Information Security News mailing list archives

'Hacker' security biz built on FBI snitches


From: InfoSec News <isn () c4i org>
Date: Thu, 18 Jul 2002 07:16:29 -0500 (CDT)

http://www.theregister.co.uk/content/55/26247.html

By Thomas C Greene in Washington
Posted: 17/07/2002 at 18:59 GMT

On Monday I reported a speech by Gweeds at H2K2, in which the grand
hypocrisy of hackers weaseling their way from the scene to the
mainstream by forming security outfits was denounced very nicely. A
torrent of e-mail denouncing him soon followed, some of which I've
posted here.

Even I was attacked merely for reporting what he'd said. Suffice it to
say that Gweeds has managed to piss off a large number of scene
denizens past and present, though I suspect this is connected to his
apparently athletic promiscuity: he's tied for second in the hacker
sex chart v. 9.28, with 27 links. [1] No doubt he's 0wned the wrong
bitch from time to time, steadily adding to his enemies list.

He also named names in the speech, in particular ISS, L0pht/@Stake and
Sir Dystic, three prime examples of energetic blackhat pimping for
venture capital and cushy jobs, Gweeds believes. In particular, he
expressed a suspicion that L0pht/@Stake was somehow connected to NIPC
(the National Infrastructure Protection Center), which may have helped
the h4x0r glam rockers gain credibility and rise in profile among
influential members of the federal bureaucracy. This connection also
helped get Mudge a high-profile hacker-hysteria FUD session before
Congress, he suspects.

On Monday, when I posted the first item in this series, I didn't know
personally if the speech was punctiliously accurate, but it absolutely
rang true to me. All too true.

Surely no one imagined that I wouldn't dig deeper into this
deliciously nasty confluence of FUD, favors and venture capital
flowing between the blackhat community and the Feds, with the cons
serving as a handy, mediating conduit.

And indeed, Gweeds appears to have hit on a number of dirty little
secrets, though with a few minor inaccuracies, none of which is
sufficient to undermine his basic thesis. There does indeed appear to
be a circle jerk between commercialized blackhat sellouts and the
Feds; and the cons do appear, perhaps inadvertently, to provide the
venue and privacy needed for such liaisons. And finally, there does
seem to be a significant amount of snitching for favors and 'trust'
building going on between the two 'communities', a la the despised JP
model.

Flamboyant anti-establishment gestures and costumes do not a blackhat
make. Your friendly neighborhood hacker turned young security
businessman may well be looking to 'develop' your exploit, hack out a
patch and pimp for proppies on BugTraq, and then rat you out to the
Feds for gain and favor. This is how it works:

FUD platform

Soon after I posted my report Monday, @Stake's Chris Wysopal (aka Weld
Pond) vehemently denied any connection with NIPC to me in an e-mail
exchange. He further insisted that I 'correct' the inaccuracies in
Gweeds' statements. I explained that it wasn't proper for me to edit
someone else's words, or even to express doubt, unless I believed or
at least suspected that the statements were inaccurate. In this case I
didn't.

"I'm going to let it stand, again because any inaccuracies are his,
not mine, and I prefer to let readers make up their own minds about
it. However, last night I did post your and several other people's
letters criticizing his talk," I replied.

I'd also put a link to that letters page in the original story so
readers can easily find the counterpoint. Finally, I invited Wysopal
to write a rebuttal, which I offered to publish on The Register.

"I am not going to write a 'point of view' piece that is parallel to
an article that leads the reader to believe that patent falsehoods are
true. Letters to the editor are much different than qualifying
statements where they stand or issuing an errata," he replied.  
"[Several] statements by Gweeds are false. They were spoken by a man
with an agenda. You have become his FUD platform."

Me, a FUD platform -- right. There's a definite pot/kettle equation in
play here, as we'll see.

dann0

According to Wysopal, Gweeds got a number of facts wrong. "There is no
evidence that the L0pht testified at the behest of NIPC. NIPC was
formed two months prior to our testimony. We didn't even speak to
anyone from NIPC until much, much later. The L0pht testified at the
request of Senator Thompson. This coincided with a GAO report on the
weaknesses of government security. Our testimony did not mention a
criminal solution to the government security problem. We were not
advocating an increased cyber police force or increased penalties."

And that is strictly correct, though not entirely true. NIPC is not
where L0pht's Fed relationship was developed. But according to
documents I've received, L0pht did have a relationship with FBI
Special Agent Dan Romando, or 'dann0' as they called him, a Boston
agent with a cybercrime-enforcement background. Our dann0 was an old
friend of Mudge's from high school; and our dann0 had also been an
intern in Senator Thompson's office before joining the FBI.

If you want to know how L0pht got an invitation to testify "at the
request of Senator Thompson," you'll find Agent Romando's hand all
over that one. Ditto for Mudge's famous meeting with then-President
Bill Clinton.

And why did dann0 Romando bother to help the L0pht cyber-ninjas gain
national fame? Was it out of friendly loyalty?

