HacK, CouNterHaCk

The members of L0pht can knock you off line, steal your credit-card numbers and cut off the power for your whole neighborhood. But they'd like you to think they're the good guys. By BRUCE GOTTLIEB Photographs by DANA SMITH




"Would you like to see how to knock someone off the Web?" Silicosis asks.

Sili, as he is known, is a slim young man with serious eyes set deeply into a delicate face. He's the newest member of a hacker collective known as L0pht (pronounced "loft"). He becomes visibly uncomfortable when asked to talk about himself. He gives his age as "mid-20's" and then clams up. But when the conversation moves to hacking, Sili turns voluble: "I think it's a thrill to look at a program and figure out how to make that program do something that it was never designed to do in the first place. There's the challenge."

We sit down at a computer monitor while Sili explains his latest discovery. By mimicking messages that typically flow between computers on a network, he can reach out to almost anyone running Windows 95, 98 or 2000 in a large corporate environment, or anyone using a cable modem, and forcibly disconnect them from the Web. In a demonstration of this, he types a one-line command on his computer and hits the return key with a flourish. Sure enough, the computer across the room, which seconds before had been connected to M.I.T.'s server, is now off line. The same technique, Sili explains, can be used to take information flowing between the Web and your neighbor's computer and reroute it into your own. A clever hacker could capture a neighbor's banking transactions, passwords or credit-card information.

Sili published his research on L0pht's Web site in mid-August. The report was covered in the computer publication Infoworld and the on-line magazine ZDNet. At the time, a Microsoft spokesman, instead of denouncing L0pht, expressed the hope to reporters that the group would "design a more secure version of the protocol" -- a hackerproof set of operating instructions for the computer.

This request strikes Sili as especially outrageous. "Why doesn't Ralph Nader just redesign the Corvair?" he asks.

Nader is something of a role model at L0pht, a confederation of eight young hackers who position themselves, incredibly enough, as a consumer-advocacy group. But L0pht's tactics are a bit unorthodox: breaking into software systems and then posting instructions on how to do so on the Web, where they can be picked up by software designers and malicious hackers alike. Intrigued, I paid a visit to their workshop.

L0pht's "laboratory" is the second floor of a ramshackle warehouse in suburban Boston. Predictably, the door to the lab has a sign for the pizza man -- "Domino's Knock Loudly."

The eight men who make up L0pht allow themselves to be identified only by their screen names: Dr. Mudge, Space Rogue, Dildog, Brian Oblivion, Kingpin, Silicosis, Weld Pond and John Tan. They look to be in their 20's or 30's, but their six-room suite is an adolescent geek's fantasy clubhouse. One wall is papered with antiquated circuit boards while another has a signed picture from Julie, Penthouse Pet. Junk food in the cupboard is taken seriously. There are three different kinds of Cheez-Its: hot and spicy, plain and white cheddar.

The warehouse brims with more than 200 computers ranging from state-of-the-art Sun and Digital workstations to nostalgia pieces like Commodore 64's and Apple IIe's. Black cables, yellow cables and jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in to steel racks of oscilloscopes, radio transmitters, D.S.L. modems, I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna. The warehouse also contains several small-scale dummy computer networks.

L0pht's "research" consists of trying to break into these internal systems. Upon discovering a security flaw in commercial-network software, the L0phties publish an advisory on their Web site. The advisory is a double-edged sword: a detailed description of the flaw — enough information for other hackers to duplicate the "exploit" — and a solution that tells network administrators how to close the loophole.

L0pht's unorthodox methods have garnered praise from very unlikely quarters. Sixteen months ago, L0pht appeared before the Committee on Governmental Affairs of the United States Senate. Senator Fred Thompson introduced L0pht not as a "gang" nor even a "group," but, translating for Washington pols, as a "hacker think tank."

L0pht wowed the committee by reeling off an alarming list of security holes in public and private systems. After the presentation, Senator Lieberman gushed, "It is probably not what you came to hear, but actually, I think you are performing an act of very good citizenship and I appreciate it." Lieberman went on to compare L0pht, in a single sentence, to both Rachel Carson and Paul Revere. "You are performing a valuable service to your country," Thompson added, "and we appreciate that and want you to continue."

The National Security Council is equally bullish on L0pht. I met the N.S.C.'s director of information protection, Jeffrey Hunker, at Defcon, an annual three-day "conference" attracting more than 2,000 computer hackers from around the country. Hunker had come to talk about President Clinton's initiatives on computer security (and to spy on hackers, if you believe the whispers). He surprised me by raving about the group's technical sophistication. "L0pht has carved out an interesting niche for itself," he added, "and for similar-minded people — white-hatted hackers. Their objective is basically to help improve the state of the art in security and to be a gadfly, so to speak — to identify products that have vulnerabilities and make certain those vulnerabilities get fixed."

When I told L0pht about Hunker's comments, they rolled their eyes, saying, "You're not going to publish that, are you?"

