All the rest of you who've made this work, I'm looking at a whole battery of people down here at KPFK in Los Angeles and those of you in KPFA. Thank you very much. We'll be with you tomorrow. I'm Jerry Brown for We The People. That's Small Deep singing Street Life. Do you think Shakespeare would have liked rap if he was still alive? I mean, he would have liked some of it. This Tuesday at 10 p.m. the Arts Magazine celebrates Shakespeare's birthday, born the week of April 23rd, 1564. Tramiel, how would the rappers say that? It's party time. That's right. This Tuesday at 10 p.m. on WBAI 99.5 FM. And it's exactly 8 o'clock, which means it's time for another edition of Off The Hook here on WBAI New York. It's time for Off The Hook.
This is unbelievable. Have you seen things like this before? Uh, no. I've never seen anything quite this blatant before. Blatant is the word. And, you know, I can only imagine what kind of response this is going to get from people. I mean, is this true they can change the message ID of the email? Well, you can change anything you want in the header of a message when it's going out. But, I mean, as you yourself saw when you did a trace route, that you could see who their provider was. Oh, yeah. That's true. It wasn't any real big secret there. Can you send out a piece of mail and have it not be detectable? No. It's always going to say, whoever receives the email, if you receive the email, in the header of the message, it's going to say what system that email came from. Even if that system decided to modify its header, if it was used as a relay, if that system modified the header of the message before it reached you, that is, if it was in the middle, then all you're going to see is the fact that it came from the last hop. But you're still going to see that it came from somewhere. Now, the only way that these people would be hiding where it is that this email is coming from is if they were redirecting the outgoing email to other people's mail servers. Which they say they did at one point, but they don't do that anymore because the people got angry.
Well, I'd get angry. Yeah. In fact, some people were doing that at 2600. We noticed some things bouncing around that weren't coming from us, and that's kind of nasty. But they're claiming that they no longer need to do that because of this new method of disguising where they're coming from. And you have to wonder, how legitimate can these people possibly be? They're sending out 150,000 of these things an hour, and their main goal is just to remain totally anonymous and not be found. I mean, that's fine for somebody trying to get across a message of some sort that there's some risk involved in. But these are people trying to sell quote-unquote legitimate products. I don't think people like that. How much junk mail do you get in your mailbox now? I get junk mail every single day. Over the past few months, I think it's grown. It's skyrocketed. Yeah. Now, what can we, as mere mortals, do to fight this? We can do anything. We can only hope that the powers that be take down sites like this. See, now, I don't usually advocate things like this. But I don't know. When you get this worked up about it, when you see people just blatantly bombing you with all kinds of junk, you've got to do something about it. You know, what's going to stop these people? Yeah. They have to get the message somehow. Obviously, they don't want to hear the message from us because you can't mail them back and say, you know, I really hate you with a passion that you just could not believe. They won't hear that. So you have to communicate to them in some other method. And if it can be kept on the net, I think that's perfectly civilized. Hopefully, that's where it will stay. Why don't they just spam public places like Usenet? Well, they do. People, yeah, well, it used to be, you know, that used to happen a lot more often than it did in email, at least from my perspective. Every so often, I would be reading a news group, and I'd see a message come across that had nothing to do with the news group. 
And obviously, you know, that was some moron who was just spamming every single solitary news group. You saw his address. Right. Everybody replied to it to tell the person what a doofus he was in the first place for doing that. And basically, you know, he slunk away and formed a new identity and did it all over again. But that's just how it works. Right. But now it's become all too easy for these same people to do email spamming. Yeah. We don't even know that these are people. I mean, these are dedicated machines devoted to annoying us over and over and over again. I don't know. I feel pretty helpless and powerless. I think it's nothing I can do. It's every system administrator's responsibility to disable mail relaying on their mail server. Absolutely. Every single system administrator who is not running a mail server for the purpose of relaying mail. Well, okay, what's the concept of mail relaying? Very briefly. Okay, briefly. If you're running a mail host, and say you have multiple domains, you have people calling in from all different places, and you host a variety of domains, you're going to think that the easiest thing to do is, okay, I'm just going to allow my SendMail, for example, to relay all mail. That is, if the destination of the email message isn't on the system that the actual mail host is, then the mail can be relayed to another site. Well, when you install SendMail, by default, it will forward on any mail to anywhere. So, in essence, any mail host is a mail relayer, unless you take the steps to disable that. Now, what possible good reason is there to have this enabled? Nowadays, there is absolutely no good reason. Okay, back in the old days. Back in the old days, we wanted to encourage people to use email, so that if you didn't really know, let's say, for example, you have access to some crappy machine that has email access, provides you with email access, but it doesn't really know how to route email everywhere in the world. 
