HD Moore is probably known to everyone who is following information security field. HD is author of many projects (www.digitaloffense.net) including Metasploit framework, that was recently acquired by Rapid7. He shared his experience with this transition process at this years Black Hat DC conference in his talk: Metasploit and Money.
Slo-Tech: Let's start with the usual question: please introduce yourself to our readers (education, programming skills, professional career, current job, etc). Also, how/when did you became involved in computer security.
HD Moore: My name is HD Moore (first name is just the letter 'H') - I have been involved in computer security in various forms since the early 90s, when I got my start on the local BBS scene. While in high school, I started working on a single-computer version of the SHADOW project (heuristical IDS), which became a reference for my first job as a programmer for the Department of Defense through a contracting agency. About 10 months later, some of the folks I worked with decided to move to commercial work, and brought me into the founding team of my first startup. I spent five and a half years there before joining the initial BreakingPoint team in 2005. In 2009, I joined Rapid7 as part of the Metasploit acquisition and currently serve as both the Chief Security Officer and Chief Architect of the Metasploit Framework.
Slo-Tech: Can you describe a typical working day in the life of professional security researcher?
HD Moore: My day generally starts by absorbing information; reading mailing lists, checking exploit repositories, catching up on email, reading Twitter, scanning blogs, and generally getting a feel for what changed recently. The constant feed of security information is necessary to keep track of new issues and to respond before opportunities are wasted.
Slo-Tech: Your opinion on full-dislosure/responsible dislosure. Does it really work? »Anti-sec movement«, and some respected security folks too, thinks it is not working. Also, what do you think about governments that are criminalizing FD like France?
HD Moore: Personally I have always been on the far end of full-disclosure; my own experience has shown that the fastest way to fix a problem is by publicizing an exploit for it. Countries with laws restricting information disclosure are hurting themselves in two ways; first, the limits on disclosure lead to less public bugs, which lead to less patches, resulting in less secure software overall. Second, these laws result in local security researchers moving to avoid potential prosecution for their daily work.
Slo-Tech: Speaking about »Anti-sec«, do you think they're »fighting« for the right cause? Can Internet really be safer place without full-disclosure? The question that comes in my mind is who will guard the guardians in that case.
HD Moore: Every few years a new round of folks tries to make this case. The latest group has no compelling arguments that weren't made 15 years ago. The point is it doesn't matter; neither vendors nor »anti« groups control the disclosure process, only the researchers do. As long as organizations ignore security problems until they are made public and as long as there are incentives to publishing information on these flaws, the status quo won't change. The only external factor that could change this is the criminalization of security research. This has long-term downsides for information security as a whole.
Slo-Tech: No doubt that security researcher of your fame has been contacted by many major IT corporations. Can you describe your experiences with them while reporting bugs. Did any corporation ever threaten you or maybe even tried to sue you?
HD Moore: I have seen a few legal threats over years. Developers generally just want to make their products better, it's the marketing and management folks that can have a knee-jerk reaction to a security advisory and try to kill disclosure with legal costs. For the most part, these are just threats, as soon as the information is public its cheaper to just fix the problem than try to sue the researcher who found it.
Slo-Tech: What about job opportunities? Did any of these companies or government agencies ever offered you a job? It is quite surprising that you're not security consultant/developer in some large IT company.
HD Moore: I enjoy working for small, fast-paced companies doing innovative work. There are definitely benefits to working for large companies, but autonomy and the ability to move fast in a new direction are generally not part of them.
Slo-Tech: Metasploit was sold to Rapid7. Many users now fear that it may become commercial or even worse - that this is the end of Metasploit. How can you assure users that neither of this is not going to happen and what can we expect from Metasploit in the future.
HD Moore: The Metasploit Framework will always be open source - our licensing guarantees that. We do plan on offering commercial services and haven't ruled out commercial product offerings, but these would be in addition to the free Metasploit Framework we provide today.
Slo-Tech: How many people are involved in Metasploit project? Not long ago I saw job announcement for Ruby developer so it looks like you guys have in plans to expand msfdev team.
HD Moore: The Rapid7 team is six people, all actively working on the Metasploit Framework in one way or another. Outside of Rapid7, the community development team is active, and we receive tons of patches and exploits from the community in general.
Slo-Tech: What do you think about »no more free bugs« initiative? Obviously there's a market for selling bugs, but can this ever become regular practice? Did you ever sold any of your exploits?
HD Moore: The core concept I agree with; researchers should be free to do what they want to with the vulnerabilities they find, including selling them to the vendor if thats what makes sense. Personally, I don't see a point in selling bugs to the product vendor, but have no problem with others doing so.
Slo-Tech: Can buffer overflows (heap/stack based) still be considered as a major security theat now that we have all these protection mechanisms implemented? Which are some new exploitation techniques that will arise in the near future?
HD Moore: Typical memory corruption flaws are becoming harder to find and even harder to exploit on modern platforms. However, keep in mind that these bugs apply to more than just desktop PCs. Every single product with a micro-controller or low-end processor has the potential to run arbitrary code given the right input. I predict that as memory corruption flaws lose their importance in the PC world, they will become much more widely exploited in embedded devices. The return-oriented-programming and JIT techniques extend the lives of existing flaws, but they depend on precise knowledge of the memory layout or a third-party application to generate the executed segment. Either way, these are going to become even harder to reliably exploit in the future.
