Rootkits: Subverting the Windows Kernel

← Back to Stories (view on slashdot.org)

Rootkits: Subverting the Windows Kernel

Posted by ryuzaki0 on Tuesday August 16, 2005 @06:20AM from the only-for-bad-people dept.

nazarijo (Jose Nazario) writes "A group of people out there, let's call them 'elite hacker d00ds,' are able to skillfully craft Windows rootkits that evade almost any known detection system. Some people want to know how this is done, be they aspiring elite hackers, security professionals who have to try and find these rootkits, or just interested parties. If you're one of them, Grog Hoglund and James Butler's new book, Rootkits: Subverting the Windows Kernel is for you. It's focused like a laser on how to defeat detection at various levels in the Windows OS once you're in." Read on for the rest of Nazario's review. Rootkits: Subverting the Windows Kernel author Grog Hoglund and James Butler pages 352 publisher Addison-Wesley Longman rating 9 reviewer Jose Nazario ISBN 0321294319 summary A highly technical tour of how to develop and detect Windows rootkits

Some may wonder if Hoglund and Butler are being irresponsible by writing a book that shows you how to bypass detection. If you look closely, however, you'll see that all of the methods they outline are detectable by current rootkit revealing mechanisms. And they also show you how to detect many new rootkits in the process. I consider this book to be a responsible contribution to the community, professionals and amateurs alike, in the finest tradition full disclosure.

The book is organized into three major sections, even if it's note explicitly marked as such. The first section serves as an introduction to the topic and some of the high level concepts you'll need to know about Windows, control mechanisms, and where you can introduce your code. The second part is a highly technical tour of the techniques used to hook your rootkit in and hide it, And the third section is really one chapter covering detection of rootkits.

The first few chapters, which serve to introduce the topic, get technical right away. Chapter 2, for example, shows you some basic mechanisms for hooking in your rootkit. If you're getting lost at this point, you'll want to probably augment your reading with a Win32 internals book. The resources listed by the authors, though, are great. By this point you can also see that the writing is clear and the examples contribute perfectly to the topic. Hardware hooking basics are covered in chapter 3, which should give you some indication of the book's pace (quick!).

By the time you get to chapter 4 and discussing how to hook into both userland and the kernel, you're getting at some very valuable material. Although the book focuses on kernel hooking, a brief description of userland hooking is provided. Chapter 5 covers runtime patching, a black art that's not well known. This is almost worth the full price of admission, but the material gets even better.

In chapters 6-9 you get into some serious deep voodoo and dark arts. In these chapters you'll learn the basics of direct kernel object manipulation, layered device drivers (which can save you a lot of work), hardware manipulation, and network handling. All of these are techniques used by rootkit authors to varying degrees and effect, so you should become familiar with them. The code examples are clear and functional, and you'll learn enough to write a basic rootkit in only about 150 pages. Simple keyboard sniffers and covert channels are described in the code examples. Useful stuff.

I can't say I found many errors or nits in the book. There's some problems at times getting the code formatting just right, and what appear to be a few stray characters here and there, but nothing too obvious to me. Then again, I'm not a Windows kernel programmer, so I don't feel qualified to comment on the correctness of the code.

In the finest tradition of using a blog and dynamic website to assist your readers, the authors have set up rootkit.com, which nicely supplements their book. Most of the resources they mention in the book are available here, as well as a great array of contributors and evolving techniques. Without the book the site is still useful, but together they're a great combination. Too many books lose their value once you read them, and some books stay with you because you're having difficulty understanding the authors. Rootkits will stay near you while you develop your skills because it's a lot of material in a small space, and although it's very clearly written, there is a deep amount of material to digest. You'll be working with this one for a while.

My only major wish for this book is for it to have covered detection more significantly. One chapter covers how to detect rootkits, and although you may be able to look for some specific telltale signs of rootkits depending on how they were introduced, a more complete coverage of this approach would have made the book even more worthwhile.

Rootkits is an invaluable contribution in the wider understanding of advanced attack and hacker techniques. Previously, much of this material was known to only a handful of people, and assembling your own knowledge base was difficult. Hoglund and Butler write clearly, use great code examples, and deliver an excellent book on a high technical and specialized topic. If you're interested in learning how to write your own rootkit or detect someone else's rootkit on your system, you should definitely start with this book.

You can purchase Rootkits: Subverting the Windows Kernel from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

381 comments

Min score:

Reason:

Sort:

It is an interesting book by confusion · 2005-08-16 06:24 · Score: 3, Interesting

Hopefully the hax0rs are not the only ones reading this. There are some valuable lessons for MS and security providers.

Jerry
http://www.cyvin.org/
1. Re:It is an interesting book by Iriel · 2005-08-16 06:28 · Score: 1
  
  So how many years do you think it will be until Microsoft cares about it? ;) </toungeincheek)
  
  --
  Perfecting Discordia
  www.stevenvansickle.com
2. Re:It is an interesting book by ryanr · 2005-08-16 06:45 · Score: 3, Insightful
  
  What do you think Microsoft is going to do about it? If someone has system access there isn't anything to be done about them moving in with a rootkit.
  
  Oh wait, did you mean you want Palladium? Microsoft is way ahead of you, then.
3. Re:It is an interesting book by Miriku+chan · 2005-08-16 08:40 · Score: 1
  
  rtfa please
  
  the new rootkits not only do not modify files on disk, they no longer modify dynamic libraries and only a tiny stub is present in memory. the whole rootkit is hidden in fake virtual memory
  
  these holes are quite serious and make detecting them near impossible.
  
  --
  shaolin punk, activist post-industrial
4. Re:It is an interesting book by ryanr · 2005-08-16 08:47 · Score: 1
  
  Perhaps you should do a little reading on what Palladium is.
5. Re:It is an interesting book by Ambient+Sheep · 2005-08-16 09:00 · Score: 1
  
  It's a thought, isn't it? Publicise how to make rootkits, until we're all drowning in them a few years down the line, then sell us all Palladium as a fix, with all the DRM/privacy implications as "a necessary inconvenience".
6. Re:It is an interesting book by Anonymous Coward · 2005-08-16 10:29 · Score: 0
  
  Palladium is now called NGSCB.
7. Re:It is an interesting book by Fyre2012 · 2005-08-16 11:05 · Score: 0
  for those wondering "wtf is Palladium?"
  from epic.org
  
  Introduction
  In June 2002, Microsoft released information regarding its new "Palladium" initiative. Palladium is a system that combines software and hardware controls to create a "trusted" computing platform. In doing so, it would establish an unprecedented level of control over users and their computers.
  
  Palladium could place Microsoft as the gatekeeper of identification and authentication. Additionally, systems embedded in both software and hardware would control access to content, thereby creating ubiquitous Digital Rights Management schemes that can track users and control use of media. Microsoft expects to have elements of the system in place by 2004.
  
  Professor Ross Anderson has written an extensive FAQ on the Palladium system. Seth Schoen of EFF has published a detailed summary of a meeting about Palladium.
  
  Known Elements of the Palladium System
  
  The system purports to stop viruses by preventing the running of malicious programs.
  
  The system will store personal data within an encrypted folder.
  
  The system will depend on hardware that has either a digital signature or a tracking number.
  
  The system will filter spam.
  
  The system has a personal information sharing agent called "My Man."
  
  The system will incorporate Digital Rights Management technologies for media files of all types (music, documents, e-mail communications). Additionally, the system purports to transmit data within the computer via encrypted paths.
  --
  This is not the greatest .sig in the world, no. This is just a tribute.
8. Re:It is an interesting book by vsprintf · 2005-08-16 11:09 · Score: 1
  
  Palladium is now called NGSCB.
  
  Hmm. Impossible to pronounce - probably an attempt at security through obfuscation. Or maybe they found out they couldn't trademark "palladium" . . . no, wait, a company that can trademark "windows" could trademark anything. Okay, it's Microsoft, they're obviously up to no good. :)
9. Re:It is an interesting book by Anonymous Coward · 2005-08-16 11:32 · Score: 0
  
  The Palladium/NGSCB project was canceled and the team dismantled a while back.
10. Re:It is an interesting book by vsprintf · 2005-08-16 11:54 · Score: 1
  
  The Palladium/NGSCB project was canceled and the team dismantled a while back.
  
  Whoa! Now, suddenly it's total denial. There was even a grisly dismantling of the people involved. Obviously a stealth project. Could it get any worse? :)
11. Re:It is an interesting book by ryanr · 2005-08-16 12:06 · Score: 1
  
  Indeed. The technical and security capabilities behind something like Palladium are quite atractive. Rootkits are an excellent example of why. It's the loss of control over your own machine that has everyone freaked out, myself included.
12. Re:It is an interesting book by ryanr · 2005-08-16 12:24 · Score: 1
  
  Indeed you are correct. It was already called the "Next Generation Secure Computing Base" when I went up to interview for a job working on it. :) I find that more people know the term Palladium, though. Another (presumbaly different?) AC pointed out that it has been "cancelled". I believe that it was cancelled as it was previously constituted. The general project isn't dead at Microsoft, though.
13. Re:It is an interesting book by rodgster · 2005-08-16 12:27 · Score: 1
  
  I think I saw something like this a while back.
  
  launching from the notify (basically shell, even present at safe mode command prompt). Randomly renamed and recreated on shutdown & reboot.
  
  files didn't exist while running.
  
  some kinda of api hijack as a file (tcptrace.exe, iirc) wasn't viewable (dir, attrib, etc). Some kind of ADS (alternative data stream) thus wouldn't service pack?
  
