L0pht/@Stake Merger FAQ

1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?
2. Why did you do it? You seemed to have a perfect club-house environment.
3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?
4. So what's going to happen to the old L0pht space you were in?
5. And what about the webpage? Is it going to go away? Is it going to be put on 'atstake.com'?
6. What exactly is L0pht doing over at @Stake? Are you consulting now?
7. What's going to happen to all the advisories? Are you still going to publish them?
8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?
9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and was it picked up by the merger?
10. How does it feel working with a bunch of business stiffs?
11. What are the financial makings of this merger?
12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake different? Explain in small words.
13. I don't trust hackers like you. Why should I?
14. Are you still going to get drunk and rant at cons? What about your 'professional image'?
15. Are you hiring? Can I be a L0pht Member?
16. Does @Stake have an open-door policy?
17. Are you still going to the MIT Swapfest and selling funky stuff?
18. Are you still using your handles? Or are you going to use your real names now?
19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?
20. Will you be coming out with any more T-shirts?

1. Is it true? Did L0pht Heavy Industries actually merge with @Stake?

YES. L0pht Heavy Industries was incorporated, had employees on the payroll, and sold software products and consulting services. In short, we were a real company and had been operating that way for a couple years. L0pht Heavy Industries legally merged with @Stake in the beginning of 2000 so we are all one company now. The new company will go by the name of @Stake.

2. Why did you do it? You seemed to have a perfect club-house environment.

We strived to be (and achieved) a pure R&D environment. Unfortunately pure research and development is not a very profitable arena. In addition, one needs business people, sales and productization of services. So, while we tried to keep the research and fun environment we were fighting a losing battle in making ends meet.

To summarize, we had problems scaling. Everyone was spending more money and effort doing less research and experiments. The L0pht wanted desperately to avoid having to compromise our goals and ideals which would have happened if we had continued to go the route we were. The solution was obvious. We needed to find an organization that valued the R&D work that we did, could benefit from it, profit from it, and enable us to keep contributing to the community.

We feel very fortunate in having come across such people in @Stake. We see this as a win-win situation where we will be able to do a lot of the research that we were unable to do while just being the L0pht. We also feel very fortunate in finding an organization that did not expect us to about-face in the way we approach sharing our findings with people.

3. So, how's the cultural fit with @Stake? How do the L0pht's values fit in there?

Here is a PARTIAL list of components that we find work very well with our VALUES and make us very comfortable about the merger:

@Stake is aiming to be completely product / vendor neutral. This enables them to make the best design decision and recommendations possible to the customer without unknown biases. This is accomplished in the following ways:
- @Stake will not take commissions / kick-backs from product vendors for recommending a product into a customer.
- @Stake is in the business of providing strategic services rather than tactical ones. What this means is that they see the benefit in helping design / implement solutions with security and functionality from the beginning rather than looking for known problems and helping to only remediate them when they could have been avoided all together.
- @Stake will not sell products. Thus they do not have customers being worried that they will recommend their own product even if it might not be the best solution. What this means to us is that we get to continue coming out with tools and programs but are forced to give them away for free! How cool is that! We are completely non-biased in our opinions of products and technologies, and we are able to continue our experimentation and reverse-engineering of such. This also allows us to continue our "consumer reports"-style announcements, papers and research.
@Stake is committed to a strong research and development leg as a method of always being a leader and not just a follower.
@Stake wants smarter customers rather than dumber ones in the community. By helping to educate everyone as much as possible it not only helps differentiate the company but allows more interesting and thorough solutions to be deployed for customers. This is the same belief that the L0pht has always held.

4. So what's going to happen to the old L0pht space you were in?

We still have the space. Some of the hardware projects that were going on over there are just not practical to move. We are also setting up new lab space that has many of the things that we could not manage at the old location.

5. And what about the webpage? Is it going to go away? Is it going to be put on 'atstake.com'?

Not in the immediate future. There will obviously be a period of time before we manage to fully integrate everything. As was stated in a previous response one of the reasons we embarked upon this merger is due to the like-minded beliefs. So, when the two web sites finally merge you can expect to find the same sort of information that is currently published in an even better format. It might even be that they stay as individual web sites, one focusing more on R&D and the other on business angles. What it boils down to is that you can expect some changes but the main focus will be quite similar to what it currently is.

6. What exactly is L0pht doing over at @Stake? Are you consulting now?

The L0pht forms the nucleus of the Research and Development group in @Stake. By continuing to push the envelope in security research we can help productize new services to the consulting and business legs of @Stake.

7. What's going to happen to all the advisories? Are you still going to publish them?

The L0pht will continue to publish advisories. This will not change. The L0pht never did and never will publish an advisory based upon insider information that would betray someones trust. However, we will continue to act as a Consumer Reports style organization in posting our general findings through analysis and evaluation as general customers reviewing software.

We still beleive in Full-Disclosure in our advisories. We are also happy that we will be better able to work with companies in giving them advance notice before posting publicly to the world.

8. Are you still going to sell L0phtCrack? And AntiSniff? Will there be new versions?

Since @Stake is purely a consulting services company, it did not acquire the products that were sold commercialy from the L0pht. L0phtCrack and AntiSniff are being moved to a holding company independent of @Stake and will continue to be sold. We will be donating the proceeds (after operational expenses) to non-profit and educational organizations.

The free versions will continue to be free and include source code. A new version of L0phtCrack was 95% complete at the time of the merger. The authors will probably finish the last bit and release L0phtCrack 3.0 but the schedule is uncertain.

