Fyodor

http://www.whitedust.net/article/41/Interview:_Fyodor/

By Mark Hinge and Peter Prickett
17 Oct 2005

WD> What first drew you into the world of computing?

My father is a hobbyist programmer, so I grew up with computers. In
the early days I used an Apple ][ and Vic-20. By the time I really
learned how to program, we had a PC XT. I thought DOS was cool, so
UNIX really blew my mind when I discovered it in high school. That was
where I got into security, too, as my friend David and I had shell
accounts on the same ISP and would continually hack each others'
accounts :).

WD> Why did you create Nmap? [1]

In The Cathedral and the Bazaar [2], Eric Raymond notes that 'every
good work of software starts by scratching a developer's personal
itch.' That was certainly my motivation for creating Nmap. I had a
whole directory of scanners, including Julian Assange's Strobe, the
reflscan SYN scanner, the UDP scanner from SATAN, a FIN scanner from
Uriel Maimon, and many more. They all have very different options and
limitations. I would want to use one scanner with an option from
another. So initially I made my own modified versions of each scanner.
Eventually, I decided the best approach was to create my own scanner
from scratch. It would support all of the major scan types while being
fast and efficient against large networks. Thus, Nmap was born. I used
it myself for a while, and then released it to the public in a 1997
Phrack Article [3]. I hoped people would find it useful, but
considered the project 'done' at that point and was ready to move onto
new things. So much for that! I was overwhelmed with the response to
Nmap, with so many people sending improvements that I released a new
version. That cycle has continued for more than 8 years now :).

WD> Have you ever been concerned that Nmap is used for blackhat
purposes?

I doubt that Nmap has ever been used for blackhat purposes. OK, maybe
once or twice :). But seriously -- there is no way I can write a
program that allows you to audit your own networks for security risks
without also enabling bad guys to do the same. And trying to limit
distribution to only 'good guys' is a lost cause.

I believe that on balance, Nmap is a major net benefit to Internet
security. If that ever becomes untrue, I will cease development.
Another tool I have written is an advanced denial of service utility
named Ndos, which I have used effectively to briefly disable the web
presence of major corporations (at their request and under controlled
circumstances). I have not publicly released Ndos because I fear that
it would be used more for abuse than for constructive purposes.

WD> Your most famous piece of software is, obviously, Nmap. What over
pieces of software have you created? How successful have they been?

I used to work for an Internet startup company, which was purchased by
Netscape, which was then purchased by AOL, which then merged with Time
Warner. Phew! I created (and helped create) a number of popular online
applications during that period, though none are really relevant to
the security community.

Most of the time I write something new, I try to architect it so that
it fits into Nmap. For example, OS detection [4] and version detection
[5] could easily be standalone applications, but I decided to build
them into Nmap instead.

This summer, Google generously agreed to sponsor 10 student Nmap
developers [6] as part of their Summer of Code program. One of the
most exciting projects is Ncat by Chris Gibson. This is a reinvention
of Ncat with cool features such as IPv6, better portability and
documentation, connection encryption and authentication, inetd-like
capability to spawn multiple concurrent applications, connection
redirection, and more. One neat feature is connection brokering, which
allows multiple hosts behind NAT gateways to communicate with each
other through a centralized Ncat server. It shares a lot of code I
wrote for Nmap, including the Nsock and Nbase portable networking
libraries.

Other interesting Summer of Code projects include:

• Doug Hoyte nearly tripled the size of the version detection database
  

  and added OS/device type/hostname detection to the system. The
  database now contains about 3,000 entries for more than 350 service
  protocols (X11, SNMP, SMTP, etc.)

• Zhao Lei added more than 350 OS detection fingerprints to Nmap [7],
  

  bringing the total to 1684. He also helped design a 2nd generation
  OS detection (stack fingerprinting) system

• Adriano Monteiro designed and implemented an advanced Nmap GUI and
  

  results viewer named UMIT [8] (screenshots) [9].