  I'd never seen anything like it before. Nasty.
  
  --
  Who will guard the guards?
14. Re:It is an interesting book by Beryllium+Sphere(tm) · 2005-08-16 17:46 · Score: 1
  
  >If someone has system access there isn't anything to be done about them moving in with a rootkit.
  
  Unless the system has mandatory access control, or any other alternative to the common but foolish design in which {root|Administrator} can do absolutely anything. One of the first papers about Unix mentioned that the root account was a security problem and that was in the 70's.
  
  There are some SELinux machines on the net with their root passwords posted. They stay up somehow.
15. Re:It is an interesting book by ryanr · 2005-08-16 18:04 · Score: 1
  
  I didn't say "root", I said system. As in sufficient access to control the access control mechanisms. For example, a kernel bug.
My opinion by Umbral+Blot · 2005-08-16 06:25 · Score: 5, Interesting

I own this book and I thought it was great. I am not a rootkit creator, but I am woking with drivers, and the information this book gives is great for a driver developer. This book is very straight forward and understandable, even for someone with little driver experiance, unlike many resources for driver developers. Also it gives actual source code to illustrate concepts, unlike many books which spend too much time covering concepts and too little getting those concepts to do actual work for you.

--

Philosophy.
1. Re:My opinion by sean23007 · 2005-08-16 07:54 · Score: 4, Insightful
  
  I think the fact that a book about rootkits is considered good documentation by a driver developer is demonstrative of the sorry state of affairs of drivers these days. Most exploits and crashes are due to bugs in drivers ... perhaps it wouldn't be so bad if driver developers didn't have to code their driver as if it were hijacking the OS.
  
  (No offense to the parent post, of course. I'd like better driver documentation too.)
  
  --
  
  Lack of eloquence does not denote lack of intelligence, though they often coincide.
2. Re:My opinion by mcrbids · 2005-08-16 15:40 · Score: 1
  
  Most exploits and crashes are due to bugs in drivers ... perhaps it wouldn't be so bad if driver developers didn't have to code their driver as if it were hijacking the OS.
  
  Except that they have to.
  
  It'd be nice if a Transportation engineer didn't have to build the roads and tracks as if people's lives depended on it - but they do. Case closed.
  
  Software runs on hardware. The purpose of the Operating System is to abstract the hardware from the software programs. Drivers are the key to making the Operating System work with large amounts of hardware. Thus, drivers can (and do) affect critical aspects of timing, order of operations, and resource sharing, and so belong at the very core of the Operating System, in the (ahem) kernel.
  
  Perhaps, instead of building safe roads with well-placed lights, we should just wrap all our cars with 25 feet thick layers of bubble wrap?
  
  Then those transportation engineers wouldn't have to build those roads as if lives depended on it! Wouldn't that be worth it??!?
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
3. Re:My opinion by sean23007 · 2005-08-17 01:17 · Score: 1
  
  That's pretty spurious. First, I didn't imply that stable drivers weren't important to the overall stability of the system. In fact, I believe that was one of my core premises.
  
  Second, what I was actually talking about was not that drivers should be removed from the kernel or made (somehow) so that they cannot affect the system's stability. I was saying that there is very little to absolutely no documentation on how to write a good, stable device driver. So people who wish to write one have to use books like this, and the techniques in it, which are designed not for stable device drivers, but for exploiting bugs in the operating system and executing possibly malicious code. Clearly, it is not an optimal situation for drivers.
  
  And third, the current device driver situation, when applied to your transportation engineer metaphor, is more like: the transportation engineers aren't allowed to learn how to build a road except by studying the machines meant to destroy roads, and they absolutely won't communicate with other transportation engineers to pass on the trade. Wouldn't it be nice if transportation engineers tried to improve the quality of their roads and communicated with each other so that roads don't randomly intersect without stoplights or proper merging lanes? What, they already do that? Well, why can't device driver developers do the same thing? Wouldn't that be worth it??!?
  
  --
  
  Lack of eloquence does not denote lack of intelligence, though they often coincide.
4. Re:My opinion by slapout · 2005-08-17 04:54 · Score: 1
  
  I understand what you mean. Most of the documentation on device drivers either has too little sample code (ie, it won't compile without a lot of other stuff) or they try to implement a dozen things and make the code way too confusing!
  
  --
  Coder's Stone: The programming language quick ref for iPad
I wonder... by squoozer · 2005-08-16 06:25 · Score: 2, Insightful

...how long it will be beofre someone tries to ban books like this?

--
I used to have a better sig but it broke.
1. Re:I wonder... by varmittang · 2005-08-16 06:35 · Score: 1, Troll
  
  I don't know, how long do you think it will take to reach Hillary Clinton.
  
  --
  -----BEGIN PGP SIGNATURE-----
  12345
  -----END PGP SIGNATURE-----
2. Re:I wonder... by TripMaster+Monkey · 2005-08-16 06:38 · Score: 3, Funny
  
  If hacker knowledge is outlawed, only outlaws will have hacker knowledge.
  
  --
  ____
  ~ |rip/\/\aster /\/\onkey
3. Re:I wonder... by ndansmith · 2005-08-16 06:47 · Score: 2, Interesting
  
  If they are not banned outright, don't be suprised if your FBI file is augmented when you check this book out from the library.
4. Re:I wonder... by Anonymous Coward · 2005-08-16 06:51 · Score: 0
  
  Yeah didn't the patriot act include getting library records about what books you check out?
5. Re:I wonder... by computational+super · 2005-08-16 06:53 · Score: 1
  
  Hehe - the first thing I thought when I read the review was, "I wonder if I can buy it at Barnes & Noble... with cash?"
  
  --
  Proud neuron in the Slashdot hivemind since 2002.
6. Re:I wonder... by meringuoid · 2005-08-16 06:54 · Score: 1
  
  ...how long it will be beofre someone tries to ban books like this?
  How long does it take to say 'terrorists'?
  That, plus about thirty seconds.
  
  --
  Real Daleks don't climb stairs - they level the building.
7. Re:I wonder... by failure-man · 2005-08-16 07:02 · Score: 4, Funny
  
  Cash is suspicious. Use a gift card that you bought with cash at a different store. And use a disguise. Nothing's less suspicious than a guy in a trenchcoat buying a book with blackhat potential with a gift card . . . . . . .
8. Re:I wonder... by Anonymous Coward · 2005-08-16 07:38 · Score: 0
  
  they can have my outlaw hacker when they pry his crushed throat from my dead cold hands
9. Re:I wonder... by lgw · 2005-08-16 08:03 · Score: 1
  
  I bought a cryptography-related math textbook through Amazon, and a week later got a spam mail from them: "Since you're interested in hacking, you might like these other hacking books, you hacker." Cash would seem called for in this case.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
10. Re:I wonder... by squoozer · 2005-08-16 08:05 · Score: 1
  
  Man that's deep.
  
  It's not so much the knowledge that would be outlawed so much as telling people. It's not much of a stretch of the imagination to see how the DMCA could cover this type of work. IANAL so maybe I am missing somthing that would prevent it's application in this case - I don't think so though..
  
  --
  I used to have a better sig but it broke.
11. Re:I wonder... by lgw · 2005-08-16 08:06 · Score: 1
  You don't even need to invoke terrorism. You're already a hacker. Any of the Four Horsemen of the Internet Apocalypse will do:
  
  Drug dealers
  Terrorists
  Hackers
  Child pornographers
  Mention of any of those four groups works equally well for passing whatever law is needed next. It's not worth getting too concerned about, however - hot-buttons are nothing new in America or in representative government in general, and we've done OK so far.
  --
  Socialism: a lie told by totalitarians and believed by fools.
12. Re:I wonder... by l3v1 · 2005-08-16 08:29 · Score: 1
  
  If hacker knowledge is outlawed
  
  ...everybody who seeks knowledge will be outlawed.
  
  --
  I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
13. Re:I wonder... by Anonymous Coward · 2005-08-16 08:44 · Score: 0
  
  Hey, at least Amazon dosen't think you're a lesbian Eskimo who listens to emo rock. I still haven't figured that one out.
14. Re:I wonder... by Anonymous Coward · 2005-08-16 08:54 · Score: 0
  
  If guns are outlawed, only outlaws will have guns.
  
  Amazing how the same principle applies to different aspects of protection.
15. Re:I wonder... by varmittang · 2005-08-16 09:07 · Score: 1
  
  Ouch, I went from Funny to Troll. Sorry, I forgot my "=)".
  
