Forgot your password?
typodupeerror
Security The Internet

Fyodor Answers Your Network Security Questions 277

Posted by Roblimo
from the eating-script-kiddies-for-breakfast dept.
You asked nmap creator Fyodor many excellent questions, and his answers (below) are just as excellent. You'll want to set aside significant time to read and digest this interview, because Fyodor didn't just toss off a few words, but put some real time and energy into his answers.

1) Interesting stories involving nmap?
by Neologic

Nmap has obviously become a huge success in the *nix world. I would wager that practically all sysadmins and security folk use nmap. With this sort of use by such creative and lazy people, there must have been some interesting stories involving nmap, perhaps unusual uses of it, or funny anecdotes. Are there any you would like to share?

Fyodor

The coolest use ever was undoubtedly when Trinity used it to try and save the human race :). But the use I find most gratifying are the Chinese students and residents who have written me about how they use Nmap to locate open proxies. These proxies allow for surfing the uncensored Internet, including the news, educational, pornographic, religious, open source software, government, political, search engine, and human rights sites that are blocked by the Great Firewall of China.

Many of the best features in Nmap came from the user community in ideas if not implementation. For example, the protocol scan (-sO) determines what IP protocols (TCP, UDP, GRE, etc.) a host is listening for. I had not thought of this, but the idea and patch came out of the blue one day in an email from Gerhard Rieger. On another day, a guy named Saurik sent a patch called Nmap+V that allows Nmap to do basic service/version fingerprinting against open ports. It has attracted a cult following, and I plan to add similar functionality to Nmap this year. The initial Windows port by eEye arrived similarly. Despite all these great suggestions, certain other user-contributed ideas are not on the agenda.

Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

2) Recent increases in anal-retentiveness...?
by Zeriel

There's been a marked increase in system administrators thinking that anything even remotely resembling a network scan is eeeeevil (case in point, last year I almost got kicked out of college for scanning port 80 on my dorm subnet looking for interesting websites to read)...

What do you think can be done to make scanning IP addresses/ports have less of a negative stigma? This is in the same sort of category as legit vs. illegit uses of anything else (P2P, whatever)--what's the rationale for punishing something that could maybe lead to criminal activity, and how can we make network scanning tools have practical uses again?

Fyodor

That is an excellent question, and one that concerns me as well. But first, I think your final statement is too extreme. I would guess 90% of network scanning is non-controversial. You will rarely be badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are a lot of (good and bad) reasons for doing this sort of network exploration. Perhaps you are scanning the other systems in your {dorm, department, cable LAN, conference LAN} to look for publicly shared files (FTP, SMB, WWW, etc.). Or perhaps your just trying to find the IP of a certain printer. Maybe you scanned your favorite web site to see if they are offering any other services, or because you are curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity-check before handing off your credit card details to that ecommerce company. You might be conducting Internet research, or be bored on a rainy afternoon. Or are you conducting reconnaissance in preparation for a breakin attempt?

The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I've seen a few people with non-administrative roles land in hot water after deciding to "prove" network insecurity by launching an intrusive scan of the entire company or campus. Admins tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack.

You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

  1. Don't do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms "port scanner" or "packet"? Spend $10 bucks a month for a dialup or shell account. You didn't really violate this rule, as scanning your dorm subnet for just port 80 should not even be remotely controversial!
  2. Target your scan as tightly as possible. If you are only looking for web servers, specify -p80 rather than scanning all 65,535 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan. Don't scan a /16 when a /24 will suffice. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even "-T Polite") rather than "-T Insane".
  3. Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent Idle Scan technique. But remember there is always a trade-off. You will be harder to detect if you launch scans from an open WAP far from your house, with 17 decoys, while doing followup probes through a chain of 9 open proxies. But if anyone (such as Tsutomu Shimomura) does track you down, they will be mighty suspicious of your intentions.

I occasionally consider adding some sort of "notification packet" prior to a scan that would give hosts the chance to respond and opt-out. This would be like the /robots.txt directives currently used to control polite Web robots. Perhaps the format could even include a text string that IDS systems could log, like: nmap -sS -p- -O -m "Direct questions about this scan to ops at x3512" 192.168.0.0/16 nmap -sS -p- -O -m "mY n4m3 iZ Zer0 |<00L and I'll 0wn j0o%#@" targetcompany.com/24 Of course Nmap would have an option to omit the notification or to send it and ignore any negative responses. Some scanners, such as ISS Internet Scanner already send out NetBIOS popup messages to scanned hosts by default, and other scanners use syslog. I won't be adding any features like this to Nmap unless I see substantial demand and the obvious issues are worked out.

3) OS fingerprinting
by neoThoth

What are the latest advances in fingerprinting networked devices that seem most promising to you? I have started reading papers on HTTP fingerprinting and such and wonder how these will figure into the NMAP architecture. What are the most elusive OS's that aren't on the NMAP OS fingerprint database?

Fyodor

There are a number of OS detection techniques I hope to add this year. One is to guess (or calculate) the initial TTL of response packets, since this varies by OS. Some operating systems also "reflect" your own chosen TTL under various circumstances. Then there are some newer TCP options, such as selective ack that I might test for. Explicit Congestion Notification (RFC 2481/3168) also shows promise. I'll probably add all of these at once later this year, after discussions with the Nmap-dev list. If you wish to participate, you can join that list by sending a blank email to nmap-dev-subscribe@insecure.org. There is also a low volume, moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 15,000 current members by mailing nmap-hackers-subscribe@insecure.org [archives].

While adding new fingerprinting techniques is fun and exciting, improving the signature database often ads more value. The DB now contains more than 850 signatures, from the Acorn RISC OS and Aironet wireless LAN bridge to the ZoomAir wireless gateway and Zyxel Prestige routers. We're talking gaming consoles, phones, PBX systems, PDAs, webcams, networked power switches, you name it! New fingerprints are submitted daily.

Application level fingerprinting (including HTTP) is coming. I usually regret stating dates, but I hope to develop this functionality within the next 3 months.

4) Stepping into a network security career
by Anonymous Coward

I'll be graduating this month with a shiny new BS in Computer Science. I've done plenty of Unix sysadmin work throughout college and even deployed some high-interaction honeynets. I'm very interested in network security and systems programming. Do you have any advice for people in my situation who want to head into a career in network security?

Fyodor

Congratulations on your graduation! Unfortunately (for newcomers), the security field is one that often expects substantial experience and references. This is partly because these jobs require extraordinary trust, and also because of an aversion to mistakes. Everyone makes mistakes, but they can be extraordinarily costly in security and neophytes tend to make more of them. But don't lose hope! Talented security minds are still in very high demand, just be aware that you will have to work even harder to prove yourself.

