Original URL: http://www.theregister.co.uk/2002/07/24/sir_dystic_steps_up_clears/

Sir Dystic steps up, clears air

Microserf? - Somebody jokin'

By Thomas C Greene

Posted in Security, 24th July 2002 01:34 GMT

I've been hanging on to several excellent flames relating to an article called Security industry's hacker-pimping slammed and another called 'Hacker' security biz built on FBI snitches, in hopes that Sir Dystic, slammed in a speech at H2K2 by Gweeds (and covered in both), would contact me. He's done so and he denies flatly any suggestion that he's ever worked for Microsoft, as Gweeds claimed. His is the first letter posted below.

Note: Letters are unedited except for occasional slips where the authors have used a subject's normally-aliased IRL name. These I've changed back to the corresponding aliases. --tcg



To begin with, no I do _not_ work for Microsoft, never have. This should give you an idea about the accuracy of Gweeds' speech. It seems it was largely based on rumor and speculation.

While the topic that Gweeds spoke on is certainly a valid one, I find his motivation suspect. Gweeds has made a point lately (for the last several years) of being counter-everything, looking for anything that he thinks people will believe he is 'in the know' about to speak against. He protests whatever people are currently enjoying or interested in, he focuses on whatever unpopular entertainment the fewest people seem to enjoy. I suspect he does these things not because he believes in a cause, but as a calculated attempt to appear more interesting.

I find it very odd that I was mentioned by name in his speech as I feel I am an extremely poor example of what he was talking about, unlike countless friends and associates of his. I have _never_ worked for a security company or worked in the security department of a software company, though I have talked with several. Doing a search on bugtraq right now, I find ONE SINGLE post that I made in January of 2000 containing research I had done revealing many serious security issues of a very popular freeware ftp server:
http://online.securityfocus.com/archive/1/40856
I think Aleph1 may have posted my write-up of NBNAME when I released that as well, but other than that, THAT'S IT! All of the applications and research I did I posted on my public web site and made little effort to bring attention to them (except, of course, for Back Orifice). You yourself wrote an article on SMBRelay, which I made almost no effort to publicize except for discussing it at @lanta.con, a very small con, not even a hacker con. How did you discover SMBRelay? I remember you emailing me asking if you could write an article on it.

I can only assume that the fact that I was mentioned has something to do with the long and public rivalry that Gweeds and I have had, which occurred because of my intolerance of his sociopathic asshole behavior and his frustration with my (and other's) attempts to exclude him from activities and events and a certain IRC channel. We were even once good friends until I became intolerant of his racism which did not stop when I warned him of how it disgusted me. Our rivalry, sadly, was probably a large contributor to the demise of New Hack City, a project that both of us were passionate about. We managed to mostly be civil towards each other during that time (at least on my part for the sake of NHC and mutual friends), and now he mentions me in a speech soon after our association in that group no longer exists.

Gweeds does not speak for any respectable community that I know of, though I don't claim to know much about such things these days. He only seeks to make a name for himself as a speaker for the underground, or since the 'underground' has become 'popular', he speaks against the underground and for the 'hardcore underground' that you aren't cool enough to even know about. He speaks of sellouts, and yet here he is betraying his former friends and colleagues so he can seem important.

I hope this helps.
--SD



I reply: [greetz deleted for IRL privacy] a lot of people say gweeds is a total asshole. i'm prepared to believe that, but at the same time what he said, at least in a general way, makes a lot of sense to me. i think it's important that we don't shut down a statement that rings true merely because it's said by 'the wrong sort' of person.

it would be a really nasty world if we had standards for who can say something where, if the person speaking isn't the 'right kind', then what he says is not legitimate. this goes on in the government and the corporate world -- you saw how the fair use people were silenced at the commerce dept 'workshop' on copyright last week
http://www.theregister.co.uk/content/6/26275.html
but that's no reason for you and me to follow a bad example ;-)

anyway i'm glad to hear from you, and very happy to set the record straight on the supposed MS job.

chrz,
--tom



SD replies: As for shutting down the message because of the messenger, I want to make it clear that I'm sure Gweeds had some totally valid points, he's not stupid. My concern is that he made these points for no reason other than to gain publicity and support and make a name for himself, and that if he begins to be recognized as a speaker for the computer underground he might use that recognition for his own purposes, such as making personal attacks on people he doesn't like or who don't like him.


