Information Security News mailing list archives

King of the hackers


From: InfoSec News <isn () C4I ORG>
Date: Fri, 22 Dec 2000 02:40:01 -0600

http://www.upside.com/Opinion/3a4126761.html

Upside New England
December 21, 2000 12:00 AM PT
by Geoffrey James

BOSTON -- I met the mysterious Doctor Mudge on the doorstep of Bob
Metcalfe's townhouse on Beacon Street in the fashionable Back Bay area
of Boston. You've probably heard about Metcalfe -- he invented
Ethernet, among other things -- but you might not be as familiar with
Mudge, who remains a somewhat mysterious figure. He is, according to
some, the king of the hackers, and a man who's managed to parlay that
expertise into big bucks from the corporate world.

The reason that we were standing on a doorstep was because Mudge was
smoking a cigarette, which he held between his third and fourth
fingers -- a style that I hadn't seen since I left Los Angeles 12
years earlier. Indeed, Mudge looked like a character from bygone times
with his beard and moustache, long hair flowing down past his
shoulders -- a younger image of the guys I used to hang with back when
I was the junior dude in an OS development group in the late 1970s.

The reason we were standing on Bob Metcalfe's particular doorstep was
that Metcalfe was hosting a party celebrating Boston's most prominent
Internet celebrities. Unlike myself, Mudge was one of the honorees,
having been named No. 40 (out of 40) in the Improper Bostonian, a
biweekly magazine that's the arbiter of cool in the Boston area. Under
Mudge's arm was an extremely attractive young lady who was dressed in
retro-crunchy chic.

Searching around for a conversation starter, I asked: "Why did you
become a hacker?"

He took a long drag on the 'rette, blew a smoke ring and glanced at
the girl. "I got into it because of the chicks, man." The chick
smiled.

In case you're wondering, I'm not making this up.

Hacker with a cause

If Mudge seemed a little cocky, it's probably because he was just
about to close a deal to become the vice president of R&D for @stake,
a firm that "builds comprehensive security architectures to minimize
the impact of viruses, malicious attacks and other threats."

Until then, Mudge had made something of a career out of pissing off the
high(-tech) and mighty by telling the world how to break into their
computer systems. His organization, L0pht Heavy Industries, had a
history of poking and prodding at other folks' software, discovering
security holes that a more vicious subspecies of hacker might exploit
to steal credit-card information, for example.

Mudge claims L0pht published technical information on security
problems because it discovered software vendors were perfectly willing
to leave their customers vulnerable -- even after Mudge informed them
of the security flaw.

"Without us publishing the information on the Web, the vendors would
just bury it," explains Mudge. "And the customers wouldn't even be
aware that there was a problem."

But forcing big-shot companies like Microsoft (MSFT) to drop
everything and fix security holes before Internet villains could
exploit them didn't exactly make Mudge into Mr. Popularity. Nor did
the Internet-will-change-the-world crowd exactly break into applause
when Mudge told Congress the Internet was so fragile that he and his
pals could bring the whole thing crashing down in about "half an
hour."

Hiring credibility

To obtain the credibility Mudge needed to make @stake into a real
venture, he managed to attract, as chairman of the board, a man named
John Rando, who used to be VP of services at Digital Equipment, where
"he controlled $6 billion in yearly revenue," says Eric Rocco, vice
president at market research firm Dataquest's Lowell-based IT Services
group.

Rocco adds that Rando is considered "a top-notch industry executive."
Rando was known at DEC as the one manager who could get things done
inside what was probably the most Byzantine management structure
since, well, Byzantium.

Still, Rando isn't exactly the kind of guy you'd expect to find
hanging out with Mudge and his tattooed and body-pierced crew, any
more than you'd expect to find Tony Bennett jamming with Marilyn
Manson. Let's face it, for a guy like Rando, a walk on the wild side
is taking an afternoon off to play a round of golf.

Mudge admits he was a bit uneasy when he met Rando. "A little voice
inside me said, 'Suit, uh-oh, suit.'" But Mudge claims Rando
understood the L0pht concept very quickly, and Mudge feels confident
the relationship will work well. Mudge points out that Rando's
enormous industry credibility will prove useful, especially when
working through the inevitable relationship problems that occur when
one company is in the business of criticizing the work of another.

The secret of his true identity

Ultimately, Mudge believes security problems are dangerous and need to
be fixed and that forming a new company with industry heavyweights is
the best way to ensure his "gray-hat" hackers have a positive impact
on the world. And, in any case, Mudge is used to dealing with guys in
suits. Mudge recently was seen hanging around with Vice President Al
Gore, who reportedly joked with Mudge about inventing the Internet.

Despite the fact that he's basically gone legit, Mudge keeps his true
identity secret. Rumor has it that Mudge, far from being a former MIT
lab rat, is actually a student at a "major Boston-based school of
music." Mudge doesn't feel that the ersatz anonymity is a publicity
ploy because "when you're explaining security ramifications, it's nice
to be able to stand up and not worry about companies harassing you."
He knows of several instances when employees reporting security
problems were squelched by their management at the insistence of the
vendors who sold the company the software.

There may be another reason Mudge is hanging onto the pseudonym,
though. The fact that few know his true identity would give Mudge the
ability to slip quietly into the woodwork if, for some reason, he
finds that the @stake venture (which is proving to be successful)
finally begins to lose his interest. If that happens, who knows? Maybe
next time he surfaces, he'll be jamming with Tony Bennett.