Here are my suggestions for anyone starting out in network security, whether for fun or profit:

Step 1: Learn everything you can

  1. You may wish to start with reading a general overview of security, such as Practical Unix and Internet Security 3rd Edition.
  2. Reading alone won't teach you much. Hands-on experience is critical, so I would set up at least a basic test network. At the very minimum you should have a Unix box or two and a Windows machine (because these are very common in the real world). You can use very cheap machines, or even emulate a large network with virtualization software such as VMWare.
  3. Next you should learn more about how attacks are performed. Take a look at the excellent and free Open Source Security Testing Methodology Manual (OSSTMM). This document aims to provide a comprehensive framework for security testing. But it mostly lists tasks to perform, without specifying how to do so. You will gain a lot from this manual if you research the tasks you don't know how to complete, and if you actually try performing the tasks on your test network. If this manual is too curt or hard to follow, you could try a more verbose book on vulnerability assessment, such as Hacking Exposed 4th Edition.
  4. Now that you understand many of the general security ideas, it is time to get current. This is one area that has actually become easier in the last decade. The thinking used to be that vulnerability information should only be distributed to well-known and trusted administrators and security researchers through private digests such as Zardoz. This was a disaster for many reasons, and the full disclosure movement was born. In the last couple of years things have started to shift toward more limited ("responsible") disclosure and there is also a disturbing pay-money-for-early-disclosure trend. But information is still much more available than it used to be. Most of the news is carried on mailing lists, and I archive the ones I consider the best at Lists.Insecure.Org. You must subscribe to Bugtraq, and I would also highly recommend pen-test, vuln-dev, and security-basics. Read at least the last 6-12 months of archives. Choose other lists that correspond to your interests. SecurityFocus also offers a security-jobs list which is an excellent resource for finding jobs or just understanding what employers desire.

    There are two major reasons for reading Bugtraq. One is that you must react quickly to new vulnerabilities by patching your servers, notifying your clients, etc. You can get this by simply scanning the subject lines or advisory summaries for bugs that directly apply to you. But then you will miss out on another crucial purpose of Bugtraq. Actually understanding a vulnerability helps you defend against it, exploit it, and identify/prevent similar bugs in the future. When you are lucky, the advisory itself will provide full details on the bug. Check out this excellent recent advisory by Core Security Technologies. Note how they describe exactly how the Snort TCP Stream Reassembly vulnerability works in detail and even include a proof-of-concept demonstration. Unfortunately, not all advisories are so forthcoming. For bugs in Open Source software, you can understand the problem by reading the diff. The next step is to actually write and test an exploit. I would recommend writing at least one for each general class of bug (buffer overflow, format string, SQL injection, etc.) or whenever a bug is particularly interesting.

    Be sure to read the latest issues of Phrack and the research papers posted to the mailing lists. Send your comments and questions to the authors and you may start interesting discussions. Read well-regarded books on the security topics that interest you most.

    I can't emphasize enough that you should intersperse hands-on work with all of this reading. Install unpatched RedHat 8 (or whatever) and run Nmap and Nessus against it. Then compromise it remotely, maybe via the latest Samba hole. Start out with a prewritten exploit from Bugtraq, which isn't quite as easy as it sounds. You may have to modify the 'sploit to compile, brute force the proper offset, etc. Then break in again using a different technique, and your own exploit. Install Ethereal and/or tcpdump and ensure you understand the traffic on your network during both your exploitation and normal network activity. Install Snort on an Internet-facing machine and watch the attacks and probes you'll experience. Wander around your neighborhood with Kismet, Netstumbler, or Wellenreiter on your Laptop or PDA to look for open WAPs. Install DSniff and execute an active MITM attack on an SSH or SSL connection between two of your computers. Take a look at my Top 75 Tools List and ensure you understand what each does and when it would be useful. Try out as many as you can.

  5. Take a vacation, or at least a weekend camping! You deserve it! The steps above would probably take at least 3-12 months full-time, depending on your motivation level and the depth and breadth of your research.
Step 2: Now apply your newfound knowledge

Now you have learned enough to be dangerous. At this point, you would have little trouble obtaining most certifications, after studying the specifics of each topic. If your main goal is to find a job quickly, perhaps adding these extra feathers to your cap might be worthwhile. But I think your best bet is to prove your knowledge by joining and contributing to the security community. While this does indeed help others, it isn't an entirely selfless act. It improves your skills, leads to important contacts, and demonstrates your knowledge and ability in a constructive way. The latter is important if securing a career is one of your goals. These steps should also be fun! If not, perhaps you should keep looking at other fields. Here are some ideas:

Start participating with insightful comment and answers on the mailing lists. This is very easy and serves as a great learning experience, way to meet people, and garners some name recognition. If a security manager with a stack of 60 resumes recognizes your name, that is a huge win!

When a new worm or a big new vulnerability comes out, everyone wants to know the details. If you stay up all night disassembling the worm/patch and write the first comprehensive analysis, many folks will find that valuable. And you will learn a lot. Let your first priority be quality - if someone beats you to it, just compare your results with theirs to see if you (or they) missed (or misinterpreted) anything. You can also post your own exploits, although that is more of a political hot potato.

Attending security conferences is a great way to learn, party with fellow hackers, and network (in every sense of the word). Much better is to speak at these conferences. This field changes rapidly so there are always new topics and technologies to discuss. You don't have to be a well-known expert with a long history - just learn your topic well and put in the effort for a quality presentation. You could present at Defcon, at one of the more commercial events, or at a smaller regional con like ToorCon, CodeCon, Hivercon, etc. Among other advantages (often free admission/travel/hotel), this is a great way to meet people with similar interests. I spoke at the latest CanSecWest and have submitted a proposal for the next Defcon.

Now that you've seen and understand a wide variety of software vulnerabilities from your Bugtraq research, start finding your own. You can start by downloading any PHP app from Sourceforge. Most of those are hopelessly vulnerable to Cross-Site-Scripting, SQL injection, and/or remote code execution by "remote include" directives. Many (if not most) Windows shareware daemons are also vulnerable to simple buffer overflows and format-string bugs. Notify the authors and then write an advisory. After a few of these "easy targets", try breaking some more widely deployed programs.

Write a security tool! I could list some suggestions, but by this point you will have many of your own ideas as to what is needed. Scratch an itch.

I hope this helps. If you want more suggestions, Ask Slashdot. From that story, I found this post particularly insightful, especially the emphasis on "people skills". I don't claim to have any, but understand the value :).

5) Have you ever been tempted to use your gifts...
by Tim_F

...in a negative manner?

Have you ever hacked into someone else's computer? Have you ever considered it? What would cause you to think of doing this? Would your tools (nmap, etc.) be enough to allow you to do this?

And if you haven't, why is that the case?

Fyodor

I never do script-kiddie style "hack any random vulnerable box on the Internet" cracking. But sometimes I will launch targeted attacks at specific companies. I'll usually start with just a web browser and various search engines to learn everything I can about my target. I need to understand what the company does, who it partners with, and whether it has any corporate siblings, subsidiaries, or parents. Beyond that, posts by individual employees can be a gold mine. Besides providing names and titles for social engineering and brute force password attacks, the IPs in the mail/news routing headers can be very valuable. One of the reasons I run my own mailing list archive is to maintain access to the raw mail folders which contain the routing info and X-no-archive posts that web archives strip out. Another advantage to locating employees is that you can send them trojan executable attachments, which can be a very effective way into the network.

Next I'll gather known IP network information on the companies via DNS, whois, regional registries like ARIN, routing info, Netcraft, etc. Then comes the scanning (I tend to use Nmap), application-probing, vulnerability discovery, and exploitation stages.

Of course, I only do this when the company is paying me to do so. Performing these pen-tests offers several advantages over blackhat activity:

  1. You don't go to jail (If you've worded your contract carefully.)
  2. Instead of having to keep your übertechniques secret to avoid prosecution, you get to demonstrate them to management.
  3. They actually pay you for this! And you are helping to protect them and the privacy of their customers.