--SD



Sir Dystic has been among the least active in marketing himself as a "security consultant" based on previous hacking experience... not only did Gweeds target him for personal reasons, one could VERY EASILY find stronger examples among some of gweeds' close friends; you might ask him how many senior ISS executives he counts as friends and neglected to sell-out publically at the convention.

"According to Wysopal, Gweeds got a number of facts wrong. 'There is no evidence that the L0pht testified at the behest of NIPC. NIPC was formed two months prior to our testimony. We didn't even speak to anyone from NIPC until much, much later. The L0pht testified at the request of Senator Thompson. This coincided with a GAO report on the weaknesses of government security. Our testimony did not mention a criminal solution to the government security problem. We were not advocating an increased cyber police force or increased penalties.'"

and, indeed, for a much more plausible answer to the question of the l0pht's invitation to testify before congress (at least for those of us without access to whatever confidential documents implicate them in narking people out), look no further than the front-page washington post story about the l0pht that was published approximately 2 weeks before the (commercial, but drastically less-so than @stake was to become) was asked to testify. It was undoubtedly a publicity coup for a struggling security startup to testify before congress, but how is that news? L0pht has always identified themselves as pro-security; this by necessity means aligning yourself with forces which have substantially different perspectives on how to accomplish that goal. It is worth nothing that never, in any public statement (or private one, for that matter) have the l0pht ever advocated increased sentences for computer related crimes, and indeed have often (including in their congressional appearance) taken the opposite stand, emphasizing technical solutions as the only real way to deal with computer security issues.

Your statements accusing the l0pht of being (cash-distributing?) confidential FBI informants I find both unlikely and disturbing. I wish that I had access to the same information you seem to, so I could judge it's veracity against what I know about some life-long friends.

"When a guy like Mudge addresses a gaggle of naive, technically-illiterate Congressmen, claiming to be able to break into any network on Earth..."

What mudge actually said is that he could bring down the internet in 30 minutes, which was, at the time, specifically TRUE, due to unreleased problems with the BGP protocol that runs the backbone routers of the internet. These BGP problems have since been fixed, due, no doubt, more to gweeds' selfless activism than any efforts to that end by the l0pht.

"Since you really don't have any skillz worth mentioning, no background in computer science, no military cryptography training, you'll have to learn to talk the talk. Outrageous clothes and piercings (preferably from a nail gun), blue hair and bad skin freely exhibited at cons are a big plus here. Journalists love this kind of shit and will usually assign you a high, imaginary threat level. Teenagers will too."

It's worth mentioned that none of the l0pht guys, nor SD, have ever exhibited either outrageous clothes, piercings, blue hair or particularly bad skin... if they're trying to "fit in" to a scene that they can lay confident claim to having enriched and edified, they must be doing it in some more subtle way that visually. Gweeds and his close friends, of course, almost invariably have colored hair and ridiculous (though not in the sublimely ridiculous way swamp ratte can pull off) clothes.

As far as relationships with the real underground, I would say it seems plausible that mudge et al developed their connections with the scene through REAL, TECHNICAL contributions. Mudge's circa-1994 paper on buffer overflows was the first serious examintion of this now-omnipresent security flaw, and taught untold legions of so-called "blackhats" how to write exploits. It also came with no possibility of implicating anybody else in anything, being a freely disclosed piece of research with no strings attached.

I have very mixed feelings about the l0pht's decision to "corporate-ize" what they had built. Joining the commercial world with something you love and have built for other reasons entirely is a complicated, and deeply mixed decision, that I could never make. [Sentence deleted due to self-identifying slip. --tcg] With that being said, the l0pht has never been anything but straightforward about what they're trying to do and who they have become. The process hasn't been easy for them (most of the original members have left @stake), but it was what they chose, and it doesn't make them any more or less "sellouts" than the h4g1s and el8 members who went to work for ISS and it's progeny.