  --
  -----BEGIN PGP SIGNATURE-----
  12345
  -----END PGP SIGNATURE-----
16. Re:I wonder... by jack_csk · 2005-08-16 14:06 · Score: 1
  
  It is hard to let people know that you are interested in computer security / fine-tuning. I'm not sure since when did people start putting equal sign between computer security studies and hacking(as in intrusion), even what you focus on is system-hardening or forensic.
17. Re:I wonder... by Anonymous Coward · 2005-08-16 16:44 · Score: 0
  
  If hacker knowledge is outlawed, only outlaws will have hacker knowledge.
  The NRA wants to talk to you.
Obligatory spelling/capitalization gripe by Anonymous Coward · 2005-08-16 06:26 · Score: 0

Okay, so after glancing at the first two paragraphs, I had immediately caught three typos/spelling errors/capitalization problems. ARGH.
1. Re:Obligatory spelling/capitalization gripe by SlayerofGods · 2005-08-16 06:30 · Score: 4, Funny
  
  Yah I saw them too. Everyone knows it's not 'elite hacker' but rather 'l33t hax0r'
  Damn editors.
  
  --
  
  Technology, the cause of and solution to all of life's problems.
2. Re:Obligatory spelling/capitalization gripe by anandamide · 2005-08-16 06:43 · Score: 5, Funny
  
  Okay, so after glancing at the first two paragraphs, I had immediately caught three typos/spelling errors/capitalization problems. ARGH.
  
  Sorry, that's spelled 'ARGV'.
3. Re:Obligatory spelling/capitalization gripe by Chosen+Reject · 2005-08-16 06:51 · Score: 1, Informative
  
  security professionals who have to try and find these rootkits
  This one bothers me. How does one go about just trying without trying anything in specific. It's like humming with your mouth open!
  It's "try to find".
  
  --
  Stop Global Warming!
  Just say no to irreversible processes!
4. Re:Obligatory spelling/capitalization gripe by Stanistani · 2005-08-16 07:16 · Score: 1, Funny
  
  >Well woop the freakin' doo.
  
  That's "whoop de"...
  
  *slides under rug*
  
  --
  You can't talk about Wikipedia's flaws on Wikipedia
5. Re:Obligatory spelling/capitalization gripe by skiman1979 · 2005-08-16 08:21 · Score: 1
  
  It's like humming with your mouth open!
  You mean you can't hum with your mouth open? If you open your mouth and close off your throat, you get the same sound effect. At least I do. Yes, I have too much free time on my hands haha!
  
  --
  Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
6. Re:Obligatory spelling/capitalization gripe by linuxfanatic1024 · 2005-08-16 08:53 · Score: 1
  
  Isn't it 1337 h4X0r?
  
  --
  Microsoft-free since March 28, 2004
7. Re:Obligatory spelling/capitalization gripe by Inthewire · 2005-08-18 14:22 · Score: 0
  
  Some fucker I share a parking garage with has the license plate "H4XOR"
  
  --
  
  Writers imply. Readers infer.
Re:31337 by Rosco+P.+Coltrane · 2005-08-16 06:26 · Score: 0, Troll

Duh... You can't make a book about, say, subverting the NetBSD kernel. You have to have something to write to make a book you know.

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
rootkits... by ph4te · 2005-08-16 06:27 · Score: 0

All natural bandaids!

--
OMG SOEMOEN SI H4X0RING MAI B0X3N!1!
Rootkit Sleuthing IRL by chota · 2005-08-16 06:28 · Score: 5, Informative

Here's a story of some peeps from Microsoft Product Support Services who got a call about a weird crash in Exchange; tracked it down with the debugger, and found a pretty well-hidden rootkit. In fact, it would've remained hidden if it didn't have a bug in it!

Don't believe everything the debugger is telling you!!! (aka Rootkit)
1. Re:Rootkit Sleuthing IRL by ndykman · 2005-08-16 06:57 · Score: 1
  
  Great link. Pretty impressive work to solve an Exchange crash, and it's a good example of how to use kernel/user debuggers to solve complex crashes. I'd like to hear more stories like that one. You could learn a lot.
  
  It just goes to show, you never can really tell what's really going on without some real effort.
2. Re:Rootkit Sleuthing IRL by Monstard · 2005-08-16 07:09 · Score: 2, Interesting
  
  Wow, I read up on rootkits. Amazing. And hacker defender reads like a manifesto on hacking PCs.
  
  As I Mac user I keep hearing about how much more secure Macs are than PC's, and sort of believe that. But in reality, what is the true security of a Mac vs. a PC? I mean, I *want* to believe I have the more secure system, but complacency is the surest way to hack a system. So, anybody know the real deal.
  
  If a Mac hacker was as motivated as any PC hacker, could a rootkit like hacker defender be installed just as easily on a Mac?
3. Re:Rootkit Sleuthing IRL by Anonymous Coward · 2005-08-16 07:35 · Score: 0
  
  Microsoft Product Support Services tracked down a bug? WTF?
4. Re:Rootkit Sleuthing IRL by Anonymous Coward · 2005-08-16 07:48 · Score: 0
  
  Microsoft Product Support Services tracked down a bug? WTF?
  
  It was a bug in someone else's code. Support services are expert at pointing the finger (you choose which one).
5. Re:Rootkit Sleuthing IRL by Tony+Hoyle · 2005-08-16 07:53 · Score: 1
  
  What's kinda funny I went to the hacker defender website (they don't exactly hide themselves) and there's a big advert for this book!
We've got to stop them! by The+Woodworker · 2005-08-16 06:28 · Score: 3, Funny

DMCA...no, that won't work. How about PATRIOT ACT! Yeah, those damn terrorists and their first amendment.

--
Give a man a fish and he'll eat for a day. Teach him to fish and he'll wipe out the species.
1. Re:We've got to stop them! by Anonymous Coward · 2005-08-16 06:36 · Score: 1, Insightful
  
  Nah, the Patriot Act by itself won't work. I know, let's bri^h^h^hlobby congress to revive the CBDTPA, and let's have them call it something else so the sheeple won't know any difference. When we get that, we wil use it along with the patriot act to exe^h^h^hhunt down those tourists.
  
  Sincerely
  
  George W. Bush
  President of Hali^h^h^h^h The United States of America
  
  Richard Cheney
  Vice President of Hali^h^h^h^h The United States of America
  
  Bill Ga^h^h^h^h^h^h^h
2. Re:We've got to stop them! by xmorg · 2005-08-16 06:59 · Score: 1
  
  I agree with The Woodworker. These are terrorists, and need to go to Guantanimo. You can hit them with DMCA and Patriot act charges.
3. Re:We've got to stop them! by Nutria · 2005-08-16 07:50 · Score: 1
  
  These are terrorists, and need to go to Guantanimo. You can hit them with DMCA and Patriot act charges.
  
  Pull your head out of Michael Moore's ass, stop jerking off to www.moveon.org, and give evidence that people violating the PATRIOT Act are being sent to Guantanamo.
  
  I'll just presume that you tossed the DMCA reference because you were trying to be /. hip.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
4. Re:We've got to stop them! by Anonymous Coward · 2005-08-16 08:22 · Score: 0
  
  the ^h / ^w 'joke' is seriously fucking lame.
5. Re:We've got to stop them! by Anonymous Coward · 2005-08-16 09:11 · Score: 0
  
  stfu fascist
6. Re:We've got to stop them! by tivoKlr · 2005-08-16 09:34 · Score: 1
  
  Yeah, I'm sick of those pesky tourists too. Maybe we should legislate them out of existance...
  Ha.
  
  --
  Ocean is land, covered with water.
7. Re:We've got to stop them! by Nutria · 2005-08-16 10:40 · Score: 1
  
  stfu fascist
  
  Wow, that's the most cogent response I've ever read on /.
  
  Too bad you're a chicken sh*t AC.
  
  --
  "I don't know, therefore Aliens" Wafflebox1
easy stuff by Anonymous Coward · 2005-08-16 06:28 · Score: 0

making windows rootkits is almost as easy as making linux rootkits, almost.
Don't tell girls you're going to root their box by Anonymous Coward · 2005-08-16 06:28 · Score: 5, Funny

I was chatting up this chick in a bar last night and I said, "Yeah, I could root your box in about five seconds," and she slapped me! I thought that would impress the chixxors!
1. Re:Don't tell girls you're going to root their box by game+kid · 2005-08-16 07:14 · Score: 1
  
  You should have specified a more reasonable timeout period.
  
  Like, about four minutes. ;)
  
  --
  You can hold down the "B" button for continuous firing.
2. Re:Don't tell girls you're going to root their box by Anonymous Coward · 2005-08-16 07:40 · Score: 0
  
  You should have lied and told her you'd spend at least 5 minutes rooting her.
3. Re:Don't tell girls you're going to root their box by Bill+Dog · 2005-08-16 08:24 · Score: 1
  
  "Yeah, I could root your box in about five seconds," and she slapped me!
  
  (I apologize in advance for this.)
  
  It could have been worse, you could've gotten the Blue Scream of Death.
  
  --
  Attention zealots and haters: 00100 00100
4. Re:Don't tell girls you're going to root their box by GPLDAN · 2005-08-16 09:21 · Score: 3, Funny
  
  I used to have a machine which had the DNS name "fishysmell". When people asked me why I called it that, I told them "because it's a box."
  
  Ah.... nevermind....
5. Re:Don't tell girls you're going to root their box by Anonymous Coward · 2005-08-16 09:56 · Score: 0
  
  My Personal Favorite.
  
  "I rooted your girlfriends box, and didn't use a trojan."
  