Well, just by crafting your email address, you can direct where the mail is going to go, so that you can tell it to go to a major relay host that will know how to deliver that mail anywhere in the world. You are actually in control of your email routing, which you still are. But if everyone goes and has to disable the fact that their SendMail will relay mail, then that won't be true anymore. But it isn't really necessary anymore. And I think it's just a remnant of a bygone era. Now, all mail hosts know how to deliver mail everywhere, so it isn't really necessary. I guess that default will be changing pretty soon. I hope so. Right now, if you go to www.sendmail.org, right on the first page, there are instructions for administrators how to modify the SendMail rules, so that you will disable relaying of mail. And I guess that's becoming increasingly necessary with all these morons out there that are bombarding us. I was thinking, though, one of the main things that I guess these people really hate is to have their privacy invaded. If you find out who is responsible, an individual that is responsible for sending out hundreds of thousands of these things to unwilling receivers, I guess giving that information out is probably about the best thing you can do. Maybe that will stop it once and for all. If you know a person that is doing this, then I don't know how to find out that information. There's an elaborate amount of tracing mail and figuring things out that way. But if enough people do it, we'll get an answer somehow. So, yeah, this is something I guess we'll be seeing this get to be more of a problem as the years go on. It's always been a slight problem, but I've really noticed it. Especially when I got the mail last week saying, you can have five million pieces of email addresses or whatever, so you can do this too. That was just too much, because obviously these people don't want to be mailed, yet you're giving out their private information. 
It's not really private information. I mean, it is an email address. But still, you're invading their privacy by bombarding them with junk that they obviously do not want. I mean, I don't know what the... With U.S. mail, you can tell them to stop sending you mail. Here, you can't, because they're not telling you who they are. So that's... Well, to me, the way it's like is, say, for example, you live in an apartment building, and somebody's delivering food to another apartment in your building. Right. And while they're in your building, now that they've gained access to your building, they're sticking menus under everyone's door. And let's just say that they're doing this... That's a problem in your building, isn't it? Yeah. How did I guess? Let's say that this happens half a dozen times every day. That could get really irritating. Yes. Well, that's what it's like if you get mail bombed every single day. To me, that's how it feels. For all you New York tenants out there that are listening to this, that's what it's like. Keep it in mind. And this week on Off The Hook, we have a guest with us. All the way up from Boston, Massachusetts, we have someone from an organization known as The Loft. Just to let you know what kind of mischief these guys are up to, here's a story that I got mailed to me about 50 times in my mailbox. Yeah, I did too. I don't know how this happens either. I mean, sometimes it's interesting stuff because you can actually read it, and it's got something to do with your life. So I don't mind getting it that many times over. I can just delete all the duplicates and keep one of them. But anyway, let's get to the story. A group of Boston-based sophisticated computer hackers called The Loft, pronounced loft because it's not spelled that way. It's spelled L-0-P-H-T. And I guess I would confuse a lot of people if they didn't tell you how it was pronounced. Anyway, they're continuing the assault of Microsoft's Windows NT operating system. 
The Loft has made available for download via their website an entire, with other publicly available programs, that is, that they claim can be used to steal the entire registry of passwords off a Windows NT network. That's according to CMP Media's EETimes Online. If you have an NT network and you have that network connected to the Internet, you're in deep trouble, says Mudge, co-author of the program Loft Crack, and also an encryption expert. Microsoft officials contacted by EETimes Online last week said they were not familiar enough with Loft Crack to comment specifically on the more serious threat to Microsoft's flagship network operating system and other hacks that have come to light in recent weeks because it employs a spreadsheet-like interface that is far easier to use. You know, I think this thing is printed off the column again because that sentence didn't make any sense. So let's just do this. Let's bring Mudge on. Mudge, are you there? Yes, I'm here. How are you doing? All right. How are you guys? Okay. So now, how true is this story that we read part of as far as you guys taking down Microsoft and causing them terror? Well, like any media article, there's a couple grains of truth in there. And there's a couple places where the author botched some of the information and seemed to have a couple notions of his own. You know, what are you going to do? Yeah, well, you tell people about it. That's the main thing to do. Yes, you do. Well, you want to start going through and debunking this thing right now? Well, let's start with what you guys did. Now, you have this program called Loft Crack. What does it do? Well, a while back, a person named Jeremy Allison, who works for Cygnus Software, came out with a program called PWDump. 
And what that does is it deobfuscates, basically Microsoft had kind of hidden the way it stores its username and passwords in their registry, so that it could be used with a public domain tool called Samba, which is a tool that is used to let Unix systems and NT systems share files back and forth between each other. Once he came out with the program, the same day we wrote the initial Loft Crack, and it takes the password, the user password file, and its encrypted form, and runs through various and sundry mechanisms to hand back the actual user's passwords. We have a couple of unique and novel things that we had done in there, such as brute forcing through the entire key space, which for a while Microsoft was saying, well, gee, you really need to choose. This is not common sense. Good passwords. Don't choose cat. Don't choose dog. Don't choose love, sex, secret, god, money, system. Or if you're over in Europe, Fred seems to be the most common one. Okay, they saw the film, so they know. Exactly. And this kind of negates that to the point of saying, well, don't choose any password under 14 characters, even if it's a 7'5 pound bang star, yada, yada, yada. This was the initial one. We had actually called up the people who wrote NT Crack before they had come out with it and explained how we were doing it, which, much to our chagrin, turned around and came out with one a couple days later before we released ours, which is great, because you need more of them out there, different people taking different views and approaches to things. The initial version that went out, one of the notable things, which I guess made most of the press, was the fact that it had a nice GUI, graphical user interface, to point and click. Nobody's excited about, well, gee, Microsoft only does one round of DES encryption as opposed to 24. Gee, they have no salts. They have this horrible LANMAN protocol. They're like, ooh, nice point and click interface. Anybody can use this.
