Ask Fyodor Your Network Security Questions

Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us.

Assurance, not blocking attacks

[Frater+219]

It seems to me that security efforts have focused too strongly on detecting and blocking known categories of attacks, rather than on creating systems which are secure against innovative future attacks. There are projects for which this isn't the case, such as OpenSSH (and OpenBSD in general), but the preponderance of security work seems to be profoundly backward-looking.

Naturally, fighting in the dirt with the black hats is a lot "sexier" and more entertaining than building highly robust and reliable systems which will guarantee future security. The popularity of honeypots with security hobbyists (as opposed to researchers) seems to be a result of this: people enjoy seeing the attacker flummoxed, feeling superior to him, defeating him. Yet this doesn't really result in the improvement of security against new attacks, and it arguably distracts from that purpose.

I'm interested to know where you see progress in security assurance, as opposed to scanning or blocking of old, known attacks. Who else, besides OpenBSD, is in the camp of improving the guarantees that systems provide their users: guarantees such as W^X, packet normalization, and so forth?

Re:Weakest link: Between systems and people

[JoeBuck]

Users tend to ignore such warnings because similar warnings appear far too often for invalid reasons. This is not a new problem; Aesop wrote about the boy who cried wolf.

Re:Super-DMCA

[Doug+Neal]

What do you think his opinion is? That it's a super great idea?

FFS, what a stupid question ;)

Re:Have you ever been tempted to use your gifts

This is a moot question. In 2002, Fyodor was the victim of an impersonation attack by a Slashdot user who was posing as a woman. Fyodor sent an email to the fake "woman" in an attempt to solicit further conversation and a possible meeting. When the hoax was revealed, the hoaxer insulted fyodor (I believe the word was "wanker").

Fyodor responded by using information disclosure vulnerabilities in yahoo email to find the originating IP address of the Slashdot prankster (SumDeusExMachine) who was at the time a college student based on the Pacific coast. SDEM was using an open X server for windows, MI/X, with no security enabled. Fyodor quickly scanned SDEM's box, found the open X server, and attached to it, monitoring SDEM's life for nine hours. He took many screen shots of SDEM's machine and posted them to his web site, insecure.org.

A lot of personal information was revealed in these screenshots, including the existence and ip address of a "secret troll irc server", which was running an irc bot capable of tracking and posting new stories. Jamie McCarthy used the information disclosed by Fyodor's attack to log onto this server, discover the new-story-bot, and modify Slashdot to break the troll's new-story-robot.

So in short, Fyodor has an open record of malicious entry, and Slashdot's admins have used the information he has gleaned to combat Slashdot trolling.

What you have to understand is that illegal and malicious hacking won't land you in jail. The FBI won't prosecute interstate computer hacking unless there are $5000 or more in damages. In this case, there were no damages, rending the "crime" unprosecuteable. Whether this makes the perpetrator a whitehat, greyhat, or blackhat is an exercise for the reader.