--name withheld on request



I reply: another good one. when i've collected a few more flames i will post them and add yours without attribution, as you asked. unfortunately, mail has been solidly and overwhelmingly supportive so far so it may be a day or two before i have enough flames to fill a page. it's strange, as the first gweeds item generated a torrent of negative comments very quickly.

as for the evidence, i wish i could show it to you but the source wants anonymity and it could possibly blow his/her cover. believe me, you would pop an artery. it's some red-handed shit.

mudge's paper on buffer overflows was good; i rather admired it, though it's been ages since i read it, and ages since i've seen him or anyone else in his crew produce anything nearly as noteworthy.

i'm sure these guys have developed some unique tricks, whatever. but being able to swipe a car doesn't make you an automotive engineer. and no one can take down the internet. that's just pure tom clancy. last year the internet survived code red, a major east-coast backbone fracture due to a tunnel fire in baltimore, and sircam, all simultaneously. it's massively parallel, as the expression goes. (one can attack dns adequately to cause disruption, but that's not the same. that does nothing to the internet. ip's will still work, and traffic will still flow.)

bgp issues have and still do plague the net: there are dos issues, auth issues, and always router config issues. i really don't expect to see the internet come to a halt because of any of them. you are referring to the ios attribute corruption vuln? these items come up regularly and are routinely exaggerated. no need to dig a fallout shelter.

i have been hoping to get an email from sd (don't have a current one for him -- hint), because i'm not so sure about what gweeds says about him. in past exchanges he's always struck me as a very decent fellow. if i find that he's been mischaracterized by gweeds, i'll do a piece on that.

chrz,
--tom



After reading your article it became important to me to express my perspective. I've sent it out to various channels, including the Security Focus forum related to the article, and only time will tell if SF deems it acceptable for publishing in the forum, and Gweeds. It seemed appropriate to send it to you directly also. You should be aware that I am close friends with Gweeds, Sir Dystic, and almost all the members of the L0pht, and an actual member of The Cult Of The Dead Cow, so that my bias and motivations are understood. I think it's great that you focused on Gweeds' speech, as it was probably the most significant session that happened at h2k2. There are ripples in the net as a consequence of the talk, your article being part of those ripples. Anyways, here's what I have to say about it.

Over the past year I've spoken to many hackers who share a lot of the same sentiments that were expressed in "Black Hat Bloc or How I Stopped Worrying About Corporations and Learned to Love the Hacker Class War". However, it took Gweeds' courage to step up and lay it out to a live audience of hackers. I have to admit that I have been guilty of some of the same "exposure equals success" thoughts, and I have made attempts to join the big money computer security industry, unsuccessfully. Although, I would also have to say that my underlying intention was to make a career doing something I enjoy, hacking.

Gweeds didn't hold back in his talk. There was no innuendo. Names were named. I think some of those mentioned, like Chris Klaus, deserved to be exposed. The evidence exists in the original ISS code. However, I think others were unjustly accused. To the best of my knowledge, Sir Dystic does not work for Microsoft, but if he did, doesn't that make sense? Aren't we always saying that Microsoft lacks the skill or talent to do things right, especially when it comes to security. Couldn't we use someone like Sir Dystic, on the inside, just like we have Andy Mueller-Maguhn on the inside at ICANN?

I think I need to shed some light on Sir Dystic's history, to set the record straight, even though I also feel it is an invasion of his privacy. Sir Dystic never cared for money. There was never any spark of greed in him. He doesn't own a BMW, a Mercedes,.. he drove around in an old minivan he borrowed from his parents. He doesn't own a house. He never made any millions from company stock. He never joined any company that appeared to have great prospects. He was expressing that the industry made him sick while Gweeds was still at Macromedia, earning one hell of a salary for a 20 year old, plus stock options. Sir Dystic was mostly unemployed through most of the "dot com years", only doing enough to get by, and only trying to find something that interested him. There were long periods of time that Sir Dystic didn't see his friends, but instead was sitting in front of his 2 year old computer doing research and coding. And what would he do with what he found? Did he use vulnerability extortion to line his pockets? or parlay it into working for some big security firm? No. He shared it, openly. Even though most often I think in doing so it only caused him grief. Accusations of being unethical, and tons of email requesting for tech support and warez that can be used to hack shit up! I think we should all implore Sir Dystic, and other hackers to work at Microsoft. Maybe by being on the inside, change can be made. History has shown that Microsoft isn't going to go away, let's see if we can make it better. For me, if I saw that Microsoft was hiring our brethren, it would lend credence to their recent so called "Security Initiative".