Now some people might ask how you gain these skills without practicing on other networks first. Cheap hardware and the evolution of free UNIX operating systems have made this much easier than in the past. See the previous answer for some suggestions. And remember that you can always work together with friends, or participate in hacking contests like Defcon's Capture the Flag.

6) You'll have seen a lot of breakins.
by Hulver

During your time running Honeypots, you'll have seen a lot of compromised systems. Is there any incident that's really stuck in your mind because of the audacity of the attempt, or the stupidity of the person attempting the breakin.

Fyodor

On the humorous front, one attacker was was running a public webcam during his exploits, so we were able to watch him crack into our boxes in real time :). I will resist the urge to link a screenshot. His rough location was determined when we noticed Mrs. Doubtfire playing on his TV and correlated that with public schedule listings. He was working with a Pakistani group, but was actually on the US East Coast.

In the "disturbing audacity" front, this year we found that a group of crackers had broken into an ecommerce site and actually programmed an automated billing-sytem-to-IRC gateway. They could obtain or validate credit card numbers by simply querying the channel bot! Expect a more detailed writeup soon.

7) What makes a honey net enticing?
by cornice

It seems that many of the honey nets that the average hobbyist would run are built to attract a lesser cracker. What I mean is that ports are left open that normally would not be left open. Services are running that normally should not, etc. I think that a really smart fish would see this as nothing but a cheap lure and refuse the bait. Do you think it's possible to fool the really smart fish? Is is possible to bait with something enticing enough without tipping off the big fish? Does publication of your work make this task more difficult?

Fyodor

Excellent question, and I had many of the same concerns upon joining the project. Then I remembered that most of the attacks and real-world compromises are committed by these marginally skilled script kiddies. So there is still a lot of value in understanding their tools, tactics, and motives. Despite this apparent limitation, I have been surprised by some of the sophisticated things we have found. For example, the first known "in the wild" attack using the Solaris dtspcd vulnerability was caught by one of our honeynets and resulted in this CERT advisory. Then one of our Honeynet Alliance members had their Win2K honeypot compromised and joined into a botnet with 18,000 machines! Attackers on such a grand scale won't even know all of the companies they have compromised, much less whether any of the systems are honeynets.

I do believe baiting the "smart fish" might be possible, but I have never done this. Is not legally entrapment, as we aren't any sort of police force, but I am not very comfortable with the idea. If someone attacks my box that is just unobtrusively sitting on the network, I believe the attacker should have no expectation of privacy for his activities on the system. Things become more complex if I try to lure the attacker.

8) IPv6
by caluml

Do you think that with the very large address space of IPv6 that random scanning for a certain port will die off? (I notice nmap doesn't support random IPv6 address scanning - maybe you've already come to the same conclusion?) Simply put, the chances of finding a machine if it's not advertised anywhere will be very much reduced. Will this make people lazy and complacent, trusting on the large numbers involved to protect them?

Fyodor

Finding a machine by by pinging a completely random 128-bit address will probably never be effective. Fortunately, we won't have to! Nmap does not even do that for 32-bit IPv4 addresses - it is smart enough to skip huge blocks of address space that are unallocated or used for private (RFC1918, localhost) addresses. We will also see patterns emerge for IPv6. For example, they may often be allocated sequentially so that finding one leads to many others. I am waiting until adoption rises and we start seeing these patterns emerge before I can implement them appropriately in Nmap. Certain new DNS features may also prove useful for locating IPv6 machines and networks.

9) standalones and small home nets
by zogger

it seems like most of the emphasis is on enterprise networks, but that still leaves millions and millions of home machines and small home networks just stuck. What do you see as some of the trends and solutions for those people? Their data and system integrity is just as important to them as any corporations is, and usually not having the appropriate skill set, is even harder to implement.

Fyodor

I am afraid the focus by security companies on enterprise networks will continue, as that is where the money is. The good news is that securing small home networks is far easier. But that doesn't make it simple, nor mean that many people will bother. I would categorize the risks into 3 categories:

Traditional network server vulnerabilities: Your average home user doesn't need to run any network daemons or have any TCP/UDP ports open to the Internet. Most of the time they only have 1 IP, used either by a standalone PC or a NAT device (e.g. "broadband router") in front of their small network. This is a good configuration, as it limits what attackers can reach directly. But you need to be sure that the IP doesn't have any unnecessary ports open. You can verify this by running 'netstat' on the Windows or UNIX machine using the IP. I would also recommend confirming using a port scanner such as Nmap. Here are example commands:

nmap -p- -sS -T4 -v -O [your IP]
nmap -p- -sU -v [ your IP ]
The TCP and UDP scans could be combined into one execution, but are listed separately since the TCP scan may go much faster. Remote UDP scans are also less reliable against some heavily filtered hosts. You may have to rely on the netstat info or configuration details in this case.

Any open ports found should be evaluated with extreme prejudice. Unless clearly necessary, close Windows file sharing, external NAT device admin ports, and everything else found.

Don't forget the wireless backdoor! Blocking the Internet link from your private machines is insufficient if anyone can hop on your open WLAN and attack your machines. WEP isn't perfect, but the 104-bit (so-called 128-bit) version should at least keep people from accidentally connecting to your network or sniffing your data. Be sure to set a good password and upgrade to recent firmware for your WAP and other network devices.

Subscribe to the security advisory lists for all the operating systems (and devices, if available) you run. Major vendors such as RedHat, Debian, FreeBSD, Mandrake, and Microsoft all offer these. Most even offer automatic updates if you desire that.

Client vulnerabilities: Once you close the services you don't need (ideally all of them), client vulnerabilities must be addressed. Keeping your web browser and mail reader up-to-date is particularly crucial. Also harden them as much as possible. For example, IE is full of holes but at least has a good interface for site-by-site security policies (Tools -> Internet Options -> Security). Go through and neuter the "Internet zone" settings by disabling ActiveX and Java. In the rare case that sites need this, find an alternative site or add them to the trusted zone. If your are really serious about security, neuter "trusted sites" and "local intranet" privileges as well. Many recent IE vulnerabilities trick the browser into using the wrong zones. Consider using a different browser. Also configure your mailer to disregard HTML and JavaScript.

Remember to pay careful attention to security warnings, whether they come from IE, Mozilla, your ssh client, or anything else. Don't just click OK. And don't shoot yourself in the foot when configuring your apps. It is hard to entirely blame the vendor when users tell P2P apps or Windows filesharing to share their whole drive without any password. Failing to change default passwords or enable basic restrictions on X Window or FTP servers is only slightly more forgivable. All of these errors happen frequently! The apps/devices should be secure by default, but you have the ultimate responsibility for protecting your data.

Malware: This is what I consider the biggest problem on desktops: people running applications they can't trust. Email borne viruses, worms and trojans are an obvious example. Be very careful what you click on. Unfortunately, it is very difficult to know what to trust. Mail is trivial to forge, and even the "proper" installers for many P2P applications infest your computer with loads of invasive spyware. Even Intuit TurboTax was caught writing to customers' boot information track.

What can you do? My honest suggestion is to run peer-reviewed open source applications on a free OS such as Linux or FreeBSD. You still have to be careful, but these problems are far less prevalent on UNIX platforms, which also have better tools and procedures to deal with them.

