Cris Thomas: Space Rogue, From L0pht Hacker to IBM Security Influencer

Security Pro File: The old-school hacker traces a path from young hardware tinkerer to senior cybersecurity executive.

DARKReading

Before he was Space Rogue, before L0pht, before testifying in front of Congress about what was then a little-known risk of networked computers, and before he embarked on a career in cybersecurity, he was just young Cris Thomas with a homemade flashlight.

Growing up in a mobile home in rural Maine in the 1970s, Thomas didn’t have much access to technology in his early years. But at the tender age of five, armed with a hammer and a worn-out sealed alkaline flashlight — the kind you threw away once the batteries lost their juice — he first learned the basics of electrical circuits. Cannibalizing parts from those flashlights and adding C and D cell batteries and wires made from garbage bag twist ties, he was in business with his very own lighting device.

That kind of tinkering is the very essence of a hacker’s modus operandi, and it was the start of his love affair with hacking and his eventual profession as a cybersecurity leader. Over the years, Thomas has done stints at the likes of Trustwave Security and Tenable, and has now spent almost six years at IBM as Global Lead of Policy and Special Initiatives. But at its root, his career has the same flavor of self-directed experimentation and trial-and-error as that flashlight. His route was circuitous and full of ups and downs, but he says that in some ways it was easier for him to go down that path than it is for those trying to get their break in cybersecurity today without the traditional route straight from college.

“There’s still people who are trying to break into the industry with little to no formal education, and the debate of college or certifications is still raging. So, I think getting into the industry, from an austere beginning and maybe even skipping the formal education and being self-taught — it is possible,” he says. “It’s a lot more difficult today, because I think people put a lot of importance on the college degree and the formal education, and so it’s hard to get around that stigma.”

After early grade school he moved to a bigger town, was exposed to computers in bits and pieces, and mastered the basics of BASIC through chance encounters, clubs, and a high school computer class. But it wasn’t until he was in the Army that he was able to buy his very own computer, a Mac SE bought on credit from a store near his base. It was on this machine that he dug further into programming, and it got him synced up with his first local user group, a Mac HyperCard user group. From there he branched out into BBSs and began to tap into the burgeoning Internet hacker subculture. After the Army and a brief stint at Boston University, he took the handle Space Rogue, dialing into the Boston BBSs. Many of those had a whole underground world of in-person meet-ups attached to them. Running in those circles — plus holding down a job at a local CompUSA where a number of local hackers worked — is what would eventually lead Space Rogue to the ragtag group of hackers called L0pht.

Remembering the L0pht

A collective of elite hackers and a hackerspace rolled into one, the L0pht is one of those storied groups that’s inextricably tied in with the infancy of the cybersecurity industry. In a book published this month, Space Rogue: How the Hackers Known as L0pht Changed the World, Thomas writes the memoir of his winding journey to hacking and his membership in the group.

Space Rogue was one of the earliest members and was heavily involved in the group’s adventures and hacking experimentation. He was there for its evolution into what would become L0pht Heavy Industries, its release of the L0phtCrack password-cracking tool, and its eventual sale to @Stake. Together with hackers like Mudge, Weld Pond, Kingpin, Dildog, tan, and Stefan von Neumann, they were on the bleeding edge of experimentation with hardware and software — partially from scavenging corporate dumpsters for equipment, partially from soliciting donations and picking up cool finds at the MIT Flea Market, where they also sold refurbished gear to partially fund their loft space. The crew ran their own NOC, experimenting with different forms of networking, and they shared files online through the early version of the L0pht.com server. Space Rogue ran the popular Whacked Mac Archives, a collection of software gathered from underground systems and BBSs over the years. He did the books and paid the bills as an unofficial chief operating officer and was also instrumental in raising the profile of the group by founding and running Hacker News Network and helping to coordinate much of its work with the media.

The work the L0pht did was, for a very long time, simply a labor of love — the hackers had day jobs. In their off-hours experimentation they started learning how truly vulnerable systems are to manipulation and exploitation in ways their creators never expected. As the team evolved, they started picking up gigs writing custom signatures for the first incarnations of intrusion detection systems, issued advisories about vulnerabilities on their website and Bugtraq, and were courted by firms to do pen testing. For a long time they barely broke even, but their security chops did gain the attention of the federal government, and in 1998 Space Rogue and six other core members of the L0pht stepped in front of a Congressional panel to give one of the earliest public warnings about the state of insecurity of the online world.

Thomas does a great job detailing all of these happenings in his book, which offers a very personal and open account of his perspective on how things unfolded. He highlights the personalities and mindsets of the different hackers he worked with or came across over the years, and is relatable and candid in offering thoughts on his maturing perspective on dealing with not just systems but also people. Readers get to follow along with his close connections with hacker friends, fallouts and reconciliations, and run-ins with difficult bosses, as well as career disillusionment and rebirth.

