Forgot your password?
typodupeerror
Technology

Interview: The L0pht Answers 99

Posted by Roblimo
from the lots-of-neat-stuff dept.
This week's "main" interview guest is L0pht Heavy Industries as a group. (We hope to have answers from Linux International head Jon "maddog" Hall tomorrow). Many insightful questions for the L0pht guys were posted Monday. Today, lots of insightful answers on everything from political controls on the Internet to hardware hacking. (Click below to read.)

1) Which do you consider more dangerous
by Gleef

Which do you consider more dangerous to personal liberties on the Internet, national governments or multinational corporations, and why?

L0pht
While both Governments and multinational corporations are detrimental to personal liberties on the Internet, one must not overlook the greatest danger of them all. The uninformed citizen. In democracies, this is problematic, where governmental policy typically follows public opinion. In the case of the Internet, one will find that most citizens of the world are willing to give up personal liberties in exchange for perceived safety and piece-of-mind. For the safety of the children, is cited commonly.

Many people believe that anonymous access to the Internet is criminal behavior. Government would like you to think privacy is an "anti-social" behavior. You should have nothing to hide, should you? You wouldn't be reading up on the consecration of explosives, looking up security holes in various operating systems, or possibly downloading the latest crypto software, would you? Only terrorists do that.

Governments are lobbied by uninformed citizens, or citizens which are easily manipulated and swayed by various groups across the gambit of our modern civilization. Multinational corporations have their hand in the fray by funding these groups or by participation in Associations which provide counsel to government officials on technical matters. Often recommending legislation which will better the profit taking over the sanctity of "personal liberties."

Multinational corporations are problematic in that they operate in a proprietary world. Often outside parties will scrutinize the technological fabric of a communciations service being provided. Should a flaw be found, and published, the corporation claims that the flaw itself is detrimental to the service being provided and litigation is dispatched on the party disclosing the flaw. This has been the case in the Cellular communications venue. Cloning a cellular telephone was a real thorn in the side of the Cellular Industry. They took their gripes to the US Government. The CTIA and their ilk successfully swayed Washington to pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to eavsdropping. Money is power, and with power comes influence. However, in the end it was the Government, sucking up to industry, which passed the law.

Law Enforcement and Intelligence gathering communities dwell within the governmental domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat crime in this high tech world. Surveillance is paramount. They will convince the lawmakers that without the keys to all communications, a bomb may be set outside Parliment or Congress or .

The government pursuades the people, the people pursuade the government. Who planted the seed first? Those who understand the technology are too busy working on the next cool widget. Meanwhile the technological world rushes toward a global dictatorship and the populace embraces it under the guise of security.

2) The net: strip mall or unlimted human potential?
by garagekubrick

The halcyon days of the net are gone. With ubiquity - the underground vanishes. Is it well on its way, with people like the CEO of Amazon being worshipped by the mainstream press, to becoming an enormous cyber strip mall, marketing tool, PR exercise in control of perception...

Or is there still an underground? Does it still have a potential to be the one true medium with liberation? Will governments and coroporations end up controlling it? Cause they are winning small, important victories relentlessly...

L0pht
The Internet has changed dramatically over the last year or two and with it the underground has also changed. Back in the good ole days (1995+6) every web site was underground, hell the entire internet was underground.

As the web increasingly encroaches onto the mainstream and large portal and corporate sites take over feeding you only the information they want you to see, the underground will evolve and change and morph to suit its surroundings.

There is definitely still an underground. In some aspects it is a lot larger than it used to be and in others it seems to be much much smaller. I think labeling the underground as 'the one true medium with liberation' is laying it on a little thick. The internet underground has been nothing but the exploration for knowledge, if you are looking to it to save mankind from itself your looking in the wrong place.

Governments are increasingly encroaching on personal liberties and freedoms of the average citizen, this is unfortunate. How much longer before the population as a hole realizes what is going on and says enough? Maybe they will never wake up. Will the governments eventually control the internet? Possibly. It is hard to tell but there will always be those who will resist that control and the underground will continue in one form or another.

While the web, as you put it, may become 'an enormous cyber strip mall' I can't help but think of the trash dumpsters behind that mall and what secrets they may hold.

3) Internet Worm II
by tilly

Several months ago I began predicting that someday someone would find a buffer overflow in the various Windows TCP-IP stacks and use it to write a worm that would bring down the Microsoft part of the Internet and cause so much traffic as to effectively shut down everything else. I further predict that until an event of this magnitude happens, the general public will not really learn the basic lessons about security that the *nix world was forced to learn from the first worm.

What are your thoughts on this prediction? (Timeline, reasonableness, etc.)

L0pht:
I believe your prediction is right on track. However, I don't feel that an Internet Worm II is necessary to teach Microsoft, its customers, or its vendors, about security. There are three ways to implement a security model, the slow way, the fast way, and the right way. The slow way involves making a bunch of little mistakes and fixing them over time as you find them, correcting your policies and implementations. The fast way involves having a major disaster occur, after which the faulty parts of the system are completely torn apart and reimplemented. In practice, the slow way often leads to the fast way.

Which brings us to the right way: To design software with a security policy in mind, and with extra caution, care, and expenditure during the implementation. OpenBSD's model of proactive security measures is a classic example of 'the job done right'. Retroactively applied security measures are a recipe for disaster.

Rant off.

As for when Microsoft is going to learn about these things, they'll first have to learn that 'bigger isn't necessarily better'. They need to stop believing their own FUD before they can actually make change over there. When I read things like the article at http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp, particularly the parts about Linux being less 'secure' than Windows NT, I'm appalled at the ridiculous 'facts' that are being used to back up their claims. For example, they claim that:

"Linux only provides access controls for files and directories. In contrast, every object in Windows NT, from files to operating system data structures, has an access control list and its use can be regulated as appropriate."

While this statement is true, they neglect to mention the fact that under a unix operating system, most things that correspond to Windows NT kernel objects, file, data structures, etc, are represented as files. Hence, the coverage of the security model for Linux is just as extensive, even more so, than Windows NT. This is a particularly bad statement, simply because it's not only incorrect, but the converse is true. Linux is more flexible in terms of permission management. Try setting the access controls on who can bind to a particular port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail miserably. And the list goes on.

(And as for 'access control lists', we've noticed that Windows can't seem to get the right default ACLs anyway, and that the complexity of managing them has outweighted the value of their 'flexibility'.)

As for your comments on the Windows NT TCP/IP stack being vulnerable to attack (possibly, who knows :P) and the possibility of a worm destroying Windows systems, the possibility is very real. And again, this possiblity is not unique to Windows. They're just a likely target at this point in time.

It would take a feat of dedication and great skill, but the possibility is there. My advice to anyone who's worried about this, is this: If you're going to use Windows NT, you should probably keep that firewall in place between those Windows service ports and the rest of the world. Microsoft loves to add services and open ports to your computer when you're not looking. And it's probably not going to be the IP stack, it'll probably be some goofy listening service, like anonymous share enumeration or something. Or maybe remote access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields. Or possibly even some undocumented functionality in the named pipe filesystem used for RPC. Who knows. Personally, I'm not going to wait around to find out.

4)The Public's Perception of Hacking
by dmuth

First, I should probally preface this geek for several years, and love playing with technology, so I feel I am able to relate to the hacking community.

Anyway, my question is, how do you deal with the way the public (including the media) percieves "hackers"? I've seen some clueless people use the term to describe *anyone* who does anything with a computer that they find > objectionable. I've even heard the term applied to spammers!

Needless to say, the misue of the term makes my blood boil, because I feel a certain respect towards the real hackers, such as yourselves, because you guys do know what you're doing, unlike all of the script kiddies out that that either have the term applied by clueless reporters, or they use it on themselves.

So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this sort of perception of the hacking communtiy for some time.

L0pht:
The first thing you need to do is refer to yourself as a hacker and be prepared to educate the person you are talking to what you mean by that. It doesn't matter if you are talking to someone from the media, or the government, or the business world. People need to know the real meaning of hacking, its history, and what a positive thing it is.

