These days, his handle is "Sir Dystic". I've known him for over a decade. At my annual Memorial Day barbeque, when he reminded me that he was the author of BackOrifice -- and mentioned that there was a new version due out soon -- I asked him if he'd mind giving an interview for publication in Boardwatch.
On July 15, we finally sat down to talk for an hour and a half. What follows is a condensed version of that conversation.
Thom Stark: Let's talk about your background. How did you get into programming to begin with?
Sir Dystic: Let's just say when I was a teenager, I ended up with a lot of free time and I wasn't allowed to leave the house for a long time. And I turned my focus toward computers. I originally learned to program in Basic, on probably a -- actually, you know how I learned to program in Basic? I learned to program because my Dad wouldn't buy me any games. He bought me Compute! Magazine and said, "Type 'em in!"
Thom Stark: (laughs)
Sir Dystic: And of course I'd always make a typo. And I'd have to go back and find that typo -- and that's how I learned to program, was by watching what went wrong with the game or getting whatever run error. I had to go back and fix the bug I introduced and that's how I originally learned to program. I actually took a class in programming when I was, like, thirteen. Learned on a Franklin. Remember those?
Thom Stark: Sure do.
Sir Dystic: That was like the first computer I really, like, learned how to screw with -- for the month that they existed. So, yeah, when I was a teenager, I ended up having a lot of free time and I decided that -- this was, y'know, when the Teleguard group broke up and there wasn't going to be any future development of Teleguard and there wasn't going to be a multi-line version of Teleguard and -- you remember that whole awful thing that happened.
Thom Stark: Sure do.
Sir Dystic: And the only decent multi-node BBS -- I mean the only multi-node BBS software was... (to himself) What was that God-awful thing?
Thom Stark: PC Board?
Sir Dystic: PC Board. Thank you. And I thought that was ridiculous. And PC Board required you to run it under a multi-tasker, anyway. I mean, it wasn't really a multi-node BBS.
So, I sat down and the first big programming project I ever wrote was a multi-node BBS software written entirely in compiled Basic. Supported eight lines simultaneously.
Thom Stark: And the name of that was?
Sir Dystic: I never released it. My hard drive blew up right as I finished it. I got to run my own software for, like, three months live. Then my hard drive blew up and I lost all the source.
Thom Stark: And you had no backup?
Sir Dystic: Backup? I had 240 megs of hard disks! How're you going to back up 200 -- that's a lot of floppies!
Thom Stark: (laughs) 360K floppies?
Sir Dystic: Exactly! Exactly! And I couldn't afford a tape drive. And, besides which, I didn't have time to wait 8 hours for it to back up 100 megs!
Thom Stark: So, how'd you wind up affiliated with the Cult of the Dead Cow?
Sir Dystic: Well, I met a bunch of the cDc members at Def Con 3. And after knowing them for about a year and a half, they asked if I wanted to be a member -- that's the only way to become a member, is to be asked.
What I love about the cDc, is that it's just the most amazingly smart, interesting group of people I've ever hung out with. I mean, this year, at Def Con, we had all but one member there -- largest gathering of the Herd ever. Seriously, seriously ever. We live in totally opposite corners of the world. I had never met probably half the members before. And one of the original founders resurfaced after nobody hearing from him for, like, five years -- Franken Gibe -- original founder, with Swamp Rat, in 1984.
Thom Stark: And you have your roots in...
Sir Dystic: Bay Area BBS scene, man. My roots are absolutely in the Bay Area BBS scene. I absolutely think that groups like the Pigdog crew, the entire group of Bay Area text files scenes -- the cDc was a lot like those groups. You can call us a "hacker group," whatever. We're an electronic publishing group. People give us stuff and they say, "I want the world to see this," and we put our name on it and put it out there. That's all there is to it. We're up to over 350 text files, now -- and two pieces of code.
Thom Stark: One of them yours.
Sir Dystic: All the projects I'm working on are cDc copyrighted.
Thom Stark: Which is liable to confuse people who wonder why do you do it for free.
Sir Dystic: Because we love it. I mean, this is the stuff I do in my spare time. I have a job in the computer industry. I write code for a living. But this is the stuff I do because I want to, y'know? I probably could be making money off it, but then I probably wouldn't be getting my message out there nearly as well.
