L0pht Gives FAQ of @Stake Merger

Duke of URL writes "The gray hat hacker think tank L0pht Heavy Industries has provided a FAQ list on their recent merger with @Stake. It sounds like there will be a few more changes than I personally previously thought, (i.e. Web site changes, etc.) but the good news is that L0pht 'will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software.' Also Hacker News Network will still be run by L0pht/@Stake and will receive more time and resources."
  • The white ones, I mean. The grey was a bit dingy, y'know.

    But seriously, this is fantastic. Hackers get VC, story at 11--network security gets accepted as a real, actually important thing. ohmigosh! What a concept! I've always admired the l0pht's methods of improving security, and their general air of professionalism (with the normal caveats).

  • I'd appreciate it if someone who gets in could repost the FAQ here. The site is in violation of my employer's "acceptable use policy". (Apparently I have to print out how to hack their boxes at home and carry it in?)

    Thanks in advance

  • by Jonathan White ( 15086 ) on Wednesday January 26, 2000 @11:36AM (#1333652)
    Well unfortunately there is no one book to sum up breaking into systems that is along the lines of Applied Cryptography.

    Some books to get you on the right direction follow:

    1. A good C book if you do not already know C. I personally learned with C Programming, A Modern Approach, it's a good book. Knowledge of C is essential because you will need it to write your test exploits and most of the following books assume knowledge of C.

    2. Advanced Programming in the UNIX Environment and a good OS theory book such as Operating Systems by Stallings or "the dinosaur book". This is necessary so that you understand both the nature and implementation of modern operating systems.

    3. TCP/IP Illustrated Volumes 1 and 2. These are necessary so that you understand TCP/IP at a very low level. Most attacks involve a network and that network usually runs TCP/IP, a lower level network book covering such topics as Ethernet may be necessary as well.

    4. The Tao of the Buffer Overflow by Aleph1. This can be found in the Bugtraq archives. Stack based overflows remain the most common method of compromise (besides social engineering). This article does an excellent job of explaining how to exploit and find them. Dildog wrote an NT version for the l0pht which you may also need.

    5. w00w00 published an article on heap based overflows which you may need.

    6. A general Internet + Systems security book, O'Reilly has one I have heard good things about, I can't recall its title. Note however that a general security book is not enough.

    7. Various academic publications and thesis papers. These can be an invaluable resource for descriptions of more esoteric attacks not covered in published books. These also have the benefit of assuming a much higher level of knowledge than most papers/websites/books for dummies.

    8. OS Specific docs and books. In order to secure or break an OS you need to know everything about that OS.

    9. Mailing lists such as Bugtraq and OS specific security lists will provide a history of previous vulnerabilities and solutions.

    Security is a very broad and difficult subject requiring its practitioners to be skilled in many different areas. I hope this is a good transition and you enjoy your new post.

  • I don't know if that's Russ Cooper's policy -- I think he leaves it up to the person posting the security hole. From the document you link to:

    2.B.I If they insist on it going out immediately, it gets sent to the list. My moderating policy ends here.

    Whether or not it's a good thing is debatable. It does allow security people to threaten the vendor with disclosure without having to post the full exploit details.

    For example, someone can post "I discovered a serious problem with MS XYZ, disable PDQ until MS produces a fix. If they don't have a fix out in 60 days, I'm going public." Now of course, the person could be lying -- perhaps there isn't really an exploit in MS XYZ PDQ, but that's up to the reader to judge.
  • Does anyone here have any expertise or suggestions about suitable books or webpages? Something along the lines of Applied Cryptography, except in the domain of cracking. Again, I'm looking higher-level material, not Online Hooliganism for Dummies :-)

    What I did, in a similar situation, was to think like the dirtiest malicious-brand hacker. It was easy for me since I too was infatuated with the whole break n' enter side of things early on. I spent time reading exploits, and I was quite interested in how they worked. I sometimes felt the itch to do something stupid, but thankfully I was too chicken to actually mess around with systems -- unless I had permission.

    My advice is to keep in the back of the mind how you would circumvent any security mechanism anywhere, especially outside your reign. This way you'll quickly spot exploitable configurations. It's amazing, when I started doing it myself, everything changed, I could instantly point out the weaknesses of any design I fully understood. This is really good for a programmer, very little will escape you if you pretend you're going to break your code later... but it also works with any system's configuration.

    If you have in-house coding/development, talk to the developers, and find out what kind of access those programs have to your system that you don't want outsiders to get, ensure they're secured against abuse. Obscurity is (obviously) not a long-term solution to anything.

    While doing this, learn about every service you provide... and look at all of the setuid programs that can be executed by users -- even if you don't give out shell access, if someone pulls a buffer-overflow on your webserver then their 'nobody' user can still execute your setuid toys -- so really, you have to take a look at anything that people aren't supposed to have access to in the first place.

    Finally, read CERT (and all the others) like you read slashdot, when an exploit is found, check to see if you're vulnerable.

    It's not smut it's data
  • how about @5t34k, I'm hungry ;)
    It's not smut it's data

  • 'Bitch nuggets and elite ass bastards formerly known as l0pht'?

    luv it when you talk dirty to me. start me up!

  • > I don't know if that's Russ Cooper's policy --
    > I think he leaves it up to the person posting
    > the security hole.

    Of course it's his policy, it's his mailing list, he's the moderator. You have to send posts through him before they hit the list. He has in the past held onto a bug while waiting for a vendor to make a patch.

    > Whether or not it's a good thing is debatable.
    > It does allow security people to threaten the
    > vendor with disclosure without having to post
    > the full exploit details

    Full disclosure is a good thing. It has been proven over the last 7 years of Bugtraq's existence. If vendors don't fix their bugs before they get out the door, the proven best method for getting things fixed is to force them through full disclosure.

    > For example, someone can post "I discovered a
    > serious problem with MS XYZ, disable PDQ until
    > MS produces a fix. If they don't have a fix out
    > in 60 days, I'm going public." Now of course,
    > the person could be lying -- perhaps there
    > isn't really an exploit in MS XYZ PDQ, but
    > that's up to the reader to judge.

    First off, this type of thing doesn't happen with a full disclosure list, because when others try and reproduce the results (one of the benefits of full disclosure) they see there isn't a problem. With 'partial' disclosure the scenario you lay out above COULD happen, since no one but the discoverer of the bug, the vendor, and perhaps the moderator of the list are involved.
  • The movie is finished, they just have not released it yet.

    I am curious to see how it is. They did change it a little after some 2600 protesting.
  • You have to send posts through him before they hit the list. He has in the past held onto a bug while waiting for a vendor to make a patch.

    And he got ripped for it. Thus the policy document you linked to, where he pretty much leaves the disclosure policy up to the poster.

    I'm not sure how BugTraq works. Would they reject a post that read "I discovered a serious problem with MS XYZ, disable PDQ until MS produces a fix. If they don't have a fix out in 60 days, I'm going public."? As far as day-to-day administration goes, I'd rather have that information (even inaccurate) than nothing. (Or is that enough info to give the black hats a clue, and not enough to really kick the vendor in the butt?)
  • The theory of full disclosure works like this.
    I discover a bug. I do one of two things

    1) Full Disclosure
    I send the bug to bugtraq, along with whatever info I've been able to glean about it. This way, a huge community can first, verify that the bug exists, second, figure out an effective workaround, third, produce a patch, or make a stink about the vendor until they produce a patch.

    2) Partial disclosure
    I send a scary letter to bugtraq saying there's a bug, but I don't want to release the details, and this is how I think you should fix it. Assuming my 'fix' is fine, everything works great, but if my 'fix' has a problem with it, no one can verify the problem since they don't know the nature of the bug. Responsible vendors start looking over their code trying to find the bug, or if the finder has notified them will release a patch, eventually. There aren't many vendors with quick security turnaround, so you have no alternative but to sit around and wait and hope the fix is the correct one. In the meantime, the blackhats, who are a lot smarter and quicker about finding bugs than vendors, figure out the problem, and start exploiting the bug.

    I'd much rather go for #1.
  • I'd much rather that you go for #1 too, but what if you'd rather go for #2?

    Not much I can say about it -- which is the crux of the NTBugTraq problem -- they can't make you disclose any more than you want to.

    (For the record, I'm not advocating partial disclosure by any means, just casting doubt on if NTBugTraq is really responsible for white hats that prefer partial disclosure. It seems to me that folks in single vendor cultures [MS, IBM] tend to "give the vendor a chance to fix it" policy, while the "open systems" [Unix] folks seem to prefer the full review policy, preferably with source code at their disposal. Just something to chew over.)
  • ... continuing with the funny ideas of the "consumer reports"....

    "The Sun StarFire server has been found to tip over during fast/heavy CGI turning...."

    "How to properly secure your baby-pilot in its car cradle.."


  • One of the better sites for security related issues is: []. Definitely check it out and get on the mailing list.


    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • It's up at my site ( []) -- please try not to hammer it, it's a lowly 300k DSL line :)
  • bugtraq sure makes me wish one thing these days: that all MS related bugs were moved to their own mailing list! I mean, after all, there already is an NTBugtraq list, so why not rename it MSBugtraq and keep MS stuff out of Bugtraq itself? right now the situation is annoying: NT people need to read two lists, and Unix people read one but skip more than 50% of it.
  • I think they do it so that the UNIX people can get a good chuckle out of MS' continuous errors. A sort of comic relief.
  • Geez. I was pointing the story to the original poster of this thread and explaining why their submission may not have been accepted... Maybe I wasn't clear about it, but I certainly wasn't being redundant, i don't think.
  • b1tChn00g1tZ4nDl33t455b45tRdZf0rM3r1YKn0Wn4Zl0pht

    'Bitch nuggets and elite ass bastards formerly known as l0pht'?

    Sorry, I didn't take Skr1ptk1dd13 as my elective foreign language in college.
  • Do moderators read what they moderate up? $20 says that this is the same troller who yells "Miramax announces Don Knotts to play hacker Emmanuel Goldstein in upcoming movie 'Takedown'"...

    A nice link for you... []

    Moderators -- Please, take your time while you moderate. Even looking at the URL without going there, would you think "" would be where CNN posts its news? With the label "CNN Entertainment"

    Damn, Slashdot moderators need their heads checked...

  • Oh yes, I completely agree. If I concentrated in that field I would do that myself (if I could convince the NT and Bug folks to go along with it). As it stands now, I do not even have time to keep an automated website up :(

  • Here's the full text of the article:

    1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?

    YES. L0pht Heavy Industries was incorporated, had employees on the payroll, and sold
    software products and consulting services. In short, we were a real company and had
    been operating that way for a couple years. L0pht Heavy Industries legally merged
    with @Stake in the beginning of 2000 so we are all one company now. The new
    company will go by the name of @Stake.

    2. Why did you do it? You seemed to have a perfect club-house environment.

    We strived to be (and achieved) a pure R&D environment. Unfortunately pure research
    and development is not a very profitable arena. In addition, one needs business people,
    sales and productization of services. So, while we tried to keep the research and fun
    environment we were fighting a losing battle in making ends meet.

    To summarize, we had problems scaling. Everyone was spending more money and
    effort doing less research and experiments. The L0pht wanted desperately to avoid
    having to compromise our goals and ideals which would have happened if we had
    continued to go the route we were. The solution was obvious. We needed to find an
    organization that valued the R&D work that we did, could benefit from it, profit from it,
    and enable us to keep contributing to the community.

    We feel very fortunate in having come across such people in @Stake. We see this as a
    win-win situation where we will be able to do a lot of the research that we were unable
    to do while just being the L0pht. We also feel very fortunate in finding an organization
    that did not expect us to about-face in the way we approach sharing our findings with

    3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?

    Here is a PARTIAL list of components that we find work very well with our VALUES and
    make us very comfortable about the merger:

    - @Stake is aiming to be completely product / vendor neutral. This enables them to
      make the best design decision and recommendations possible to the customer
      without unknown biases. This is accomplished in the following ways:

        - @Stake will not take commissions / kick-backs from product vendors for
          recommending a product into a customer.
        - @Stake is in the business of providing strategic services rather than
          tactical ones. What this means is that they see the benefit in helping design
          / implement solutions with security and functionality from the beginning
          rather than looking for known problems and helping to only remediate them
          when they could have been avoided all together.
        - @Stake will not sell products. Thus they do not have customers being
          worried that they will recommend their own product even if it might not be
          the best solution. What this means to us is that we get to continue coming
          out with tools and programs but are forced to give them away for free!
          How cool is that! We are completely non-biased in our opinions of products
          and technologies, and we are able to continue our experimentation and
          reverse-engineering of such. This also allows us to continue our "consumer
          reports"-style announcements, papers and research.

    - @Stake is committed to a strong research and development leg as a method of
      always being a leader and not just a follower.
    - @Stake wants smarter customers rather than dumber ones in the community. By
      helping to educate everyone as much as possible it not only helps differentiate
      the company but allows more interesting and thorough solutions to be deployed
      for customers. This is the same belief that the L0pht has always held.

    4. So what's going to happen to the old L0pht space you were in?

    We still have the space. Some of the hardware projects that were going on over there
    are just not practical to move. We are also setting up new lab space that has many of
    the things that we could not manage at the old location.

    5. And what about the webpage? Is it going to go away? Is it going to be put on

    Not in the immediate future. There will obviously be a period of time before we manage
    to fully integrate everything. As was stated in a previous response one of the reasons
    we embarked upon this merger is due to the like-minded beliefs. So, when the two web
    sites finally merge you can expect to find the same sort of information that is currently
    published in an even better format. It might even be that they stay as individual web
    sites, one focusing more on R&D and the other on business angles. What it boils down
    to is that you can expect some changes but the main focus will be quite similar to what
    it currently is.

    6. What exactly is L0pht doing over at @Stake? Are you consulting now?

    The L0pht forms the nucleus of the Research and Development group in @Stake. By
    continuing to push the envelope in security research we can help productize new
    services to the consulting and business legs of @Stake.

    7. What's going to happen to all the advisories? Are you still going to publish them?

    The L0pht will continue to publish advisories. This will not change. The L0pht never did
    and never will publish an advisory based upon insider information that would betray
    someone's trust. However, we will continue to act as a Consumer Reports style
    organization in posting our general findings through analysis and evaluation as general
    customers reviewing software.

    We still believe in Full-Disclosure in our advisories. We are also happy that we will be
    better able to work with companies in giving them advance notice before posting
    publicly to the world.

    8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?

    Since @Stake is purely a consulting services company, it did not acquire the products
    that were sold commercially from the L0pht. L0phtCrack and AntiSniff are being moved
    to a holding company independent of @Stake and will continue to be sold. We will be
    donating the proceeds (after operational expenses) to non-profit and educational

    The free versions will continue to be free and include source code. A new version of
    L0phtCrack was 95% complete at the time of the merger. The authors will probably
    finish the last bit and release L0phtCrack 3.0 but the schedule is uncertain.

    A Linux version of the researchers version of AntiSniff is underway and will be released
    under the same free researchers license that the command line AntiSniff currently has.

    9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and
    was it picked up by the merger?

    Hacker News Network was run by l0pht employees on l0pht equipment so it certainly
    was a part of l0pht. We feel it provides a valuable news source to the security
    community so it will continue to operate as part of @Stake. We expect to be able to
    spend more time and resources in making it an even better resource for the community.

    10. How does it feel working with a bunch of business stiffs?

    @Stake is definitely not populated with a bunch of business stiffs. One of the reasons
    L0pht merged with @Stake was the quality of the people there. They understand our
    vision of computer security. Some of them would even be considered hackers exactly
    the same way we think of ourselves as hackers.

    Things are a bit more businesslike at the merged company but the place is a place that
    values openness, diversity, creativity, thinking outside of the box, and coming up with
    non-conventional solutions.

    11. What are the financial makings of this merger?

    @Stake is not a publicly traded company right now and as such we are not able to give
    those details. We are happy to say that the main impetus for the merger was the ability
    to engage in much more grandiose research work and not compromise our morals in the
    process. We started into this field in order to learn, educate, and contribute and are
    happy to say that we should only be able to do these things even better now.

    12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about
    being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake
    different? Explain in small words.

    The answer to question #3 should help on the vendor-neutral aspect being more than
    just lip service.

    As for the 'Strategic Security Solutions' this is similar to how the L0pht always handled
    customers. An example in the software world between tactical and strategic might help:

        A buffer overflow was found in a section of code. The offending call was the
        unbounded strcpy().

        Tactical approach:
            Replace that particular strcpy() call with the bounded strncpy(). If a
            similar problem is found elsewhere later on fix that one after it is reported.
            Repeat as necessary.

        Strategic approach:
            From the design point help model with security involved. Use bounded
            string functions to remove that class of future problems.

    Obviously the above is just an example of the way we see tactical being different from
    strategic approaches. This is how we view all projects be they in the infrastructure,
    content, operational, network, etc. fields. It also does not preclude us from
    implementing tactical solutions as necessary but the main focus is enabling, not only

    13. I don't trust hackers like you. Why should I?

    We call ourselves hackers using the original, positive meaning of the word. A good
    definition can be found in Eric Raymond's Hacker's Dictionary. We think hackers have
    higher ethical standards than most in the business world. We do not do anything illegal
    with our computers or anyone else's. We get our kicks finding and solving security
    vulnerabilities in products and technologies using our own networks, hardware, and
    other resource. This is the way we have always operated and that is the way we will
    continue to operate. If you can't relate to this, then you should probably reinvestigate
    the meaning of the word 'hacker'.

    14. Are you still going to get drunk and rant at cons? What about your 'professional image'?

    We will continue to be involved in conferences the way we always have. Don't you
    think that if @Stake had told Mudge he would not be able to have a beer with his friends
    and talk about crypto-systems that would have been a show stopper for the merger
    right there?

    15. Are you hiring? Can I be a L0pht Member?

    We are definitely hiring. We cannot thrive and be the leader in security without the
    best people on the planet. Submit your resume to if you are
    interested. We want to work with the best and you probably do, too. If you have top
    notch security skills in consulting or research we urge you to apply. That being said, we
    cannot accept everyone that applies but will do our best to make sure everyone gets a
    fair shake.

    The L0pht is fully integrated with @Stake so there is no separate group of people called
    "L0pht Members". We are proud to call ourselves members of the @Stake team. We
    will now be known as 'The Hackers Formerly Known As The L0pht', or perhaps some
    unpronounceable symbol.

    16. Does @Stake have an open-door policy?

    @Stake operates in a similar fashion to most other professional service organizations.
    The reason we went to the closed door policy at the L0pht was to enable ourselves to
    get work done and not just have the place be a local hang-out for people wanting to
    kick back with a beer and watch TV. While we will be more accessible at @Stake, we are
    there to do R&D work and as such it will continue to not be an open-door-hangout type

    Keep in mind, however, that L0pht has not had a true open-door policy for many years.
    At our original location, the L0pht was more of a club-house and place for general
    hanging-out of hackers from around the world. When we moved to our new location
    and decided to do real research and provide to the community, the L0pht was not open
    for everybody. We occasionally gave tours and threw parties, but the space was not
    open for visitors 24 hours a day.

    17. Are you still going to the MIT Swapfest and selling funky stuff?

    We will still be going to the MIT Swapfest to see people and pick up various things. We
    hope we won't have to sell our scraps at it anymore in order to make ends meet :)
    However, as most people going to the MIT flea, we will also want to "upgrade our junk
    pile". We will be selling, just not every month as in the past.

    18. Are you still using your handles? Or are you going to use your real names now?

    We have been using our handles for over 10 years now. It is what we have published
    under in academic journals, magazines, books, given training courses under, and
    provided recommendations to the US Senate under. As such they are as much our
    recognized names in the security community and we will continue to use them. Many
    companies seem to be scared of doing business with people using pseudonyms or
    handles. This is a problem that we would like to solve. We are not really hiding from
    anyone, but this is how we've been known for a long time, and for some, is what our
    parents call us. We hope to educate those companies by showing them that it's not the
    name that's important, rather the information and services that can be provided.

    19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?

    @Stake has committed to enabling the R&D labs to work on hardware related projects
    as well as protocol and software ones. We see an ultimate marriage between all of
    these areas as technology is progressing and would be remiss if we turned a blind eye
    towards any of them.

    20. Will you be coming out with any more T-shirts?

    The T-shirts were fun little projects that we did more out of amusement than anything
    else. Should the opportunity and inspiration strike again we would not rule out the
    possibility of coming out with some new designs.
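
The tactical versus strategic distinction in answer 12 of the FAQ above, as an added example (not part of the FAQ and not L0pht or @Stake code): swapping strcpy() for strncpy() at one call site bounds the write but can leave the buffer without a terminating NUL, while a single bounded helper used for every copy always terminates and reports truncation so callers can reject the input. The names `tactical_copy`, `bounded_copy`, `set_username` and `struct account`, and the buffer size, are hypothetical.

```c
/* Added example: strcpy() -> strncpy() at one site (tactical) versus one
 * bounded copy helper used everywhere (strategic). All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* constructed buffer size for this example */

struct account {
    char name[NAME_LEN];
};

/* Tactical fix at a single call site. strncpy() never writes past dstsize,
 * but when src has dstsize or more characters it writes no terminating NUL.
 * Returns 1 if dst is NUL-terminated within dstsize bytes, 0 if it is not. */
int tactical_copy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* Strategic fix: the one copy routine the whole code base is meant to use.
 * Writes at most dstsize bytes, always NUL-terminates dst, and returns
 * 0 when all of src fit or -1 on truncation or bad arguments. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t i;

    if (dst == NULL || dstsize == 0)
        return -1;
    if (src == NULL) {
        dst[0] = '\0';
        return -1;
    }
    for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* Caller policy built on the helper: over-long input is rejected and the
 * record is left unchanged instead of being silently truncated. */
int set_username(struct account *acct, const char *input)
{
    char tmp[NAME_LEN] = {0};

    if (acct == NULL || bounded_copy(tmp, sizeof tmp, input) != 0)
        return -1;
    memcpy(acct->name, tmp, sizeof tmp);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one fits, one is exactly NAME_LEN characters. */
    const char *fits = "alice";
    const char *too_long = "0123456789abcdef";
    char buf[NAME_LEN];
    struct account acct = { "guest" };
    int rc;

    printf("tactical, fits:      terminated=%d\n",
           tactical_copy(buf, sizeof buf, fits));
    printf("tactical, too long:  terminated=%d\n",
           tactical_copy(buf, sizeof buf, too_long));

    rc = bounded_copy(buf, sizeof buf, too_long);
    printf("strategic, too long: rc=%d, buf=\"%s\"\n", rc, buf);

    rc = set_username(&acct, too_long);
    printf("set_username(too long): rc=%d, name=\"%s\"\n", rc, acct.name);
    rc = set_username(&acct, fits);
    printf("set_username(fits):     rc=%d, name=\"%s\"\n", rc, acct.name);
    return 0;
}
```
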

  • I highly recommend:

    "Maximum Security: A Hacker's Guide to Protecting your Internet Site and Network" by Anonymous, published by SAMS, ISBN 0-672-31341-3

    It's a real crackers/hackers point of view book, with heaps of refs to web sources/sites/RFCs etc.

    Very good.

  • correct.
  • by wozz ( 25963 ) on Wednesday January 26, 2000 @02:54PM (#1333680)
    > Well unfortunately there is no one book to sum
    > up breaking into systems that is along the
    > lines of Applied Cryptography.

    Sure there is. Hacking Exposed. It's already been mentioned in this thread, but it's a great resource. I'm a security manager for a large ISP that is responsible for penetration testing as well as a bunch of other stuff, and being that it's rather hard to find qualified security people for reasonable salaries, hiring a good unix/nt guy and making him read that book has proved pretty effective at making people 'think secure'

    Also, the content of that book comes out of the security practice at Ernst and Young, where they offer a great 5 day course called "Extreme Hacking" [] (as well as courses on Incident Response and Computer Forensics), taught by some of the authors of "Hacking Exposed". It's $5000, but well worth it if you don't have the white or grey hat background. I haven't taken the course (my grey hat saved me $5k ;)) but I've heard many good things about it. And compared to the rest of the "security" classes out there, this is by far the best.

    Another important point to consider is that you don't necessarily need to have black hat skills to successfully secure a system. It helps, but you don't need it.
  • While l0pht is a great component for @stake, it's certainly not the only thing they have going for them. Their CTO is Dan Geer, who should be well known to anyone involved with USENIX who reads Login; regularly. Their management pool is pretty impressive too. Not a Pointy Hair amongst them.
  • The biggest problem is that the fake story/intelligence test is about 2600 and not L0pht.

    Still, I'm hoping that Takedown: The Movie never actually gets made. Honestly, whatever a person may think about Kevin, a movie about him from Miramax will probably be a hacker/techie nightmare. I can see it now, "Christopher Walken to play darkside hacker Kevin Mitnick. You've Got Mail star Tom Hanks to play the man who brought him down, John Markoff."

    Honestly, it would just be an excuse to paint all hackers with a broad brush, as evil, demon-like people. So, here's hoping Markoff's dreams of having his "masterpiece" filmed go up in smoke.

    I hope the @stake merger doesn't domesticate the L0pht, but I'm going to wait and see before making a judgement.

  • It's mostly a matter of competition. Bugtraq and NTBugtraq are not related other than by name. Bugtraq has been around since 1993 (started by a former boss of mine, Scott Chasin). NTBugtraq's only been around since 1997. Personally, I'm not a big fan of NT Bugtraq. Everything posted there is also posted on Bugtraq, and there have been issues with Russ Cooper holding back information that's been submitted to the list for weeks until the bugs are fixed [], which Russ might think is a good idea, but, unfortunately that's not what full disclosure is all about.
  • While I understand your point about the different viewpoints, full disclosure is better for security in general. This is a proven fact, before full disclosure came in vogue, vendor security problems dragged on forever.
  • From the faq - (El Guapo quotes thusly) "The new company will go by the name of @Stake" I feel the L0pht name carried quite a bit of respect (I've been following these guys for a while, I think they're great). "@Stake" says "e-too" to me. You think they'd consider changing it if they got enough *polite* emails???
  • You may want to try using Magusnet's server;
    it tacks on the destination address to the end of the URL; it may or may not be blocked at your company's proxy:

    here [] for a https connection to the l0pht article, or
    here [] for a regular http connection.

    For reference, the address is:

    Standard HTTP ---[the site you want]

    SSL ---[the site you want]

    Hope this helps you.
  • It appears their server is having problems temporarily (pings fine, but I can't even open a telnet connection to port 80). I have a mirror at my site: []
  • It is not sufficient, the poster wanted information that would stop attacks other than the currently known script kiddie methods. Hacking Exposed is an overview of current methods and tools. It does not go into necessary (code level) detail, that is nothing against the book which from what I have heard is excellent, you simply cannot fit all of the information into one 500 page book.

    In fact, on further thought I should have included Applied Cryptography itself on that list because knowledge of how to break and detect weak cryptosystems is necessary.

    Hacking Exposed is probably a good start but it certainly cannot cover all of the information at the level of detail he will need.
  • The original poster said

    > In the next month and a half or so I'll be
    > making a transition out of my current job into
    > another post. This new position will require
    > me, among other things, to crack our pre-
    > deployment systems so that holes can be patched
    > before release.

    Hacking Exposed can certainly get him a good start on that. I'm assuming this is not a full fledged security job, because if it was, they wouldn't be hiring someone who's posting here asking how to do the job. If this is a full fledged security job, I agree with what you've posted for resource however: You can read all you want, there's no substitute for experience, on the white or black hatted side of the line. If yer looking to become a full fledged security professional, you can't just read what others write (although you do have to do that). That's where 99% of the security "professionals" come from, and they have no idea what they are doing because, while they may know how aleph1 writes a buffer overflow, they don't know where the buffer overflows are on their system.
  • While yer listing stuff....

    Just browsing SecurityFocus can be immensely educational, especially some of the guest features. I've told them before, but if any of the securityfocus folks are reading this, Thank you for a great tool!

  • post on, it's free, no login required, and no moderators...

  • and of course no company's attitudes are affected at all by the new millions of $ they now have to consider. You believe it.
  • It's about time the public learned that not every computer-savvy individual is going to take over the world. It's good to see L0pht breaking some molds in the computer security industry as well.
  • by konstant ( 63560 ) on Wednesday January 26, 2000 @09:57AM (#1333698)
    This is only vaguely on-topic, but I would appreciate it if some of the more knowledgeable crowd could help me out.

    In the next month and a half or so I'll be making a transition out of my current job into another post. This new position will require me, among other things, to crack our pre-deployment systems so that holes can be patched before release.

    I don't think I'll have much trouble with the more prosaic "skript kiddie" side of the assignment, things like netcat and ping floods, but I'm concerned that I might miss some of the less glamorous holes due to lack of specific training in "white hat" cracking. This group is more concerned about a coalition like the l0pht finding a vulnerability than they are about the more typical attacks.

    Does anyone here have any expertise or suggestions about suitable books or webpages? Something along the lines of Applied Cryptography, except in the domain of cracking. Again, I'm looking for higher-level material, not Online Hooliganism for Dummies :-)


    Yes! We are all individuals! I'm not!
  • Check out Bugtraq and NTBugtraq (if using MS OS).

    OKOK, I could not spell my name without notes, but check the above places as well as Packetstorm (link at, yea a daily scan of hackernews is good too.

    Listen to Off the Hook, check 2600 news daily, buy 2600 magazine too for a general look at some of the more out-of-the-way items that crop up.

    Your local 2600 meeting (if there is one in your area) will probably have other professionals with the same concerns as you, with solutions.

  • All these companies merge and then just take one of the names. Sometimes they put a slash (/) between the names & use the compound name. I think they should all come up with new names to use. What's with @stake? l0pht was a leet name and now they went and screwed it up. Yeah, I read that l0pht will still be around, but they should have given @stake a reet name before they merged. How about @5T4K3? Any ideas?
  • It's a good thing that now The L0pht doesn't really have to worry that much about money anymore but have already paid somewhat of a price.

    Still I do think that the community will come out for the better, but if this many changes have already been announced then how many more are planned that we don't know about? For better or worse?
  • Don't forget the other following security references:

    Cert: []

    Packetstorm: html []

    and Attrition has some stuff too []
  • Funny, I thought this whole merger was discussed right here on slashdot a couple weeks ago. Here's a link [], posted on 1/6/00. They probably got 50 submissions of the story, and either it ran before you posted, it ran and you forgot to come here one day, or it ran and they chose someone else's submission.

    So, you re-reporting it really does add nothing to it. But with the L0pht posting a FAQ, that's new news, rather than old news.
  • by Signal 11 ( 7608 ) on Wednesday January 26, 2000 @10:00AM (#1333705)
    Hmm, that's an interesting image. Let's see, the typical table of contents for such a "consumer report" for security might look something like this...

    Cover: More bugs found in W2K. Microsoft denies problem exists and says they're working to fix it as quickly as possible.
    MacOS: Most secure? Performance details p. 30
    AOL users swindled (again)- passwords leak out by the thousand.
    AOL 5.0 Upgrade of Death: Marketing ploy or gross incompetence?
    Slashdot source released: Malda's e-mail was out for a few weeks, thus bypassing the mandatory "24 hour wait per request" problem.
    L0pht drops SuperMegaCorp's pants with another vulnerability.
    The Press: Getting it wrong again. HNN goes inside to reveal why "they didn't get it" again.
    Buffer Overflow found in Cup 'O' Noodles. (After 2:30, the thing spills all over the inside of the microwave).

    Also inside: A feature on Kevin Mitnick - Martyr or idiot, and an in-depth review of Emacs as an Operating System.

  • They should call themselves: b1tChn00g1tZ4nDl33t455b45tRdZf0rM3r1YKn0Wn4Zl0pht
  • ...they brought a dump truck full of money and dumped it in front of us. What are we, stupid?

  • I set up an automated website that checks the headlines and new files of: Slashdot, Hackernews, Packetstorm, Securityfocus (bugtraq) and Technotronic. Check it out at (shameless plug)
  • by Hall ( 962 ) on Wednesday January 26, 2000 @11:06AM (#1333709)
    Anyone care to do a little "copy-n-paste" job ?? I can't read this (at least 'til I get home). Big brother don't like l0pht's site ;-) When I try and go there, I get this:

    SmartFilter Control List Restriction
    SmartFilter denied access to the URL http://WWW.L0PHT.COM/MERGER.HTML It matches the category 'Criminal skills content'.

    If you have a business reason to access this site, in adherence to Company Internet Use policy, there may be an error in the category sites list. Please contact your Division IT Director to have the error corrected.

  • Just a note to those who might mistakenly think is a source of unbiased news - it is run by a bunch of Objectivists.

    Of course the other choices aren't that great either-- AntiOnline (haha, yeah right..) or Rootshell (completely out of date). Bugtraq is good but it mostly focuses on bugs not hackers.

    Too bad there isn't a site that reports on the biases of the different internet news sources (and I don't just mean computer-news sites).

  • but with more money. Just a little bit of research shows that @Stake and L0pht were both doing many of the same things, the only difference being that @Stake was turning a profit. I'm very pleased that this profit will now, in part, be used to help the L0pht fellows do what they do even better. As long as they're still going to be getting plowed and whooping it up at the cons, that's all that matters!
  • by swordgeek ( 112599 ) on Wednesday January 26, 2000 @10:19AM (#1333713) Journal
    Yeah, got a book for you: "Hacking Exposed!" by Stuart McClure et al. Despite the exciting title, it's a very clear, concise, and current treatise on how to break into systems, AS WELL AS how to block them out.

    There's a lot of stuff deliberately left out of it, along the lines of specific exploits to run on a buffer overflow (if you need it, go write it yourself!), but gives information on general attacks.

    For higher security, check out some of the lovely online articles, like the stuff on Sage []. The 'securing a Solaris server' is definitely required reading, regardless of your platform.

  • What is "@Stake"? Sounds like some flimsy fly-by-night buzzword startup (not to say it IS, just that that stupid @ symbol makes it look like that). I think the name "L0pht" held a lot of weight, if not respect, in the security community. They should have been able to keep the name somehow. I don't know what the hell "@Stake" is. Is it some property claims company? Is it an e-butcher store? I would hire a "L0pht" but not an "@Stake". - the Java Mozilla []