So I think that's the reason it's getting a lot of the press, which is a good thing. If you've got to figure out how the press plays their game, if you want to expose an underlying problem, maybe you have to candy-coat it and present it in a nice package to them. It's kind of sad to realize that's the way it works. I think we can pretty much predict how the press is going to react to something like this. They're going to get most of the facts wrong, and they're going to rely on panicking. But how is Microsoft reacting? Well, the funny thing, the one line Microsoft officials contacted last week said they were not familiar enough with Loft Crack to comment specifically about it. I find that rather funny. I talked to one of their head marketing people, and his big comment was, well, gee, if you can brute force all of our passwords in a matter of two, three days, let's say, why can't you find something more productive to do with those two, three days' worth of time? Of course, the response is, well, the computer's doing it. I told it to run it, and I am doing more productive things. Uh-huh. That's amazing. So is that really the only... you haven't gotten any kind of legal threats or anything like that? No, we haven't gotten any legal threats. I don't think we presented it the way... well, from our advisories and our information on it, which is if you grab the package off of the loft, all is there. We tried to present it in a very nice fashion, saying, look, this is a problem. Here are a couple of purported solutions, and we really need the public to be more aware of what Microsoft's doing and what Microsoft's doing. If they're pandering relatively crappy solutions and saying they're secure because, quote, they're secure. And the average Joe user who's using it at work or using it at home might not necessarily have the technical expertise or the tools or the resources to actually go in and say, well, gee, what's this thing really doing?
You know, that's a large part of the loft's main directive. Uh-huh. And what kinds of things have you done in the past that also followed that? We ripped apart SKEY, which is a one-time password algorithm developed by Bellcore. We found flaws in Kerberos 4, which was developed out of MIT. We've done numerous attacks on the Sun Microsystems operating systems. We've done some hardware projects such as POCSAG decoder kits, which allow you to listen to people's pages going across to their beepers much in the same fashion that you could tune into cellular frequencies on a wideband transceiver scanner and listen to those. Other things that we've done. We created mischief many years ago. We found that we don't necessarily have the time to take the beatings from some of that, create our own mischief internally on our own systems now and try and basically post the outcomes, the results to the general populace so that they can consume it and hopefully open up and look at things in a new perspective. Well, how does the general populace react? I mean, how do you get feedback from the general populace anyway? Well, we release our exploits, if you will, on different mailing lists. We don't do much in the way of actual printed form. We do it through our web page, generally getting about 50,000 hits a day. And the general populace has been really happy for the most part. Once in a while you get some people who are just upset and think we're nothing but troublemakers, but they're relatively few and far between, which we're really happy to say because we always try and come out with solutions or if nothing else to say, look, this is a coding mistake done in the way they developed this program and hopefully other people doing development work will say, oh, geez, I was going to do that in my program here. Now with this explanation and this example and a proof of concept showing why it's a problem, because without a proof of concept showing it's a problem, people will just brush over it.
Hopefully they'll improve their software and everybody will have a better product. So how would you compare yourself to an organization like CERT, for instance? Oh. Without using any profanity. Oh, thank you. Well, A, we don't make any money off this. CERT being originally a government-funded organization, which now seems to be entirely funded by the private sector and in it for the money. We give credit where credit's due. If we based our work off of somebody else's work, we're right up front with it, and we try and give it to people in a timely fashion, none of which are things that CERT seems to do. CERT is a bit of an old boys network, and it's internal. And a couple of things that they have really hinder them in their work. One, they have such a huge name recognition that they get people on board, and within a matter of a week, having no previous experience in the field, they're labeling themselves as experts in the industry. The other thing is that they have a policy where if a problem is found in a piece of software or a piece of code or something that's on the Internet, that could put a lot of people at risk. Say, for instance, an operating system that's holding all of your financial data. They will not go public with it until they've contacted that company, which is a good thing, and contacted all the other companies that they think it's affected, and then all the other companies have come back and said either we have a fix or we don't have a fix. Now, here's a really interesting thing to do if somebody has a lot of spare time on their hands. We were thinking actually about releasing a loft advisory on cert advisories. You can go through the cert advisories and find the standard companies that they list that they've been working with, such as Harris Computing, Sun Microsystems. You'll definitely find a lot of older Department of Defense groups working with them. 
