Foreword v 1.0

My personal belief is that the only way to move society and technology forward is to not be afraid to tear things apart and understand how they work. I surround myself with people who see the merit to this, yet bring different aptitudes to the table. The sharing of information from our efforts, both internally and with the world, is designed to help educate people on where problems arise, how they might have been avoided, and how to find them on their own.

This brought together some fine people who I consider close friends, and is where the L0pht grew from. As time progressed and as our understanding of how to strategically address the problems that we came across in our research grew, we became aware of the paradigm shift that the world must embrace. Whether it was the government, big business, or the hot little e-commerce startup, it was apparent that the mentality of addressing security was to wait for the building to collapse, and come in with brooms and dustbins. This was not progress. This was not even an acceptable effort. All that this dealt with was reconstitution and did not attempt to address the problems at hand. Perhaps this would suffice in a small static environment with few users, but the Internet is far from that. As companies and organizations move from the closed and self-contained model to the open and distributed form that fosters new communication and data movement, one cannot take the tactical “repair after the fact” approach. Security needs to be brought in at the design stage and built into the architecture for the organization in question.

But how do people understand what they will need to protect? What is the clue to what the next attack will be if it does not yet exist? Often it is an easy take if one takes an offensive research stance. Look for the new problems yourself. In doing so, the researcher will invariably end up reverse-engineering the object under scrutiny and see where the faults and stress lines are. These areas are the ones on which to spend time and effort buttressing against future attacks. By thoroughly understanding the object being analyzed, it is more readily apparent how and where it can be deployed securely, and how and where it cannot. This is, after all, one of the reasons why we have War Colleges in the physical world—the worst-case scenario should never come as a surprise.

We saw this paradigm shift and so did the marketplace. L0pht merged with respected luminaries in the business world to form the research and consulting company @stake. The goal of the company has been to enable organizations to start treating security in a strategic fashion as opposed to always playing the catch-up tactical game. Shortly thereafter, President Bill Clinton put forward addendums to Presidential Directive 63 showing a strategic educational component to how the government planned to approach computer security in the coming years. On top of this, we have had huge clients beating down our doors for just this type of service.

But all is not roses, and while there will always be the necessity for some continual remediation of existing systems concurrent to the forward design and strategic implementations, there are those who are afraid. In an attempt to do the right thing, people sometimes go about it in strange ways. There have been bills and laws put in place that attempt to hinder or restrict the amount of disassembling and reverse-engineering people can engage in. There are attempts to secure insecure protocols and communications channels by passing laws that make it illegal to look at the vulnerable parts instead of addressing the protocols themselves. There even seems to be the belief in various law enforcement agencies that if a local area network is the equivalent to a local neighborhood, and the problem is that there are no locks on any of the doors to the houses, the solution is to put more cops on the beat.

As the generation that will either turn security into an enabling technology, or allow it to persist as the obstacle that it is perceived as today, it is up to us to look strategically at our dilemma. We do that by understanding how current attacks work, what they take advantage of, where they came from, and where the next wave might be aimed. We create proof-of-concept tools and code to demonstrate to ourselves and to others just how things work and where they are weak. We postulate and provide suggestions on how these things might be addressed before it’s after the fact and too late. We must do this responsibly, lest we provide people who are afraid of understanding these problems too many reasons to prevent us from undertaking this work. Knowing many of the authors of the book over the past several years, I hold high hopes that this becomes an enabling tool in educating and encouraging people to discover and think creatively about computer and network security. There are plenty of documents that just tell people what to repair, but not many that really explain the threat model or how to find flaws on their own. The people who enable and educate the world to the mental shift to the new security model and the literature that documented how things worked, will be remembered for a long time. Let there be many of these people and large tomes of such literature.

Mudge

Executive Vice President of Research and Development for @stake Inc.
Formerly CEO/Chief Scientist for L0pht Heavy Industries
