L0PHT--hackerish spelling for loft--is a sort of hackers' workshop. In Boston, seven men regularly meet in a space they've rented to work on various projects. NewsHour Correspondent Tom Bearden recently spoke with the members of L0PHT about how they started, what they do and why they do it. The names used by L0pht members in the interview are to protect their identities.
TOM BEARDEN: How did this organization get started?
The origins of L0pht.
MUDGE: Basically, we had all known each other for quite some time, for the past, I'd say, maybe even ten years. We found that we were all located geographically in a similar area, and having known each other through online, on the bulletin boards in the late eighties, early nineties, we started to hang out. We started having meetings in Harvard Square at some of the eateries around there.It got to a point where we had enough junk and equipment in all of our collective houses that our significant others, our girlfriends, our wives were a little upset with the scattering of computer boards, computer equipment taking up the bedroom, the bathroom, the kitchen sink that it was generally agreed that we were all going to chip in and rent a loft space in the south end of Boston to store the stuff. And as everybody started bringing over their "junk," as it was always euphemistically referred to, as we started noticing a synergy in what everybody was bringing over, and it was all able to work together. And since we were doing this sort of thing on the sides anyway, trying to amass our own tools and toys, it just was much more convenient to use everybody else's. So we started building miniature networks, ripping down protocols, playing with software, and the other thing was it kept us out of trouble because before that, a lot of us used to play with other people's hardware and protocols, and whoever's machines would talk to us, and that's kind of how the loft grew out. It kind of took off from there. Two years after that, we moved over to this location, so L0pht, spelled L-Zero-P-H-T, was just a takeoff on the hackerish type spelling of loft, which is what we started out in. TOM BEARDEN: Why did you join?
A colloborative effort.
WELD POND: Because this type of activity you really need to collaborate. Hacking is something where you're not really learning things from textbooks. We obviously read the textbooks too, and we read the published material, but it's knowledge that's built up by talking to other people who have basically toyed around and played with operating systems, played with software, and it's a way to learn is to talk to other people who enjoy doing that kind of thing, and you really need to meet with others and collaborate on projects to really build up your own knowledge.
TOM BEARDEN: Trade on each other's knowledge and build on that?
WELD POND: Right. So if, say, I may know something about Windows NT, and Mudge here might know something about Unix, and he can help me out with something that Windows NT is doing that is something that has a Unix background to it, something like a TCP/IP protocol. So I have some knowledge, he has some knowledge, we fit it together, and that way we can, you know, have some sort of a breakthrough because we're just getting a synergy going....
SPACE ROGUE: Well, one thing on that question, you keep saying "joined". I don't think anybody actually joined. We just grabbed together and that was it, and we just sort of fell into each other's hands, as it were.
TOM BEARDEN: What would you call this, a club, just a group, a bunch of guys who hang out with similar interests, how would you call it?
SPACE ROGUE: Well, we have been called a conglomerate, a think tank.
L0pht -- A hacker think tank.
MUDGE: The various media references, which whenever we get a good one we like to kind of try and keep hold of it, have been a conglomerate, a hacker think tank, a collective, brilliant crypto-crackers -- that was one of my personal favorites, a fraternity. Basically, I just think it's amazing that seven people can be together for four years in close proximity, in close quarters and not kill each other.
WELD POND: And not have sort of a monetary reason for sticking around with each other, for a familiar reason.
TOM BEARDEN: Where did you get all this stuff?
KINGPIN: Trash, flea markets, gifts, people's work when they're throwing stuff out. Trash is really how it started. We used to go "dumpster diving" a lot, ride around on bicycles -- still do, look in computer manufacturers, telephone companies, cellular phone companies. You'd be surprised what companies throw out. When they're upgrading, they'll throw out complete systems or complete working telephones, or bundles of software, or basically anything when they're upgrading.
MUDGE: A great example is over a period of months we were able to piece together the . . . super computer that we showed you. That was entirely from a company that was starting to lose government contracts, ditching different R&D departments....
