
16 July 2002
Updated: 02:40 EST
The Register
     _________________________________________________________________
   
   Gweeds gets killed
   By Thomas C Greene in Washington
   Posted: 07/16/2002 at 02:39 EST
   My recent item entitled "Security industry's hacker-pimping slammed"
   has generated damn few page hits but a vast flood of e-mail. What I
   reported, essentially, is that my boy Gweeds stood up at H2K2 this
   past weekend and excoriated the security establishment for selling out
   'old-fashioned' (possibly fictional) hacker ethics for a quick buck.
   But before we get to the dirt, which readers have supplied with glee,
   I should at least say this much:
   Gweeds' cynical angle on hacker sell-outs doesn't get enough play in
   the press, imho. It doesn't seem right that the public discussion
   should be so asymmetrical. I think it's healthy to play Devil's
   Advocate once in a while. That said, I believe I expressed a hint of a
   doubt that the blackhat community actually gives a rat's ass about
   social issues:
"The rush to publish and take credit for discovering and patching a
new exploit hobbles the positive efforts of blackhats with a social
conscience (though admittedly no one knows how big a category that
is)."
   It would be cool if that category would grow -- assuming it contains
   at least one, that is....
   I never said that I believe what Gweeds claimed about @Stake or SD. I
   reported what he said, and said that I liked it. That's not to say
   that I believed it.
   Regardless of Gweeds' foibles, I maintain that his argument is worth
   presenting in The Register. Where else will you find stuff like that,
   after all?
   And finally, I have no loyalties other than my own, which are
   well-known to our beloved readers. I loathe Microsoft, adore Linux,
   loathe Feds, adore soldiers, loathe cops, adore firefighters, and
   would be delighted beyond expression to beat John Ashcroft, Billy
   Rehnquist and Little Dubya to death with a tightly-rolled-up copy of
   the Bill of Rights.
   And as for Gweeds, who suddenly seems quite easy to ignore in context
   of Presidents and Attorneys General and Supreme Court Chief Justices,
   I'll still gladly tear him a new one if the dirt sticks. Which it very
   well might.... 
     _________________________________________________________________
   
Gweeds and Sir Dystic have a past - and there are many stories
floating around about a feud between Gweeds and Sir Dystic over
NewHackCity, a site Gweeds screwed up and is no longer. Are you sure
that Sir Dystic works for MS? Or are you taking Gweeds' word for it?
Something tells me that MS wouldn't go and hire the programmer of BO
knowingly. Nor would "programmer of BO, member of cDc" look all that
good on a resume.
If you do a search of the Bugtraq archives (I used both SecurityFocus'
archive and Neohapsis) you will find only one post by Sir Dystic to
the mailing list and it's not even a security advisory.
L0pht was invited to speak to Congress by Senator Thompson, not NIPC.
I've read some of the L0pht testimony and have yet to see any FUD in
it. Does Gweeds have any examples?
Gweeds does not have the ability to know anything about @Stake
government contracts. From what I can tell from conversations I have
had with @Stake people, Gweeds' statement is false. Again, does he have
any examples? I have interviewed with @Stake in the past and am pretty
sure that they are not living off of lucrative government contracts -
a simple phone call could also confirm this.
   It would also seem that Gweeds is somehow connected to the "el8" crowd
   as the following was taken from IRC recently
   (http://www.eurocompton.net/~fuk/el8.3.txt)
*snip* Oh it just keeps getting better: Six degrees of
separation..This is the whois info for gweeds on IRC this morning
gweeds (gweeds@ghettobox.eurocompton.net). Oh my goodness..the
hostnames match..looks like Gweeds has a posse.
   As you might know, the el8 crowd has made it their mission to attempt
   to destroy the so called whitehats. To them, the legitimate hackers
   are a threat to their zero days and their fun.
   Is it just me or has the true hacker ethic always been about the quest
   to explore systems and gain knowledge?
