http://www.whitedust.net/article/41/Interview:_Fyodor/
By Mark Hinge and Peter Prickett
17 Oct 2005

WD> What first drew you into the world of computing?

My father is a hobbyist programmer, so I grew up with computers. In the early days I used an Apple ][ and Vic-20. By the time I really learned how to program, we had a PC XT. I thought DOS was cool, so UNIX really blew my mind when I discovered it in high school. That was where I got into security, too, as my friend David and I had shell accounts on the same ISP and would continually hack each other's accounts :).

WD> Why did you create Nmap? [1]

In The Cathedral and the Bazaar [2], Eric Raymond notes that 'every good work of software starts by scratching a developer's personal itch.' That was certainly my motivation for creating Nmap. I had a whole directory of scanners, including Julian Assange's Strobe, the reflscan SYN scanner, the UDP scanner from SATAN, a FIN scanner from Uriel Maimon, and many more. They all have very different options and limitations. I would want to use one scanner with an option from another. So initially I made my own modified versions of each scanner. Eventually, I decided the best approach was to create my own scanner from scratch. It would support all of the major scan types while being fast and efficient against large networks. Thus, Nmap was born. I used it myself for a while, and then released it to the public in a 1997 Phrack Article [3]. I hoped people would find it useful, but considered the project 'done' at that point and was ready to move onto new things. So much for that! I was overwhelmed with the response to Nmap, with so many people sending improvements that I released a new version. That cycle has continued for more than 8 years now :).

WD> Have you ever been concerned that Nmap is used for blackhat purposes?

I doubt that Nmap has ever been used for blackhat purposes. OK, maybe once or twice :).
But seriously -- there is no way I can write a program that allows you to audit your own networks for security risks without also enabling bad guys to do the same. And trying to limit distribution to only 'good guys' is a lost cause. I believe that on balance, Nmap is a major net benefit to Internet security. If that ever becomes untrue, I will cease development.

Another tool I have written is an advanced denial of service utility named Ndos, which I have used effectively to briefly disable the web presence of major corporations (at their request and under controlled circumstances). I have not publicly released Ndos because I fear that it would be used more for abuse than for constructive purposes.

WD> Your most famous piece of software is, obviously, Nmap. What other pieces of software have you created? How successful have they been?

I used to work for an Internet startup company, which was purchased by Netscape, which was then purchased by AOL, which then merged with Time Warner. Phew! I created (and helped create) a number of popular online applications during that period, though none are really relevant to the security community.

Most of the time I write something new, I try to architect it so that it fits into Nmap. For example, OS detection [4] and version detection [5] could easily be standalone applications, but I decided to build them into Nmap instead.

This summer, Google generously agreed to sponsor 10 student Nmap developers [6] as part of their Summer of Code program. One of the most exciting projects is Ncat by Chris Gibson. This is a reinvention of Ncat with cool features such as IPv6, better portability and documentation, connection encryption and authentication, inetd-like capability to spawn multiple concurrent applications, connection redirection, and more. One neat feature is connection brokering, which allows multiple hosts behind NAT gateways to communicate with each other through a centralized Ncat server.
It shares a lot of code I wrote for Nmap, including the Nsock and Nbase portable networking libraries.

Other interesting Summer of Code projects include:

* Doug Hoyte nearly tripled the size of the version detection database and added OS/device type/hostname detection to the system. The database now contains about 3,000 entries for more than 350 service protocols (X11, SNMP, SMTP, etc.)
* Zhao Lei added more than 350 OS detection fingerprints to Nmap [7], bringing the total to 1684. He also helped design a 2nd generation OS detection (stack fingerprinting) system
* Adriano Monteiro designed and implemented an advanced Nmap GUI and results viewer named UMIT [8] (screenshots) [9].
* Ole Morten Grodaas designed and implemented another advanced Nmap GUI and results viewer (it's nice to have choices in open source!) named NmapGUI. Further details and download links are here [10].

It is worth noting that these GUIs aren't simple wrapper scripts for people who have trouble remembering Nmap command-line options. They offer powerful features for visualizing and searching large scan results.

While the program is over, all of these developers have continued active development to improve their projects, which aren't yet fully polished and debugged. People interested in helping with development and testing of these or any other Nmap-related projects are encouraged to join the nmap-dev [11] (high volume, unmoderated) and nmap-hackers [12] (low volume announcements) lists.

WD> How long did Exploit World [13] run for? What were its aims? What caused it to come to an end?

I launched Exploit World in 1995 and updated it regularly until the summer of 1998. The aim was to catalog vulnerabilities in a full-disclosure manner that includes bug details and even exploits. This was another 'scratch an itch' project -- I kept such a database for my own purposes anyway, so I decided to put it up online so everyone could benefit from it.
While the exploits are all ancient, the site is still pretty popular because it is the first Google hit for various phrases such as 'ping of death'. The problem, as so many exploit and vulnerability archives have learned over the years, is that maintenance is hard and tedious work. As the Nmap project grew to take up most of my time, I lost the motivation to continue with Exploit World. Plus, there were other good archives by that point in time and so redirecting the effort to Nmap was more useful.

WD> We have been asking the question is hacking an art or a science? What is your opinion?

The question makes it sound like these are exclusive. Science can be creative and beautiful like art. Also, the term 'hacking' is overburdened with meanings. But I'll try to answer anyway. I consider programming and vulnerability research and exploitation to be more science/engineering than art. You are drawing upon a large base of knowledge and using a methodology to achieve a desired practical and verifiable result (such as busting root). That is not to say that hacking is pure methodology that could be reproduced by a robot or shell script. True breakthroughs usually require great creativity. But this also is true of biology, chemistry and just about any other science. My major in college was molecular and cellular biology until I switched it to computer science, and there were many parallels.