A lot of the time we talk to the media just because we are afraid that if we don't there will be no one they talk to who will describe hacking in a positive light. No one to describe it as other than defacing web pages or breaking into .mil sites. This was one of the reasons we wanted to talk to MTV. We were afraid their story would be all about criminal hackers. If you saw the MTV show you saw that sometimes resistance against the media memes is futile. The show was 95% about illegal activity.

Yet the world of hackers is 95% non-criminal. Probably a better percentage of people behaving positively than most segments of society. It is a world of people exploring the edges of technology and building things. The crazy thing is the government is making more and more of that exploration illegal.

Reverse engineering security mechanisms is being considered a crime. Receiving digital radio signals is a crime. We can't let them wall off part of the world we inhabit from investigation.

Hackers have a positive role to play both as builders and critics of the digital world. Unless we speak up and refer to ourselves in that light we have only ourselves to blame. Everyone who can should educate. Its not easy changing perceptions. But sometimes a passionate personal explanation of what hacking means to you can make someone change their mind.

5)security of capability-based operating systems
by sethg

What do you think of capability-based systems, such as EROS? The folks who are working on these systems say they are fundamentally more secure (against both malicious code and heisenbugs) than Unix derivatives, Windows NT, and other ACL-based operating systems. Do you agree with this assessment? Do these systems have security weaknesses that Unix-like systems don't have?

L0pht:
It's nice to see work such as EROS comming out of DARPA funded projects. Capability-based systems are quite interesting. However, one must be quite careful when making statements such as the one that these systems are more fundamentally secure that others. One has to keep in mind that Windows NT made a similar claim. Was NT fundamentally more secure that Unix as was presented to the general public? Well, it did have a security model that Unix lacked and it's internals were much more akin to VMS which had various strengths that Unix lacked. Yet we all saw that the implementation is where it matters.

In reality the implementation is key. Things can look great on paper and be a real bear to implement (look at communism for example). Another key component that is often overlooked is the functionality. This is a double edged sword. If the system is not universal and generic enough in nature to exist in a plethora of environments then it is difficult, if not impossible, to gain wide scale acceptance and use. Of course, this notion is directly opposed to creating a secure operating system. If it has to work in a multitude of environments then it needs to be relatively open and flexible or else the skill set and support for integrating it into one specific environment is beyond most peoples abilities (ie it won't get used). Sun Microsystems ran in to this problem with older versions of SunOS (now retroactivly named Solaris 1.x) when they used to consistently ship with a '+' in /etc/hosts.equiv. After several years they received enough requests to take it out of the distribution for security reasons. Unfortunately, taking it out caused so many installations to not be "plug-n-play" that they promptly put it back in.

When I look at an operating system such as EROS the following pops out at me when thinking security (this should not be viewed as condemnation by any means).

. RTOS modeled.
Real Time Operating Systems can be very useful for directed applications but suffer in general use often times. In addition, certain security notions at extremely low levels of a system (ie hash signing memory blocks that are passed between processors or ASICS) incur overhead that is quite unwelcomed in most of the "general public's" acceptance in RTOS.

. Emulated POSIX and Unix environments
I love Unix. However, it's difficult for someone to maintain the claim that they are more secure than another operating system and then emulate it's behaviour. A good emulation is going to have the good and bad aspects on the security front or many things won't work.

. implementation from the ground up can be painful
Often times it is required. But heaven help the "vendor" that decides that in order to be their own maker they will do it from scratch without looking at the mistakes that others have made. We see it all too often that people decide to reinvent the wheel and foist square versions on people the first time around.

With all of that being said I believe that in the future, should people start to wake up and really appreciate the notion of security and privacy in a way that really influences the market... we will see more dedicated systems and fewer general purpose ones. In order to go that route projects such as EROS are invaluable.

6)Security Through...Unpredictability?
by Effugas

Would you agree that security and stability are but different sides of the same coin? In other words, a security exploit is truly nothing more than an expertly controlled failure?

If so, how much stock can we put into the "metadesign" of limiting the damage an exploit can create by attacking the ability of a failure to be controlled? Should operating systems incorporate such "unpredictability engines" when being run in a production, non-debugging manner? Or is such a design not worth pursuing, for various reasons?

L0pht:
You must be a kindred spirit :) We have been preaching the approach that most stability problems are security problems that have not been looked into enough for quite some time. By fixing security problems you enhance the stability.

Now, with that said, it is important to shoot for the pinultimate solution to problems and this ends up being a wonderful academic excercise (out of which great things come). Do we shun any notions that merely raise the bar instead of being the silver-bullet? No. Each elevation in design is a step in the right direction. It is apparent that we have many steps in front of us but this does not mean we should stop progressing until a magic cure is found.

Unpredictability in systems, such as loaders or interpreters that recurse random times to throw off "static" frame location and other mechanisms (ie canary values) etc. are some of the finer points that I see coming out of the security approach to implementations. Are they ready for production systems? It all depends upon what your production system must be capable of. In many cases the answer is yes. In some cases the answer is no.

7) Future of Hardware Hacking?
by Tackhead

Two questions (Well, three, really, but I'm a hardware geek, and I love trying to squeeze three things in the space of two):

A) Wireless.
Lots of folks have been asking today about the wireless network project. "Me too"; the page has been up for years, it's a fascinating and extremely powerful idea, but for those of us who aren't RF engineers...

> When do we get to see some hardware projects to build, or is it the case that -- due to regulatory restrictions on what can and cannot be transmitted on US airwaves -- work is being done independently on the notion of a secure wireless IP-based network but isn't being released so that those of us who aren't RF engineers can't gum up the works by screwing things up before it's ready? :-)

L0pht:
The Gnet project has been in progress for many years now. Mainly the problem had been lack of funds, but now time allocation and lack of dedicated participants hold back expansion.

There is a lot of interest, but no one seems to be willing to put up the nodes. There are 2 sites currently on the network. One at l0pht and one at a residence. This has been the state of the network for the past 2 years. Unfortunately no one with enough initiative in either state has been found to setup other nodes. There has been interest in other states but the long haul capability has yet to be worked out. Encrypted tunneling over the Internet may help span the network over long distances. Once the fabric of the network expands, landlines could be replaced with wireless links/nodes.

High-density, low-power networks sound great in theory, but until the interest level rises above its present state, the cellular structure will remain the dominant topology.

To get the network off the ground, we have been trying to go the Amateur radio route. Going this route does have its drawbacks. Encryption is forbidden, however compression is not. I have been running ssh in compression-only mode for years. The initial ssh authentication is allowed under FCC guidelines, as long as the communications is not encrypted, you are within the rules.

The move off the Amateur frequencies will be made once the cost of National Information Infrastructue (NII) part-15 devices drop under $500 dollars for a pair of nodes. These devices fall operate in the 5Ghz frequency range. The breakdown is as follows:

  • 200 milliwatts EIRP (5.15-5.25 GHz) - indoor
  • 1 watt EIRP (5.25-5.35 GHz) - inter-campus/neighborhood
  • 4 watts EIRP (5.725-5.825 GHz) - Point-to-point, few miles, terrain permitting.
Other devices which are useable in the project are ISM band Part-15 devices which operate in the 900Mhz and 2.3Ghz frequency range, and dwell in the Wireless lan arena. Wavelan(Roamabout) http://www.wavelan.com, and rooftop networks (just purchased by Nokia) among others, players in the 900Mhz and 2.3Ghz arena. Older wavelan equipment can be found by searching auction sites and used equipment dealers. Early wavelan 2Mbps/sec ISA/PCMCIA cards can be found for ~$125.00 US Dollars. The problem with these cards is they don't conform to the IEEE 802.11 Wireless Ethernet specification. This is one inherent problem with building the network out of old equipment. It becomes costly to replace eqiupment once the entropy ball starts rolling.

The path to build custom equipment is equally as challenging. For example, the TAPR (Tucson Amateur Packet Radio) group has been in the forefront of Amateur packet radio for the past 15 years. While they have an established base of dedicated users, they continue to have problems developing new hardware. They have been prototyping a Frequency Hopping Spread Spectrum (FHSS) system for 3 years now, with still a protoype just passing a design review. Hopefully this project will come to fruition soon!