  Hope I didn't screw that up. Forgot where I got it from. Probably thinkgeek.com
6. Re:Don't tell girls you're going to root their box by Jonti · 2005-08-16 19:03 · Score: 1
  
  I was chatting up this chick in a bar last night and I said, "Yeah, I could root your box in about five seconds ... "
  That's what you get for being so damn selfish.
  If you'd mentioned you could keep going for an hour or two, she might have been more interested.
hmm.. by Anonymous Coward · 2005-08-16 06:28 · Score: 0

So that's why I get all these blue screens of death... I must have a root kit installed on my machine.. oh wait..
Hmmmm by chriso11 · 2005-08-16 06:29 · Score: 2, Funny

I keep thinking I need this book just to secure my own PCs and also help out friends...

You have to love the windows environment.

--
No, I don't trust in god. He'll have to pay up front, like everybody else.
Although good for security experts, by Tolkien · 2005-08-16 06:29 · Score: 0, Flamebait

I'll bet /. anything that this book is going to start churning out script kiddies.

--
how is babby formed?
1. Re:Although good for security experts, by g0bshiTe · 2005-08-16 06:53 · Score: 2, Interesting
  
  I doubt it would do them much good, I suppose you would have to have more technical knowledge than the average script kiddie to make effective use of this title.
  
  Not to mention know how to read.
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
2. Re:Although good for security experts, by tiptone · 2005-08-16 08:10 · Score: 1
  
  Doubt it, script kiddies are just that, kiddies running scripts that someone else wrote. The info in this book would go right over the heads 99.99999% of the script kiddies on the planet.
  
  --
  Please don't read my sig.
I need this by SLASHAttitude · 2005-08-16 06:30 · Score: 1

This is something I have been interested in for some time. I can not wait to get this book and give it a once over.
Subversion enough? by gmac63 · 2005-08-16 06:30 · Score: 1

I though merely installing Windows was subversion enough. Am I wrong?

-Security d00d

--

INSERT INTO comment VALUE('Doh!') WHERE user='you';
1. Re:Subversion enough? by Anonymous Coward · 2005-08-16 08:37 · Score: 0
  
  yes, lol!!!! ROFLCOPTER!!!!
2. Re:Subversion enough? by Anonymous Coward · 2005-08-16 10:20 · Score: 0
  
  I though merely installing Windows was subversion enough. Am I wrong?
  
  Yes. You're also an idiot Slashbot who failed to score some cheat karma by blasting MS for the nth time.
Re:Great! (not) by Anonymous Coward · 2005-08-16 06:31 · Score: 2, Insightful

It is nice to see that you took the time to post a knee-jerk response, but could not be bothered to read the first paragraph of the article.

Some may wonder if Hoglund and Butler are being irresponsible by writing a book that shows you how to bypass detection. If you look closely, however, you'll see that all of the methods they outline are detectable by current rootkit revealing mechanisms. And they also show you how to detect many new rootkits in the process. I consider this book to be a responsible contribution to the community, professionals and amateurs alike, in the finest tradition full disclosure.
The great thing about this book by Rosco+P.+Coltrane · 2005-08-16 06:31 · Score: 1

It's also a useful tool for advocates who try to convince people to switch from Windows to another OS (no, not just Linux), the argument being "look, you wonder if Windows is insecure? how about a whole friggin book, with an ISBN and all, about how to do nasty things in Windows despite A/V software and anti-spywares!"

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
1. Re:The great thing about this book by defile · 2005-08-16 06:37 · Score: 3, Insightful
  
  It's also a useful tool for advocates who try to convince people to switch from Windows to another OS (no, not just Linux), the argument being "look, you wonder if Windows is insecure? how about a whole friggin book, with an ISBN and all, about how to do nasty things in Windows despite A/V software and anti-spywares!"
  
  Which OS were you talking about? I could swear the ones you might name have hacking books written about them too.
2. Re:The great thing about this book by dioscaido · 2005-08-16 06:52 · Score: 1
  
  Yeah, thank god it is so much more difficult to write root kits of unix/linux/osx!!LOL!1!one! :)
3. Re:The great thing about this book by LurkerXXX · 2005-08-16 07:00 · Score: 3, Insightful
  
  Yeah, it'd be terrible to use an OS with rootkits available for it.
  Instead of windows they could switch to Linux or a *BSD or MacOS.
  Oh wait, almost all OS's out there right now have rootkits for them.
4. Re:The great thing about this book by Cheapy · 2005-08-16 07:06 · Score: 1
  
  You seem to forget that rootkits were originally a Unix thing. You know, a kit that would replace 'netstat', 'w', and other commands with modified versions so the regular users wouldn't notice any illegal activity.
  
  --
  Would you kindly mod me +1 insightful?
5. Re:The great thing about this book by Flossymike · 2005-08-16 08:12 · Score: 1
  
  So that would be the gnu/HURD ... I joke because I love :-)
  
  Ok, a quick google and I even came across a discussion on the possibility of it.
6. Re:The great thing about this book by Anonymous Coward · 2005-08-16 08:26 · Score: 0
  
  Good old OS/2.... It got left out. No wonder why I still use OS/2.
  
  Nathan
7. Re:The great thing about this book by Caligari · 2005-08-16 08:37 · Score: 1
  
  Maybe an operating system such as OpenBSD which the reviewer has his written his own book about.
  
  --
  The moving cursor writes, and having written, blinks on.
Does this still work? by meditation_dude · 2005-08-16 06:35 · Score: 2, Informative

I remember people had Linux boot disks for changing the Windows NT admin password. But does this kind of thing still work for Windows XP and the server editions? I wonder if Microsoft will take this info and use it in Windows Vista to counteract rooting.
1. Re:Does this still work? by TripMaster+Monkey · 2005-08-16 06:43 · Score: 3, Funny
  
  But does this kind of thing still work for Windows XP and the server editions?
  
  Short answer: yes.
  Long answer: hell yes.
  
  There is no such thing as security if you have physical access to the box. Period.
  
  --
  ____
  ~ |rip/\/\aster /\/\onkey
2. Re:Does this still work? by pandrijeczko · 2005-08-16 06:52 · Score: 1
  
  Using a Linux boot disk means you can forget about the NT admin password anyway - just mount the Windows NTFS partition onto the Linux filesystem and you can take off any information you want...
  Incidentally, you can do this with just about OS, even another Linux box - it's the fact that Linux can recognise just about any partition type there is (with the correct kernel/modules in place) that makes this work.
  
  --
  Gentoo Linux - another day, another USE flag.
3. Re:Does this still work? by morgan_greywolf · 2005-08-16 06:56 · Score: 2
  
  There is no such thing as security if you have physical access to the box. Period. Exactly. You could boot from alternate media, swap hard drives, or heck, you could even just put the system hard drive(s) in your pocket. That's why locking down desktops is basically pointless for anyone that knows what they're doing.
  
  --
  My blog
4. Re:Does this still work? by Anonymous Coward · 2005-08-16 06:58 · Score: 0
  
  Windows doesn't have much to say about security before it has started. Even Linux, etc. are vulernable to this sort of attack.
  
  You can lock these things out by disabling booting from anything but the hard drive in BIOS and password protecting it. (at least for Windows, iirc you can just add parameters at the bootloader prompt to get into linux)
  
  Of course if an attacker can open up the machine and reset BIOS, they pretty much physically "own" it to begin with.
5. Re:Does this still work? by emidln · 2005-08-16 07:08 · Score: 1
  
  ahem, *cough*, encryption, *cough*
  
  This is why on systems that demand physical security in an insecure location we use loopback encryption. Welcome to 1999!
6. Re:Does this still work? by Grantmillie · 2005-08-16 07:11 · Score: 2, Informative
  
  One thing I just recently learned when trying to recover files from a bad boot sector drive along the same lines is Windows security for protecting profile specific data (my documents etc.) can just as easily be hacked using nothing more than windows. All you have to do is load the drive on another windows machine, when you try to view the files and you get an "access denied" message, merely go through the advanced security settings on the folder and there is the option to apply your own security settings directly over the old ones. Bam, easy access.
7. Re:Does this still work? by RetroGeek · 2005-08-16 07:14 · Score: 3, Insightful
  
  There is no such thing as security if you have physical access to the box. Period.
  
  Which is why you need disk encryptors. The entire disk is encrypted. Go ahead, access it outside the OS environment. All you get is random bits.
  
  Yes, you can try to brute force the password, but that takes many, many CPU cycles, and much time.
  
  Google it
  
  --
  
  - - - - - - - - - - -
  I am a programmer. I am paid to produce syntax not grammar. Deal with it.
8. Re:Does this still work? by SharpFang · 2005-08-16 07:20 · Score: 3, Funny
  
  You can always booby-trap the case.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
9. Re:Does this still work? by gardyloo · 2005-08-16 07:44 · Score: 1
  
  You can always booby-trap the case.
  
  *Boingooingooingo!* Boobs!
  