• Ole Morten Grodaas designed and implemented another advanced Nmap
  

  GUI and results viewer (its nice to have choices in open source!)
  named NmapGUI. Further details and download links are here) [10].
  It is worth noting that these GUIs aren't simple wrapper scripts
  for people who have trouble remembering Nmap command-line options.
  They offer powerful features for visualizing and searching large
  scan results.

While the program is over, all of these developers have continued
active development to improve their projects, which aren't yet fully
polished and debugged. People interested in helping with development
and testing of these or any other Nmap-related projects are encouraged
to join the nmap-dev [11] (high volume, unmoderated) and nmap-hackers
[12] (low volume announcements) lists.

WD> How long did Exploit World [13] run for? What were it's aims? What
caused it to come to an end?

I launched Exploit World in 1995 and updated it regularly until the
summer of 1998. The aim was to catalog vulnerabilities in a
full-disclosure manner that includes bug details and even exploits.
This was another 'scratch an itch' project -- I kept such a database
for my own purposes anyway, so I decided to put it up online so
everyone could benefit from it. While the exploits are all ancient,
the site is still pretty popular because it is the first Google hit
for various phrases such as 'ping of death'.

The problem, as so many exploit and vulnerability archives have
learned over the years, is that maintenance is hard and tedious work.
As the Nmap project grew to take up most of my time, I lost the
motivation to continue with Exploit World. Plus, there were other good
archives by that point in time and so redirecting the effort to Nmap
was more useful.

WD> We have been asking the question is hacking an art or a science?
What is your opinion?

The question makes it sounds like these are exclusive. Science can be
creative and beautiful like art. Also, the term 'hacking' is
overburdened with meanings. But I'll try to answer anyway. I consider
programming and vulnerability research and exploitation to be more
science/engineering than art. You are drawing upon a large base of
knowledge and using a methodology to achieve a desired practical and
verifiable result (such as busting root). That is not to say that
hacking is pure methodology that could be reproduced by a robot or
shell script. True breakthroughs usually require great creativity. But
this also is true of biology, chemistry and just about any other
science. My major in college was molecular and cellular biology until
I switched it to computer science, and there were many parallels.

WD> On your site you claim 'there are aspects of the hacker community
that disgust me', can you give us examples?

I hate to see people out there causing wanton damage just for
attention. Compromising some school network just so that you can
delete their web pages and post some self-aggrandizing rant about how
skilled you are and how dumb the admin must be does not help make the
world a better place. Such antics won't impress anyone worth
impressing either. Illegal activity motivated by money is at least as
bad. I hate to see security tools and information misused for
spamming, propagating worms, extortion, etc. One of the Google SoC
applicants listed on his resume that 'I am the leader of small
programming band that developes ... email retrive application (from
sites, newsgroups, brut force selection) for spam distribution'. WTF?
Since when is that something to be proud of? I'm not saying that these
people are part of the hacker community per se, but they are often
using some of our tools and techniques.

While conducting illegal/hurtful activity for money makes my blood
boil, I'm not anti-capitalist. Sourcefire was recently acquired for
$225,000,000, and I say good for them! Especially if they keep their
commitment to continue GPL Snort development.

WD> How do you feel about Tenable's announcement [14] that Nessus 3
will be closed source?

I am disappointed by that move, as I feel that source code
availability is critical for trusting important security tools.
Nessus' open source nature was one of its biggest advantages over a
myriad of commercial competitors. Heck -- their official slogan was
'the open-source vulnerability scanner' until this month. This leaves
a vacuum in the security community for a new open source vulnerability
scanner (or fork of Nessus 2.2). Several groups (Gnessus, Sussen,
Porz-Wahn [15]) have stepped up to the plate in launching these forks,
and I hope that at least one of them succeeds.

One of Tenable's justifications for closing the Nessus source was that
few people contributed. It is easy to take the open source tools we
depend on for granted, and forget that open source is a two way
street. The bazaar software model doesn't work so well with everyone
taking and not contributing back. In my Nessus response [16], I
suggest a few ways that programmers and non-programmers can support
projects they use and enjoy. Rather than mope over the loss of open
source Nessus, we can treat this as a call to action and a reminder
not to take valuable open source software such as Ethereal, DSniff,
Ettercap, gcc, emacs, apache, OpenBSD, and Linux for granted.