     _________________________________________________________________
   
   "L0pht went in front of Congress and testified at the behest of NIPC
   and talked about how they could get into any network in the United
   States. The result is that NIPC got increased funds for cyber-defense
   and FBI got more funding to fight cyber crime. And now L0pht (@Stake)
   enjoys federal security auditing contracts," Gweeds observed.
   L0pht testified at the request of Senator Thompson's office. No one
   from NIPC ever spoke to them. They testified because they thought the
   citizens of the country needed to hear the truth about the security of
   governmental systems and the critical infrastructure. I would like to
   see some evidence to back up the statement that @Stake now enjoys
   federal security auditing contracts. Any tiny bit of evidence.
   "They're making money, sure; but they're also increasing the reach of
   the Federal police state at the expense of fellow hackers who are
   being caught and put in jail."
   So if there is no evidence then this second statement is clearly
   untrue.
   So taken together these statements paint a picture that L0pht used its
   fame and knowledge to get in front of Congress so that they could get
   government contracts to help the government catch hackers. This is
   clearly bizarre. You would think if you were going to rewrite history
   so boldly that you would have sought out a comment from someone who
   was actually there.
   [I was there, and Gweeds' characterization, while not strictly
   correct, is revealing and worthwhile -- tcg]
     _________________________________________________________________
   
   After reading your article it became important to me to express my
   perspective. I've sent it out to various channels, including the
   Security Focus forum related to the article, and only time will tell
   if SF deems it acceptable for publishing in the forum, and Gweeds. It
   seemed appropriate to send it to you directly also. You should be
   aware that I am close friends with Gweeds, Sir Dystic, and almost all
   the members of the L0pht, and an actual member of The Cult Of The Dead
   Cow, so that my bias and motivations are understood. I think it's
   great that you focused on Gweeds' speech, as it was probably the most
   significant session that happened at h2k2. There are ripples in the
   net as a consequence of the talk, your article being part of those
   ripples. Anyways, here's what I have to say about it.
   Over the past year I've spoken to many hackers who share a lot of the
   same sentiments that were expressed in "Black Hat Bloc or How I
   Stopped Worrying About Corporations and Learned to Love the Hacker
   Class War". However, it took Gweeds' courage to step up and lay it out
   to a live audience of hackers. I have to admit that I have been guilty
   of some of the same "exposure equals success" thoughts, and I have
   made attempts to join the big money computer security industry,
   unsuccessfully. Although, I would also have to say that my underlying
   intention was to make a career doing something I enjoy, hacking.
   Gweeds didn't hold back in his talk. There was no innuendo. Names were
   named. I think some of those mentioned, like Chris Klaus, deserved to
   be exposed. The evidence exists in the original ISS code. However, I
   think others were unjustly accused. To the best of my knowledge, Sir
   Dystic does not work for Microsoft, but if he did, doesn't that make
   sense? Aren't we always saying that Microsoft lacks the skill or
   talent to do things right, especially when it comes to security.
   Couldn't we use someone like Sir Dystic, on the inside, just like we
   have Andy Mueller-Maguhn on the inside at ICANN?
   I think I need to shed some light on Sir Dystic's history, to set the
   record straight, even though I also feel it is an invasion of his
   privacy. Sir Dystic never cared for money. There was never any spark
   of greed in him. He doesn't own a BMW, a Mercedes,.. he drove around
   in an old minivan he borrowed from his parents. He doesn't own a
   house. He never made any millions from company stock. He never joined
   any company that appeared to have great prospects. He was expressing
   that the industry made him sick while Gweeds was still at Macromedia,
   earning one hell of a salary for a 20 year old, plus stock options.