What’s in a Handle?

Musing about the L0pht and his book recently, he notes that while his unconventional learning and rise through cybersecurity could probably be emulated by newcomers, the rise of L0pht itself occurred during a unique era and would be a whole heck of a lot more difficult to recreate.

“I mean, you can get a bunch of people together and rent some space and do some stuff, but getting the same attention would be harder because the bugs are harder to find now,” he says. He explains that what L0pht did wasn’t easy, but they found the low-hanging fruit in security flaws.

They also had a lot less red tape and legal and professional standards to navigate. Doing what they did back in the 1990s today would put most cybersecurity researchers in a lot of hot water.

“There’s a lot more risk involved. I mean, there was risk then too, but if you’re going to release information about a zero-day vulnerability to the public without a pseudonym, the risk of lawsuits is pretty high. Which is, again, one of the reasons why we were using the handles and the pseudonyms to begin with. But staying pseudonymous is a lot more difficult today than it was.”

Thomas still cherishes and uses his Space Rogue handle — it’s part of his online and professional persona. For example, his email address at IBM is based on that handle rather than his real name.

“I built a reputation as Space Rogue within the industry. I was the last member of the L0pht to actually start using their given name in professional settings,” he says. “So it’s only been a few years for me, really, that people have looked at the handle and been able to equate it to the given name easily.”

These days, Mudge is known as Peiter Zatko, who worked at DARPA and Google in key roles, and most recently in the news as the Twitter whistleblower who drew attention to the social network’s lacking security stance. Weld Pond is Chris Wysopal, who co-founded Veracode. Kingpin is Joe Grand, a well-known security researcher and author who runs Grand Idea Studio. But when they see each other, they’ll always be Mudge, Weld, and Kingpin to him.

“And for the most part, people still address me as Space Rogue or SR. At work, people call me Space, and occasionally I’ll get Mr. Rogue, but that’s usually as a joke,” he says. “My wife actually referred to herself in a Twitter thread the other day as Mrs. Space Rogue.”

Looking Back at Industry Change

All kidding aside about handles, Space Rogue is still as much of a concerned industry watcher as he was in those days back at the L0pht, stepping in front of federal lawmakers.

“I’ve always been interested in policy and how legal ramifications are impacting the online world. Right now, I’m following a lot of actions of CISA, and I have to say that as a nation we’re actually doing a great job,” he says. “In the past, government has been behind schedule and playing catch-up, but I think CISA’s actually taken a very good, proactive approach, which is a welcome change in the industry.”

At the same time, though, he says there is a dichotomy in cybersecurity: over the last 25 years, everything has changed, yet much is still the same. There’s far more awareness now, not just among policy makers or industry insiders but among individual workers and non-tech business executives, about things like ransomware or phishing.

“Most people have to go through some sort of security training in their job, so the awareness factor is much higher,” he says.

Even so, the cybersecurity world is still knocking its head against the same problems it did decades ago.

“We’re making stupid mistakes. We’re using default passwords. We’re designing flat networks. And these are the same problems that we had 25 years ago,” he says. “So, it’s a little bit of some and a little less of some other stuff. A lot of things have changed and gotten better, but a lot of things have still stayed the same as well.”

PERSONALITY BYTES

What he does for fun: A lot of treasured hobbies mirror his hacking interests — his fun project at the moment is setting up a Raspberry Pi for his son to help him learn Python and picoCTF. “You can’t get Raspberry Pis at the moment, so I’ve had to cannibalize some of my old projects to get him one that he can use.”

Non-hacking hobbies: There was a time he was into making hard cider, but he moved and had less room for all of the equipment. Now he’s turned his sights to rock tumbling. “My youngest got a rock tumbler last year and never used or was very interested in it. And I was like ‘Well, if you’re not going to use it, I’m going to.’ Now I have four tumblers and I’m rotating rocks in the basement all the time.”

Quirky tidbits: He says he’s kind of an open book, and shares a lot of fun stuff with co-workers via Slack, so there’s nothing they’d be surprised to know about him. But like many folks in the industry, he’s got his quirky interests. “I’m a big Saturn car aficionado.”

Favorite day-to-day drink: “I drink a lot of caffeine-free Diet Coke.”

How he tells people what he does for a living: In his book, he writes, “I rarely blurt out ‘Hi, I’m a hacker’ when I first meet people. Trying to explain to people what I do for work can sometimes be tricky and lead into all sorts of long and sticky conversations, so I usually just say I work in computers.”