What if dumping Windows is not an option? Run NT/2K/XP instead of Win9X/ME, and try to run everything you can as an unprivileged (non-administrator) user. Be extraordinarily careful about what you install and run, and make frequent backups. You might also want to look into a personal firewall such as Zone Alarm (limited free version.

10) What is your favourite tool?
by Noryungi

I have just read your top 75 security tools list. Thank you for posting all this information, which I am going to study very carefully.

One question though: in all these tools, which one is your personal favourite? (This excludes Nmap, of course).

Fyodor

I have far too many favorites among this great group to choose just one! But here are a few developers and tools that are particularly worthy of mention:

One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

Among SD's tools is John the Ripper, my longtime favorite local password hash cracker. It has been around forever, but was written with a flexible and powerful interface while keeping extensibility in mind. So it is still as useful in these days of shadowed password files and MD5/Blowfish hashes as it was back in the days of crypt() and unprotected /etc/passwd. Lately SD has been working on the Owl secure GNU/Linux distribution, which can be installed on disk for hardened systems like firewalls, or booted and run from CD as an easy way to run security tools such as John and Nmap.

Another of those "brilliant yet still nice" security developers is Dug Song. Even after the seminal "Insertion, Evasion, and Denial of Service" paper by Ptacek and Newsham, many IDS vendors continued to ignore the problem. When Doug released Fragrouter (now fragroute), which implements some of these attacks, vendors finally took notice! He has also written the excellent libdnet library, but my favorite of his tools is DSniff, a suite of tools for advanced network sniffing and "monkey-in-the-middle" attacks. It even handles ARP poisoning and other techniques for sniffing hosts on a switched LAN.

While I'm on this topic, let me also give "mad props" to the Hping2 packet prober, Kismet wireless stumbler, Ethereal packet decoder, Netcat, recent THC releases, Snort IDS, the Nessus vulnerability scanner, and all the other great Open Source tools out there!

I would also like to thank Slashdot for granting me this interview and to everyone who asked such excellent questions. I only wish I had time to answer more of them. Then again, I have probably rambled on enough. Now it is your turn to ramble in the comments :).

Cheers,
Fyodor

This discussion has been archived. No new comments can be posted.

Fyodor Answers Your Network Security Questions

Comments Filter:
  • how long? (Score:5, Interesting)

    by scubacuda (411898) <scubacuda@gm a i l . com> on Friday May 30, 2003 @11:45AM (#6077370)
    about once per 700,000 IPs

    Just curious. Anyone know how long that would take?

    I've used just about everyone scanning tool out there, but they've always been a relatively few addresses. (And I never really timed them)

    • Re:how long? (Score:2, Informative)

      by grub (11606)

      That depends a lot on what options you use. For instance using
      --max_parallelism <foo>
      can really increase your scan speed.
      man nmap
      is your friend. :)
    • by SavingPrivateNawak (563767) on Friday May 30, 2003 @12:02PM (#6077534)
      My question would have been more like "So, does this '1 in 700000' bug exist or not? Tell us WHO ARE YOU TRYING TO COVER, Mr Fyodor!!"

      Maybe I wouldn't say the last part after all...
    • Re:how long? (Score:4, Insightful)

      by gazbo (517111) on Friday May 30, 2003 @12:14PM (#6077650)
      Another question is how long it would take to realise that one of the questions [slashdot.org] modded to +5 and authored by a certain Egg Troll, is mysteriously missing.

      It is worth mentioning how much interest the question generated, how on-topic it was, and how significant it was.

      Oh, but it wasn't sycophantic enough, I guess. Jesus, why bother throwing the interview questions out to the users at all if they're going to be stripped of all but the most anodyne.

      • Re:how long? (Score:5, Insightful)

        by Ryan Amos (16972) on Friday May 30, 2003 @05:19PM (#6080610)
        Do you honestly think he would reply to such a question? He would more than likely deny the incident ever happened, get pissed off at slashdot readers, and generally get nowhere. Besides, bringing up every mistake this guy has made in the past gets nobody anywhere. I personally am glad slashdot didn't post said question. This is a tech site, not a gossip column. To post such a question would be irresponsible, pointless and plain wrong. Just because it's scandalous doesn't mean anyone cares.
      • Re:how long? (Score:3, Insightful)

        by evilviper (135110)
        Ahem, I believe it would have been left out for the utter lack of any evidence that the story is true.

        The only references ever posted are links to other slashdot posts that make the same claims... Of course, all of these /. posts are made by KNOWN TROLLS, and many even with "troll" in their username, just to make it clear.

        One post said the screenshots were posted to insecure.org. Why don't you hop on over to archive.org and find the archive of these screenshots? That would at least give you a shred of
    • If you don't know where to scan, it would take a while. On the other hand, how often do you just scan things totally at random? If they guy scans 700K IPs, he probably know where they are, or at least has a very good idea where to search.
  • Wow (Score:5, Insightful)

    by PaulGrimshaw (605950) <mail.paulgrimshaw@com> on Friday May 30, 2003 @11:46AM (#6077384) Homepage
    Thats one of the best interviews Ive read on /. and thats with only a passing interest in this area. Cool!
    • Re:Wow (Score:2, Insightful)

      by Salamanders (323277)
      Agreed... I know beans about security, and that was a damn fun read.
    • no kidding, but then thats what you get from someone so interested in the subject i guess.
    • I try to avoid posting "me, too" comments, but: me, too. This is the first /. article that I've actually hardcopied. Thanks to Fyodor for taking the time to prepare such great responses.
    • Ditto to that comment.

      I think one of the best parts of this interview was his detailed explanation of how to get experience and "break in" to this industry - I'm tempted to get started (there's a relevant course I may take in the last year of my degree concerning sysadmin & network programming, and this'd be a great primer).

      I'm impressed that this guy gave us that much of his time, and his thoughts. That's certainly the longest interview I've read here.

    • one of the best interviews Ive read on /.

      Absolutely. Full marks - great questions and WONDERFUL answers!

      I'm off now to clear my schedule for 12 months so I can implement all his suggestions.

    • --Agreed, this is one of /.'s best articles ever. Now for the newbie:

      HOWTO close certain ports on your Linux machine: (this is an example Debian/Knoppix installed-to-HD box)

      #### Cut+paste after these lines into /usr/local/bin/stopsvcs
      #### Don't forget to chmod u+x stopsvcs, run as root.

      #!/bin/sh
      # Close port 21:
      /etc/init.d/proftpd stop

      # Close all offered ports in /etc/inetd.conf:
      /etc/init.d/inetd stop

      # Close port 111:
      /etc/init.d/portmap stop

      #Close port 25:
      killall smail

      ps ax

      ##########

      1. Run the
  • There's a good writeup here [slashdot.org], but the gist is that Fyodor is not above r00ting the Windows box of someone who fooled him into thinking they were a linux chick.

    Don't mess with a black-hat's untapped sex drive, I guess. Still seems weird that we're looking at small-time black-hat scum as Intervew material.
    • by Anonymous Coward
      I guess it's clear that certain editors and usermods don't want this issue creeping into the discussion, but it's important. Would Consumer Reports let a car thief review cars?
    • Interesting... and he flat out denies that he would use his powers for evil.