You know who ISS -- Internet Security Service -- is? Chris Rouland? X-force team?
Thom Stark: No, I don't.
Sir Dystic: Big security company. Started by a hacker -- Chris Rouland. Excuse me: "former" hacker.
ISS has been pushing themselves in the press a lot lately as being on the front lines against "evil" hacker groups like Cult of the Dead Cow. And yet, they contacted us on IRC about a week before we were going to release BO2K and offered to buy an advance copy. We thought they were joking. We basically said, "Well, look, put a formal request on letterhead. Get it signed by your manager." And, sure enough, we got a signed request by Chris Rouland -- to which we responded, "We would gladly send you an advance copy for one million dollars and a monster truck."
And he is so pissed now, that -- every chance he gets -- he's like, "See how arrogant they are?" I mean, "Did you not get the joke?"
The thing is that ISS is getting a lot of media right now, because they're claiming to have been the first people to, quote, "reverse engineer" BO2K.
(whispers) It's open source.
The actual quote was, "They spent six months, locked in a room, writing this tool -- and it took us only 24 hours to take it apart." Our response to which was, "It takes a lot longer to write a book than to read it." Especially when the source code's available.
Thom Stark: Since he mentions you by name, in PC World, a writer named Tom Spring wrote this article...
Sir Dystic: I talk a lot to Tom Spring -- especially about this actually. So, you want to talk about DIRT?
What is DIRT? DIRT is nothing more than a Trojan horse. It is a keyboard logger and SMTP mailer. It logs keyboard strokes and, on a timer, emails them somewhere. Period. The end. The only advantage it has over anything else is that nobody's scanning for it, because it's only available to military and law enforcement.
Thom Stark: What's the relationship between cDc and law enforcement?
Sir Dystic: You know, a lot of people talk to the Secret Service either before or after they interview me and say, "Why don't you just arrest these guys?" And their response is, "Well, we've looked at the product. We wish they hadn't released it -- but there's nothing illegal about having written this tool." The analogy we make is a hammer. You can build a house or you can smash somebody's head in.
I've also talked to people in the FBI's computer division and they're basically frustrated, because they can no longer verify that, because an attack came from a specific IP address, that that's where it originated from. 'Cause all it takes is to bounce the connection off a program like BO. Our point has been, "Look, people are already doing this, whether they're using BO or not. People are writing tools to do this and they're getting away with it because nobody's talking about it."
I think they really do get the point we're trying to make. They might not agree with it -- but that's not important.
Thom Stark: Do you have any sympathizers in law enforcement?
Sir Dystic: I just don't talk to enough people in law enforcement to really have an idea of how they feel. The feeling I get from just random people who email me -- even if they have personally had their privacy taken away by BO -- is generally, "Well, you know, I'm never going to let it happen again. And it raised my awareness of security and let me realize just how easily I could lose complete control of my computer." And they don't blame me for writing the code.
Thom Stark: You're the author of the original BackOrifice. How about BO2K?
Sir Dystic: I had nothing to do with any of the coding. Just put some ideas out there, said "This is what I'd like to see for the next version," and DilDog put all those ideas in there and a lot more.
Thom Stark: Why did he take over the BO2K project?
Sir Dystic: BO was supposed to be a statement about the fact that people feel secure and safe, although there are wide, gaping holes in both the operating system they're using and the means of defense they're using against hostile code. I mean, that was my message and BO2K really has a different message.
BO2K is really, "Look how far we can take this. We can make this the best remote administration software out there: open source; and it's secure; and it's free." I was actually really surprised at the large number of emails I got from people who were talking about using BackOrifice to remotely, legitimately administer machines across the Internet.
Thom Stark: The original BackOrifice?
Sir Dystic: Correct. I was getting emails from people who were saying, "I don't have to drive across town to fix my sister's computer. I can do it across the Internet. All she has to do is run one program that I can send her in email." BO2K, though, has every feature that every other remote administration software does and much, much more than any other piece of software.
Thom Stark: And BO2K is completely open source -- you made the source code available from Day One.
Sir Dystic: Absolutely. But, anyway, that's not what I want to rant about.
Thom Stark: So, what do you want to rant about?
