‘Hacker’ security biz built on FBI snitches

I can prove it to ya,
Watch the rotation;
It all adds up to
A fuckin situation
   - - Public Enemy

On Monday I reported a speech by Gweeds at H2K2, in which the grand hypocrisy of hackers weaseling their way from the scene to the mainstream by forming security outfits was denounced very nicely. A torrent of e-mail denouncing him soon followed, some of which I've posted here.

Even I was attacked merely for reporting what he'd said. Suffice it to say that Gweeds has managed to piss off a large number of scene denizens past and present, though I suspect this is connected to his apparently athletic promiscuity: he's tied for second in the hacker sex chart v. 9.28, with 27 links. No doubt he's 0wned the wrong bitch from time to time, steadily adding to his enemies list.

He also named names in the speech, in particular ISS, L0pht/@Stake and Sir Dystic, three prime examples of energetic blackhat pimping for venture capital and cushy jobs, Gweeds believes. In particular, he expressed a suspicion that L0pht/@Stake was somehow connected to NIPC (the National Infrastructure Protection Center), which may have helped the h4x0r glam rockers gain credibility and rise in profile among influential members of the federal bureaucracy. This connection also helped get Mudge a high-profile hacker-hysteria FUD session before Congress, he suspects.

On Monday, when I posted the first item in this series, I didn't know personally if the speech was punctiliously accurate, but it absolutely rang true to me. All too true.

Surely no one imagined that I wouldn't dig deeper into this deliciously nasty confluence of FUD, favors and venture capital flowing between the blackhat community and the Feds, with the cons serving as a handy, mediating conduit.

And indeed, Gweeds appears to have hit on a number of dirty little secrets, though with a few minor inaccuracies, none of which is sufficient to undermine his basic thesis. There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons. And finally, there does seem to be a significant amount of snitching for favors and 'trust' building going on between the two 'communities', a la the despised JP model.

Flamboyant anti-establishment gestures and costumes do not a blackhat make. Your friendly neighborhood hacker turned young security businessman may well be looking to 'develop' your exploit, hack out a patch and pimp for proppies on BugTraq, and then rat you out to the Feds for gain and favor. This is how it works:

FUD platform

Soon after I posted my report Monday, @Stake's Chris Wysopal (aka Weld Pond) vehemently denied any connection with NIPC to me in an e-mail exchange. He further insisted that I 'correct' the inaccuracies in Gweeds' statements. I explained that it wasn't proper for me to edit someone else's words, or even to express doubt, unless I believed or at least suspected that the statements were inaccurate. In this case I didn't.

"I'm going to let it stand, again because any inaccuracies are his, not mine, and I prefer to let readers make up their own minds about it. However, last night I did post your and several other people's letters criticizing his talk," I replied.

I'd also put a link to that letters page in the original story so readers can easily find the counterpoint. Finally, I invited Wysopal to write a rebuttal, which I offered to publish on The Register.

"I am not going to write a 'point of view' piece that is parallel to an article that leads the reader to believe that patent falsehoods are true. Letters to the editor are much different than qualifying statements where they stand or issuing an errata," he replied. "[Several] statements by Gweeds are false. They were spoken by a man with an agenda. You have become his FUD platform."

Me, a FUD platform -- right. There's a definite pot/kettle equation in play here, as we'll see.

dann0

According to Wysopal, Gweeds got a number of facts wrong. "There is no evidence that the L0pht testified at the behest of NIPC. NIPC was formed two months prior to our testimony. We didn't even speak to anyone from NIPC until much, much later. The L0pht testified at the request of Senator Thompson. This coincided with a GAO report on the weaknesses of government security. Our testimony did not mention a criminal solution to the government security problem. We were not advocating an increased cyber police force or increased penalties."

And that is strictly correct, though not entirely true. NIPC is not where L0pht's Fed relationship was developed. But according to documents I've received, L0pht did have a relationship with FBI Special Agent Dan Romando, or 'dann0' as they called him, a Boston agent with a cybercrime-enforcement background. Our dann0 was an old friend of Mudge's from high school; and our dann0 had also been an intern in Senator Thompson's office before joining the FBI.

If you want to know how L0pht got an invitation to testify "at the request of Senator Thompson," you'll find Agent Romando's hand all over that one. Ditto for Mudge's famous meeting with then-President Bill Clinton.

And why did dann0 Romando bother to help the L0pht cyber-ninjas gain national fame? Was it out of friendly loyalty?