      So who is lying here?
    • Pfft. (Score:3, Interesting)

      by Jetifi (188285)

      You're getting your panties in a twist about some asshat kid who was stupid enough to ''troll'' someone who knew how to get his own back.

      To be honest, I don't care. Some trolls can be really, really funny (the Adequacy crowd comes to mind), but I really don't give a fig what happens to juvenile, antisocial idiots who use the anonymity of the ''net to piss in the communal pool.

      • What does that say about somebody who will track down a kid and "own" his computer because he was pathetic enough to seek dates on Slashdot of all places, instead of oh...say...real life? Sounds like a complete twat and quite antisocial if you ask me.
    • This question keeps being asked, and with all the cached [trollaxor.com] content [trollaxor.com] on the web that points to this being legitmate, why doesn't Fyodor [slashdot.org] just post a simple comment about it and either deny it or come clean? What about someone at Slashdot who may have witnessed it?

      I'm really curious to know!
    • by glwtta (532858) on Friday May 30, 2003 @12:58PM (#6078090) Homepage
      From this point, he launched nmap against Sdem's box (he didn't have the money for a more effective port scanner) and was greeted with the holy grail of sorts for BlackHats

      I'm sorry, but a combination of overly grandiloquent (for lack of a better word) language and irrelevant cheap-shots is just the sort of thing that makes me not take a post seriously.

      Oh, and what exactly do you need to do to be "Interview material" for slashdot? Over and over I am amazed at these comments that seem to equate slashdot with some sort of relevant news-source - it's a bloody blog for geeks for gods sake. The interview was interesting, far more so than most of the stuff we see here (I am sure Marcelo Tosatti's character is far above that of this "black-hat scum" - anyone remember his fascinating interview?), and quite frankly that's enough for me.

    • That was so funny, when Fyodor hacked that guy. I still have the screenshots he posted to insecure.org!

      Stupid troll! Fyodor, keep up the good work, maybe if you hack all the trolls and wipe their hard drives, Slashdot won't have so many goat-gross out links and stuff!
    • I still have a copy of this [trollaxor.com] lying around, funniest thing I ever saw!

      Note to Slashdot readers: Fyodor is on the prowl! You want to post http://goatse.cx (DO NOT CLICK) gross-out links to Slashdot? Fyodor is our head of security and if you fuck with us he's gonna hack your machine and delete your fucking hard drive.

      That should teach you little fuckers some manners!
    • nice TROLL (Score:2, Insightful)

      by ph0t0n (675998)

      Hi Krog,

      Congratulations - this troll got modded much higher than your last one [slashdot.org]. Your astroturfing has also been effective. I like how Bold Marauder [slashdot.org] (impressive trolling history) both posted in this thread a request to "mod the parent up" [slashdot.org] and also posted a similar request [slashdot.org] to the Trolltalk forum.

      Your posts all get modded as trolls because they are, not because the Slashdot editors and interview subjects are part of a massive conspiracy. I like how the troll journal to you linked to says these people ar

      • I don't know anything about whether any of this is illegal or not, but I just wanted to say that I saw Fyodor's page on www.insecure.org where he hacked that guy, and it looked exactly like this [trollaxor.com]. So, it really happened, though I don't know about it being illegal or maybe even trolling or whatever.

        I think it was kind of funny to see what trolls really do in their "spare time". (-:

        -Hanna
    • I'm still waiting for Captain Crunch's interview responses to the fact that he likes to get raver boys stoned out of their gourds and then fuck them in the ass.

      Aaah, who am I kidding. The raverbois enjoyed every minute of it.

    • The victim has commented on this happening elsewhere in the discussion [slashdot.org] (currently at -1). It's true that sdem was not exactly the smartest of trolls, and trolls can be annoying, but to suggest that as a justification of Fyodor's criminal acts is simply ludicrous.
    • by fv (95460) * <fyodor@insecure.org> on Friday May 30, 2003 @04:24PM (#6080152) Homepage
      > Still seems weird that we're looking at small-time black-hat scum as
      > Intervew material

      I know that the best approach is to ignore you trolls, even as your slander becomes more and more outrageous. I will admit that I did some trolling of the trolls last year. Big mistake - they have much more of an appetite and time for this than I do. It has been a year and they still continue to write new stories that are more and more absurd. Perhaps I should be flattered that they consider me so important. The troll journal you linked accuses me of "illegally penetrating computers across state lines" and that "Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected". Another page [geocities.com] includes a fake interview with me, a fake Nmap bug, and notes that I have been "pushing crystal meth on the street for a few months." It has also been said that I am "obviously a terrorist [insecure.org]" and that Nmap "is spyware to spy on the american people [insecure.org]". So I have learned to deal with abusive criticism. Another Slashdot journal currently says "Fyodor is ... a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!" Even I couldn't help but chuckle at that one :). Replying is useless, since the trolls are just looking for attention and care nothing of accuracy. But I will make a few points lest anyone else take the trolls seriously:

      • I am not a terrorist, and have never sold drugs.
      • I did not actually break into any troll boxes, although I did imply that in a misguided attempts to use some of their trolling rhetorical devices against them. I stand by my posting history [slashdot.org].
      • Much of the content in the journal you posted is an outright fabrication and the lies and accusations change by the minute! This (currently score 5) post [slashdot.org] quotes text that I saw in this journal an hour ago. Now it is gone, and many other changes have been made as well. Be careful of linking to Troll journals, or they may turn into goatse links.
      • Some of his lies are self-evident. How could he possibly know much of this stuff, such as that I submitted this as a Slashdot story? I have never submitted any story whatsoever to Slashdot. If there is some sort of public interface to the submission queue that I am unaware of, please post it. You will not find any submissions from me. Note that these [slashdot.org] were all submitted by other people.
      • I have not been "advised by legal counsel not to speak about it in public." If I was to speak with lawyers, it would be about their slander campaign. But they aren't even close to being worth the effort.
      • They claim I hacked a troll named Sdem who is a member [trollaxor.com] of Trollaxor.Com. That page currently admits that he has moved on to harassing other security folks - he is now impersonating Theo de Raadt [slashdot.org], the leader of OpenBSD.

      I could go on, but I have a much more important project to work on today. I won't post further on this troll topic, no matter how much you trolls slander and attack me in your journals and replies to this post. And don't bother posting "YHBT," I know. Hopefully Slashdot moderation will eventually catch up with your games and we can focus on interesting security subjects rather than troll gossip and manufactured scandals.

      Cheers,
      -Fyodor

      • Just to clarify... (Score:3, Interesting)

        by sllort (442574)
        As the author of the journal you're discussing, I feel obligated to reply. That's quite a rebuttal, but you skipped over the question at hand:

        Did you hack, or were you involved in breaking into, sdem's box? (y/n)
        Did you post these comments [trollaxor.com] bragging about it? (y/n)
        Did you post this web page [trollaxor.com] to your site, insecure.org? (y/n)

        You've written a whole lot there, I think what everyone would actually like to see is a simple yes or no answer. I'm sorry if you feel I've slandered you, and I promise if you honestly a
      • "I did not actually break into any troll boxes"


        I don't understand. I saw that hack archive you posted to your web site, insecure.org, in August. You had that whole "day in the life of a slashdot troll" with screenshots proving you'd broken in, even listing his real name and address. Now, at the time, I was rather proud of you, but... how did you post that hack archive to your web site if you didn't hack his box?