For one thing, they had no wish to be identified as favorites of the N.S.C., since that might jeopardize their standing among so-called black-hat, or malicious, hackers. "We are all extremely ethical and moral," one member allowed, "but we're not white-hat hackers. We have our own moral and ethical standards" — the term is gray-hat.


The L0pht boys, from left: Silicosis, Brian Oblivion, John Tan, Mudge, Kingpin (standing), Space Rogue (front), Weld Pond and Dildog.

It's not hard to spot the reasons for the moral ambiguity. In their off hours, Mudge and Dildog are members of Cult of the Dead Cow, a black-hat hacker group that recently released Back Orifice 2000 (bo2k), a computer program that enables a hacker to control another computer from afar. (The name is a crude play on Microsoft's Back Office Server, a program that allows a legitimate administrator to, among other things, control another computer on a network.) But unlike Back Office, bo2k is "invisible," meaning that a hacker can spy on another user, even change files, without the user's knowledge. Dildog, one of bo2k's authors, euphemistically describes it as "a shy program." Jason Garms, the former head of Microsoft's security-response team, is a bit more direct, labeling bo2k "a malicious program, with malicious intent."

Perhaps because of their ties to the black-hat community, L0pht members refuse to be identified, although they will let themselves be photographed. As Space Rogue explains (and any hacker knows), pictures are next to useless if you're trying to dig up private data on someone.

When L0pht testified before the Senate, members would not accept checks for hotel and travel expenses. As with members of the Witness Protection Program who have come before the Senate, they were reimbursed with cash. Senator John Glenn even signed pictures — with the group's screen names: "To Dr. Mudge. . . . To Space Rogue. . . . To Weld Pond."

"Open up the raincoat to expose all the little parts," is how Mudge, smiling, describes L0pht's ethos. Mudge will not disclose his age, but mid-30's seems a good guess. He claims a college degree in music with further course work in computer science. Mudge says that early experimenting with computers led to informal warnings from certain "three-letter agencies." He wears his hair below his shoulders, sports a goatee and favors faded jeans and a T-shirt. In his Senate testimony he claimed to have given training seminars at NASA and the National Security Agency.

Mudge frankly admits that he'll answer anyone's technical questions about hacking. "If a black hat approaches us and says, Hey, this is the project or problem I'm looking at . . . we'll talk to them, no problem. And if a government agency approaches us and says, How do you do this, or, How does this work, we'll talk to them."

Of course, this laissez-faire attitude has its costs. Mudge says: "Full disclosure is something we had to grapple with for a long time. The flip side is that critics say, 'You're giving people tools that can actually do bad things.' That is absolutely true. It's got a lot of nasty side effects."

For instance: last December, a hacker magazine called Phrack disclosed a flaw in a network program called Cold Fusion. (Network programs help manage computers that are linked together.) In April of this year, Weld Pond — an older, thoughtful L0pht programmer — discovered a second, more serious way to exploit the flaw.

Weld immediately published an advisory on L0pht.com prescribing a fix. Weld's report also contained enough detail to explain the flaw to so-called "script kiddies" — young, malicious hackers with limited technical expertise who are among the most avid readers of L0pht's advisories. In the span of three weeks, according to PC Week, hackers inserted bogus text and images on at least 100 Cold Fusion systems, including those of NASA, the Army and the National Oceanic and Atmospheric Administration.

So why didn't L0pht contact Allaire, the small Cambridge, Mass., software firm that makes Cold Fusion, before releasing an advisory? The reason, say Weld and the other L0phties, is that vendors usually sweep tips from hackers under the rug. Vendors, claims L0pht, don't want customers to think software has flaws. "We were trained by the vendors to go public," says Mudge, "to give them a black eye."

With an attitude like this, it's tempting to blame Weld Pond, especially since L0pht's advisory led to more security breaches than would have occurred had nothing ever been reported. It's not enough to claim, as Weld does, that "We try to stay somewhat neutral — we're not on the vendor's side, we're not on the hacker's side. When we release the tools, they can be used for good or bad. It's up to the individuals to have morals."

Mudge is currently writing a paper on a longtime hobbyhorse of his: the vulnerability of electrical power grids to hacker attacks. While the computers that control these power grids are not directly connected to the Internet, Mudge thinks a hacker could still turn out the nation's lights because utility companies have left the keys to their computers under the proverbial doormat.

Mudge tells me that careless utility employees often put internal documents on public servers — perhaps to access them from home or while on the road. Sometimes, Mudge claims, the documents explain how to access the central computers. Central computers "might have no attachment to the Internet," he says, "other than the fact that somebody put up a document on the Internet describing how to get to it and how to use it." Mudge pauses. "Well, that's just as good."

Mudge has written a program to scan utility companies' Web sites for words like "confidential" or "password." "I'm not breaking any laws by doing this, I'm just grabbing public stuff," he is quick to point out. "They don't realize that they're putting it up there for the world to see."

He shows me a file downloaded from a large utility company that contains a presentation on company security. Next he opens a file full of phone numbers from another utility company. "It sounds almost science-fictionist," he cautions, "but with these numbers here I'd be able to turn off their entire grid." The phone numbers, he explains, connect to modems linked to the central switches that determine where electricity flows. "If I don't publish this information," Mudge claims, "someone else will come along and do the same thing, with less ethical goals. Now you can see a situation where people are dying because of these corporations' stupidity. At that point, who's to blame?"