Some very talented folks over in Slovenia have developed some BPSK transceivers and a no IF SSB transceiver which will work on 1296, 2304 and 5760MHz. None are in kit form but the schematics, theory, construction notes, and equipment checkout is available in english. (schematics are not in english.). These radios are not for beginners or even intermediate kit builders. It would be nice if someone could kit these units. I started to convert the 23cm BPSK design to utilize a chipset family put out by RF Microdevices, but then my time got sucked into other projects. I may find the time to persue this once again, but I would like to get some semblence of a network greater than 2 nodes up and running first. *sigh*

B) The future of hardware hacking.
With the trend towards more and more functionality becoming embedded into ASICs and single-chip solutions, the golden age of "just desolder this", or "reverse-engineer the schematics and jumper that", or "replace [PROM| EPROM| EEPROM| PIC| FPGA] with one with the following special programming, and here's the [CPU| microcontroller]'s instruction set and a memory map of the embedded system" appears to be drawing to a close. Anyone can desolder a 24-pin DIP EPROM and hack it, but trying to desolder a 100-pin PQFP is a real bear without $500+ worth of specialized equipment, and knowing what to do with the chip after you've desoldered it is well-nigh impossible.

Do you see a time when "hardware hacking" (as we've traditionally known it) will have to fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps users taking advantage of the vastly more-powerful gear out there today and building their own hackable hardware, eliminating the need to hack other people's hardware?)

I suppose that's tangentially related to the wireless.net question - for mass distribution of the tools needed to build such a network, for instance, it seems to me that re-purposing cheap, widely-available stuff that others have junked is a better path than having to build things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be re-usable... where does one go from there?

L0pht:
It is true that the Electronics industry is moving toward much denser Multi-chip module like IC's. System-on-a-chip (SOC) is beginning to make inroads in communications equipment. Celluar/GSM/PCS phones are beginning to sport such technology. SOC will also revolutionize the security coprocessor industry.

What we see here is the bar being raised in the HW hacking arena. Remember cost still drives much of the industry and you will continue to see many devices still using microcontrollers. There are many, many internet appliances using standard Embedded Processors and peripheral IC's. The hackers are just going to have to bone up on thier FPGA hacking skillz. Monitoring the inputs of an FPGA and then the outputs, and hacking together an FPGA to drop inbetween isn't unheard of.

Hardware hacking today does require a bit more than the standard weller solding iron, a 50Mhz scope, and a multimeter. With processor speeds moving up into the 800Mhz range, you fall flat on your face with those stoneage tools. The trend in general is hardware which is becoming more and more abstracted and described by high-level programming languages such as verilog and VHDL. One must stay abreast of the latest tools in his trade. There are also relatively inexpensive "soft" tools, in that a spectrum analyzer, logic analyzer or a scope utilizes the modern PC as the guts of the device and an inexpensive physical interface module is purchased along with software for the host. The interface is typically a data acquisition pod for converting the sampled analog data into the host PC for processing and the presentation.

The security of FPGA's is definately going to become more of a target in the future. I can't think of anyone that doesn't set the security bit of FPGA before programming a device. Ummm.. Hmmm.. maybe I shouldn't say that. ;^) It does happen. There are also some not so well known ways around "securty bits" on FPGA's. Also, most FPGA's will allow you to reprogram them in circuit whether or not the security bit is blown. You just better be sure you can reproduce what you monitored before squirting in your own code.

Remember there are many more ways to fry an egg, such as voltage margining, or operating a circuit over/under current and temperature specifications. Hitting HW with various RF emissions (above and beyond what stantard emissions/immunities tests test for.) can also produce interesting results and insights.

And as you alluded to in your question, hackers will build their own hardware which will interface to the service/system under attack, which will allow for variable, marginable, modules to provide the flexibilty which the stock standard HW didn't provide. Study communications test equipment. Many secrets lie inside.

A lot of today's "hardware hacking" isn't strictly limited to hardware, due to the fact that most products are embedded systems - meaning there is a union of hardware and software. Those who are strictly "hardware guys" will fall by the wayside and those who are strictly "software guys" will also fall. You will need to have a decent knowledge of both the software and the hardware environment you are programming for. I have seen companies struggle because they hire CS folks to write firmware for a product. These particular folks could not grasp that they were writing for a platform other than a PC or desktop. They didn't understand how interrupts worked, how to write to a port, how to write low-level drivers to control external memory or other devices on an SPI, I2C or other inter-chip protocol. What ended up happening is the company called in the hardware engineer (me) to write all the low-level functionality. In order to properly design a product (and reverse engineer the product), you need to be able to grasp all facets...

The industry today is really in a sad state and I am fearful of the quality of the products that are due to come out on the market - the hardware and circuitry is sound and well-structured, but the software will have major fault and, because of this, many possibilities for vulnerabilities.

C) The future of l0pht.
(At least publicly), there's been a lot more activity on the software side of l0pht than on the hardware side.

To the extent that you can discuss it openly, do you see l0pht's main activities over the next 3-5 years as continuing to revolve around the "expose weaknesses in software" side or the "work on next-generation hardware projects" side?

L0pht:
Both. Hardware projects, since the beginning of time, are more costly, require more tools than software, and mroe often than not, more time consuming. Due to this, the amount of publicly-known activity appears to be less. As mentioned before, there will be more and more projects that require the knowledge of both hardware and software sides, where L0pht fits the bill perfectly. There are so many products and technologies to look at, there is no way we can limit ourselves by saying what activities we will and will not do. If something comes out, be it hardware or software, that we want to attack, we will.

8)What engines/sites do you use to scour the 'Net?
by Bacteriophage

Seriously, I would like to know. When you sometimes don't have all the answers (I assume that would be more than never), where do you guys go on the 'Net to find what you need concerning computer security, **/*acking, or even just news? Do you ever come to /.? This answer shouldn't take very long, and it'd be nice to get the seperate preferences of each crew member, as well as the general preferences of the group.

L0pht:

Generic search:

Altavista or NorthernLight for a spider based search Yahoo for a topic search.

Ask Jeeves when I don't really know what it is I am looking for.

security/hacking: altavista - word sequences work well. A recent example would be a search for the PCI specification by looking for "pci spec".

yahoo - when altavista doesn't help

Hacker search:

------

Next week: Steve Wozniak (and a special pair of *surprise* guests Tuesday).

This discussion has been archived. No new comments can be posted.

Interview: The L0pht Answers

Comments Filter:
  • Agreed. I don't know what's worse -- the DCOM approach of using a mystery port between 34567 and 65432, or tunnelling RPC calls over plain 'ol port 80 and hoping the Unix hippie firewall admin doesn't notice. Either way you are opening yourself to remote code execution that may not be expected.
    --
  • Maybe it doesn't make them something else, but a malicous "hacker" is called a "cracker" and therefore is no longer a "hacker"...yes, I know, many arguments about that, but try convincing a real hacker of that.
  • by pabs (1629) <pabs@pablotron.org> on Friday December 31, 1999 @03:02PM (#1428044) Homepage
    That was one of the best Slashdot interviews I've seen since...I don't know when. It's good to see someone (or a group) speak thoroughly and clearly. And I'm sure that comes from years of dealing with aggressive press who don't want to listen.

    Agreed. It's nice to see an educated and well articulated piece on /. for a change.

    No one argues that hackers are mis-portrayed in the media.

    I disagree. Supposedly reputable news establishments generally attribute report break-ins, defacements, and theft (eg _cracking_ behavior, or malicious hacking) to hackers. Unlike most hackers, I'm not particularly concerned about the "hacker" label. What I am concerned about is the implicit message the media is sending to the uninformed: that learning and privacy are analagous to criminal behavior merely because knowledge regarding either could be used to exploit badly designed or implemented security models. Correlation is not causation. Just because an apple is a fruit does not mean it's an orange.

    Tell them what it means. It's a fine line between informative and over zealous

    It is extremely difficult to convince most people to sacrifice convenience for security (witness the hundred of thousands of unprotected and unpatched Windows 9X and Windows NT systems accessible by any other machine via internet). Even though connecting a Windows 9X machine to internet is akin to hang gliding in a military no-fly zone, attempting to explain this to the masses will automatically place you in the "paranoid security nut" category. I'm not saying you shouldn't try (I've been trying to move my users from telnet to ssh for monthes), but noone should expect a chocolate coated, overnight change.



