Posted on 01/30/2006 10:21:08 AM PST by Salo
In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.
"Open source would be easier [to hack]," admits ex-hacker turned security consultant Mitnick. "It's less work."
Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called fuzzing.
"Fuzzing means putting fake data, such as really long strings, into portions of the application that allow user input. You want to make that function call fail. Does it cause an exception? If it does, then the programmer probably hasn't validated the input. You could supply your code in a particular manner, thus tricking the application or function into executing your own code. Hackers want to execute their own code, preferably with privileges, and then they gain control."
"On the face of it, open source software is more secure," says Mitnick. "A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt to find security holes. But are enough people really interested?"
Mitnick does qualify his statement carefully: "It's six of one and half-a-dozen of the other. Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code," he says diplomatically.
Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.
He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone.
The whole point of one of his books, maybe the first one (I'm not getting recall on the title just now), was all about how social engineering was the greater risk, and it's a point well taken.
Every system and every organization is vulnerable to the social engineering approach. It's more dependable and often a faster way in than probing around for a technical hack.
It was an excellent read.
I seem to recall that he was a social-hacker. That is, he would schmooze a secretary or front-desk person into getting him access, passwords, etc.
(Kind of like the Matthew Broderick character in War Games. He got himself sent to the principal's office, b/c he knew where they wrote down the passwords.)
(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")
I used to code software for an IT security company. Despite all of the arguments about the quality of Windows versus Linux etc., most real security exploits have nothing to do with things like patches but rather with things like careless passwords and disgruntled employees. If I were the CIO for a big company with sensitive information, patching operating systems would be way down on my list of how to protect the data.
Mitnick is NOT this kind of hacker. In his successful cracks, he either used social engineering or already-known backdoors, hacks and default passwords. He is also a master at hacking a phone switch.
But he probably is not himself capable of looking through code to find vulnerabilities.
I believe in one heist he walked into PacBell's phone center by schmoozing a security guard, and got all the passwords and numbers for the system.
He also forgets that people have disassemblers and can look at what the code does.
On a tangent, disassemblers are the main way OSS authors can find out if closed-source applications have stolen their code.
"I seem to recall that Mitnick was not nearly as good as he claimed to be--someone said there are IRC transcripts where ol' Mitnick is asking other people to compile and link his exploit code for him, because he didn't know how."
Yup. He was a pretty decent hacker back in the day... when it came to VAX/VMS. *Not* UNIX.
"If I were the CIO for a big company with sensitive information, patching operating systems would be way down on my list of how to protect the data."
That's kinda silly. Platform bugs are the easiest to fix. Just get a decent multi-platform patch management system in place and keep stuff up to date.
Unpatched boxes are child's play to own. Literally. Go look at "Metasploit" to see why.
"He also forgets that people have disassemblers and can look at what the code does."
Plus, fuzzing is just plain easier. You can set up your fuzzing tool and let 'er rip while you go and do something else. SPIKE is a nifty tool for this. You can teach it how to test proprietary protocols, too.
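Both Mitnick's description of fuzzing in the article (long strings into user-input paths, watch for an exception that betrays missing validation) and the SPIKE comment above describe the same loop. The harness below is an added illustration, not code from the article, the thread or the SPIKE project: it runs a constructed, unvalidated "key=value" parser and its hardened twin against boundary inputs plus seeded random mutations, and reports which exception types each one leaks.

```python
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed target: a parser written with no input validation, the
# situation Mitnick describes. Every assumption in it can be made to fail.
def parse_record_unvalidated(line: str) -> Tuple[str, int]:
    key, value = line.split("=")   # raises on zero or several '=' characters
    return key, int(value)         # raises on non-numeric or oversized values

# Hardened version of the same parser: each assumption is checked first.
def parse_record_validated(line: str) -> Optional[Tuple[str, int]]:
    if len(line) > 256 or "=" not in line:
        return None
    key, _, value = line.partition("=")
    if not key.isidentifier() or not value.isdecimal():
        return None
    return key, int(value)

def generate_cases(seed: int = 1, n: int = 200) -> List[str]:
    """Boundary inputs plus seeded mutations of one valid record."""
    rng = random.Random(seed)  # seeded so a failing case can be replayed
    cases = ["", "=", "a=", "=1", "a=1=2", "a=" + "9" * 5000,
             "A" * 100_000, "a=\u00e9"]
    alphabet = "abc=019 \x00\n%"
    for _ in range(n):
        base = list("name=42")
        for _ in range(rng.randint(1, 6)):
            op = rng.randint(0, 2)
            pos = rng.randrange(len(base)) if base else 0
            if op == 0 and base:
                del base[pos]                                  # drop a char
            elif op == 1:
                base.insert(pos, rng.choice(alphabet))          # inject a char
            else:
                base[pos:pos] = rng.choice(alphabet) * rng.randint(10, 4000)
        cases.append("".join(base))
    return cases

def fuzz(target: Callable[[str], object], cases: List[str]) -> Dict[str, str]:
    """Return {exception type name: first (truncated) input that caused it}."""
    crashes: Dict[str, str] = {}
    for case in cases:
        try:
            target(case)
        except Exception as exc:   # any uncaught exception is a finding
            crashes.setdefault(type(exc).__name__, case[:40])
    return crashes

if __name__ == "__main__":
    cases = generate_cases()
    print("unvalidated:", fuzz(parse_record_unvalidated, cases))
    print("validated:  ", fuzz(parse_record_validated, cases))
```

The validated parser turns every malformed input into a `None` return instead of an exception, which is the property a fuzz run checks for; a real harness would watch for crashes and hangs in the same way.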
Platform bugs aren't necessarily all that easy to fix. Some require reboots, some are huge and chew up bandwidth, and you have other issues to deal with as well, such as what to do about laptops that dial into the system and aren't up to date. If Road Warrior Bob is on the cusp of a big deal selling widgets to Beijing and needs to send a spreadsheet to headquarters but the system won't let him log in until he's downloaded a 25 MB patch -- on a 56 bps modem with an iffy connection -- then you have problems.
"Platform bugs aren't necessarily all that easy to fix. Some require reboots, some are huge and chew up bandwidth, and you have other issues to deal with as well, such as what to do about laptops that dial into the system and aren't up to date. If Road Warrior Bob is on the cusp of a big deal selling widgets to Beijing and needs to send a spreadsheet to headquarters but the system won't let him log in until he's downloaded a 25 MB patch -- on a 56 bps modem with an iffy connection -- then you have problems."
Sure. Laptops are always a problem. Sure, some patches on some production systems might need a reboot which you'd have to schedule. Boo freaking hoo. If the box is that important, then leaving it unpatched is worse than taking the time to test the patch and deploy it and (possibly) reboot. It's a relatively easy win.
On UNIX you only need to reboot when you upgrade your kernel. Windows used to require a reboot just to change your IP address.
He was interesting to talk to, but even then he seemed to be capitalizing on his infamy.
Mitnick was an accomplished hacker precisely because of his versatility. While he might not have been the most talented hacker, technically, his understanding of large organizational structures got him a lot further than purely technical exploits (which he was still pretty good at) would have.
Well, since the source code is already wide open, why wouldn't it be? Especially since there's no definitive proof whatsoever that "good eyes" is even 1/10th the number of "bad eyes", it's a total unknown and always will be.
Here are some things we can quantify, however:
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=177105109&cid=ChannelWebNews
Simply not true. The "programmer community" IS a human institution, after all, and all the rules of sociology apply. In ANY human institution, the "good guys" outnumber the "bad guys" by a typical 10:1 margin. Problems occur when the "organization" re-defines the rules as to what constitutes a "good guy" (street gangs, the Mafia, etc.).
It's never been quantified and it never will be because it can't be. We do know this however...
http://www.securityfocus.com/news/7947
Unless you are willing to say the programmers aren't human, you are wrong. Sociology has investigated this kind of phenomenon for years, and it is why, for instance, "must-issue" concealed carry works to prevent crime.
If you have a source that provides serious studies of quantifiable good eyes versus bad eyes, let's see it, but random claims of sociology aren't helping you when I gave a link showing previous attempts to document the claims have failed.
You don't even understand your own links, do you? You gave a 2-year-old link showing that a particular model of bug-finding doesn't work--not that bug-finding by the public doesn't work. For a more current, but different, model of people finding bugs, I suggest you check out Bugzilla. It's being used at Mozilla, Ximian, Gnome, and NeoOffice, just to name a few.
You merely pointed out a business model that didn't work out.