L0pht

Last updated
L0pht Heavy Industries
Formation1992
Dissolved2000
Purpose Hacker think tank
Location
  • United States
Origin
Boston, Massachusetts
Founders
Count Zero
White Knight
Brian Oblivion
Golgo 13
Products
L0phtCrack
Affiliations Cult of the Dead Cow
Website Main Site

L0pht Heavy Industries (pronounced "loft") was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. [1] The group famously testified [2] in front of Congress in 1998 on the topic of ‘Weak Computer Security in Government’. [3]

Contents

Name

The second character in its name was originally a slashed zero, a symbol used by old teletypewriters and some character mode operating systems to mean zero. Its modern online name, including its domain name, is therefore "l0pht" (with a zero, not a letter O or Ø).

History

The origin of the L0pht can be traced to Brian Oblivion and Count Zero, two of the founding members, sharing a common loft space in South Boston with their wives (Mary and Alicia) who ran a hat business in one half of the space and helped to establish an IRL communal work space. There they experimented with their own personal computers, equipment purchased from the Flea [4] at MIT, and items obtained from dumpster diving local places of interest. [5]

Founded in 1992 the L0pht quickly became a location for its members to store their computer hardware and work on various projects. [6] [7] In time, the members of L0pht quit their day jobs to start a business venture named L0pht Heavy Industries, a hacker think tank. The business released numerous security advisories. They also produced widely used software tools such as L0phtCrack, a password cracker for Windows NT, a POCSAG decoder, and CD software collections.

In 1997, on August 8–10, Mudge, Brian Oblivion, Kingpin, Space Rogue, Stefan, Weld Pond, and John Tan of L0pht discussed recent projects and accomplishments, Windows NT, new projects, emerging trends and shortcomings in technologies, with Q&A session at Beyond HOPE at the Puck Building in New York City. [8]

In October 1999 L0pht was featured in a lengthy article in the New York Times Sunday Magazine. [9] In the article Jeffrey Hunker, NSC's then Director of Information Protection, said about L0pht, "Their objective is basically to help improve the state of the art in security and to be a gadfly, so to speak."

In January 2000, L0pht Heavy Industries merged with the startup @stake, completing the L0pht's slow transition from an underground organization into a "whitehat" computer security company. [10] Symantec announced its acquisition of @stake on September 16, 2004, and completed the transaction on October 8 of that year. [11]

In March 2006, Weld Pond and Dildog founded application security company Veracode as a spin out from Symantec. The Veracode static binary analysis technology was built at @stake, based on prototypes and ideas incubated at the L0pht.

On March 14, 2008, several members of L0pht sat at a panel at a standing-room-only group of infosec professionals at SOURCE:Boston. Present were Weld Pond, John Tan, Mudge, Space Rogue, Silicosis and Dildog. [12]

Senate testimony

On May 19, 1998, all seven members of L0pht (Brian Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, Weld Pond) famously testified [13] [14] [15] before the Congress of the United States that they could shut down the entire Internet in 30 minutes. [16] The Washington Post referred to the response as "a tragedy of missed opportunity". [17]

Four members of the original group Space Rogue, Weld Pond, Kingpin and Mudge [18] held a briefing entitled "“A Disaster Foretold — And Ignored” Revisiting the First-Ever Congressional Cybersecurity Hearing" hosted by the Congressional Internet Caucus Academy. [19] The briefing, held on May 22, 2018, [20] was almost exactly 20 years after the original testimony and was streamed live via Facebook. [21] [22] [23] [24] [25] [26] [27]

At the Defcon 26 hacking conference, held on August 10, 2018 in Las Vegas, seven of the L0pht members sat on a panel entitled "The L0pht Testimony, 20 Years Later (and Other Things You Were Afraid to Ask)". [28] Among other things the panel encouraged attendees to keep on hacking but stay on the side of the law that kept them out of jail. [29]

The General Counsel of the National Security Agency, Glenn S. Gerstell quoted testimony [30] from the L0pht’s hearing during his keynote to American Bar Association’s 28th Annual Review of the Field of National Security Law Conference on November 1, 2018. [31]

