With a Little Help from My Friends
Week of 15 May 2006
First published at Rixstep. Used with permission.
Who made Spycar?
Spycar is an outgrowth of a research project at Intelguardians Labs. Ed Skoudis came up with the idea and the name, but Tom Liston did the actual implementation, taking the wacky idea and making it real. Mike Poor did all of the infrastructure work.
- Spycar website
I get by with a little help from my friends
I get high with a little help from my friends
I'm gonna try with a little help from my friends
- J Lennon, P McCartney
This is very sad.
He (Liston) would share responsibilities for day to day labour such as bookkeeping, product uploads for customers, support enquiries, and the like.
For this and this alone, despite there being nearly one hundred fifty (150) tools already in the product suite, he would received 15% (fifteen percent) of all revenues [sic].
At this point we left the ball in his court. When after considerable time we received no reply at all from him, we wrote back, asking if he'd read our letter and our proposal and if he was ready to reply. He wrote back, rather lamely, to say 'yeah sure that's cool'. Honestly, we should have understood at that point that something was not right.
To: Brian Krebs c/o Washington Post
Re: Brian Krebs: Your Spycar Ran Over My Dogma
Following is an article that's been posted at our forum and will shortly be posted online. We're still breathless at this and haven't taken any further action. Suffice it to say we're sad and furious both.
An outsider wouldn't know, but for us it's obvious Spycar is based on our SysGuard which goes Mark Russinovich one better in that it doesn't need any drivers to operate.
SysGuard is a sophisticated application which flags potentially dangerous (suspect) changes to the Windows Registry and the physical disk storage. It uses special hook mechanisms David Cutler wrote into Windows 'user land' code. Liston has no inkling of the existence of these hooks and how they work. Spycar is a direct adaptation (theft) of this code put into dozens of silly standalone modules so organised as to impress the unwitting user. Spycar is stolen code.
What we know, Spycar - despite Liston's lofty claims - is not 'open source', but if it were - if we were able to subpoena a copy of that source - we know what we would find. Whether we push matters that far is something we're not sure we want to do, but hearing about his latest 'jippo' has us infuriated to say the least.
Liston is not a Windows programmer. Not only doesn't he have the chops, but also he can't stay on the wagon long enough to learn anything. He was given a copy of our (rather expensive) Windows programming course for free and was supposed to follow along with that term's other students, but the bottle let him down about two weeks into it: he just dropped it and refused to get back to us on what had happened.
Liston cannot program Windows and in fact knows precious little about it. His Outbound and related utilities which received so much press at the time were written by me. All he provided was the raw packet stuff which he did with a standard packet crafting library from Unix.
We've seen examples of Liston's 'Windows programming' and they are pathetic to say the least.
All the esoteric intrinsics of how you watch for 'intrusions' into the 'guts' of Windows come from our (proprietary) code. All the 'finesses' of how you -really- build Windows applications - the kind of thing that made our XPT famous and in a class of its own - come from proprietary XPT code, amassed and assimilated over many years by many skilled programmers - Liston's just 'lifted' it and copied it into his latest project (which he hopes, it would seem, will finally make him famous).
Shortly before I became ill with West Nile (and before Sydney and I learned of his 'condition') we had discussions with him about his joining the Radsoft team. The terms offered were lucrative to say the least.
- He (Liston) would write at least one Windows 'killer app' on his own. He already had the course materials and we would 'help' him without compromising 'integrity'. The application would still have to be his own. With this application announced, we would also announce (through press release) that he had become a member of the team.
Shortly afterwards I succumbed to West Nile. Sydney went into my TiBook and began mailing people on the list, telling them of what happened. Liston, always eager to help (at least for a while) and appear the white knight, offered to come to the rescue.
His first idea was to reverse engineer key components of the XPT so he could continue to offer new licence upgrades to customers. This project failed grandiosely, in part because the XPT is engineered to make reverse engineering on this scale impossible.
But to attempt this feat, he went to Kagi and bought a new licence of the XPT on his own credit card in order to compare his own copy with the new copy he received. This of course resulted in nothing.
His next idea was to fly down to meet with Sydney and poke around on one of our Windows computers. This never got farther than being yet another 'Liston idea'.
His next idea was to have Sydney extract the hard drive from one of the Windows computers and run it over to a contact of his in Sydney's vicinity who could copy it and send it to Liston. The contact refused to do this without my written permission, and I was in a coma, so that was impossible.