They will only mention the company in an advisory if that company is not vulnerable or if they were vulnerable and already have a fix in place. If the company is vulnerable and either refuses to fix it or doesn't have a fix for it at the time, they will leave them absent. It is quite apparent through a little traffic analysis in what names you see and all of a sudden somebody's notably absent that this person is still vulnerable. Wow, you're right. You see one advisory and then the next one suddenly doesn't have this name. Yeah, it lists Sun and Apple and Next and SGI and the next one lists Sun and Apple and Next and that's it. You realize, gee, that was the printing subsystem and they're all based off the same printing subsystem. They weren't listed either as not vulnerable or vulnerable and here's the fix. So CERT will let this go on for an unlimited amount of time? Yes. How about you guys? Do you give any lead time whatsoever? It depends on what it is. For instance, the Kerberos advisory, we found that if we give them a lot of lead time, they don't do anything about it. So we've approached companies like Security Dynamics who makes the SecurID card. We've approached Cygnus who is the current maintainers of the Kerberos crypto and authentication system. And a lot of times it seems that if you say, here's a problem, they'll come back and say, who knows about this? And you're like, well, us and potentially other hackers, anybody else who spent the time to go looking for it. Like, oh, that's it? Well, yeah, okay. Thanks a lot for the info. We'll look into it. That's it. End of story. If their customers, where they're getting their money from, aren't bitching and moaning and complaining about it, then it's not worth, in their eyes, their time to pull their top developers off of whatever project they are, adding new bells and whistles to their software to go in and clean up the problems.
In reality, all they're doing is keeping their customers in the dark and keeping them vulnerable to the people who know the problems, which are the hackers, which are the people rummaging through their systems with impunity at that point. They keep their software dumb intentionally in the name of the all-powerful dollar. So once they do that, what's your reaction? Oh, we go public with it. I mean, how much time do you give them? 48 hours a week? We played with security and we gave them about a year's lead time. Really? And they did absolutely nothing. So we ended up helping do some work on a paper that was released publicly out of Canada. Uh-huh. We were a bit nervous because they seemed that they really wanted to play hardball for a while. Meaning legally, they wanted to come out on you? Yeah. They seemed to be of the ilk where, and great, I'll probably be getting a call from their lawyers saying, that's some slander. Yes. In my opinion, or how it appeared to be, was that they were more than happy to try and keep track of us for a while. We kept trying to get them to change things. And after they were able to say, okay, this is over X amount of dollars, $500,000 worth of our money, just to try and keep track of it, try and do damage control on some of the questions you were asking, we can hand this over to the feds now because it's a federal incident. Uh-huh. Because we're purporting this amount of monetary loss. We were like, well, all you had to do was spend the time, you know, take your developers off what they're doing for like a day or two, have them fix this stuff, and then you're offering your customers a much better solution. Aren't you actually doing them a favor by telling them this? Yeah, we're doing them probably, you know, so much money's worth of free work that it's not even funny. You have seven people who are highly talented in computer security and operating system design and secure coding practices and hardware and, you know, you name it. 
And if a company actually had to pay somebody like that, you know, like we actually make this, you know, this would probably be, you know, a high five-digit to six-digit salaries each. Mm-hmm. Has any company ever thanked you for what you've done? Yeah, actually, one company was extremely cool about it, which was Lotus, of all companies. Weld Pond found some problems in Lotus Domino. And this is the same one that I forget the comedian's name who does their advertisement, Denis Leary, that's it, saying, oh, it's secure. So he said, well, it's not secure. Here's the post. Here's how to impersonate any other user where they say it can't be done. Here's how to remove people's documents without the authority to do it. And Lotus turned around the very next day, put up on their main Domino webpage a nice, you know, here's credit to where, you know, credit's due. They did the research. They found the problem. And here's our fix. We loved that. You know, we were tickled pink. Usually we come out with something. You know, all the hackers say, oh, this is great, thanks, which, hey, that's fair game. Anybody knows it now. And the companies do nothing. They keep trying to spin their wheels so that, you know, they can make money and not have to worry about it, shove it under the carpet. And then some organization like CERT will come along, post an advisory about it two months later and take credit for it. Interesting. That is exactly how it works. I was speaking with Mudge from The Loft up in Boston about the latest, I guess, hack into Windows NT that's being misreported all over the place by the press and reacted to in various ways by Microsoft entities. FiberOptics here as well. And I think you had something to say about S-Key, right? 
Yeah, I was curious about what you think about the fact that we've more or less been forced into using the older version of S-Key, that it's sort of nobody really ever got a chance to vote, but everybody supports S-Key using MD4, Message Digest 4, instead of MD5 or something stronger. Yeah, the difference between MD4 and MD5, which are both one-way hash algorithms, meaning that you hand in input that generates a random output that you won't get by handing any other input in, the main difference seems to be that it is possible in extreme cases to create duplicate hashes with MD4 as opposed to MD5. The actual usefulness of this in an attack is pretty minimal. The other thing is you can grab somebody like Wietse Venema's logdaemon utilities, which has S-Key, and you can compile in MD5 very easily. There are drop-in routines to put in place for it. What kind of chagrins me is the fact that Bellcore released S-Key publicly with a free version. Then later put some fixes in and handed it out as a commercial version and wouldn't let us. They approached us a while back saying, geez, you did a lot of hacking on S-Key, what do you think of the new version? I said, well, send us an example copy to play around with. They're like, well, you have to buy it. I don't think so. Wow. Just for the benefit of those people that I know are tearing their hair out in frustration, what is S-Key? Just very briefly. S-Key stands for, well, geez, I hope I remember what it stands for. Secure key or single key. What happens is normally if I want to log into a computer system, so I connect to that computer system and it says, what's your username? I say Mudge. It says, what's your password? I say Love or Sexers. You know the movie. Yeah, all the passwords we're allowed to use. Of course. Anybody who's sniffing on the wire, and sniffing on the wire is analogous to the old party line telephones where if you pick up the line and hear your neighbor talking, out of politeness you put it back down. 
