Before
he
was
Space
Rogue,
before
L0pht,
before
testifying
in
front
of
Congress
about
what
used
to
be
a
very
unknown
risk
of
networked
computers,
and
before
he
embarked
on
a
career
in
cybersecurity,
he
was
just
young
Cris
Thomas
with
a
homemade
flashlight.
Growing
up
in
a
mobile
home
in
rural
Maine
in
the
1970s,
Thomas
didn’t
have
a
whole
lot
of
access
to
technology
in
his
early
years.
But
at
the
tender
age
of
five,
armed
with
a
hammer
and
a
worn-out
sealed
alkaline
flashlight
—
the
kind
that
you
threw
away
after
the
batteries
lost
their
juice
—
he
was
able
to
first
learn
the
basics
of
electrical
circuits.
Cannibalizing
parts
from
those
flashlights
and
adding
C
and
D
cell
batteries
and
wires
consisting
of
garbage
bag
twist
ties,
he
was
in
business
with
his
very
own
lighting
device.
That
kind
of
tinkering
is
the
very
essence
of
a
hacker’s
modus
operandi,
and
it
was
the
start
of
his
love
affair
with
hacking
and
his
eventual
profession
as
a
cybersecurity
leader.
Over
the
years,
Thomas
has
done
stints
at
the
likes
of
Trustwave
Security,
Tenable,
and
almost
six
years
now
at
IBM
as
Global
Lead
of
Policy
and
Special
Initiatives.
But
at
its
root
his
beginnings
have
all
the
same
flavor
of
self-directed
experimentation
and
trial-and-error
with
his
flashlight.
His
route
was
circuitous
and
full
of
ups
and
downs,
but
he
says
that
in
some
ways
it
was
easier
for
him
to
go
down
that
path
than
those
trying
to
get
their
break
in
cybersecurity
today
without
the
traditional
path
straight
from
college.
“There’s
still
people
who
are
trying
to
break
into
the
industry
with
little
to
no
formal
education,
and
the
debate
of
college
or
certifications
is
still
raging.
So,
I
think
getting
into
the
industry,
from
an
austere
beginning
and
maybe
even
skipping
the
formal
education
and
being
self-taught
—
it
is
possible,”
he
says.
“It’s
a
lot
more
difficult
today,
because
I
think
people
put
a
lot
of
importance
on
the
college
degree
and
the
formal
education,
and
so
it’s
hard
to
get
around
that
stigma.”
After
early
grade
school
he
moved
to
a
bigger
town,
was
exposed
to
computers
in
bits
and
pieces,
and
mastered
the
basics
of
BASIC
from
chance
encounters,
clubs,
and
high
school
computer
class.
But
it
wasn’t
until
he
was
in
the
Army
that
he
was
able
to
buy
his
very
own
computer,
a
Mac
SE
he
bought
on
credit
from
a
store
nearby
his
base.
It
was
from
this
machine
he
dug
further
into
programming
and
got
synced
up
with
his
first
local
user
group,
a
Mac
HyperCard
user
group.
From
there
he
branched
out
into
BBSs
and
began
to
tap
into
the
burgeoning
Internet
hacker
subculture.
After
the
Army
and
a
brief
stint
at
Boston
University,
he
took
the
handle
Space
Rogue,
dialing
into
the
Boston
BBSs.
Many
of
those
had
a
whole
underground
world
of
in-person
meet-ups
attached
to
them.
Running
in
those
circles
—
plus
holding
down
a
job
at
a
local
CompUSA
where
a
number
of
local
hackers
worked
—
is
what
would
eventually
lead
Space
Rogue
to
the
ragtag
group
of
hackers
called
L0pht.
Remembering
the
L0pht
A
collective
of
elite
hackers
and
a
hackerspace
rolled
into
one,
the
L0pht
is
one
of
those
storied
groups
that’s
inextricably
tied
in
with
the
infancy
of
the
cybersecurity
industry.
In
a
book
published
this
month,
Space
Rogue:
How
the
Hackers
Known
as
L0pht
Changed
the
World,
Thomas
writes
the
memoir
of
his
winding
journey
to
hacking
and
his
membership
in
the
group.
Space
Rogue
was
one
of
the
earliest
members
and
was
heavily
involved
in
the
group’s
adventures
and
hacking
experimentation.
He
was
there
for
its
evolution
into
what
would
become
L0pht
Heavy
Industries,
its
release
of
the
L0phtCrack
password-cracking
tool,
and
its
eventual
sale
to
@Stake.