Slo-Tech: Without any doubt script kiddies are large segment of Metasploit users. How do you deal with them? Are you trying to help or just ignore them? Also don't you think that, while most security professionals point to script kiddies like »plague«, it is simple fact that many respected security researchers were script kiddies once.
HD Moore: For all of the assumptions about the number of script kiddies using Metasploit, we really don't see that many. The reason is simple; Metasploit isn't friendly for that kind of use. With the size of the framework and the intricacies of the console interface, most of the complaints and questions we see are about how to use the framework. Keep in mind that traditionally public exploits were just ./something; having to learn the console and what the payloads mean is more of a time investment than these kinds of users are willing to put in. One advantage to being involved in Metasploit this long (7 years now), is that I have watched some of users go from kiddie to pro. From a support side, we try to help anyone who asks, but that help stops the second we see any sign that they are doing something illegal.
Slo-Tech: HD Moore is considered a »security rock star« among IT professionals and hacking community around the world. On the other hand Linus Torvalds once said that »security business is a media circus«, a fear spreading industry whom only goal is to make profit. How do you deal with this cult of personality and media in general?
HD Moore: Linus has much more to deal with than I do; I like working on code and I like it when people use that code to do cool things; for me the media is just a way to announce new features and drive interest in the projects that I work on.
Slo-Tech: I won't ask you which OS is more secure (Windows/Linux/Mac OSX) because I know you're using Linux and that may be pretty good indicator ;-)
HD Moore: Oddly enough, I started using Windows 7 as a desktop platform this year, after running Linux-only since 1995. The reason has little to do with Microsoft and everything to do with VMWare, Truecrypt, and Linux hardware compatibility. The laptop I use for primary development has three video outputs (internal, DVI, HDMI) and the Linux nVidia drive can't recognize the DVI output correctly. Since I spend 90% of my time working inside of virtual machines anyways (with the last 10% being my browser and email), the choice of base platforms doesn't matter so much these days. With that said, I still disable everything I can in the Windows host and avoid using the host for any import work.
Slo-Tech: Is SDL the final solution for Microsoft to reduce bugs in their code?
HD Moore: SDL exists because some sort of process was needed; it will continue to evolve over time, but will likely stay 6 months behind the latest techniques, permanently. The fun thing about security is it moves really quickly and there is always another way to attack (or defend) a particular issue.
Slo-Tech: Which was the first exploit you wrote (I remember ida_overflow.pl from 2002 but I'm quite sure that's not the first one) and what was the funniest bug you found. Also, I suppose not all the bugs you reported are patched so which is the »longest runner« (in days unpatched).
HD Moore: This depends on your definition of exploit - I have been writing security tools since 1997 or so, including some that led to command execution. I didn't really jump into assembly until 2000 or so, and it wasn't until I started working on Metasploit in late 2002 that I really dove into SEH bugs. If you count command execution, probably some BBS code from the mid-90s, otherwise either the IIS IDA was the first public flaw I had written an exploit for (http://digitaloffense.net/tools/ida_ove...). About the same time, I wrote a remote exploit for an ISAPI component used by an online banking system. This took the vendor about six years to finally patch and they ended up buying and installed Cisco Security Agent on customer web server as a workaround.
Slo-Tech: Regular question for the end: any 0-day laying on your hard-drive right now :D
HD Moore: Nothing really fun at the moment; but here is an old (but fun) exploit. There is a product called jBase which acts as a proxy of sorts between database clients and servers. In its default configuration, it allows anonymous connections to create a new workspace; one of the parameters for this workspace is the command to execute when it starts :)
<workspace name='anyRandomName' startupScript='cmd.exe /c …' nAvailableServers='1' workspaceAccount='root' anonymousClientAccount='root' workspaceUsers='*' action='add'/>
We thank HD Moore for the interview.
Slo-Tech: Introduce yourself to our readers (job, education, interests, etc) and please explain if your real surname is Spender or Spengler :-) Also, was Brad ever member of any Black hat group? Brad Spengler: Brad Spengler (not Brad Spender), though the similarity in the names isn't a coincidence, ...
english version Ime HD Moore je najbrž poznano vsakomur, ki mu informacijska varnost ni ravno deveta vas. HD je namreč avtor številnih projektov (http://www.digitaloffense.net) med katerimi je tudi ogrodje Metasploit, ki je nedavno prešlo v last družbe Rapid7. Svoje izkušnje s procesom tranzicije je ...
Introduction: We continue our series of interviews with a slightly »unusual« talk this time: Peter Van Eeckhoutte may be unknown to readers who don't follow the InfoSec scene on a daily basis. But he is well known to the international security community and his name is climbing fast on the ...
Slo-Tech: Can you please introduce yourself? Rafal Lukawiecki: Absolutely. My name is Rafal Lukawiecki and I work for Project Botticelli Ltd., which is a small consulting company based in Ireland. Over there I specialize in [st.link http://en.wikipedia.org/wiki/Business_intelligence business intelligence] ...
- Jure Čuhalev ::
Slo-Tech: Can you introduce yourself? Seth: My name is Seth Bindernagel and I am the director of localization for Mozilla Firefox. Slo-Tech: Our community regularly follows nightly builds of Opera, Firefox, Chrome, etc. as it’s a very competitive landscape. How do you see it from the Firefox perspective? Seth: ...