OSS is an easier hack: Mitnick
In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he’d prefer to attack an open source environment.
â€œOpen source would be easier [to hack],â€ admits ex-hacker turned security consultant Mitnick. â€œIt’s less work.â€
Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called â€œfuzzingâ€.
Fuzzing means putting fake data â€“ such as really long strings â€“ into portions of the application that allow user input. â€œYou want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn’t validated the input. You could supply your code in a particular manner â€“ thus tricking the application or function into executing your own code. Hackers want to execute their own code â€“ preferably with privileges â€“ and then they gain control.
â€œOn the face of it, open source software is more secure,â€ says Mitnick. â€œA lot of eyes are looking at the code. You’d think that with OSS, with more people looking at the code, you’re more apt at finding security holes. But are enough people really interested?â€
Mitnick does qualify his statement carefully – it’s six of one and half-a-dozen of the other. â€œThen again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code,â€ he says diplomatically.
Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.
He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he’s penning an autobiography to clear up some myths about himself. And no, you can’t launch a nuclear attack by whistling into a telephone.