Interviews: We Have 2! 1st, L0pht Heavy Industries

Yes, it's "year-end double-bonus interview week" on Slashdot. First, L0pht Heavy Industries. Yes, the world's most publicized infosec group, the one trotted out by TV and other mainstream media reporters whenever they want pithy (but authoritative) quotes about hacking and cracking and that sort of thing. The L0pht guys have heard all the (ho-hum) obvious questions already. They expect extra-smart ones from you, and we don't doubt for a second that you'll provide them. ;-) One question per post, please.

Shutting down the Internet

You said in an interview that it's possible to shut down all the Internet. How you possibly might do that? With a DoS attack in some routers or by taking command of some servers in the principal backbones of the USA?

Y2k Hacking

Do you agree with the President's plea to cease hacking activities for Y2K, and do you think it will have an adverse affect?

"Those [filthy|pagan|heathen|whiny] americans, I'll show them....."

Which do you consider more dangerous

Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

----

Private wireless networks

The L0pht has been involved in independent wireless networking reasonably heavily. What do you see as the most important discoveries/protocols/designs for the next few years? Do you forsee an opportunity for the hardware hacking community to open up the airwaves in the same way Linux & OSS has opened up operating systems and tools?

Distributed Computing

Moore's law is that computing power doubles every eighteen months. At the same time, parallel processing and distributed computation ( Cosm [mitrhal.net] & Distributed.net [distributed.net]) are becoming increasingly common. This leads to an abundance of cheap computing power, enabling brute force attacks on secure systems. In light of these developments, do you see username/password pairs being replaced by anything more resistant to such brute computing force?

Re:Shutting down the Internet

That one's easy. Very few routers have authoritive checks set up. Simply fire up a router such as gated and have it inject false routes into the net. Have the backbone located at the South Pole, for instance.

The UK network's been crashed dozens of times, by this. Usually by poor network administration, or faulty software, but that's just details. What an admin can do through ignorance, I'm sure crackers could do by design.

The net: strip mall or unlimted human potential?

The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

A quickish question

The Internet is fragmenting (eg: IPv4 vs. IPv6, Internet 2) and those parts that do have any awareness of security are now beginning to take it seriously (eg: IPSec, SSH). Many other parts are brain-dead, insecure and incoherent.

How do you see things evolving, from this unholy mess?

A question about L0pht constituents:

What are the non-computer hobbies of the l0pht crew?

I suppose that this is a sort of "celebrety interview" question, but I'm curious.

Defensive Design Methodologies

I read something to the gist of this recently:

"The difficulty with computer security is that programmers write code to allow a course of action, not to prevent another. In order
for computer security to become a reality, the design methodology must be changed."

Any programmer worth their check does program defensively. Certain languages support the writing of "safe code" more easily than others. It requires less fore-thought to program defensively in Java than it does in C. The results, however, will not be as fine tuned.
Any methodology for designing and producing safe code must take this, the experience of those implementing it, the environments the product could be used int, into account. L0pht has compromised many designs. Have you seen any design/impl (hardware or software) methodologies that yield more secure results than others? Could you give reference to them?

In my experience, it has always been a matter of refinement. Security is relative.

Windows API

If the windows API was opened because of the DOJ trial, what would you do?

A) Exploit every weakness from here to kingdom come, thereby propelling linux to the forefront.

B) fix everything and tell microsoft so they can make the changes show up in a new release

C) Do A) and grin real big and giggle lots

D) Other | Please Specify ___________________

How's the wireless 'net project going?

I was digging around the l0pht web site one day and read up on the wireless project you guys were doing trying to make use some old UHF equipment and seeing how far you could spread a free wireless network. So what's the current status of that project?

Security Lint

For assurance, before installing software on a secure-as-plausible machine, I would love to have an automated for security problems, such as buffer overflows. So, how is the development of SLINT [l0pht.com] progressing? Are you still planning to release it?

Internet Worm II

Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

Regards,
Ben

Proper NT rootkit.