His next idea was to have Sydney herself extract the hard drive and send it to Liston. Liston would circumvent the 'interdit' his contact had felt in this way. Liston would copy the hard drive and send it back to Sydney. At this time Sydney's parents came to visit and her father helped her hook up the hard drive again.
At this point Liston had not only the complete source code to the XPT but an entire hard drive with all ancillary header files, extra software, and libraries.
There were two or three things that he actually did. He flagged two domains of ours that were on their way to running out and kept them going. He also helped Sydney set up a domain of her own for later use.
When I later recovered I had many talks with Liston. My condition was still not good and I was not capable of a lot of work. If tricky questions did come in to the support lines, I might be the only one to answer them. But otherwise there were a lot of day to day routines that I simply could not handle.
Liston had yet to write his 'killer app' to officially become a member of the organisation, but he was to handle some of the monthly routines. I simply could not sit for very long and thus could not do these. Liston's part of the bargain was thus to send out mail to all new customers at the end of every month. This was a one time thing and extremely important, not in the least because of the reputation of the company. Radsoft had never reneged or been tardy in fulfilling obligations. Not a single time. NEVER.
From: XPT Customer
I received a message from a 'Tom Liston'. I replied but I never got a response.
To: Tom Liston
Subject: It'd be nice...
To hear even a murmur from you - even an 'I'm bogged down'. The mailbox is swamped.
Already in the first few months customer complaints came in. Where were the updates they had expected? We contacted Liston. Gee whiz, he'd write, I am sorry, I forgot. This was business and trust, we reminded him, there is no 'sorry'. You are threatening to ruin our reputation, we told him. He promised it would never happen again and yet it did happen again - and each time it got worse than the time before. Clearly this individual was not at all dependable for even trivial tasks as those we had assigned to him.
Without his so much as deserving a penny of it, I sent him a no-strings cheque for US$500 that Xmas. Without a word of remorse or anything else, he simply wrote back 'thanks' and continued to screw up on all his responsibilities as before. It was impossible to get through to him - and it was costly too.
An investigation of the executables offered at the Spycar website proves Liston is using 'optimisations' and 'tricks' he would not have known about without having access to our XPT source code. Amongst other things, and above and beyond all that is mentioned above, he is using our own special entry/exit code and our own methods for 'optimising' 'Windows resources' which require working without Microsoft's own resource editing tools. Our estimation is these are all obvious instances of IP theft and copyright violations.
Things got so bad that we were so completely flustered that we couldn't even bother writing to him anymore. There would be weeks where none of our mail was answered and we had no clue what he had done or not done - and then all of a sudden, out of the blue, he'd write to say something as provocative as 'hi, I haven't heard from you in a long time, what's up'. And considering our customers were again getting ripped off because of him, we really wanted to tell him what the F was up. So it got so bad we couldn't even answer any of his inane letters anymore.
There was a six week period where we just couldn't handle him. Most evenings Sydney and I would sit out under the stars and just try to figure out what to do with him. It was impossible. Clearly the individual was way beyond control - his own control. It was about now we realised there was a severe problem with the type of bottle that had '80 proof' on the label - something he later corroborated in a long 'sob' letter he wrote.
We had our 'E-E Refuge Stampede' at the turn of the year. The horrendous E-E people were evidently hurting and sent out a mass emailer to all their customers and anyone whose address they'd harvested telling them what a bunch of bastards Radsoft were. This ploy had the opposite of the intended effect. As most E-E customers hated the E-E people, they rushed to the Radsoft site to buy our E3 Security Kit instead. 'The enemy of my enemy is my friend'.
There was a period of fourteen or fifteen days there where I hardly slept a wink; where I could not shower or shave; where I was a total fucking mess: that's how much work there was. And where was Liston for all this time? Exactly: he just coyly disappeared until the worst of it was over.
And then we announced our free 'E-E Removal Tool'. I have to point out a few things here. One: Liston knew fully how sick I was. He knew fully I could not work for very long. He knew that if I tried to sit up and work I would be virtually crippled for days on end again afterwards.
Liston was supposed to write the 'E-E Removal Tool'. I wrote to him and told him how to do it. I guess he was too drunk to do a thing.
People started clamouring for the tool. Like fools we had taken Liston at his word and trusted he would do this. He did not. Pressure was building. In the end I had to do it myself.
