
‘Nothing’s Going to Last Forever’: An Oral History of the LØpht, Part Four

As the 1990s drew to a close, the curtain was coming down on the L0pht, as well. Security companies were helping to fuel the first dot-com boom, and venture capitalists and investors took the place of the law enforcement agencies that once circled the group. The L0pht members considered their options: continue as an independent organization and make a go of it; or find a partner--preferably one with a ready supply of cash. After some fits and starts, the group wound up joining forces with Battery Ventures to become part of @stake, a security consultancy, in 2000. The sale turned out well for some of the L0pht members, and not so much for others. The deal also drew criticism from people in the hacker community, some of whom thought the group was just taking the easy money and abandoning its hacker ethos.

(Read Part 1, Part 2, and Part 3.)

Katie Moussouris: That was the sell-out part. It was really funny, it was talking shit about the professionalization of hacking. Quite honestly, taking me back to that moment, you can understand and grieve for the loss of the purity of what was our hacking craft, right? But you can also flip it on the other side and say look at all of these incredible opportunities that the commercialization of hacking skills has offered to so many people. First in the penetration testing space, and now in the bug bounty space. But yeah, there's a trade-off, and that was it.

Space Rogue: The whole idea behind L0pht from very early on was to get it to pay for itself, because we had rent to pay, we had electricity to pay. And then once we got it to pay for itself, it was like, "Well, why can't it pay our salaries so we can just hang out all day and play?" So we got a couple of consulting gigs that paid a little bit of money. We were doing okay, but we didn't have everybody on salary yet and we were sort of like, "Well, we need more money. We need a big chunk, infusion of cash." And so, we decided we're gonna go and try to get some VC. And so, we talked to a couple of companies, we came really close to signing a couple of deals. We did an engagement with a company called Cambridge Technology Partners, which is a whole other story in and of itself. We basically completely owned them inside and out.

Mudge: It smelled funny, so I said, "I'm not sure you know what you're buying," because I don't think they understood the hardware group at all. Turns out they didn't. I said, "Why don't we actually do a full-blown pen test on you, physical and everything? You're local. And at the end, you'll know precisely what you're getting. I think you're going to like it. And if you don't like it, we'll get like five grand for our time and you'll get a security report out of it." The first thing we did was we broke into their voicemail.

Weld Pond: In order for us to show them what it was like, we were like, let's do a pen test on you, right? We'll test your security, and you'll get to see what we do and how well we do it. Kingpin is in charge of phones. He's in charge of voicemail, hacking the PBX. That's his specialty. Basically, all the executives, he's trying the password 1234, 1234, as their password. He runs across the guy that is actually the lead guy we're negotiating with. He's the vice president. We were able to listen to his voicemails. This was a life lesson. If you're in negotiations with someone, don't allow them to pen test your network. One of the funniest lines that was in there is, we had sort of a list of all the equipment we needed. I think this was Tan's idea. He came up with the idea that we needed a Winnebago like they had in the movie Sneakers. We love Sneakers. We're like, we want to be like that. The Winnebago outfitted with all of this signal intelligence equipment and stuff like that. We put that in there. I just remember the guy was, in his voicemail, he's like, "We can't work with these guys. These guys say they want a Winnebago."


By the end of the decade, the security industry was expanding rapidly and was awash in venture capital. The L0pht had tried to forge a path as a for-profit business, but a number of factors contributed to the group eventually selling and becoming part of @stake.

Kingpin: When I hacked their voicemail, the guy said, "Here's the deal. We could do this, and stock options, and blah, blah, blah. I'm just not sure about Brian and Joe." Because we're hardware guys. They're like, "Yeah, hardware guys. But if they're part of the package, they're part of the package." So we were always this sort of tag along part, which really annoyed me.

Mudge: We didn't let on, but then we'd hear the phone calls, because they had signed legal agreements allowing us to do this, again, playing it the right way. And during the negotiations they'd come in, and we knew exactly what they would be willing to go up to, so we wouldn't take the lower [offers], and then we wouldn't act surprised, and we'd listen to them have those comments on the voicemails and in their emails directly after. "Wow, they should be doing back flips over that." So we ultimately gave the readout of the findings with the executive team there at Cambridge Technology Partners in the room, and it dawned on them within the first five minutes what had happened, so they never talked to us again. Ironically, a bunch of the implants that I put in there to give us reverse shells and everything kept trying to go back to the L0pht for like a year or so afterwards. And I'd send them emails going, "This is from the security engagement. It is giving a root shell. Please turn it off. I don't want it."

