You might be surprised to learn that the mysterious hacker behind the MoKB (Month of Kernel Bugs) project actually believes in responsible disclosure. For the entire month of November, the man known simply as “LMH” is releasing a daily proof-of-concept exploit for unpatched kernel-level flaws in operating systems — including Windows, Linux, Mac OS X and FreeBSD. I caught up with LMH over IM and found him willing to explain the motivation for the project, share thoughts on disclosure ethics and argue that some OS vendors are more dangerous than hackers…
RN: Can you introduce yourself? Who is LMH? Is there a real name?
LMH: Well, I have a name as we all do. LMH is in fact a reference to my real name. The reason for ‘hiding’ behind it is that while I don’t mind appearing on public mailing lists, news media, etc., I want to be recognized by the work I do. A name is pretty much like a trademark, and I’m not into trading with my name, thus I prefer to use a rather simple nickname such as ‘LMH’. That way people focus on the work and not who has done it. It’s also good to keep a low profile sometimes. I’m based in Europe.
How did you get involved in security research?
I got involved at a young age, obviously not in the best manner. Like most people in the ‘scene’ I started as the rather annoying script kiddie, or high school prankster. Fortunately I got through that and started doing more useful work ;). I’ve been doing kernel-related development for some time now around some projects. I found Metasploit to be a serious, yet extremely fun playground where I met skillful individuals such as HD (Moore) and Matt Miller (skape). I’ve been contributing to Metasploit for some time now. I could say it’s my professional career but I try to get involved in other related activities in areas like physical security.
What prompted you to do the MoKB project? Any particular reason for focusing on kernel bugs?
One of the reasons was to have fun and find interesting issues. The original intent was to get a general overview of the current state of kernel-land code but I was also pushed by the fact that some bugs apparently were being patched silently (even if they were known for months). The ‘better-safe-than-sorry’ saying applied fairly well to the situation, so that also motivated me to release these bugs into the public domain.
What’s wrong with silent fixes? Microsoft says that anything they find themselves will be fixed silently because releasing information only serves to help attackers…
It’s wrong when developers and vendors are dishonest. It’s also contradictory to the apparent policy/motivations of a company if their business model focuses on security or open source software. Actually, silent fixing aids attackers. Someone who thinks that no one can notice a silent fix by either reverse engineering or simple mining of change-logs and development discussions is definitely someone harmful to himself, his company and the userbase of the product itself. [Full interview]