        I'm confused!
      • Dude, I don't know how you posted those screenshots of that troll's computer to your web site without hacking into his box, but that makes you even more awesome. Did you sneak into his dorm room and use your digital camera to take pictures of his monitor? I have NO idea how you did it, but I just wanted to say that when I saw your "Troll Hunting 101" page on insecure.org, I became your biggest fan - you put the trolls in their place.

        Thanks for a great interview, a great response, and a great tool! You rule
      • I know that the best approach is to ignore you trolls, even as your slander becomes more and more outrageous.

        Slander? Fyodor, Slander is an untrue statement made to defame. You posted a page to your web site which said "I hacked into this troll's computer" and you posted screenshots to prove it! I witnessed it!

        How could repeating this be slander?
      • Let's stick to the facts here and contrast two statements made by Mr. Fyodor (one posted to his domain, insecure.org [insecure.org] on 8/16/2002, and one posted to slashdot.org on 5/30/2003).

        First, the quote from today:

        I did not actually break into any troll boxes, although I did imply that in a misguided attempts to use some of their trolling rhetorical devices against them.

        And now, the quote from yesteryear [trollaxor.com]:

        Incidently, Sdem is also incompetent at securing his computer. That is a glaring deficiency for someone wh

      • by sting3r (519844) on Friday May 30, 2003 @05:54PM (#6080914) Homepage
        This incident raises some good points about whether or not there is a time and place for net.vigilantism. Clearly the perp behind this "linuxcsbabe" sham was guilty and deserved what he got. I can't imagine how anyone here could deny smiling as they read Fyodor's narrative about how he took over this internet troll's computer and made this sad teenager atone for his misdeeds. But the whole incident opens a Pandora's box, leaving us with many questions to ponder regarding this type of activity.

        • Who should take the law into their own hands? Obviously, a security expert such as Fyodor is unlikely to misidentify his aggressor. But there is a fine line between trusting somebody like Fyodor to take appropriate measures, and trusting an average sysadmin who has read some books on security but is prone to make mistakes. How can we juxtapose our need for justice with our need to make sure we punish the right person?
        • Are we hypocrites for denying the RIAA the right to punish those who steal from them? Certainly most of the Slashdot crowd will agree that the RIAA has no right to invade our computers looking for stolen music. Most of us would also agree that what Fyodor did was justified (and even humourous). But we need to ask ourselves: what is the distinction between the two behavioral patterns? Where do we draw the line?
        • Who is accountable? As we can see from this incident, Fyodor did indeed break the law almost a year ago, but he has not been prosecuted for it. Most of us would agree that he shouldn't have been - but technically, his troll-busting activities were illegal. Should these sorts of hacks be legalized or decriminalized under certain circumstances so that an honest, hard-working open source luminary (like Fyodor, Linus, or anyone else who commands respect in our community) does not need to fear the consequences of the actions they take to defend their networks?
        • by Osty (16825) on Friday May 30, 2003 @07:31PM (#6081531)

          Who should take the law into their own hands? Obviously, a security expert such as Fyodor is unlikely to misidentify his aggressor. But there is a fine line between trusting somebody like Fyodor to take appropriate measures, and trusting an average sysadmin who has read some books on security but is prone to make mistakes. How can we juxtapose our need for justice with our need to make sure we punish the right person?

          Law enforcement are the only ones who should enforce the law. It's not your duty or mine. Fyodor is just as human as anyone else, and is prone to make mistakes. Why is he more trusted than someone else? Because he wrote nmap? Bullshit. Batman et al are comic book characters. They're not real. Real-life vigilantes get in trouble.


          Are we hypocrites for denying the RIAA the right to punish those who steal from them? Certainly most of the Slashdot crowd will agree that the RIAA has no right to invade our computers looking for stolen music. Most of us would also agree that what Fyodor did was justified (and even humourous). But we need to ask ourselves: what is the distinction between the two behavioral patterns? Where do we draw the line?

          Yes, you're a hypocrite. How can you even consider this without laughing? If you're going to tell the RIAA that they can't do something (hack into someone's machine), what gives you the right to do it yourself? And if you do it yourself, where do you get off telling the RIAA they can't? There is no line to be drawn. Either it's legal or it's illegal.


          Who is accountable? As we can see from this incident, Fyodor did indeed break the law almost a year ago, but he has not been prosecuted for it. Most of us would agree that he shouldn't have been - but technically, his troll-busting activities were illegal. Should these sorts of hacks be legalized or decriminalized under certain circumstances so that an honest, hard-working open source luminary (like Fyodor, Linus, or anyone else who commands respect in our community) does not need to fear the consequences of the actions they take to defend their networks?

          I disagree. Fyodor should certainly be prosecuted. That he hasn't been does not make him any less guilty (and until the statute of limitation expires on this, he can be brought in and tried at any time). And as for legalizing these attacks, see above. You can't legalize it for Fyodor or Linus or someone you approve of but make it illegal for someone else like the RIAA. Either it's legal, in which case everyone could do it with impunity, or it's illegal and anyone who does it can be prosecuted (whether they are or not is not the point).


          In short, you're full of bullshit. You can't have your cake and eat it to. By supporting Fyodor's actions, you're no better than Fyodor himself.

      • "Fyodor is ... a depraved, insidious hacker hell-bent on criminal intrusions into systems owned by minors!"

        I'm sorry sir, but I do have to ask:

        Is user 95460 the real Fyodor Vaskovich?

        (ducks)

        JB
      • by sulli (195030) *
        Just admit you're a Black Hat, or at least a Charcoal-Grey Hat with a Black Silk Lining.

        I saw the screenshots on insecure.org back in August, and frankly I thought the incident was hilarious. I still think it's hilarious. Did you bite the obvious troll hook, line, and sinker? Yes. Did sdem deserve contra-harassment for his snookering of you? Probably. Did he deserve to have his personal info out for all to see? No. Will this whole thing blow over if you just fess up? Survey says yes.

        Of course it

  • by stanmann (602645) on Friday May 30, 2003 @11:49AM (#6077409) Journal
    The smart fish have either gone straight, or choose their targets so carefully that even if/when caught, the target is too humiliated or vulnerable to the information acquired that no charges can be filed.
  • by scubacuda (411898) <scubacuda@gm a i l . com> on Friday May 30, 2003 @11:51AM (#6077437)
    You compared Nmap to P2P tools in having a "negative stigma". In both cases, one effective way to fight the stigma is to limit your own use to "legitimate" purposes. Use BitTorrent to download RedHat ISOs, but not Matrix Reloaded. Use Nmap to secure and monitor your computers, but not to attack other networks. And if you decide to attack other networks anyway, please be courteous and set the evil bit.

    Yeah...I'm sure that all the people who submitted pics of Trinity's use of nmap did so without using BitTorrent to pirate Matrix Reloaded.

  • My Question (Score:5, Interesting)

    by rwiedower (572254) on Friday May 30, 2003 @12:03PM (#6077536) Homepage
    One of the people I most admire in the security field is Solar Designer. He is a guru in networking, security, and low level kernel/assembly/architecture details. He has also created many tools that security professionals use daily. Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community.

    Who exactly are the "stars" of the security community? Clearly, I'm not geeky enough to know...but I'd be interested if someone actually does know the "top 10 cool security stars".

