Why we need hackers

Life would be easier if we didn’t have to patch our operating systems and apps. Patrick Gray explores the real reasons why updating is important.

It would be easier if hackers, who say they’re acting in the public interest by releasing information on the vulnerabilities they find, would just get real jobs and stop pointing out the weaknesses in our software, right? Wrong.

As most who work in the IT security field will tell you, all the software that we use is shipped in a vulnerable state. The security holes are there from day one, and if the good guys don’t find the bugs, the bad guys will. The only way to defend an operating system or an application against a bug is to know of the existence of the bug in the first place.

Just 10 years ago, the bug-hunting community was a mish-mash of hackers, system administrators and programmers. Many were geeks seeking kudos for finding the latest "zero-day" or "fresh" vulnerability.

Since then, IT security has become a booming business and vulnerability information is worth its weight in gold. Scores, if not hundreds of full-time bug hunters now spend their days earning hefty salaries pulling apart software and looking for bugs — a weird sort of third-party quality assurance service for software companies.

They disclose their findings to the vendor, which releases a patch, then they release information about the bug to the wider community. But what are the ethics of security research? How much information should researchers release when they find a bug?

'You talk about why people crack things; I think the benefit is that it keeps the vendors in line, it holds them accountable,' says Rick Forno, the former chief security officer of Internic. 'And chances are if the good guys find something, the bad guys have known about it longer than the good guys.'

US-based Forno is currently studying for a PhD on vulnerability disclosure at Curtin University in Western Australia. In his role as Internic’s CSO, he was responsible for securing the Internet’s root domain name servers — the core directories responsible for matching domain names to IP addresses. In short, they’re important machines.

While Forno defends security researchers who disclose information on the vulnerabilities they uncover — even "proof of concept exploit code", the software researchers sometimes release, which allows all and sundry to use the vulnerability — he says there’s a right way to do it and a wrong way.

'Knowledge is neutral. How do you use it, to patch a system or exploit a system?' he asks. 'There is a big movement now to restrict adverse information ... but where do you draw the line between where information is deemed to be adverse or helpful? Too often people err on the side of caution.'

In this feature, you’ll hear from the hackers themselves, who largely serve the public interest. Some have disclosed information that’s led to computer worms being unleashed by unscrupulous hackers. Others have written tools the bad guys use to penetrate networks. All say they’ve acted in the public interest.

Are they mischievous characters or guardian angels? Read on and decide for yourself.

David Litchfield is a security researcher, entrepreneur and accidental architect of one of the fastest spreading computer worms the Internet has ever seen: the Slammer SQL worm.

Security geeks often come from similar backgrounds. Raised by the pocket-protector sporting supergeeks of the 1960s, these guys and gals were twiddling with computers at the age that most of us were learning how to hold a crayon.

Not so for David Litchfield, who was already 23 when he decided to make the move into IT security in the late 90s, dropping out of a degree in zoology to pursue computer science studies. But the course ran too slow for his liking — he dropped out of university altogether and moved to London from Scotland to find work in IT. 'At first, I was working in pubs, doing a lot of canvassing while I was teaching myself computers,' he says.

Since his early days in IT, Litchfield has become, arguably, the most prominent database software security researcher in the world. And it was his research that made the Slammer worm possible. Litchfield had discovered a vulnerability in Microsoft’s SQL server product and decided, after the company had released a patch for the bug, to present details about the glitch to a security conference in 2002. 'The code I presented [at the Black Hat security conference] became the template for Slammer,' he says. 'There was six months between the release of the code and the worm.'

When it was unleashed on January 25, 2003, Slammer wreaked havoc on the Internet. While it was relatively benign — it didn’t destroy any data on infected systems — it generated enough traffic to grind some corners of cyberspace to a near-total halt.

Why was a security researcher presenting information that could be used to cause so much disruption? Litchfield had uncovered a vulnerability in Microsoft’s flagship database server, SQL, that was so easy to exploit he considered the release of the code used to exploit it as a wake-up call for database administrators. 'I said if you don’t fix this it will become the next big worm,' he says.

As it turns out, he was right. Despite administrators having six months to apply a patch from Microsoft that would have eradicated the vulnerability he discovered, few, it seems, heeded his warning.

These days Litchfield doesn’t release “proof-of-concept” code like that used as the foundation for Slammer, but says the effect of his research, and even the worm itself, has been positive. 'At the time I did (regret releasing the code) but looking back, Slammer, thankfully, was benign. It didn’t have a malicious payload, it just screwed up a few weekends, and it’s really what brought patching to the boardroom,' he argues. 'Today if you come across a SQL server, nine out of 10 times it will be patched, so Slammer at least brought a change in the way people look at patching.'

You’d think Litchfield’s company, Next Generation Security Software, would hardly be on Microsoft’s Christmas card list after his research was used to knock over SQL servers, but NGS does a substantial amount of work for the software giant.

But he’s not cosy with all the major vendors. He’s been involved in a very public flamewar with Oracle’s chief security officer Mary Ann Davidson for years. 'Before the spat began I travelled over to Redwood Shores to have a coffee with her. I like the woman, she’s a nice person, but professionally I think she’s in the wrong job,' he says bluntly.

It was Litchfield who released limited details of scores of vulnerabilities in Oracle products immediately after the launch of the company’s “Unbreakable” marketing campaign. The campaign suggested that Oracle software was secure, and Litchfield knew it wasn’t. So he set to work on breaking the company’s “unbreakable” products. 'I think it was the civic thing to do, to be honest,' he says. 'If you bought something from a shop, your details are in a database somewhere. To make that information safe, we need secure databases ... and Oracle isn’t doing that. There’s been a complete and utter failure from Oracle as far as I’m concerned.'

It’s not always independent researchers who spend their days trying to break software and digital security mechanisms — sometimes the vendors get in on the action as well.

Cryptographer Scott Fluhrer, who works for Cisco, is probably best known for being one of the team responsible for sending the Wired Equivalent Privacy (WEP) standard to the computing graveyard.

WEP was the default standard for wireless network encryption, but a paper published in 2001 by Fluhrer and two Israeli researchers, Weaknesses in the Key Scheduling Algorithm of RC4, showed just how flawed the encryption scheme is.

You may be asking, at this point, why on Earth vendors are still shipping wireless networking equipment with WEP "security" built in? Well, one reason is for backwards compatibility, and the other is that it’s "better than nothing", but only marginally.

Thanks to Fluhrer and a few others, cracking WEP is trivial.

This means you can access your next door neighbour’s access point for free Internet access, or even sniff their data as it flies back and forth. Why you’d want to read your next door neighbour’s email is anyone’s guess, but you get the drift: WEP is useless.

If you want real wireless security, you’ll need WPA, or Wi-Fi Protected Access.

So what was Fluhrer’s motivation? He happily admits ego was involved, which makes one wonder: if someone admits to being motivated by ego, does that make them humble?

'As much as I’d like to say "it’s to make the world a more secure place", well, that really wasn’t my main goal,' he wrote in an email to PC Authority. 'Ultimately, I suspect it was that I could, and to show people I could.'

At least he’s honest.

Still, there were also some altruistic motives at play; Fluhrer says it’s important to research weaknesses in security schemes and make them public. 'After all, with security, it’s quite difficult to determine if what you’ve designed actually works; whether it is actually secure,' he explains. 'The only way we know to test that is to have skilled people try to break it. Given that, it’s obviously better to have the good guys break it first.'

The disclosure aspect is also important, Fluhrer says. 'It’s quite impossible to tell the good guys about the weakness without telling the bad guys about it too,' he argues. 'If we don’t publish the results, then any bad guy who stumbles on the same result will be able to break it at will. If we just claim to have results without publishing them, we wouldn’t be taken seriously… By publishing the results, we let companies who take security seriously update their equipment.'

So how did he break WEP?

'I did some simulations based on random sets of related (cryptographic) keys, and while I didn’t find the weakness I was looking for, I did notice an anomaly where occasionally, a set of related keys would act quite non-randomly,' he says. 'I tracked down what was happening in those cases, and found the basic observation the attack was based on.'

But Fluhrer misunderstood how WEP worked, so his research didn’t break WEP directly. 'At this point, I went to a technical conference, and ran into (Israeli researchers Itsik) Mantin and (Adi) Shamir. We decided to collaborate,' he says. 'Together, we refined the attack, including how these results could be applied to the real WEP protocol.'

The rest, as they say, is history.

Hacking tools: For better or worse?
Security research isn’t all about breaking software; sometimes it means creating it. Gordon Lyon, who’s better known by his handle Fyodor, achieved a fame of sorts when he wrote the Nmap network scanning software.

Nmap, a port-scanning utility, has become the de facto standard tool for good guys and bad guys alike. It’s a relatively simple piece of software that scans IP ranges for open or closed ports. It can identify running services, like Web-server or mail transfer software, Trojan software and even the operating system of the target machine.

But it wasn’t until his utility made a guest appearance in The Matrix Reloaded that Fyodor got serious kudos from the geek elite. 'That was pretty awesome,' Fyodor told PC Authority. 'Especially since I had no idea it would happen.'

He’d scored tickets to a midnight showing when the movie was released. Sensing a “hacking scene” was approaching, Fyodor shuddered. 'I was like "oh no! These are always terrible!",' he says. 'Then I saw her (the Trinity character) whip out Nmap and was amazed.'

Fyodor’s movie companion, James Hong, the man behind the lurid dotcom operation hotornot.com, was as stunned as he was. 'Let me tell you, you can spend almost 10 years writing a port scanner, adding all sorts of great and useful features,' Fyodor says. 'But you don’t get nearly as much press from big new releases as when some hot celebrity chick in black vinyl uses Nmap for five seconds in a movie.'

But if anything, Fyodor finds Internet fame a little embarrassing. He took his nickname from Russian author Fyodor Dostoevsky. 'I’m a little embarrassed that a Google search for Fyodor now lists me before Dostoevsky,' he says. 'I guess it is hard to earn and maintain a decent PageRank when you’re dead.'

Fyodor, who’s now based in California and spends his days maintaining Nmap, says he never thought the side project would take off. He released it as open source software, and the response was overwhelming. 'Tons of people started sending me suggestions, improvement ideas [and] patches,' he says. 'So I decided to release one more version, and well, here it is nine and a half years later and I just released a version two nights ago.'

Today, Fyodor makes a crust by licensing Nmap to software companies that include it in their products. It’s a legitimate enterprise, but not even Fyodor himself saw it coming. 'One reason I used a handle was I was worried I’d get sued, harassed,' he says. 'But actually the response has been extremely positive in almost all cases.'

If someone is sophisticated enough to know what Nmap is, they also understand how much value it can bring them in terms of securing their own network, he adds. 'The very first step in securing your network is understanding what is really going on. So you whip out Nmap to inventory your systems, check whether any unexpected ports are listening, ensuring that your firewall is really behaving as you expect it to.'
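An added example, not code from the article or from the Nmap project, of the inventory check Fyodor describes: it parses Nmap's grepable output (the format written by `nmap -oG`, run separately and beforehand) and flags listening ports that the host's expected-service baseline, and therefore the firewall policy, does not account for. The scan text, host addresses and baseline below are constructed for illustration.

```python
# Constructed sample in nmap's grepable (-oG) format; not a real scan.
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample)
Host: 10.0.0.10 (web01)\tStatus: Up
Host: 10.0.0.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.11 (db01)\tStatus: Up
Host: 10.0.0.11 (db01)\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///\tIgnored State: filtered (998)
Host: 10.0.0.12 (mail01)\tStatus: Up
Host: 10.0.0.12 (mail01)\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed baseline: the open TCP ports each host is supposed to expose.
BASELINE = {
    "10.0.0.10": {22, 80, 443},
    "10.0.0.11": {22},
    "10.0.0.12": {25},
}


def parse_gnmap(text):
    """Return {host_ip: set(open TCP ports)} from grepable nmap output.

    Each 'Host:' line carries tab-separated 'Key: value' fields; the Ports
    field lists entries as port/state/proto/owner/service/rpcinfo/version/.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]
        open_ports = set()
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                open_ports.add(int(parts[0]))
        # Status and Ports lines for one host are merged, not overwritten.
        results.setdefault(ip, set()).update(open_ports)
    return results


def unexpected_ports(scan, baseline):
    """Map host -> sorted list of open ports absent from its baseline.

    A host missing from the baseline is treated as having no expected
    ports, so everything it listens on is reported.
    """
    findings = {}
    for ip, ports in scan.items():
        extra = ports - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for host, ports in unexpected_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        print(f"{host}: unexpected open ports {ports}")
```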

Besides, the bad guys already had access to scanning technology prior to the release of Nmap, even if it wasn’t as sophisticated, Fyodor says.

At 29, Fyodor, a self-confessed workaholic, has some expensive hobbies, racing his BMW M3 coupe for kicks. 'I love to ski in the winters at Tahoe, I like driving fast, taking my car to the racetrack or going go-kart racing,' he says.

Fyodor, the author of the Nmap network scanning software
You’d think Mudge’s use of a pseudonym would suggest he’s an underground guy; an enemy of the establishment. But this good-guy hacker is about as close to the establishment as it gets.

It was Mudge (pictured on this page with former US President Bill Clinton) who in 1998 told the US Senate that hackers could take down the Internet in 30 minutes. Now he’s BBN Technologies’ technical director of national intelligence research and applications. BBN is a government contractor in the US, which provides services for several, unspecified US Government agencies.

He’s a cryptography and hacking expert. Read between the lines.

Pieter 'Mudge' Zatko

As one of the members of L0pht Heavy Industries -- a Boston-based hacker collective that later formed the respected @Stake security company — Mudge was behind L0phtCrack, the creme de la creme of password crackers.

'L0phtCrack was a password-cracking tool I wrote for use on and against Microsoft Windows systems,' he told PC Authority. 'It ended up working extremely well, too well for many people's liking.'

At the time, he was responsible for auditing and maintaining several hundred systems. Most of them were Unix based, but increasingly he was being tasked with taking care of Windows boxes. 'There simply weren’t any tools to do the equivalent password cracking and auditing on MS Windows systems as there were for Unix,' he says. 'So I had to write my own ... during that time I started looking into what Hobbit, a legendary Boston area hacker, had been working on... he had pointed out to me that LANMAN, Microsoft’s legacy [password storage mechanism], didn’t look to be too well done. It sure wasn’t.'

What started out as an auditing tool turned into a demonstration that MS systems needed to be segmented on networks and treated as if their passwords were trivial to retrieve, which, thanks to L0phtcrack, they were. The tool completely broke Windows passwords. 'It was not a good tool, as many organisations and people claimed, for ensuring that users were choosing strong passwords based upon the amount of time that the program took to return the unencrypted password,' he says. 'It could, and usually did, return almost all of the passwords (on a targeted machine).'

With that in mind, it was no surprise that Mudge was a tad miffed when L0phtcrack became a successful commercial product. He’d demonstrated just how bad Windows passwords were -- auditing them became moot -- yet the market lapped up the tool as an auditing suite. 'Originally I released L0phtCrack free of charge for most uses under a BSD style licence,' he says.

Commercial users were supposed to pay a $25 fee, but no one was paying, and the tool had been downloaded hundreds of thousands of times from government networks. 'That didn’t bother me as much as the support emails that started showing up, primarily from the US Government,' he says. 'We put a trivial timeout mechanism in to the next release of the software, and when I say trivial we went out of our way to make sure it was easily "crackable".'

Mudge (with long hair) at the White House. He is Technical Director, National Intelligence Research and Applications at BBN Technologies.

The people who were going to crack the software were not people who would have paid for it in the first place, so Mudge let them use it and spread the word about how effective it was. Within a very short period of time, the software was pulling in revenues 'well into the six figure range'.

So what would Mudge say to those who’d charge him with writing a tool that can be used by the bad guys? 'Don’t eat anything but strained food. Outlaw hammers. Arrest anyone who owns or drives a car... these tools [can be] used by bad guys,' he says. 'The tool is not the issue. It’s the person behind the tool that one needs to worry about.'

In other words, password crackers don’t kill people, people kill people.

But it’s not just passwords that he’s known for breaking. Mudge also pioneered the techniques used to discover and exploit buffer overflow vulnerabilities. These are the class of vulnerabilities that lead to all the superworms -- Code Red, Slammer, Blaster and more. 'I’ll probably get a few thousand years tacked on to my Purgatory sentence for my contribution to the field of buffer overflows,' Mudge jokes.

Perhaps due to his relatively diverse expertise, Mudge is happy to weigh in on the Apple versus Windows security debate, a topic many sway away from.

Unfortunately, he says, there’s no clear winner. 'I’m a bit disappointed in Apple as they seem to be handling the security issue in the same marketing and PR fashion that Microsoft initially handled its security PR angle,' he says.

He has nothing against the company, he says, and is a fan of Steve Jobs. Likewise, he’s been impressed by the inroads Microsoft has made in its war on vulnerabilities. 'I’m also very impressed with how Microsoft, a very large organisation, has changed in how it handles security reports and patches in comparison to its initial "that vulnerability is completely theoretical" responses,' he says. '[But] the simple fact is that both OSes have security problems.'