A Short, Strange Trip from Hackers to Entrepreneurs
---------------------------------------------------

By Kevin Ferguson in Boston

MARCH 2, 2000

The notorious group called L0pht has gone mainstream, complete with VC funding. But its image could scare off corporate clients

Can you trust your company's network to someone you know only as Mudge, Space Rogue, Kingpin, or Brian Oblivion? Would you give security access to Weld Pond, John Tan, and Stefan von Neumann -- all icons in the murky world of cybercrime -- if they promised only to help you find and fix weak spots?

You might not think so. But that's the idea behind @Stake, a Cambridge (Mass.) computer-security startup that teams seven well-known hackers with respected business execs, including a former Compaq executive. The hackers are hoping to transform themselves from back-door artists into bona-fide entrepreneurs so they can offer their expertise to major companies at premium prices. At least, that's the plan. Whether anyone will actually let them in the front door is another matter.

Their timing couldn't be better. @Stake was formed just a few weeks before the recent outbreaks of high-profile Net vandalism. For a startup looking to acquire some marketing buzz, the attacks seemed tailor-made to acquaint potential clients with its Internet security savvy. Leveraging their hacker mystique, the fledgling company's employees explained the nuances of the attacks to a media fascinated by the blackouts of eBay, Yahoo!, CNN.com, and other big sites. Even the White House took notice, inviting the lanky, long-haired Mudge to join 28 other experts to counsel President Clinton on Internet security.
__________________________________________________________________
The group's rented warehouse loft was part clubhouse, part lab -- and inspired its name, "L0pht"
__________________________________________________________________

In that sense, it has been quite a trip for the seven men in their 20s and 30s who gained notoriety not by ravaging government databases or defacing Web sites but by publicly exposing the security weaknesses of commercial software, such as Microsoft Windows NT. From a rented warehouse loft that served as part clubhouse and part computer lab, the seven hackers, known collectively as "L0pht", began posting scathing criticisms on Internet bulletin boards, forcing publishers to issue software "patches" to fix security holes in their products.

That stroked some egos, but it didn't pay the rent. Says Mudge, who declines to give his real name: "We tried to keep the research and fun environment, but we were fighting a losing battle in making ends meet." So when @Stake came knocking in January, promising $10 million in funding from Battery Ventures in Wellesley, Mass., and another $10 million by yearend, L0pht agreed to be acquired as the brains of the new operation.

Even with a big publicity boost, the challenges of transforming a band of hackers into a going concern are plentiful. @Stake has an experienced businessman at the top: Chairman John Rando, 48, who ran Compaq Computer's services business before signing up with the company.

GOING THE WRONG WAY? Still, the hackers who make up the core of @Stake must become consultants, assessing Internet security and recommending a course of action for corporations that hire them. "The skills in finding security holes are not the same skills in designing a secure Web site," says Win Treese, vice-president for technology at electronic-commerce developer Open Market in Burlington, Mass. "The attackers have to find one weak point. The defenders have to defend many holes."
@Stake will also have to overcome the natural reluctance of businesses to allow hackers to rummage around in their networks, says Alan Paller, research director for The SANS Institute, a nonprofit association of network administrators and security professionals based in Bethesda, Md. "Hiring an ex-hacker is like hiring an ex-terrorist," Paller says. "Are they O.K., since it's been more than an hour since they threw the last bombs?"

David Green, deputy chief of the computer crime and intellectual property section of the Justice Dept.'s Criminal Div., concurs: "We welcome anyone who's seen the error of his ways and wants to enhance security on the Web rather than attack the Web. But we have concerns about companies who think that employing hackers is the best way to go about things. I don't think the best people in bank security were former bank robbers."

__________________________________________________________________
@Stake admits that the nicknames create a cloak-and-dagger aura and serve as a great publicity tool
__________________________________________________________________

Whether or not any L0pht member ever worked on the wrong side of the law is a question @Stake executives like to leave vague. While Mudge explicitly states that no L0pht members have ever broken the law, he is described in company literature as a "grey-hat hacker" -- that is, neither a good guy nor a bad guy. And at a Senate Governmental Affairs Committee hearing on computer security in May, 1998, L0pht stated that its inclusion of Kingpin into its group in 1993 "kept [him] from illegitimate activities."