Sir Dystic: Well, my rants this year have mostly been about signature scanning and what a useless method of defense it is. I call it "the Borg defense." The Federation beams aboard the Borg cubes and they shoot at them with their phasers when they have to. And the first few shots work -- until the Borg adapt. Then all of a sudden their phasers don't work until they go back to the ship and re-modulate it again. Which is also an interesting analogue for people changing the signatures in viruses and Trojans. Who wants to be one of those first few Borg that get wiped out, so the rest can adapt?
Thom Stark: (Laughs)
Sir Dystic: I mean, seriously. I'm not part of a "collective." I'm part of a herd! You know? "We all value our individuality!" And our data...
That's my whole argument against signature scanning -- I mean, I'm sure you're familiar with the acronym "WYSIWYG." The acronym we're pushing this year is "WYDSIWGY" -- What You Don't See Is What Gets You, because with virus scanning -- signature scanning -- you have a big list of programs you don't want to run. And all it takes to defeat that method of defense is to write a new program, or mask the signature of the program you already have. In fact, all it takes to get even as well-known a Trojan as BO around signature scanners is to compress it, because that hides the signature.
Now all of a sudden, as soon as all the virus scanners started defending against BO, they also started scanning for things like NetBus and these other Trojans that had been available for six months -- and I didn't even know about them!
I thought I was the first guy, like, writing big remote-control Trojans. But, no, there were other programs that were -- and people, of course, claimed that I stole the idea from these other guys I'd never even heard of.
It's not an original idea, guys. Trojan horse is not an original idea. It goes back to the early UNIX days, where people put a keyboard logger on and recorded what people were doing. It's one of the oldest forms of attack, and yet there's really no defense against it.
Thom Stark: Except to be careful about what you download.
Sir Dystic: But that doesn't help you if your email program has an overflow in it or you didn't know that you left your shares open. Convincing them to run it is only one way that a program like that can be introduced.
Thom Stark: And Microsoft doesn't want to advertise the fact.
Sir Dystic: Well, you know Trojan horses and remote control programs are nothing specific to Microsoft. I mean, I'm not targeting Microsoft specifically -- although Windows 95 and 98 basically have no security model at all, which is really ridiculous if you're pushing this for people to use for online commerce and storing all their personal information on. And I think that's wrong. NT does have a security model, but the problem is that -- out of the box -- to actually secure your machine, there's about 100 steps you have to take and most people don't have any clue what they are.
BO2K does some very, very simple forms of access promotion. For instance, if an unprivileged user is allowed to write to the global user startup directory, it copies itself in there. The next time the administrator logs in -- bam -- it's running as Administrator. It could be secure. All you'd have to do is not make that directory globally-writable. But -- out of the box -- it's insecure. And, although Microsoft really has been improving a lot lately about raising security awareness, they're still almost entirely run by their marketing department.
Thom Stark: (laughs)
Sir Dystic: Actually, most large companies are run by their marketing department. And generally the people who work in the development departments of that area love hackers. Because they bring these issues to the foreground, because they make big issues of it -- that's the only way their marketing departments will let them fix it.
Thom Stark: So, how does Boardwatch's readership protect against BO2K?
Sir Dystic: Well, Microsoft's advice is sound -- "Follow safe computing practices." It's not going to help you against every possible way you can get screwed, but it will protect you against at least most of the low-level ones. Essentially, the defense we have right now will protect you against the very lowest forms of attack -- not if someone wants to specifically attack you. Beyond that...don't do anything as Administrator, that's my best advice.
Thom Stark: One would think that people would know better than that, but...
Sir Dystic: Exactly! But, you have no idea how many times I check people on the Internet and they're logged in as Administrator. I mean, all the time.
Thom Stark: You mentioned you've been working on an "application sandbox"?
Sir Dystic: The stuff I'm working on is on my homepage. I've written essentially a system monitor which hooks file and registry access at Ring 0, and any time any application accesses the registry or the file system, it logs it. It shows you exactly what process -- and not just the stupid 8-character module name, like a lot of them do. It actually shows you the full pathname to the executable.
Again, this is not a new concept. Application sandboxing was something that the Navy came up with in '84, when they did their Rainbow Papers. The idea is you run an untrusted application in a controlled environment where, if it attempts to do something bad to your computer, you have a chance to intercept it before it does.