A Linux version of the researchers version of AntiSniff is underway and will be released under the same free researchers license that the command line AntiSniff currently has.

9. What's the deal with Hacker News Network anyway? Is that actually part of L0pht, and was it picked up by the merger?

Hacker News Network was run by l0pht employees on l0pht equipment so it certainly was a part of l0pht. We feel it provides a valuable news source to the security community so it will continue to operate as part of @Stake. We expect to be able to spend more time and resources in making it an even better resource for the community.

10. How does it feel working with a bunch of business stiffs?

@Stake is definitely not populated with a bunch of business stiffs. One of the reasons L0pht merged with @Stake was the quality of the people there. They understand our vision of computer security. Some of them would even be considered hackers exactly the same way we think of ourselves as hackers.

Things are a bit more businesslike at the merged company but the place is a place that values openness, diversity, creativity, thinking outside of the box, and coming up with non-conventional solutions.

11. What are the financial makings of this merger?

@Stake is not a publicly traded company right now and as such we are not able to give those details. We are happy to say that the main impetus for the merger was the ability to engage in much more grandiose research work and not compromise our morals in the process. We started into this field in order to learn, educate, and contribute and are happy to say that we should only be able to do this things even better now.

12. You talk about 'Strategic Security Solutions' on the @Stake webpage, and you talk about being truly 'vendor-neutral'... isn't that what everyone else is doing? What makes @Stake different? Explain in small words.

The answer to question #3 should help on the vendor-neutral aspect being more than just lip service.

As for the 'Strategic Security Solutions' this is similar to how the L0pht always handled customers. An example in the software world between tactical and strategic might help:

A buffer overflow was found in a section of code. The offending call was the unbounded strcpy().

Replace that particular strcpy() call with the bounded strncpy(). If a similar problem is found elsewhere later on fix that one after it is reported. Repeat as necessary.

From the design point help model with security involved. Use bounded string functions to remove that class of future problems.

Obviously the above is just an example of the way we see tactical being different from strategic approaches. This is how we view all projects be they in the infrastructure, content, operational, network, etc. fields. It also does not preclude us from implementing tactical solutions as necessary but the main focus is enabling, not only reacting.

13. I don't trust hackers like you. Why should I?

We call ourselves hackers using the original, positive meaning of the word. A good definition can be found in Eric Raymond's

Hacker's Dictionary. We think hackers have higher ethical standards than most in the business world. We do not do anything illegal with our computers or anyone else's. We get our kicks finding and solving security vulnerabilities in products and technologies using our own networks, hardware, and other resource. This is the way we have always operated and that is the way we will continue to operate. If you can't relate to this, then you should probably reinvestigate the meaning of the word 'hacker'.

14. Are you still going to get drunk and rant at cons? What about your 'professional image'?

We will continue to be involved in conferences the way we always have. Don't you think that if @Stake had told Mudge he would not be able to have a beer with his friends and talk about crypto-systems that would have been a show stopper for the merger right there?

15. Are you hiring? Can I be a L0pht Member?

We are definitely hiring. We cannot thrive and be the leader in security without the best people on the planet. Submit your resume to jobs@atstake.com if you are interested. We want to work with the best and you probably do, too. If you have top notch security skills in consulting or research we urge you to apply. That being said, we cannot accept everyone that applies but will do our best to make sure everyone gets a fair shake.

The L0pht is fully integrated with @Stake so there is no seperate group of people called "L0pht Members". We are proud to call ourselves members of the @Stake team. We will now be known as 'The Hackers Formerly Known As The L0pht', or perhaps some unpronouncable symbol.

16. Does @Stake have an open-door policy?

@Stake operates in a similar fashion to most other professional service organizations. The reason we went to the closed door policy at the L0pht was to enable ourselves to get work done and not just have the place be a local hang-out for people wanting to kick back with a beer and watch TV. While we will be more accesible at @Stake, we are there to do R&D work and as such it will continue to not be an open-door-hangout type environment.

Keep in mind, however, that L0pht has not had a true open-door policy for many years. At our original location, the L0pht was more of a club-house and place for general hanging-out of hackers from around the world. When we moved to our new location and decided to do real research and provide to the community, the L0pht was not open for everybody. We occasionally gave tours and threw parties, but the space was not open for visitors 24 hours a day.

17. Are you still going to the MIT Swapfest and selling funky stuff?

We will still be going to the MIT Swapfest to see people and pick up various things. We hope we won't have to sell our scraps at it anymore in order to make ends meet :) However, as most people going to the MIT flea, we will also want to "upgrade our junk pile". We will be selling, just not every month as in the past.

18. Are you still using your handles? Or are you going to use your real names now?

We have been using our handles for over 10 years now. It is what we have published under in academic journals, magazines, books, given training courses under, and provided recommendations to the US Senate under. As such they are as much our recognized names in the security community and we will continue to use them. Many companies seem to be scared of doing business with people using pseudonyms or handles. This is a problem that we would like to solve. We are not really hiding from anyone, but this is how we've been known for a long time, and for some, is what our parents call us. We hope to educate those companies by showing them that its not the name that's important, rather the information and services that can be provided.

19. What's up with Guerilla Net? Are you guys still doing hardware projects over at @Stake?

@Stake has committed to enabling the R&D labs to work on hardware related projects as well as protocol and software ones. We see an ultimate marriage between all of these areas as technology is progressing and would be remiss if we turned a blind eye towards any of them.

20. Will you be coming out with any more T-shirts?

The T-shirts were fun little projects that we did more out of amusement than anything else. Should the opportunity and inspiration strike again we would not rule out the possibility of coming out with some new designs.