in pretty constant contact with a lot of their people, and I am willing to bet you would hear a different story if you checked with them for a comment.
"They're making money, sure; but they're also increasing the reach of the Federal police state at the expense of fellow hackers who are being caught and put in jail."
Now this is outright FUD. The morons that are being caught and put in jail are not even considered hackers. Script kiddies at best. What is wrong with the idiots who deface web sites being caught anyways? What makes Gweeds think that L0pht should have some sort of allegiance with idiots? It's the job of a security professional to protect their employer's networks and respond accordingly to attacks.
"Gweeds also believes that the window between when an exploit is developed by the underground and publicly released is shrinking as hackers turned security-knights hasten to pad their resumes with proppies on BugTraq. This may be good for the computing public at large, but when the purpose of hacking is to liberate information which may well be of concern to the public, then it's just another sell-out."
I agree that the exploit window is shrinking and I even agree that there are a few unethical organizations out there that hack then chase the ambulance in order to get the work. But without proper proof is this just not more FUD? Gweeds couldn't find his ass with both hands let alone be able to talk about the security industry or what security professionals are doing. We have all heard the rumors of certain research groups going out and defacing sites then having their consulting arm make a cold call the next day -- but these are just rumors with no proof. I personally would love to see this proved especially with who is rumored to be doing it.
"BlackHat brings together CEOs and corporate security people and government and military people, to tell them why they need to spend money on security services and products. They then learn about intrusion techniques from hackers who are there essentially to frighten them."
It's not like the presentations at Blackhat are just high level doom and gloom scenarios that are designed to scare people. They are presentations on real risks that are really exploitable. How is this designed to scare money out of people? It is a forum to increase the awareness of the true risks. You know as well as I do from attending most of the BH/Defcons that if someone got up there and did a FUD presentation they would get chased out of the venue. Although this year I see iDefense is presenting, so we will see. :-)
The bottom line is, Gweeds sold you a bridge, he talks about nothing that he would even have the opportunity to offer evidence of and he is definitely in no position to point fingers when he himself sold out and cashed in on Macromedia.
Some consider me to be a hacker; I consider myself to be a pretty good IT guy that likes security and therefore works in the security area. Can you fault people like me for making a living? That would be like saying that Thomas C. Greene is a good writer but he has really sold out by writing for The Reg -- he should do it for free.
Of course, when was the last time you've heard of a hacker releasing internal memos indicating unsafe products, discrepancies between a company's SEC filing and its own accounts, dirty dealings with local property owners, or any other routine crimes of corporations? Not recently, eh?
Cynicism of the security industry is good and healthy, but please let's not give precious ink to such bullshit hacker mantras as "information wants to be free", which are nothing more than a lame excuse by pimpled kids and folks with no social skills to read your private email to a drug use mailing list and raid your porn image collection.
Gweeds is a bitter little psycho who can't handle the fact that he never got famous enough, so he gets up on stage in front of hundreds of people and makes a speech about RUMORS of people who TRIED TO BE HIS FRIENDS, rumors that he only even heard because some people, in a misguided attempt at human caring, think that he will ever be less of a lying, petulant shit than he is now. When he picked SD and the L0pht as targets, it had nothing to do with the reality of the security industry and everything to do with specific personal vendettas against people who think he's a raging asshole and want nothing to do with him.
I think that other respondents have said enough about his work history. I wonder if it was the deadening pace of cubicle life or the ability to live off the government and buy himself into whatever half-assed grimy underground scene will have him for well over a year that gave him the inner fire for his new crusade to destroy the private lives of the people on his personal enemies list in the guise of some kind of social crusade. There really ARE people working on positive, activist, subversive and cool projects, and a lot of them are the exact same people that gweeds saw fit to slam in his speech. Gweeds, and other lesser luminaries of hax0r scene shithead, are a poison on the whole culture (which is always going to be tangential to the actual business of security anyways), and are a sad secret of the scene for those of us who would try to make it more exciting.
I understand your desire to cover gweeds' speech; a self-directed contrary view like that is way rarer than it should be at cons. But the content and purpose of the speech were totally perverted by the intentions & general anti-social tendencies of their creator.