    • by SuperDuG (134989) <beNO@SPAMeclec.tk> on Friday May 30, 2003 @12:48PM (#6077968) Homepage Journal
      The Top 10 Security Stars ...

      10. Kevin (you know ... Free Kevin)
      9. Trinity & Crash Override(fictional, but hot)
      8. Attrition Group
      7. L0pth/@Stake (I think they're corperate now)
      6. cDc (Cult of the Dead Cow)
      5. eEye (should see some of the things they do)
      4. Publishers of Bug Traq
      3. OpenBSD
      2. The guy no one knows because he's that good
      1. Go to DefCon and find out for yourself.

      I know some of these are a bit "old skool" but when I think security, this is what I think.

      • Maybe I'd add
        rainforest puppy and
        goobles (they are fruckin funny).

        • goobles (they are fruckin funny).

          True, but that would put them (probably as #1) on the top 10 computer security 'jesters', not this list.
          • Yeah, I should have written "btw. they are fuckin funny". Oh, and that I mistyped the name doesn't add to the sense of my post.

      • Since they were talking about "start" I suppose Theo de Raadt should be on the list instead of OpenBSD... Come to think of it, he is a "security guy" I've heard a lot about even though I don't have much dealings in the particular field.
        • A good security guy he is, but I don't think he would be on the top-10 alone. Much of the security in OpenBSD is due to other primary members of the OpenBSD team. PF, Systrace, etc. Neither were written by him, but by other members of the OpenBSD team. Each has a few pieces of his code, but not a lot.

          To a lesser extent, the same is true of OpenSSH. Hey does code some of it, but the large majority is done by others.
    • I can tell you, but then I have to kill you on reasons of National Security A-Somethings ...

      Damn, already said to much.

    • Re:My Question (Score:5, Informative)

      by graf0z (464763) on Friday May 30, 2003 @02:25PM (#6078988)
      Fyodor: Yet he never exhibits the arrogance, elitism, and egotism that sadly characterizes so many "stars" of the security community

      rwiedower: Who exactly are the "stars" of the security community?

      Some of them (in random order) are (most of them have achieved _much_ more than the supplied example):
      • Solar Designer (eg. OpenWall)
      • Dug Song (eg. dsniff)
      • Bruce Schneier (eg. couterpane), Niels Ferguson (eg. twofish)
      • Rivest, Shamir, Aldeman (RSA), Diffie, Rabin and all the other grandfathers of crypto
      • Niels Provos (eg openssh)
      • Theo DeRaadt & the OpenBSD-team
      • Wietse Venema (eg postfix, satan)
      • Daniel J. Bernstein ("DJB") (eg qmail, djbdns)
      • Ian Goldberg, Ross Anderson (eg. GSM-hack)
      • bugtraq & the masters of full disclosure (eg. aleph1)
      • Cypherpunks, cDc, team-teso, l0hpt, CCC, packetstorm, contributers of phrack-mag...
      • Neal Stevenson ;-)
      ... and all those i've forgotten. Some of these guru's are quite unpleasent in discussions. Google for postings of Theo or DJB for examples.
  • by mblase (200735) on Friday May 30, 2003 @12:03PM (#6077538)
    The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first.

    This is so obvious, I can't believe it needed to be said. And yet it does, because Geeks Like Us usually assume that other people Just Wouldn't Understand. The difference between extortion and contracting for services is that one does the job before asking for money, the other asks for money and then does the job. And this isn't very different.

    There are a zillion dangerous uses of a detectable port scan, and a zillion legitimate ones. The best way to make sure your legitimate uses are understood is to tell people what you're doing before you do it. Incidentally, this also goes for copying someone else's original works, buying dangerous substances at the hardware store, and the like. Yet I'm surprised at how few people bother (er, myself included).

    It's just courtesy, really. Keep it in mind.
    • Ahem. So assume a nice guy is going to port scan you; he calls up: "hey, I'm going to portscan your network, I'm so and so from such and such."

      What would a bad guy do?
      "hey, I'm going to portscan your network, I'm so and so from such and such" [lie]

      The sys admin on the other end of the phone isn't going to know the difference, or behave any differently.

      • The nice guy isn't going to just call. They're going to meet with management, sign contracts and agreements, define the scope of their investigations and then keep management in the loop. I would hope that most admins would not just blindly ignore an attack just because some random person called saying they were going to do some scanning.
    • I find it far easier to just accept that hey, I'm on the Internet, and someone from China can scan my ports. Even if they did warn me, I do not speak Chinese of any form.

      I can take steps to protect my servers (like, say, not putting them on the Internet, except for a few secured front-ends), so it's not a big deal.
    • by Strange Ranger (454494) on Friday May 30, 2003 @03:32PM (#6079692)
      Get permission before I do something suspicious?

      I disagree. I should only have to get permission before doing something that would otherwise be illicit. Suspicious is a far cry from illicit. If I'm sneaking through the forest on public ground with a gun do I need to carry a banner that says "I'm here to shoot deer, not people"? That would be ridiculous. Unless you actually break in somewhere the internet is a public place. Port scanning is a walk through the neighborhood. If I'm driving a candy apple red ferrari (suspicious) do I need get permission to take it on the road first and promise that I won't speed? Innocent until proven guilty is more than just a legal convention. It's common courtesy, and it's convenient. Getting permission to do every single benign yet possibly suspicious activity is inconvenient to the point of being debilitating.

      Not to mention that whole attitude scares me to no end. I already have to "Get Permission" and prove I'm not a terrorist every damn morning before I'm allowed to go up the elevator to do the job they pay me for. What next? Checkpoints at major intersections to prove we're not carrying bombs? Next thing you know they'll be violating people's rights, holding suspicious people in prison without trial without pressing charges. Oh wait, they're already doing that.

      This whole call-the-cops first and ask questions later scheme is getting frightening. I feel like I need a T-shirt that says "I'm not doing anything whatsoever that is illegal. I specifically plan to do nothing whatsoever that is even remotely illegal. If you deem my actions suspicous for any reason, you just don't have all the facts. Relax".

      Or maybe it's more practical if we all just spend an hour every morning getting permission for every single thing we're going to do that day?

      Hogwash. Just because someone stops to check out your fancy place, window shop, or see if your roof needs work (maybe leave you a flyer) doesn't mean they're casing the joint. When your security system involves hunting down (and usually trying to prosecute) those who merely seem suspicious, then you are the intrusive one who has stepped over the line. This is true whether you're a sysadmin or Uncle Sam.
      • I couldn't agree more, especially with the last paragraph.
      • This whole call-the-cops first and ask questions later scheme is getting frightening. I feel like I need a T-shirt that says "I'm not doing anything whatsoever that is illegal. I specifically plan to do nothing whatsoever that is even remotely illegal. If you deem my actions suspicous for any reason, you just don't have all the facts. Relax".

        I think I need that T-shirt too.

        Where can I order one? I checked CopyLeft and ThinkGeek, but they don't stock

    • The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first.

      Honestly, I'd say the safest thing to do is not perform the scan at all. Yes you "should be able to" and no you're "not doing anything wrong", but such is life. If it's not your machine don't scan it. And sometimes, even if it is your machine and its not your network don't scan it across the network, get off your ass and go to the other building/room/whatever. This co
  • They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years.