  No, that's just going to increase the attacks.
10. Re:Does this still work? by Tony+Hoyle · 2005-08-16 07:56 · Score: 1
  
  And also (slightly OT) why DRM won't work.
11. Re:Does this still work? by fbjon · 2005-08-16 08:14 · Score: 1
  
  My old high school did this. On machines with Windows 95 or 98, too little ram for anything, Quantum Bigfoot drives (slooow), and the encryption was hardware based. On ISA cards. You can imagine the swapping, when a 16mb Windows runs out of memory.
  The reason, of course, was that some people *ahem* had been taking the liberty to bring in their own hard drives to put in the computer, in order to use the (then) fat pipe at school to download all kinds of not-safe-for-anywhere stuff, in addition to other interesting things (keylogging peoples passwords, changing their course registrations to fit more noble needs (chicks and or good teachers), generally wreaking teen havoc).
  The disk encryption was an effort to weed out the jungle that it was back then :)
  
  --
  True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
12. Re:Does this still work? by amliebsch · 2005-08-16 08:17 · Score: 1
  
  You can do the exact same thing in pratically any other OS. Yes! Even Linux! Permissions are only as secure as the environment is willing to respect them. Next time, you might want to enable Windows data encryption. Lose the key and you'll NEVER recover those files.
  
  --
  If you don't know where you are going, you will wind up somewhere else.
13. Re:Does this still work? by lgw · 2005-08-16 08:30 · Score: 2, Insightful
  
  Encryption on disk helps, but like any security measure, it merely delays the attacker. Unless you do file-by-file encryption without any help from the system in storing the keys, of course, but that's not the normal case (and these days any key you can memorize is weak).
  
  Beyond that special case, NOTHING is safe vs an in-circuit emulator. If the machine can access those files, the key is in memory at some point. If I can't give myself rights to debug that point, I'll replace the CPU with a hardware emulator that lets me have my way with *everything* without any running process being the wiser. (ICEs are actually very cool to work with, great for recovering source from encrypted object code and other fun tricks.)
  
  Physical access to a machine is access to the data, sooner or later.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
14. Re:Does this still work? by ErikTheRed · 2005-08-16 08:31 · Score: 1
  
  Almost every OS / filesystem has this problem (need to recover / replace your linux root password? boot off a CD and mount the / filesysten, and read or edit /etc/passwd or /etc/shadow).
  
  You can get around this problem in Windows by encrypting files for a specific user - this is built into NTFS. As far as I know, this is only good for user-level security (no groups), and if you force-change the user's password all files encrypted for that user are lost.
  
  Even with this, though, it pays to remember the old saw - "Boot access is root access". Good IT security always needs to remember physical security as well!
  
  --
  
  Help save the critically endangered Blue Iguana
15. Re:Does this still work? by ErikTheRed · 2005-08-16 08:35 · Score: 1
  
  Yes, they work nicely on 2K/XP/2K3 but many of them are no longer tested on NT4 and don't work properly (as I've found out the hard way) - yes some people still run that crap.
  
  --
  
  Help save the critically endangered Blue Iguana
16. Re:Does this still work? by Anonymous Coward · 2005-08-16 08:36 · Score: 0
  
  Or boot from your favorite livecd with NTFS (read-only) support and mount the NTFS partition. You will then be able to read any file you want. NTFS ACL's are not meant to secure the data, but control access to it when being accessed from inside of Windows.
  
  If you want to easily secure (with the intent being to keep the contents of the data from being understood) data on a Windows box, you should investigate using Encrypted File System (EFS). EFS allows you to encrypt on a per-file basis in a fairly secure manner. This encryption is done transparently to the logged in user (reads and writes to encrypted files require no user interaction). EFS will encrypt each file with a generated File Encryption Key (FEK) (default of 128-bit DESX on W2K and XP, AES on XPSP1+ and W2K3) which in turn is encrypted with the public key of public-private key pair. The encrypted FEK is stored in the encrypted file's header. The private key is stored inside the user's profile information (which, on XP+, is also encrypted by a hash of the user's password to prevent password reset attacks).
  
  The encrypted files can also have Data Recovery Agents defined, which are other designated users that can decrypt the files in case a user cannot remember their password (and therefore the contents of the file would be "lost forever"). These agents also have entries in the encrypted file's header for an encrypted FEK that is encrypted using their public key. For Windows 2000, an agent is required for EFS to function. By default, this is the local admin (without domain) or domain admin (with domain). For Windows XP, there is no default agent defined for computers that are not joined on a domain (and XP supports EFS with no recovery agent defined).
  
  In addition to this, there are some tools that can be used to further secure the data. The syskey utility can be used to encrypt the SAM database (that contains password information) using a passphrase-derived key entered on startup or a key from a floppy disk. There is also the cipher utility that has the ability to encrypt and decrypt files, and to completely wipe clean the deleted data on a volume (writes all zeros, then all ones, then random data - it takes considerable amount of time on any large disk).
  
  I hope some of this information you find useful. Please don't rely on ACL's to secure your data, as that is not the intention of ACL's. Insert standard "caveat emptor" statement here about there's nothing truly secure, but using these techniques you should be able to reasonably secure your data on your Windows volumes.
17. Re:Does this still work? by RetroGeek · 2005-08-16 08:42 · Score: 1
  
  If the machine can access those files, the key is in memory at some point.
  
  Yes, well, then you remove the key of course. See SecureDoc.
  
  --
  
  - - - - - - - - - - -
  I am a programmer. I am paid to produce syntax not grammar. Deal with it.
18. Re:Does this still work? by lgw · 2005-08-16 08:51 · Score: 1
  Like I said, it does help. But software-based encryption has its limits:
  
  Gain physical access
  Install rootkit
  Wait for you to use any software encryption product, no matter how good
  Access all your data with the key you just revealed
  ???
  Profit!
  
  There are pure-hardwareat-rest encryption systems that solve this problem, but they cost thousands and are still vulnerable to physical access if someone leaves the keycard in them.
  --
  Socialism: a lie told by totalitarians and believed by fools.
19. Re:Does this still work? by dmaxwell · 2005-08-16 09:14 · Score: 1
  
  Yes it does. I have used the Linux based NT password changing CD on Windows 2000 and XP Pro (various service packs). Barring a major change in how passwords are stored in the registry, it will work for some time to come. As a matter of fact, it will let you change any registry key if you know what you are looking for. I don't believe you can browse the registry in any friendly sort of way with it but you can rewrite any arbitrary key by name.
  
  I suppose an encrypted registry could break this but that is fraught with difficulties all it's own.
20. Re:Does this still work? by HermanAB · 2005-08-16 09:34 · Score: 1
  
  Of course! Maintenance of Windows machines would be impossible otherwise. When I'm called in to fix something, the owners of the machines never know what the admin passwords are, so the only way I can get the job done is by changing the password with a Linux tool.
  
  --
  Oh well, what the hell...
21. Re:Does this still work? by Anonymous Coward · 2005-08-16 10:04 · Score: 0
  
  Yep,
  
  You can by the CD from a comercial source. I think it is called Win Terminals. No not related to the actuall win terms. It is not linux. It acutally loads and looks and feels like a M$ OS.
  
  The other is call UBCD Which is here
  http://sourceforge.net/projects/ubcd
  
  It is a life saver sometimes..
22. Re:Does this still work? by RetroGeek · 2005-08-16 10:45 · Score: 1
  
  Install rootkit
  
  To what?
  
  The entire hard drive is encrypted. There IS no OS visible as such until the encryption key (and physical key) are used.
  
  --
  
  - - - - - - - - - - -
  I am a programmer. I am paid to produce syntax not grammar. Deal with it.
23. Re:Does this still work? by lgw · 2005-08-16 11:39 · Score: 1
  
  Is this a software or hardware product? Hardware encryption works fine, though it's often quite expensive (and people tend to leave the physical keys with the device), but of course with physical access one could swap out a physical key reader for one that secretly records the key (as happens with ATMs from time to time).
  
  Software encryption needs *something* unencrypted to boot and begin decrypting the rest of it. Again, that piece can be replaced with one that records the key used (or physical keyloggers could be installed, or whatever).
  
  Anytime an attacker has physical access to where the encryption is done, you're potentially compromised unless you're aware this has happened.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
24. Re:Does this still work? by Mostly+a+lurker · 2005-08-16 12:30 · Score: 1
  
  these days any key you can memorize is weak
  Not true. Assuming an arbitrary length key is allowed, something like "Jack and Jill ran up the hill to fetch a pail of water" or "she sells sea shells on the sea shore" are both easy to remember and are strong keys.
25. Re:Does this still work? by Anonymous Coward · 2005-08-16 12:38 · Score: 0
  
  How many IT people would die...
  
  Dells used to have this restraining arm for the pci cards, near had my eye taken out more than once. I imagine if a built in flamethrower or poison darts were enabled I would be a dead duck by now.
26. Re:Does this still work? by taernim · 2005-08-16 13:14 · Score: 1
  
  Aren't those referred to by Data as "booty-traps" these days? ;)
  
  --
  "PC Load Letter? What the $@#% does that mean?!"
27. Re:Does this still work? by jack_csk · 2005-08-16 14:10 · Score: 1
  
  What if you managed to encrypt the whole file system? Surely the encryption has a possiblity to be broken finally, but it definitely would give you a better standing.
28. Re:Does this still work? by Anonymous Coward · 2005-08-16 18:43 · Score: 0
  
  The attacker could easily brute force the passphrase. It is just a matter of finding someone who knows the passphrase and applying brute force to them (often using a rubber hose on the bottom of their feet) until they tell you what you want to know. Good old rubber hose cryptanalysis works every time and requires very little resources to work.
29. Re:Does this still work? by RetroGeek · 2005-08-17 01:38 · Score: 1
  
  Is this a software or hardware product?
  