Hi guys,
Any plans to write a proper Win2K/NT rootkit (the kind that was published on Phrack a while back - that replaces or adds to the actual calls in the win32 ring 0 system with its own) soon ?

Reply to this letter.

This letter was recently published in the columbus dispatch [dispatch.com] (Ohio's greatest home newspaper....yea right). What would your response be to this person?

Letter to the editor: Opening windows could let bad guys do a lot of damage Saturday, December 25, 1999

I was amazed to see that the Clinton administration, in its initial victory over Microsoft, wants the source code to Windows to be made public. I'm sure it will follow up with a demand that all banks publish the combinations to their safes and freely distribute keys to both their front and back doors. Perhaps they will make banks install a large button so visitors can disable all alarms.

Making the world safe for bank robbers would be a lot better than making Windows' source code public. The year 2000 problem is nothing compared to what a hacker could do with the code to Windows.

The anti-virus software today depends on two primary tests to find a virus: the Cyclic Redundancy Checksum and file size. A virus attaches itself to a program and runs when the program runs.

Rather than get into a complex technical discussion, let us just say every computer file has a fingerprint. If a virus is attached, the file's fingerprint changes. An anti-virus program just looks for the fingerprints left by the virus. However, if one has the source code to Windows, a file with a virus can be made with the same fingerprint as a file without the virus.

Even worse, the operating system, instead of being the virus cop, becomes the virus enabler. Imagine a world where half the people in uniform are trying to rob you and where dialing 911 brings a band of serial killers to your door.

Such a virus would be very, very difficult to fight. Police try to catch such people by tracing who benefits. But when the goal is revenge and not profit, it gets tough to catch the bad guys. If you think catching the Unabomber was time consuming, this would make the search for the Unabomber look very fast, indeed.

So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances. Someone whose name starts with an A gets Z's balances. Throw credit cards into that mix, and there could be real fun. Maybe some hacker would find it fun to pay off everyone's property taxes. I'll bet everyone who had not paid his tax would tell the truth and pay up voluntarily, wouldn't they?

Every programmer I have ever met has always left himself a back door into every system he writes. Does anyone want to bet Microsoft does not have a back door to its software? Does anyone believe that if the judge makes Microsoft publish the source code, Bill Gates would remove the back door before publishing it? He would not dare. The judge might put him in jail for modifying the code. Couldn't have that now, could we?

If he would leave it in, every highly skilled programmer would have a key to everything running on Microsoft software. We can rest assured that every hacker is totally honest, can't we? And with the Internet, those hackers would all be in places where Americans are loved, such as Belgrade, Yugoslavia, and Baghdad, Iraq, for example.

Some hacker might even have fun with a newspaper, such as removing the names of everyone who is a subscriber and replacing them with the names of people who are not. Did I mention court records, employment records, child support records?

All Microsoft bashers in and out of government should beware. It looks like they are going to get what they wished for.

Ray Malone

MBS Software

Chillicothe, Ohio

The Public's Perception of Hacking

First, I should probally preface this by saying that while I don't consider myself to be a hacker, I have been a geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselve.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

Thanks!

security of capability-based operating systems

What do you think of capability-based systems, such as EROS [eros-os.org]? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?
--
"But, Mulder, the new millennium doesn't begin until January 2001."

Security Through...Unpredictability?

L0pht Crew:

Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than a expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursing, for various reasons?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

P.S. First poster to make a crack about modulating the shield harmonics is gonna get a pie in the face ;-)

Future of Hardware Hacking?

Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

1) Wireless.

Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

• when do we get to see some hardware projects to build, or is it the case that - due to regulatory restrictions on what can and cannot be transmitted on US airwaves - work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready :-)

2) The future of hardware hacking.

With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace a [PROM|EPROM|EEPROM|PIC|FPGA] with one with the following special programming, and here's the [CPU|microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

• Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

3) The future of l0pht.

(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

• To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardare projects" side?

