Slashdot Mirror


Mitnick on OSS

comforteagle writes "Infamous cracker Kevin Mitnick (turned security consultant) has come out to say that he'd prefer to 'hack' open source code vs proprietary closed code. "Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called 'fuzzing'." He further says that open source is more secure, but leaves you wondering if enough people are really interested in securing open source code."

22 of 286 comments

  1. Captain Obvious by Fusen · · Score: 5, Insightful

    In other news, it's easier to see where you are going when you have your eyes open.

  2. In other news... by HaloZero · · Score: 4, Insightful

    He's got the same general (valid) outlook that the rest of us have: open-source code is easier to tinker with because you can see how and why it works. That is an intrinsic element of having open-source code.

    Just because Mitnick has said what thousands - nay - millions have said before, doesn't mean it's new and exciting. Doesn't make it news.

    --
    Informatus Technologicus
  3. Prefers? by Black+Parrot · · Score: 1, Insightful

    I wonder what he means by "prefers". Is it more fun to sit around reading someone's crappy code than to use the trial-and-error approach crackers use with closed-source software?

    The empirical evidence suggests that people don't have an especial lot of trouble cracking CSS.

    I guess if you have the source you can grep for reads and examine them for overflow vulnerabilities, but I wonder how much easier even that would be vs. just trying it.

    --
    Sheesh, evil *and* a jerk. -- Jade
  4. Ask a hacker a question, get a hacker answer by AKAImBatman · · Score: 3, Insightful

    Famous hacker says it's easier to find holes when they let you look at the source! News at 11!

    Is this really all that surprising? If you've got a mentality of "how can I break this?" it's much easier to figure out how if you can look at how it's built. Unfortunately, having a hacker able to look at a system is not the same thing as having the original designers catch the issue. If you wait until hackers get ahold of it, they'll find ways to exploit the problem before the patch is in wide distribution. That's what makes this dangerous.

    Thankfully, the majority of those who are looking at the code have less selfish reasons, and are happy to share any issues they see. Thus the "many-eyes" philosophy depends heavily on the good will of the common man. Personally, I wouldn't have it any other way. :-)

  5. Re:Fuzzing and Obfuscation by muhgcee · · Score: 2, Insightful

    Granted, you had a disclaimer about mistakes, but...
    This is all assuming that the home dir or the working dir is in the path.

  6. obvious but often denied by Anonymous Coward · · Score: 0, Insightful

    Come on now, how many times have I seen the same statement greeted with derision here?

  7. I'd prefer to hack open source with FEW AUTHORS by xxxJonBoyxxx · · Score: 5, Insightful

    I think I'd agree with Kevin if he said:

    "I'd prefer to hack open source with FEW AUTHORS."

    There's no doubt that lots of eyes and a security focus have helped Apache, but there's lots of open source shitware (for example, just Google up a list of PHP messageboards) that don't have basic input validation controls, require too much access to the operating system, use plain-text or unsalted MD5 passwords or contain other gaping holes.

    Without those extra eyes helping out...yes, many open source projects are easier to hack than similar closed source projects.

    1. Re:I'd prefer to hack open source with FEW AUTHORS by kfg · · Score: 2, Insightful

      . . .there's lots of open source shitware. . .

      Indeed there is, and lack of recognition of this is one of the "weaknesses" of OSS, however, let me ask you this question:

      How many people run this shitware?

      Not much point in spending who knows how many hours going over code that nobody uses. The Mother of all UNIX Holes was found in GNU emacs, because that was someplace worth looking for one.

      Thus the code that everybody uses gets harder faster.

      KFG

    2. Re:I'd prefer to hack open source with FEW AUTHORS by xxxJonBoyxxx · · Score: 3, Insightful
      "So my question remains, who runs this shitware?"

      Accidentally, the answer is "many web hosting providers". If they allow users to upload and execute their own scripts on their site (and who doesn't, these days), they typically end up with several dozen copies of God knows what because web designers find these things on their own and crib them into their own sites. The permissions set to allow these scripts to run are often open enough or there is a powerful enough shared backend database to do something interesting...

