[ISN] Interview: Fyodor

InfoSec News isn at c4i.org
Mon Oct 17 00:04:23 EDT 2005


http://www.whitedust.net/article/41/Interview:_Fyodor/

By Mark Hinge and Peter Prickett
17 Oct 2005 

WD> What first drew you into the world of computing?

My father is a hobbyist programmer, so I grew up with computers. In 
the early days I used an Apple ][ and Vic-20. By the time I really 
learned how to program, we had a PC XT. I thought DOS was cool, so 
UNIX really blew my mind when I discovered it in high school. That was 
where I got into security, too, as my friend David and I had shell 
accounts on the same ISP and would continually hack each others' 
accounts :).

WD> Why did you create Nmap? [1]

In The Cathedral and the Bazaar [2], Eric Raymond notes that 'every
good work of software starts by scratching a developer's personal
itch.' That was certainly my motivation for creating Nmap. I had a
whole directory of scanners, including Julian Assange's Strobe, the
reflscan SYN scanner, the UDP scanner from SATAN, a FIN scanner from
Uriel Maimon, and many more. They all have very different options and
limitations. I would want to use one scanner with an option from
another. So initially I made my own modified versions of each scanner.  
Eventually, I decided the best approach was to create my own scanner
from scratch. It would support all of the major scan types while being
fast and efficient against large networks. Thus, Nmap was born. I used
it myself for a while, and then released it to the public in a 1997
Phrack Article [3]. I hoped people would find it useful, but
considered the project 'done' at that point and was ready to move onto
new things. So much for that! I was overwhelmed with the response to
Nmap, with so many people sending improvements that I released a new
version. That cycle has continued for more than 8 years now :).

WD> Have you ever been concerned that Nmap is used for blackhat 
purposes?

I doubt that Nmap has ever been used for blackhat purposes. OK, maybe 
once or twice :). But seriously -- there is no way I can write a 
program that allows you to audit your own networks for security risks 
without also enabling bad guys to do the same. And trying to limit 
distribution to only 'good guys' is a lost cause.

I believe that on balance, Nmap is a major net benefit to Internet 
security. If that ever becomes untrue, I will cease development. 
Another tool I have written is an advanced denial of service utility 
named Ndos, which I have used effectively to briefly disable the web 
presence of major corporations (at their request and under controlled 
circumstances). I have not publicly released Ndos because I fear that 
it would be used more for abuse than for constructive purposes.

WD> Your most famous piece of software is, obviously, Nmap. What over 
pieces of software have you created? How successful have they been?

I used to work for an Internet startup company, which was purchased by 
Netscape, which was then purchased by AOL, which then merged with Time 
Warner. Phew! I created (and helped create) a number of popular online 
applications during that period, though none are really relevant to 
the security community.

Most of the time I write something new, I try to architect it so that
it fits into Nmap. For example, OS detection [4] and version detection
[5] could easily be standalone applications, but I decided to build
them into Nmap instead.

This summer, Google generously agreed to sponsor 10 student Nmap
developers [6] as part of their Summer of Code program. One of the
most exciting projects is Ncat by Chris Gibson. This is a reinvention
of Ncat with cool features such as IPv6, better portability and
documentation, connection encryption and authentication, inetd-like
capability to spawn multiple concurrent applications, connection
redirection, and more. One neat feature is connection brokering, which
allows multiple hosts behind NAT gateways to communicate with each
other through a centralized Ncat server. It shares a lot of code I
wrote for Nmap, including the Nsock and Nbase portable networking
libraries.

Other interesting Summer of Code projects include:

* Doug Hoyte nearly tripled the size of the version detection database 
  and added OS/device type/hostname detection to the system. The 
  database now contains about 3,000 entries for more than 350 service 
  protocols (X11, SNMP, SMTP, etc.) 

* Zhao Lei added more than 350 OS detection fingerprints to Nmap [7], 
  bringing the total to 1684. He also helped design a 2nd generation 
  OS detection (stack fingerprinting) system 

* Adriano Monteiro designed and implemented an advanced Nmap GUI and 
  results viewer named UMIT [8] (screenshots) [9]. 

