Mitnick on OSS
comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering questions if enough people are really interested in securing open source code."
In other news, it's easier to see where you are going when you have your eyes open.
I figured I'd add a little more to how "fuzzing" works as the article left me a little disappointed as to what it actually is. There are a few things online about it, including a decent white paper written by Ilja van Sprundel. There's also a large amount of fuzzing going on to test the security of WAP. It's basically the standard buffer overflow attack.
... silently idling waiting to do its malicious purpose ...
The crux of this attack is using a buffer overflow to gain superuser privileges. This might be trivial on Windows, so I'll relay the "la/ls" story to you regarding how to gain it in Linux. The part of this trick involves figuring out how to get an executable file from your machine to another user's machine. Let's say you know some company or institution is running a webserver on their unix/linux machines from a server and you go to visit their site. Now, their code isn't completely up to date and there's a security hole in one of their web applications. You know (after toying around with said web app on your home machine) that certain large chunks of hex in a field will result in a submission that essentially writes your binary to their $HOME directory. The name of this file will be, of course, "la."
Now hopefully their home directory is like mine and it's full of crap. So they'll never notice the "la" file, but every day they use that machine, they type "ls" to display the file. One day, their finger slips and they type "la", resulting in the execution of my binary. Instantly, another executable is written, this time called "ps", and a thread is started that simply spin locks on the processor--chewing up cycles. The machine might slow or freeze, but an admin will notice this process and go into the user's directory (as root) and type "ps -al" to see all the existing processes. Instead, it executes your "ps" virus and subsequently the spinlocking stops, with "ps" printed to output and the super user killing "la" and thinking everything is fixed. In the background, however, the "ps" process is active
I'm sure there's a hundred things wrong with what I've said, I'm not a hacker--I just like to point out possible security holes.
Improbable but not impossible.
One more thing about the article, the beauty of OSS is that it is impossible to implement security through obfuscation--a major pitfall to security in application design.
My work here is dung.
Many of you may be unfamiliar with the term "fuzzing."
....
I was when I read the article and have done some research and fuzzing is:
What is fuzzing?
- Sending semi-random data to an application
- Semi-random: good enough so it'll look like valid data, bad enough so it might break stuff
- When people hear "fuzzing" they immediately think http, THERE IS MORE TO FUZZING THAN JUST HTTP !!!
- You can fuzz:
-- Network protocols
-- Network stacks
-- Arguments, signals, stdin, envvar, file descriptors,
-- APIs (syscalls, library calls)
-- Files
In general, most of the time it is a waste of time, but if you are "lucky" you could find a vulnerability and maybe with a little more research a way to exploit the code.
More information can be found at this PDF Article - http://static.23.nu/md/Pictures/FUZZING.PDF (Very Large 90+ Pages)
Windows? I haven't used that since 1999. Fix the Slashdot Problems
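A mutation fuzzer of the kind the list above describes, as an added example that is not code from the original post: it starts from a valid input in a constructed, length-prefixed record format, mutates it ("good enough to look valid, bad enough to break stuff"), and separates the parser's own rejections (ValueError) from real crashes. The naive parser trusts the length field and so reads past the end of the buffer; a bounds-checked variant is included so the same fuzzer can be shown finding nothing in it. The record format and all function names are assumptions for this example.

```python
import random
import struct

# Constructed record format for this example (not from the article):
#   1-byte type | 2-byte big-endian length | payload | 1-byte checksum
def make_record(rtype: int, payload: bytes) -> bytes:
    return (bytes([rtype]) + struct.pack(">H", len(payload)) + payload
            + bytes([sum(payload) & 0xFF]))

# Valid seed input: two well-formed records.
SEED = make_record(1, b"hello") + make_record(2, b"")


def parse_records(buf: bytes) -> list:
    """Naive parser: it trusts the length field, so a short buffer makes it
    read past the end (IndexError / struct.error) instead of rejecting the
    input cleanly. That is the kind of bug fuzzing is meant to surface."""
    records, i = [], 0
    while i < len(buf):
        rtype = buf[i]
        length = struct.unpack(">H", buf[i + 1:i + 3])[0]
        payload = buf[i + 3:i + 3 + length]
        checksum = buf[i + 3 + length]           # no bounds check here
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")     # deliberate, handled rejection
        records.append((rtype, payload))
        i += 4 + length
    return records


def parse_records_fixed(buf: bytes) -> list:
    """Same format with the missing bounds checks: malformed input is always
    reported as ValueError, never as an out-of-range read."""
    records, i = [], 0
    while i < len(buf):
        if len(buf) - i < 3:
            raise ValueError("truncated header")
        rtype = buf[i]
        length = struct.unpack(">H", buf[i + 1:i + 3])[0]
        end = i + 3 + length                     # index of the checksum byte
        if end >= len(buf):
            raise ValueError("truncated record")
        payload = buf[i + 3:end]
        if sum(payload) & 0xFF != buf[end]:
            raise ValueError("bad checksum")
        records.append((rtype, payload))
        i = end + 1
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Semi-random mutation: keeps most of a valid input so it still looks
    like the format, but damages it enough to reach the error paths."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:                          # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:                        # boundary value in one byte
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(data) > 1:               # truncate
        del data[rng.randrange(1, len(data)):]
    else:                                         # append a copy of a prefix
        data += data[:rng.randrange(len(data) + 1)] or b"\x00"
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Run the target on mutated seeds and return (exception name, input) for
    every unexpected exception. ValueError is the parser's own rejection of
    bad data, so it is not counted as a crash."""
    rng = random.Random(rng_seed)                 # fixed seed: reproducible run
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:                  # anything else is a real bug
            crashes.append((type(exc).__name__, candidate))
    return crashes


def crash_summary(crashes: list) -> dict:
    """Count crashes by exception type: the first thing a fuzzer reports."""
    summary = {}
    for name, _ in crashes:
        summary[name] = summary.get(name, 0) + 1
    return summary


if __name__ == "__main__":
    print("naive parser:", crash_summary(fuzz(parse_records, SEED)))
    print("fixed parser:", crash_summary(fuzz(parse_records_fixed, SEED)))
```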
He's got the same general (valid) outlook that the rest of us have: open-source code is easier to tinker with because you can see how and why it works. That is an intrinsic element of having open-source code.
Just because Mitnick has said what thousands - nay - millions have said before, doesn't mean it's new and exciting. Doesn't make it news.
Informatus Technologicus
One question, just for clarification, when he says: "source is more secure, but leaves you wondering questions if enough people are really interested in securing open source code." what he's saying is that it *could* be more secure, if people would care enough about security? I'm not trying to be a smartass, I'm truly confused.
What's a "sig"?
Once again proving his technical prowess!
http://religiousfreaks.com/
I wonder what he means by "prefers". Is it more fun to sit around reading someone's crappy code than to use the trial-and-error approach crackers use with closed-source software?
The empirical evidence suggests that people don't have an especial lot of trouble cracking CSS.
I guess if you have the source you can grep for reads and examine them for overflow vulnerabilities, but I wonder how much easier even that would be vs. just trying it.
Sheesh, evil *and* a jerk. -- Jade
Famous hacker says it's easier to find holes when they let you look at the source! News at 11!
:-)
Is this really all that surprising? If you've got a mentality of "how can I break this?" it's much easier to figure out how if you can look at how it's built. Unfortunately, having a hacker able to look at a system is not the same thing as having the original designers catch the issue. If you wait until hackers get ahold of it, they'll find ways to exploit the problem before the patch is in wide distribution. That's what makes this dangerous.
Thankfully, the majority of those who are looking at the code have less selfish reasons, and are happy to share any issues they see. Thus the "many-eyes" philosophy depends heavily on the good will of the common man. Personally, I wouldn't have it any other way.
Javascript + Nintendo DSi = DSiCade
> Anyone want to explain what this 'fuzzing' is?
For teenagers it means to skip shaving for a few days.
Not sure how that helps crack software, though. Maybe it gives you a 1337 look that inspires more experienced crackers to share their secrets.
Sheesh, evil *and* a jerk. -- Jade
Is it just me, or does Kevin Mitnick (I'm assuming that's Mitnick in the article) look an awful lot like a young Steve Guttenberg?
"Software Academy" coming to a theatre near you?!?
Come on now, how many times have I seen the same statement greeted with derision here?
To be honest, when you look at the incentive for securing OSS vs Closed Source code, neither one is all that enticing.
As of now, there's really no penalty with selling code that isn't secure. It's accepted (for some reason) that computer code will have holes, and you really, really have to have a horrible program before anyone will think of ditching it. Even then if it's mission critical (all the more reason to be secure) it seems people are loathe to switch to something else.
So as a coder for a Closed Source app., my motivations would be:
1. Make the boss happy. Get code done.
2. Once program A is done, start work on next money making program.
3. Patch when boss says it's necessary to patch.
For Open Source it's not that much better. The only real motivation to write good code is so that it's either accepted into the project in the first place, and then once accepted everyone doesn't poke holes in your crappy code.
The difference is that people coding OSS are doing it because they want to, so hopefully have a little more motivation to look at the other code in their project. It's interesting to them, so they're a bit more likely IMO to look at it. The person getting paid has no incentive to look at the code (at least while on work time) unless the boss tells them to. Since rehashing old code doesn't usually make money, the only time to look at old code is when a patch is a necessity.
Separated at birth?
He who knows best knows how little he knows. - Thomas Jefferson
I think I'd agree with Kevin if he said:
"I'd prefer to hack open source with FEW AUTHORS."
There's no doubt that lots of eyes and a security focus have helped Apache, but there's lots of open source shitware (for example, just Google up a list of PHP messageboards) that don't have basic input validation controls, require too much access to the operating system, use plain-text or unsalted MD5 passwords or contain other gaping holes.
Without those extra eyes helping out...yes, many open source projects are easier to hack than similar closed source projects.
Oh, really? I think so.
In this day and age with all of the security problems (especially with MS), OSS trying to gain market share, I'd think that every OSS coder would be really mindful of any potential holes. Especially if he knew that another developer would be looking at it. I would be really embarrassed (if I were a developer) if I got an email saying something to the effect of "Hey dumbass, nice job of preventing buffer overflow there at line: xxx in abcdef.c! Don't worry, no one will EVER exploit that hole!"
I always wonder my questions.
How does this "la" file automagically get execute permissions? Enquiring minds want to know...
"Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "
...and as long as we're at it:
You may now start the never ending "hacker vs. cracker" terminology debate...
Linux is better than windows
KDE is better than gnome
emacs is better than vi
Alex, I'll take keybindings not used by Emacs for $400....
Infamous cracker Kevin Mitnick (turned security consultant) has come out to say [...]
/.?
Why does race have to enter every discussion on
Mitnick is a bit of a tired old turd nowadays, though I suppose to some suits at M$ he must appear to be a l33tHaxor - methinks this is another FUD attack by the Redmond Antichrists on that cancerous, commie, UnAmerican Open Source Movement!
The dude was a social engineer. I've seen no evidence that he ever wrote an exploit himself.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Mitnick's 'hacking' mostly involved social engineering.
He is not a true hacker, just a highly technical con artist.
We all have seen how difficult it is to hack Microsoft's closed-source, proprietary code.
I'm sure there's a hundred things wrong with what I've said, I'm not a hacker--I just like to point out possible security holes.
Let's dive into what *is* wrong...
First of all, files in your home directory are normally not in your $PATH on any Linux system. Anyone who has their system set up like this, *let alone* having their $HOME have priority over /sbin and /usr/sbin, deserves to be shot.
Secondly, a webserver should (and does by default in any distro I know of) run as the nobody/httpd/apache/someone user, and does not have a home directory. So any exploit in the web server would not allow you to write a 'la' binary anywhere.
Third, your whole attack scheme is just a big run around for no reason. If you can write a binary called 'la', why wouldn't you just write it as 'ls' in the first place, instead of crossing your fingers and hoping he mistypes? And if you can write a binary to disk, you can also obviously execute it, so why don't you? Why would you wait around? Is it because you hope someone is going to log in as root and run it? Because if that is the case, you will be way out of luck, because root *never* has $HOME in his path (and the webserver shouldn't be able to write to /root anyways).
This isn't how these kinds of attacks work... what *usually* happens is, the buffer overflow allows one to write and execute files as the unprivileged user. The cracker attacks and does this to gain a remote shell on the machine, as this unprivileged user. They then use this shell to try to find holes in other system services that may not be remotely exploitable, for example say mysql or postgresql. If mysql is running locally and not set up right, they could use it to gain full superuser privilege by SELECT'ing to a file. Then, all bets are off.
I fail to understand the obsession with hackers and security!
These people are like art critics.
They can't write great code themselves so they pick apart other people's. A valuable niche job to be sure, but not deserving of some sort of "star" status of their own.
Why is there not more attention on the great developers? I don't see many interviews of kernel devs......
Can we please stop calling common conning "social engineering?" The term itself is a con to make a common shyster seem like a legitimate professional. Unless he was involved in, say, eugenics or public education, this term painfully overstates the actions and qualifications of its practitioners.
I feel insulted... Do we really need a "security expert" to tell us that the preference is to hack open source code vs. just binary object code? I mean, come on...
Alexander "brunes69" de Large: Oy! Lookie what we have here, droogies
Droogies: [in unison] HE FORGOT ABOUT PERMISSIONS!
Alexander "brunes69" de Large: [bending over with his cane against his cod piece] That's right. And what happens to slashdotters we viddie that make mistakes?
Droogie A: We brow beat them into a bloody pulp
*Alex and the droogs continually beat the poor slashdotter while emitting "Singing in the Rain"*
eldavojohn: Please
My work here is dung.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
A handful of quotes and a 3-line bio synopsis? Gimme a break.
I was once the victim of a fuzzing. It left me walking bow-legged for weeks.
Look, everyone knows that opening your source is a double-edged sword. It's not like your intent to open source summons the Buffer Overflow Fairy who magically waves their Valgrind wand and your code is perfect. The whole point is to get the bugs out in the open so that everyone can see them and patches can be submitted by a larger number of contributors. The idea is that it gets rid of the bugs faster.
The fact that Mitnick says this doesn't damage the case for open source at all. The Captain Obvious comments are just pointing out that Mitnick is just saying, "I like easier work over harder work." Or maybe, "It's really fucking tedious to analyze a binary without the source." Does that stop people from finding bizarre bugs in closed source code? Absolutely not.
Slashdot. It's Not For Common Sense
Haven't you seen the movie "Hackers"? When you're breaking into computers the _only_ thing that matters is how cool you look.
All of you who are commenting that this is an obvious idea may be missing the point.
;)
We all know that security through obfuscation in cryptography is stupid: peer review illuminates the crevices the architect never conceived. But is all open source code subject to this same sort of peer review? If you've ever worked on an open source project, how much time do you sit down and pore over the code looking for security flaws?
Essentially, it's the same problem with Wikipedia: peer-review requires 1) the skill of the peers matches or exceeds the skill of the author, and 2) peers are actually reviewing, and 3) peers are trustworthy. It's the second criterion that Mitnick was questioning.
What's more, it seems like accidental (and very subtle) bugs result in most security holes that don't get noticed. Wouldn't it then be trivial for someone with a great amount of skill to simply insert a hole? Either by subtle manipulation of existing code or by direct implementation in a segment which they are responsible for coding. If it's done well, the 'oops, coding error!' excuse could always be proffered in the event the tampering was detected.
If I wanted to attack a system which I knew ran on OSS (and I had mad coding skillz), I think I would try to obtain some method of working on one of their software packages. Either directly or by 'acquiring' someone else's permissions if that was easier. Then I would insert a piece of backdoor code in a little used (or often used-'hidden in plain sight') code segment. Once the next release is running on that system, exploit the code, and get out. Depending on my goals, the operation could very likely be done before a hole is found and a patch is issued. As a small bonus anyone else installing that software would have the same vulnerability. Of course, some user level app won't be able to induce this scenario, but you get the idea.
Proprietary software doesn't have this vulnerability in so much as the programmers are much more tightly regulated by a company who has legal and monetary interests in controlling its code base and holding its employees accountable. (whether this actually happens is another discussion)
For all the self-righteousness of the open source movement, I remain convinced that the primary reason that more open-source packages are not targeted for attack is because they are not an appealing target. Specific implementations are not in popular use (globally), or they are too close to home. Meaning it's preferable to attack your enemy than your family.
Now, for what it's worth, much that seems obvious isn't true. It seems like a good notion that open software allows people to more easily figure out how to fix holes. This is certainly true. However, it also makes it easier for hackers to find holes as well.
The fact is, assuming we had two nominally identical projects, one closed-source and one open-source, bugs would be easier to find by *everybody,* good and bad. The question, which Mitnick alluded to, is this - are there sufficiently more "good-guy" eyes on the code to ensure that bugs are found/fixed more quickly, to account for the fact that bad guys can find bugs faster?
The answer to that question isn't a guaranteed "Yes." In many cases it works, but I don't think in all. I realize that people around here like the notion of free software. I do too. But that doesn't mean that it works in practice the way it does in theory. We have to actually question how many people are actively maintaining the code compared to how many "bad guys" are looking to exploit it. I think for most projects this ends up working for us, but it's not guaranteed.
In other words, taking for granted that OSS is more secure because it's OSS is a dangerous mistake.
Get real... Apache's an appealing target. Which web server has more exploits for it? IIS.
There is absolutely nothing in your little hypothetical situation that couldn't be accomplished in closed source as well- and in actuality, it'd be easier as the audits wouldn't be as intense (Witness the WMF debacle for proof of something that should have been caught that wasn't in Closed Source software.).
Simply put, what you claim isn't. But I'm confusing this discussion by including facts, aren't I?
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Mr. Mitnick is forgetting that most people want to see the proprietary software code because it is closed to prying eyes. Whereas OSS being open to everyone is less appealing. And any issues that need to be fixed will be in a shorter time due to more people around the globe working on it. Whereas with Proprietary software you have a small team working on it. They also have the added task (in Microsoft's case) of it having to be tested on many different systems due to the large and various types of machines the software is being run on.
It implies there is science to it when the proponents sound more like motivational speakers who are like "learn my pick-up secrets and you can date any woman you want...." yeah right.
Plus, social engineering was a term used to refer to the soviets implementing central social planning well before Mitnick turned it into a little money spinner, so to anyone aware of that earlier usage it sounds dreadful.
straight from the horse's mouth
And he may know a few things more than a typical /. person, but his "theory" hasn't held up under any sort of scrutiny.
What I mean is, in theory, he feels he can crack an OSS based box because he can analyse the source code, but in reality, it's easier to crack a proprietary box. So his theory doesn't appear to hold up to simple analysis of what happens in the real world.
It's kind of like the theory that SUVs are safer than other cars, which would appear to be common sense. But it falls apart when you consider real world applications and SUVs are no more or less safe than anything else.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
On the surface that may be true, but any professional programmer knows that deadlines never or rarely leave time for exhaustive security audits. More often than not, new features get thrown in at the last minute, so any security bug gets hidden deeper and the problem is compounded. Open source doesn't have those artificial schedule restrictions forcing programmers to write crap code. Not that crap code doesn't occur, because it most definitely does. The difference is that with open source, it's likely to be found earlier than later because there isn't an annoying Project Manager telling people to implement one more feature. Even though some users hate it when developers say, "it will be released when it's ready", that mindset leads to better quality.
"Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone." ...following the previous 40 years of whistling past the graveyard to deal with nuclear missiles.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
I'm sorry, but weren't most of Mitnick's attacks performed with information obtained through hacking by use of social engineering? How does this make him an expert on code?
He found exploits in OpenVMS and tricked users into giving him information. How does this make him different from what we now call a phisher? I think a bit too much credence is being given to an outdated dinosaur who's gone from "effective con-man" to "not quite as effective con man". I can't say he's completely ineffective now... obviously his verbal flatulence is still being posted on news sites apparently. Sorry, but IMO, Mr. Mitnick's on his 16th minute, and the industry's growing tired.
Evil Walrus >83=
You exposing your entire source code for public scrutiny, and this is more secure than closed proprietary software?
How and why?
I think people are deluded into thinking that because a project like Linux is secure, and that Linux is Open Source, ergo Open Source software must be secure. This is convoluted and dangerous logic.
I think OSS is the most insecure software out there. Think of it. Anybody could take RedHat's source code, create their own distro filled with back doors and zombie daemons, and then distribute this OS supposedly under the guise of a secure RedHat release. This goes with any of the countless personalized Linux distros out there. Same goes for Open Office, etc, etc, etc. If you are not careful (and it is easy not to be careful when OSS is distributed largely with P2P software and bit torrents), you can end up purposely installing a corrupted OS or application whose code base has been hacked INTERNALLY and exposes your data to great risk.
Also, your security protocols and measures are all exposed to public scrutiny. Perhaps among the Open Source community this exposure allows them to create more secure software, by collectively working to plug holes and make the code base rock solid. But this ignores the fact that people with the same skill set but with vastly different intentions can use the same source code to FIND holes and to WRITE exploits using the original source code as its base. Wouldn't it be more difficult to find a security flaw if it uses the original source code as its base?
I just never bought the whole OSS is more secure than proprietary software bit. The fact you have to reverse engineer proprietary software (which is full of guess work) and THEN start to find ways of exploiting it suggests proprietary software is more secure by obscurity. I think people are just making assumptions based on the fact that Windows, a closed OS, is not secure, thus closed software is less secure. It's the same mistake as assuming OSS is more secure because Linux is more secure. OS X isn't open source (for the most part) and it is secure.
In the end, I think that if someone truly wanted to target OSS and make it a victim of hackers they would more easily find exponentially greater security flaws and deliver more damaging payloads simply by the fact they can use the ACTUAL code as a basis for their attacks. OSS has the benefit of being treated with respect by the hacker and OSS communities, it's a hobbyist community after all, why sabotage your favourite pastime? But if OSS produces the dominant OS and applications of choice for the corporate and government communities I think this whole myth of OSS as being more secure will be ended, very quickly.
I haven't thought of anything clever to put here, but then again most of you haven't either.
A guy gets arrested for tricking people into giving him passwords and then using them.
a decade later, he's an industry pundit, and people pay attention to what he says. How many thousands of people did the same things Mitnick did, but didn't get caught?
Should we worry about their opinions too?
I'm lazzy: Kevin Mitnik
I'm positive, don't believe me look at my karma
Really? Is that why FireFox is such a bloated memory hog? Oh, sorry, that's a feature not a bug...
Get ahold of Digital Equipment Corporation's source code and use it to blackmail DEC employees into doing what you want or else you'll distribute the code.
So, Mitnick, were you ever indicted for that one?
Is this idiot some kind of god for all you kids? Who cares what such a pathetic person has to say about Open Source or Free Software?
... or is it that he, a retired felon, has to support
;), is worth more than
the position of M$ as part of his release agreement?
The guy has no real significance; about the only impressive thing he ever accomplished was become referenced on dozens of 2600 covers.
The idea of Mitnick, while it may have inspired thousands of people (to do what, I have no idea
any of his own ideas.
Move along. Nothing to see here. Mod parent down.
Why would you listen to anything Mitnick has to say? His attacks were based on social engineering, and he got caught. He's missed nearly a decade of technological development, and he wasn't a technical genius to start with either. And if it hadn't been for Shimomura's and Markoff's success in manipulating and blowing the story out of proportion for their own fame and fortune, Mitnick wouldn't have been more than a footnote.
Looks like the EU officials are so flustered by submitting source code in lieu of documentation that they are forgetting some basics of protocol and negotiation.
I've been asked to put '.' in the default path at several places. This seems to be a common request in giant-bloated-java-crapware-land where you have to source in half a dozen scripts' worth of environment variables to get things to work properly. When I argued against it people acted like I had bats flying out of my nose.
I dunno if this kind of thing is much used except by malevolent insiders. Same for buffer overruns, I haven't seen any buffer overruns do anything but crash a Solaris or Linux server in a long time. It's so much easier to just get hold of some personal info (I won't even say "steal" personal info, it's so easy) and social your way in nowadays.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
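A check for the PATH problems raised in the earlier rebuttal ($HOME on the path, or ahead of /sbin and /usr/sbin) and in the comment above about '.' in the default path, as an added example that is code from neither poster: it flags the current directory (including the empty entry that a stray colon produces), relative entries, a user's home directory and whether it outranks the system directories, and optionally world-writable directories. The function names and the list of system directories are assumptions.

```python
import os
import stat

# Directories that normally hold the real system commands (an assumption
# for this example; adjust for your platform).
SYSTEM_DIRS = ("/sbin", "/usr/sbin", "/bin", "/usr/bin")


def audit_path(path_value: str, home: str = None, check_fs: bool = False) -> list:
    """Return (entry, reason) findings for a PATH-style string.

    - '' and '.' both mean "search the current directory"; an empty entry
      comes from a leading, trailing or doubled colon, which is easy to
      produce by accident when appending to PATH in a shell profile.
    - A home directory on PATH lets a file dropped there shadow a command;
      ahead of the system directories it shadows them for every command.
    - With check_fs=True, entries that exist on disk are also checked for
      being world-writable without the sticky bit.
    """
    findings = []
    system_seen = False
    home = home.rstrip("/") if home else None
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>",
                             "current directory is searched for commands"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry; resolves per working directory"))
        if home and (entry == home or entry.startswith(home + "/")):
            reason = "user-writable home directory on PATH"
            if not system_seen:
                reason += ", searched before the system directories"
            findings.append((entry, reason))
        if entry in SYSTEM_DIRS:
            system_seen = True
        if check_fs and entry and os.path.isdir(entry):
            mode = os.stat(entry).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((entry, "world-writable directory without sticky bit"))
    return findings


def path_is_safe(path_value: str, home: str = None, check_fs: bool = False) -> bool:
    """True when the audit produces no findings."""
    return not audit_path(path_value, home, check_fs)


if __name__ == "__main__":
    # Audit the PATH of the current shell, checking the filesystem as well.
    for entry, reason in audit_path(os.environ.get("PATH", ""),
                                    home=os.environ.get("HOME"), check_fs=True):
        print(f"{entry}: {reason}")
```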
Fuzzing is feeding a program with malformed input to see whether there are any vulnerabilities such as buffer overruns which may be exploitable. Of course, you'd know that if you'd read the article...
OMGZ , George Bush was attacked by a giant socialist weasel !!!!
LOL
google "32 trillion offshore needs IRS attention"
The standard counterargument for most of them is "A similar potential exists in proprietary software also, but is less easy to detect and repair."
I don't want to flog this point too vigorously, because it's clear that in practice the quality and security of any software is derivative of many factors, both in the development environment and during its installation and operation.
We know that open source is, in principle, subject to extensive peer review, but as with proprietary software, the effectiveness of that review is not guaranteed. What's more significant to security, in my view, is that open source encourages forms of installation which can be directly repaired, and complementarily, encourages a culture of system administration which values deep expertise. Proprietary software, on the other hand, tends to be monolithic, and in my experience tends to attract an insufficiently expert sort of system administration for consideration of security.
The peer review model is not a perfect sieve, but it has proven effective in science for centuries. So fundamentally I think we're on the right track with open source. In practical terms, I think there's some interesting work ahead of us. One area, for example, is the authentication and validation required for highly distributed development. Progress in this area would benefit both open source and proprietary development models, with the greatest benefit, however, accruing to open source.
Work on the modularity of system components is another area of ongoing benefit to security. It's simply the continued application of known software engineering principles, and it stands to benefit both open source and proprietary software by encouraging interoperability. Interoperability means choice, which can be choice in favor of more reliable and secure modules over lesser ones. In practice, open source developers seem to be generally in favor of interoperability whereas proprietary developers are often encouraged to defeat it.
Parity: What to do when the weekend comes.
What relationship does Open Source software have with getting free long distance calls by hacking Telcom Switches?
Check the fruit of the tree.
real men hack ALSA
So when Mitnick says it is easier to hack OSS software, people say "duh"
When Microsoft says "making our stuff open source will make it easier to find vulnerabilities", people say "Stop FUDing, Microsoft"
I don't see how you can believe it when Mitnick says it and how you can refute it when Allchin says the same thing.
My opinions are my own, and do not necessarily represent those of my employer.
Perhaps Kevin should stick to discussing social engineering, voice mail systems, and himself, three subjects on which he is a genuine expert. The only value of this article was to spark discussion on the term "fuzzing."
From what I remember, Mitnick was a social engineer; he just tricked a lot of people into giving him access. So what is he supposed to know about exploiting software vulnerabilities?
Why does anyone care what Mitnick has to say? Seriously, why does everyone still idolize him? I mean it was one thing to fight for his right to trial while he was being held by the Government, but that was the only reason he was ever labelled as a legend. I don't care any more about what he has to say than what relevance Cap'n Crunch has with regards to IP Telephony.
Then why has Windows been so easily and frequently compromised from its inception, without access to source code? Oh, I know! "because there are more Windows machines." Noooo. Wrong again. Because it is trivially easy. I know, all these years and tens of thousands of windows viruses, worms, trojans, spyware, rootkits, etc. really don't mean a thing! Because the source code is closed! Logic wins again!
we will end no whine before its time
It seems to me that most of you didn't read the actual article, or are so used to reading code that you can't understand written English anymore...
"On the face of it, open source software is more secure," says Mitnick. "A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?"
'On the face of it' to most people translates to 'it looks like', 'it seems', or any statement that postulates on the accuracy of a theorem without actually stating its truth or relevance. Meaning he is postulating on what many believe to be true but none can so far prove. (Somewhat like physicists and string theory.)
It seems to me that he is not actually embracing this 'theorem' as a FACT, but more of a perception, and is creating a discussion based on the theorem.
As for Mitnick being a Social Engineer, does it matter? He was able to gain access to systems through use of his mouth and his mind, at a time when few others had the ability. Are we saying that his contributions to what is known as hacking today were worthless? Yeah, he may have used social engineering, but many of the techniques he used paved the way for other hackers to gain the knowledge necessary to get where we have gotten thus far.
Einstein never saw much of the quantum physics we have today; does that mean that his contribution was minor or non-existent? His work led to future work which led to new discoveries which led to future work and future discoveries... Before we had iron hammers we used big rocks, but those big rock users still led the way to iron hammers... do not discount his words because you feel his early contributions were not up to later contributions.
The sad thing is, the answer is yes.
There are plenty of commercial code verification tools (Coverity, which is a commercial version of the Stanford Checker, used with great effect on the Linux kernel, is an excellent example) and a substantial number of free tools designed for profiling and analysis (DAKOTA, KOJAK, Web100, TAHI, KTAU to name but a few) that can be mutilated/used to test for vulnerabilities.
As far as I know, the vendor of Coverity uses their checker to scan the Linux kernel from time to time, but I've never heard any mention of either Red Hat or OSDL doing likewise. Interesting, given that they actually do kernel development.
It's harder to assess who is using the free tools, but a glance at Freshmeat indicates that the number of total users is in the low hundreds. Of those, only a few are likely to be kernel developers with an interest in using the tools to debug/secure the Linux kernel. Indeed, the number is so low that the Linux Trace Toolkit has died, along with every single one of the enterprise-level event monitoring kernel patches.
Fortunately, I don't believe the number is zero. There are a few - a precious few - who do seem to be working on finding and fixing potentially (or actually) hazardous code in Linux. If I'd the cash, I'd nominate them for knighthoods for their fearless dragonslaying.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Why do people listen to Kevin Mitnick on technical issues? He never once wrote a single line of code. He never once used anything he himself had created. All he was good at was using other people's tools, making him a glorified script kiddie with connections to get the tools he needed. The only difference between him and your average script kiddie is he had specific targets that usually had something he wanted which motivated his attacks, instead of just randomly hitting vulnerable systems.
He proved he was a moron when he used the same MIN/ESN pair for his OKI the entire time Shimomura was tracing him down.
Remember the Alamo, and God Bless Texas...
"Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone."
LOL
that's about as bad as the whole Lance Armstrong is god BS.
the only permanence in existence, is the impermanence of existence.
Of course it's easier to diff sources to find what was patched, and it's even easier if there is some info in the release notes... Please Kevin, keep writing books, don't try to get back into security, it's over, you're too old... Even during your "active" period you were already leaking sploits...
If your data is so valuable that hackers spend months (or even years) attacking you by this strategy, you should never rely on pre-packaged software's security. It doesn't matter how resilient the pre-packaged software development model is, it can always be broken by a well-motivated human.
Rethinking email
...-.-
Is Kevin Mitnick relevant anymore? Why should I care about his opinion?
My brain does not WAD, even when I preview.
KFG
It's still too soon after Kevin Mitnick was all we heard about for awhile. I don't miss him yet. Go away for a few more years, Kevin (just stay out of jail)! Legends should be reclusive.
Proprietary source code is easier to find holes in because fewer people scrutinize the code for security holes. In other words, once you /have/ the code, everything's gravy.
I think I found my first bugs in AIX, SunOS 4, and Solaris (when Solaris was closed source) each inside 10 minutes. And that's a high estimate.
Really, just go away Mitnick, you got arrested for being a con, not a L33t haX0r. Give advice on conning people, not technical matters.
Have you ever heard a person talk that has no clue what they are saying but still has to make it seem like they are experts. Only good thing mentioned was fuzzing -- "Mmmmmmm fuzzing"
(1+2 = 3) and (1+2 !=2) WTF really.
"open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'."
Mitnick was never that great a programmer. He was mostly a social engineer. Or so I've heard....
teleny, friend of cats.
I have no doubt Mr. Mitnick possesses /\/\@|) $k1//z. He could be a Nobel Laureate in Quantum Physics having successfully developed a working unified field theory and I'd still say that if he called up a secretary claiming to be the IT director asking for her password so he could get access to the company credit card numbers -- he'd be a Nobel Laureate who happened to also be a con artist, not a "social engineer." Con artistry has been around a lot longer than any field of engineering, so it is a bit suspect when a very basic ploy is fobbed off as anything but what it is: a con.
No real jail term for hacking OSS. Kevin you are releasing your changes?
The problem with these debates is... well... security holes are patched by smart people and created by the dumb ones. If you are a dumb administrator you might preface your $PATH with . and yes, you would need to be shot... but then again we're comparing you with most Windows users, who also need to be shot.
While we're on the topic of linux "security flaws" try this one next time you see a college freshman logged into his terminal
cd ~
touch "-rf *"
logout
When the user logs on and sees this annoying file they should type
rm "-rf *"
but since they're a college freshman taking "Intro to basketweaving in Unix" they'll type
rm -rf *
(forgetting the quotes) and you'll laugh... and subsequently be damned to hell.
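The two traps just described, a "." entry in $PATH and a file whose name makes an unquoted rm read it as options, are both easy to check for from the defender's side. The script below is an added example, not code from this thread; the function names path_has_dot, list_dash_names and count_dash_names are my own, and the throwaway directory the demo creates is constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the thread): two defender-side checks.
#  1. path_has_dot  - does a PATH string search the current directory?
#  2. list_dash_names - which names in a directory begin with "-"?

# path_has_dot PATH_STRING
# Returns 0 (true) if the PATH string contains a "." entry or an empty entry.
# An empty entry (leading/trailing ":" or "::") also means "the current
# directory", which is the same trap as an explicit ".".
path_has_dot() {
    _p="$1:"                      # trailing ":" so the last entry is parsed too
    while [ -n "$_p" ]; do
        _entry="${_p%%:*}"        # text before the first ":"
        _p="${_p#*:}"             # text after it
        case "$_entry" in
            ""|.) return 0 ;;
        esac
    done
    return 1
}

# list_dash_names DIR
# Prints, one per line, the names in DIR that begin with "-": exactly the
# kind of file that turns an unquoted "rm *" into "rm -rf ...".
# The glob is anchored to "$DIR/" so the result is never parsed as an option.
list_dash_names() {
    _dir="$1"
    for _f in "$_dir"/-*; do
        [ -e "$_f" ] || continue  # the glob matched nothing
        printf '%s\n' "${_f##*/}"
    done
}

# count_dash_names DIR: number of such names, handy in scripts and tests.
count_dash_names() {
    list_dash_names "$1" | wc -l | tr -d ' '
}

# Demo on a constructed, throwaway directory.
demo() {
    _t=$(mktemp -d)
    ( cd "$_t" && touch -- "-rf *" && touch normal.txt )
    path_has_dot "/usr/bin:." && echo "PATH '/usr/bin:.' searches the current directory"
    echo "names starting with '-' in $_t:"
    list_dash_names "$_t"
    # Safe cleanup: "--" ends option parsing, so "-rf *" is a filename here.
    ( cd "$_t" && rm -- "-rf *" normal.txt )
    rmdir "$_t"
}
demo
```

The same "--" (or a "./" prefix) is what the freshman in the story needed: rm -- "-rf *" or rm ./-rf\ * removes the file instead of the home directory, with or without the quotes slip.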
And as an FYI, in his book, The Art of Deception, Kevin Mitnick condemns the use of software hacks. He says that software is usually the strongest link in the system; it's the users who are foolish. He is considered such a great hacker/cracker, yet from his book he seemed much less technically literate than I had imagined. I wouldn't consider his mere opinion that open source software is more vulnerable very persuasive. We are, however, admitting security flaws and simply sweeping them under the rug when we say "no intelligent user would do X." These are the users who may be administering our system, and the users who Mitnick preys on. If we want our computers more secure we need to start educating our communities and telling them to not open up e-mails from strangers saying "I love you".
In theory of course.
Considering Kevin has never written a line of code in his life (his MO was always that of a script kiddy) I can just imagine how much he's learned studying the sources for systems he wants to break into. He's much more into tricking stupid users into telling him their password than any real "system" hacking. He's always depending on the analysis (and code) of others for any system cracking.
Nice that he can make a living out of this stuff though. Just goes to show that working hard for a degree and doing an honest day's work is still the most boring and least rewarding way to make a living in this country. Of course that 4+ years in prison thing doesn't sound like much fun either...
If the attack mechanism is only able to write files to a user's home directory, then an attack could go against one of: .bashrc .profile .bash_profile .cshrc .tcshrc .zshrc
.xsession .xinitrc .fvwmrc
It could also go against one of:
(also various GNOME and KDE start-up or menu files)
Going from user to root...
Via config files, take over the shell or menu system.
From there, take control of xterm, screen, gnome-terminal, or kterm. One may also wish to act as an X11 input method handler to grab keyboard activity.
Wait for the user to use su, sudo, or the GUI equivalent. Grab the password.
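The post above lists the startup files that a write-only foothold in a home directory would go after. The defender's counterpart is to keep a digest baseline of exactly those files and compare against it on a schedule, so an edited .profile or a newly planted .xsession shows up before anyone types su. The script below is an added example, not code from this thread; the function names (digest, snapshot, baseline, check) and the sample home directory it builds are my own, and it assumes either sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example (not from the thread): integrity baseline for shell and X
# startup files. "baseline" records SHA-256 digests; "check" reports files
# that changed, appeared, or disappeared since then.

# The files named in the post; extend the list for other shells or desktops.
STARTUP_FILES=".bashrc .profile .bash_profile .cshrc .tcshrc .zshrc .xsession .xinitrc .fvwmrc"

# digest FILE: hex SHA-256, using whichever tool the platform provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR: prints "name digest" for each startup file present in DIR.
snapshot() {
    for _name in $STARTUP_FILES; do
        [ -f "$1/$_name" ] && printf '%s %s\n' "$_name" "$(digest "$1/$_name")"
    done | sort
}

# baseline DIR FILE: store the current snapshot of DIR in FILE.
baseline() { snapshot "$1" > "$2"; }

# check DIR FILE
# Compares DIR against the baseline in FILE. Prints one line per difference
# ("added NAME", "changed NAME", "removed NAME") and returns 1 if there was
# any difference, 0 if the startup files still match the baseline.
check() {
    [ -f "$2" ] || { echo "no baseline at $2" >&2; return 2; }
    _tmp=$(mktemp)
    snapshot "$1" > "$_tmp"
    _out=$(awk -v base="$2" '
        FILENAME == base { old[$1] = $2; next }   # baseline lines: name digest
        {
            seen[$1] = 1
            if (!($1 in old))        print "added " $1
            else if (old[$1] != $2)  print "changed " $1
        }
        END { for (n in old) if (!(n in seen)) print "removed " n }
    ' "$2" "$_tmp")
    rm -f "$_tmp"
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        return 1
    fi
    return 0
}

# Demo on a constructed home directory: record, modify, detect.
demo() {
    _home=$(mktemp -d); _base=$(mktemp)
    printf 'export PATH=/usr/bin:/bin\n' > "$_home/.profile"   # constructed content
    baseline "$_home" "$_base"
    printf 'export EDITOR=vi\n' >> "$_home/.profile"           # a line appended later
    touch "$_home/.xsession"                                    # a file that was not there
    check "$_home" "$_base" || echo "startup files differ from baseline"
    rm -rf "$_home" "$_base"
}
demo
```

Keep the baseline file somewhere the user account cannot write (it is only useful if the same foothold cannot rewrite it), and run check from cron or a login hook as a different account; a digest that changed on a day the user did not edit their dotfiles is the signal to look at before trusting su or sudo on that machine.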