HD Moore has a matter-of-fact way of talking that belies his uncanny ability to draw the public eye. In just the past month, the 25-year-old Texan, who started the open source Metasploit Project in 2003, made headlines for promising to release a new bug for the Internet Explorer Web browser each day in July. By the end of July, he was in the news again: releasing a Web-based tool that uses the Google search engine to locate malicious programs.
InfoWorld Senior Editor Paul Roberts caught up with Moore, who is also director of security research at BreakingPoint Systems in Austin, Texas, to talk about Metasploit, project management, and full disclosure.
InfoWorld: Why did you launch Metasploit in the first place?
HD Moore: In 2003 there was … a doldrum in the security area. A lot of the people who were active publishers of information got jobs or decided to do something else. At the same time, private companies started to hoard security information, so people started saying, “Why should I give this information away when I can sell it to iDefense?” Metasploit was about creating a toolkit and a framework for developing new exploits quickly, allowing people to cut through the boilerplate stuff and develop something new.
IW: How did you grow the project to where it is now?
HDM: Knowledge spread mostly by word of mouth. People would say, “That’s cool.” [Metasploit lead developer] Spoonm … e-mailed us and said, “Your software sucks.” And I was like, “OK, why don’t you rewrite it?” So he did. In the exploit community, you’ve got to appeal to ego. Make it a challenge. That’s what they live for. As a project manager, it’s my job to say, “OK. How can we do better?” One reason that Metasploit has done so well is that there’s no holier-than-thou attitude.
IW: What should enterprise IT staff know about Metasploit?
HDM: I’m always wary of recommending Metasploit for use in a company, because your employer may have rules that forbid the use of programs like this. I think it can be a nice way to follow up after a third-party vulnerability assessment. The company you hire should be able to prove that the vulnerabilities they’ve discovered are real. Not just say, “Oh, I found 20 bugs -- fix them.” Tools like Metasploit can verify that, by running an exploit and seeing if it works. Unlike public exploits, you can also be sure that [Metasploit] isn’t installing back doors.
IW: You caught heat for releasing a new IE vulnerability every day in July, as if you were aiding and abetting the enemy.
HDM: That comes with territory. Any time you supply information to anybody, you’ve got to supply it to everybody. We saw this a couple years back, where CERT was allowing some customers to purchase vulnerability information in advance, then someone took that information and generated an exploit from it. Partial disclosure never works. You just end up catering to special groups that you deem trustworthy enough to have access. If I make something public, it’s not just to a group that I consider trustworthy.
IW: You recently unveiled a Google-based malicious code locator, akin to the one security firm Websense said it developed. What was behind that?