So you say, "Stop this program any time it tries to read or write anywhere; only stop it, if it tries to write to something -- whatever." You give it the access that it's allowed. And then, any time it tries to break that access, it blue-screens, shows you the executable -- what it tried to do -- and do you want to allow it to do it this time, every time, not this time, never -- depending on the application. And, every time the application tries to spawn additional applications, it lets you know what it's trying to spawn. I mean really straightforward concepts.
Thom Stark: And this functionality is in BO2K?
Sir Dystic: No. This is completely unrelated. I call this "cDc Application Controller" -- and it works.
Thom Stark: Is it in release?
Sir Dystic: It is something I'm planning on releasing. I already talk about it here (he points to his monitor). I basically outline all the concepts, I talk about all the APIs I use -- because you have to do it all at Ring 0 with VXDs and annoying stuff like that -- and I've even got sample source up here as to how I determine the full pathname to the executable at Ring 0. And the idea is, it at least brings the defense up to another level -- you at least have to know something about what the defense is and know how to specifically get around the actual defense. And that brings it to the exploit-and-patch level, rather than, "Eighteen zillion new programs were written this week. Update your data files." You know what I mean?
Thom Stark: It seems like it would be useful for troubleshooting ill-behaved applications that crash your system.
Sir Dystic: Yeah, exactly. So, what I would like this application sandboxing to turn into is, you have this running, monitoring all your applications, all the time. You put it into "learn" mode for a day. You do everything you normally do. You let it know what is okay for programs to do. Then you put it into "protected" mode. Any time an application does something new, it sets an alarm off. And, if you want to let it do that -- you want to let it do this time, or every time in the future -- you let it do that. Essentially, you just build a set of permissions for what applications are allowed to read and write from where.
This wouldn't just protect you from viruses and Trojans, by the way. This is going to protect you against security holes in applications you're running. Remember the Netscape client-side bug that let the server download any file? Soon as Netscape tried to access your personal files, it sets an alarm off. Overflow bugs? As soon as an application tries to write something it's never written before, it sets an alarm off.
You combine that with just a simple password protection to actually change the access for applications, you've got local security, too. Somebody can't just walk up to your computer, stick a floppy in it and run something. You combine that with the ability to administrate across a network, with permissions for what applications are allowed to read and write, you could have an actually very secure network. And not just secure against outside intrusion, but secure against people walking in and being able to run whatever they want on your computer or read whatever they want off your computer.
Thom Stark: What haven't we talked about?
Sir Dystic: One thing we haven't talked about is competitive business practices. A lot of people are saying that our intentions for releasing BO2K were nothing but malicious. Which is laughable, really, considering the amount of power that tool has and the time that obviously went into it. People like Symantec -- who also have their own remote administration software and also have antivirus software and are scanning for our remote administration software, which we're trying to market legitimately. Doesn't that seem a bit odd?
Microsoft says, "It's incomprehensible why anybody would make this software." Essentially, their take on it is, because BO2K can be installed transparently -- that is, it doesn't tell the user that they're being administered -- that it has "no legitimate purpose." That's a direct quote. SMS has the ability to be configured so it gives the user no notification that they're being administered. Why is that any different? Ours doesn't do that by default -- you have to configure it to do that. Same with theirs -- but why is that any different?
Thom Stark: A not-unreasonable question.
Sir Dystic: I mean, anybody who's administering any type of network -- ISPs especially, I'm surprised aren't using BO. If you've ever worked tech support, you know what a nightmare it is, talking to somebody that doesn't know anything about computers, trying to fix their computer. If you can say, "Run this program," and be able to do everything you need to do yourself from your own computer -- gawd, hours of time saved, y'know?
And we designed BO2K with strong encryption -- there is no danger that that machine might be compromised by somebody else, just because it has BO2K on it -- if BO2K were configured properly.
There's a million uses for it. Not only that, but: a. it's open source, b. it's also extendable architecture. There's a plug-in interface where anybody can develop third-party plug-ins, attach them to the server, attach them to the client and add any functionality they want. It already comes with functionality to do real-time mouse and keyboard control and monitoring. The communication is pluggable and the encryption is also pluggable.
