Can you trust your company's network to someone you know only as Mudge, Space Rogue, Kingpin, or Brian
Oblivion? Would you give security access to Weld Pond, John Tan, and Stefan von Neumann -- all icons in the murky
world of cybercrime -- if they promised only to help you find and fix weak spots?
You might not think so. But that's the idea behind @Stake, a Cambridge (Mass.) computer-security startup that
teams seven well-known hackers with respected business execs, including a former Compaq executive. The hackers are
hoping to transform themselves from back-door artists into bona fide entrepreneurs so they can offer their
expertise to major companies at premium prices. At least, that's the plan. Whether anyone will actually let them
in the front door is another matter.
Their timing couldn't be better. @Stake was formed just a few weeks before the recent outbreaks of high-profile
Net vandalism. For a startup looking to acquire some marketing buzz, the attacks seemed tailor-made to acquaint
potential clients with its Internet security savvy. Leveraging their hacker mystique, the fledgling company's
employees explained the nuances of the attacks to a media fascinated by the blackouts of eBay, Yahoo!, CNN.com,
and other big sites. Even the White House took notice, inviting the lanky, long-haired Mudge to join 28 other
experts to counsel President Clinton on Internet security.
"The group's rented warehouse loft was part clubhouse, part lab -- and inspired its name, 'L0pht'"
In that sense, it has been quite a trip for the seven men in their 20s and 30s who gained notoriety not by
ravaging government databases or defacing Web sites but by publicly exposing the security weaknesses of commercial
software, such as Microsoft Windows NT. From a rented warehouse loft that served as part clubhouse and part
computer lab, the seven hackers, known collectively as "L0pht", began posting scathing criticisms on Internet
bulletin boards, forcing publishers to issue software "patches" to fix security holes in their products.
That stroked some egos, but it didn't pay the rent. Says Mudge, who declines to give his real name: "We tried to
keep the research and fun environment, but we were fighting a losing battle in making ends meet." So when @Stake
came knocking in January, promising $10 million in funding from Battery Ventures in Wellesley, Mass., and another
$10 million by year end, L0pht agreed to be acquired as the brains of the new operation.
Even with a big publicity boost, the challenges of transforming a band of hackers into a going concern are
plentiful. @Stake has an experienced businessman at the top: Chairman John Rando, 48, who ran Compaq Computer's
services business before signing up with the company.
GOING THE WRONG WAY? Still, the hackers who make up the core of @Stake must become consultants, assessing
Internet security and recommending a course of action for corporations that hire them. "The skills in finding
security holes are not the same skills in designing a secure Web site," says Win Treese, vice-president for
technology at electronic-commerce developer Open Market in Burlington, Mass. "The attackers have to find one weak
point. The defenders have to defend many holes."
@Stake will also have to overcome the natural reluctance of businesses to allow hackers to rummage around in their
networks, says Alan Paller, research director for The SANS Institute, a nonprofit association of network
administrators and security professionals based in Bethesda, Md. "Hiring an ex-hacker is like hiring an
ex-terrorist," Paller says. "Are they O.K., since it's been more than an hour since they threw the last bombs?"
David Green, deputy chief of the computer crime and intellectual property section of the Justice Dept.'s Criminal
Div., concurs: "We welcome anyone who's seen the error of his ways and wants to enhance security on the Web rather
than attack the Web. But we have concerns about companies who think that employing hackers is the best way to go
about things. I don't think the best people in bank security were former bank robbers."
"@Stake admits that the nicknames create aura and serve as a great publicity tool"
Whether or not any L0pht member ever worked on the wrong side of the law is a question @Stake executives like to
leave vague. While Mudge explicitly states that no L0pht members have ever broken the law, he is described in
company literature as a "grey-hat hacker" -- that is, neither a good guy nor a bad guy. And at a Senate
Governmental Affairs Committee hearing on computer security in May, 1998, L0pht stated that its inclusion of
Kingpin into its group in 1993 "kept [him] from illegitimate activities."