  8. How would it have helped Mitnick? by jcr · · Score: 3, Insightful

    The dude was a social engineer. I've seen no evidence that he ever wrote an exploit himself.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  9. Re:Securing Open Source Code by cli_man · · Score: 1, Insightful

    I agree completely with the parent post. Also I know when I work on any open source projects I make double sure that my code looks right and that I didn't do something stupid because I don't want to get torn apart on a mailing list of my peers.

    Also when working on open source it may not be so much that other people are looking over your code for bugs, but that someone might be looking over your code for bugs. I don't know many programmers who like to get shown up on their abilities.

    However when working on closed source you tend to just get it working, meet the deadline, and get on with life. Most times you don't have someone looking over your shoulder at each line of code.

    --
    The nice thing about Windows is - It does not just crash, it displays a dialog box and lets you press 'OK' first. Reg
  10. Err, no. by Paradox · · Score: 4, Insightful

    Look, everyone knows that opening your source is a double-edged sword. It's not like your intent to open source summons the Buffer Overflow Fairy who magically waves their Valgrind wand and your code is perfect. The whole point is to get the bugs out in the open so that everyone can see them and patches can be submitted by a larger number of contributors. The idea is that it gets rid of the bugs faster.

    The fact that Mitnick says this doesn't damage the case for open source at all. The Captain Obvious comments are just pointing out that Mitnick is just saying, "I like easier work over harder work." Or maybe, "It's really fucking tedious to analyze a binary without the source." Does that stop people from finding bizarre bugs in closed source code? Absolutely not.

    --
    Slashdot. It's Not For Common Sense
  11. Re:Fuzzing and Obfuscation by TheSkyIsPurple · · Score: 2, Insightful

    >One more thing about the article, the beauty of OSS is that it is impossible to implement security through obfuscation [wikipedia.org]--a major pitfall to security in application design.

    Careful with the word impossible.

    Can you really guarantee that for every OSS project, there are enough people looking through each bit of code trying to look for any "security through obscurity"-type issues?

    If there are 1,000 submitters, most of whom are working on features, can you guarantee that everyone's code is getting audited? That there is no code where they all think to themselves "Well, there are enough other people on this... I really don't need to look in here, I have better things to do."

    Not saying it is especially prone. I'd even be willing to say it is less prone, but I don't think you can say "impossible".

  12. Dangerous mistake. by Mr.+Underbridge · · Score: 3, Insightful
    obvious but often denied: Come on now, how many times have I seen the same statement greeted with derision here?

    Now, for what it's worth, much that seems obvious isn't true. It seems like a good notion that open software allows people to more easily figure out how to fix holes. This is certainly true. However, it also makes it easier for hackers to find holes as well.

    The fact is, assuming we had two nominally identical projects, one closed-source and one open-source, bugs would be easier to find by *everybody,* good and bad. The question, which Mitnick alluded to, is this - are there sufficiently more "good-guy" eyes on the code to ensure that bugs are found/fixed more quickly, to account for the fact that bad guys can find bugs faster?

    The answer to that question isn't a guaranteed "Yes." In many cases it works, but I don't think in all. I realize that people around here like the notion of free software. I do too. But that doesn't mean that it works in practice the way it does in theory. We have to actually question how many people are actively maintaining the code compared to how many "bad guys" are looking to exploit it. I think for most projects this ends up working for us, but it's not guaranteed.

    In other words, taking for granted that OSS is more secure because it's OSS is a dangerous mistake.

  13. I think... by mangus_angus · · Score: 2, Insightful

    Mr. Mitnick is forgetting that most people want to see the proprietary software code because it is closed to prying eyes. Whereas OSS being open to everyone is less appealing. And any issues that need to be fixed will be in a shorter time due to more people around the globe working on it. Whereas with Proprietary software you have a small team working on it. They also have the added task (in Microsoft's case) of it having to be tested on many different systems due to the large and various types of machines the software is being run on.

  14. Re:Master of the obvious! by sbrown123 · · Score: 4, Insightful

    I think the parent, and many others, wish they had some fame, a good job, and other such things. Nice try, though.

    Wow, I have a better job than Mitnick, make more $$$ per year than him, don't have to fret with the fame, and I still think he knows less about hacking in today's world than I do. And I've never hacked a system in my life! But you're like most lemmings today who believe that if a person roams around talk shows and writes some books on hacking that he/she must be the de facto guru of hacking. Please. That's like saying somebody that robbed banks 60 years ago is an all-knowing pro at how to rob the high tech banks of today. Time changes, and with it so do people.