Well, if you continue to listen, that's the same thing as sniffing on an Ethernet wire or sniffing on the network. In order to prevent you from using the same password over and over again, so that somebody sees it going by or hears it on the phone and they say, oh, I know his password is Love, so now I'm going to connect and say, oh, my name is Mudge and my password is Love. Ha, ha, ha, I'm into his system. What S-Key does is S-Key says, greetings, what's your username? Mudge. Okay, here's your challenge. And it hands you back a number. And you plug that number into a little piece of software called a calculator and it generates the response. And that number challenge that you get is different every time. So, although my password might be Love, I compute Love against, or the software computes Love against this challenge and gives me a unique response. So I type in that response and the person watching on the wire, if they get that response, which will be five non-sequitur terms like dog, boy, cat, bike, mountain, which, geez, I'd love a little Freudian analysis on this. You know, that's useless because it was only good that one time. If they try and connect in and say, ha, I'm going to pretend I'm Mudge. My name's Mudge. It's going to give them a different challenge. Once they know what my secret password was that I plugged into my calculator, they don't know what the response is supposed to be. I was curious, why is it always words? Why is it just random characters? I've always seen words whenever I've used this. Yeah, that's the way that they default set it up. You can build it in two different fashions, one where it gives you the words, one where it gives you the actual message digest hash, which is the pseudo-random string. The words are simply so that it's easier for you to type them in. 
If you had to type in 16 characters being A, E, 3, 7, 5, B, 1, 6, yada, yada, or if you can type in five words, dog, boy, cat, etc., you have much less of a chance of making a mistake typing it in. I just figured most people were cutting and pasting, so it didn't really matter. Yeah, exactly. Okay, we're taking phone calls. 212-279-3400. We have Mudge from the loft on. I hope he can stay with us. Oh, yeah. Great, okay. If you have any kinds of questions for him or about the organization, what those people up in the loft are doing, and are there other organizations that you know of that do similar things? I'm sure there are lots of little hack groups all over the place. There was one up in Massachusetts, which is pretty much disbanded at this point. It seems like everybody's relocating to California. That was called New Hack City for a while. There is the Cult of the Dead Cow, the infamous, which a couple of the members of that are actually members of the loft, such as myself. So I have to give a little plug for them in there. People still bow down when you say that. I can attest to that right now. Too, too funny. Yes. Well, did you want to actually run through the article the E.E. Times wrote a little bit? Sure. Because there are some parts that you missed that are actually much more scary than what the press let out. Much more scary. Not to help, you know, fan the fire. Okay, well, this article is pretty much quoting the article from E.E. Times. It's not the article itself. So I guess I'll read what I have here. Okay. But keep in mind, occasionally our printer went off the page. It might not make any sense. That's fine. I have a copy in front of myself, too. Okay. While Loft Crack, like other hacks before it, requires that a user have network administrative privileges to access an NT network's password encryption file, hackers note that common workarounds already exist if you know where to find them. However, that could change soon, E.E. Times Online reports. 
As a worldwide network of hackers who communicate via the Internet, prepare an all-out assault on Windows NT. I must have missed the battle cry. Yeah, there was, um, let's see. Let's see. Well, all these hacks, yadda, yadda, yadda. Already to find them. Mudge said Microsoft has to change the way it undertakes product development. Let's see. Where was the part about Rev 2? I think what he was trying to refer to is, in our advisory, Microsoft's hiding behind, first they were hiding behind, well, don't choose simple passwords. So then we came out with a tool saying, well, you know, good luck getting your users to always choose passwords that are more than 14 characters in length. I can't even remember some of my 8-character long Unix passwords. But in version 2, we made a claim that we were working on, well, let me back up for one second here. Microsoft said, okay, no simple passwords. Then they said, well, these are all non-issues because you have to be the administrator of the system in order to get the password dumps to begin with. What we found, it appears that there are actually two ways to get the dumps of the user registries, which are their users and the encrypted passwords, without being the administrator. And that is pretty much going to hurt Microsoft from the standpoint of, that's what they're hiding behind in their marketing right now. That's how they're trying to downplay all of this. They're saying, to quote them, the loft makes a claim here, but the claim that you can basically get administrative privileges without knowing the admin password is a pretty significant claim that's unsubstantiated. Right. Microsoft contacted us. We have it working in our network environment. It is working. You have to kind of hobble it along, so it's not really a real-world situation. We're confident that we're going to be able to get it to work. It's just a matter of, you know, the loft is not a full-time thing. It doesn't pay us any money. 
