L0phtCrack is dead! Long live L0phtCrack!

In a TechTarget ANZ exclusive, Patrick Gray interviews Peiter 'Mudge' Zatko on his most famous invention: the L0phtCrack password cracker. Symantec, the company that owns the software, will stop supporting it next month.

As a member of the famed Boston-area hacking collective The L0pht, which went on to merge with the respected IT security house @Stake, Peiter 'Mudge' Zatko has been in the security field long enough to ruffle some feathers.

It was Mudge who, in 1998, warned the US Senate that hackers could take down the Internet in 30 minutes. He wrote seminal papers on buffer overflows -- which he says will add hundreds of years to his purgatory sentence -- and created L0phtCrack, the Windows password cracker.

It's the latter innovation he's best known for and, as is the story with many similar tools, he cobbled it together out of necessity. "There simply weren't any tools to do the equivalent password cracking and auditing on Windows systems as there were for Unix. So, I had to write my own," he says. "Basically, if you had the SAM hive, where the usernames and encrypted passwords were kept on Windows systems, it would return the unencrypted password for you."

In March this year, Symantec, which acquired @Stake in 2004, announced it would discontinue support of L0phtCrack in December 2006. The company claimed the continued sale of L0phtCrack may run foul of US Government restrictions on the export of cryptography products.

Some speculate, however, that Symantec didn't want to continue selling a product that's so popular with hackers motivated by malice.

Mudge says it was never his intention for L0phtCrack to become a commercial password auditor -- by the time he'd finished coding it, he thought of the software as a practical demonstration of the weakness of passwords, not as a means for auditing their relative strengths, which is of course how it wound up being used. "[It wasn't to tell people to] stop using Microsoft systems but simply to understand what was being exposed in certain environments such that people or companies could architect around and protect against any perceived exposure risks," he says.

Originally releasing L0phtCrack free of charge for most users under a BSD-style license, Mudge decided to change tack when support e-mails from the US Government started flooding his inbox. He released a crippleware version and the money started flowing in - within a 'very short' period of time it was earning revenues well into the six figure range.

Things got substantially trickier when The L0pht crew became @Stake. "The venture capitalists and other executives did not want to have any products owned by @Stake as we were showing that we were vendor agnostic," he says. "I and the other L0pht members involved with L0phtCrack at the time, Dildog and Weld Pond, set up a shell company that was separate from @Stake. This company handled L0phtCrack and the goal was to take the proceeds, after operational costs of the company, and to donate them to charities."

It seemed the logical thing to do, until the management team at @Stake had other ideas - they wanted it in their portfolio. "Eventually Dildog, Weld, and I had to sign over L0phtCrack along with the next revision or release of the software," he says, still bitter. "It turned out that 'doing well by doing right' was just lip service that some of the other executives at @Stake had been paying us."

These days Mudge works for BBN Technologies as its Technical Director, National Intelligence Research and Applications. BBN is a government contractor in the US, providing services to various, unspecified agencies.

"Currently I'm tying together three areas: data kinetics, semantic context, and societal interactions...all as they are mapped to data and objects in the information and technology fields," he says. "So while this is a bit more on the defensive information assurance side of things, there's a strong intelligence gathering aspect as well."

He describes it thus: "The search for particular objects such as knives, guns or explosives in airports is loosely equivalent to signature detection, such as anti-virus scanning or intrusion detection. Similarly, if the majority of passengers on a plane are of a particular race or ethnicity and a couple stand out like a dog's proverbials, this could be viewed as anomaly detection or profiling."

"Now imagine instead that you let each passenger board the plane without looking for signatures or anomalies at this point," he says. "However, unbeknownst to the passengers, they are in actuality boarding individual flight simulators that are indistinguishable from the real thing. As their 'flights' take off they are being monitored. If they behave correctly during the initial part of the flight they are invisibly transported to the actual flight already in progress. If they do not behave correctly there is no damage to the actual flight and there are a multitude of actions that can be taken regarding the passenger."

Instead of applying that logic to passengers, imagine that these are communications sessions from external systems to internal resources, Mudge says. All of them, whether they are benign or malicious, interact with an artificial system initially that appears to be identical to the internal resources.

After a particular period of interactions if they are behaving "correctly" they are connected to the real resource. "This is one of the things I am currently working on that I can talk about," Mudge says.

Makes you wonder what he can't talk about, doesn't it!

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.