   Sir Dystic was mostly unemployed through most of the "dot com years",
   only doing enough to get by, and only trying to find something that
   interested him. There were long periods of time that Sir Dystic didn't
   see his friends, but instead was sitting in front of his 2 year old
   computer doing research and coding. And what would he do with what he
   found? Did he use vulnerability extortion to line his pockets? or
   parlay it into working for some big security firm? No. He shared it,
   openly. Even though most often I think in doing so it only caused him
   grief. Accusations of being unethical, and tons of email requesting
   for tech support and warez that can be used to hack shit up! I think
   we should all implore Sir Dystic, and other hackers to work at
   Microsoft. Maybe by being on the inside, change can be made. History
   has shown that Microsoft isn't going to go away, let's see if we can
   make it better. For me, if I saw that Microsoft was hiring our
   brethren, it would lend credence to their recent so called "Security
   Initiative".
I think it was also unfair to call to the forefront the jealousy-laden
cry of "L0pht has sold out"! L0pht had no intentions of making a huge
   financial windfall through government contracts when they testified at
   congress. It was an amazing feat to finally have a chance for hackers
   to be heard and respected for their way of thinking. L0pht made
   attempts to point out the straight truth about security flaws in the
   internet, the way government and commerce handles information
   (including yours) insecurely, and that software companies should be
   held accountable for the flaws in their expensive software. History
   shows that the L0pht continuously freely released information and
   software. I'll also take this opportunity to point out that many years
   ago, when each new vulnerability didn't make the news, L0pht tried to
   speak to vendors and companies about their security holes, and got
   harassment and threats in return. L0pht, at great risk to themselves,
   released the information to all, long before the term Full Disclosure
   became a hacking political tool. In so many ways, L0pht is a shining
   example of what it means to be hackers. For that, they deserve our
   respect, not our usual need to tear down our own heroes when we're
   done with them.
   Although, I think Gweeds was off target with his slings and arrows,
   those arrows were true. I feel that I don't deserve to name names,
   lest perhaps my own envy show through. However, I can speak of things
   in general terms.
   The bugtraq Full Disclosure phenomenon comes to mind. Full Disclosure
   which was originally a means to share knowledge openly, alert everyone
   to a possible flaw, and force the vendor to provide a patch. This has
   instead become, as Gweeds said, about bragging rights and resume
   fodder. Also, while some focus on the problem of unethical hackers
   misuse of Full Disclosure, it is the security industry using this free
   information resource, to fuel their own expensive proprietary
   software, while spreading the word that hackers are evil, that turns
   my stomach. The ultimate example of this has to be the recent
   over-zealous release of the Apache chunked encoding vulnerability.
   I think that we do have to be concerned that our government is going
   down the wrong path again. Software companies are still not under
   pressure to promote quality and be liable for the lack of it. Instead
   of using technology to improve our lives and as a means to disseminate
   public information, it will be used to restrict our freedoms, and peer
into our private lives. If software is made with less obvious
well-known coding flaws, intelligent authentication schemes, and
encryption, there should be no need for the government to spy on its
own citizens.
   The good and bad things that have come out of hacking, involve
   people's motivation. We all have to explore our own motives and the
   motives of others, when it comes to hacking. There is nothing wrong
   with making a living, doing something in the technology field, even in
   the security industry. It should be based on a love of technology, the
   desire to improve things, and fact-based honesty, rather than fear and
   materialism.
     _________________________________________________________________
   
   I have a couple comments about your article.
   "Hackers now work to expose security flaws with the specific intention
   of selling out and obtaining funding to become a security company, he
   said."
   Perhaps today that is true when you see s'kiddiots like PimpShiz going
   out and defacing sites then starting up his own security company but
   in the past this has never been the case. Today, you see a lot of high
   flash but low skill guys getting the money and yes, they are
   manipulating things but to compare these idiots with the true hackers
   and the true security professionals is offensive.
"'Security lists like BugTraq become the matter for resume stuffing.
Post to BugTraq, become a well-known gadfly on the list, and, like Sir
Dystic, get a high-paying job at Microsoft. It's an interesting
progression: post a fix to a bug, work on the resume, release some
software and then get offered a good job,' Gweeds noted with sarcasm."
