It may sound contradictory, but the hacker behind the Month of Kernel Bugs, or MOKB, project actually said he believes in responsible disclosure. Throughout November, the man known as LMH has been releasing daily exploits for unpatched kernel-level flaws in operating systems?including Windows, Linux, Mac OS X, Solaris and FreeBSD. In an interview with Senior Editor Ryan Naraine, LMH explains the motivation for the project, weighs in on vulnerability disclosure ethics and rips software vendors that downplay security flaws.
Can you introduce yourself? Who is LMH?
I have a name, as we all do. LMH is, in fact, a reference to my real name. The reason for "hiding" behind it is that while I don’t mind appearing on public mailing lists, news media, etc., I want to be recognized by the work I do.
What prompted you to do the MOKB project? Any particular reason for focusing on kernel bugs?
The original intent was to get a general overview of the current state of kernel-land code, but I was also pushed by the fact that some bugs apparently were being patched silently, without proper disclosure or credits to researchers.
What’s wrong with silent fixes? Microsoft says that anything it finds itself will be fixed silently because releasing information only serves to help attackers.
It’s wrong when developers and vendors are dishonest. Actually, silent fixing aids attackers. Someone who thinks that no one can notice a silent fix by either reverse engineering or simple mining of change logs is definitely someone harmful to himself, his company and the user base of the product itself.
I’ve said it already: I’m not a fan of full disclosure, but sometimes you get the feeling that developers and vendors don’t deserve the privilege/advantage of being warned about them.
I’ve also seen another criticism that your Linux kernel bugs are mere low-risk DoS [denial of service] issues. Is there a concern that you might be overblowing things?
You’re right?some are low-risk. However, there are issues that have some other implications. DoS issues, when it comes to file system bugs, also lead to file system corruption, especially with Linux. I’m not overblowing issues. I’m simply explaining the security implications.
The fact that some developers aren’t familiar with those might lead to criticism, and I get the feeling that some people want me to do their homework as well, and they feel cheated when I don’t give all the relevant details about a specific issue.
Read the full story on eWEEK.com: Inside the Mind of a Hacker.