I think it was also unfair to call to the forefront the jealous laden cry of "L0pht has sold-out"! L0pht had no intentions of making a huge financial windfall through government contracts when they testified at congress. It was an amazing feat to finally have a chance for hackers to be heard and respected for their way of thinking. L0pht made attempts to point out the straight truth about security flaws in the internet, the way government and commerce handles information (including yours) insecurely, and that software companies should be held accountable for the flaws in their expensive software. History shows that the L0pht continuously freely released information and software. I'll also take this opportunity to point out that many years ago, when each new vulnerability didn't make the news, L0pht tried to speak to vendors and companies about their security holes, and got harassment and threats in return. L0pht, at great risk to themselves, released the information to all, long before the term Full Disclosure became a hacking political tool. In so many ways, L0pht is a shining example of what it means to be hackers. For that, they deserve our respect, not our usual need to tear down our own heroes when we're done with them.

Although, I think Gweeds was off target with his slings and arrows, those arrows were true. I feel that I don't deserve to name names, lest perhaps my own envy show through. However, I can speak of things in general terms.

The bugtraq Full Disclosure phenomenon comes to mind. Full Disclosure which was originally a means to share knowledge openly, alert everyone to a possible flaw, and force the vendor to provide a patch. This has instead become, as Gweeds said, about bragging rights and resume fodder. Also, while some focus on the problem of unethical hackers misuse of Full Disclosure, it is the security industry using this free information resource, to fuel their own expensive proprietary software, while spreading the word that hackers are evil, that turns my stomach. The ultimate example of this has to be the recent over-zealous release of the Apache chunked encoding vulnerability.

I think that we do have to be concerned that our government is going down the wrong path again. Software companies are still not under pressure to promote quality and be liable for the lack of it. Instead of using technology to improve our lives and as a means to disseminate public information, it will be used to restrict our freedoms, and peer into our private lives. If software is made with less obvious well-known coding flaws, intelligent authentication schemes, and encryption there should be no need for the government to spy on it's own citizens.

The good and bad things that have come out of hacking, involve people's motivation. We all have to explore our own motives and the motives of others, when it comes to hacking. There is nothing wrong with making a living, doing something in the technology field, even in the security industry. It should be based on a love of technology, the desire to improve things, and fact-based honesty, rather than fear and materialism.

thanks for taking the time to hear my viewpoint.
--FreqOut



Read these articles, what disturbs me as someone whom posts to Bugtraq and is cDc through Hacktivismo is that Gweeds is completely unknown to anyone outside of that small "in" crowd. An "in" crowd amongst geeks is a pretty damned sad thing.

The thing which bothers me the most about the latest article is you assign credit to Gweeds - the only guy calling himself a hat at all - for actually being a real guy behind Bugtraqs. By stating that these "blackhats" really find the bugs and the Bugtraq posters just grab them from them and steal them.

But in reality, guys like Gweeds just spend all of their time chatting with friends. They are not involved with Bugtraqs and have never found a bug. (I really doubt, and if he has ever found a bug it is probably in some minor, opensource package which is not even a challenge).

In effect assigning to some nobody (outside of his old, outdated social clique) skills and abilities he has never shown evidence for. I am aware of everone whom finds bugs or writes exploits, or even virii code of note... and Gweeds is absolutely not there.

They are also not really "blackhat" - if that means bad - they are just poseur script kiddies using bugs found on places like Bugtraqs. Real black hats work for the Russian Mafiya and write virii. They don't change index.html and spend a day writing ASCII art.

I have heard tales of entire newsgroups of pedophiles being rooted. Of minister pedophiles writing suicide notes because they were confronted with evidence found on their system. Of individuals finding themselves in a position where their identity is stolen and the imposter has gone on a rampage.

In the end there is talk and there is action. I see no evidence of Gweeds being anything but a talker - regardless of his left wing albeit Neo-Nazi beliefs.

