Security Forums
Interview with a security professional - HD Moore

alt.don
Posted: Sat Jun 11, 2005 5:51 pm

Continuing with our series of “Interview with a security professional” I am very happy to announce that HD Moore of Metasploit Framework fame has generously contributed his time to answer some questions for us.

Question

Where do you see Metasploit two years from now?

HDM’s Answer

Rap songs, groupies, and scandals on the news. Oh wait, that was CDC. With any luck, two years will give us time to develop a full suite of security tools and exploit information resources. Metasploit will always be a community project; where it goes really depends on who contributes and how much time they have.


Question

Have software patents ever been an obstacle to your work in the security field?

HDM’s Answer

Not yet, but I believe that any obstacles we encounter will be simple to work around. I worry much more about the lobbying groups that are trying to restrict vulnerability disclosure and the release of exploit code. This is one of the reasons why I appreciate companies like Core Security Technologies and Immunity -- they have businesses to protect and can put up a tougher legal fight than a small group of open-source developers ;)

Question

What are your thoughts on security professionals who use your program, but cannot code an exploit themselves?

HDM’s Answer

Use what you need, when you need it. If you are doing a job and need a working exploit, you have three choices: public code, commercial code, or doing it yourself. If you can't find public code to do the job, it's a business decision -- fork over some cash for a commercial toolkit or invest some time to write the code yourself. If you are unwilling to spend the resources to do your job, be honest with your client (whether it's your own company or a third party), and make up for it in research and documentation. Many companies are not willing to train their staff or purchase commercial tools, leaving it up to the analyst to fudge their way through reports and make vague statements about the risk of any unverified flaws.

Question

Were you to start over again, which would you learn first: TCP/IP or programming?

HDM’s Answer

Are you serious? Programming! Network traffic is no fun unless you can write code to play with it.

Question

What motivates you to continue maintaining Metasploit? It must be a very time-intensive project after all, with little or no donations?

HDM’s Answer

My motivation comes from being able to work with intelligent people and produce a tool that people actually find useful. The development team and our contributors are always coming up with interesting ideas; I doubt I could run out of new things to work on, even if this was my full-time job.

Between the four members of the development team, we probably sink 2 to 5 hours a night, every weekday, into the project. On the weekends, it can be anywhere from 10 to 60 hours, depending on how close to a release we are. Most of my time goes into the boring stuff – updating the web site, maintaining the update system, responding to email, and investigating bug reports.

Donations have not been bad: besides the $633 we received via the web site, one generous user contributed $500, and many others have offered to donate hardware or development time. The cash donations have been used to replace failing hardware, keep domain registrations current, and cover a pizza once in a while. The primary metasploit.com server is about to be replaced by a donated dual Xeon rig, which should give us some breathing room for computation-heavy projects like the Opcode Database. Code contributions are starting to increase, but there seems to be a gap between those who can write exploits and those who write readable Perl ;)

Question

Do you feel the upper echelon of the hacking world, such as yourself, should do more Metasploit-like projects?

HDM’s Answer

Someone should have told me about this echelon thing -- I wonder if they give out hats or shirts? There are very few people who have the skills, job freedom, and personal inclination to pour their time into an open-source security project -- especially one focused on the offensive side. Not many security companies believe in full disclosure in the first place – either for marketing reasons or due to the perceived legal risk (ethics can be a convenient rationale). Not every researcher believes in giving away information and tools to the public; many are happy just sharing with their peers and presenting at the occasional conference. I am ecstatic that these folks contribute as much as they do, either through research papers or the occasional submission to an open-source project.

Question

What programming language would you counsel someone to learn as their first, and why?

HDM’s Answer

Nearly every major application and operating system is written in C or a subset of it (C++, Obj-C, etc). The GNU compiler runs or has a target for nearly every platform and operating system. Every serious debugger has special extensions for viewing C structures in compiled code. Most scripting languages simply wrap the standard C library or system API. The problems that you encounter when learning C will give you insight into why things like off-by-ones, format strings, and buffer overflows are so prevalent.

Question

Do you believe that Microsoft is finally taking security as seriously as they should? There certainly seems to be progress by using the lack of IIS 6 exploits as an example.

HDM’s Answer

Security concerns (valid or not) are hurting their bottom line and they have no other choice but to take it seriously. I have met a few members of the Secure Windows Initiative team and can say they believe in their goals and are given no few resources to accomplish them. Microsoft has a huge task ahead and has hired some brilliant security people to help with it. Whether the overall improvements are enough to make a difference still remains to be seen. I believe that their documentation and insecure developer samples are going to be a weak point for a while -- there is no patch for bad education. IIS 6 will fall (publicly), just give it some time ;)

Question

Where do you see exploit developers training their sights next? Is there a field that is ripe for exploitation?

HDM’s Answer

New technologies and network protocols are being developed all the time; it's just a matter of what becomes prevalent enough to be worth targeting. As VoIP popularity rose, so did the number of attacks and public vulnerabilities. Recently, I have been poking around with common network backup and disaster recovery software. Nearly everyone runs it, it's considered a core function of network security, and it's usually wide frikkin open ;)

Question

Do you think the non-executable stack available in some CPUs has dramatically altered the way exploit coders have gone about their business?

HDM’s Answer

Ask anyone familiar with Solaris exploits: it only adds a few minutes to the development time. If enough Windows systems start to enforce page execute permissions, exploits will simply evolve around it. ASLR and policy enforcement do a much better job of annoying exploit developers.


On behalf of the membership and myself I would like to extend a big thank you to HD Moore for his time. It is always great to get answers from someone as talented as HDM.


This interview is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
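Picking up HDM's point that learning C shows you why off-by-ones and buffer overflows are so common: the block below is an added illustration for readers of this interview, not code from the interview, from HD Moore or from the Metasploit project. It shows the single most frequent off-by-one in C, a length check that forgets the NUL terminator, next to the correct check and a bounded copy that reports truncation instead of writing past its buffer. The buffer size `NAME_CAP`, the input string and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Destination size for the constructed scenario (an assumption for this
 * example, not a value from the interview). */
#define NAME_CAP 8

/* The classic off-by-one: this check forgets that a C string needs one
 * extra byte for its NUL terminator, so it accepts an input whose length
 * equals the capacity. A copy guarded by it writes one byte past the end
 * of the buffer, typically into whatever the compiler placed next to it
 * on the stack. Returns 1 if the buggy check would accept the input. */
int fits_buggy(size_t len, size_t cap) {
    return len <= cap;
}

/* Correct check: the terminator needs room too, so the longest string
 * that fits has cap - 1 characters. */
int fits_correct(size_t len, size_t cap) {
    return len < cap;
}

/* Hardened bounded copy: never writes more than cap bytes, always leaves
 * dst NUL-terminated, and reports truncation instead of silently clobbering
 * the neighbouring memory. Returns 0 on success, -1 if src did not fit
 * (dst then holds the truncated prefix). */
int copy_name(char *dst, size_t cap, const char *src) {
    if (cap == 0) return -1;
    size_t len = strlen(src);
    if (!fits_correct(len, cap)) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* +1 copies the terminator */
    return 0;
}

int main(void) {
    char name[NAME_CAP];
    /* Constructed input: exactly NAME_CAP characters, so it needs
     * NAME_CAP + 1 bytes once the terminator is counted. */
    const char *input = "ABCDEFGH";
    size_t len = strlen(input);

    printf("buggy check accepts %zu chars into %d bytes: %d\n",
           len, NAME_CAP, fits_buggy(len, NAME_CAP));
    printf("correct check accepts it: %d\n", fits_correct(len, NAME_CAP));

    int rc = copy_name(name, sizeof name, input);
    printf("copy_name rc=%d, stored \"%s\" (%zu chars)\n", rc, name, strlen(name));
    return 0;
}
```

The buggy check is deliberately not wired to a real copy, since executing the overflow would be undefined behaviour; the point is that `fits_buggy(8, 8)` says yes where `fits_correct(8, 8)` says no, and that one-byte disagreement is the whole bug class.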