OSS is an easier hack: Mitnick

By   |  January 30, 2006

Slashdotted?
In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he’d prefer to attack an open source environment.

“Open source would be easier [to hack],” admits ex-hacker turned security consultant Mitnick. “It’s less work.”

Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called “fuzzing”.

Fuzzing means putting fake data – such as really long strings – into portions of the application that allow user input. “You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn’t validated the input. You could supply your code in a particular manner – thus tricking the application or function into executing your own code. Hackers want to execute their own code – preferably with privileges – and then they gain control.

“On the face of it, open source software is more secure,” says Mitnick. “A lot of eyes are looking at the code. You’d think that with OSS, with more people looking at the code, you’re more apt at finding security holes. But are enough people really interested?”

Mitnick does qualify his statement carefully – it’s six of one and half-a-dozen of the other. “Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code,” he says diplomatically.

Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security.

He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he’s penning an autobiography to clear up some myths about himself. And no, you can’t launch a nuclear attack by whistling into a telephone.

Comments

12 Responses to “OSS is an easier hack: Mitnick”

  1. tudor
    January 30th, 2006 @ 12:00 am

    You don\’t think that Mitnick is trying to sell his computer security consultancy…….or perhaps tickets are going slowly for his upcoming South African lectures.

  2. Uno Engborg
    January 30th, 2006 @ 12:00 am

    I would say that fuzzing sometimes is far easier than looking at millions of lines of code. Even though knowing the code could make it easier to do something fun, evil, or even useful once you get in.

    The problem for the potential FOSS cracker is that there are far more people that want the code to work than there are people that want to destroy it. So problems tend to be fixed very quickly.

    By the way, Mitnik did his crimes by going after the weakest link in a computer system, the HUMANs running them. As long as you can do that, it doesn\’t really matter if you can read the code or not.

  3. Reginald Eugenia
    January 30th, 2006 @ 12:00 am

    Ahh the old \”security through obscurity\” garbage. Could someone please tell me how exactly Kevin Mitnick could be considered any kind of authority on modern security? What are his credentials outside of going to jail for hacking ancient closed source systems from 20 years ago?

  4. uhh
    January 30th, 2006 @ 12:00 am

    And no, you can\’t launch a nuclear attack by whistling into a telephone.

    Technically, if you were to accurately reproduce the tones generated by a modem, connected to a remote dial-in of some russian missile site, you could start whistling the tones and launch the missle.

  5. alice burgett
    January 30th, 2006 @ 12:00 am

    Windows has been easily compromised from its inception without access to source code. Nobody bothers with reverse-engineering, sheesh, it\’s not necessary. Go to the back of the class, mr mitnick.

  6. andrew
    January 31st, 2006 @ 12:00 am

    \”He served five years in prison…\”

    The writer of the article neglected to mention without a trial.

    Mitnick spent four years in pre-trial, and then struck a deal to do one more year and avoid a trial. – ed

  7. TurboDisturbo
    January 31st, 2006 @ 12:00 am

    I just have to laugh….

    Every time I see a comment about computer security from Kevin Mitnick, it makes me chuckle.

    During the technology boom, Kevin was, well shall we say \”occupied\” with things that would prevent him from learning about the real intricies of security; i.e. hardware based security, Cisco infrastructures, what the TCP/IP stack really did to hurt Windows, etc.

    I have known Kevin for a very long time; 28 years to be exact. I did lose touch with him after he was first incarcerated.

    His methods of hacking relied heavily on the ignorance of others; which he was most fond of bragging about.

    For instance, he would write a program that would blatantly gain him access to a system. After compilation, he would coerce a computer operator to run his program; claiming he has problems with the execution.

    If the operator ran the program from the root ( at that time the (1,* accounts ), the privileged commands he placed within the program would give him access to the information he was looking for.

    At the time he was particularly interested in Digital Equipment machines running an operating system called RSTS/E.

    Well, 20 something years have gone by. I have kept tabs on him from time to time, read a lot of what he has been able to publish lately and kept an eye on some of his associates he used to hack with back in the day. I have reached the following conclusions :

    1. Kevin is not qualified to make decisions about computer security. Just read his comments on Open Source to figure that out.

    2. I would believe that he has not mastered another programming language or current operating system such as Windows to fully understand how vulnerable those systems are to attack.

    3. I also believe that he is still in cahoots with at least one of the people that he hacked with, making him the biggest security risk there is.

    Kevin was a grand manipulator. I am sure that his skills in that area have improved exponentially. I bet he could talk Oedipus into leaving home.

    Caveat Emptor.

  8. Tony Cossey
    February 1st, 2006 @ 12:00 am

    the comments on OSS and source code availability are true enough but with any operating system a careful user will always check for software updates anyway, rendering expoits closed. The most effective black hats find an exploit and keep it \’under their blacks hats\’ as knowledge is power (and admin rights). However to argue the OSS standpoint hundreds of white hats are reviewing OSS code to block security loopholes, so its a double edged sword.

  9. Sam L
    February 3rd, 2006 @ 12:00 am

    It is easier to vandalize a public park than it is to vandalize a locked gated community. Any low life dope know that. How much easier? Not much if the community is watching. How tempting, less if the dope has any ethics and less if the community is willing to both belt the culprit, and ignore loud mouthed ex-vandals. What most hackers need is to \”get a life\”…..and terrible ticket sales.

  10. Frank J
    July 5th, 2007 @ 12:00 am

    Sam L, you don\’t know what you are talking about. You are just mad because Hackers are smarter than you and they understand computer\’s better than you. Also, About low lives, you cannot make fun of them because you most likely are one.

  11. Frank J
    July 5th, 2007 @ 12:00 am

    Sam L, you don\’t know what you are talking about. You are just mad because Hackers are smarter than you and they understand computer\’s better than you. Also, About low lives, you cannot make fun of them because you most likely are one.

  12. Tom
    August 13th, 2007 @ 12:00 am

    Kevin, left quite a good impression from that movie. I refuse to stop myself from getting inspired by him.

Comments are closed