Meanwhile, thanks for much great work on both the hardware and software sides of the equation, and best wishes for your continued good work. A couple of years ago, some of your tools saved an ex-employer's butt, and the look on my pointy-haired boss' face when I showed him where I got the tools that saved him was something I'll never forget. Y'all rule, and convincing a PHB of it takes work above and beyond the call of duty :-)

Who's more dangerous?

In your view, which of the following corporations is most dangerous to the future freedom of the Internet as we know it, and why?

• Microsoft
• America Online
• Amazon.com

Eric
--
"Free your code...and the rest will follow."

Antivirus software holes

Norton Antivirus has a security hole. Details at msnbc [msnbc.com] . What do you think about such cases? Should the software liscensors be sued (since they are refusing to fix the hole)?

Crypto-Phreakishness

Since you guys rate much higher on the crypto-phreakometer than I do, I was wondering if you had any insight into the security of current crypto technology.

Specifically, do you think that advances in computer horsepower has weakened the security of the current generation of crypto, as it relates to finding BIG prime numbers for the purpose of factoring.

What engines/sites do you use to scour the 'Net?

Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

"There are no shortcuts to any place worth going."

Re:Reply to this letter.

Here's my "letter to the editor" to the Columbus Dispatch:

I was disappointed with Ray Malone's 12/25 letter to the editor. Speaking as a hacker and security enthusiast of 17 years, allow me to educate Mr. Malone on hacking and open source.

First of all, viruses have nothing at all to do with hacking. Virus writers are not hackers in any sense of the word, they're merely vandals. But semantics aside, virus scanners that look for virus "fingerprints" can't be fooled by making the virus appear to be something else. The virus' fingerprint still exists in the code. At any rate, Mr. Malone is discussing individual programs here and not the operating system, which is the part that would be open source.

Mr. Malone goes on to say, "So with the Windows source code, the hacker could write a program that on June 1, 2001, swaps all bank balances." Yes, if the hacker had a database full of bank balances to work with in the first place, I suppose. And his modified source would only run on his system and any other system whose owner was duped into installing it. Other systems wouldn't be affected.

The real fun begins with this gem from Mr. Malone: "Every programmer I have ever met has always left himself a back door into every system he writes." I find this an extremely interesting perspective, considering that every single programmer I know does NOT leave a back door in ANY code. Given that Mr. Malone works for MBS Software (according to his letter), I take his words to mean that MBS products contain security holes by way of programmed "back doors," and I will accordingly caution consumers not to purchase anything from MBS until such time as they secure their software.

Mr. Malone then warns "Microsoft bashers" to beware, lest they get what they wished for. I don't know about him, but I've been wishing for stable, secure products for years, and Microsoft has yet to deliver. I am fortunate that the open source movement--pioneered by such products as the 32-bit multitasking, multithreaded, stable-as-a-rock, open source operating system known as Linux--is making such a large impact on the computer industry. Otherwise, we'd have 10 more years of Microsoft "innovation" to look forward to.

Adaptive Pseudo-Biological Security

To L0pht:



We've been working on network theory for a while and an idea which we've been working on recently is adaptive system and network security that models the identification and proaction of a biological immune system.



Basically, the security system all incoming and outgoing traffic, processes, etc. As it analyzes a network configuration, it 1) adapts to that network and covers potentials holes from the start, 2) learns from and builds immunity to network attacks, hostile processes, and general system errors such as buffer overflows. Many security systems are, to a point, adaptive to their environment, but I have yet to see a security design that is adaptive/intelligent enough to configure itself to "live" within an environment and to become intelligently symbiotic with that environment.



How much work have you done with highly adaptive security systems, and do you foresee adaptive security becoming a working reality within the next decade?

Security Hoaxes

L0pht Crew--

Combine extreme paranoia about web site security, a money stream coming straight out of PR Maintenance, and a "get-rich-quick" mentality that infuses Internet businesses, and you get an environment rife for the creation of snake oil cures and security systems that work by seeing to the financial security of the software authors.

Of course, the natural defense to such hucksterism is the presence of groups such as yours. What are some of the products and techniques that you've seen, debunked, and felt you intelligence insulted by?

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com