Legacy of the L0pht
Weldpond, Spacerogue, Kingpin and Dildog
It is more than 20 years since a group of Boston-based “makers and breakers” of IT equipment got into the same space and gave it the name “L0pht”.
At the time they were known by pseudonyms and have subsequently gone on to respectable jobs in the IT security industry. Over the past few months I have spoken with four of its members – Weldpond, Spacerogue, Kingpin and Dildog. At the time they chose these names to protect themselves and their friends and families, and for the purpose of this article we’ll use those pseudonyms.
To learn where it began and what it achieved, I started by looking at how and why it ended. Weldpond said that it ended because they wanted to go professional and this changed the dynamic, so it changed from a hacker space to a security company.
“Then it completely changed when we ended up getting bought by @stake. We all worked there full time and it was a day job and we had new bosses basically,” he said.
So was it a hobby, or something with an intention? Weldpond said: “In the beginning it was something on the side, something to do and something we were interested in; it was beyond a hobby as it was something that we really believed in, a second calling. But it started to overlap with what you could do in a job because the security industry was changing over time to talking about what hackers were doing.
“When I started at the L0pht it was back when it was coming together in 1992, and there was a space and already a group of six or seven people who were sharing that space and using it to work on projects – software, hardware, not necessarily security projects but reverse engineering and taking things apart to see how they work.”
So was it just friends with a shared interest and no long term aim? “I think over time it evolved that way as we wanted to do research and we wanted to get the word out to people about what we were doing and what we were finding, so it did seem to get more externally focused over time,” he said.
“It did seem that we had a mission to educate people on the insecurity of software, the insecurity of everyday devices that were computer controlled, so we started doing research and it became more of a public advocacy group.”
Dildog said that it was very similar to what goes on today, as there are a lot of houses where people share tools as they need training. “This was a hacker/maker space which back in the day wasn’t the thing really. Now they take the influence from the maker space to create a hacker space, it is a very interesting trend.”
Spacerogue said: “When we were doing this, we just wanted to get stuff fixed. That was the goal as we were deploying software solutions and technologies along with our regular jobs so all we wanted was to get stuff fixed. We didn’t care about hacktivism or have any over-reaching thing apart from wanting to get security right and get it fixed.
“I don’t see that from any other group today, other companies and individuals have that same sort of drive, but no independent group was trying to get security right, so now the gaps are repaired and users are safer.”
Kingpin said that when he joined in 1993, he was only 16 and it wasn’t anything like it turned out to be. “Once we had the core group it turned from a hangout space to something where we would be self funded and try to and maybe get paid for what we do. When we started at @stake it worked for the first few months but the investors said ‘enough playing around, we need you as consultants and you need to bring in money’, but for me it was more than a place to use computers, it was almost a refuge for me,” he said.
“That’s what made it so special to me – that was my refuge and I got to bring my non-technical friends and we got to do all the computer stuff which was a new thing as most people didn’t have home computers and the internet was such a young thing, and we were a mysterious group which was kind of fun.”
Kingpin said that now there are so many hacker spaces where people can go and do their hobby and learn from each other and teach each other, and you can see the hacker spaces all over the world now, but those are public places, while the L0pht was a private group.
“Sometimes we let friends in from out of town, but it was a private group as at that time ‘hacker’ was such a misunderstood thing that hacker spaces now are more family friendly and glossy and not just about computer security.”
Moving on to what the group was best known for, I asked Weldpond how the reporting of bugs began and was received. He said that in the early days, there was no procedure at all, and often there was nobody at the vendor end either listening, or who would know what to do with the information. Dildog said: “The process was you could threaten to release it and the vendor would say ‘you’d better not release it or we will get you’. That was it.
“That was at the same time that Microsoft had one person answering email for the security section, to having the whole security development life cycle and fixing. They moved from being one of the more irresponsible companies with their security to being more responsible given what they had to fix. It is interesting that they got picked on early and hard as the security USP pushed things up over there.”