WD> On your site you claim 'there are aspects of the hacker community that disgust me', can you give us examples?

I hate to see people out there causing wanton damage just for attention. Compromising some school network just so that you can delete their web pages and post some self-aggrandizing rant about how skilled you are and how dumb the admin must be does not help make the world a better place. Such antics won't impress anyone worth impressing either. Illegal activity motivated by money is at least as bad.
I hate to see security tools and information misused for spamming, propagating worms, extortion, etc. One of the Google SoC applicants listed on his resume that 'I am the leader of small programming band that developes ... email retrive application (from sites, newsgroups, brut force selection) for spam distribution'. WTF? Since when is that something to be proud of? I'm not saying that these people are part of the hacker community per se, but they are often using some of our tools and techniques.

While conducting illegal/hurtful activity for money makes my blood boil, I'm not anti-capitalist. Sourcefire was recently acquired for $225,000,000, and I say good for them! Especially if they keep their commitment to continue GPL Snort development.

WD> How do you feel about Tenable's announcement [14] that Nessus 3 will be closed source?

I am disappointed by that move, as I feel that source code availability is critical for trusting important security tools. Nessus' open source nature was one of its biggest advantages over a myriad of commercial competitors. Heck -- their official slogan was 'the open-source vulnerability scanner' until this month. This leaves a vacuum in the security community for a new open source vulnerability scanner (or fork of Nessus 2.2). Several groups (Gnessus, Sussen, Porz-Wahn [15]) have stepped up to the plate in launching these forks, and I hope that at least one of them succeeds.

One of Tenable's justifications for closing the Nessus source was that few people contributed. It is easy to take the open source tools we depend on for granted, and forget that open source is a two way street. The bazaar software model doesn't work so well with everyone taking and not contributing back. In my Nessus response [16], I suggest a few ways that programmers and non-programmers can support projects they use and enjoy.
Rather than mope over the loss of open source Nessus, we can treat this as a call to action and a reminder not to take valuable open source software such as Ethereal, DSniff, Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Note that I have no plans to change the license for Nmap. It has been distributed under the GPL for more than eight years and I am happy with that license.

WD> Do you consider yourself to be a hacker?

Yes.

WD> In order to be a hacker do you need to be part of the 'scene'?

Absolutely not. Some of the smartest guys I know are your stereotypical anti-social nerds that spend all of their time hacking, driven by an insatiable passion for technology. Yet they don't care for attention, recognition, or the whole social scene. That doesn't make them any less of a hacker.

WD> Do you know Tony Watson?

Yes. I live in Palo Alto, a few miles from Google's headquarters in Mountain View. While Google has screwed up the already obscenely high housing values around here by minting so many millionaires, a side benefit is that they have recruited many great security minds from around the world. Niels Provos, Paul (Tony) Watson, 0100, and other cool hackers now call the area home. While I'm glad that Tony moved here, I knew him previously from his CanSecWest appearances. Speaking of Tony, I hear that he gave a great interview for Whitedust [17] :)

[Yeah we really liked talking to him he's one cool cat :) -psg]

WD> Do you have a day job?

I work for my own company, Insecure.Com LLC. The primary business is licensing Nmap technology for inclusion in commercial products. Companies are welcome to use Nmap for free if they comply with the GPL (make their product open source), but those wanting to use Nmap in proprietary products must pay a license fee. This allows me to work on Nmap full time. It also benefits users of those proprietary tools, which are often specialized for different purposes than Nmap.
The code these companies get is exactly the same as GPL Nmap. I also do some pen-testing and vulnerability assessment gigs, though I'm too busy to take on new clients for the next year or so.

WD> You co-authored a best selling book last year named Stealing the Network: How to Own a Continent. What is it about?

This was an exciting project because it is hacker fiction, as opposed to the technical documentation that I usually write. I teamed up with FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several other hackers to write individual stories that combine to describe a massive electronic financial heist. Unlike your average Hollywood portrayal (Swordfish, Hackers, The Net, etc.), we portrayed realistic attacks and technology. For example, my character Sendai uses Nmap, Hping2, Ndos, and similar tools to exploit network configuration and software vulnerabilities commonly found in the wild. Syngress (the publisher) was cool enough to let me post my chapter online for free [18].

I am also working on a book on network scanning with Nmap. I only have a couple chapters left to draft, though the editing and publishing phase will take months.
[1] http://www.insecure.org/nmap/p51-11.txt
[2] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
[3] http://www.insecure.org/nmap/p51-11.txt
[4] http://www.insecure.org/nmap/nmap-fingerprinting-article.html
[5] http://www.insecure.org/nmap/versionscan.html
[6] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0000.html
[7] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html
[8] http://sourceforge.net/projects/umit
[9] http://umit.sourceforge.net/screenshots/umit_pics/
[10] http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0125.html
[11] http://cgi.insecure.org/mailman/listinfo/nmap-dev
[12] http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[13] http://www.insecure.org/sploits.html
[14] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[15] http://www.gnessus.org/
[15] http://sussen.sourceforge.net/
[15] http://porz-wahn.berlios.de/homepage/about.php
[16] http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html
[17] http://www.whitedust.net/article/31/Interview:_Paul_Watson/
[18] http://www.insecure.org/stc/
This archive was generated by hypermail 2.1.3 : Sun Oct 16 2005 - 21:23:46 PDT