    Hmmm - I can't help but think that maybe you shouldn't have mentioned that. Statements like that are exactly the kind of thing that people wanting to make security tools illegal are going to look for.
  • I always thought... (Score:2, Interesting)

    by unixbugs (654234)
    ...that if nmap had the functionality of, say, ethereal, built in, we'd all have a really good tool to audit every machine from here to Mars. True though how *nix has all of these tools for dealing with I/O between processes, it would still be nice to have the single ULTIMATE security auditing/IDS/educational user interface that could do some learning of its own and ask for input on-the-fly from the user as to enhance its ability to guess OS's and count boxen behind NAT, among other things. Or maybe I'll j
    • if nmap had the functionality of, say, ethereal, built in, we'd all have a really good tool to audit every machine from here to Mars.

      You have the code, make it happen! :-) Or, start a SourceForge project to make it happen. I'd love to have something like that, and I know C, so count me in.
  • not trinity (Score:5, Insightful)

    by akb (39826) on Friday May 30, 2003 @12:26PM (#6077740)
    Sorry to focus on this but after rewatching the nmap scene a few times after ... um obtaining Reloaded, it doesn't look to me like Trinity herself uses nmap. It looks to me like the woman before her (the one that was working on the computer, whose ship got blown up, and said "almost there") was the one that actually rooted the machine. It looked like Trinity just sat down, looked at the screen and typed in the password that the 'sploit had set.
    • I only saw it once...

      1) nmap - locate machine
      2) sshnuke - exploit buggy ssh daemon
      3) login and shutdown - save Neo's arse

      I think the nmapping had already been done, but Trinity used the sshnuke program and then shut down the machine.

      You'd think the Agents would have patched their server, really...

  • by jasondlee (70657) on Friday May 30, 2003 @12:54PM (#6078046)
    Fyoder didn't just toss off a few words, but put some real time and energy into his answers.

    Obviously, Fyoder hasn't read the Captain Kirk book on /. interviews...

    jason
  • by TheLastUser (550621) on Friday May 30, 2003 @01:47PM (#6078610)
    Start a free shell hosting server. Just do it on a server where you don't get charged for bandwidth.

    Then practice your skills trying to prevent your users from exploiting your, and other, servers.
  • I really admire Fyodor , and his capable mind, but I have a couple of comments:

    1) The -D option in nmap used to launch decoy scans while a real scan is being done, by spoofing the source
    address of legitimate servers and mixing these bogus scans with the real port scan. The target system will respond to the spoofed addresses and the real port scan.

    2) "But sometimes I will launch targeted attacks at specific companies"

    May some one please tell me what do these two points imply?? /*Why is there a penguin on
    • If you look a few lines below your second quote you will see:

      "Of course, I only do this when the company is paying me to do so."

      So he targets specific companies when he has a contract. So why does he have to hide with the -D option. I dunno, maybe he just wants to re-create a real attack scenario.

      In many years developing software in corporate settings, I have seen many bugs (not just security related) not being found before production release. Many companies shy away from rigorous testing procedures b

      • So he targets specific companies when he has a contract. So why does he have to hide with the -D option. I dunno, maybe he just wants to re-create a real attack scenario.

        Because a scan is usually just one of the first stages of a penetration test. It's basic reconnaissance. If he makes it too easy for the company it's hardly worth what they're paying for.

  • Thanks for answering my question, and doing it in depth, on behalf of all the "little guys" out here. I'm going to let this thread develop for a couple of days then save the entire thing.
  • by Spyder (15137) on Friday May 30, 2003 @03:28PM (#6079658)
    While I have enormous respect for Fyodor, and all he said was good stuff, but I think he left a few things out.

    OS security: Tear apart the bastille scripts and take a good look at the NSA Windows Security Guidelines, at the very least. He suggests to us to use whatever we can in a less privilaged context, but many OSs are very permissive out of the box.

    Network architcture: While Practical Unix and Internet Security is an excellent book, understanding networking components and security devices can be implemented in very complex systems. Understanding architecture is very important to the netwrok security white hat, and it's the piece as a BS/CS you get the least exposure to. I would suggest a reasonable understanding of the CCNP study materials, you may not need to design it, but you have teo understand it. Know the differences between the popular firewall vendors, maybe see if you can get one to play on.

    Encryption: As a BS/CS you likely have been exposed to some cryptography. For those that don't know the alogrithims, sync vs async, what a hash is, fixed vs variable key length cyphers, read Secrets and Lies or Practical Cryptography to get an idea of the issues. Once you know cryptography, get to know some PKI methods, understand the NSA certificate class definitions.

    Security Policies: If you expect to be working in an enterprise environment, oyu may want to familierize yourself with enterprise level securit policies like IOS 17799 and GASSP, and for healthcare related things, HIPAA. Many large insititutions use these as templates for their security policies and standards, talking the same language will help on many levels.

    Knowing the 'spliots is great, and being able to roll your own is sorely missing in a number of enterprise security orginizations. Problem is being a kept white hat isn't only pen testing, it's policy, architecture review, user information, and incedent response.

    I think the industry needs more hands on, internet age people. A large number of security pros now come from intellignce or military systems backgrounds. Internet security is a different enviornment, and what we have to offer is valuble.

    Good Luck,
  • by Robin Hood (1507) on Friday May 30, 2003 @05:08PM (#6080530) Homepage
    Then there are a small handful of users who detect problems nobody else would ever notice, like 4 byte/host memory leaks. They send me error messages with notes saying the bug happens "about once per 700,000 IPs". I have no idea what these guys are up to, but some have been sending me this kind of mail for years. They can't be spammers, as they are intelligent and also use more sophisticated scan techniques than you would need to just find SMTP servers.

    Isn't it obvious? They work for the NSA, of course! :-)

  • Hacking 101 (Score:4, Interesting)

    by stm2 (141831) <sbassi@genesdigita[ ].com ['les' in gap]> on Friday May 30, 2003 @11:12PM (#6082491) Homepage Journal
    I think this interview is the best ever published on /. It could be used to replace all outdated "hacking tutorials" that are floating around the net for years. I'm tired of reading how to built a now useless bluebox and old hacking techniques.
    I will point to this article to anybody who ask me how to start in computer security.
  • Port scanning (Score:3, Interesting)

    by Mark Bainter (2222) on Friday May 30, 2003 @11:19PM (#6082519)
    Now I'll admit that I don't always obtain explicit permission before scanning other networks. I don't believe (but IANAL) that a simple port/OS scan of a remote system is or should be illegal. Any machine connected to the Internet will be scanned so often that most admins ignore such "white noise" anyhow. But scan other networks often enough, and someone will eventually complain. So my advice would be:

    I would have to agree. I see scans all the time, and I tend to ignore most of the alerts when they come on their own. Getting scanned is a reality of being connected.

    However, if I get repeated scans from the same IP segment I know it's not a general scan. At that point they get dumped into the firewall drop table for awhile.

    The other exception is when I get scan alerts together with alerts for IDS matches. But these two account for a small number of incidents. Probably 90% at least of the scans I see hit and move on. Most are pretty focused scans as well, and don't exhaustively probe my network.

    I'm not sure I agree that a smaller focused scan will always draw less attention. For example, I always pay attention when I see probes across my network looking for open MS SQL Server ports. ;-) But, yeah, that's probably one of the exceptions that proves the rule.

There's a whole WORLD in a mud puddle! -- Doug Clifford

Working...