  15. Never understand when people say OSS is secure by TheSkepticalOptimist · · Score: 2, Insightful

    You're exposing your entire source code for public scrutiny, and this is more secure than closed proprietary software?

    How and why?

    I think people are deluded into thinking that because a project like Linux is secure, and that Linux is Open Source, ergo Open Source software must be secure. This is convoluted and dangerous logic.

    I think OSS is the most insecure software out there. Think of it. Anybody could take RedHat's source code, create their own distro filled with back doors and zombie daemons, and then distribute this OS supposedly under the guise of a secure RedHat release. This goes with any of the countless personalized Linux distros out there. Same goes for Open Office, etc, etc, etc. If you are not careful (and it is easy not to be careful when OSS is distributed largely with P2P software and bit torrents), you can end up purposely installing a corrupted OS or application whose code base has been hacked INTERNALLY and exposes your data to great risk.

    Also, your security protocols and measures are all exposed to public scrutiny. Perhaps among the Open Source community that this exposure allows them to create more secure software, by collectively working to plug holes and make the code base rock solid. But this ignores the fact that people with the same skill set but with vastly different intentions can use the same source code to FIND holes and to WRITE exploits using the original source code as its base. Wouldn't it be more difficult to find a security flaw if it uses the original source code as its base.

    I just never bought the whole OSS is more secure than proprietary software bit. The fact you have to reverse engineer proprietary software (which is full of guess work) and THEN start to find ways of exploiting it suggests proprietary software is more secure by obscurity. I think people are just making assumptions based on the fact that Windows, a closed OS, is not secure, thus closed software is less secure. It's the same mistake as assuming OSS is more secure because Linux is more secure. OS X isn't open source (for the most part) and it is secure.

    In the end, I think that if someone truly wanted to target OSS and make it a victim of hackers they would more easily find exponentially greater security flaws and deliver more damaging payloads simply by the fact they can use the ACTUAL code as a basis for their attacks. OSS has the benefit of being treated with respect by the hacker and OSS communities, it's a hobbyist community after all, why sabotage your favourite pastime? But if OSS produces the dominant OS and applications of choice for the corporate and government communities I think this whole myth of OSS as being more secure will be ended, very quickly.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
    1. Re:Never understand when people say OSS is secure by m50d · · Score: 2, Insightful
      You're exposing your entire source code for public scrutiny, and this is more secure than closed proprietary software?

      Yes.

      How and why?

      Because holes are more likely to be brought to your attention. If a good guy has access to your source, they may well look through it, and if they're doing that, they may well spot any holes, even if they weren't looking from a security standpoint, if they were just looking to improve your code. Whereas the only person who's going to bother looking for holes in a closed program is a bad guy.

      I think OSS is the most insecure software out there. Think of it. Anybody could take RedHat's source code, create their own distro filled with back doors and zombie daemons, and then distribute this OS supposedly under the guise of a secure RedHat release.

      It's just as easy to do this with windows, OSX or anything you like, you don't need source access to do it. People know, or should do, to get PGP sigs from the official site.

      If you are not careful (and it is easy not to be careful when OSS is distributed largely with P2P software and bit torrents)

      Of course, but if you're the kind of person who will do that, you probably won't be careful when you're downloading programs for other OSes. In which case you're just as owned.

      Also, your security protocols and measures are all exposed to public scrutiny. Perhaps among the Open Source community that this exposure allows them to create more secure software, by collectively working to plug holes and make the code base rock solid. But this ignores the fact that people with the same skill set but with vastly different intentions can use the same source code to FIND holes and to WRITE exploits using the original source code as its base. Wouldn't it be more difficult to find a security flaw if it uses the original source code as its base.

      Yes, it would be. But if it's more difficult to find a flaw, that actually makes you less secure. If anyone can find a flaw, if you're lucky it will be a friendly OSS programmer who will just fix it. If you're unlucky it will be a script kiddie who will deface your homepage - annoying and embarrassing, but not a real problem. If it takes lots of skill and effort, the only person who will bother to find it is the one who's going to use it to take your credit card database.