Right now, it talks across TCP or unreliable UDP. In a week or so, the L0pht is going to be releasing additional communication plug-ins that let you do ICMP -- oh, that's going to piss a lot of firewall people off -- reliable UDP...
Thom Stark: (makes a face)
Sir Dystic: You know how it works?
Thom Stark: You do your checksums and so on at the application level.
Sir Dystic: Exactly. And, as far as -- everybody's already released all these fixes and detectors for it and blah, blah, blah for it -- but none of them really work, as far as I can tell. I mean, they'll work, if it's configured this way, or if somebody hasn't re-compiled it -- or if somebody isn't using some other method of communication. You know what I'm saying? And, again, it's what you don't see that gets you. If all it takes is to make something new to get around the defense, then you have no defense -- against somebody that really wants to get you, specifically.
Thom Stark: So, are there any meaningful ways to defend against BackOrifice?
Sir Dystic: You mean, "other than my application sandboxing that I haven't finished yet?"
Thom Stark: Other than that.
Sir Dystic: No. There isn't any real defense right now.
That's what I was trying to say with BO. And BO2K -- as extendable and as variable as it is -- should really make people realize that there is no defense. And there should be. I mean, the idea of burying your head in the sand and saying, "It's not a problem. It'll go away. Just keep updating your signature files," is all well and good -- but not a single person who ever had random messages start popping up on their computer for no reason that they could understand will ever forget that. They will remember how easily they lost their privacy -- and they were running virus scanners.
Thom Stark: Speaking of viruses, let's talk about the BO2K CDs you distributed at Def Con with the Chernobyl virus on them.
Sir Dystic: We certainly didn't put it on there on purpose. If we'd wanted to, we probably would have written a new virus that wouldn't have been picked up by everybody's virus scanners. But, why would we be signing our names and handing out CDs that have a virus on them? That would be a very bad idea.
Thom Stark: And that was just at Def Con?
Sir Dystic: Yeah. It's like a handful of CDs we gave out. The main problem was that, of course, within 45 minutes, there were several hundred copies of them. And the reason this all became such an issue was because we had assumed that it was the duplicates of our CDs that had the virus on them -- that it was introduced then.
So, people were coming up to us and saying, "Hey, there's a virus on your CD." And they'd show us the CD and it was a copy of the ones we'd distributed. And we'd say, "We don't know what's on that CD -- it could well be infected with a virus. We didn't do it." And that's basically why we denied it, was because -- as far as we knew -- the originals were clean, but, apparently... Actually, talk about irony -- we each autographed a CD and then tossed it into the audience. And the CD autographed by DilDog landed right in the lap of one of the ISS X-force employees.
Thom Stark: (laughs) Who I assume did not throw it over his shoulder.
Sir Dystic: Oh, no, they kept it. Sent us a picture of it and said, "This has the CIH virus on it." And, I mean, we're sorry. We didn't mean to do it. It just shows to go you how easy it is to have something like that happen. I mean, the bottom line is that it was not anything malicious. It wasn't anything we did on purpose. It was a mistake. And it was also not like we'd been distributing on our website an infected version.
There were 25 originals. I think we kept 3 of them -- handed out 22 of them -- and then, when people came to us and said that the copies that were floating around all had the virus on them, we took one of the originals and made 10 more copies. And then Count Zero autographed them and wrote "Virus Free!" on the CD. And I mean, while I would've preferred it didn't happen, I can appreciate the irony of the situation.
I can tell you that the cDc members are really, genuinely upset that that could happen. The odd thing is that we haven't actually been able to find that virus on any of our machines. Not on the dev machines it was compiled on. We checked the burner machine and it's not on there. We're very uncertain as to how it actually did get on there -- which makes us look kind of foolish, I guess. But we put out a statement to the press, apologizing and saying, "Our bad. Sorry. Shit happens." I dunno if there's much more to say about that.
Thom Stark: Speaking of "much more to say," is there anything you'd like to say to Boardwatch's readers?
Sir Dystic: Just that it's all about knowledge. Do everything you can to know your computer as well as you can -- know your computer well enough so that, if it does something it shouldn't be doing, you will be able to at least recognize that's happening. And when it starts doing something it shouldn't be doing, have the sense to pull the modem out of the wall.
(Copyright © 1999 by Thom Stark -- all rights reserved)