    --
    odds of being killed by lighning and
  • Corrinne Yu [slashdot.org] wrote
    I am trying to swear of /. for good, and you have to interview Woz, who is *only* one of the people I look up to the most and have the greatest (though remote) influences in my life.


    It's a pity we don't have any real way of honoring all the quiet garage-shop hackers who have paved the way for today's progress. Sure the general public is somewhat aware of Moore's Law and Metcalf's Law but what about all the people who make significant advances but shunn the celebrity limelight (note the distinction between fame and celebrity). Scientists had one advantage in that they can name stellar or planetary features after famous scientists. What do hackers do to honor the quiet heros (e.g. Postel) who have contributed so such, yet are unknown outside their specialty? Perhaps autographed designer chips/cases might become collectable memorabilia in a few decades time :-). Without heros (and I'm not talking about Time's money-churning poster boys/gals here) how do we inspire upcoming hackers to follow in the footsteps of the real pioneers?

    To end on a philosophical note, a great society can be measured by how well it treats the least of its members, not by the self-awarded laurels of the elite. Respect the source of knowledge and cite their inspirations for one day, others too may stand on your shoulders to reach for heights unimaginable.

    LL
  • by Corrinne Yu (121661) on Friday December 31, 1999 @09:57AM (#1428046)
    Good to see mass media has finally caught up with *real* *hackers/crackers* and not juvenile delinquent web defacer.

    I think the good old (childish :) ) days of hacker/cracker/manifesto (I wrote a few when I was young enough to be forgiven :) ) are returning in a pleasant way.

    Apologies for both OT and "dittohood".

    I hate you Roblimo.

    I am trying to swear of /. for good, and you have to interview Woz, who is *only* one of the people I look up to the most and have the greatest (though remote) influences in my life.

    Coding on Apple 2 changed my life in drastic ways.

    I doubt I can come up with any insightful questions for Woz beyond the "You have been the greatest hero in my life since I was a teenage girl. What you have done made such a huge difference to me and people like me. What do I need to accomplish such that I can meet you? Then what more do I need to accomplish such that I can earn your respect?"

    Why such a temptation, Roblimo?

    P.S. flamebait :) I hate the Mac and only love the Apple 2, and adore the 2GS.
    Corrinne Yu
    3D Game Engine Programmer
  • Thanks, Lopht, kickass reply to my inane bantering.

    Just a slight clarificiation though, since I worded it badly. I meant does THE NET itself still have the potential to be the singluar, defining, medium of liberation - not the underground itself. With such talk as taxes on the Internet, and courts deciding linking itself can be illegal, then there are serious threats to the idea of an open medium - and your repeated analogy of democracies undermined by uniformed people is particularly telling. Think about how many people use the Net just to read corporate owned portal sites on Entertaiment and fashion news.

    Anyways, signing off - It's 2 AM here in Central London. No civil disruption. My puter is working fine. Had an amazing view on the rooftop of The Savoy hotel shooting with a mini DV camera and a 16mm Canon Scopic - next to a bunch of Int'l news crews - now that's the kind of hack I can pull off. The Hotel staff told me off for bringing a skateboard into their building. Suckers.

    The moment leading up - such exhilaration. I just have a feeling like I'm walking on other people's hopes. 1999 years without annhiliation, new challenges, but there's people out there working on them, at least.

    Just want to say, babbling here, that I for one have a strange sense of hope. May you all have a safe and emotionally reflective New Year.

  • Just imagine a new generation of a Bubbleboy-Type worm (you don't seriously believe M$ has fixed every security-hole in VBS, WSH and their email-clients, don't you?), this time not without payload and several weeks after the first warnings about the signature checking in Outlook, but instead especially designed to do whatever damage you could do on a PC.

    A few ideas from myself:
    - Randomize the registry
    - Insert errors in every file residing on accessable network shares
    - Flash the BIOS incorrectly
    - Burn graphics chips by overlocking them
    - Crash harddisks
    - Damage Monitors/Graphics-cards

    I'm sure a good terrorist could come up with a few more tricks. If only some of these tricks work, and about 25% of NT/Win 9x boxes are hit (which isn't too unrealistic), you can prepare for some _serious_ damage.
    It would cost billions alone in hardware damages, but these would be dwarfed by the costs in work and lost productivity.
  • Do remember that there is still a large amount of people in the US that do not have internet access, much less own a computer at all. If those people vote, they won't give a damn about computer security, hackers, crackers, or anything like that. If anything, there's a good chance those people are going to be listening for two things from the people running for office: social security and welfare reform.

    Most poor people are too poor to afford a luxury computer, and most senior citizens tend to care less about the internet, or especially about privacy or things like that.

    I don't exactly know how that problem can be remedied. There's no point asking someone what they didn't understand about a James Joyce novel if they don't even know how to read.

    Zack "Vorro" Adgie
    ---------------------------
    A wise man speaks because he has something to say.
    A foolish man speaks because he has to say something.
  • If this offends the L0pht people, good. I browse
    the l0pht website. They have links to 'hacked' pages. Displayed very prominently


    If this is where you stopped "browsing" then I feel sorry for you.
    L0pht has been giving to both sides of the security community for a long time.

    Maybe you should read the web site instead of "browsing" it.

    Unstable Boy

    P.S. the web pages were "hacked"...as in the code in the page was changed...that is a hack...
    the servers they were on were "cracked", maybe YOU should learn the real meaning of those two words.
  • 'm prepared to forgive them this for the sake of the amusement I got out of the reference to 'consecrating explosives'. To make the Holy Hand Grenade of Antioch perhaps?
    Don't forget the instruction book.
    "...and three is the number thou shall count..."

    Unstable "1...2...5" Boy

  • we just need to minimize their impact as much as possible
    We all should at least get our friends practicing safe computer practices. I have several friends that are not and probably will not be "computer literate" but I try to at least help them make the right desicions (you should hear me rant on opening e-mail attachements).

    Even if you only help a little at a time.. it adds up quickly. Unstable Boy

  • I think a big problem is that the uninformed citizenry doesn't care to be informed. They've got better things to do. This is especially the case with many of the older people in positions to make decisions that involve computers. They've been running a business for years,when suddenly computers appear. These people don't understand them, they may even be afraid of them, either way, they don't fully see the importance of them. They've been making a living for years without them. Or even if they see how relevant computers can be, they still don't want to take the time to study and learn them. My mom is a perfect and very frustrating example of this. She has an old pentium running win95 that she uses to check her email. Repeated efforts by me to get her to switch to a mac have failed, even when I offer to pay for the machine myself (The family tech support time it would save me would quickly make up for even the most overpriced of apple's software ;)).

    This really confused me for a long time. Her usual response was "But I don't know macs, I know my computer." I finally realized that she doesn't know any computer, she knows at most, a little about outlook express. Furthermore, she doesn't want to learn anything, which is why all my attempts to upgrade her equipment or to teach her anything haven't worked.

    Now my mom can't be swayed by her own son, a definate windows hater, and someone she would readily admit knows about a billion times more about computers than her. Take some guy off the street with no knowledge, no desire to gain knowledge, and no child to constantly assult you with that knowledge anyways, and you've got a permenently uniformed citizen. They don't want to learn, trying to teach them isn't going to help, we just need to minimize their impact as much as possible, and wait for the world to pass them over. It won't be much longer.

  • The solution that has been taken by most people, including many posters to /., is to hide themselves and hope the newbies go away. With the current situation that has caused the newbies to become what they are, and the amazing pre-background that is not possessed by these newbies that is required with the majority of current documentation and friendly tech support, this solution is in fact a solution, it will make the newbies go away, unfortunately it will also be a great detriment to the operating system itself

    Hmm. I don't know where you've been lurking, but on the Linux newsgroups, there are an enormous number of newbies looking for help, and a smaller population of people trying valiantly to help them. I personally visit comp.os.linux.hardware and comp.os.linux.misc every day, looking for questions that I know the answers to and trying to help people even if they don't know what button 2 on their mouse is for. And I know I'm not alone.

    I think part of the problem is that Linux/the "geek society" is more of a meritocracy than anything. Anyone can be an expert; all it takes is time and effort. This is not common in the real world, where money/birth/social position/physical appearance are more important. Long-time Linuxers are more used to the "if it works, use it no matter who it comes from" attitude, while others worry about the endless political maneuverings more common in normal human relationships. ("Should I use Person 1's code? It works better than Person 2's code, but Person 2 is influential and maybe I should suck up to Person 2...")

