Laman Webantu KM2A1: 2211 File Size: 36.1 Kb
L0pht interview at SlashDot
By web aNtu
4/1/2000 12:25 pm Tue
The following is an excerpt from a L0pht Hacker group interview from SlashDot.
It reveals something interesting regarding privacy, net control, and freedom of expression and knowledge.
Interview: The L0pht Answers
This week's "main" interview guest is L0pht Heavy Industries as a group.
(We hope to have answers from Linux International head Jon "maddog"
Hall tomorrow). Many insightful questions for the L0pht guys were posted
Monday. Today, lots of insightful answers on everything from political
controls on the Internet to hardware hacking.
1) Which do you consider more dangerous
Many people believe that anonymous access to the Internet is criminal behavior.
Government would like you to think privacy is an "anti-social" behavior. You should have
nothing to hide, should you? You wouldn't be reading up on the consecration of
explosives, looking up security holes in various operating systems, or possibly
downloading the latest crypto software, would you? Only terrorists do that.
Governments are lobbied by uninformed citizens, or citizens which are easily manipulated
and swayed by various groups across the gamut of our modern civilization. Multinational
corporations have their hand in the fray by funding these groups or by participation in
associations which provide counsel to government officials on technical matters. Often
recommending legislation which will better the profit taking over the sanctity of "personal
Multinational corporations are problematic in that they operate in a proprietary world. Often
outside parties will scrutinize the technological fabric of a communications service being
provided. Should a flaw be found, and published, the corporation claims that the flaw itself
is detrimental to the service being provided and litigation is dispatched on the party
disclosing the flaw. This has been the case in the Cellular communications venue. Cloning
a cellular telephone was a real thorn in the side of the Cellular Industry. They took their
gripes to the US Government. The CTIA and their ilk successfully swayed Washington to
pass legislation to combat the cellular fraud. Result: A portion of the radio spectrum was
made _forbidden_ to reception. Possession of an eprom programmer, a computer, and a
cellular telephone became a crime. Meanwhile, the cellular network REMAINS open to
eavesdropping. Money is power, and with power comes influence. However, in the end it
was the Government, sucking up to industry, which passed the law.
Law Enforcement and Intelligence gathering communities dwell within the governmental
domain. Both are lobbying lawmakers to pass laws to give them greater powers to combat
crime in this high tech world. Surveillance is paramount. They will convince the lawmakers
that without the keys to all communications, a bomb may be set outside Parliament or
Congress or .
The government persuades the people, the people persuade the government. Who planted
the seed first? Those who understand the technology are too busy working on the next
cool widget. Meanwhile the technological world rushes toward a global dictatorship and
the populace embraces it under the guise of security.
2) The net: strip mall or unlimited human potential?
Or is there still an underground? Does it still have a potential to be the one true medium
with liberation? Will governments and corporations end up controlling it? 'Cause they are
winning small, important victories relentlessly...
As the web increasingly encroaches onto the mainstream and large portal and corporate
sites take over feeding you only the information they want you to see, the underground will
evolve and change and morph to suit its surroundings.
There is definitely still an underground. In some aspects it is a lot larger than it used to be
and in others it seems to be much much smaller. I think labeling the underground as 'the
one true medium with liberation' is laying it on a little thick. The internet underground has
been nothing but the exploration for knowledge, if you are looking to it to save mankind
from itself you're looking in the wrong place.
Governments are increasingly encroaching on personal liberties and freedoms of the
average citizen, this is unfortunate. How much longer before the population as a whole
realizes what is going on and says enough? Maybe they will never wake up. Will the
governments eventually control the internet? Possibly. It is hard to tell but there will always
be those who will resist that control and the underground will continue in one form or
While the web, as you put it, may become 'an enormous cyber strip mall' I can't help but
think of the trash dumpsters behind that mall and what secrets they may hold.
3) Internet Worm II
What are your thoughts on this prediction? (Timeline, reasonableness, etc.)
Which brings us to the right way: To design software with a security policy in mind, and
with extra caution, care, and expenditure during the implementation. OpenBSD's model of
proactive security measures is a classic example of 'the job done right'. Retroactively
applied security measures are a recipe for disaster.
As for when Microsoft is going to learn about these things, they'll first have to learn that
'bigger isn't necessarily better'. They need to stop believing their own FUD before they
can actually make change over there. When I read things like the article at
http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp, particularly the parts
about Linux being less 'secure' than Windows NT, I'm appalled at the ridiculous 'facts' that
are being used to back up their claims. For example, they claim that:
"Linux only provides access controls for files and directories. In contrast, every object in
Windows NT, from files to operating system data structures, has an access control list and
its use can be regulated as appropriate."
While this statement is true, they neglect to mention the fact that under a unix operating
system, most things that correspond to Windows NT kernel objects, file, data structures,
etc, are represented as files. Hence, the coverage of the security model for Linux is just as
extensive, even more so, than Windows NT. This is a particularly bad statement, simply
because it's not only incorrect, but the converse is true. Linux is more flexible in terms of
permission management. Try setting the access controls on who can bind to a particular
port under Windows NT, with the ease of chmod and portfs under Linux, and you'll fail
miserably. And the list goes on.
(And as for 'access control lists', we've noticed that Windows can't seem to get the right
default ACLs anyway, and that the complexity of managing them has outweighed the
value of their 'flexibility'.)
As for your comments on the Windows NT TCP/IP stack being vulnerable to attack
(possibly, who knows :P) and the possibility of a worm destroying Windows systems, the
possibility is very real. And again, this possibility is not unique to Windows. They're just a
likely target at this point in time.
It would take a feat of dedication and great skill, but the possibility is there. My advice to
anyone who's worried about this, is this: If you're going to use Windows NT, you should
probably keep that firewall in place between those Windows service ports and the rest of
the world. Microsoft loves to add services and open ports to your computer when you're
not looking. And it's probably not going to be the IP stack, it'll probably be some goofy
listening service, like anonymous share enumeration or something. Or maybe remote
access to NetDDE. Or some authentication protocol that doesn't like large Netbios fields.
Or possibly even some undocumented functionality in the named pipe filesystem used for
RPC. Who knows. Personally, I'm not going to wait around to find out.
4) The Public's Perception of Hacking
Anyway, my question is, how do you deal with the way the public (including the media)
perceives "hackers"? I've seen some clueless people use the term to describe *anyone* who
does anything with a computer that they find objectionable. I've even heard the term
applied to spammers!
Needless to say, the misuse of the term makes my blood boil, because I feel a certain respect
towards the real hackers, such as yourselves, because you guys do know what you're
doing, unlike all of the script kiddies out there that either have the term applied by clueless
reporters, or they use it on themselves.
So, I'd be interested in knowing how you cope with this sort of problem, as I've noticed this
sort of perception of the hacking community for some time.
A lot of the time we talk to the media just because we are afraid that if we don't there will
be no one they talk to who will describe hacking in a positive light. No one to describe it
as other than defacing web pages or breaking into .mil sites. This was one of the reasons
we wanted to talk to MTV. We were afraid their story would be all about criminal hackers. If
you saw the MTV show you saw that sometimes resistance against the media memes is
futile. The show was 95% about illegal activity.
Yet the world of hackers is 95% non-criminal. Probably a better percentage of people
behaving positively than most segments of society. It is a world of people exploring the
edges of technology and building things. The crazy thing is the government is making more
and more of that exploration illegal.
Reverse engineering security mechanisms is being considered a crime. Receiving digital
radio signals is a crime. We can't let them wall off part of the world we inhabit from
Hackers have a positive role to play both as builders and critics of the digital world. Unless
we speak up and refer to ourselves in that light we have only ourselves to blame.
Everyone who can should educate. It's not easy changing perceptions. But sometimes a
passionate personal explanation of what hacking means to you can make someone
change their mind.
5) Security of capability-based operating systems
In reality the implementation is key. Things can look great on paper and be a real bear to
implement (look at communism for example). Another key component that is often
overlooked is the functionality. This is a double edged sword. If the system is not universal
and generic enough in nature to exist in a plethora of environments then it is difficult, if not
impossible, to gain wide scale acceptance and use. Of course, this notion is directly
opposed to creating a secure operating system. If it has to work in a multitude of
environments then it needs to be relatively open and flexible or else the skill set and
support for integrating it into one specific environment is beyond most people's abilities (i.e.
it won't get used). Sun Microsystems ran into this problem with older versions of SunOS
(now retroactively named Solaris 1.x) when they used to consistently ship with a '+' in
/etc/hosts.equiv. After several years they received enough requests to take it out of the
distribution for security reasons. Unfortunately, taking it out caused so many installations to
not be "plug-n-play" that they promptly put it back in.
When I look at an operating system such as EROS the following pops out at me when
thinking security (this should not be viewed as condemnation by any means).
. RTOS modeled.
. Emulated POSIX and Unix environments
I love Unix. However, it's difficult for someone to maintain the claim that they are more
secure than another operating system and then emulate its behaviour. A good emulation is
going to have the good and bad aspects on the security front or many things won't work.
. implementation from the ground up can be painful
Often times it is required. But heaven help the "vendor" that decides that in order to be
their own maker they will do it from scratch without looking at the mistakes that others have
made. We see it all too often that people decide to reinvent the wheel and foist square
versions on people the first time around.
With all of that being said I believe that in the future, should people start to wake up and
really appreciate the notion of security and privacy in a way that really influences the
market... we will see more dedicated systems and fewer general purpose ones. In order to
go that route projects such as EROS are invaluable.
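As an added example (not code from the interview or from Sun), a small auditor for the hosts.equiv format that flags the bare '+' entry mentioned above. It assumes the BSD r-commands line format "[+|-]host [[+|-]user]", treats '#' lines as comments, and uses constructed sample content.

```python
"""Audit rlogin/rsh trusted-host files (hosts.equiv, .rhosts) for wildcard trust.

Added example, not code from the L0pht interview. Assumed format per line:
"[+|-]host [[+|-]user]"; a bare "+" matches every host (or every user), a
leading "-" denies, and "@name" refers to a netgroup. Lines starting with
"#" are treated here as comments (an assumption about the file format).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    lineno: int
    entry: str
    reason: str


def _parse_field(field: str) -> Tuple[str, str]:
    """Return (sign, value); sign is '+' or '-', value is '' for a bare wildcard."""
    if field and field[0] in "+-":
        return field[0], field[1:]
    return "+", field


def audit_hosts_equiv(text: str) -> List[Finding]:
    """Return the entries in hosts.equiv content that grant overly broad trust."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host_sign, host = _parse_field(fields[0])
        user_sign: str = "+"
        user: Optional[str] = None
        if len(fields) > 1:
            user_sign, user = _parse_field(fields[1])
        if host_sign == "-" or user_sign == "-":
            continue  # simplification: a denial entry is not treated as a grant
        any_host = host == ""  # bare '+' in the host field
        any_user = user == ""  # bare '+' in the user field
        if any_host and any_user:
            findings.append(Finding(lineno, raw, "any host may log in as any user without a password"))
        elif any_host:
            findings.append(Finding(lineno, raw, "any host trusted for same-named accounts"))
        elif any_user:
            findings.append(Finding(lineno, raw, f"host {host} may log in as any user"))
    return findings


def main() -> None:
    # Constructed sample file content, not taken from any real system.
    sample = (
        "# constructed sample hosts.equiv\n"
        "+\n"
        "friend.example.com\n"
        "-evil.example.com\n"
        "build.example.com +\n"
        "+@labhosts\n"
        "+ +\n"
    )
    for f in audit_hosts_equiv(sample):
        print(f"line {f.lineno}: {f.entry!r}: {f.reason}")


if __name__ == "__main__":
    main()
```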
If so, how much stock can we put into the "metadesign" of limiting the damage an exploit
can create by attacking the ability of a failure to be controlled? Should operating systems
incorporate such "unpredictability engines" when being run in a production, non-debugging
manner? Or is such a design not worth pursuing, for various reasons?
Now, with that said, it is important to shoot for the penultimate solution to problems and this
ends up being a wonderful academic exercise (out of which great things come). Do we
shun any notions that merely raise the bar instead of being the silver-bullet? No. Each
elevation in design is a step in the right direction. It is apparent that we have many steps in
front of us but this does not mean we should stop progressing until a magic cure is found.
Unpredictability in systems, such as loaders or interpreters that recurse random times to
throw off "static" frame location and other mechanisms (i.e. canary values) etc. are some of
the finer points that I see coming out of the security approach to implementations. Are they
ready for production systems? It all depends upon what your production system must be
capable of. In many cases the answer is yes. In some cases the answer is no.
7) Future of Hardware Hacking?
> When do we get to see some hardware projects to build, or is it the case that -- due to
regulatory restrictions on what can and cannot be transmitted on US airwaves -- work is
being done independently on the notion of a secure wireless IP-based network but isn't
being released so that those of us who aren't RF engineers can't gum up the works by
screwing things up before it's ready? :-)
There is a lot of interest, but no one seems to be willing to put up the nodes. There are 2
sites currently on the network. One at l0pht and one at a residence. This has been the
state of the network for the past 2 years. Unfortunately no one with enough initiative in
either state has been found to set up other nodes. There has been interest in other states
but the long haul capability has yet to be worked out. Encrypted tunneling over the Internet
may help span the network over long distances. Once the fabric of the network expands,
landlines could be replaced with wireless links/nodes.
High-density, low-power networks sound great in theory, but until the interest level rises
above its present state, the cellular structure will remain the dominant topology.
To get the network off the ground, we have been trying to go the Amateur radio route.
Going this route does have its drawbacks. Encryption is forbidden, however compression
is not. I have been running ssh in compression-only mode for years. The initial ssh
authentication is allowed under FCC guidelines; as long as the communications are not
encrypted, you are within the rules.
The move off the Amateur frequencies will be made once the cost of National Information
Infrastructure (NII) Part-15 devices drop under $500 for a pair of nodes. These
devices operate in the 5 GHz frequency range. The breakdown is as follows:
200 milliwatts EIRP (5.15-5.25 GHz) - indoor
1 watt EIRP (5.25-5.35 GHz) - inter-campus/neighborhood
4 watts EIRP (5.725-5.825 GHz) - Point-to-point, few miles, terrain permitting.
Other devices which are usable in the project are ISM band Part-15 devices which
operate in the 900 MHz and 2.3 GHz frequency range, and dwell in the wireless LAN arena.
Wavelan (Roamabout) http://www.wavelan.com, and Rooftop Networks (just purchased by
Nokia) are, among others, players in the 900 MHz and 2.3 GHz arena. Older Wavelan equipment
can be found by searching auction sites and used equipment dealers. Early Wavelan
2 Mbps ISA/PCMCIA cards can be found for ~$125.00 US Dollars. The problem with
these cards is they don't conform to the IEEE 802.11 Wireless Ethernet specification. This
is one inherent problem with building the network out of old equipment. It becomes costly to
replace equipment once the entropy ball starts rolling.
The path to build custom equipment is equally as challenging. For example, the TAPR
(Tucson Amateur Packet Radio) group has been in the forefront of Amateur packet radio for
the past 15 years. While they have an established base of dedicated users, they continue
to have problems developing new hardware. They have been prototyping a Frequency
Hopping Spread Spectrum (FHSS) system for 3 years now, with still a prototype just
passing a design review. Hopefully this project will come to fruition soon!
Some very talented folks over in Slovenia have developed some BPSK transceivers and a
no IF SSB transceiver which will work on 1296, 2304 and 5760MHz. None are in kit form
but the schematics, theory, construction notes, and equipment checkout is available in
English. (Schematics are not in English.) These radios are not for beginners or even
intermediate kit builders. It would be nice if someone could kit these units. I started to
convert the 23cm BPSK design to utilize a chipset family put out by RF Microdevices, but
then my time got sucked into other projects. I may find the time to pursue this once again,
but I would like to get some semblance of a network greater than 2 nodes up and running
B) The future of hardware hacking.
Do you see a time when "hardware hacking" (as we've traditionally known it) will have to
fall by the wayside? If so - what, if anything, do you see as taking its place? (Perhaps
users taking advantage of the vastly more-powerful gear out there today and building their
own hackable hardware, eliminating the need to hack other people's hardware?)
I suppose that's tangentially related to the wireless.net question - for mass distribution of
the tools needed to build such a network, for instance, it seems to me that re-purposing
cheap, widely-available stuff that others have junked is a better path than having to build
things from scratch. But if the cheap, widely-available stuff of the future isn't gonna be
re-usable... where does one go from there?
What we see here is the bar being raised in the HW hacking arena. Remember cost still
drives much of the industry and you will continue to see many devices still using
microcontrollers. There are many, many internet appliances using standard Embedded
Processors and peripheral ICs. The hackers are just going to have to bone up on their
FPGA hacking skillz. Monitoring the inputs of an FPGA and then the outputs, and hacking
together an FPGA to drop in between isn't unheard of.
Hardware hacking today does require a bit more than the standard Weller soldering iron, a
50 MHz scope, and a multimeter. With processor speeds moving up into the 800 MHz range,
you fall flat on your face with those stoneage tools. The trend in general is hardware which
is becoming more and more abstracted and described by high-level programming
languages such as Verilog and VHDL. One must stay abreast of the latest tools in his
trade. There are also relatively inexpensive "soft" tools, in that a spectrum analyzer, logic
analyzer or a scope utilizes the modern PC as the guts of the device and an inexpensive
physical interface module is purchased along with software for the host. The interface is
typically a data acquisition pod for converting the sampled analog data into the host PC for
processing and the presentation.
The security of FPGAs is definitely going to become more of a target in the future. I can't
think of anyone that doesn't set the security bit of FPGA before programming a device.
Ummm.. Hmmm.. maybe I shouldn't say that. ;^) It does happen. There are also some not so
well known ways around "security bits" on FPGAs. Also, most FPGAs will allow you to
reprogram them in circuit whether or not the security bit is blown. You just better be sure
you can reproduce what you monitored before squirting in your own code.
Remember there are many more ways to fry an egg, such as voltage margining, or
operating a circuit over/under current and temperature specifications. Hitting HW with
various RF emissions (above and beyond what standard emissions/immunities tests test for)
can also produce interesting results and insights.
And as you alluded to in your question, hackers will build their own hardware which will
interface to the service/system under attack, which will allow for variable, marginable,
modules to provide the flexibility which the stock standard HW didn't provide. Study
communications test equipment. Many secrets lie inside.
A lot of today's "hardware hacking" isn't strictly limited to hardware, due to the fact that
most products are embedded systems - meaning there is a union of hardware and
software. Those who are strictly "hardware guys" will fall by the wayside and those who
are strictly "software guys" will also fall. You will need to have a decent knowledge of both
the software and the hardware environment you are programming for. I have seen
companies struggle because they hire CS folks to write firmware for a product. These
particular folks could not grasp that they were writing for a platform other than a PC or
desktop. They didn't understand how interrupts worked, how to write to a port, how to write
low-level drivers to control external memory or other devices on an SPI, I2C or other
inter-chip protocol. What ended up happening is the company called in the hardware
engineer (me) to write all the low-level functionality. In order to properly design a product
(and reverse engineer the product), you need to be able to grasp all facets...
The industry today is really in a sad state and I am fearful of the quality of the products that
are due to come out on the market - the hardware and circuitry is sound and
well-structured, but the software will have major faults and, because of this, many
possibilities for vulnerabilities.
C) The future of l0pht.
To the extent that you can discuss it openly, do you see l0pht's main activities over the next
3-5 years as continuing to revolve around the "expose weaknesses in software" side or the
"work on next-generation hardware projects" side?
8) What engines/sites do you use to scour the 'Net?
Altavista or NorthernLight for a spider based search. Yahoo for a topic search.
Ask Jeeves when I don't really know what it is I am looking for.
security/hacking: altavista - word sequences work well. A recent example would be a
search for the PCI specification by looking for "pci spec".
yahoo - when altavista doesn't help
The Hacker News Network Search Engine Page - Lots of underground spiders
attrition stats - http://www.attrition.org/mirror/attrition/stats.html
eEye stats - http://www.eeye.com/html/Databases/Statistics/os.html
NMRC - Good Novell NT and Unix info. www.nmrc.org
counterpane - for books (through amazon) and lots of free information on crypto
"You can kill the revolutionary but you can't kill the revolution"
Link Reference: Slashdot L0pht interview