Thursday, August 02, 2007

I have reached the intellectual level of the sports spectator in an armchair: Comment first, read and understand later. After the last Blog comment, I actually went to read the slides of Joanna's presentation. To summarize: I find the slides informative and well-thought-out. I found that the empirical bits appear plausible and well-researched. The stuff following slide 90 was very informative. It is one of the most substantial slide decks I have read in recent times.

Some points to take home though: Whoever writes a rootkit puts himself in a defending positions. Defending positions against all known attacks is possible given perfection on the side of the defender. That is bloody hard to achieve. There is no doubt that for any given attack one can think of a counter attack, but it's a difficult game to play that doesn't allow for errors.

I think the core point that we should clarify is that rootkits should not fall into an adversary's hand to be analyzed. Once they are known, they fall into a defending position. Defending positions are not long-term substainable, as software has a hard time automatically adapting to new threats.

Once you accept that the key to a good rootkit is to use methods unknown to the victim, one might also be tempted to draw the conclusion that perhabs the virtualisation stuff is too obvious a place to attempt to hide in. But that is certainly open to discussion.

Enough high-level blah blah. I am so looking forwards to my vacation, it's not funny.
Post veröffentlichen

4 comments:

pdp said...

I totally agree. If I wanted to hide a rootkit, I would rather do it within an application that is common and it is used on a daily basis, like a browser for example. Writing rootkit for Firefox is like a walk into the park and Antivirus Agents, Researchers and everybody else will never suspect that hidden threat. Moreover, it can be updated on demand with newer version. So yes, I agree.

Dr. ARM said...

The intellectual level of the sports spectator in an armchair? D'oh, poor Halvar, that is really an unfortunate way of attending Black Hat. I do not feel better either, since I am writing this comment on my Powerbook, and am hoping nobody will hack it as I am working!

However, let us hope there will be soon a Black Hat conference in the true north (still) strong and (still) free. I am in Calgary now and even though Alberta sometimes looks like a cross between Montana and Texas (people with cowboy hats shouting Yeeee-Haaay, no kidding, and oil company buildings everywhere), you *do* breathe a different air (and very dry, too - my nose is always bleeding).

At immigration here I could tell without any problem that I was coming here to do "joint research work" at the University, where I would simply be paid a honorary for one talk (one day is less than the five days for which you need a business visa) and reimbursement for all expenses, and then go to a conference. They wanted to know what the conference was, and my involvement. When the immigration officer heard I am a co-organiser of this canadian-only conference series, he smiled and he said "Oh, so you are doing something FOR us, that's nice!" and I could pass without problems. And that's a conversation I have 1 to 3 times a year, coming to Canada. Never there's been a problem.

40 minutes in the queue, then just 20 seconds talking to the officer. Oh yes, I told them I was bringing coffee and chocolate, too. No problem.

However, of the three times in my life I went to or through the U.S., once I was searched. I must be a suspect because I am an italian coming from a different country (Germany) and wearing a beard (must be a terrorist!).

Well. Maybe we can organise something in Canada together, too ;)

Or we could bring Black Hat to Bochum, too?

Antenore

Abhishek said...

Hello sir,
I am searching for link Exchange and technoratti faves partners.
heres my link : http://tekabhi.blogspot.com

Let me know your opinion.
Regards,
Abhi

Unknown said...

bluepill should be there for referencing only. something that shows "new possibilities for a new computer chip". not more.

[as a sport spectator] i have learned that joanna is unsharp but can come up with something; that ptacek's qualities do not transcend utterance [about the obvious]; and that above the obvious, only edgar barbosa has been.

further, whoever speaks of using bluepill in the wild, is [just] more naive than joanna.


in completing, a sport spectator comments not before, not after reading or understanding. he comments only...

understanding "rutkowska-matasano thing" is out of question.

--t