  Secure Doc
  
  --
  
  - - - - - - - - - - -
  I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Root a box by totallygeek · 2005-08-16 06:36 · Score: 2, Informative

In Australia, to root something is to have sexual intercourse with it. So, chatting with some chick about rooting her box may get you a slap. You should buy her a drink first.

Where I learned this. Well, about the rooting, not about the smoothing over chicks.

--
Click here or here.
1. Re:Root a box by Aardpig · 2005-08-16 07:29 · Score: 4, Funny
  
  Outside Australia, in the rest of the world, to explain the joke as though nobody else gets it is to demonstrate that you don't have much of a sense of humour yourself.
  
  --
  Tubal-Cain smokes the white owl.
2. Re:Root a box by Anonymous Coward · 2005-08-16 07:52 · Score: 0
  
  Wow, you got modded informative for explaining the guy's own joke back to him.
3. Re:Root a box by Anonymous Coward · 2005-08-16 08:02 · Score: 0
  
  Yea - I found out the hard way when I was referring to my "fanny pack"... a common term for a belt bag for money. The Aussies call it a "BumBag"...
  
  Anyway, it was rather embarrassing... so, even in other countries that speak your language, one has to be careful how they call things, especially slang words... "fanny" is a pretty dirty word down under.... something that others should know.
  
  I hope /. won't censor this... for using the word, but my context is not meant to be "dirty". :-)
4. Re:Root a box by bombadillo · 2005-08-16 08:56 · Score: 1
  
  In America "box" is slang for... a part of the Woman you try to "root" :)
5. Re:Root a box by dreavien · 2005-08-16 15:32 · Score: 1
  
  On behalf of those of us who didn't "get it"
  
  WE SALUTE YOU!
Wow by ryanr · 2005-08-16 06:36 · Score: 3, Interesting

I don't think I've ever seen Jose be so complimentary about a book before. Nice job, guys. I have the book as well, and I like what I've seen so far, but I haven't read enough yet to comment meaningfully.

I will point out though that the rootkit.com site has been around for a few years now, and obviously predates the book. In fact, I hope the book will explain in greater detail a lot of the technical topics from the site that are often only presented via code.
Re:Great! (not) by Anonymous Coward · 2005-08-16 06:37 · Score: 0

oh my god dude its crackers man CRACKERS are the bad ones, hackers are us angelic coders that do the world nothing but good. Oh my god why don't you understand me its just like at school when everyone made fun of me for being different they just didnt understand whaaaaaaaaaaaaaaaaa listen to me! hear me!
"Greg", not "Grog" by Anonymous Coward · 2005-08-16 06:37 · Score: 1, Informative

That's GREG HOGLUND. Not 'Grog Hegland'!

Sheesh, it's even written down on the front cover of the book that you supposedly have in front of you while reviewing it!
1. Re:"Greg", not "Grog" by Anonymous Coward · 2005-08-16 07:53 · Score: 0
  
  Grog Heglund is a much scarier name, though.. I'd suggest he change it.
2. Re:"Greg", not "Grog" by Anonymous Coward · 2005-08-16 09:38 · Score: 0
  
  Grog Hegland is actually a secret Norwegian Celtic rum distilary on an Island in the North Sea.
w00t by vga_init · 2005-08-16 06:39 · Score: 3, Funny

r0x0rz j00r b0x0rz, d00d
1. Re:w00t by j_cavera · 2005-08-16 06:42 · Score: 1
  
  Probably the first time in Slashdot's history that that comment is actually on topic...
  
  --
  #include "humorous_pop_culture_reference.h"
d00d! ill be l33t h4xx0r!! by filesiteguy · 2005-08-16 06:40 · Score: 0

So if I'm reading this correctly, I can break into a Windows workstation?
I won't need a Knoppix CD?

I should try this on my workstation...

...oh, wait. I run Linux. Nevermind.

What I like is that people are becoming more aware of the vunerabilities in these systems, which include Windows NT/XP/Vista (a single-user system subverted to multi-use) and Linux/Unix/Mac (which are multi-user to begin with.)

--
The Kai's Semi-Updated Website Thingy
1. Re:d00d! ill be l33t h4xx0r!! by meringuoid · 2005-08-16 06:52 · Score: 1
  
  I should try this on my workstation... oh, wait. I run Linux. Nevermind.
  Good for you. For any panicking Windows users - move to UNIX and never worry about rootkits ever again!
  Really, go ahead. You can trust me ;-)
  
  --
  Real Daleks don't climb stairs - they level the building.
2. Re:d00d! ill be l33t h4xx0r!! by Anonymous Coward · 2005-08-16 07:07 · Score: 0
  
  And if you aren't running encrypted file systems on your Linux workstation, I can break into it if I have a Knoppix CD or other wise have physical access. What's your point? You think there has never been a rootkit out for Linux? Riight.
3. Re:d00d! ill be l33t h4xx0r!! by Anonymous Coward · 2005-08-16 07:08 · Score: 1, Informative
  
  which include Windows NT/XP/Vista (a single-user system subverted to multi-use)
  
  just as sort of a postscript here, that is absolutely false
4. Re:d00d! ill be l33t h4xx0r!! by filesiteguy · 2005-08-17 04:25 · Score: 1
  
  Actually, AC, you're kinda right. Windows NT/2K/XP/Vista is still a single-user system. Though you "can" run WTS on top of the sytem, the OS was never designed to be multi-user or play well in networked environments.
  My bad.
  
  --
  The Kai's Semi-Updated Website Thingy
Hey, by TransEurope · 2005-08-16 06:42 · Score: 0, Flamebait

do we really want that the Internet becamesa place of a higher order and full control?
I think a little bit of chaos and anarchy is a really good thing.
And warzones are producing relly good payed jobs ;)
Re:Great! (not) by superpulpsicle · 2005-08-16 06:42 · Score: 0, Troll

But.... crackers get no attention. Hackers cause malicious attacks, they are the ones changing the world above politics and corporate BS.

If it wasn't for these spyware/adwares/hacks, there would have never been a need for firefox. That's just 1 tiny example.
Easy. by Anonymous Coward · 2005-08-16 06:48 · Score: 0

How to subvert the Windows kernel? Just run it.
Spiff by RenegadeRunner · 2005-08-16 06:49 · Score: 1

Wanna check the book out myself, given such the good response. I share several other's sentiments in believing it will be put to good use for the sake of security and everyone's wellfare, but let's be real: script kiddies eat this stuff up.
1. Re:Spiff by rel4x · 2005-08-16 07:13 · Score: 1
  
  hmm...while I share your general dislike for the people that would use this information in a less than responsible fashion, I feel the need to point out that Script Kiddies are probably not going to be toying with layered device drivers...their only draw would be code samples, and those are EVERYWHERE already. These people would probably be a bit more skilled.
  
  --
  
  Before you mod me funny, think, perhaps I was insightfully funny?
Fat bloated kernels by drgonzo59 · 2005-08-16 06:50 · Score: 4, Interesting

The lesson in this article should be also that there is something wrong with the Windows kernel if there can be written whole books about how to make rootkits for it. The same can go for the Linux kernel. (Yeah that's right, I bashed _the_ penguin on the head, mod me down!)
Kernels are so big and bloated that there is almost %100 chance of there being some exploitable whole in them. If the "good hackers" discover it, it will be patched, if the "bad hackers" discover it, they will make rookits.
A lot of the code that is not tested and buggy is in the drivers, and I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space. The machines are fast enough to switch contexts between the display, mouse, sound, disk and communication with the ports. The kernel should be very small and only implement the security policies and handle communications between devices. If the hacker manages to exploit a hole in the display driver, the driver will not crash the system. These are called secure microkernels or separation kernels. I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security. In 18 months, the speed will double anyway ;)
Check out this paper from NIST that talks about this. Also, more general info about it here
1. Re:Fat bloated kernels by arkanes · 2005-08-16 07:14 · Score: 5, Informative
  
  You can make a rootkit for any OS, even a minimal microkernel, unless your OS runs out of ROM or there's similiar hardware level measures in place. A rootkit is the end result of an exploit, not an exploit itself - the tricky part is getting sufficent access to install a rootkit.
2. Re:Fat bloated kernels by TheRealMindChild · 2005-08-16 07:16 · Score: 1
  
  I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space
  
  Two words: Context Switches
  
  --
  
  "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
3. Re:Fat bloated kernels by SharpFang · 2005-08-16 07:17 · Score: 1
  
  Andy? Andrew Tannenbaum? I didn't know you read Slashdot. By the way, I thought Linus has already explained that matter to you!
  
  (no, 20% efficiency/speed lost is NOT an acceptable loss)
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
4. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 07:17 · Score: 1
  
  You are right, I was just thinking that a small (couple of thousand lines) open source microkernel will have much less exploits than a kernel that is a million lines together with drivers and everything else that can run in kernel space.
5. Re:Fat bloated kernels by LnxAddct · 2005-08-16 07:19 · Score: 1
  
  OMG! Andrew Tanenbaum reads slashdot! Now all we need is for Linus to step up again and we can recreate 1992!
  Regards,
  Steve
  
  P.S. Hi Andy!
6. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 07:22 · Score: 0
  
  Six words: read the rest of his post
7. Re:Fat bloated kernels by docgnome · 2005-08-16 07:25 · Score: 1
  
  The only thing I disagree with is that a 4GHz box can handle 10% slowdown. This is not to say that your idea is bad, or that it should not be done, because I think it should be. I think what you should have said, is that any slowdown that the user will see is acceptable for the added security. However, I doubt anyone will do this simply because the "1337 h4x0rz" will say "Omg! sl0w!" without understanding the reasons behind said slowness.
8. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 07:26 · Score: 0
  
  How horribly misguided can one article be?
  
