Presented at DEF CON 26 (2018)
Aug. 10, 2018, 5 p.m.
2018 is the 20th anniversary of the hacker think-tank L0pht Heavy Industries' testimony before the US Senate Homeland Security & Governmental Affairs Committee on the topic of weak computer security in government. The testimony made national news when the group announced they could take down the Internet in 30 minutes. It was also the first time hackers using handles appeared before a US legislative body.
Members of the L0pht have grown from their hacker roots to become distinguished leaders and contributors in the security community and beyond. They run multi-million dollar security-focused organizations, have lobbied the government for better security laws, work for some of the largest companies in the world, and continue to spread the message of the positive aspects of hacking.
With several of the L0pht's original members, this discussion will cover the original testimony and the changes that have happened over the last 20 years. Is the government any more secure? Have they provided enough influence to help protect its citizens' data? What steps should we take to ensure user security and privacy in the future? We are hoping for audience participation and also welcome questions about any other time in the L0pht's relatively short, but poignant, existence.
Chris Wysopal / Weld Pond
- Hacker, Co-Founder, Veracode
When Weld Pond (Chris Wysopal) joined the L0pht in 1993, there was no internet connection. He then built the l0pht.com gateway machine using Slackware 1.0 on 24 floppies. Weld was the webmaster of the l0pht.com website where all those hacker t-files from the BBS era could be found. Weld worked on the software side of L0pht researching vulnerabilities, writing advisories, building Netcat for Windows, and making L0phtCrack the first password cracker with a GUI. Weld was part of the 7-person group that testified at the US Senate in 1998, where he spoke about software transparency and liability. He joined @stake with the L0pht acquisition and worked there managing the research team and consulting at top customers like Microsoft until @stake was purchased by Symantec. Weld and Dildog then spun out the @stake static binary analysis technology to create Veracode, where he is co-founder and CTO.
John Tan joined the L0pht in 1996, contributing to the Full Disclosure movement with an advisory on Novell Netware 3.x. He was part of the L0pht's 1998 US Senate Testimony and published a widely cited essay called CyberUL, which pointed out the conflict of interest that exists with the still-current model of security certifications for people and products. He has over 20 years' experience within the financial industry and most recently shifted his focus to health insurance.
Silicosis (Paul Nash) joined the L0pht in 1998 and contributed to vulnerability research, with a focus on network protocols. In 1999, along with Mudge, he consulted with Marcus Ranum's new startup, Network Flight Recorder. Paul wrote a series of hybrid protocol analysis & anomaly detectors for the common protocols of the time. They successfully identified both known and unknown attacks. He continued on as a founder of @stake and continued research on network protocols, including Fibre Channel and 3G cellular networking. Paul was the last member of the L0pht to remain at Symantec after the acquisition.
Peiter Zatko / Mudge
- Head of Security, Stripe
Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. He also published some of the first security advisories and research demonstrating early vulnerabilities such as code injection, side-channel attacks, and information leaks. In addition to these advisories he has had numerous technical papers published in peer-reviewed journals.
Mudge has testified to the US Congress multiple times in addition to having a long history of teaching and lecturing at universities, military academies, and government agencies. He was the initial author of L0phtCrack and the author of early BGP attacks made famous in testimony to the US Senate referencing how to 'take down the Internet in 30 minutes.'
In 2010 he took an appointed position as a Department of Defense official within the Defense Advanced Research Projects Agency (DARPA), where he was responsible for redirecting the DoD's cyber research efforts. After his tenure at DARPA he was corporate VP of engineering at Motorola, and then the Deputy Director of Google's Advanced Technology and Projects group, before starting the 501(c)(3) organization Cyber-ITL at the behest of the White House. He is presently Head of Security at Stripe.
Cris Thomas / Space Rogue
- Global Strategy Lead for X-Force Red, IBM
Space Rogue (Cris Thomas) joined the L0pht in 1992. While there he created one of the first Macintosh hacking sites, The Whacked Mac Archives, and released an early MacOS exploit for FWB Hard Disk ToolKit. Later, while still at the L0pht, he created and ran the Hacker News Network. He was part of the L0pht's US Senate Testimony in 1998. After the L0pht, Space Rogue went on to work at security companies such as @stake, Guardent, Trustwave and Tenable. He currently works as the Global Strategy Lead for X-Force Red at IBM.
Joe Grand / Kingpin
Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, and proprietor of Grand Idea Studio (grandideastudio.com). He joined the L0pht as a 16-year-old in 1992. The youngest member and technological juvenile delinquent, the L0pht kept him out of trouble and helped redirect his passion towards good. Kingpin worked on the POCSAG Pager Decoder Kit, AMPS-based cellular phone hacking, and Palm OS application development, among other things. He was also a t-shirt shipper, food picker-upper, MIT Flea Market hawker, and terrified speaker at the US Senate Testimony in 1998. Kingpin was responsible for getting everyone sick in his attempt at making the infamous L0pht R00t B33r. He still hasn't apologized.
- Hacker, Co-Founder, Veracode
DilDog joined the L0pht shortly after graduating from MIT, leaving his job at a major bank to work on a password cracker in a warehouse with a bunch of hacker misfits. Thankfully, that wasn't as ridiculous as it sounded, and it turned out that L0phtCrack would be kind of a big deal. He's still the primary maintainer of the codebase today, 20 years later. Also at L0pht and @stake, he developed AntiSniff, a promiscuous-mode device detection system, wrote a bunch of security advisories, and developed a fine cDc-brand remote administration tool named Back Orifice 2000. Also at L0pht and throughout the @stake acquisition, he developed an automated software decompilation system that would become the core of the static analysis technology for the startup he and Chris Wysopal would found in 2006, Veracode.
- Senior Vice President of Content and Media Strategy at Bateman Group
Elinor Mills has been intrigued by hackers since she covered DEF CON III as a journalist in 1995. Following four years reporting for the Associated Press, she joined IDG News Service and for an early travel assignment headed off to the Las Vegas desert for the annual hacker pilgrimage (a trek she's taken more than a dozen times since). There she learned about the nuances of hacking, delighted in the Spot-the-Fed contests and met youth who would one day be leaders in securing the internet. She went on to reporting jobs at The Industry Standard, Reuters and CNET over the next two decades covering a variety of tech topics, but her main interest remained security and the passion and intellectual drive of the people looking for the flaws that threaten our digital lives. Today, she helps hackers and security entrepreneurs spread the gospel as Senior Vice President of Content and Media Strategy at Bateman Group. Software may be eating the world, but hackers are keeping it safe.
L0pht Heavy Industries
- Hacker Collective
L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of coordinated disclosure. In May 1998, the group testified in front of a US Senate committee on weak computer security in government, where they famously exclaimed they could take down the Internet in 30 minutes.