http://www.tectonic.co.za/view.php?src=rss&id=839 By Jason Norwood-Young 30 January, 2006 In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment. "Open source would be easier [to hack]," admits ex-hacker turned security consultant Mitnick. "It's less work." Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called "fuzzing". Fuzzing means putting fake data - such as really long strings - into portions of the application that allow user input. "You want to make that function call fail. Does it cause an exception? If it does then the programmer probably hasn't validated the input. You could supply your code in a particular manner - thus tricking the application or function into executing your own code. Hackers want to execute their own code - preferably with privileges - and then they gain control. "On the face of it, open source software is more secure," says Mitnick. "A lot of eyes are looking at the code. You'd think that with OSS, with more people looking at the code, you're more apt at finding security holes. But are enough people really interested?" Mitnick does qualify his statement carefully - it's six of one and half-a-dozen of the other. "Then again, a lot of people are really good at reverse engineering. You can obtain illicit copies of [proprietary] source code," he says diplomatically. Mitnick was arrested in 1995 by the FBI for hacking. He served five years in prison, including eight months in solitary confinement after it was alleged that he could launch nuclear missiles by whistling into a telephone. He will be in South Africa next month for the ITWeb Security Summit 2006, and will speak about social engineering and wireless security. He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server, Debian, Gentoo and Solaris. Currently he's penning an autobiography to clear up some myths about himself. And no, you can't launch a nuclear attack by whistling into a telephone. _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Jan 30 2006 - 23:11:15 PST