TOM BEARDEN: What do you do when you find vulnerabilities? What do you do with the information?
WELD POND: Well, basically we agree that things should be -- there should be full disclosure, and we just let the world know when we find a vulnerability. And we found that by doing that, the vulnerability gets fixed pretty quickly. It used to be that this information kind of got passed around in the underground. If I found something, I would put it up on an underground bulletin board and other hackers would read it, and other hackers used the information maybe. But the problem really didn't get fixed.
And then we started publishing these things on our Web site, and other Web sites have sprung up just for the sole purpose of publishing this information. You'd be surprised how quickly the problems get fixed when thousands of people can exploit those vulnerabilities instantly. And this problem with the -- like the thing that happened at the Pentagon, I mean, this thing was discovered by a hacker, was put up on a hacker web site called Root Shell. Everyone in the world could download it. It was discovered before Root Shell, but it was really made totally publicly available there. And still months later, the Pentagon didn't fix the problem.
TOM BEARDEN: And they're aware of it?
SPACE ROGUE: Some of the first vulnerabilities that we found, we actually went to the companies first and said "Hey, you guys have got this big problem."
MUDGE: And the first question was "do our customers know this?" "No, we haven't told anybody. We figured we'd tell you first." And they're like "Oh, good, thanks a lot for the information. We'll do something about it." And they never did, because they didn't want to spend the time or the money going in and fixing it when their customers weren't complaining and weren't saying "Gee, you told me you're protecting my software, protecting my company with your product, and there's this huge back door and you know of it, and you refuse to fix the problem?" And the longer that goes, the more the actual people trying to protect the sites are in the dark, and everybody else knows the problem. You end up being the laughing stock because you're the last person on the block to know of the problem after everybody has run through your systems....
WELD POND: Another example is even just publishing a paper, even describing the problem doesn't get them to fix it. An example is with Microsoft's Windows NT. A friend of ours, Hobbit, a fellow hacker published this paper on weaknesses in their network authentication protocol where basically you could sniff the network and you could gather people's passwords from this....
So he published this paper, and Microsoft didn't do anything to fix this. We came along and we wrote a program which could exploit this vulnerability, and I think a few days after we actually published the program that could exploit the vulnerability, Microsoft came out with a fix for it....
Now, we're not the only guys who could read the paper and write the program, obviously. There's plenty of foreign governments. There's plenty of other computer think tanks out there that have the knowledge we have. And until you actually -- and have a lot more money and a lot more time. So until you actually say to a system administrator you go, "Look, I can grab the passwords on your system." He doesn't go to Microsoft and say "fix this."
Microsoft knew about the problem, but they had none of their customers saying "fix this," so they didn't.
Helping out the consumer.
MUDGE: And what was the end result? The end result was a better product for the customer....
TOM BEARDEN: So my question is why do you do it? Why do you put this information out there?
KINGPIN: Because it's fun, and we learn, and it keeps me out of trouble. It's just nice to experiment with hardware or software.
SPACE ROGUE: Most of us do this in our day jobs. We all have jobs in the IT industry, and we all basically do the exact same thing 9 to 5, or 8 to 6, or whatever.
TOM BEARDEN: So why do you do it 6 to midnight?
STEFAN VON NEUMANN: Most of us in our day jobs are doing one aspect that we can't push to the limit in our day job. It's not relevant to our position. So it's the off hours, it's the time spent here that we can push what we've stumbled upon to the extreme and maybe get some use out of it that might be useful for somebody else other than our employer.
TOM BEARDEN: Do you do this in at least some sense out of a sense of public service?
STEFAN: A little bit.
SPACE ROGUE: It's probably the lowest level. The higher level is the knowledge and the learning for ourselves.
WELD POND: If we can share what we've learned with everybody and then publish it, that's great. But we want other people to share with us, too. But it's actually sort of the thrill of finding the problems, the thrill of exposing the weaknesses and saying "Well, geeze, look, they had all these smart people design this system, and I spent a few hours and I looked at it, and look, I found this huge problem." That's kind of exciting.