Together
with
hackers
like
Mudge,
Weld
Pond,
Kingpin,
Dildog,
tan,
and
Stefan
von
Neumann,
they
were
on
the
bleeding
edge
of
experimentation
with
hardware
and
software
—
partially
from
scavenging
corporate
dumpsters
for
equipment,
partially
from
soliciting
donations
and
picking
up
cool
finds
at
the
MIT
Flea
Market,
where
they
also
sold
refurbished
gear
to
partially
fund
their
loft
space.
The
crew
ran
their
own
NOC,
experimenting
with
different
forms
of
networking,
and
they
shared
files
online
through
the
early
version
of
the
L0pht.com
server.
Space
Rogue
ran
the
popular
Whacked
Mac
Archives,
a
collection
of
software
collected
from
underground
systems
and
BBSs
over
the
years.
He
did
the
books
and
paid
the
bills
as
an
unofficial
chief
operating
officer
and
was
also
instrumental
in
helping
raise
the
profile
of
the
group
by
founding
and
running
Hacker
News
Network
and
helping
to
coordinate
a
lot
of
its
work
with
the
media.
The
work
the
L0pht
did
for
a
very
long
time
was
simply
a
labor
of
love
—
the
hackers
had
day
jobs.
In
their
off-hours
time
of
experimentation
they
started
learning
how
truly
vulnerable
systems
are
to
manipulation
and
exploitation
in
ways
unexpected
by
their
creators.
As
the
team
evolved,
they
started
picking
up
gigs
writing
custom
signatures
for
the
first
incarnations
of
intrusion
detection
systems,
issued
advisories
about
vulnerabilities
on
their
website
and
Bugtraq,
and
were
courted
by
firms
to
do
pen
testing.
For
a
long
time
they
barely
broke
even,
but
their
security
chops
did
gain
the
attention
of
the
federal
government,
and
in
1998
Space
Rogue
and
six
other
core
members
of
the
L0pht
stepped
in
front
of
a
Congressional
panel
to
give
one
of
the
earliest
public
warnings
about
the
state
of
insecurity
of
the
online
world.
Thomas
does
a
great
job
detailing
all
of
these
happenings
in
his
book,
which
offers
a
very
personal
and
open
account
of
his
perspective
on
how
things
unfolded.
He
does
a
great
job
highlighting
the
personalities
and
mindsets
of
the
different
hackers
he
worked
with
or
came
across
over
the
years,
and
is
very
relatable
and
vulnerable
offering
thoughts
on
his
maturing
perspectives
on
dealing
with
not
just
systems
but
also
people.
Readers
get
to
follow
along
with
his
close
connections
with
hacker
friends,
fallouts
and
reconciliations,
and
run-ins
with
difficult
bosses,
as
well
as
career
disillusionment
and
rebirth.
What’s
in
a
Handle?
Musing
about
the
L0pht
and
his
book
recently,
he
notes
that
while
his
unconventional
learnings
and
rise
through
cybersecurity
could
probably
be
emulated
by
newcomers,
the
rise
of
L0pht
itself
occurred
during
a
very
unique
era
in
time
and
would
be
a
whole
heck
of
a
lot
more
difficult
to
recreate.
“I
mean,
you
can
get
a
bunch
of
people
together
and
rent
some
space
and
do
some
stuff,
but
getting
the
same
attention
would
be
harder
because
the
bugs
are
harder
to
find
now,”
he
says.
He
explains
that
what
L0pht
did
wasn’t
easy,
but
they
found
the
low-hanging
fruit
in
security
flaws.
They
also
had
a
lot
less
red
tape
and
legal
and
professional
standards
to
navigate.
Doing
what
they
did
back
in
the
1990s
today
would
put
most
cybersecurity
researchers
in
a
lot
of
hot
water.
“There’s
a
lot
more
risk
involved.
I
mean,
there
was
risk
then
too,
but
if
you’re
going
to
release
information
about
a
zero-day
vulnerability
to
the
public
without
a
pseudonym,
the
risk
of
lawsuits
is
pretty
high.
Which
is,
again,
one
of
the
reasons
why
we
were
using
the
handles
and
the
pseudonyms
to
begin
with.
But
staying
pseudonymous
is
a
lot
more
difficult
today
than
it
was.”
Thomas
still
cherishes
and
uses
his
Space
Rogue
handle
—
it’s
part
of
his
online
and
professional
persona.
For
example,
his
email
address
at
IBM
is
based
on
that
handle
rather
than
his
real
name.
“I
built
a
reputation
as
Space
Rogue
within
the
industry.
I
was
the
last
member
of
the
L0pht
to
actually
start
using
their
given
name
in
professional
settings,”
he
says.
“So
it’s
only
been
a
few
years
for
me,
really,
that
people
have
looked
at
the
handle
and
been
able
to
equate
it
to
the
given
name
easily.”
