Posted on 01/30/2006 10:21:08 AM PST by Salo
In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.
Open source would be easier [to hack], admits ex-hacker turned security consultant Mitnick. It's less work.
Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called fuzzing.
Fuzzing means putting fake data such as really long strings into portions of the application that allow user input. You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn't validated the input. You could supply your code in a particular manner thus tricking the application or function into executing your own code. Hackers want to execute their own code preferably with privileges and then they gain control.
On the face of it, open source software is more secure, says Mitnick. A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?
Mitnick does qualify his statement carefully - it's six of one and half-a-dozen of the other. Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code, he says diplomatically.
Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.
He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone.
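The fuzzing described in the article (feed a function over-long or malformed input and see whether it raises, which signals missing validation) as an added example that is not from the article or the thread. The record format, the parsers and the mutation strategy are all constructed for this illustration; the harness counts uncaught exceptions so the unvalidated parser and its validated counterpart can be compared directly.

```python
import random
import string
from typing import Callable, Optional

# Constructed toy record format for this example: "name=<text>;age=<digits>".
MAX_NAME = 32  # size of the fixed buffer the unvalidated parser copies the name into


def parse_unvalidated(data: str) -> dict:
    """Trusts its input: every deviation from the format surfaces as an uncaught exception."""
    name_part, age_part = data.split(";")        # ValueError unless exactly one ';'
    name = name_part.split("=")[1]               # IndexError if '=' is missing
    age = int(age_part.split("=")[1])            # ValueError on non-digits
    buf = bytearray(MAX_NAME)
    memoryview(buf)[:len(name)] = name.encode()  # ValueError: a long name overflows the buffer
    return {"name": buf.rstrip(b"\x00").decode(), "age": age}


def parse_validated(data: str) -> Optional[dict]:
    """Same format with every assumption checked; bad input yields None, never an exception."""
    parts = data.split(";")
    if len(parts) != 2 or not parts[0].startswith("name=") or not parts[1].startswith("age="):
        return None
    name, age_s = parts[0][5:], parts[1][4:]
    if not (1 <= len(name) <= MAX_NAME and name.isascii() and name.isprintable()):
        return None
    if not (age_s.isascii() and age_s.isdigit()) or int(age_s) > 150:
        return None
    return {"name": name, "age": int(age_s)}


def mutate(seed: str, rng: random.Random) -> str:
    """One fuzz case from a valid seed: a very long field, a dropped character, or inserted junk."""
    kind = rng.randrange(3)
    if kind == 0:
        return "name=" + "A" * rng.randrange(MAX_NAME + 1, 4096) + ";age=30"
    i = rng.randrange(len(seed))
    if kind == 1:
        return seed[:i] + seed[i + 1:]            # may delete the '=' or ';' the parser relies on
    junk = "".join(rng.choice(string.printable) for _ in range(rng.randrange(1, 8)))
    return seed[:i] + junk + seed[i:]


def fuzz(parser: Callable[[str], object], iterations: int = 300, seed: int = 1) -> dict:
    """Feed mutated inputs to the parser and count uncaught exceptions by exception type."""
    rng = random.Random(seed)
    crashes: dict = {}
    for _ in range(iterations):
        try:
            parser(mutate("name=alice;age=30", rng))
        except Exception as exc:                  # an uncaught exception means unvalidated input
            crashes[type(exc).__name__] = crashes.get(type(exc).__name__, 0) + 1
    return crashes
```

Running `fuzz(parse_unvalidated)` reports ValueError and IndexError counts, while `fuzz(parse_validated)` returns an empty dict; the same harness approach (mutate, run, watch for crashes) is what a developer uses on their own code before release.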
Can I provide a source---not without doing a lot of homework. Have serious studies been done---definitely. If I get a minute or three, I'll see what I can find.
He actually wrote a book about how to guard against social engineering attacks. Pretty good, IMHO.
The Art of Deception, or something like that.
Fixed it, since you don't know what the word "Asignee" means.
Oh, it's most definitely hacking, but it's not at all technical. I think the attitude many system architects have about social engineering being not all that much of a worry causes huge problems for business.
Keep in mind hacking is not really a negative term; some people are paid good money for a black-box hack by the people who want to secure their systems.
Except that patching is low-hanging fruit.
Absolutely agreed. It's much harder to engineer people than devices though :-)
Keep in mind hacking is not really a negative term; some people are paid good money for a black-box hack by the people who want to secure their systems.
Absolutely. I've done some of that myself against systems I'm responsible for. You really have to look at security from both sides in order to understand all sides of the issues.
If I wanted to make a name for myself in the hacking community, it seems the only way to impress them is by going after closed source.
LOL, who do you think you're trying to fool? Earlier today down at the bottom there was an entry from some guy that works for Haliburton, his entry was "web server crashing". They've since deleted it, but obviously that guy was not assigned that problem to correct.
Looking at the list closer, it's about ~99% people associated with apache.org. That's hardly a diverse set of good eyes.
Exactly. Imagine, if you will, a world in which people at apache are the ones assigned to fix the problems found and reported on bugzilla/apache.
Ssh--don't tell anyone, but the list of bugs over at Mozilla has (gasp!) mozilla people assigned to them!
The list you are looking at does not reference those people who are looking for the bugs--only those who are fixing the bugs.
Do you now understand what "Assignee" means?
So the guy from Haliburton yesterday was assigned to fix his "web server crashing" problem? Laughable.
What's laughable is that you're claiming something without proof--yet again.
Here it is, simply re-sort to include closed items. Look near the bottom, you'll see an entry from a guy working for Haliburton, issue is Windows 2000 Server Hanging. You're trying to tell me he was assigned to fix that? LMAO!
http://issues.apache.org/bugzilla/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__all__&product=&content=
You'll have to be more specific. I've searched for "Haliburton", "Web Server", and looked through a few hundred bugs on that link you sent me. No hits.
Just tell me the bug number. I'll find it then.
Scroll to the bottom, then go up about 15 entries. Yesterday it was on the active page, assignee was the guy from Haliburton, which you're insisting meant he was supposed to fix it LOL. Funniest of all is that many, if not most, of these "bug reports" have nothing to do with looking over source code, which is why you referenced it to begin with.
Nope--not there. You're dreaming again.
So the guy from Haliburton yesterday was assigned to fix his "web server crashing" problem? Laughable.
Yes. He was assigned to it because his "problem" wasn't a bug--it was a support issue. Assignees change as the issue becomes more known.
What you are seeing is the final resolution and the final responsible party. Not the initial one.
Yes it is, and has been all along. Some people are just hopelessly inept.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38463
I reported the listing to you yesterday, when it was still active. Yet you denied, insulted, attempted to define "assigned to", etc etc etc, all of which were wrong. You might as well admit it, you have no proof regarding the number of good eyes versus bad eyes, nor will you ever.
I have admitted I found the bug report. I still stand by what "assignee" means. The activity log of this bug backs me up.
Face it--you're arguing just for the sake of arguing, and with no experience in the system you're trying to denigrate. I've got actual experience with bugzilla, and I know what I'm talking about.
You, obvious to everyone reading this, do not.