"That vulnerability is completely theoretical."
  -- Microsoft
 
L0pht, Making the theoretical practical since 1992.

Rebuttal Letter to Mass High Tech

From: Dr. Mudge 
To: Mary Nelen ,
    RBrown@masshightech.com,
    DHendrickson@masshightech.com
Cc: webmaster@masshightech.com,
    postmaster@masshightech.com,
    press@l0pht.com,
    hotnews@l0pht.com
Subject: Mass High Tech article on AIP "hacker" talk


[webmaster@masshightech.com - please forward to the editor]

Greetings,

I just finished reading the Mass Tech article titled "Think your site's
safe? Think again, Pros say" and I have to say I am tremendously
disappointed.

I don't know which talk you were at but it definitely was not the same
one.

How is it that the US Senate, NPR, Associated Press, Wired Magazine, Byte
Magazine, the BBC, Washington Post, etc. etc. all praise the work we do as
laudable and beneficial to society as a whole while you label us as
'crackers' who inflict 'chaos'? Perhaps it is a lack of understanding.
Then again perhaps it is just a case of poor journalism.

To wit:

a - I never stated that corporate executives don't spend enough money on
creating secure sites. Further it is not something I even believe. The
problem is completely different.

b - your description of crackers vs hackers is 1) not one that I used and
    2) completely wrong. 

c - I never said there were white hat and black hat crackers. That does
not make sense. As a matter of fact the entire panel was made of white hat
people.

d - I was completely specific on what type of "chaos", as you put it, the
L0pht "inflicts" (thank you for two words with negative connotations). The
exact same type that Consumer Reports does. To wit: if I am using a piece
of software and find it to be flawed - we go public with it. This alerts
the general populace to the problem and forces the company to fix it.
So... out of this chaos you, as an end user, see technological
and security related enhancements. Sorry if that is so evil.

e - I never "indicated that members like to create Web-based
disorientation to bring attention to their belief that most commercial and
government sites do not have enough security". I mentioned that we post
our research and development efforts on our web pages.

f - you directly equate (crackers) and the L0pht. Which is absolutely
untrue. Even the Senate (whom we testified to) called us modern day Paul
Reveres who are doing a great service for our country. I believe the other
person they equated us to was Rachel Carson. Too bad you can't see this.

g - I did not state I attended a recent gathering of crackers in which we
thought of 80 to 90 ways to take down society. I stated that I attended a
conference where at one point we discussed methods of potential disruption
to society through the internet / technology. I find it funny that you
quickly labeled this as crackers. Some of the members of this invite-only
conference were: high ranking officials from the NSA and CIA, senior
scientists from ATT, Sun Microsystems, foreign universities, etc. etc.

h - I never mentioned doing a cryptographic check line by line as a
solution to the NYT problem. I mentioned, briefly, that one solution would
be to keep cryptographic checksums of the pages / stories.

I (we) feel that you came into this with a bunch of pre-defined
assumptions / assertions and did not listen to what was actually being
said.

Considering that we provide these 'service(s) to our country' at our own
expense without malicious intent or expecting monetary rewards I did not
think mentioning that we would be interested in angel investors was a
"curious shift of hubris".

With the above said, we are rescinding our offer for a photograph
opportunity and declining the request for a future interview.

.mudge