    Representative democracies have an inner circle of politicians and Pocket Filler corperations...There is not currently a method of government that has been invented to inform the uninformed, give power to the powerless, and lead the scattered in a manner that is truely their own motive.

    "Democracy is the worst form of government, except for all the others."

    The problem is that most people don't want to think and make decisions on their own; they want to do the easiest thing, even if that means bowing down to Big Brother. This tendency is probably impossible to conquer. Til everyone on the planet is capable of thinking for themselves and willing to do that most of the time, there will be a minority that will control many aspects of society.

    Thing is, in the Linux community, I think those in the "elite minority" encourage independent thought/action/learning. "Study the source, and you too can hack device drivers someday." When was the last time you saw a large media conglomerate encouraging ordinary people to set up their own small private radio stations?

  • As someone who was forced onto a service owned by AOL when my ISP (CompuServe) was bought out, I have to disagree with you in my personal case.

    I run RedHat 6.1 on a separate partition. I tried Corel but didn't think much of it. I can't run my modem under Linux because it's a Rockwell HCF (why, Rockwell, why?) - otherwise, I'd probably move. I use Windows [a Beta 2 version, guess which project I'm on] mostly for games and MSWord. I'm trying to learn C and C++ in a UNIX context. I spent days trying to make svgalib work under Linux, eventually discovering I needed to download v1.4 (RedHat 5.2 had supplied v1.2.1.)

    My online service provider is now using a modified version of the AOL software, with new graphics. (I'm typing this using a Freeserve account, as it regularly refuses access to USENET or to /., claiming a timeout.) My email and file download screens are festooned with adverts for E-BAY. The only thing I use it for is the Web, and I get a rather slow connection which disconnects me around every twenty minutes and which takes several minutes to download a 100K attached file. I'm close to leaving.

    I agree with several points here: AOL does indeed want to [EDITED] you over for ad revenue, and the OS is indeed second rate compared to Linux or even MacOS. But I need to keep it, because the world does not run on Linux, or MacOS, or even UNIXes as a whole. 70% of computers in the world (I'm not sure about this) run on MSFT software. If I want a computing job, I have to work with it.

    And that is the saddest thing of all, as people like l0pht help to advance our knowledge of computer security systems and inner workings of computers, things which would really help the rest of us. But instead, most of the world's population just wants to play several rounds of Solitaire and write a letter to their grandmother on MSFT software, and this is why they are on top. Not because of any interesting reason, but because people have placed them there.
  • no kidding...when I was trying to convince my mom to get a macintosh, she asked some questions about email, and for some reason I mentioned that she wouldn't be able to open any attachments that were .exe files. While that'd actually be a rather good thing, (for her computer and her little on call 24/7 tech support slave) she wanted none of that. I wonder what sort of overall effect on bandwidth these people have with their little email circles.
  • Apologies to OT.

    // Pity

    "It's a pity we don't have any real way of honoring all the quiet garage-shop hackers who have paved the way for today's progress."

    It is sad that the only way I can think of are people like you and I who keep their contribution, achievement, talent, ingenuity, work ethic close to our appreciative hearts.

    // way of honoring

    I was a home computer hobbyist before being apple 2 fanatic, so I do remember and appreciate the same heroes you hold dear to your heart.

    I think a start would be to post, publicize, and factually append and correct various faqs in early home computer hobbyist development. Would you like to do this with me? (I saw you did not post your email address.) corrinney@3drealms.com

    I "act locally" by "publicizing" and mention various "less-sung" heroes in my life.

    // devil's advocate

    I am one of the "celebrity limelight" shunner myself who stay away from being a "Time's money-churning poster boy/gal", and have several friends and peers in that category.

    Sometimes I think: Why is Person A who contributed more and Person B lauded more (or get mentioned in Time more)?

    And sometimes my answer is the same for why Woz is influential. While there may have been several technically laudable home computers, the Apples, and specially the Apple II's, are the ones that directly propelled many onto the path of hobbyist coding. To those coders, their lives were more directly affected by Woz.

    There may have been several to many laudable computer games, 3D engines (I was working on those myself in the same time frame), but celebrity/popularity it is Doom and Quake and Duke Nukem itself that reach the largest number of players, not the various technically interesting projects we coded. To those players, their lives were more affected by id, though there are many other fine and great coders then.

    So in that way id et al. *deserve* having the celebrity limelight and Time articles, not necessarily for being technically most advanced in all issues, but for having impact to the largest number of players.

    It is indeed a worthy topic (and worthy of action), and I would be glad to discuss with you on this off-line.
    Corrinne Yu
    3D Game Engine Programmer
  • Not just uninformed, but apathetic. People just don't seem to care anymore. That is just plain sad. I sincerely fear for our liberties in the future due to this more than anything.

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • I've been following this stuff and I'm keenly interested...
  • by volsung (378)
    I am impressed with your amazing deductive powers. It isn't just anyone who can write off an entire group based upon a single technicality. Such tunnel vision and narrow-mindedness should stand as an example to us all.

    [Sarcasm off]

  • As soon as I read your original posting (a FEMALE talking about adoring Woz on SLASHDOT) I knew there would be at least one slightly offtopic remark. I wasn't let down ;-)

    But you shouldn't feed the troll, simply ignore him (or her).
  • by Foogle (35117) on Friday December 31, 1999 @10:02AM (#1428065) Homepage
    Here's an topic that I've batted back and for awhile now. Here on /. we're all pretty well informed about technology and the laws regarding it, because that's what we're interested in. But there's a huge number of slashdotters that seem to look down on people who don't feel the same way. Namely, AOL and Windows users.

    Let's give these guys a break. They don't want to learn the command-line. They don't want to edit config files. And they don't want to play around with dial-up settings. Sure, it's a trade off. They get a second-rate operating system and an ISP that basically just wants to fuck them over for Ad revenue. BFD, but don't say that those who aren't "in-the-know" are the biggest danger to personal liberties.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • "well, the example of a big huge internet worm strikes me as something which will probably happen. but it seems to me that m$ is probably thinking about it too... imagine if there just happened to be an outbreak of a linux worm?

    Sure, but you're assuming that MS has the skill and expertise to write such a worm, bugfree, before releasing it.

    Relax. That'll NEVER happen! :-)

  • There's one main difference. If there's an exploit for a Linux-System out there, there's a fix not too far behind, usually from more than one source. If it's Windows, it really depends on how bad Microsoft thinks it is before there's a fix available. The difference is the nature of the source, and that makes for what Linux advocates feel is a more secure system. I certainly feel more secure knowing that everyone with an interest has already seen my source-code...

    CCIIAW(c'rect me if I am wrong) but doesn't the way *nix in general handles file permissions pretty much prevent most malicious code such as worms from getting in and trashing things? With Windows it's fairly easy for a program to get in and trash the TCP/IP stack, however unless I run something as root or someone else *gets* root most system files should remain in good shape. Of course I think most folks running Linux would be a little hesitant to run an attachment from a message that read "A cool kernel patch from me 2u".


    mcrandello@my-deja.com
    rschaar{at}pegasus.cc.ucf.edu if it's important.
  • I thought Gumby had a pointy head?


    mcrandello@my-deja.com
    rschaar{at}pegasus.cc.ucf.edu if it's important.
  • >>Here we are moving into a new century and these fucknuts want to turn the clock back.

    Hey fucknut, we will not be moving into a new centure for more than 366 days.

    LK
  • No matter what the group, it can be a solitary group for years, but when it gets noticed, there will be many people who will jump on the bandwagon, this is what happened to the linux community. there will be the group yelling "I am a Linux User, Hear me ROAR! BRING DOWN M$", but then their will be the other, smaller group of people who spend hours coding, devloping and working behind the scenes. these are the true linux people. sort of the difference between "script kiddies" and "hackers" and the ever elusive (but relevant to this story) "true elite hackers" who write/discover/work-untill-their-fingers-bleed on the stuff that the script kiddies abuse, and the hackers use. That will never change. People want to stand on the shoulders of the dedicated greats who formed the object of their ego.
  • While that did irk me as well, I was pleasantly surprised while reading the responses. Every response was well thought out and expressed well. It is unusual to see this on Slashdot, where a lot of the text that describes articles is atrociously written. I have kept from telling people about Slashdot because of this, feeling ashamed to recommend a site that cares nothing about how they present themselves. At least the l0pht guys have some self respect (even if they did get ONE thing wrong)
  • I do have this feeling that kids that are growing up right now, ppl that are immersed in technology from day one will know better and see through the marketing crap. Ill stop becuase I am rambling now, and slightly off-topic.