I wish it were. I have evidence indicating that L0pht members served
as confidential FBI informants and actively solicited dirt on fellow
blackhats. I have evidence indicating that they've offered to pay cash
for such information. And they name dann0 Romando specifically as
their FBI handler. That's right, those anti-establishment
pop-underground h4x0r heroes have at least attempted, probably with
success, to rat out their friends and enemies in service of good
relations with the FBI.

Relations, I should add, that paved the way for their splashy media
hagiography. We can safely infer a pretty significant haul of
snitch-work behind dann0's generosity in assisting this monumental
fraud.

And as for not advocating increased penalties for cyber-wrongdoing,
that's just window dressing. L0pht was in fact spreading cyber-terror
FUD to fuel expensive national cyber-defence measures and increased
penalties for hackers while exhibiting themselves as both the emblem
of the Dark Forces America has to fear, and her White Knights of
salvation.

When a guy like Mudge addresses a gaggle of naive,
technically-illiterate Congressmen, claiming to be able to break into
any network on Earth, only a fool will imagine that the consequence
will be anything other than more Draconian laws. That's how Congress
deals with threats. That's how Congress has always dealt with threats:  
give more money to the Feds for investigation and enforcement, bump up
the penalties, and let the evil bastards rot. There is no other
outcome to be expected from testimony like that. And sure enough,
nowadays hacking can lead to a life sentence.

And Wysopal calls me a FUD platform....

'Sploits for me, jail for you

So how does some cheese-eater gang of l4m3r
blackhats-turned-security-advisors make its bones in the wider world
of legitimate security services? Gweeds talked about a 'model' of
selling out, and I'd like to add my own contribution to it. It goes
like this:

Since you really don't have any skillz worth mentioning, no background
in computer science, no military cryptography training, you'll have to
learn to talk the talk. Outrageous clothes and piercings (preferably
from a nail gun), blue hair and bad skin freely exhibited at cons are
a big plus here. Journalists love this kind of shit and will usually
assign you a high, imaginary threat level. Teenagers will too.

Develop relationships with members of the real blackhat underground.  
Hit them up for kewl new 'sploits they're using. Maybe pay cash for
them; maybe barter for them with other kewl 'sploits or illegal gear
you're cobbling up in your basement, like pager monitoring devices,
say.

Rely on the fact that your grateful FBI handler will see that you
never get raided. When you do receive a new exploit, either by paying
cash or through barter, pretend it's yours. Don't worry; the real
blackhat doesn't want publicity, believe me. Develop the exploit,
refine it, and at the same time develop a patch or at least a
workaround. Post to BugTraq and PacketStorm. Receive proppies from
envious wannabes and be worshiped by dumbfuck security journalists.  
Apply for VC, and develop a shell corporation containing people with
actual business experience to receive and manage the money for you.

Hire eager PR flacks who can tell your fascinating story to the press
in the simplistic, hagiographic terms they prefer to be fed, the way
ABC News drones lapped up this drivel:

"[L0pht], described as a 'hacker think tank,' testified about lax
computer security before the Senate Governmental Affairs Committee in
May 1998. They said any of them could easily bring down the Internet
in North America, although other experts dismissed the claims as
exaggerated. Committee Chairman Fred Thompson allowed L0pht's members
to use only their on-line handles 'due to the sensitivity of their
work.'"

And be sure to get your peers to pimp for you; remember, the more
31337 they think you are, the better for everyone else in the biz:

"Russ Cooper, who publishes the NTBugtraq newsletter exposing security
risks in Microsoft products, called the group 'eight brilliant
geniuses.'"

Like Mudge, call yourself a "Chief Scientist," or like Marc Maiffret,
a "Chief Hacking Officer" or like Russ Cooper, a "Surgeon General".  
Only journos like myself will actually laugh in your face, so it's a
pretty safe practice.

Keep trading with the blackhats, and release your occasional
'discoveries' which they make possible. Ensure that your PR flacks
spam the living shit out of every journo on the planet whenever this
occurs.

Go in front of Congress every chance you get: remind them of how
scared they should be. Tell them that the Internet is about to be
brought down, along with planes and trains and power grids, and tell
them how you can hack the Apache server at www.MinuteMan.mil and
launch a withering nuclear assault on Kansas City with your lame
Windoze box.

And don't be wasteful with precious resources. Just as a cook will use
the bones from a carcass to make delicious stock, if a blackhat whose
work you've been plagiarizing runs out of new tricks, you can always
toss him to the FBI for additional mileage. Maybe you can even get him
busted for the shit you sold him, haha.

Now that's what I call a business model.

Note: L0pht/@Stake declined two invitations to comment for this
article.

Related Link

Mudge's hilarious hagiography [2], telling us among other things that
he's "a renowned scientist in cryptanalysis." And asserting that he's
"consulted and even conducted training courses for members of
Congress, the Department of Justice, NASA, the US Air Force, and other
government agencies."

[1] http://www.attrition.org/hosted/sexchart/sexchart.9.28 
[2] http://www.hostingtech.com/security/01_00_mudge.html



-
ISN is currently hosted by Attrition.org