[iwar] [fc:'Hacker'.security.biz.built.on.FBI.snitches]

From: Fred Cohen (fc@all.net)
Date: 2002-07-18 18:26:51


To: iwar@onelist.com (Information Warfare Mailing List)

'Hacker' security biz built on FBI snitches
By Thomas C Greene in Washington
17/07/2002
http://www.theregister.co.uk/content/55/26247.html
The Register

On Monday I reported a speech by Gweeds at H2K2, in which the grand
hypocrisy of hackers weaseling their way from the scene to the
mainstream by forming security outfits was denounced very nicely. A
torrent of e-mail denouncing him soon followed, some of which I've
posted here.

Even I was attacked merely for reporting what he'd said. Suffice it to
say that Gweeds has managed to piss off a large number of scene denizens
past and present, though I suspect this is connected to his apparently
athletic promiscuity: he's tied for second in the hacker sex chart v.
9.28, with 27 links. No doubt he's 0wned the wrong bitch from time to
time, steadily adding to his enemies list.

He also named names in the speech, in particular ISS, L0pht/@Stake and
Sir Dystic, three prime examples of energetic blackhat pimping for
venture capital and cushy jobs, Gweeds believes. In particular, he
expressed a suspicion that L0pht/@Stake was somehow connected to NIPC
(the National Infrastructure Protection Center), which may have helped
the h4x0r glam rockers gain credibility and rise in profile among
influential members of the federal bureaucracy. This connection also
helped get Mudge a high-profile hacker-hysteria FUD session before
Congress, he suspects.

On Monday, when I posted the first item in this series, I didn't know
personally if the speech was punctiliously accurate, but it absolutely
rang true to me. All too true.

Surely no one imagined that I wouldn't dig deeper into this deliciously
nasty confluence of FUD, favors and venture capital flowing between the
blackhat community and the Feds, with the cons serving as a handy,
mediating conduit.

And indeed, Gweeds appears to have hit on a number of dirty little
secrets, though with a few minor inaccuracies, none of which is
sufficient to undermine his basic thesis. There does indeed appear to be
a circle jerk between commercialized blackhat sellouts and the Feds; and
the cons do appear, perhaps inadvertently, to provide the venue and
privacy needed for such liaisons. And finally, there does seem to be a
significant amount of snitching for favors and 'trust' building going on
between the two 'communities', a la the despised JP model.

Flamboyant anti-establishment gestures and costumes do not a blackhat
make. Your friendly neighborhood hacker turned young security
businessman may well be looking to 'develop' your exploit, hack out a
patch and pimp for proppies on BugTraq, and then rat you out to the Feds
for gain and favor. This is how it works:

FUD platform

Soon after I posted my report Monday, @Stake's Chris
Wysopal (aka Weld Pond) vehemently denied any connection with NIPC to me
in an e-mail exchange. He further insisted that I 'correct' the
inaccuracies in Gweeds' statements. I explained that it wasn't proper
for me to edit someone else's words, or even to express doubt, unless I
believed or at least suspected that the statements were inaccurate. In
this case I didn't.

"I'm going to let it stand, again because any inaccuracies are his, not
mine, and I prefer to let readers make up their own minds about it.
However, last night I did post your and several other people's letters
criticizing his talk," I replied.

I'd also put a link to that letters page in the original story so
readers can easily find the counterpoint. Finally, I invited Wysopal to
write a rebuttal, which I offered to publish on The Register.

"I am not going to write a 'point of view' piece that is parallel to an
article that leads the reader to believe that patent falsehoods are
true. Letters to the editor are much different than qualifying
statements where they stand or issuing an errata," he replied.
"[Several] statements by Gweeds are false. They were spoken by a man
with an agenda. You have become his FUD platform."

Me, a FUD platform -- right. There's a definite pot/kettle equation in
play here, as we'll see.

dann0

According to Wysopal, Gweeds got a number of facts wrong. "There
is no evidence that the L0pht testified at the behest of NIPC. NIPC was
formed two months prior to our testimony. We didn't even speak to anyone
from NIPC until much, much later. The L0pht testified at the request of
Senator Thompson. This coincided with a GAO report on the weaknesses of
government security. Our testimony did not mention a criminal solution
to the government security problem. We were not advocating an increased
cyber police force or increased penalties."

And that is strictly correct, though not entirely true. NIPC is not
where L0pht's Fed relationship was developed. But according to documents
I've received, L0pht did have a relationship with FBI Special Agent Dan
Romando, or 'dann0' as they called him, a Boston agent with a
cybercrime-enforcement background. Our dann0 was an old friend of
Mudge's from high school; and our dann0 had also been an intern in
Senator Thompson's office before joining the FBI.

If you want to know how L0pht got an invitation to testify "at the
request of Senator Thompson," you'll find Agent Romando's hand all over
that one. Ditto for Mudge's famous meeting with then-President Bill
Clinton.