    I would just like to inform you that yes, that is absolutely correct. I'm 17, I've been pounding at keyboards since I could reach one (sometime when I was 6 or so, I'm not totally sure anymore... ;). At the moment, I'm the anomaly (from looking at my peers in HS), but the immersion in tech early on is what I think has fueled my current interests.

    Just FYI.

    Jeff

  • by Tackhead (54550) on Friday December 31, 1999 @08:11PM (#1428076)
    I, too, was glad to see that L0pht hasn't stopped their efforts on the hardware front.

    My software/hardware interest was sparked when I started poking around an Apple ][ (cue next interview: "Thanks Woz, for including a ROM disassembly in your docs!") with CALL -151, and discovered that I could talk right down to the bare metal.

    From there, it was a question of learning to reverse-engineer 6502 with the built-in disassembler, and later on, dumping data from other machines (e.g. 1980s video games!) into the magic Apple box and seeing what I could glean from the disassembly. It was immediately obvious that I had to match the schematics of the hardware I was playing with against the addresses I was seeing in the code, and from then on, I became a hardware geek.

    I mention this because the concern I had with the barrier to entry is that when I got into it, any 12-year-old with enough time on his hands and brains in his skull could get started. Likewise with programming today - thank the Gods for Linux and open source because a 12-year-old can still get started in software by typing "man foo" and picking up a copy of K&R. (*shudder* - imagine a world without Free Software - what 12-year-old, however brainy, would get anywhere with an M$ system, where the very notion of "development tools" implies "very expensive add-on", rather than being part of the core distribution...)

    I guess the interesting question - and the one that can probably only be answered by the next 10 years of hacker history - is gonna be how today's 12-year-old is gonna make the jump between taking apart a computer and putting it back together again, typing "make foo", learning how to write good code that'll be properly optimized for the compiler, and {then the miracle happens} and he's in college poking around with a logic analyzer and a DVD-RAM drive in the lab off-hours.

    Having read L0pht's reply however, I realize that online auctions are bringing surplus electronic equipment availability to an all-time high. If you need a single-user SMT rework station, you can get one for a few hundred bucks. And the costs - like EPROM burners in the past 10 years from $800 to $150, are falling at the same rate. As for expensive VHDL software, I mean no disrespect to those who write such software when I say that for the hobbyist, if there were ever an ethical justification for piracy, "hobby use" just might be it. (And I note in passing that much electronic software is issued on a "try-before-you-buy, limited to 500 pads per board" basis :-)

    Someone else spoke about getting "warm fuzzies" from L0pht in the context of being glad the media are turning to them when they have questions. Count me in on the "warm fuzzies" too, but for a very different reason: in response to my hardware hacking question, they didn't just stop at saying "the bar's been raised, but don't worry, the hardware scene's alive and well".

    Where others might have stopped there, L0pht went - as they always have - one step further. In addition to the warm fuzzies mentioned above, they also managed to give me, and everyone else reading, a set of practical, concrete things to do today - bone up on VHDL, invest in new equipment, make that old 20 MHz scope available to someone still learning the basics, poke around presently-available wireless technologies, and network with fellow geeks who share your interest.

    Thanks, L0pht - not just for the idea of "Making the theoretical practical since 1992", but for living up to it and setting the standard in the years to come.


  • bling bling
  • No one argues that hackers are mis-portrayed in the media.

    I disagree. Supposedly reputable news establishments generally attribute report break-ins, defacements, and theft (eg _cracking_ behavior, or malicious hacking) to hackers.

    I think you agree with each other. Sometimes "argue" gets misused, and I think the original poster meant "No one disputes that hackers are mis-portrayed in the media."

  • Dude, don't thinkabout what this'll do to the public in $$, think of the shattered faith in M$!

    Work together for the Common Geek Good:
  • by FoulBeard (112622) <chrisx@@@speakeasy...net> on Friday December 31, 1999 @08:36AM (#1428089)
    While the lopht certainly have had some buzz around them, and have gained quite a notorious reputation. There is one point I would like to make.
    They answered all of the questions in the interview intelligently, and fairly. It seems that the members of the lopht are intelligent sentient beings, and not whining script kiddies.
    Also they brought up a very good point "uninformed citizens are the greatest threat to personal liberties on the net". How else would you explain the dominance of AOL, and M$ operatin systems

    I do have this feeling that kids that are growing up right now, ppl that are immersed in technology from day one will know better and see through the marketing crap. Ill stop becuase I am rambling now, and slightly off-topic.

    BTW: Hapy New Years!!!!

  • I read somewhere that one of the main signs of being a geek is a love of wordplay. Why then, do you put down this person who caught this interesting, shall we say "Freudian slip"?
  • by Jikes (123986) on Friday December 31, 1999 @08:20AM (#1428091)
    not to be a dick, but this one gets me... just like principle/principal...

    pEnultimate means *second* best... the word i think they were looking for is ULTIMATE, which is in common usage...



    penultimate (p-nlt-mt)
    adj.

    Next to last.
    Linguistics. Of or relating to the penult of a word: penultimate stress.
    n.
    The next to the last.


  • by Wellspring (111524) on Friday December 31, 1999 @08:23AM (#1428092)

    What really stands out to me from this interview is something I have felt for a long time-- that an uninformed citizenry is the biggest threat to our liberty.

    The best thing we can do is to remain engaged and active in educating people about what the internet and other computational advances mean for people. One thing I see is that although we may bicker about alot, it is interesting that whether you are a self described libertarian or socialist (or anything in between), most hackers have a great deal in common.

    I think that this is because knowledge of the new realities of the world and their implications itself points to good solutions for people. Small, agile corporations and governments. Privacy for individuals, publicly available information on group activities (such as governments or corporations.

    So grim saying of nay, which is all I've been hearing recently, is premature. Once people know what is going on, the answers will present themselves to them. And with the web, we don't have to tell them anymore, or give them philes we've downloaded at 1200 baud from someone's C64-- we can show them in full color.

  • by drrobin_ (131741) on Friday December 31, 1999 @08:39AM (#1428093)
    well, the example of a big huge internet worm strikes me as something which will probably happen. but it seems to me that m$ is probably thinking about it too... imagine if there just happened to be an outbreak of a linux worm? a linux -only- worm? it sure would help microsoft. and haven't they been hiring *nix people recently? maybe they're busy as we speak, happily shooting DOS's at our favorite operating systems, looking for a way in. i can just see the headlines: Y2K Rolls Over. NT has minor glitches. Linux systems crash worldwide. never mind the fact that the linux systems crashed because of a worm. reporters don't know the difference. geez, talk about FUD... anyone got any thoughts to cheer me up on this? --robin
  • Dude, what have you been smoking. L0pht is one of the most well respected groups in the "hacker" community. I mean they release software like l0phtcrack that no one else can even come close to emulating. You don't have to crash computers inorder to be "elite". I seriously suggest you check out thier site and see for youself how much they know before you start making cracks like this.
  • by IntlHarvester (11985) on Friday December 31, 1999 @08:56AM (#1428096) Journal
    If you're going to use Windows NT, you should probably keep that firewall in place between those Windows service ports and the rest of the world. Microsoft loves to add services and open ports to your computer when you're not looking. And it's probably not going to be the IP stack, it'll probably be some goofy listening service, like anonymous share enumeration or something. Or maybe remote access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields. Or possibly even some undocumented functionality in the named pipe filesystem used for RPC. Who knows. Personally, I'm not going to wait around to find out.

    "Firewall your NT systems!" -- This bit of advice has been widely known by experienced NT admins for many years -- some existing vulnerabilities having been documented back in the OS/2 LanMan era in the late 80s. Like early Unix network protocols, the product was designed for a mostly-trusted LAN environment, and this design philosophy has been continued with even fairly new add-ons like MS Transaction Server.