* Ole Morten Grodaas designed and implemented another advanced Nmap 
  GUI and results viewer (its nice to have choices in open source!) 
  named NmapGUI. Further details and download links are here) [10]. 
  It is worth noting that these GUIs aren't simple wrapper scripts 
  for people who have trouble remembering Nmap command-line options. 
  They offer powerful features for visualizing and searching large 
  scan results. 

While the program is over, all of these developers have continued
active development to improve their projects, which aren't yet fully
polished and debugged. People interested in helping with development
and testing of these or any other Nmap-related projects are encouraged
to join the nmap-dev [11] (high volume, unmoderated) and nmap-hackers
[12] (low volume announcements) lists.

WD> How long did Exploit World [13] run for? What were it's aims? What 
caused it to come to an end?

I launched Exploit World in 1995 and updated it regularly until the 
summer of 1998. The aim was to catalog vulnerabilities in a 
full-disclosure manner that includes bug details and even exploits. 
This was another 'scratch an itch' project -- I kept such a database 
for my own purposes anyway, so I decided to put it up online so 
everyone could benefit from it. While the exploits are all ancient, 
the site is still pretty popular because it is the first Google hit 
for various phrases such as 'ping of death'.

The problem, as so many exploit and vulnerability archives have 
learned over the years, is that maintenance is hard and tedious work. 
As the Nmap project grew to take up most of my time, I lost the 
motivation to continue with Exploit World. Plus, there were other good 
archives by that point in time and so redirecting the effort to Nmap 
was more useful.

WD> We have been asking the question is hacking an art or a science? 
What is your opinion?

The question makes it sounds like these are exclusive. Science can be 
creative and beautiful like art. Also, the term 'hacking' is 
overburdened with meanings. But I'll try to answer anyway. I consider 
programming and vulnerability research and exploitation to be more 
science/engineering than art. You are drawing upon a large base of 
knowledge and using a methodology to achieve a desired practical and 
verifiable result (such as busting root). That is not to say that 
hacking is pure methodology that could be reproduced by a robot or 
shell script. True breakthroughs usually require great creativity. But 
this also is true of biology, chemistry and just about any other 
science. My major in college was molecular and cellular biology until 
I switched it to computer science, and there were many parallels.

WD> On your site you claim 'there are aspects of the hacker community 
that disgust me', can you give us examples?

I hate to see people out there causing wanton damage just for 
attention. Compromising some school network just so that you can 
delete their web pages and post some self-aggrandizing rant about how 
skilled you are and how dumb the admin must be does not help make the 
world a better place. Such antics won't impress anyone worth 
impressing either. Illegal activity motivated by money is at least as 
bad. I hate to see security tools and information misused for 
spamming, propagating worms, extortion, etc. One of the Google SoC 
applicants listed on his resume that 'I am the leader of small 
programming band that developes ... email retrive application (from 
sites, newsgroups, brut force selection) for spam distribution'. WTF? 
Since when is that something to be proud of? I'm not saying that these 
people are part of the hacker community per se, but they are often 
using some of our tools and techniques.

While conducting illegal/hurtful activity for money makes my blood 
boil, I'm not anti-capitalist. Sourcefire was recently acquired for 
$225,000,000, and I say good for them! Especially if they keep their 
commitment to continue GPL Snort development.

WD> How do you feel about Tenable's announcement [14] that Nessus 3
will be closed source?

I am disappointed by that move, as I feel that source code
availability is critical for trusting important security tools.  
Nessus' open source nature was one of its biggest advantages over a
myriad of commercial competitors.  Heck -- their official slogan was
'the open-source vulnerability scanner' until this month. This leaves
a vacuum in the security community for a new open source vulnerability
scanner (or fork of Nessus 2.2). Several groups (Gnessus, Sussen,
Porz-Wahn [15]) have stepped up to the plate in launching these forks,
and I hope that at least one of them succeeds.