I wish it were. I have evidence indicating that L0pht members served as confidential FBI informants and actively solicited dirt on fellow blackhats. I have evidence indicating that they've offered to pay cash for such information. And they name dann0 Romando specifically as their FBI handler. That's right, those anti-establishment pop-underground h4x0r heroes have at least attempted, probably with success, to rat out their friends and enemies in service of good relations with the FBI.

Relations, I should add, that paved the way for their splashy media hagiography. We can safely infer a pretty significant haul of snitch-work behind dann0's generosity in assisting this monumental fraud.

And as for not advocating increased penalties for cyber-wrongdoing, that's just window dressing. L0pht was in fact spreading cyber-terror FUD to fuel expensive national cyber-defence measures and increased penalties for hackers while exhibiting themselves as both the emblem of the Dark Forces America has to fear, and her White Knights of salvation.

When a guy like Mudge addresses a gaggle of naive, technically-illiterate Congressmen, claiming to be able to break into any network on Earth, only a fool will imagine that the consequence will be anything other than more Draconian laws. That's how Congress deals with threats. That's how Congress has always dealt with threats: give more money to the Feds for investigation and enforcement, bump up the penalties, and let the evil bastards rot. There is no other outcome to be expected from testimony like that. And sure enough, nowadays hacking can lead to a life sentence.

And Wysopal calls me a FUD platform....

'Sploits for me, jail for you

So how does some cheese-eater gang of l4m3r blackhats-turned-security-advisors make its bones in the wider world of legitimate security services? Gweeds talked about a 'model' of selling out, and I'd like to add my own contribution to it. It goes like this:

Since you really don't have any skillz worth mentioning, no background in computer science, no military cryptography training, you'll have to learn to talk the talk. Outrageous clothes and piercings (preferably from a nail gun), blue hair and bad skin freely exhibited at cons are a big plus here. Journalists love this kind of shit and will usually assign you a high, imaginary threat level. Teenagers will too.

Develop relationships with members of the real blackhat underground. Hit them up for kewl new 'sploits they're using. Maybe pay cash for them; maybe barter for them with other kewl 'sploits or illegal gear you're cobbling up in your basement, like pager monitoring devices, say.

Rely on the fact that your grateful FBI handler will see that you never get raided. When you do receive a new exploit, either by paying cash or through barter, pretend it's yours. Don't worry; the real blackhat doesn't want publicity, believe me. Develop the exploit, refine it, and at the same time develop a patch or at least a workaround. Post to BugTraq and PacketStorm. Receive proppies from envious wannabes and be worshiped by dumbfuck security journalists. Apply for VC, and develop a shell corporation containing people with actual business experience to receive and manage the money for you.

Hire eager PR flacks who can tell your fascinating story to the press in the simplistic, hagiographic terms they prefer to be fed, the way ABC News drones lapped up this drivel:

"[L0pht], described as a 'hacker think tank,' testified about lax computer security before the Senate Governmental Affairs Committee in May 1998. They said any of them could easily bring down the Internet in North America, although other experts dismissed the claims as exaggerated. Committee Chairman Fred Thompson allowed L0pht's members to use only their on-line handles 'due to the sensitivity of their work.'"

And be sure to get your peers to pimp for you; remember, the more 31337 they think you are, the better for everyone else in the biz:

"Russ Cooper, who publishes the NTBugtraq newsletter exposing security risks in Microsoft products, called the group "eight brilliant geniuses."

Like Mudge, call yourself a "Chief Scientist," or like Marc Maiffret, a "Chief Hacking Officer" or like Russ Cooper, a "Surgeon General". Only journos like myself will actually laugh in your face, so it's a pretty safe practice.

Keep trading with the blackhats, and release your occasional 'discoveries' which they make possible. Ensure that your PR flacks spam the living shit out of every journo on the planet whenever this occurs.

Go in front of Congress every chance you get: remind them of how scared they should be. Tell them that the Internet is about to be brought down, along with planes and trains and power grids, and tell them how you can hack the Apache server at www.MinuteMan.mil and launch a withering nuclear assault on Kansas City with your lame Windoze box.

And don't be wasteful with precious resources. Just as a cook will use the bones from a carcass to make delicious stock, if a blackhat whose work you've been plagiarizing runs out of new tricks, you can always toss him to the FBI for additional mileage. Maybe you can even get him busted for the shit you sold him, haha.

Now that's what I call a business model. ®

Note: L0pht/@Stake declined two invitations to comment for this article.

Related Link

Mudge's hilarious hagiography, telling us among other things that he's "a renowned scientist in cryptanalysis." And asserting that he's "consulted and even conducted training courses for members of Congress, the Department of Justice, NASA, the US Air Force, and other government agencies."