I resent him trying to impose himself within the full disclosure community because he has hung out with a bunch of geeks whom are in a "popular place".

If it were so friggin easy to find security holes, then guys like Gweeds and college boys would be finding them. It ISN'T. There are enough leeches in this industry without some dumbass poseur trying to shout his way in because he got in a tiff with some other geeks on the fringes.

Hacking is a martial arts. Not politics. Not a social club. Maybe a fight club for some, but not if you don't know how to fight.

This said, I did ask around and had it confirmed that Gweeds is not known for ever having found even the smallest bug in all of his life. This means he is using other people's exploits, and most likely these are straight from Bugtraqs, the people he condemns and so conceitedly looks down apon.

I also confirmed that he is a Neo-Nazi because his girlfriend talks a lot on livejournal. And, I confirmed that he is just some old, conceited geezer that spends all of his time chatting in IRC and writing ASCII art (of whatever kind) by doing some research.

Yeah, frankly, I did all of this after hearing the rumor he was racist. I think racists should be beheaded. In this day and age, after the Holocaust, there is no excuse for it.

--the pull



I can tell you haven't been around the scene much to not know about Gweeds. He's a diagnosed sociopath, with a prescription for lithium. I know he's beaten one girlfriend, and tried to kill another one with a knife. This was while he was working at Macromedia in SF. Dig up why he had that restraining order placed on him, you'll find out. At New Hack City, he'd run sniffers on the network, grab his 'friend's" accounts, and log onto IRC as them and cause problems. He hacks into other 'scene' guys' computers while calling them 'sellouts'.

The reason he's still a viable entity in a lot of peoples' eyes is that he is smart enough to act reasonably sane and normal when he needs to, to the right people. So they can't possibly believe that their great bud Gweeds could have possibly done all those horrible things. He's a big reason why Mindvox went down, as he was an employee there and had half the workers hating his guts. He's caused huge problems in cDc for years, as a large contingent of the San Francisco members consider him a friend while everybody else wants him dead. People have gotten so mad they quit over this. Sir Dystic is in the anti-gweeds camp, so he gets singled out in his little tirade. SD is broke and depressed, living in a friend's spare bedroom. Releasing BO was probably the worst thing he could have done to his life.

There's a fair ammount of bullshit commercialism is the scene with people trying to get into the security field but those people are blatantly obvious and don't try to hide their intentions. Defcon is a valid target. But otherwise, Gweeds is pointing fingers in the wrong direction, especially for someone who's never made a positive contribution to the 'scene' in his life.

I'd love to send you this email from my 'real' account, but there's no way I can do that. I've know these people for years and years. Check it out, it's all true.

-- cDc member



sir dystic once had talks with microsoft's scott culp about a job. no-one knows whether he took it because he refused to comment. he can deny it now because the talks didn't go beyond the preliminary stages because microsoft didn't want him and fucked him about.

sir dystics protests are not argument. because someone protests doesn't mean that they don't have something to say. effectively sir dystics response is personal attack and bears no relation to his argument other than trying to undermine gweeds credibility. gweeds regardless of motives was 99% right.

l0pht, @stake and all of the others have sold out. what they have forgotten is that their is nothing wrong with saying 'yeah so what?' instead of juvenile denial. there should be a movement of people saying 'we've sold out and we're proud' instead of pretending to be kings of the underground. when in fact they're like sad uncles, with bad trousers and patches on their elbows. they're the vh1 of the hacking world, safe, warm and established.

don't for one second believe otherwise. they're all shits. all of them. gweeds is a shit. sir dystic is a shit. which one of them had something useful to say at hope? that makes gweeds less of a shit in my books. the others have had nothing useful to say for quite some time.

ultimately gweeds is right. @stake were the wrong target, the worst are iss who release and research bugs and then sell you a product to detect the bugs, i don't think any other company does that. this seems to me like burglars working out how to break into your house, where there was previously not a problem, publishing the method to the world and then selling you an alarm. ?who does that?

cdc are the biggest media whores on the planet. fact. they deserve to live and die by the sword and i'm sure they will. their treatment of people at their press-conferences, ?remember those?, will backfire.

plz publish on your letters page, minus this line, if you have the ballz.

Earlier flames

Gweeds gets killed