One of Tenable's justifications for closing the Nessus source was that
few people contributed. It is easy to take the open source tools we
depend on for granted, and forget that open source is a two way
street. The bazaar software model doesn't work so well with everyone
taking and not contributing back. In my Nessus response [16], I
suggest a few ways that programmers and non-programmers can support
projects they use and enjoy. Rather than mope over the loss of open
source Nessus, we can treat this as a call to action and a reminder
not to take valuable open source software such as Ethereal, DSniff,
Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Note that I have no plans to change the license for Nmap. It has been
distributed under the GPL for more than eight years and I am happy
with that license.

WD> Do you consider yourself to be a hacker?

Yes.

WD> In order to be a hacker do you need to be part of the 'scene'?

Absolutely not. Some of the smartest guys I know are your 
stereotypical anti-social nerds that spend all of their time hacking, 
driven by an insatiable 
passion for technology. Yet they don't care for attention, 
recognition, or the whole social scene. That doesn't make them any 
less of a hacker.

WD> Do you know Tony Watson?

Yes. I live in Palo Alto, a few miles from Google's headquarters in 
Mountain View. While Google has screwed up the already obscenely high 
housing values around here by minting so many millionaires, a side 
benefit is that they have recruited many great security minds from 
around the world. Niels Provos, Paul (Tony) Watson, 0100, and other 
cool hackers now call the area home. While I'm glad that Tony moved 
here, I've knew him previously from his CanSecWest appearances.

Speaking of Tony, I hear that he gave a great interview for Whitedust
[17] :) [Yeah we really liked talking to him he's one cool cat :) -psg].

WD> Do you have a day job?

I work for my own company, Insecure.Com LLC. The primary business is 
licensing Nmap technology for inclusion in commercial products. 
Companies are welcome to use Nmap for free if they comply with the GPL 
(make their product open source), but those wanting to use Nmap in 
proprietary products must pay a license fee. This allows me to work on 
Nmap full time. It also benefits users of those proprietary tools, 
which are often specialized for different purposs than Nmap. The code 
these companies get is exactly the same as GPL Nmap.

I also do some pen-testing and vulnerability assessment gigs, though 
I'm too busy to take on new clients for the next year or so.

WD> You co-authored a best selling book last year named Stealing the 
Network: How to Own a Continent. What is it about?

This was an exciting project because it is hacker fiction, as opposed 
to the technical documentation that I usually write. I teamed up with 
FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several 
other hackers to write individual stories that combine to describe a 
massive electronic financial heist. Unlike your average Hollywood 
portrayal (Swordfish, Hackers, The Net, etc.), we portrayed realistic 
attacks and technology. For example, my character Sendai uses Nmap, 
Hping2, Ndos, and similar tools to exploit network configuration and 
software vulnerabilities commonly found in the wild. Syngress (the 
publisher) was cool enough to let me post my chapter online for free [18].

I am also working on a book on network scanning with Nmap. I only have 
a couple chapters left to draft, though the editing and publishing 
phase will take months.

[1]  http://www.insecure.org/nmap/p51-11.txt
[2]  http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
[3]  http://www.insecure.org/nmap/p51-11.txt
[4]  http://www.insecure.org/nmap/nmap-fingerprinting-article.html 
[5]  http://www.insecure.org/nmap/versionscan.html
[6]  http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0000.html
[7]  http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html
[8]  http://sourceforge.net/projects/umit
[9]  http://umit.sourceforge.net/screenshots/umit_pics/
[10] http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0125.html
[11] http://cgi.insecure.org/mailman/listinfo/nmap-dev
[12] http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[13] http://www.insecure.org/sploits.html
[14] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[15] http://www.gnessus.org/
[15] http://sussen.sourceforge.net/
[15] http://porz-wahn.berlios.de/homepage/about.php
[16] http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html
[17] http://www.whitedust.net/article/31/Interview:_Paul_Watson/
[18] http://www.insecure.org/stc/






More information about the ISN mailing list