We don't do it out of the kindness of our hearts or, you know, whatever other sadistic drives or, you know, sadomasochism thing keeps us going. Microsoft, let's see, they came back with that one. It was funny because there's another line in here that goes along with that. If I could find it, something saying to the extent of, well, gee, within three days, or within a day, Mudge was inundated with three e-mail messages. Well, obviously, this guy hasn't gotten mail-bombed in a while because inundated with three e-mail messages is not inundated at all. That wasn't a typo by any chance, was it? No. What I had told him was, yeah, he said, have you gotten a lot of e-mail based off this? I said, sure. You know, I've been getting, you know, deluged with, you know, wonderful messages. Some people going, well, you know, I can't get it to work. Some people saying, oh, this is great. I really appreciate it. We're able to audit our NT networks now. Some hackers going, this is fantastic. I have some good examples out of the code that you're using, you know, all of which I love. There were three e-mail messages that stood out that were people going, in your advisory you state that in revision two, you plan on being able to do this without being administrator. We think we know two ways of doing it. How are you doing it? And what was really unique about that was we're working on the ways we're doing it number two also. So we're like, hmm, chances are these people found the same things. So we're confident that if we don't come out with it in the near future based upon time constraints, that somebody else is going to post it. Oh, yeah, that's inevitable that it's going to get out somehow. The thing is you guys are making it, you know, open to everybody, and that makes it much more likely that it will be addressed at some point. And that's the way it should be, I think. Absolutely. All right, 212-279-3400. Let's take our first phone call. Good evening. You're on the air. What? 
You're on the air. Oh. Do you remember calling a radio show? Oh, whoa, hey. I know you've been on hold a long time, but... Yeah, no kidding. Okay. Hi, wow. How are you doing? Do you have a question for our guest? Actually, no. You're going to say something totally off topic, as is the case usually on this show, right? Yeah. Okay. Remember Sami? Oh, yeah. I read an article about him. Right, you know, I'm glad you mentioned that. Sami was the guy that was harassing his poor family in Ontario. We read about him last week. Turns out it was the son in the same house. Yeah. I mean, how could they not have known that? That was so simple to prove. I know. That it was the same person who was in the house already. But, yeah, it was not some super hacker someplace that was controlling the electric and the TV. You know, changing the channel on the TV set. Yeah. You know, it's likely that somebody in the house, they just figured it out now. Yeah. It's like the old Hitchcock movies. The mother says she's not going to press charges, and they're going to seek counseling. And that's where that stands. It's kind of funny, because if you go through the original article, it just makes it crack up. Like, you know, how they put, what, 600 volts through the guy's phone line? They sent 600 volts down the phone? Yeah. Yeah, I don't know where they thought they were sending it. And then the kid on an extension in the basement or something saying, oh, what did you do, try to blow up my equipment? Yeah, I mean, he knew everything that was going on, obviously. So that's why he was able to listen to conversations inside the house with the phone on the hook. Because he was in the house having the conversation. Yeah. Oh, boy. I guess, you know, those Canadian Mounties, they need a little more practice. Anyway, anything else, sir? I don't know. Okay, well, thanks for reminding us of that. Yeah, okay. Glad that we settled that. Okay, let's take another phone call. 212-279-3400. Good evening. 
Okay, well, that's not really on topic either, I don't think. Good evening. You're on the air. Wow, he has two phones. He has two phones. How cool. Okay, let's try again. Good evening. You're on the air. Don't belch, please. Hello? Hello. Yes, go ahead. Hi, Mudge. Great work. Keep it up. But this is nothing to do with you. I've been out of the loop for over a year. Whatever happened to Bernie S.? Ah, what happened to Bernie S.? Bernie S. was released in October following all kinds of abuse. He's currently living in Philadelphia and trying to get his life back together. And if you want more information, you should visit our website where we have the whole updated story there. Wonderful. Thank you very much. Okay, take care. You think we're going to get a single call having to do with the subject tonight? No. Last week was good. Last week we got almost every call having to do with the subject. Yeah, we'll open it up to anything. Well, if I do that, there's no hope whatsoever. Okay, let's try this one over here. This one looks good. I like the looks of this light here. Good evening. You're on the air. If I do that, there's no hope whatsoever. How long do you think it'll take them to realize that they're, in fact, on the air? Will people go away and, you know, have food and things? Call waiting. Okay, let's try another one. Good evening. You're on the air. Hello. Yes. Yes, I was going to ask a question of the gentleman, Mr. Mudge. Sir, you are a god. Go ahead. Ask your question. Sure. I wanted to, first of all, I'm an attorney in the area of copyright and Internet. And I wanted to ask both your and your guest's opinion about the U.S. government's position concerning the new encryption codes and the key. We had a lecture at the Harvard Club from Mr. Kenneth Dam where he was saying that the European and the German and the other countries are trying to develop a free world of information concerning encryption. And yet the U.S. 