   Or like Gweeds, become an early Macromedia employee so that you can
   cash in on options and never have to work again. Who is he to point a
   finger at those of us who still have to work for a living? As someone
   who has been in senior hiring positions at a few security firms, there
   is no way in hell I would hire someone just based on Bugtraq posts. Of
   course if someone was to post a well thought out and well written
   advisory plus showed a high level of maturity when working with
   vendors his name is going to be remembered but it's the skill set that
   gets the job, not the "pimping".
"'L0pht went in front of Congress and testified at the behest of NIPC
and talked about how they could get into any network in the United
States. The result is that NIPC got increased funds for cyber-defense
and FBI got more funding to fight cyber crime. And now L0pht (@Stake)
enjoys federal security auditing contracts,' Gweeds observed."
Was any of this even confirmed by you? When did L0pht go in front of
Congress and when did L0pht become @Stake? What specific government
   contracts is Gweeds talking about and how would he even know what
   contracts @Stake has? I don't work for @Stake but I am in pretty
   constant contact with a lot of their people and I am willing to bet
   you would hear a different story if you checked with them for a
   comment.
   "They're making money, sure; but they're also increasing the reach of
   the Federal police state at the expense of fellow hackers who are
   being caught and put in jail."
   Now this is outright FUD. The morons that are being caught and put in
   jail are not even considered hackers. Script kiddies at best. What is
   wrong with the idiots who deface web sites being caught anyways? What
   makes Gweeds think that L0pht should have some sort of allegiance with
idiots? It's the job of a security professional to protect their
employer's networks and respond accordingly to attacks.
   "Gweeds also believes that the window between when an exploit is
   developed by the underground and publicly released is shrinking as
   hackers turned security-knights hasten to pad their resumes with
   proppies on BugTraq. This may be good for the computing public at
   large, but when the purpose of hacking is to liberate information
   which may well be of concern to the public, then it's just another
   sell-out."
   I agree that the exploit window is shrinking and I even agree that
   there are a few unethical organizations out there that hack then chase
   the ambulance in order to get the work. But without proper proof is
   this just not more FUD? Gweeds couldn't find his ass with both hands
   let alone be able to talk about the security industry or what security
   professionals are doing. We have all heard the rumors of certain
   research groups going out and defacing sites then having their
   consulting arm make a cold call the next day -- but these are just
   rumors with no proof. I personally would love to see this proved
   especially with who is rumored to be doing it.
"'BlackHat brings together CEOs and corporate security people and
government and military people, to tell them why they need to spend
money on security services and products.' They then learn about
intrusion techniques from hackers who are there essentially to
frighten them."
It's not like the presentations at Blackhat are just high level doom
   and gloom scenarios that are designed to scare people. They are
   presentations on real risks that are really exploitable. How is this
   designed to scare money out of people? It is a forum to increase the
   awareness of the true risks. You know as well as I do from attending
   most of the BH/Defcons that if someone got up there and did a FUD
   presentation they would get chased out of the venue. Although this
   year I see iDefense is presenting so we will see. :-)
   The bottom line is, Gweeds sold you a bridge, he talks about nothing
   that he would even have the opportunity to offer evidence of and he is
   definitely in no position to point fingers when he himself sold out
   and cashed in on Macromedia.
   Some consider me to be a hacker, I consider myself to be a pretty good
   IT guy that likes security and therefore works in the security area,
   can you fault people like me for making a living? That would be like
   saying that Thomas C. Greene is a good writer but he has really sold
   out by writing for The Reg -- he should do it for free.
     _________________________________________________________________
   
   Of course, when was the last time you've heard of a hacker releasing
   internal memos indicating unsafe products, discrepancies between a
   company's SEC filing and its own accounts, dirty dealings with local
   property owners, or any other routine crimes of corporations? Not
   recently, eh?
   Cynicism of the security industry is good and healthy, but please
   let's not give precious ink to such bullshit hacker mantras as
   "information wants to be free", which are nothing more than a lame
   excuse by pimpled kids and folks with no social skills to read your
   private email to a drug use mailing list and raid your porn image
   collection.