Space Rogue: Anyway, we ended up not signing with them, and then we ran into the @stake folks, which was already an ongoing company that had already been founded and had funding by Dave Goldsmith. And Mudge talked to them and said, "Okay, why doesn't @stake buy the L0pht? We'll just purchase you." And so we worked out a deal.

Weld Pond: Dave G. was there. Window [Snyder] was there. It wasn't just the L0pht. That was part of the reason that we felt more comfortable going there, was because people like Dave G. and Window were actually there. At the time, Dan Geer was flirting with going there. We didn't know Dan, but we sort of had a conversation between intermediaries. Like, if Dan goes, we'll go. If we go, Dan says he'll go, so let's just do this.

Silicosis: I remember coming to work one day. It was like, Dan Geer is sitting at the end of a desk. He flipped over the garbage can and was just hammering away on his keyboard. Just brilliant.

Kingpin: At @stake, the thought was that we would be able to do more hardware research because we had a lab, and it was fully funded. Maybe we were too ahead of our time, but we were not understood enough in a way that they could benefit from it in some financial manner.

Silicosis: We just wanted to find, or not find, but make, a place where we could continue doing the research on a full time basis. We knew there were problems on the Internet. We knew there were problems with all the major software running on all the systems. We just wanted to have the time, space and just to pull it all together. To research it, to rip it apart, to actually try to make it better. Remove vulnerabilities to make it a better place. It was one of the main goals.

Weld Pond: There was a lot of hesitation for sure. I think that people were like, "I want this to be my full time job. I want to also continue on doing things exactly like we did at the L0pht." Those two things were very hard to put together, because no one was paying anyone really to do research back then. Maybe it was something that was impossible to do, and we had wishful thinking that we could figure out how to do it.


A sign in the current hackerspace used by some L0pht members.

Mudge: Weld and I had talked about it at length, because we were really ... we didn't know that we wanted to do it, but at the same time, we knew that we had to evolve, because otherwise we were just going to be the greatest garage band in the world and everybody on the block would know about us and hear the message in the song. Okay. You want to do the world tour on a big stage, you're going to get some promoters and there's going to be some record labels, and yeah, there's going to be some change, but hopefully the message is still a little watered down but at a much larger audience. So that was our discussion.

Katie Moussouris: I was actually at the West Coast @stake launch party. They had started in 1999. And then in 2000, during RSA that year, they basically had a launch party. And I went to that, 'cause they're my friends, and a bunch of them were there. And then I didn't talk to them about working with them until, I think it was Weld who reached out to me around 2002 or so. Something like that. 2001, 2002. And was like, "Hey, you should join us." I missed that camaraderie, talking to my friends about tools and techniques and things like that. So I felt like the best thing for me to do, was actually to go ahead and join them.

Space Rogue: So we're at @stake, we got the funding, we're trying to figure out what we're doing. We don't really have any leadership. And then, the VC company decided, "We need to get some real management in there," and so they brought in a CEO and they brought in some other folks who didn't really understand the hacker mindset or even really security. And this is a common practice you see in a lot of startups where they bring in new leadership and the new leadership has to say, "I'm in charge," and so they have to do a dramatic move to prove that they're in charge. And one of the things that the CEO did is he fired me.

Kingpin: I remember when Space Rogue got fired, and I apologize to him about this all the time. When he got fired, and that was early on in @stake, we didn't band together as a group to fight that. That hit me really hard, especially later on. After I left @stake, I thought, "That's really messed up what we did because we didn't back up one of our brothers." And he was a huge part of the L0pht. We were this tight knit group of seven people, who were starting this thing, which was very bold, and we didn't know what was going to happen. But of course me being younger, it seemed like an okay progression because we know that nothing's going to last forever. We went in as a group, and left as individuals. And very different individuals.

Count Zero: For me, what I took out of all of it, and continue to, is I'm just so happy to have been there when these people came together. And for some of them, I like to think I was able to help them at a formative time in their years. Because the other thing that was really clear to me was that it was so easy to go off the rails.

Kingpin: We were just at the right place at the right time with I think the right people, and the mix of personalities. We all had a certain personality. The personalities were synergistic enough in a way that let us do this stuff.


Joe Grand has become one of the top hardware hackers in the industry. (Photo courtesy Joe Grand)