Products

As L0pht occupied a physical space, it had real expenses such as electricity, phone, Internet access, and rent. Early in the L0pht's history these costs were evenly divided among L0pht members. In fact, L0pht originally shared a space with a hat-making business run by the spouses of Brian Oblivion and Count Zero, and the rental cost was divided amongst them both. This was soon subsidized by profits made from selling old hardware at the monthly MIT electronic flea market during the summer. [32]

Occasionally, shell accounts were offered for low cost on the L0pht.com server to selected individuals; while these individuals had access to the L0pht.com server they were not members of L0pht. One of the first physical products sold for profit by L0pht was a POCSAG decoder kit, which was sold in both kit and assembled form. Subsequently, the Whacked Mac Archives were transferred to CD-ROM for sale, [33] soon followed by CD copies of the Black Crawling System Archives. The command line version of L0phtCrack, the password cracker for Windows NT, was given away free, but the GUI version was sold as a commercial product. This was followed by the creation of the Hacker News Network website to host advertisements. However, even with these sources of income, L0pht barely broke even, and eventually began doing custom security coding for companies like NFR. [34] [35] [36]

In January 2009, L0phtCrack was acquired by the original authors Zatko, Wysopal, and Rioux from Symantec. L0phtCrack 6 was released at the SOURCE Boston Conference on March 11, 2009. L0phtCrack 6 contains support for 64-bit Windows platforms as well as upgraded rainbow tables support. On April 21, 2020 Terahash [37] announced it had acquired L0phtCrack, details of the sale were not released. As of July 1, 2021, the L0phtCrack software is no longer owned by Terahash, [38] LLC. It has been repossessed by the previous owners, formerly known as L0pht Holdings, LLC for Terahash defaulting on the installment sale loan. L0phtCrack has now been released as open source. Space Rogue had also published a book on February 24, 2023.

Members

L0pht membership varied but included at various times: [39]

Related Research Articles

<span class="mw-page-title-main">Gen Digital</span> Multinational software company

Gen Digital Inc. is a multinational software company co-headquartered in Tempe, Arizona and Prague, Czech Republic. The company provides cybersecurity software and services. Gen is a Fortune 500 company and a member of the S&P 500 stock-market index. The company also has development centers in Pune, Chennai and Bangalore. Its portfolio includes Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.

<span class="mw-page-title-main">Zoe Lofgren</span> American politician & lawyer (born 1947)

Susan Ellen "Zoe" Lofgren is an American lawyer and politician serving as a U.S. representative from California. A member of the Democratic Party, Lofgren is in her 15th term in Congress, having been first elected in 1994. Lofgren has long served on the House Judiciary Committee, and chaired the House Administration Committee in the 116th and 117th Congresses.

L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.

<span class="mw-page-title-main">Kevin Poulsen</span> American computer hacker

Kevin Lee Poulsen is an American former black-hat hacker and a contributing editor at The Daily Beast.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the original Norton 360 security suite. The suite was once again rebranded to Norton 360 in 2019.

Christien Rioux, also known by his handle DilDog, is the co-founder and chief scientist for the Burlington, Massachusetts based company Veracode, for which he is the main patent holder.

<span class="mw-page-title-main">Peiter Zatko</span> American computer security expert

Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He is currently the chief information officer of DARPA. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow.

<span class="mw-page-title-main">Chris Wysopal</span> American computer security expert (born 1965)

Chris Wysopal is an entrepreneur, computer security expert and co-founder and CTO of Veracode. He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

<span class="mw-page-title-main">Cult of the Dead Cow</span> Hacker organization

Cult of the Dead Cow, also known as cDc or cDc Communications, is a computer hacker and DIY media organization founded in 1984 in Lubbock, Texas. The group maintains a weblog on its site, also titled "[Cult of the Dead Cow]". New media are released first through the blog, which also features thoughts and opinions of the group's members.

Xcitium, formerly known as Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey. Under the brand Sectigo, the company acts as a web Certificate authority (CA) and issues SSL/TLS certificates.

