"That vulnerability is completely theoretical."
  -- Microsoft
 
L0pht, Making the theoretical practical since 1992.

Rebuttal Letter Redux to Mass High Tech


We appreciate the fact that you have taken the time to fix some of the
errors contained in your original article, "Think your site's safe? Think
again, pros say."  It is unfortunate that the research and fact checking
are occurring after the article was published. There are some statements in
your new article that bear continued scrutiny to set the record straight.

This statement is misleading:

     "It should be noted that both M.A. Nelen and I responded to Dr.
     Mudge's e-mails with requests to talk with him so that issues could
     be clarified. He declined."

Dr. Mudge was not contacted via email until several days after the first
erroneous article was published.  Furthermore, this contact was not until
Dr. Mudge sent a rebuttal to the authors and Mass High Tech was deluged
with email from angry readers.  All of what, we felt, were inaccuracies
in the article were explained in our rebuttal. 

Let us offer our explanation of the terms "hacker" and "cracker" for the
record. A hacker is someone who explores, pushes, and twists technology
to its limits and beyond, making systems behave in ways that their
creators never intended. Hackers do this for the joy of it, not for money
or glory. 

The term cracker was invented out of necessity by hackers to describe a
criminal subset of the hacker culture that is mainly interested in
defacing web sites or stealing proprietary information. The term was
invented because the media latched onto the term hacker without
understanding what it truly meant.  This atrocity is akin to the media
calling all hitmen "firearm experts" because hitmen usually know a lot
about weapons.  The people who were using the term "firearm expert" to
refer to themselves would be, understandably, quite peeved and would try
to clear up this misunderstanding whenever possible.

If there are people who call themselves, as you say, "security
professionals", who think your article's distinction of hacker and
cracker was adequate, they are, quite simply, ignorant.  We recommend they
read the Hacker's Dictionary by Eric S. Raymond, which is published by MIT
Press.  Here are a few words of his about the book:

     ...many in the public think of hackers as a potential conspiracy of
     dangerous nerds, that the very term "hacker" is now considered by
     many ignorant people to be a synonym for "computer criminal". We
     must reclaim the word "hacker" for our own! There is a real danger
     to hackers that restrictive, wrong-headed information laws and
     strict licensing requirements for "software professionals"  might
     kill our open, free-spirited culture. This would be a tragedy not
     just for us but for the whole world that benefits from our
     creativity.

     Groups like the Electronic Frontier Foundation have been formed to
     fight for hackerdom on the legal and political level. To support
     that, though, the public needs to be re-educated about all the
     positive aspects of hackerdom. We need them to see our sense of
     humor, our dedication, our playfulness, our idealism; we need to
     communicate the excitement, challenge and promise of the new worlds
     we're exploring. We need the man in the street to see us as an ally,
     not a threat.

It is interesting that you use the term "reportedly" when referring to
the fact that we testified before a Senate Committee.  If anything can be
verified firsthand as fact it is matters that are contained in the
public record of the federal government. See
http://www.senate.gov/~gov_affairs/51998notice.htm for the official
hearing notice.  

Yes, the tone of the article was very wrong and we are grateful that you
have admitted that it was not appropriate.  For the record, Dr. Mudge and
the other members of the l0pht do not commit crimes or "intrude" on
private internet sites. We have our fun by hacking, not playing cat and
mouse with law enforcement or tormenting system administrators.

We also enjoy speaking out about our findings and trying to educate
people on computer security from a hacker's mindset.  This takes time and
energy.  It was the reason why Dr. Mudge was giving his time to speak to
the Association of Internet Professionals at their monthly meeting.  We
felt it was a slap in the face to go out of our way to educate others and
then have a report of the event speak of Dr. Mudge and the l0pht in such
a derogatory tone. 

You would like Dr. Mudge to "identify" himself so he can be recognized
for his good work?  With what?  A home address?  A social security
number?  What purpose would this serve?  Dr. Mudge is already recognized
for his work and can be contacted via his email address at the l0pht. 

We at the l0pht see no reason to use identifiers that are used for
tracking a person's physical location or financial resources.  We inhabit
an information sphere where reputation is built on what information you
know and what information you share.  For this purpose we use monikers of
our own choosing.  There is a long history of people using pen names, from
the writers of the Federalist Papers to novelists to modern celebrities.
Privacy is the primary reason.

-The L0pht-