Then, of course, there's the continued use of the hacker nicknames. Senator Fred Thompson (R-Tenn.), citing the "sensitivity of the work done at the L0pht," allowed the hackers to use their pseudonyms during the 1998 hearings. Now, says @Stake, they use their nicknames simply because they have a following in the computer security industry.
@Stake also acknowledges that the cloak-and-dagger aura serves as a great publicity tool. (For the record, L0pht's September, 1998, incorporation papers identify its members as Peiter Zatko, Cris Thomas, Chris Wysopal, Brian Hassick, Joseph Grand, and Karl Kasper. It doesn't mention a seventh member, nor does it match the nicknames with the proper names.)

But what of hacking itself? Isn't it inherently illegal? Not exactly. Certainly it's illegal to break into a computer network and alter, extract, or insert data without its owner's permission. Similarly, it's illegal to launch "denial of service" attacks such as those suffered recently by eBay and Yahoo!. But it isn't illegal to do what corporate network administrators routinely do: use software to remotely determine how a computer network is configured and what security measures are in place.

NEFARIOUS TOOL. And that's how @Stake says it will provide service for its corporate and government clients. Once it figures out how a network is set up, it will replicate that configuration in its Cambridge computer lab and test its security. (What will that cost? "Around $1,000 a day if we send out a junior person to do tactical work, to $20,000 a day if we send out a senior management person to do some strategic work," according to Ted Julian, marketing vice-president.)

Not all of L0pht's methods are so antiseptic. Ostensibly as part of its campaign to force the hand of software vendors, L0pht created and distributed Internet hacking tools to anyone who wants them. One such tool, L0phtcrack, allows unsophisticated computer users to crack password codes of Web sites. "I would think many people have done damage using L0phtcrack," says SANS Institute's Paller. Internet security experts believe that L0phtcrack, written by L0pht member Weld Pond, is one of the most widely distributed hacking software programs.

Still, L0pht and L0phtcrack have had their supporters.
Senator John Glenn (D-Ohio), during the 1998 hearings, referred to Mudge and his colleagues as "the white hats" of computer hacking. Senator Thompson, who chaired the Senate hearings, described them to Business Week two weeks ago as "brilliant young men." The National Security Agency and NASA have both hired L0pht members as consultants. Even Microsoft, which has been roundly criticized by L0pht on numerous occasions for its failure to use more stringent security code in its software, advised customers in a 1998 security bulletin to "consider evaluating a tool such as L0phtcrack 2.0 for assisting in checking the quality of user passwords."

__________________________________________________________________
@Stake's hackers actually possess a wide range of skills that are needed to ward off a complex variety of attacks
__________________________________________________________________

In addition to the credibility L0pht has built up, @Stake has attracted technologists who have earned their stripes in the tamer side of the computer industry. They include Rando and former Interpath Chief Executive Chris Darby, 40, who became @Stake president and CEO on Feb. 28. They also include Chief Technology Officer Dan Geer, a self-effacing intellectual who is considered one of the top computer scientists in the country.

A closer look at @Stake also reveals a diversity of skills among its hackers. Brian Oblivion concentrates on wireless communications and chip architecture, while Mudge's expertise is in network systems and cryptology. "They have a balanced team that spans everything," concludes Peter Neumann, principal scientist at Menlo Park (Calif.) think tank SRI International, who also testified at the 1998 Senate hearings. Such diversity of skills is important, say Neumann and other experts, because security threats can come in multiple forms.
For example, malicious hackers could disrupt Internet service not only by cracking passwords but by disabling telephone switches and electrical power grids that serve huge geographic regions.

But @Stake will be doomed if prospective clients fail to look past the company's hacker roots, acknowledges Battery Ventures general partner Tom Crotty. "We've been having discussions with @Stake about that very issue," he says. After all, once the marketing smoke clears and the media mirrors fade, @Stake will find itself competing with well-established, button-down consultants from PricewaterhouseCoopers, Ernst & Young, and other large firms. To be taken seriously in this market, @Stake will have to crack the code of business.

Source: http://www.businessweek.com/smallbiz/0003/ep000302.htm