    Unfortunately, with the huge growth of NT as a platform, shifty or incorrect Microsoft documentation, an education program (MCSE) that completely neglects these issues, and a generally ignorant group of low-end administrators, there is a huge number of unprotected NT systems running on the Internet. (Compare this to Unix, where there exists a broad understanding of Internet security issues, and a healthy community skepticism of security claims.) As time, home broadband, and Windows 2000 goes on, I would expect that the number of unsecured hosts is going to out number the firewalled ones.

    Considering the underlying culture, I doubt an "Internet Worm II - This time it's NT!" would lead to anything more than a cosmetic fix. Unfortunately, Microsoft is probably going to have to redesign the control mechanisms of the numerous RPC services that run on NT and create a nice GUI with a big "Internet (Secure) Mode" checkbox. A security blanket, but it's going to do nothing to educate the administrators or engender a culture of security consciousness, and exploits will continue.

    Just as the original Internet Worm didn't shift the tide away from Unix and towards VMS, I really doubt these issues will affect marketshare seriously. Only, as the number of specialized Internet hosts grows, Unix's compartmentalized, peer-reviewed approach is going to continue to win over Microsoft's poorly understood philosophy of integrated RPC services.
    --
  • by vovin (12759) on Friday December 31, 1999 @10:56AM (#1428097)
    Actually this is the basis for the electoral college and fundamental to the founding of USA.

    Why should a farmer be as informed about any specific topic as a pundit? As generally knowledge in general as say a librarian or a college professor? The answer is that they are not and shouldn't be. So the question is, do they have a learned person who they respect and trust to make those decisions for them? Should I not be able to trust my MD to help me make medical decisions? Of course.

    This is why the founders of this country desired a REPUBLIC and not a DEMOCRACY. A democracy is the unfit to rule, ruling themselves. A Republic and the unfit to rule pick people to do for them what they cannot do for themselves.
  • I am not so sure the citizenry is uninformed. I would say that most people are fully informed about matters that affect them personally. Unfortunately, the world is too big a place, and there is too much going on, for everyone to worry about all the problems. In a democracy like ours (US here), it is up to individuals to defend their own interests, not fight impartially to make the world a better place. It certainly is not realistic to expect others to care about your problems.
  • I'm glad to see hackers talk about the hardware side of hacking. I'm no expert in the field of HW hacking but a problem that L0pht did not state was the problem with the expense of hardware programming tools.

    VHDL software for coding FPGAs are expensive and could and probably does impede HW hacking. The skill level needed for HW hacking is high and with the convolution of many chips and complicated hardware code it could only get higher. On the positive side the high barrier of entry (in terms of skill level) does keep out the script kiddies.

    I am also glad to see L0pht address the problem of many CS majors when it comes to hardware. I can't wait to see when my watch and toaster starts crashing because of poorly written code.
  • Apologies to OT.
    Never.
    For some people whose mind I respect, I will never have any relationship with them no matter what.
    That way when I earn their respect of my intelligence and talent, I have the satisfaction that it is unbiased.
    Besides you never know who ends up being your next co-worker.
    P.S. Please moderate me down! My post is OT, ditto, and *fannish* (uninformatiave). :)
    P.P.S. Besides, what makes you think Woz won't prefer men over women? (I don't think this question would make the grade for the interview either.) Maybe he would be more interested in you.
    Corrinne Yu
    3D Game Engine Programmer
  • I was very interested to read your comments on guerrilla.net. I too have been frustrated by the slow speed of packet radio and the level of participation in guerrilla.net. Specifically I'm frustrated buy the fact that I've sent email to the contact for guerrilla.net numerous times and have gotten no response. I'm now working with a local ham radio networking group (http://www.netcpa.org) for building out more network nodes.

    As for the Slovenian radios, they exist as kits. You just need to find the right person to talk to and the right way to send money overseas. I've ordered three partial kits for the radios and 1.2 Mb SCC-DMA cards with scramblers. With any luck they should be here by the middle of January.

    if you are serious about building up guerrilla.net, there are people out there willing to participate! You just need to respond when the email you!! --- eric (ka1eec)

  • by Shanoyu (975) on Friday December 31, 1999 @11:34AM (#1428102)
    Hahaha, ironic if you look at the slashdot article about newbies. The linux community has a great dislike of bandwagon hoppers yet they also have a large amount of Zealots who blindly promote the operating system to the detriment of features, other than the elitest attitude the zealots would have linux users put forth to others.

    Civilization has always operated with an inner circle controlling everything. For instance a Total Democracy via Technocracy would be controlled by the media. Monarchies have an inner circle of nobility, Representative democracies have an inner circle of politicians and Pocket Filler corperations, Afganistan has the Taliban. There is not currently a method of government that has been invented to inform the uninformed, give power to the powerless, and lead the scattered in a manner that is truely their own motive. Should anyone ever devise such a method of governing then it will truly be by a intellectual giant amongst men.

    Such is Linux's problem. The uninformed. Truly a problem with few solutions. The solution that has been taken by most people, including many posters to /., is to hide themselves and hope the newbies go away. With the current situation that has caused the newbies to become what they are, and the amazing pre-background that is not possessed by these newbies that is required with the majority of current documentation and friendly tech support, this solution is in fact a solution, it will make the newbies go away, unfortunately it will also be a great detriment to the operating system itself. I don't mean to insult this article since it's broad spectrum is relevant to many things outside of linux. However I feel it is fair, and important to point out that we see the problems pointed out by l0pht developing in a microcosm of the linux community.

    My point, kind people, is that we must fix the problems in our inner circles before we can offer, or even point out; (for risk of hipocriticism) to fix societies problems in our outer circles.


    -[ World domination - rains.net ]-
  • Comforting thought....

    Micro$oft is probably too large and incompetent to do anything of the sort anymore, and certainly not without any leaks getting out. And think about the timing of this with anti-trust investigations. No worries from Redmond.

    (besides, the 'ship date' of their "y2k-linux-worm" would prolly slip well into 2002, second quarter...) (G)

  • Isn't the Melissa virus (and its cousins) really already an example of a similar worm? It basically did the same thing as the Internet worm years ago and affected tons of users and companies.

    The thing about it is that whoever wrote it didn't *need* to find mysterious stack overflows in the IP drivers or even in the mail programs. The mail program (Outlook, in this case) HELPED the worm work! The Power of VBA at your fingertips, as MS would say.

    If there is a checkbox to "turn off" security and run scripts automatically, people are going to use it. If a message box appears to verify that the user wants to run the script, even though it may cause problems, users are going to just click OK without even reading it and the happy few who do read it are going to assume that the message is fine and click OK anyway.

    This issue is not just about Microsoft either. Sun crows about how Java is "secure" because it can't get at your personal files on your local drives, since the scripts are running in the VM. What they don't say is that, in their world, no one HAS any files local because their Java apps are saving everything on the servers, which theoretical Java-based viruses *would* have access to.

    Someone might want to challenge me on this, but imo, security and script-enabled applications/OS are opposites.

  • If this offends the L0pht people, good. I browse the l0pht website. They have links to 'hacked' pages. Displayed very prominently. But they obviously mean 'cracked' pages. If the l0pht folks can't get 'hack' and 'crack' defined, they are _not_ hackers, they are more likely _crackers_. And I'm dissappointed that slashdot and many people do not recognize this. Is slashdot running low on suitable people to interview?
  • Normally I do not rush into an argument with both swords drawn; I can make an acception for the dogmatic, almost hipocritical toleration of evil that has been displayed by some Troglodytes over the past few days.

    Recently, we have seen people from the same group, (linux users, a true miniature world of everything that is geek, of everyone who is informed of their field, and what is going on there.) insult the very people who would be educated, the very problem that has been stated in this discussion. I think it is obivous that if we do not stop the hipocriticism, which I personally see as the greatest evil ever to threaten linux, and soon to be spread to a wide variety of other intrests, then we will surely not be able to deal with the larger sickness of society as presented, (Powerfuly presented, i'll note) by L0pht in this interview.


    -[ World domination - rains.net ]-
  • Too bad the 2GS was a pile of shit for cr.. er debugging games :-) Much easier to do this on a 2e.

