Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sebek2 - A Kernel-based Data Capture Tool

Posted by michael on from the i-spy-with-my-little-eye dept.

LogError writes "Sebek is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

4 of 74 comments (clear)

  1. Great tool in the right hands by mpeg4codec · · Score: 4, Insightful

    This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.

    1. Re:Great tool in the right hands by moreati · · Score: 5, Insightful

      True, like anthing this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a siutable set of hooks in the running kernel so it can be loaded as a module.

      Thus the impact of malicuous use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some varient of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.

      In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.

      Regards

      Alex

  2. Palladium can fix this. by Anonymous Coward · · Score: 1, Insightful
    As much as we like to complain about trusted computing initiatives; I think palladium can help.

    If I remember right, one component dealt with keycodes being replaced with encrypted and digitally signed packets that could only be decoded by the process authenticated by the palladium hardware.

    Any spyware, even in the kernel couldn't get the key to decrypt these packets.

    If this is right, and if anyone remembers the details, please help fill me in. No doubt, dozens or hundreds will correct me if I'm wrong. :-)

  3. Plonked off the high horse by poptones · · Score: 2, Insightful
    There are nearly 3/4 of a million registered users of slashdot. Like it or not, cowboy, this isn't a site that caters exclusively to those "already in the know." It's an advocacy site as much as anything, and the readers here are going to come from thousands of difference backgrounds and have thousands of different viewpoints.

    this article is interesting. I'm not an admin of a corporate wan and there's only so much damage that can be done to a home network, so my interest is not sufficient to compel me to "search for it" anymore than my interest in particle physics would drive me to "search for" the latest technical papers on particel accelerators.

    If this offends your l33t sensibilities then you need a thorough ass kicking by RMS and JP Barlow to remind you of why sites like slashdot even exist.