government seems to be kind of torn in different directions on whether they want people to have that kind of information. And I'll hang up. And I would really appreciate you guys' response. And the program is excellent. Thank you. Thanks. And, Mudge, I'll have to ask that you limit your remarks to 45 minutes. No problem. Okay. Oh, boy, yeah. Uncle Sam is really a bit nervous about what's going on with the European countries and basically crypto being developed abroad because for a long time the United States really held the, you know, the keys to the Golden Kingdom in regards to crypto. We had some of the top people, you know, all the way back to Friedman and the Black Chamber stuff. And so it was really developed largely, you know, inside, as coming out of IBM with the NSA and in conjunction with Britain's groups of crypto people. And they were really happy because it turned around and they said, well, great, we have this. We have this as a standard now. You know, we have all these other internal things. We think we're really up on it. We most likely have the ability to get into most of the systems because if you think about it, crypto systems are developed largely for times of war. And if you develop a crypto system that even you can't break and the enemies get their hands on it, you know, you've just protected the enemies from yourself. This is really scaring our government to some extent. And we have a horrible situation where, A, they're scared and, B, they're trying, the legal side is trying to really ramp up on the technology because this is all new stuff to them. I think over the next, you know, probably year you're going to see a bunch of failed attempts to control crypto coming in, control the use of crypto developed abroad. And ultimately it's going to, those attempts are going to fail. And you're going to have, which would be wonderful, the best solution available to you because you'll be able to pick and choose from whoever you want. 
We've been hearing ultimately it's going to fail now, though, for years. When is it finally going to fail and what's going to make it fail? Well, what's your favorite encryption cipher right now? Oh, gosh. Fiber? What's yours? RSA? No, RSA is a good one. What about IDEA? I mean, if you're using symmetrical keys, such as the standard DES stuff, I don't know many people or many organizations, you know, unless they're under government contract, that are still, you know, I mean, banks have to still do this to a large extent, that are still saying, yeah, DES is the way to go. And people are saying, well, it's a small key, and there's the International Data Encryption Algorithm, IDEA, developed overseas, and that's really taken off. Even when you look at something like PGP, that's just using the, you know, RSA-ish mechanism of asymmetrical key exchange, and the actual payload in there is encrypted with DES, in this case, or triple DES, or IDEA, as it happens to be with PGP. So I think you'll start seeing, as soon as the RSA patent runs out, you know, the ability for many more people to come up with their public-private key exchanges. I think it's already fallen. Okay, let's go back to the phones. 212-279-3400. Good evening, you're on the air. Speak up, please. Okay, new rule, new rule. You have to talk. You have to be next to the, no, I mean, these people, they put down the phone and they go over to the radio, all right? The only way you're going to do that is if, you know, you're going to have the radio next to the phone, you can do it that way. Who got on the phone? Okay, all right. Yeah, who's there? I don't know. Good evening, you're on the air. Anybody there? I'm here. Go ahead, speak up. I have a question. It's not really pretty mundane. It's not related to your topic. Okay, well, make it fast, all right? You've got to speak faster than that, I'm sorry. Good evening, you're on the air. Hello? Yes. Hello? Yes, go ahead, speak up. All right. What's going on today? 
They spray something in the air? Okay, I want to talk to them. Okay, please, talk into the phone. All right, I don't know what's going on out there. What, people invading or something and spraying stupidity through the airwaves? Look, it's very simple, okay? We've had, oh, you know what? We lost Mudge. Did we? Yeah, I don't know how we lost him. Huh. I don't know how we lost him. I wasn't talking to him. Good evening, you're on the air. Watch, this is going to be a question for Mudge. Hello? Yes, go ahead, speak up. Well, I don't understand. What's going on? Is this some sort of worldwide conspiracy of stupidity or something? I don't get it. I mean, we've been doing this show now since, what, for years? They must be new callers. I don't know what's going on. Everyone sounds really puzzled when they pick up the phone. Okay, I'm really puzzled, I'll say that. All right, let's see if this is Mudge again. Mudge, is this you? Mudge, are you there? Okay. Hello, Manuel. Yes, is this Mudge? Hello? Wait a minute, I'm beginning to think there's something wrong with our phone system. Mudge, can you hear me? I guess not. Okay, something's wrong with our phone system. In which case, I have to apologize to everybody I've just yelled at because they can't seem to hear me for some reason. All right. Anybody want to take a look at this board here? Okay, either this is a mass conspiracy of some sort and everybody... I'm sorry? I didn't mess anything up. Don't accuse me of messing anything up. I didn't touch a thing. No, no, no. Okay, I don't know what's going on. Someone could maybe verify that we're... No, it's not an audition. That's the right switch. Okay. Obviously, nobody can hear us on the phone, so we're going to have to... We're going to have to wing it. We're going to have to wing it and talk about things that have nothing to do with... Well, hold on. This is something where an operator can actually help us here. 