    I was really smiling when I saw that AppleWin [asimov.net] lets you bring up a disassembly window. Almost brought a tear to my eye :-)

    SEAL

  • Have a look at what I said yesterday. I misspelled century, but I think that my meaning was clear.

    >>http://slashdot.org/comments.pl?sid=99/12/31/1 030242&cid=48

    LK
  • I'm prepared to forgive them this for the sake of the amusement I got out of the reference to 'consecrating explosives'. To make the Holy Hand Grenade of Antioch perhaps?
  • Being on the stage during that event, I would have to say that it is indeed the case that Mudge was standing toward the back of the stage, he was indeed playing a guitar at the end of our presentation, and did indeed bash the shit out of some old computers. Honest.

    cDc and l0pht don't fight much more than any other siblings.

  • by Anonymous Coward
    Oh, that's just two bad; next you'll be accusing them of not noing there stuff. Why, you probably think their are better people then they are out their who should be doing they're job. Well, this is to much. We no how too write and how too spell. We need two no the hole storey, and can't bee worrying about wholes in our grammer and spelling. Don't like it? Well, too heck with you! Two bad your so bound up with such trivia. I'm sorry to be sow bemused buy you're post, but I cant help laughing. Yes, this hear flame is inflammible! :-)
  • I have no clue why I'm even responding to this but... you need help :-)

    They never made any claims that they could kill your computer. They are security experts and hackers, not the damn crackers you're talking about. Hackers do have a code of ethics that most follow. ( maybe you should look them up )

    And if you're running Windows, then it'll die by itself... no help is needed!

    I think you're the uninformed citizen that L0pht is talking about.
  • That was one of the best Slashdot interviews I've seen since...I don't know when. It's good to see someone (or a group) speak thoroughly and clearly. And I'm sure that comes from years of dealing with aggressive press who don't want to listen.

    But the more I think about it, I really don't mind that these guys are the ones the press run to rather than say CotDC. I don't find myself disagreeing with them, and they're far more eloquent than I could be in the situation.

    No one argues that hackers are mis-portrayed in the media. I think L0pht has the right idea: pro-active re-information. Don't wait until someone misuses the word "hacker" or what not to correct them. Tell them what it means. It's a find line between informative and over zealous (as a pagan who is neither wiccan nor satanic I have that problem all the time; but my beliefs allow explaining, not converting. I don't care if you disagree, so long as you made effort to understand). The next 10-20 years are going to be pretty frightening if we don't stay on top of information, and if the hackers are evil, then who is going to listen to them?

    Here's to you guys!
  • by synthe (86919)
    This Ask Slashdot was about the most intelligent discussion of the state of the net and the future of it that I have seen in a long time. I was hoping for some decent insight from the l0pht guys, and instead I recieved some of the most insightful thoughts of the year. I really hope that somehow the Powers That Be can convince l0pht to do something like a monthly (or even quarterly or semi-annually) article for /. .
  • by jlb (78725)
    Try setting the access controls on who can bind to a particular port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail miserably. And the list goes on.

    What is portfs? It sounds interesting but I can't find anything about it. Is it known by another name, or does anyone have a URL for it? Maybe I already know about it and just don't know what it's called. :)

  • where do you get them?
  • Oi. This post may be a little off topic, but education of the masses is important, no?

    >But the more I think about it, I really don't mind that these guys are the ones the press run to rather than say CotDC.

    Too many people confuse the purposes of cDc (that's lowercase c, uppercase D, lowercase c. Pretty much always has been.) with the purpose of a group like l0pht. cDc is not a software/hardware or even (dare I say it?) a hacking group. cDc is a textfile group. The (supposedly) original eZine. Stuff like BO (which, IIRC was written by a guy that is actually in l0pht as well as cDc) is a side project used to further their goal of Global Domination through Media Saturation. They SHOULDN'T be consulted on hacking/cracking information. Groups like l0pht are what that's all about. Media that consult cDc on these kinds of subjects are just victims of the cDc MediaMindFuck(tm).
  • by Roblimo (357) on Friday December 31, 1999 @01:26PM (#1428130) Homepage Journal
    Corrinne, I believe Mr. Wozniak reads Slashdot now and then. For all you know, he's already read your opinion of him.

    And besides, you *never know* what kind of questions might get moderated up and sent to him. No law says they all have to be techie stuff.

    We often get some excellent personal question in these interview. *I* sure don't discourage them!

    - Robin

  • Oooooh, rough tough Anonymous Coward. It's morons like you who though that the earth was flat for thousands of years even when there was proof that it was not. The ancient Greeks and Egyptians knew that the earth was round, but "cool" people like you convienently forgot about it just because it made things simpler to go with what was easy and trendy.

    Get your head out of your ass.

    BTW the earth revolves around the sun, NOT the other way 'round.

    LK
  • For a worm like this to occur, it would likely affect some sort of daemon (mail, httpd, etc.) and not the kernel itself. Any mediocre sysadmin would just look at the code and see how they were exploited, exclaim a nice "oh duh" and fix the problem.

    That's the point of Linux - the source is open. When you can dig in and look at the exploit, it's not a mystery occurance that makes you lose faith in the OS. Exploits like these hurt NT or other closed-source OS's much worse because the sysadmin has no way of seeing what happened, thus they lose faith in the system.

  • Obviously I am a "blithering ..." of incorrect english if I do not spend my time spell checking and editing comments which are essentially in futility in the first place. There are grammatical errors in your reply telling me I have grammatical errors, so quite frankly you can just sod off. Since I have no desire to dick around with an AC over a correction with his comment complaining about my comment that he feels needs to be corrected, the correct format for your comment was:

    You blithering [explicative], there is no such word as "hipocritism".

    You also forgot a period at the end of hypocrisy. Thank you, have a nice day.


    -[ World domination - rains.net ]-
  • doesn't the way *nix in general handles file permissions pretty much prevent most malicious code such as worms from getting in and trashing things?

    Nope. The god-like powers of root supercede file, memory, and device permissions. A lot has changed since 1988, but history [software.com.pl] has a way of repeating itself.

    Remember, all it takes is a badly placed sprinf(), malloc(), or strcpy() in a SUID daemon to bring a so-called bulletproof security model to it's knees.



    --
    odds of being killed by lighning and
  • by tilly (7530) on Friday December 31, 1999 @09:27AM (#1428136)
    I have to say that their answers were much better than I expected. I really liked their answer to mine. And I think that you hit some nails pretty solidly.

    I would just like to back up your comment on Remote Call Procedures. Microsoft had this thing called OLE, then they moved to COM, now DCOM. The next iteration is called SOAP and it works using XML over http. Everyone accepts http, so it is a great way to get remote call procedures, right?

    Wrong.

    The issues with remote call procedures are inherent in the nature of what you are doing. Microsoft is addressing the mechanism of doing it, and not also the substance of the security issue. All that they will succeed in doing is make it easier to unkowingly create something with serious security holes that is sent by http. And to make it better they are also encouraging creating customized SOAP applications in Office, which just means that there are a lot of new applications wandering around there that can also be security holes.

    When Sun created Java it not only addressed how you call it remotely, it also attempted to address security concerns. Microsoft has not learned that lesson, and I dread what it will take to teach people that security is inherent in what you are trying to do, and not in how you are doing it.

    (See likewise some of Tom Christiansen's rants about executable content in email.)

    Cheers,
    Ben

    PS Off to my sister's, away from the web for a bit. Glad I caught L0pht's response before I went though!
  • Very funny. very very funny... even got the @aol... nice touch...
  • I find a few things wrong with that:
    1. Warez is not hacking. It's pirating/cracking.
    2. Hackers do not throw their email out.
    3. 99.9% of hackers know better than to use AOL.
    4. Getting "hacking programs" means you're a script-kiddie, not a hacker.
    5. I didn't quite get the second to the last sentence, so I can't comment on it.
  • I think you may not be giving them enough credit for their linguistic skills; the writer (we're all thinking Mudge because we know his name, and who knows maybe it is him) may have meant exactly what he said.

    After all, we'll never find the ultimate solution to any security problem, but we'll find the best one for now. Penultimate is a pretty good word to describe that state of affairs.

What this country needs is a good five dollar plasma weapon.

Working...