ATstake, Inc. was a computer security professional services company in Cambridge, Massachusetts, United States. It was founded in 1999 by Battery Ventures and Ted Julian. Its initial core team of technologists included Dan Geer and the east coast security team from Cambridge Technology Partners. Its initial core team of executives included Christopher Darby, James T. Mobley, and Christina Luconi.

<span class="mw-page-title-main">Cain and Abel (software)</span> Password recovery software

Cain and Abel was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel was maintained by Massimiliano Montoro and Sean Babcock.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">Joe Grand</span> American electrical engineer

Joe Grand is an American electrical engineer, inventor and hardware hacker known in the hacker community as Kingpin. He achieved mainstream popularity after his appearance on Prototype This!, a Discovery Channel television show. He specializes in reverse engineering and finding security flaws in hardware devices. Grand has testified before the U.S. Senate Committee on Governmental Affairs regarding government and homeland computer security under his internet handle, Kingpin.

Michael Gregg is an American computer security specialist, businessman, author and co-author of several books, including Build Your Own Network Security Lab and Inside Network Security Assessment. He has also served as an expert witness before a congressional committee on cyber security and identity theft.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

<span class="mw-page-title-main">Cris Thomas</span> American cybersecurity researcher and hacker

Cris Thomas is an American cybersecurity researcher, white hat hacker, and award winning best selling author. A founding member and researcher at the high-profile hacker security think tank L0pht Heavy Industries, Thomas was one of seven L0pht members who testified before the U.S. Senate Committee on Governmental Affairs (1998) on the topic of government and homeland computer security, specifically warning of internet vulnerabilities and claiming that the group could "take down the internet within 30 minutes".

