Hackers Join The Other Side
Last week, @Stake Inc., a Boston-based security consulting startup that wants to provide customers with everything from security audits to systems integration, announced it has acquired L0pht and the services of its often flamboyant hackers.
With the acquisition, the half-dozen or so hackers of L0pht become the R&D heart of @Stake, said Ted Julian, a former Forrester Research Inc. analyst and @Stake’s founder.
With seven years of high-profile security debunking under their belts, L0pht’s hackers don’t need to convince the world of their expertise. But L0pht needs to convince customers its hackers are trustworthy consultants who enjoy referring to one another by such colorful names as Professor Mudge, not malicious code breakers afraid to reveal their true identities. (The hackers plan to remain anonymous.)
“Would you bring someone in to do something as sensitive as security if you don’t even know who they really are?” asked one network administrator at a Southwestern manufacturing company who requested anonymity. “I’m not sure I would.”
That’s a question that many corporate IT departments will likely ask over the next few years. International Data Corp., of Framingham, Mass., predicts the market for network security services will quadruple to $2.3 billion by 2003.
Because there simply aren’t enough security experts to support such growth, hackers (even amateurs who flock to the DefCon hackers convention in Las Vegas) are emerging as a tempting alternative. But it’s an option some security companies have no plans to pursue.
“Go to DefCon and recruit people? I would not,” said G. Mark Hardy, director of professional services at Secure Computing Corp., in Baltimore. “We cannot risk having an untrustworthy or a questionable person on our staff.”
Best of the bunch?
Hardy is more receptive to L0pht hackers, who he says have proved to be contentious but honest. “Their reputability comes from their ability to articulate security vulnerabilities and their willingness to first contact the vendor before making it public,” he said.
Hardy should know. Secure Computing has enjoyed an unusual relationship with the hacking community. About two years ago, the company hired Jeff Moss, the young hacker who founded the DefCon conference, to manage its security assessment business.
Moss added an insider’s cachet to Secure Computing, and he started another convention, called the Black Hat Conference, for IT administrators eager to learn the tricks of the hacker trade.
There’s no reason L0pht can’t go the same route. In hacker lingo, where a “white hat” is a conservative security expert and a “black hat” is a criminal, the hats worn at L0pht are decidedly gray.
Since the group’s formation in 1993 in a Cambridge, Mass., loft, L0pht has gained respect in the security community and has never been accused of breaking into a network. L0pht developed the L0phtCrack tool, considered one of the best on the market for testing network security. Its hackers also have quietly consulted on network security for numerous companies.
“What we had always been doing is research and development work,” Mudge said. That’s what they’ll be doing for @Stake: assessing a company’s security, poking holes and making recommendations.
Microsoft Corp. has been a favorite target of L0pht hackers, who have exposed with zeal security vulnerabilities in Microsoft products. But the group also has held others, even industry darlings such as Linux vendor Red Hat Inc., up for public ridicule, especially if a vendor had ignored a flaw after being notified by the hackers.
L0pht, which publishes a hackers’ newsletter and runs the L0pht.com Web site, will publish a detailed description of the vulnerability and how to take advantage of it and will even post a tool for hackers. That approach has drawn the ire of some, particularly Microsoft, but few can dispute that the group has forced vendors to tighten their security.
“We have really acted as a consumer advocacy group,” Mudge said, “ripping apart products that need to be improved.”