The entire exercise took only a few hours, but those hours were debilitating: after the session was over, Sydney had to literally lift me out of my chair and put me back on the bed - my legs had again ceased to function. Completely. I was again a cripple and the pain for days was excruciating.
Now that the 'E-E Removal Tool' was out there, Liston announced a new 'super tool' of his own. Oh the specs for this were grandiose - but I could see holes in his thinking already. And I tried to talk to him about it. But he wouldn't listen.
Still and all - and this is very important - he promised all our customers to have this new super tool ready in a matter of days.
It doesn't take a lot of brain power to realise that this tool never materialised. Talk about embarrassment. Customers wrote and asked about it. What were we to say? Customers wrote to say they were ready to wipe and reinstall to get rid of E-E but they wanted to test Liston's super tool first - where was the tool? What were we to say?
Over the months (years) Liston was involved he had several dozen grandiose projects he announced to us (and sometimes to our customers). They were always fanciful ideas, lofty in their ambitions and most often ridiculous in their assumptions. Not a single one of these projects ever came to fruition. Not a one.
One example was the CD based hard drive shredder. Liston already had the (Gutmann) shredding code from our E3 Security Kit and the SPX application. He was to do the research to make a bootable Linux (Knoppix) CD and put a command line version of our E3/SPX Gutmann shredder on there. 'Pffft'.
Note: Liston never announces that he won't be following through on his pipe dream projects; he never apologises to our customers; he just forgets them - he just lets them drop. And if you write and ask what's happening - no answer. Write it off to the bottle.
Liston was now working more with SANS. Anytime there's an emergency, Liston will be there to lend a helping hand and win a medal for valour. Just don't depend on him sticking around long and showing responsibility.
He's on his way down to Florida for a SANS conference. All these SANS hackers are going to sit around and hack a network they set up.
Liston HAS OUR XPT SOURCE CODE. He wants permission to use that to create a special FREE utility for all his SANS friends. On the one hand we think it's boggling: here we have all these hackers who can afford to travel to Florida and stay at expensive hotels - but they can't afford to buy a software program?
Stupid as we were, we said 'yes'. He built this program and got in SANS' good graces with that. Since then he's been seen doing more work for SANS. This type of work evidently works for him because it doesn't require day to day responsibilities. He can still squeeze in the odd guzzling on his off days.
Liston was also part of a promotion campaign we were to have with Erin's NetLingo. We were to become a sponsor of NetLingo. We liked Erin because I got a term in her book: 'dag-tag'. It was the great Sargon who'd suggested I write to her. She loved it and put it in her book. We talked about a collaboration. We were in essence that far down the road and ready to run.
Liston came up with the banner ads. Sorry, but he's not the artist. He made a bunch of animated GIF ads that had Sydney and myself - and Erin at NetLingo - really irritated just looking at them.
Liston was also the one in charge of creating the up-sell link pages from NetLingo. It was now we saw what a sloppy worker Liston was. His HTML coding was horrendous. Sydney and I were starting to seriously doubt Liston was an advantage.
On the one hand he had at least tried (without succeeding) to help when I was sick; on the other hand all the possible good he'd at least tried to accomplish was more than offset by his reprehensible irresponsible behaviour since. We couldn't really bring ourselves to tell him 'get lost you lush' but we couldn't keep him on either. In the end we had to let him go.
The punch line: actually there are several.
- As soon as I got back from the hospital I wrote to him and told him to get a refund for that XPT licence he'd bought. Over a period of SEVERAL MONTHS I kept reminding him. He never got around to it. Perhaps he was too drunk. So we lost money to a merchant for something we already had.
What Liston has done now with Spycar is not the first instance of his taking our XPT code and reworking it for his own benefit, and neither is it the first instance of his doing this in general.
In fact, his 'LaBrea' is actually a collaboration with several programmers. He came up with an idea in the wake of Code Red he called 'Code Redneck'; it didn't get very far; a French programmer took it from there and turned it into something; Liston now came, took the French programmer's code, polished it up a bit - and then took full credit for the entire project. The other people involved are not mentioned at all.
[Note the irony: if you click any of the above links, you come to a cryptic page that says the source code is no longer available because of a possible implication with the 'DMCA'; this 'code' includes code given to Liston by Radsoft. Quite the cute trick - try to hide behind the DMCA to attempt to thwart prosecution under the very same DMCA. Ed.]
Common wisdom says you can't help an alcoholic; it should also say you shouldn't trust an alcoholic to help you.