http://hert.org/story.php/46/ By sulla August 19, 2004

Kismet is simply the best war driving tool out there, plus it's free as in GPL. It runs on Linux, *BSD, Mac OS X and even on your little Linux PDA. The brain and guts driving its development is Mike Kershaw, alias Dragorn, who works during the day on IBM mainframes and hacks Kismet code at night. Mike graciously agreed to a HERT interview to tell us a little bit more about himself, his view on WiFi security and the future of Kismet.

What is your background?

I've been running Linux for about 10 years now, and programming since I was a wee larva on a TI-99a console.

What do you do for a living?

My non-wireless alter ego gets paid for doing work with big iron - IBM mainframes and large numbers of virtual servers.

What were you working on before you started Kismet?

Nothing of any great notice -- I've always had a continual slow trickle of code for various projects, bugfixing other software I use, etc. Kismet was my first public project that really caught on.

I guess you probably consider yourself a hacker. Define hacking?

My preference is the old-school definition - if you mean digging into things, figuring out how they work, and having fun learning, of course!

Tell us about the first time you played with wireless networks and what motivated you to start coding Kismet.

I'd gotten a cheap Linksys card and was poking around and found Airsnort. At the time, the drivers only supported PF_NETLINK sockets to fetch packets, which meant only one program could capture packets at a time, and Airsnort had no capabilities to dump the packets to a file - watching the number of packets seen count up isn't much fun if you can't do anything with them! Kismet's very beginnings were a set of modifications to Airsnort to display SSIDs and log the data to a dumpfile that Ethereal could read.
Once I got a Cisco card, I had to rewrite the capture system to support different drivers, and it just grew from there and became its own program entirely.

Did you imagine that the security of WiFi networks would be so bad?

Definitely not at the beginning! Now I've become entirely jaded towards security as a whole (or rather, people's complete lack of it) and not much surprises me when it comes to open wireless networks. Despite all the press about it, the overall percentage of unencrypted networks is still at about 80% (*), and companies still make the news for exposing personal data over insecure networks.

(*) Percentage gathered from the PC running in my car that monitors all the time.

I bought a Linksys WRT54G access point 2 weeks ago and by default WPA encryption isn't enabled and the password was admin. WiFi products are marketed as reliable and secure. Don't you think they give a false sense of security?

I think it all depends what environment you're using the network in. Most home users are, bluntly, boring: the chances of someone spending the time to crack WPA (or even WEP) just to get to your network connection is pretty slim, especially when they can just go 10 feet down the road and find an open one. For most people at home, WPA should be just fine. I think the problem really comes in in the small office segment. If you run a business that handles personal information about customers, I DEFINITELY wouldn't trust WEP or WPA alone. Unfortunately, the same group likely to buy consumer hardware like this for a smaller office is the same group least likely to understand the security implications. I don't know how this can be solved, other than more education about security.

What do you think of the WiFi Alliance's effort to fix WEP with WPA? Will 802.11i finally raise the bar high enough in terms of security?
It's a step forwards, for sure, but it's not going to solve everything. In fact, work is being done now which exposes holes in the key distribution used by most vendors - the IEEE spec doesn't specify that the backend RADIUS connection has to be encrypted, and once that is known the entire key exchange can be extracted.

Have you obtained any financing, major sponsor or donation for your project?

I've gotten continual donations of hardware from users who want better support for different cards - without that, I don't think Kismet would work as well as it does with as many different cards. Obviously, I won't turn down donations of any sort, but I don't spend a lot of time actively seeking them.

Are you working on a commercial version of Kismet?

Nope, no real plans for a commercial version. I'm a big fan of open source; Kismet couldn't have gotten to where it is without other open source projects for me to learn from and draw upon, and I wouldn't feel right turning it into a commercial product.

On the vendor side, do you think any products could compete with Kismet? What do you think of AirDefense?

I've got a comment I usually make when asked that: "Anyone who can afford AirDefense isn't going to even consider an open source product." I don't really view myself in direct competition with them, though of course I hope to keep advancing Kismet until it can be considered enterprise-quality as well. To some extent, the commercial vendors will always be a step ahead, since they sign NDAs and get full information on the chipsets, while the open source side is limited to the information which is made public.

What's the status of the plugin architecture and API?

Still working on it. Every release brings Kismet a little closer to supporting plugins, as more and more of the core of the program gets rewritten and modularized.
Soon I'll be replacing large sections of code and redesigning the core packet handlers to be modular; I've got about 5000 lines pending completion to merge in now.

Kismet is running as root and it uses pcap and Ethereal libs; have you implemented some kind of privilege separation like in OpenSSH yet?

Actually it's had that for a very long time - it does a combination of process separation and priv dropping. Current versions of Kismet spin a separate process and communicate via IPC to perform root operations like channel control, while the main packet capture/parsing/logging/etc. process drops privs to the specified user immediately after binding to the interfaces. It's possible to disable this, but I don't suggest it at all.

I know you receive patches from Kismet users; I submitted one once :) but it seems that Kismet is still a one man show.

I'm always happy to get patches and talk to people about changes. At the moment I don't really have anything set up to allow anyone else direct access to change the code. Part of it is my own coding style - I usually have a very clear idea of where I want the code to go and how I want new features to work, which unfortunately makes it somewhat exclusive. I'd like to think I'm fairly approachable with new ideas, however, and I try to make the interfaces to interact with Kismet as open as possible (for example, the client/server protocol and the FIFO named pipe).

Netstumbler always gets a lot of press even though it is a very inferior program compared to Kismet; doesn't that piss you off sometimes?

I'm sure there's enough media attention to go around. Really, Netstumbler targets a bit of a different audience. It doesn't bother me much.

What do you think of KisMAC, BSD airtools, abaddon's AirJack?

KisMAC is some good code; their name causes a little confusion but they do a good job of making an OS X-native tool. AirJack is more proof of concept than really workable.

What computers and equipment do you own?
You probably receive a bunch of hardware donations from users who want you to support specific network devices.

I've got a Sony laptop for most of my development, and I try to get one of each chipset out there to help with support.

How hard would it be to reverse engineer and implement an RFMON driver for Airport Extreme and other Broadcom chipsets?

Fairly difficult. You'd have to set up a low-level debugger in Windows and trace every memory write it does to the PCMCIA card, and then try to interpret them. I haven't even attempted it since I don't run Windows anywhere.

What's on your todo list?

New TCP core, new packet path, plugins, new IDS stuff, general rewrite and cleanup of a lot of code, and general cleanup and stability fixes. Always something.

War driving in town using Kismet kinda reminds me of the VL glasses in William Gibson's novel Virtual Light. These data-glasses overlay data and plans on top of your vision, the same way you can imagine wireless networks and IP packets bouncing from building to building. There are 3D GPS navigation gizmos on the market already; do you have any long term plan to implement realtime 3D mapping?

It would be fun! I've toyed with the idea; of course, anyone who's interested can write a GL client to tie into the client/server protocol.

Besides Kismet, any other projects or ideas?

I'm finishing up the cleanup of the smart-AP code I wrote for HOPE 5 to try to manage intelligent groups of access points in hostile environments like hacker conventions.

Your girlfriend or wife isn't jealous you spend a lot of time on computers?

Well, I'm single at the moment. I suppose that answers that question.

-m

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
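Dragorn describes the capture process binding its interfaces as root and then dropping privileges to a configured user. The C program below is an added illustration of that drop written for this page, not Kismet's own code; the function names (resolve_user, drop_privileges, privilege_drop_is_permanent, drop_to_user) are chosen here, and the target account comes from the command line rather than from Kismet's configuration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not Kismet's code: find the unprivileged account. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups and the
 * gid must be changed while still root, since setuid() makes that impossible
 * afterwards. setgroups() is only attempted when we actually are root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

/* The drop is only worth anything if root cannot be regained. */
int privilege_drop_is_permanent(void) {
    return setuid(0) != 0;
}

/* Mirrors a "run as this user" setting: resolve, drop, verify. Also refuses
 * to keep going if the configured user is root itself. */
int drop_to_user(const char *name) {
    uid_t uid;
    gid_t gid;
    if (resolve_user(name, &uid, &gid) != 0 || drop_privileges(uid, gid) != 0)
        return -1;
    return privilege_drop_is_permanent() ? 0 : -1;
}

/* A capture daemon would open its interfaces (the root-only step) first. */
int main(int argc, char **argv) {
    if (argc != 2 || drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "usage: %s <user>; drop failed or root regainable\n", argv[0]);
        return 1;
    }
    printf("now uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root with an unprivileged account name to see the ids change; run with "root" and it refuses, because the permanence check fails.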
This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 03:29:03 PDT