  Yes, the size of Linux (or whatever) guarantees that there will be holes. That is totally irrelevant as, more often than not, the security holes by which infection arrives are in user space.
  
  Oh, and NT is a micro kernel. It's sooo much more secure because of that. 80% (see? "%" in back) is a number you just poured out of your ears and it seems to have no significant digits.
  
  Finally, did speeds double over the past 18 months? Do we expect them to double over the next 18 months. (No, and no.)
9. Re:Fat bloated kernels by nightcrawler77 · 2005-08-16 07:30 · Score: 1
  
  Microsoft is introducing a User Mode Driver Framework that will allow less performance-sensitive drivers to run in user-mode. From what I've heard, video drivers and probably network drivers (especially gigabit drivers) won't be usable if run from user-mode (which is understandable). But it does look like a good start at introducing some more granularity to the way drivers are run in Windows.
  
  The real trick here is run under a non-admin account. No matter what protections are put in place, an administrator will always have a clear shot to the kernel.
  
  By the way, I took a class at Black Hat this year from the two authors of this book. They really know their stuff...highly recommended.
  
  --
  "Power corrupts, and absolute power corrupts absolutely." -- Lord Acton
10. Re:Fat bloated kernels by zymano · 2005-08-16 07:39 · Score: 1
  
  That wasn't his point.
  
  The more code you throw in an OS kernel then you have more exploitable code.
  
  He's talking microkernel.
11. Re:Fat bloated kernels by linuxfanatic1024 · 2005-08-16 07:56 · Score: 1
  
  Andrew Tanenbaum, I presume? Well, if the Linux kernel was designed this way, then Linus would have the same problems the HURD team has. And Windows NT's kernel is a microkernel.
  
  The same can go for the Linux kernel. (Yeah that's right, I bashed _the_ penguin on the head, mod me down!)
  
  Even though my nickname might suggest otherwise here, I actually agree with this. It's incredibly difficult, if not impossible, to write something that's perfect. Linux really is no different.
  
  If the "good hackers" discover it, it will be patched, if the "bad hackers" discover it, they will make rookits.
  
  This is about Windows. Windows is closed-source/proprietary, so "good hackers" won't be able to fix the system.
  
  A lot of the code that is not tested and buggy is in the drivers, and I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space.
  
  There's a reason for this: if userspace programs were allowed to directly control the hardware (like Windows 9x), it causes major problems like freeze-ups and crashes. That's why they are kernel-space. Though X11 is technically user-space, it can still create security holes.
  
  If the hacker manages to exploit a hole in the display driver, the driver will not crash the system.
  
  How is this good? Without the display driver, how can you see what is going on?
  
  I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security.
  
  Microkernels do not guarantee security. And where do you get these numbers? I also have barely seen any 4 GHz machines.
  
  --
  Microsoft-free since March 28, 2004
12. Re:Fat bloated kernels by lgw · 2005-08-16 07:58 · Score: 2, Insightful
  
  The preformance / security tradeoff was a bit different 13 years ago. The best decision in 1992 isn't necessarily the best decision today. Folks are *far* more concerned about security today, and CPU performance doesn't seem as large a concern.
  
  This sort of slow change is normal in any engineering field. You have to adapt to changing materials and changing requirements.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
13. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 08:06 · Score: 2, Interesting
  
  The point of the post of was that in 1992 the top of the line might have been 60MHz machines, now you can overclock a pentium to 6Ghz, so we are talking about 100x speedup. The bus+memory didn't speed up as much, but still it many times faster. So in 1992 you couldn't do context switches fast enough, today you can and you might not notice much of a difference.
  The problem is that people do want performance, but after their box gets rooted and their hard drive erased, they tend to change their priorities. I sure could have lived with a 10% slowdown and play Quacke at 90 fps instead of 100 fps if that meant that I had a more secure OS and my box did get rooted.
  In 1992 for Linus, performance was very important. I don't think he anticipated the popularity of Linux and that one day people would be using it on their desktops and they will be connected to the net, and script kiddies will turn them into zombies.
  But it is not 1992 anymore and I think it is time to reconsider. Security is becoming more and more important and slowdown can be compensated by just buying a faster CPU next year.
14. Re:Fat bloated kernels by I'm+Don+Giovanni · 2005-08-16 08:11 · Score: 0
  
  "The lesson in this article should be also that there is something wrong with the Windows kernel if there can be written whole books about how to make rootkits for it. The same can go for the Linux kernel."
  
  Please...
  I'm sure that there are those that can write books on how to break into a car, too.
  
  --
  -- "I never gave these stories much credence." - HAL 9000
15. Re:Fat bloated kernels by Jessta · 2005-08-16 08:13 · Score: 1
  
  I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space.
  
  Because everyone is developing the linux kernel with hardly any developers working in HURD.
  
  --
  ...and that is all I have to say about that.
  http://jessta.id.au
16. Re:Fat bloated kernels by l3v1 · 2005-08-16 08:26 · Score: 1
  
  The same can go for the Linux kernel.
  
  So you saying it's as easy to develop rootkits for a closed source kernel as for a fully open source one ? Or vice versa ? With both you'd be wrong. I can't help wondering what more one could do [regarding windows rootkits] if the kernel source would be known...
  
  --
  I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
17. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 08:29 · Score: 1
  
  >This is about Windows. Windows is closed-source/proprietary, so "good hackers" won't be able to fix the system.
  You are right, I just meant that eventually MS will be embarassed about the new hole in their application and tell some intern to fix.
  >>If the hacker manages to exploit a hole in the display driver, the driver will not crash the system.
  >How is this good? Without the display driver, how can you see what is going on?
  I think it is very good if you are also running something else that cannot crash even if the display driver starts acting crazy. I was thinking also of the server environment. Also the separation kernel can perhaps detect that the display driver is malfunctioning and re-initialize it without restarting the system.
  >>I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security.
  >Microkernels do not guarantee security. And where do you get these numbers? I also have barely seen any 4 GHz machines.
  By running the device drivers in user space security will be improved as the OS can still mentain control of the machine even during the failure of the device driver. A separation kernel is very small, maybe a couple thousand lines long. Compare that to the Linux kernel that is hundreds of thousands + of lines including drivers. I think it is quite obvious that it is much easier to mentain and debug a 1000 lines program than a 500,000 lines program. That is where the improved security comes it.
  Many of the Green Hills' OS'es work on this principle, and whenever you board a Boeing airplane, it is probably the Green Hills software that is flying it. As much as I like Linux, I don't think I want the Almighty Penguin to fly my over the Atlantic.
  The point of the post was that it is probably time to apply some of separation kernel guidelines to the desktop PCs.
  The 4Ghz, 10% and 80% numbers are there just to illustrate the point I didn't do any benchmarks, it was just a guess to show that there will be a _small_ performance hit at a much _greater_ improvement in security.
18. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 08:30 · Score: 0
  
  --A lot of the code that is not tested and buggy is in the drivers--
  
  That's why Windows warns you when you try to install a kernel mode driver that is not signed. I've never had a problem with a signed driver.
  
  --I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space--
  
  Because the kernels used in "current" operating systems were written a decade or more ago.
  
  In Vista, MS is moving most of the drivers out of kernel to user space.
  
  Rootkits are not the result of bloated kernels. It doesn't matter how small the kernel is, if someone can get access to the system, it can be modified.
19. Re:Fat bloated kernels by flibuste · 2005-08-16 08:31 · Score: 1
  
  Two words: Context Switches
  
  More words: read until the end of the post before hitting reply. The guy explains that context switch is affordable with the speed of today's machines...and points out that it will double soon anyway.
  
