Free Republic
OSS is an easier hack: Mitnick
TECTONIC ^ | 30 January, 2006 | Jason Norwood-Young

Posted on 01/30/2006 10:21:08 AM PST by Salo

In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.

“Open source would be easier [to hack],” admits ex-hacker turned security consultant Mitnick. “It's less work.”

Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called “fuzzing”.

Fuzzing means putting fake data – such as really long strings – into portions of the application that allow user input. “You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn't validated the input. You could supply your code in a particular manner – thus tricking the application or function into executing your own code. Hackers want to execute their own code – preferably with privileges – and then they gain control.

“On the face of it, open source software is more secure,” says Mitnick. “A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?”

Mitnick does qualify his statement carefully – it's six of one and half-a-dozen of the other. “Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code,” he says diplomatically.

Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.

He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone.
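Mitnick's description of fuzzing above reduces to a loop: supply long or odd input, watch whether the call fails with an unhandled exception, and treat such a failure as a sign of missing input validation. The Python below is an added illustration written for this page, not code from the article or from Mitnick, showing an unvalidated parser crashing on most of a small corpus beside the same parser with explicit checks rejecting every bad input deliberately; the "name:age" parser, the InvalidRecord class, MAX_LEN and the sample inputs are all constructed.

```python
import re
from typing import Callable, Iterable, List, Tuple

MAX_LEN = 64  # constructed limit for one "name:age" record


class InvalidRecord(ValueError):
    """Raised on purpose by the checked parser when it rejects input."""


def parse_record_unchecked(data: str) -> dict:
    """Constructed target that trusts its input completely."""
    name, age = data.split(":")             # fails on 0 or 2+ separators
    return {"name": name, "age": int(age)}  # fails on a non-numeric age


def parse_record_checked(data: str) -> dict:
    """Same parser; every malformed input becomes a deliberate rejection."""
    if not isinstance(data, str) or len(data) > MAX_LEN:
        raise InvalidRecord("not text, or longer than MAX_LEN")
    parts = data.split(":")
    if len(parts) != 2 or not parts[0] or not re.fullmatch(r"[0-9]+", parts[1]):
        raise InvalidRecord("expected name:age with a plain decimal age")
    return {"name": parts[0], "age": int(parts[1])}


def fuzz_inputs() -> Iterable[str]:
    """Constructed corpus: the 'really long strings' plus odd shapes."""
    yield "alice:30"            # well-formed control case
    yield "A" * 100_000         # very long, no separator at all
    yield "bob:" + "9" * 3000   # very long but still a valid shape
    yield "a:b:c"               # too many fields
    yield ":"                   # both fields empty
    yield "eve:\x00"            # embedded NUL in the age field
    yield "mallory:-1e9"        # not a plain decimal


def fuzz(target: Callable[[str], dict]) -> List[Tuple[str, str]]:
    """Collect unhandled exceptions; a deliberate InvalidRecord is a correct
    rejection, anything else escaping is the sign that validation is missing."""
    crashes = []
    for sample in fuzz_inputs():
        try:
            target(sample)
        except InvalidRecord:
            continue
        except Exception as exc:  # a fuzzer wants to see every failure
            crashes.append((sample[:16], type(exc).__name__))
    return crashes
```

Running `fuzz(parse_record_unchecked)` lists five crashing inputs, while `fuzz(parse_record_checked)` returns an empty list because every bad input is rejected on purpose.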


TOPICS: Crime/Corruption; Technical
KEYWORDS: linux; microsoft; oss; security; windows
To: Golden Eagle
"If you have a source that provides serious studies of quantifiable good eyes versus bad eyes let's see it, but random claims of sociology aren't helping you when I gave a link showing previous attempts to document the claims have failed."

Can I provide a source---not without doing a lot of homework. Have serious studies been done---definitely. If I get a minute or three, I'll see what I can find.

41 posted on 01/31/2006 9:55:22 AM PST by Wonder Warthog (The Hog of Steel)
[ Post Reply | Private Reply | To 39 | View Replies]

To: ShadowAce
Where does Bugzilla quantify who exactly is looking, how frequently they are looking, and what did they find both good and bad? It looks to me like nothing more than a huge bulletin board with random posts of bugs, take a look at the bugzilla apache site.

http://issues.apache.org/bugzilla/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=&content=

The naked eye indicates 90+% of the inputs for apache are by apache personnel. How is this supposedly proving that there are many good eyes outside of the original development group? Isn't that a tremendously small group of people considering how widely that software is used?

Shouldn't there be lots and lots of other "good eyes" reviewing that code for vulnerabilities? But right now it looks pretty convincingly like good eyes = ~original dev team, and nothing more.
42 posted on 01/31/2006 10:48:42 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 40 | View Replies]

To: zeugma

He actually wrote a book about how to guard against social engineering attacks. Pretty good, IMHO.

The Art of Deception, or something like that.


43 posted on 01/31/2006 11:17:10 AM PST by Constantine XIII
[ Post Reply | Private Reply | To 12 | View Replies]

To: Golden Eagle
The naked eye indicates 90+% of the inputs for apache are by for apache personnel.

Fixed it, since you don't know what the word "Assignee" means.

44 posted on 01/31/2006 12:01:50 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 42 | View Replies]

To: zeugma
Social Engineering can be an art form all its own, but it is not really 'hacking' in the negative sense.

Oh, it's most definitely hacking, but it's not at all technical. I think the attitude many system architects have about social engineering being not all that much of a worry causes huge problems for business.

Keep in mind hacking is not really a negative term; some people are paid good money for a black-box hack by the people who want to secure their systems.

45 posted on 01/31/2006 12:40:51 PM PST by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 12 | View Replies]

To: DallasMike
If I were the CIO for a big company with sensitive information, patching operating systems would be way down on my list of how to protect the data.

Except that patching is low-hanging fruit.

46 posted on 01/31/2006 12:43:15 PM PST by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 24 | View Replies]

To: N3WBI3
I think the attitude many system architects have about social engineering being not all that much of a worry causes huge problems for business.

Absolutely agreed. It's much harder to engineer people than devices though :-)

Keep in mind hacking is not really a negative term; some people are paid good money for a black-box hack by the people who want to secure their systems.

Absolutely. I've done some of that myself against systems I'm responsible for. You really have to look at security from both sides in order to understand all sides of the issues.

47 posted on 01/31/2006 1:49:20 PM PST by zeugma (Muslims are varelse...)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Salo

If I wanted to make a name for myself in the hacking community, it seems the only way to impress them is by going after closed source.


48 posted on 01/31/2006 3:02:38 PM PST by JoJo Gunn (Help control the Leftist population. Have them spayed or neutered. ©)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
Fixed it

LOL, who do you think you're trying to fool? Earlier today down at the bottom there was an entry from some guy that works for Haliburton, his entry was "web server crashing". They've since deleted it, but obviously that guy was not assigned that problem to correct.

Looking at the list closer, it's about ~99% people associated with apache.org. That's hardly a diverse set of good eyes.

49 posted on 01/31/2006 4:51:27 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 44 | View Replies]

To: Golden Eagle
Looking at the list closer, it's about ~99% people associated with apache.org.

Exactly. Imagine, if you will, a world in which people at apache are the ones assigned to fix the problems found and reported on bugzilla/apache.

Ssh--don't tell anyone, but the list of bugs over at Mozilla has (gasp!) mozilla people assigned to them!

The list you are looking at does not reference those people who are looking for the bugs--only those who are fixing the bugs.

Do you now understand what "Assignee" means?

50 posted on 02/01/2006 6:38:28 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 49 | View Replies]

To: ShadowAce

So the guy from Haliburton yesterday was assigned to fix his "web server crashing" problem? Laughable.


51 posted on 02/01/2006 7:06:59 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 50 | View Replies]

To: Golden Eagle
Laughable.

What's laughable is that you're claiming something without proof--yet again.

52 posted on 02/01/2006 7:20:20 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 51 | View Replies]

To: ShadowAce

Here it is, simply re-sort to include closed items. Look near the bottom, you'll see an entry from a guy working for Haliburton, issue is Windows 2000 Server Hanging. You're trying to tell me he was assigned to fix that? LMAO!

http://issues.apache.org/bugzilla/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__all__&product=&content=


53 posted on 02/01/2006 8:17:22 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 52 | View Replies]

To: Golden Eagle
Look near the bottom,...

You'll have to be more specific. I've searched for "Haliburton", "Web Server", and looked through a few hundred bugs on that link you sent me. No hits.

Just tell me the bug number. I'll find it then.

54 posted on 02/01/2006 8:40:13 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 53 | View Replies]

To: ShadowAce

Scroll to the bottom, then go up about 15 entries. Yesterday it was on the active page, assignee was the guy from Haliburton, which you're insisting meant he was supposed to fix it LOL. Funniest of all is that many if not most of these "bug reports" have nothing to do with looking over source code, which is why you referenced it to begin with.


55 posted on 02/01/2006 8:52:23 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 54 | View Replies]

To: Golden Eagle

Nope--not there. You're dreaming again.


56 posted on 02/01/2006 8:55:06 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 55 | View Replies]

To: Golden Eagle
OK--I finally found it. (rolls eyes)

So the guy from Haliburton yesterday was assigned to fix his "web server crashing" problem? Laughable.

Yes. He was assigned to it because his "problem" wasn't a bug--it was a support issue. Assignees change as the issue becomes more known.

What you are seeing is the final resolution and the final responsible party. Not the initial one.

57 posted on 02/01/2006 9:51:14 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 55 | View Replies]

To: ShadowAce

Yes it is, and has been all along. Some people are just hopelessly inept.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38463


58 posted on 02/01/2006 9:54:23 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 56 | View Replies]

To: ShadowAce

I reported the listing to you yesterday, when it was still active. Yet you denied, insulted, attempted to define "assigned to", etc etc etc, all of which were wrong. You might as well admit it, you have no proof regarding the number of good eyes versus bad eyes, nor will you ever.


59 posted on 02/01/2006 10:03:11 AM PST by Golden Eagle
[ Post Reply | Private Reply | To 57 | View Replies]

To: Golden Eagle
Yet you denied, insulted, attempted to define "assigned to", etc etc etc, all of which were wrong.

I have admitted I found the bug report. I still stand by what "assignee" means. The activity log of this bug backs me up.

Face it--you're arguing just for the sake of arguing, and with no experience in the system you're trying to denigrate. I've got actual experience with bugzilla, and I know what I'm talking about.

You, obvious to everyone reading this, do not.

60 posted on 02/01/2006 10:10:56 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 59 | View Replies]