And why did dann0 Romando bother to help the L0pht cyber-ninjas gain
national fame? Was it out of friendly loyalty?

I wish it were. I have evidence indicating that L0pht members served as
confidential FBI informants and actively solicited dirt on fellow
blackhats. I have evidence indicating that they've offered to pay cash
for such information. And they name dann0 Romando specifically as their
FBI handler. That's right, those anti-establishment pop-underground
h4x0r heroes have at least attempted, probably with success, to rat out
their friends and enemies in service of good relations with the FBI.

Relations, I should add, that paved the way for their splashy media
hagiography. We can safely infer a pretty significant haul of
snitch-work behind dann0's generosity in assisting this monumental
fraud.

And as for not advocating increased penalties for cyber-wrongdoing,
that's just window dressing. L0pht was in fact spreading cyber-terror
FUD to fuel expensive national cyber-defence measures and increased
penalties for hackers while exhibiting themselves as both the emblem of
the Dark Forces America has to fear, and her White Knights of salvation.

When a guy like Mudge addresses a gaggle of naive,
technically-illiterate Congressmen, claiming to be able to break into
any network on Earth, only a fool will imagine that the consequence will
be anything other than more Draconian laws. That's how Congress deals
with threats. That's how Congress has always dealt with threats: give
more money to the Feds for investigation and enforcement, bump up the
penalties, and let the evil bastards rot. There is no other outcome to
be expected from testimony like that. And sure enough, nowadays hacking
can lead to a life sentence.

And Wysopal calls me a FUD platform....

'Sploits for me, jail for you

So how does some cheese-eater gang of
l4m3r blackhats-turned-security-advisors make its bones in the wider
world of legitimate security services? Gweeds talked about a 'model' of
selling out, and I'd like to add my own contribution to it. It goes like
this:

Since you really don't have any skillz worth mentioning, no background
in computer science, no military cryptography training, you'll have to
learn to talk the talk. Outrageous clothes and piercings (preferably
from a nail gun), blue hair and bad skin freely exhibited at cons are a
big plus here. Journalists love this kind of shit and will usually
assign you a high, imaginary threat level. Teenagers will too.

Develop relationships with members of the real blackhat underground. Hit
them up for kewl new 'sploits they're using. Maybe pay cash for them;
maybe barter for them with other kewl 'sploits or illegal gear you're
cobbling up in your basement, like pager monitoring devices, say.

Rely on the fact that your grateful FBI handler will see that you never
get raided. When you do receive a new exploit, either by paying cash or
through barter, pretend it's yours. Don't worry; the real blackhat
doesn't want publicity, believe me. Develop the exploit, refine it, and
at the same time develop a patch or at least a workaround. Post to
BugTraq and PacketStorm. Receive proppies from envious wannabes and be
worshiped by dumbfuck security journalists. Apply for VC, and develop a
shell corporation containing people with actual business experience to
receive and manage the money for you.

Hire eager PR flacks who can tell your fascinating story to the press in
the simplistic, hagiographic terms they prefer to be fed, the way ABC
News drones lapped up this drivel:

"[L0pht], described as a 'hacker think tank,' testified about lax
computer security before the Senate Governmental Affairs Committee in
May 1998. They said any of them could easily bring down the Internet in
North America, although other experts dismissed the claims as
exaggerated. Committee Chairman Fred Thompson allowed L0pht's members to
use only their on-line handles 'due to the sensitivity of their work.'"

And be sure to get your peers to pimp for you; remember, the more 31337
they think you are, the better for everyone else in the biz:

"Russ Cooper, who publishes the NTBugtraq newsletter exposing security
risks in Microsoft products, called the group 'eight brilliant
geniuses.'"

Like Mudge, call yourself a "Chief Scientist," or like Marc Maiffret, a
"Chief Hacking Officer" or like Russ Cooper, a "Surgeon General". Only
journos like myself will actually laugh in your face, so it's a pretty
safe practice.

Keep trading with the blackhats, and release your occasional
'discoveries' which they make possible. Ensure that your PR flacks spam
the living shit out of every journo on the planet whenever this occurs.

Go in front of Congress every chance you get: remind them of how scared
they should be. Tell them that the Internet is about to be brought down,
along with planes and trains and power grids, and tell them how you can
hack the Apache server at www.MinuteMan.mil and launch a withering
nuclear assault on Kansas City with your lame Windoze box.

And don't be wasteful with precious resources. Just as a cook will use
the bones from a carcass to make delicious stock, if a blackhat whose
work you've been plagiarizing runs out of new tricks, you can always
toss him to the FBI for additional mileage. Maybe you can even get him
busted for the shit you sold him, haha.

Now that's what I call a business model. ®

Note: L0pht/@Stake declined two invitations to comment for this article.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:31 PDT