Interview: H. D. Moore

H. D. Moore is the creator of the Metasploit security exploit framework, and is one of the people behind Browser Fun, which became notorious for its "month of browser bugs".

Mister Moore will present his project, and the latest version of the accompanying framework. He will discuss the lessons learned since the start of the project.

What's the goal of your talk?

I hope to encourage attendees to try the Metasploit Framework and expand their interest in exploits and security. I expect an interesting discussion about open-source licensing, vulnerability disclosure, and the future of exploit development.

We understand that you're pro "full disclosure" regarding vulnerability reports?

I believe in sharing detailed vulnerability information and exploit code whenever possible. This information is essential to security software developers and providers of security services. Full disclosure shares many core values and benefits with the open-source software model.

Some of your actions have received quite some press coverage in the past. Do you actively seek that media attention?

A relationship with the media is critical when you have no marketing budget. I work with the media to increase public awareness of the Metasploit Project and ensure the accuracy of any articles that cover the projects I work on. The end result is a well-informed public and increased growth of the Metasploit user base. Besides, it's fun :-)

In the coming years, do you see IT security increasing or worsening?

Vulnerabilities just keep piling on; they never go away. The body of knowledge required to identify and remediate security issues is going to keep increasing until old systems are replaced. Windows NT 4.0 is no longer supported by Microsoft and can be compromised with an off-the-shelf exploit, yet many companies still have NT servers. The mantra of "keeping your systems patched" doesn't work when the commercial entity that sold you the system stops supporting it.

Microsoft has dropped support for Windows XP SP0 and SP1 (as of October 2006), even though many of its customers have not moved to SP2. The addition of the Windows Genuine Advantage checks in SP2 will prevent many users from receiving security updates. The end result -- thousands of XP desktops that will stay vulnerable until replaced.

This trend applies to open-source software as well. Although the open-source model allows anyone to apply their own security fixes to a piece of software, not many users have the time or experience to do so. The result is that the project maintainer (and downstream maintainers for various distributions) are solely responsible for the security fixes of that product.

Hundreds (thousands?) of companies are using embedded Linux in their products. What happens when these companies go out of business or stop providing updates for their products? Even if a volunteer effort is created to produce patched firmware and new packages, there is a slim chance that your average consumer will be able to find and apply the updates. This trend is especially common with printers, scanners, and other networked office devices. Many vendors only release updated firmware for new device models, leaving security flaws unpatched. As an example, some versions of the Busybox application contain an HTTP server that is vulnerable to a directory traversal attack. An advisory was released in September of 2006, but very few product vendors released an updated firmware image containing this new release. The result -- an unknown number of products that suffer from a serious information leak, one that can easily lead to a complete compromise of the device.

In summary, I believe that the challenges of IT security will continue to increase, even if the operating systems and applications drastically improve.

To counter this -- which current trends are actually beneficial to IT security?

Automated update systems are becoming common for not only commercial products, but open source applications as well. These systems provide an excellent way for vendors to distribute updates in a timely and consistent manner. The Mozilla Firefox browser is a great example of a product that protects its users via an auto-update mechanism.

What plans are in store for the Open Source Vulnerability Database?

You would have to ask the maintainers of this project. I provide advice when I can, but I am not involved in the day-to-day operations of the project.

How is the contact with the 'script kiddie' "community"?

Entertaining. Many security professionals used to be script kiddies and many script kiddies may end up becoming security professionals. I try to encourage education and suggest that they focus on the long-term benefits of having security experience. Not many companies will trust a person to secure their network if that person has a criminal record :-)

Keep on 1337-ing, and see you at FOSDEM!

This interview is licensed under a Creative Commons Attribution 2.0 Belgium License.