Given the stakes, Mudge intends to relax his commitment to so-called full disclosure. "It's uncool," he says, for utility companies to "learn about a problem by reading it in the newspaper." That's why he plans to alert companies in advance, so they can close vulnerabilities before the news is made public on L0pht's Web site.

Like Nader, the L0pht members can get a bit preachy on the subject of ethics. "Any of us could leave L0pht right now and take six-figure jobs," Mudge says. "The fact that we don't and we're on the ramen-noodle, mac-and-cheese diet, that speaks for our ethics right there. It's not a job for us; this is what drives us through life."


While Mudge's self-righteousness may be justified up to a point, there are also more prosaic reasons for working at L0pht. Freedom to do whatever you want, for instance. Silicosis and Brian Oblivion are installing a motor-driven satellite dish on the warehouse roof. They hope to capture ground-to-space communications from the Space Shuttle and high-resolution images of the earth broadcast from satellites. The justification? It's cool. Silicosis adds, "It impresses my girlfriend."

Space Rogue — a sort of young Archie Bunker figure, to the extent that an Archie Bunker figure can be young — sticks closer to earth when asked how he ended up at L0pht. "I did one semester in college, said the hell with this and got out. Controlled learning environments have never been my strong point." L0pht gave him a place to pursue projects at his own pace.

Mostly, Space Rogue seems to like L0pht for the camaraderie. "I moved to Boston in 1990," he says, "and I almost immediately met all these people on line on local bulletin boards. L0pht started shortly thereafter in fall '91. So I'd already known these people awhile, even face to face. The on-line world at the time was very small."

Mudge recalls that the group took off when members moved their computers from their living rooms to a small loft space in Boston. (All but one of the founders, Brian Oblivion, have since left.) L0pht soon added members and moved to a larger suburban warehouse four years ago. It has also started a consulting business on the side called L0pht Heavy Industries.

L0pht is not without critics, of course. "While L0pht puts on the Robin Hood mantle of fighting the big computer companies," a senior programmer at Microsoft tells me, "their only victims are the little people that are customers" — the people who purchase products like Windows 2000.

Microsoft has been on the business end of several L0pht advisories, most notably when Mudge and Weld demonstrated how to decrypt passwords from computers running Microsoft's NT operating system. Jason Garms, the former head of Microsoft's security-response team, admits that hackers have a role in creating secure software. But he's wary of the Darwinian notion that hackers will, by actively looking for flaws, expose inferior products. He likens it to improving public safety by painting a target on everyone's head.

I mentioned Garms's criticism to the L0pht members, who were equally dismissive. If gray-hat hackers stopped searching for vulnerabilities, L0pht believes, a black-hat hacker would find them sooner or later. It's better to get rid of flaws than hope no one finds them. The N.S.C.'s Hunker shares this belief — "the hackers are already out there" — which is why he applauds L0pht for keeping vendors honest.

The senior Microsoft programmer also warns that Mudge and his colleagues, for all their highfalutin apologia, are motivated mostly by naked ego: "I am certain," he says, "that the primary motivation of these people is simple self-gratification and justification."

I asked the L0pht members whether ego played a part in their ethical reasoning. Weld Pond replied that, by assuming pseudonyms, they more or less deny themselves the benefits of celebrity. "When I walk down the street," he says, "no one knows I'm Weld Pond."

But at Defcon, the annual hacker convention, it was quite clear that everyone knew Weld, Mudge, Space Rogue and Dildog. L0pht members have become, as Mudge notes wryly, "rock stars of the computer underground." That they help malicious hackers as well as the Feds and big business hasn't hurt their popularity among the outlaws.

On the other hand, L0pht's poorly hidden hunger for the spotlight shouldn't obscure the truly fascinating work they've done. Socially important research is perfectly compatible with, and perhaps inseparable from, love of celebrity, as James Watson has made admirably clear. Say what you will, there is no denying that L0pht's advisories have improved computer security even as they have harmed corporations and government agencies.

No one doubts that information security is going to become an increasingly critical topic as the ordinary economy moves into the digital age. In their grander moments, L0pht's members hope to become digital Ralph Naders, making sure that the software behind the transition is as safe as manufacturers say.

The idea of eight computer hackers in a dingy warehouse insuring the safety of the information age may sound a little farfetched. But sometimes hackers eventually direct their curiosity toward laudable ends. Take, for example, the two young hackers who engineered a small blue box in the early 1970's that allowed free long-distance calls when placed near a telephone receiver. The two enterprising techies went door to door in the Berkeley dorms, selling the devices. Their names? Steve Jobs and Steve Wozniak, future founders of Apple Computer.

Bruce Gottlieb was a staff writer at Slate magazine until enrolling in Harvard Law School this fall.


New York Times Magazine
October 03, 1999
Copyright 1999 The New York Times Company