These
days,
Mudge
is
known
as
Peiter
Zatko,
who
worked
at
DARPA
and
Google
in
key
roles,
and
most
recently
in
the
news
as
the
Twitter
whistleblower
who
drew
attention
to
the
social
network’s
lacking
security
stance.
Weld
Pond
is
Chris
Wysopal,
who
co-founded
Veracode.
Kingpin
is
Joe
Grand,
a
well-known
security
researcher
and
author
who
runs
Grand
Idea
Studio.
But
when
they
see
each
other,
they’ll
always
be
Mudge,
Weld,
and
Kingpin
to
him.
“And
for
the
most
part,
people
still
address
me
as
Space
Rogue
or
SR.
At
work,
people
call
me
Space,
and
occasionally
I’ll
get
Mr.
Rogue,
but
that’s
usually
as
a
joke,”
he
says.
“My
wife
actually
referred
herself
in
a
Twitter
thread
the
other
day
as
Mrs.
Space
Rogue.”
Looking
Back
at
Industry
Change
All
kidding
aside
about
handles,
Space
Rogue
is
still
as
much
of
a
concerned
industry
watcher
as
those
days
back
at
the
L0pht,
stepping
in
front
of
federal
lawmakers.
“I’ve
always
been
interested
in
policy
and
how
legal
ramifications
are
impacting
the
online
world.
Right
now,
I’m
following
a
lot
of
actions
of
CISA,
and
I
have
to
say
that
as
a
nation
we’re
actually
doing
a
great
job,”
he
says.
“In
the
past,
government
has
been
behind
schedule
and
playing
catch-up,
but
I
think
CISA’s
actually
taken
a
very
good,
proactive
approach,
which
is
a
welcome
change
in
the
industry.”
At
the
same
time,
though,
he
says
that
there’s
this
dichotomy
in
cybersecurity
where
over
the
last
25
years,
everything
has
changed
but
is
also
still
the
same.
There’s
a
ton
more
awareness
now,
not
just
from
policy
makers
or
industry
insiders
but
just
individual
workers
or
non-tech
business
executives,
about
things
like
ransomware
or
phishing.
“Most
people
have
to
go
through
some
sort
of
security
training
in
their
job,
so
the
awareness
factor
is
much
higher,”
he
says.
At
the
same
time,
though,
the
cybersecurity
world
is
still
knocking
its
head
against
the
same
problems
it
did
decades
ago.
“We’re
making
stupid
mistakes.
We’re
using
default
passwords.
We’re
designing
flat
networks.
And
these
are
the
same
problems
that
we
had
25
years
ago,”
he
says.
“So,
it’s
a
little
bit
of
some
and
a
little
less
of
some
other
stuff.
A
lot
of
things
have
changed
and
gotten
better,
but
a
lot
of
things
have
still
stayed
the
same
as
well.”
PERSONALITY
BYTES
What
he
does
for
fun:
A
lot
of
treasured
hobbies
mirror
his
hacking
interests
—
his
fun
project
at
the
moment
is
setting
up
a
Raspberry
Pi
for
his
son
to
help
him
learn
Python
and
picoCTF.
“You
can’t
get
Raspberry
Pis
at
the
moment,
so
I’ve
had
to
cannibalize
some
of
my
old
projects
to
get
him
one
that
he
can
use.”
Non-hacking
hobbies:
There
was
a
time
he
was
into
making
hard
cider,
but
he
moved
and
had
less
room
for
all
of
the
equipment.
Now
he’s
turned
his
sights
to
rock
tumbling.
“My
youngest
got
a
rock
tumbler
last
year
and
never
used
or
was
very
interested
in
it.
And
I
was
like
‘Well,
if
you’re
not
going
to
use
it,
I’m
going
to.’
Now
I
have
four
tumblers
and
I’m
rotating
rocks
in
the
basement
all
the
time.”
Quirky
tidbits:
He
says
he’s
kind
of
an
open
book,
and
shares
a
lot
of
fun
stuff
with
co-workers
via
Slack,
so
there’s
nothing
they’d
be
surprised
to
know
about
him.
But
like
many
folks
in
the
industry,
he’s
got
his
quirky
interests.
“I’m
a
big
Saturn
car
aficionado.”
Favorite
day-to-day
drink:
“I
drink
a
lot
of
caffeine-free
Diet
Coke.”
How
he
tells
people
what
he
does
for
a
living:
Per
his
book,
he
wrote,
“I
rarely
blurt
out
‘Hi,
I’m
a
hacker’
when
I
first
meet
people.
Trying
to
explain
to
people
what
I
do
for
work
can
sometimes
be
tricky
and
lead
into
all
sorts
of
long
and
sticky
conversations,
so
I
usually
just
say
I
work
in
computers.”
About Author