References

  1. 1 2 3 Timberg, Craig (27 Jun 2015). "In 1998, these hackers said the Internet would become a security disaster. Nobody listened". The Daily Herald. USA. Retrieved 7 Dec 2017.
  2. Joe Grand (14 March 2011). "Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy Industries)" . Retrieved 24 July 2018 via YouTube.
  3. "Weak Computer Security in Government: Is the Public at Risk?". 1998-05-19. Archived from the original on 2000-09-01. Retrieved 2018-12-03.
  4. The Flea at MIT | The MIT Radio Society
  5. Smolan, Rick; Erwitt, Jennifer (1996). L0pht dumpster diving cited in 24 Hours in Cyberspace by Rick Smolan and Jennifer Erwitt. QUE Macmillan. ISBN   978-0-7897-0925-7 . Retrieved 2008-12-12.
  6. "Online NewsHour: L0pht on Hackers". PBS . 1998-05-08. Archived from the original on 2000-03-11.
  7. "Space Rogue". Forbes . USA. 7 Feb 2000. Retrieved 18 Dec 2017.
  8. Archived at Ghostarchive and the Wayback Machine : mhzghz2 (25 July 2012). "Beyond HOPE: The L0pht (Complete)" . Retrieved 24 July 2018 via YouTube.{{cite web}}: CS1 maint: numeric names: authors list (link)
  9. Bruce Gottlieb (1999-10-03). "HacK, CouNterHaCk". The New York Times . Archived from the original on 16 October 2015.
  10. "Odd coupling links hackers with security firm". 2000-01-07. Archived from the original on 2004-11-16.
  11. "Symantec Completes @stake Acquisition". 2004-10-08. Archived from the original on 2004-10-09.
  12. "SOURCE:Boston L0pht Panel on the SOURCE:Boston blog". Archived from the original on 2008-06-21. Retrieved 2008-03-14.
  13. Joe Grand (14 March 2011). "Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy Industries)" . Retrieved 24 July 2018 via YouTube.
  14. Archived at Ghostarchive and the Wayback Machine : Washington Post (2 December 2015). "How a hacker group came to Washington" . Retrieved 24 July 2018 via YouTube.
  15. "'90s hacker collective man turned infosec VIP: Internet security hasn't improved in 20 years". theregister.co.uk. Retrieved 24 July 2018.
  16. "Weak Computer Security in the Government: Is the Public at Risk?". 1998-05-19. Archived from the original on 2011-07-21.
  17. "A disaster foretold — and ignored". Washington Post. 22 Jun 2015.
  18. Tim Starks (2018-05-22). "Famed hacker collective reunites on Hill today".
  19. "A Disaster Foretold — And Ignored / Revisiting the First-Ever Congressional Cybersecurity Hearing". 2018-05-24.
  20. "Revisiting the First-Ever Congressional Cybersecurity Hearing". Eventbrite. Retrieved 24 July 2018.
  21. "Congressional Internet Caucus Academy - Videos". Facebook . 2018-05-22.
  22. "Congressional Internet Caucus Academy". YouTube. Retrieved 24 July 2018.
  23. Archived at Ghostarchive and the Wayback Machine : Congressional Internet Caucus Academy (25 May 2018). "L0pht Hearing - Joe Grand" . Retrieved 24 July 2018 via YouTube.
  24. Archived at Ghostarchive and the Wayback Machine : Congressional Internet Caucus Academy (25 May 2018). "L0pht Hearing - Mudge" . Retrieved 24 July 2018 via YouTube.
  25. Archived at Ghostarchive and the Wayback Machine : Congressional Internet Caucus Academy (25 May 2018). "L0pht Hearing - Weld Pond" . Retrieved 24 July 2018 via YouTube.
  26. Archived at Ghostarchive and the Wayback Machine : Congressional Internet Caucus Academy (25 May 2018). "L0pht Hearing - Space Rogue" . Retrieved 24 July 2018 via YouTube.
  27. Archived at Ghostarchive and the Wayback Machine : Congressional Internet Caucus Academy (24 May 2018). ""A DISASTER FORETOLD — AND IGNORED" - Revisiting the 1st Cybersecurity Hearing" . Retrieved 24 July 2018 via YouTube.
  28. "The L0pht Testimony, 20 Years Later (and Other Things You Were Afraid to Ask)". Archived from the original on 2018-09-20. Retrieved 2018-09-19.
  29. Sean Michael Kerner. "Lessons Learned at DEF CON 26". eSecurity Planet. Archived from the original on 2019-02-23. Retrieved 2018-09-19.
  30. "Keynote Address by Glenn S. Gerstell, General Counsel NSA to the American Bar Association 28th Annual Review of the Field of National Security Law Conference". Archived from the original on 2021-03-21. Retrieved 2018-11-21.
  31. "28th Annual Review of the Field of National Security Law CLE Conference". Archived from the original on 2018-11-21. Retrieved 2018-11-21.
  32. "Brian Oblivion on "function and direction of the L0pht" in 1998". Archived from the original on 1998-02-05. Retrieved 2008-12-12.
  33. 2600 Magazine Vol 13 , p. 49, at Google Books
  34. "NFR and L0pht to Deliver Improved IDS". InfoSecNews.org. Archived from the original on 2007-05-10.
  35. "NFR Intrusion Detection Appliance Version 4.0 Released". thefreelibrary.com. Archived from the original on 2019-05-16.
  36. Fitzgerald, Michael (2007-04-17). "L0pht in Transition". CSO. Archived from the original on 2016-03-05. Retrieved 2008-06-18.
  37. "Terahash Acquires L0phtCrack". Archived from the original on 2020-04-21.
  38. "Changes for L0phtCrack". Archived from the original on 2022-04-04. Retrieved 2022-04-29.
  39. "L0pht Heavy Industries Home Page" . Retrieved 2017-03-20.
  40. "These hackers warned the Internet would become a security disaster. Nobody listened. - The Washington Post". The Washington Post . Retrieved 2023-08-17.
  41. "We Got to Be Cool About This: An Oral History of the L0pht, Part 1 - Decipher". 6 March 2018. Retrieved 2023-08-17.
  42. "Space Rogue from L0pht and Hacker News Network Joins Tenable Network Security". 7 January 2014. Retrieved 2014-01-07.
  43. "Stefan von Neumann". Archived from the original on 1999-02-20. Retrieved 2008-12-12.
  44. "Cyber UL Could Become Reality Under Leadership of Hacker Mudge". 30 June 2015. Retrieved 2015-11-20.