Let's contact an operator on the phone and see if they can hear us. All right. Why are we subjecting our listeners to this kind of abuse when we can abuse an operator? Right? It's only fair. NYNEX, can't be. Yes, hello, operator? Can you hear me? This is the NYNEX operator. Yes, can you hear me? Operator, can you hear me? Why you... See, with NYNEX, it's hard to tell. I don't know if they put this tongue up on me or if... Okay. Well, it's okay. It's not like BAI needs its phone system or anything like that. It's not like we need to be able to talk to our listeners. You see anything that's obviously wrong? I had to do that one week. You had to do that one week? You had to hit that little button? Let's try NYNEX again and see if... Why don't you take one of the caller? Okay. Yeah, you know, it's probably better to take a caller. Let's see if we can take Mudge. Mudge, are you there? See, Mudge is here, but he can't hear us. Let's see if we can communicate with touch tones. Can you hear that? Okay. I don't think he could hear that. I don't know. They seem to be having a difficult time here. I'm getting a touch tone burst. Okay. Let's see if we can communicate with Mudge. Okay. He's... This is... Okay. He knows that there's a problem. This guy's into cryptography. He should be able to figure this out. Now, there must be a way to communicate using this somehow. Oh, pick up the phone. Okay. I could do that. Hey, Mudge, can you hear me? Actually, maybe somebody else could do that, and I could do the radio show. Hello? Okay. We're trying to communicate with Mudge and tell him that there's a problem. Unfortunately, until we figure out what's wrong with our phone system... What, did you hang up on him? No, no, no. What happened? Okay. Well, if that line rings again, just tell him. Boy, we look like idiots here. This has never happened before. Okay. Well, he can't hear me. Maybe. Wait. Mudge, can you hear me? No, I'm not hearing the end of the conversation. 
You've got to pick up that phone. Let's put him on hold first. Yeah. Okay. Okay, we've got to put him on hold somehow. Yeah. All right, you've got to figure out how that little instrument works. Hello? Okay, well, we only have two minutes to kill now because we've spent all this time talking about the phone problems. Do you want to read this letter that we got? Sure. Okay, we've got... Even though we can't communicate with our local listeners, we are getting mail from people all over the country. And those people are sending us mail concerning our PCS discussions. Actually, why don't you read this? Okay. I can deal with the phone over here. Okay. He says he was just listening to our April 8th edition of Off the Hook, and he loved it. He says he wanted to clarify a few things about the PCS segment. He's an indirect marketer for PrimeCo Personal Communications in Hampton Roads, Virginia, and he basically supports the radio shacks in Circuit Cities and other indirect retailers. They say that they have the third largest PCS presence in the U.S. after AT&T and Sprint. What he seems to want to do is clarify a few things concerning CDMA versus TDMA. And I'm actually in agreement with some of the things that he says about CDMA being the direction that corporations are going in. Of course, with GSM, that isn't the case. GSM is currently using TDMA. I've mentioned in the past that ultimately companies, for example, OmniPoint, which currently use GSM, they ultimately plan on supporting CDMA, and they actually have one of the actual standards that they've come out with, IS661, is an actual hybrid of GSM using TDMA as well as CDMA. And while this isn't actually in place as of yet, to my knowledge, in New York City, hopefully it will be in the very near future. I just think it's cool that we're getting mail from people. Where is that, Virginia? He's in Errol's. It was you, wasn't it? It was Mr. Patchcable? Somebody patched us out. How do you like that? 
Mudge, are you back with us? Yes, I'm back with you. Okay. It was a studio engineer that plugged up a hole there. He must be on Microsoft's payroll. Okay. He'll be doing penance for a while. Okay. Well, we only have a minute left. So, Mudge, why don't you give out your information so that people can get ahold of you. Okay. And find out more about this interesting bug and things that the loft does. Great. Anyone interested in the loft and what we do can connect to the website, which is www.loft, which is L0PHT.com. Email can be addressed to Mudge, M-U-D-G-E, at loft.com. The other seven members I will definitely forward on to if you don't know who they are or want to find out who they are. The other person who helped write the loft crack program is Weld, who can be reached at weld at W-E-L-D at loft.com. And the information on the actual program and the program itself are off of the advisories page from the main page. And, Emmanuel and Fiber, I thank you very much for letting me take part in this. Okay. And before we leave, we have with us now the studio engineer who messed up the whole show, who's going to personally apologize to everybody that I've insulted tonight. Claude, go ahead. Well, they certainly were entertaining insults. Trying to set up a show beyond Scott, it's difficult. I'm sorry. And I apologize to you especially, but also your listeners. I mean, I'm sure my listeners can understand this kind of a thing. But what are all these patch cables for? Is this some sort of special presentation that you'd like to promote now? Actually, at about quarter of 11, there will be Poison Darts, and they have an identical cousin direct from Texas. They do that every week. I see. Okay. I stand. All right. Is that the ISDN line you were hooking up just now? Mm-hmm. So we got victimized by ISDN yet again. All right. Well, that's just fine. Okay. That's going to do it for us here this week. Thanks very much, Mudge, for being part of this. My pleasure. 
Thanks for having me. All right. Take care. We'll be back again next week. By the way, Mudge and the Loft crew will be at Beyond Hope in August, so be sure to drop by then. We'll have more information there. Our new website is up now, www.hope.net. Check it out. We have hotel information finally. Of course, those of you who are here in New York City probably won't need that, but then again, those of you listening on the web probably will. Until next week, this is Emanuel Goldstein. Have a good night. Good night.