Dildog Interview

All tutorials we have thought to write or that have been compiled that do not explicitly belong in another category.
Post Reply
User avatar
weazy
Ex-Admin
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given
Contact:

Dildog Interview

Post by weazy » Fri May 30, 2003 6:13 pm

DilDog was responsible for BackOrifice 2000 and numerous vulnerability alerts. He was a member of CDC and

L0pht, L0pht was recently bought out by @stake, so we had to find out how rich Dil was now (and ask him some other questions as well). Our questions in Bold.




DilDog, for those people who have lived under a rock for the last forty years and have no clue who you are, could you give a brief history of how you got involved in computers and specifically when and why you got involved in the security side? And how you got the name DilDog?



I got involved with computers when I was 5, thanks to my Dad working at a computer store. Started coding in 6502 assembly and Apple ][ floating point basic and moved on to PC's when I realized what a compiler was. I Worked a lot with videogame/demo/low-level programming, and didn't really get into security until I got to college. During my second year of college, I released my first advisory, and started going to 2600 meetings and it was all downhill from there.


As for the name, Dildog was the original name of the "Dogbert" character from the 'Dilbert' comic strip. I didn't realize that the name had the substring 'Dildo' until I got laughed out of #hack on efnet like 6 years ago. So I capitalized the second 'd'.

Since the release of BO2K and the purchasing of L0pht by @stake, you've kinda disappeared from the scene (or at least from the newspapers), can you fill us in on what you've been doing lately, what's the next awesome tool we can expect to see from you?


'The scene', eh? I've disappeared from IRC, and from the press. I've found that both take up a lot of my time, and frankly, I'd rather be working on new technology and writing advisories and papers and whatnot.

After viewing the BO2K sections on sourceforge.net, we noticed that there was not alot of people contributing to help BO2K grow, is BO2K dead? Will a BO2001K be released? Do you think there has been a lack of support for BO2K from the development community as a whole, considering that you put so much time into making it as easily accesible and configurable as possible?


BO2K is now in the public domain. There has been little to no effort from the open-source community, or from the 'hacker scene' to improve the program, despite my numerous offers to allow others who are interested to lead the project for a while. I did my part with the project.

It's a Darwinist model though. If people don't need a better version of the software, then they won't bother contributing. If the software falls apart over time due to lack of support, then I'll be sad to see it go, but I'm not going to be too pissed about it. It's done it's job, in my opinion.

At Defcon when you released BO2K, we noticed that cDc actually had a lot of groupies hanging around (almost like you guys were rock stars)... Can you tell us how many groupies you impregnated, how long you were in rehab for, or what rock stars (or cDc members) go through when touring?


Yes indeed. If I could remember what happened during the few days after the release, I'd be glad to tell you all about it. It was a lot of fun, and I think more software releases should be done that way. It's all about the text filez and the girliez. And world domination.

On one end of the spectrum we see some of the brightest minds on the planet, but then there are the "please tell me how to hack a box, what script do I use, and how do I compile it, so I can be a l337 h4x0r" types, do you believe there is a "dumbing-down" effect taking place in the network security field?


The collective intelligence of any society, over time, approaches the average intelligence level of the planet. The internet was once only for intellectuals and collegiates. The security/hacker scene follows the same laws of nature. It's not one thing that contributes to this effect. It's the inevitability of thousands of factors that the community has no control over.

Your tone, however, suggests that you are looking for sympathy for 'the scene'. I have no sympathy for 'the scene'. It's never going to be a small close-knit community again. As 'the scene' changes, so does it's purpose. I'd challenge anyone that could define 'the scene' today anyway...

In an article about you @ http://sans.org/infosecFAQ/hackers/dildog.htm , SANS seemed to question your ethics, well they actually implied you had no ethics, released discovered flaws to newspapers (and mailing lists) before alerting companies, and said that you purposely released those flaws on Fridays so developers would have to work through the weekend. Since SANS didn't seem to give you a forum to respond, could you please respond to those allegations and how it makes you feel after making such a contribution to the info-sec community?


Their 'facts' are contrived and skewed. Many of the things that happened around me 4 to 5 years ago were very defining in how the security world does things today. Hence, one can not judge the events of 4 to 5 years ago by the same yardstick as the events of today.


For example: If I had come up with a local privilege escalation vulnerability in Windows NT 4.0 five years ago when it first came out and told Microsoft about it, they probably would have silently fixed it in the next service pack, and impolitely told me to 'not tell anyone about this, or we might have to sue you'. I've gotten that attitude before, circa that era.

The very things that SANS complains about in their essay were formative in determining the security advisory and release policies that we follow diligently today.

And yes, SANS is being a bit antagonistic toward me in this essay, but frankly, I don't really give a shit. And their attempts at revisionist history don't exactly bring out the truth of how things really happened.

Maybe I'll write a book about it all someday. But I don't have time right now to describe the entire history of how the security community formed and why SANS is being ignorant.

In the security field there isn't alot of helpful documentation (especially when finding new flaws, etc)... In general, when you get stuck, what do you do?
You don't send me email asking for help. Take other people's work and study it until you understand it. If you don't understand it, then maybe you're not giving yourself enough time. I wrote my first x86 buffer overflow exploit without referencing anyone else's code, because it seemed obvious. But again, I had been programming in PC assembly for eight years already. Don't expect to 'get it' overnight.

This seems to be a question alot of people ask, so for the record. what recommendations would you give to someone new to the info-sec field?


I don't know what to tell ya. You probably should have started 5 years ago when I did. It was easier then. Sorry sucka. Now you got a lot more shit to wade through. If you're really interested in this stuff, then I don't have to tell you anything. If you're asking me this question, then you haven't spent enough time figuring out what it is you want to learn.

In your career you have received tons of media exposure... What are your thoughts on how the media portray(s/ed) you and the products/vulnerabilities you brought to the publics attention?


Well, it definitely taught me a few things. Learning how to position yourself and your products is a valuable thing, and I thank the media for giving me the feedback that I needed when I needed it. All in all, my media experience has been enlightening.

As a developer, hacker, and info-sec professional... what's your thoughts on the future of network/application security in future?


Anyone who sells you complete security is lying to you. Security is a process, not a product, and nothing is 100% secure. Risk management is where it's at, and new risks crop up every day. As for the future, we've got to watch the integration of thing we deem 'secure'. Two things that are secure are not necessarily secure when you add them together. This concept is going to extend into everyone's lives in the near future.

On the near horizon, did you notice that over 50% of your local 802.11 networks are unencrypted? Ever take your laptop to the local bar and notice that your wireless connection still works all the way down the street?


At one time, people used 'outdials' to access networks far away from their own without relative anonymity and no expenditure. Today 802.11 is making this a reality again. I wouldn't be surprised if there was a trend in there somewhere.


And I just saw something about SS7 and TCP/IP getting married sometime soon...

We could ask you about 8,000,000,000 more questions but we know you're busy, so last one... Since @Stake bought L0pht, are you now a millionaire living on a beach in the carribean, hanging out at the Playboy mansion, and having tons of sex with a new batch of hot female cDc groupies?


I'm far from a millionaire, but I get to do what I love for a living. Better than selling out to my rent check day job flippin' burgers. And yes, the sex is good.
I'm still working my butt off for the security industry, just in a slightly different forum. There ain't no relaxing here. No beach, no mansion.
And if you think this is the last you've heard of me, then you've got another thing coming.

Thank you very much for taking the time to answer our thought-provoking and hard-hitting investigative field reporting questions.


Thanks.

dildog@cultdeadcow.com
--The Devil is in the Details--

Post Reply