Weldpond said that eventually vendors would issue a fix, but there was no process and part of the evolution was that Microsoft eventually came to us and said “if you send us this information before you release it we could fix it, and you could release the information and it would be fixed”. This led to the concept of “coordinated disclosure”.
Kingpin said: “We published advisories but we realised that we could inform the public and industry by advising on vulnerabilities, and at that point vendors were in denial about it. We were pretty sure that if we could do it, and we were the good guys, then others could do it and not tell you about it.
“That is what we see today; the people publicly releasing research should be thanked and be treated as beneficial to the community instead of putting them in jail, as essentially it is those who you don’t know about who are selling zero-days on the black market, those are the guys you’ve got to worry about. Once we realised we could educate the community that way the vendors said that even though they don’t like hearing that they have a vulnerability they can educate people and that is how the whole full disclosure thing started. Security was only part of the beauty of the L0pht.”
Following on from these disclosures, the industry moved to offer bug bounties. Spacerogue said that this has changed the industry to be motivated by money. I asked him if L0pht could exist today. He said it could, but with the right people who were not too motivated by dollars.
“Now it is not about fixing bugs it is about putting dollars in your pocket. For me, I don’t care – if you find a bug you should get paid for your work as people forget that stuff we did 15 years ago was in addition to day jobs, so we had day jobs to pay for our research,” he said.
“We did L0pht stuff and found vulnerabilities for fun. Now there are people who get enjoyment out of finding vulnerabilities, but also want to get paid and rewarded for their effort and time, and I don’t see a problem with that, but it creates a lot of other issues as well as you create a marketplace and you have governments buying vulnerabilities and stockpiling them so that they do not get fixed. That is something I cannot agree with, I want to see stuff get fixed.”
In the discussions, I was keen to know what the four men thought of the current state of hacker groups and spaces. What was obvious was that the Chaos Computer Club was held in high esteem, but often the groups are more dispersed, and not at the same scale as the L0pht.
Weldpond said: “A lot of research is going on but not to that scale. It can be a regular full time job now, it wasn’t then.”
Kingpin said that loosely arranged groups hopefully will not be focused on money, and will be focused on doing something great and the money will follow that. “If a group is formed to make money it doesn’t end well. For us, selling exploits didn’t exist so going public was the only option. I wonder what it would have been like if there were those avenues?”
Finally, I asked if they felt that a group such as L0pht could exist again. Weldpond said that the idea of building tools to find vulnerabilities was something they did back at the L0pht, the same with application penetration testing we did at @stake and the techniques with doing that were things we experimented with at the L0pht. “So I see different threads on how we changed the way people did security, even though there is no clear company.”
Kingpin said it could happen again, but it would be different. “You’ll never see the same thing twice, and the L0pht was there at the right time as the industry started to change and it was a different sort of thing. Groups today, maybe they’ll change the world in a different way,” he said.
“Other groups do exist and will push the limits of what is expected, like the L0pht did, and maybe they’ll impact things in a different way. There will always be something new that can change things and can shape the future. It just may not be in a way that mirrors what the L0pht did.”
Kingpin admitted that L0pht was not the only group at the time, but was one of the first to push vendors to acknowledge the problems and would go public with them. “We helped pave the path for the bug bounty programs and the people that wrote them were involved with the L0pht or associated with the hacker community back then and can shake these companies and say ‘we need to reward these people who are helping us for free’,” he said.
“Everyone needs to get on the same page and give researchers the thanks that they deserve and hopefully everyone can work together to make the products good enough, where there are fewer zero-days sold on the black market and less nefarious things going on because people are not going public with these things, are getting thanked and it being worth their while.”
Kingpin struggled with the concept of a L0pht legacy, but said he often gets credibility which he said was surreal. “So I would say our legacy is with the full and responsible disclosure thing and forcing companies to face their problems”, as well as getting an open community to share information and not just exploits.
He summed it up well with this line: “We were just a group of people who worked together and got on together and did something; I haven’t found any group of people who could gel together like the L0pht since then.”
Yes, they were one of many groups, but as some of the notable people in the industry their influence carries on, and security is a better and safer place because of their work.