Then, of course, there's the continued use of the hacker nicknames. Senator Fred Thompson (R-Tenn.), citing the
"sensitivity of the work done at the L0pht," allowed the hackers to use their pseudonyms during the 1998 hearings.
Now, says @Stake, they use their nicknames simply because they have a following in the computer security industry.
@Stake also acknowledges that the cloak-and-dagger aura serves as a great publicity tool. (For the record, L0pht's
September, 1998, incorporation papers identify its members as Peiter Zatko, Cris Thomas, Chris Wysopal, Brian
Hassick, Joseph Grand, and Karl Kasper. It doesn't mention a seventh member, nor does it match the nicknames with
the proper names.)
But what of hacking itself? Isn't it inherently illegal? Not exactly. Certainly it's illegal to break into a
computer network and alter, extract, or insert data without its owner's permission. Similarly, it's illegal to
launch "denial of service" attacks such as those suffered recently by eBay and Yahoo!. But it isn't illegal to do
what corporate network administrators routinely do: use software to remotely determine how a computer network is
configured and what security measures are in place.
NEFARIOUS TOOL. And that's how @Stake says it will provide service for its corporate and government
clients. Once it figures out how a network is set up, it will replicate that configuration in its Cambridge
computer lab and test its security. (What will that cost? "Around $1,000 a day if we send out a junior person to
do tactical work, to $20,000 a day if we send out a senior management person to do some strategic work," according
to Ted Julian, marketing vice-president.)
Not all of L0pht's methods are so antiseptic. Ostensibly as part of its campaign to force the hand of software
vendors, L0pht created and distributed Internet hacking tools to anyone who wants them. One such tool, L0phtcrack,
allows unsophisticated computer users to crack password codes of Web sites. "I would think many people have done
damage using L0phtcrack," says SANS Institute's Paller. Internet security experts believe that L0phtcrack, written
by L0pht member Weld Pond, is one of the most widely distributed hacking software programs.
Still, L0pht and L0phtcrack have had their supporters. Senator John Glenn (D-Ohio), during the 1998 hearings,
referred to Mudge and his colleagues as "the white hats" of computer hacking. Senator Thompson, who chaired the
Senate hearings, described them to Business Week two weeks ago as "brilliant young men." The National Security
Agency and NASA have both hired L0pht members as consultants. Even Microsoft, which has been roundly criticized by
L0pht on numerous occasions for its failure to use more stringent security code in its software, advised customers
in a 1998 security bulletin to "consider evaluating a tool such as L0phtcrack 2.0 for assisting in checking the
quality of user passwords."
In addition to the credibility L0pht has built up, @Stake has attracted technologists who have earned their
stripes in the tamer side of the computer industry. They include Rando and former Interpath Chief Executive Chris
Darby, 40, who became @Stake president and CEO on Feb. 28. They also include Chief Technology Officer Dan Geer, a
self-effacing intellectual who is considered one of the top computer scientists in the country.
A closer look at @Stake also reveals a diversity of skills among its hackers. Brian Oblivion concentrates on
wireless communications and chip architecture, while Mudge's expertise is in network systems and cryptology. "They
have a balanced team that spans everything," concludes Peter Neumann, principal scientist at Menlo Park (Calif.)
think tank SRI International who also testified at the 1998 Senate hearings. Such diversity of skills is
important, say Neumann and other experts, because security threats can come in multiple forms. For example,
malicious hackers could disrupt Internet service not only by cracking passwords but by disabling telephone
switches and electrical power grids that serve huge geographic regions.
But @Stake will be doomed if prospective clients fail to look past the company's hacker roots, acknowledges
Battery Ventures general partner Tom Crotty. "We've been having discussions with @Stake about that very issue," he
says. After all, once the marketing smoke clears and the media mirrors fade, @Stake will find itself competing
with well-established, button-down consultants from PricewaterhouseCoopers, Ernst & Young, and other large firms.
To be taken seriously in this market, @Stake will have to crack the code of business.