Sunday, February 28, 2016

A Brief Introduction to Ancient History for Policy People

The technical community is often amazed by how little the policy world knows about the history of software vulnerabilities. So I want to take this post to introduce a few members of the pre-historical world, much as a Disney movie introduces you to a large plant eating reptile.

Both hackers and dinosaurs are equally adorable!

Let me put it bluntly: The people in these groups are now in places of influence in both Government and Industry all over the world. Like many fields, it takes decades to get a deep understanding of the issues involved in information security. This post is designed to give policy people the context they need to understand historical tribal factions which remain important today. All these groups were notable for performing a level of security research which eclipsed most nation-states during their time (and perhaps today, as well).

The CEO of Duo Security has an interesting take on the D&D alignment chart, which gathers historical groups with modern ones.


You may not recognize the pseudonyms "Halvar Flake" or "Zip" or "Stealth" or "Caddis". But I guarantee you that you would recognize their real names and the capabilities they have built in recent years, and those of us who were active in the 90's recognized TESO as the premium brand of quality exploits. In many ways, TESO and ADM changed public perceptions around exploits as things that could be developed with a level of quality crafting that was strategically better than just "proof of concept" but was in fact operational in the wild, with real science and artistic care.

TESO was largely a European group. But they were respected world-wide.


Was Duke w00w00 or ADM?
People know about w00w00 a little bit because they had a few members who did very well in the media space ("Napster" was a w00w00 hacker and "WhatApp" was written by one as well. Hacker Billionaires!). But that undervalues the research and influence of other members in the largely American-based group.


This group's name is short for "Association of Mobsters" in French. And it comes from a French base but of course like all hacker groups was international. ADM was also known for high quality exploits in the "Remote Unix Hacking" arena. 

ADM did a lot of research into early exploit automation (c.f. ADMHack) - integrating many exploits in one package which made intelligent decisions as it tried to exploit a given network. They did one known defacement: Of the DEFCON website.


 * Linux rpc.mountd 2.2beta29 exploit
 * Coded by plaguez, Antilove, Mikasoft at the ADM Party (7/98)
 * Credits:
 *    - DiGiT for finding the vulnerability
 * Compile: rpcgen mount.x ; gcc exmnt.c

Are those names you know? They should be. Plaguez inspired some of my early shellcode, but ADM was another one of those teams (no picture is available) who were far ahead of their time. You would know the real names of these hackers should I mention them here, which I am not rude enough to do.


"GOBBLES were auditing the Roxen webserver packages for holes that can be
used to comprimise servers so that GOBBLES could have the holes patched so
that no servers could be comprimised."

Enigmatically GOBBLES was famous for both having a sense of humor and broken English in their exploits, which were often against targets chosen purely for comedic effect, but also for poking fun at the developing security industry and its hypocrisy and lack of skill. Their most famous work was the exploit Apache Nosejob, which exploited a rather tricky overflow in the Apache web-server on the "Secure" OS OpenBSD, using a vulnerability previously declared unexploitable by the ISS X-Force researchers who discovered the issue.

They became famous via posts of humorous "Advisories" to the Bugtraq mailing list, but below is a video at DEFCON (the famous "Wolves Among Us" talk) which added to their popularity by examining cultural issues in the security community itself. You'll also notice the famously tall Stephen Watt make an appearance.

l0pht Heavy Industries

This group includes now-Government executives, and the beginnings of the security consulting industry.

This sprawling Boston-based group is famous for many things, including the hackers which released l0phtcrack and Back Orifice 2000 (an early Windows RAT). They later sold themselves as a company to @stake (which I joined when I left the NSA), and also testified in front of Congress on cyber-issues, highlighting the risks long before they were a political hot potato.

One odd fact is that this crew also started the practice of issuing formal "Advisories" for security vulnerabilities that the group GOBBLES was well known for making fun of.


Since I am currently at a NATO workshop with a member of Phenoelit talking about policy with Government officials, I cannot avoid pointing out that this German-based team still, in fact, exists and is doing good work in the space. They also run the ph-neutral hacking conference, which is unique in having no "talks". Their most famous member "FX" is well known for doing router hacking before it was cool enough for Alex Wheeler to do. Router hacking is still important! Think of it as "Internet of Things" work, but before the marketing droids got their beady little eyes on it. 

Phrack and Phrack High Council (PHC)/Project Mayhem

These two are very different but easy to confuse. Phrack magazine is a a well known research publication in the space, whereas PHC was known for hacking other hackers and releasing their private information, especially those who were "White Hats". 


Not listed here are cDc,, SYNNERGY, 8lgm, and many others, each of which remains highly influential in the space. If you are annoyed you are missing, please feel free to send me a paragraph.

No comments:

Post a Comment