Security experts wary of the L0pht hackers hanging up gray hats
How foolish is it to set a fox to guard the henhouse? Does it take a thief to catch a thief?
The way you answer those questions probably determines your reaction to the news that the hackers of L0pht Heavy Industries of Boston are going legit and merging with a new security consultancy, @Stake Inc. of Cambridge, Mass. Members of the hacker think tank will staff the new company's research and development division.
The hiring of the self-described gray-hat hackers is problematic for some federal security experts.
'I think trust would have to be established over a period of collaborative working,' said Dave Jarrell of the Federal Computer Incident Response Capability Center. 'There are still some connotations of being on the dark side.'
@Stake has solid credentials, however. John J. Rando, a former senior vice president and group general manager at Compaq Computer Corp., chairs the board. Ted Julian, former lead security analyst at Forrester Research Inc., also of Cambridge, is vice president of marketing and business development. And Phil Tams, vice president of consulting and operations, is a former senior manager at Cambridge Technology Partners Inc.
The guys from L0pht have earned the respect of many in the security community.
'They are going to be very successful, and rightly so,' said Alan Paller, director of research for the SANS Institute of Bethesda, Md. 'The person heading it has been one of the great educators.'
That would be Dr. Mudge, the nom de hack of L0pht's colorful front man. He will serve as @Stake's vice president of R&D. Mudge personifies the gray-hat hacker in a murky underworld between the squeaky-clean white hat who protects systems and the malicious black hat who attacks them.
A popular speaker, Mudge has testified before the Senate Governmental Affairs Committee. He includes the Air Force, NASA and the Justice Department among his clients.
But some people still feel nervous about his long hair, insistence on a pseudonym, and habit of writing software tools such as L0phtCrack that can be used for evil, as well as for good.
'L0phtCrack, developed as a hacking tool, is a very valuable network administration tool,' Jarrell said. FedCIRC has used it, he said, to recover passwords and regain control of compromised computers. But hackers can use L0phtCrack to find passwords and break into systems, too.
L0pht's response to critics of its ambivalent activities: If it's a threat, close the loopholes and protect yourself.
Some who come from the law enforcement side, such as James R.C. Hansen of Trident Data Systems Inc. of Los Angeles, a former special agent for the Air Force's Office of Special Investigations, are dead set against hiring anyone whose hat has even a touch of gray.
But, Paller said, a lot of people are going to ask themselves: 'Who knows better? If he's willing to help, let's ask.'
Probably anyone skilled in the ways of hacking has succumbed to temptation at one time or another. No one is lily-white. Mudge, Dildog, Space Rogue and the rest of the gang at L0pht, now with @Stake, seem up-front about their activities and enjoy closing loopholes as much as finding them.
'They are intelligent; they are smart,' Jarrell said. 'Too bad they couldn't have started on the right side to begin with.'