      In the end, I think that if someone truly wanted to target OSS and make it a victim of hackers they would more easily find exponentially greater security flaws and deliver more damaging payloads simply by the fact they can use the ACTUAL code as a basis for their attacks.

      You don't need the code to do the attack, once you've found the hole, exploiting it is easy enough without it.

      --
      I am trolling
  16. Doublespeak ? by bmajik · · Score: 4, Insightful

    So when Mitnick says it is easier to hack OSS software, people say "duh"

    When Microsoft says "making our stuff open source will make it easier to find vulnerabilities", people say "Stop FUDing, Microsoft"

    I don't see how you can believe it when Mitnick says it and how you can refute it when Allchin says the same thing.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
    1. Re:Doublespeak ? by Cal+Paterson · · Score: 2, Insightful

      Every so often someone comes in and claims to have found some blatantly obvious "double standards." What you've failed to take account of is that these are opinions expressed by different people. They could only be double standards if they were voiced by the same person.

      The slashdot community isn't some kind of hive mind; generally, people have different opinions.

    2. Re:Doublespeak ? by Knuckles · · Score: 5, Insightful

      You can't believe it because you (1) are making up an argument for the aim to refute it, commonly called a strawman, and (2) treat a collection of people as an individual. (Is there a fallacy name for this too?)

      ad (1)
      Mitnick did not say "it's easier to hack" (I assume TFA/you mean "crack" here) which would mean that it's easier to get unauthorized access.

      In fact TFA quoted Mitnick as saying that finding vulnerabilities in OSS code is easier, since it's easier to analyze for holes. This is true for both black-hats and white-hats, so it gets evened out somewhat. On the other hand, finding holes in closed source is harder for black-hats, but fixing them is impossible for white-hats, so overall this might put black-hats at an advantage.

      And you leave out that OSS is not just "GPL the source and put it on a server". Mature OSS projects generally are modularized well, because parallel development is greatly hampered otherwise. Closed projects tend to be much dirtier in this respect.
      Incidentally, this separation also helps secure coding.

      ad (2)
      It should not be a surprise that among > 1,000,000 /. users, you find both people who say "duh" in the one, and others who say "Stop Fudding" in the other story.

      Actually, what happens is this:
      Some people say "duh", because, well, duh, but you leave out the supporting argument that while Mitnick's assertion is obviously true, TFA left out the fact that it is easier to fix also.
      Other people say "FUD", because they forget that Allchin is somewhat right: putting Windows in the open now, necessarily with insufficient preparation and code cleanup, would make it more insecure. But that does not mean that it couldn't be more secure had it been constructed in the open from the beginning.

      And I can't believe there are idiots who modded you +5 Insightful.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    3. Re:Doublespeak ? by FireFury03 · · Score: 2, Insightful

      So when Mitnick says it is easier to hack OSS software, people say "duh"

      He didn't quite say that (in fact, he didn't really say a lot). My interpretation of his comment was basically that given 2 pieces of software with a similar number of security holes in, it's easier to crack the open stuff (well duh).

      Of course, that's ignoring the fact that FOSS software _generally_ seems to be more secure than closed software. You can make up your mind as to why that is, but some thoughts:
      1. FOSS software has more people looking at it to find the security holes.
      2. If your software is closed you can be much lazier about coding and bugfixing since it's less likely someone (e.g. a peer) will discover your crap code. This means that you will be more inclined to give in to the commercial pressures at the expense of security.
      3. The person discovering the security hole can (and often does) produce a patch or extensive debugging for FOSS software. This is not possible for closed software. Whilst the patch may not be used in the end it does give the developers a starting point (same goes for debugging - when I've found bugs in FOSS software I have usually done some extensive debugging and can point the developers in the general direction of the bug even if I haven't been able to fix it myself).

      Assuming you can get the number of bugs in closed software down to the same level as open software then of course the closed software is going to be more secure, the thing is that the open nature of the software seems to make bugs fewer and that tips the scales.

      Note: I am aware that there is crap code in both the open and closed worlds, I'm talking about the _big_ projects here. E.g. Apache vs. IIS, Firefox vs. IE, etc.