Note that I have no plans to change the license for Nmap. It has been
distributed under the GPL for more than eight years and I am happy
with that license.

WD> Do you consider yourself to be a hacker?

Yes.

WD> In order to be a hacker do you need to be part of the 'scene'?

Absolutely not. Some of the smartest guys I know are your
stereotypical anti-social nerds that spend all of their time hacking,
driven by an insatiable
passion for technology. Yet they don't care for attention,
recognition, or the whole social scene. That doesn't make them any
less of a hacker.

WD> Do you know Tony Watson?

Yes. I live in Palo Alto, a few miles from Google's headquarters in
Mountain View. While Google has screwed up the already obscenely high
housing values around here by minting so many millionaires, a side
benefit is that they have recruited many great security minds from
around the world. Niels Provos, Paul (Tony) Watson, 0100, and other
cool hackers now call the area home. While I'm glad that Tony moved
here, I've knew him previously from his CanSecWest appearances.

Speaking of Tony, I hear that he gave a great interview for Whitedust
[17] :) [Yeah we really liked talking to him he's one cool cat :) -psg].

WD> Do you have a day job?

I work for my own company, Insecure.Com LLC. The primary business is
licensing Nmap technology for inclusion in commercial products.
Companies are welcome to use Nmap for free if they comply with the GPL
(make their product open source), but those wanting to use Nmap in
proprietary products must pay a license fee. This allows me to work on
Nmap full time. It also benefits users of those proprietary tools,
which are often specialized for different purposs than Nmap. The code
these companies get is exactly the same as GPL Nmap.

I also do some pen-testing and vulnerability assessment gigs, though
I'm too busy to take on new clients for the next year or so.

WD> You co-authored a best selling book last year named Stealing the
Network: How to Own a Continent. What is it about?

This was an exciting project because it is hacker fiction, as opposed
to the technical documentation that I usually write. I teamed up with
FX, Joe Grand, Kevin Mitnick, Ryan Russell, Jay Beale and several
other hackers to write individual stories that combine to describe a
massive electronic financial heist. Unlike your average Hollywood
portrayal (Swordfish, Hackers, The Net, etc.), we portrayed realistic
attacks and technology. For example, my character Sendai uses Nmap,
Hping2, Ndos, and similar tools to exploit network configuration and
software vulnerabilities commonly found in the wild. Syngress (the
publisher) was cool enough to let me post my chapter online for free [18].

I am also working on a book on network scanning with Nmap. I only have
a couple chapters left to draft, though the editing and publishing
phase will take months.

[1] http://www.insecure.org/nmap/p51-11.txt
[2] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/
[3] http://www.insecure.org/nmap/p51-11.txt
[4] http://www.insecure.org/nmap/nmap-fingerprinting-article.html
[5] http://www.insecure.org/nmap/versionscan.html
[6] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0000.html
[7] http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html
[8] http://sourceforge.net/projects/umit
[9] http://umit.sourceforge.net/screenshots/umit_pics/
[10] http://seclists.org/lists/nmap-dev/2005/Jul-Sep/0125.html
[11] http://cgi.insecure.org/mailman/listinfo/nmap-dev
[12] http://cgi.insecure.org/mailman/listinfo/nmap-hackers
[13] http://www.insecure.org/sploits.html
[14] http://mail.nessus.org/pipermail/nessus/2005-October/msg00035.html
[15] http://www.gnessus.org/
[15] http://sussen.sourceforge.net/
[15] http://porz-wahn.berlios.de/homepage/about.php
[16] http://seclists.org/lists/nmap-hackers/2005/Oct-Dec/0000.html
[17] http://www.whitedust.net/article/31/Interview:_Paul_Watson/
[18] http://www.insecure.org/stc/