  Two words: Please read
20. Re:Fat bloated kernels by Anarke_Incarnate · 2005-08-16 08:33 · Score: 0, Troll
  
  60MHz machines, now you can overclock a pentium to 6Ghz, so we are talking about 100x speedup
  only to the uninformed who think that
  A. Mhz = speed B. Cannot tell the difference between different marketing names (not all "pentiums" are the same or from the same family
  Try again. Mhz is not a linear speed progression metric. I can run 10Ghz over a copper wire, WHOA that is fast.
21. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 08:33 · Score: 1
  
  I was just saying that in general, it is easier to find a hole in a huge bloated program than in a smaller program. Just because the Linux kernel is open source doesn't mean there won't be any root kits for it. In fact there have been!. How many time s did you go through the 100,000+ lines of code looking for bugs?
22. Re:Fat bloated kernels by SLi · 2005-08-16 08:36 · Score: 2, Interesting
  
  (no, 20% efficiency/speed lost is NOT an acceptable loss)
  
  I've been wondering about this. In a huge number of cases I would gladly swap 20% or even 50% of the speed for absolute guaranteed security. And in my opinion in lots of cases it would be the obviously correct choice (if there was such a choice, that is). What makes people value their security so little?
23. Re:Fat bloated kernels by grozzie2 · 2005-08-16 08:43 · Score: 3, Interesting
  
  The kernel should be very small and only implement the security policies and handle communications between devices.
  This is all fine and dandy in theory, but, out here in the real world, device drivers still have to talk to hardware directly. When a device driver sends commands to hardware that will effectively pre-empt data bus operations at the hardware level (outside of cpu control), you have to sit back and go 'gotta trust the driver code'. Unless the kernel has full knowledge of the consequences of all hardware i/o operations, it's really pointless to run it thru a mapping layer so that the kernel actually does the io on behalf of a higher level program.
  I remember once many years ago, somebody showing me a shiny new install of WindowNT, and they were telling me it was a secure, crash proof box. I chuckled, and took a look at some of the installed hardware. I then proceeded to sit down, start 'debug', write a value to one video port, and another value to another video port. Screen went blank, machine sat there for a while, then it reset. It's not hard to set a video card into a state where it's going to assert wait on the memory bus until an event occurs, yet pre-program the device so that the event will never occur. At that point, the main bus is effectively dead, the cpu can no longer access memory, game over. This 'exploit' took advantage of a not so well known flaw in Video Seven graphics controllers.
  The hardware attached to the various busses on modern computers has the ability to halt/corrupt the bus. As long as that's the case, there's no point trying to put a kernel layer in between to 'protect' the system, unless the kernel layer has full knowledge of all aspects of the hardware in question, and will prevent such conditions from being set up. This is typically the responsibility of [drum roll] the device driver for the device [/drum roll].
  If you are suffering from driver instability problems, then, you are part of the problem. You chose to buy the cheapest crap, and then sit back blaming 'somebody else' because the driver support is crap. You had the opportunity to vote with your wallet, buy stuff that's well supported, and doesn't have stability problems. If the market as a whole actually used this 'vote with the wallet' clout, the state of affairs would be different, because only vendors providing good support would survive in the marketplace. Sadly, that's not the case. The market is driven by 'the cheapest price' and you get what you pay for.
  The computer I'm using to write this, doesn't have any driver stability problems. I paid a little extra to get a set of video cards (plural, I have 3 displays on this computer) that would operate cleanly, and not cause problems in a multi-display environment. I paid a little extra for a motherboard that's known to be solid and reliable. I paid a little extra for a disk that doesn't have a history of failures.
  I voted with my wallet, because I understand, it's not physically possible for an operating system running on the cpu to recover from problems generated in the hadware. If a given device corrupts a data bus, or asserts reset at the wrong time, there are going to be problems. The key is, buy the devices that dont do that, and choose the ones that have a track record of good software support in the form of drivers.
  I have zero sympathy for folks that complain about buggy drivers all the time. It was your choice to buy the crap hardware. You saved a few bucks, and bought a stack of aggrivation. That's your choice, but, there were other choices. You could have chosen to make informed purchases, and buy based in quality rather than price.
  As long as the operating system is something that runs ON TOP OF THE HARDWARE, it's going to be subject to the problems of the hardware. The software support for the hardware is part and parcel of the package. Isolating drivers up to user space is NOT going to solve the problem, because that driver is still going to be manipulating dat
24. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 08:44 · Score: 2, Insightful
  
  Did you read the post at all? I was not talking about Mhz to performance ratio in different pentium and amd models. The point was that there was a _large_ speed increase in processing power since 1992 - that is all you should read into it. If you think there wasn't a _large_ speed increase in the last 14 years, then you don't live in the real world. It might not have been 100x it might have been 90.3x, that is not the point!
  In _general_ on the same processor the faster the clock speed the greater computational throughput. If Mhz!=speed, then underclock you machines to 100Mhz, see if you'll notice a difference...
  I can run 10Ghz over a copper wire, WHOA that is fast.
  Good for you. Whatch the output power and keep it away from the brain and the reproductive organs.
25. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 08:44 · Score: 0
  
  on the part about userland device drivers, NO.
  the security implications of even attempting something like this are insurmountable. Who is going to handle the HD driver? you? with my files on it? um same problem with the network. the vpn plugin. the pci bus (that controls all devices on the bus). I guess it is fine for the video card and mouse+key if all we were making was a single user desktop. But then would _your_ keylogger still work when I sat down? In the very few places you could actually do this would save you next to nothing in overall system security, so that is why no-one has bothered.
  
  The only reason nist is writing about it is because the m@#$ft morons told every hardware manufacturer on the planet "dont worry about standards/api's/compatibility, write your own badly written device driver and we will be happy to execute it as a kernel-mod with full system privs."...... idiots.
  --jboss
26. Re:Fat bloated kernels by Lost+Found · 2005-08-16 08:54 · Score: 1
  
  Ugh. Thankfully, you're not making any important decisions. Personally, I'm more worried about having a kernel that doesn't perform like ass. Microkernels can lick my balls and fucking like it.
  
  I would have figured that by now the lessons of Mach & friends would ring loud and clear... sure, it looks great on paper, but oh, what's that? System calls take 4 times as long? FUCK THAT!
  
  There are more proper ways to handle system security than to try the Java idiom of "lets make everything a tiny little object and shoot XML all over the place!" which would be the equivalent "wrong" in user-land.
27. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 08:55 · Score: 0
  
  Man! Where can I get one of those 4Ghz machines at?
28. Re:Fat bloated kernels by drgonzo59 · 2005-08-16 09:02 · Score: 1
  
  Talk to this guy. He'll hook you up ;)
29. Re:Fat bloated kernels by SharpFang · 2005-08-16 09:09 · Score: 1
  
  1) It does not guarantee security, just lowers the risk. Go for OpenBSD...
  2) Maintain "Sufficient" security while achieving "Maximum" performance is preferred over the opposite, especially that the performance never seems quite "sufficient" no matter what.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
30. Re:Fat bloated kernels by ultranova · 2005-08-16 09:33 · Score: 1
  
  The lesson in this article should be also that there is something wrong with the Windows kernel if there can be written whole books about how to make rootkits for it. The same can go for the Linux kernel. (Yeah that's right, I bashed _the_ penguin on the head, mod me down!)
  
  No you didn't. You said that if whole books can be written about how to make rootkits for Linux kernel, there can be something wrong with it. Since you didn't say that any such books actually exists, you simply claimed that an if-then (actually, if - then maybe, since you said "the same can go" instead of saying "the same goes" - but I'll assume that you meant the latter) relationship exists, not that the "if" part is true, and therefore failed to bash Linux in any way.
  
  Furthermore, the relationship you established is nonexistant. I can write books about breaking the laws of thermodynamics. I don't know how to break the laws of thermodynamics, but I can write books about the subject nonetheless. I'm not saying that the writers of this book wouldn't know how to break Windows's security; only that being able to talk at length about security flaws in some particular system doesn't say anything about how many or severe flaws are in said system.
  
  Finally, could we please get an improved lameness filter that filters out the endless "I'll be modded down for this" posts ?
  
  A lot of the code that is not tested and buggy is in the drivers, and I don't understand why do current operating systems still have drivers that are run in the kernel instead of in the user space. The machines are fast enough to switch contexts between the display, mouse, sound, disk and communication with the ports.
  
  This might surprise you, but some of us actually have an use for all that CPU power that modern machines have. I, for example, render Pov-Ray images and play games.
  
  The kernel should be very small and only implement the security policies and handle communications between devices. If the hacker manages to exploit a hole in the display driver, the driver will not crash the system.
  
  No, it will only either blank the screen, giving me a fun task of rebooting my machine or the misbehaving driver blind, or possibly show me garbage data to fool me into doing something stupid.
  
  Besides, how often are security flaws actually a result of a kernel exploit, and not an exploit in an userspace program running at root privileges ?
  
  I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security.
  
  Sure, if you only need a 3.6Ghz processor for your workload. But if you do, why did you pay for 4Ghz processor in the first place ?
  
  In 18 months, the speed will double anyway ;)
  
  At which point you lose 800Mhz worth of speed, if the loss stays at 10%.
  
  No matter how much CPU power you have, it is insufficient for something you want to do. Therefore, a 10% slowdown is simply unacceptable.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
31. Re:Fat bloated kernels by AvitarX · 2005-08-16 09:38 · Score: 1
  
  Also, Linus did schange his mind already.
  
  Linux is written in C mostly and is quite cross platform.
  
  If everybody is refoering to the same flame war I remember Linus was all like, (parafrased) "Bitch, I don't need cross platform, I POSIX and glibc and you do the same thing with your kernel and they each can be monoplatform"
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
32. Re:Fat bloated kernels by networkBoy · 2005-08-16 09:54 · Score: 1
  
  "If the market as a whole actually used this 'vote with the wallet' clout, the state of affairs would be different, because only vendors providing good support would survive in the marketplace. Sadly, that's not the case. The market is driven by 'the cheapest price' and you get what you pay for."
  
  [nitpick]not always is it clear whom will have better support till it's too late[/nitpick]
  -nB
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
33. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 10:06 · Score: 0
  
  In 18 months, the speed will double anyway ;)
  
  You mean the way they've doubled since the 3.4GHz was released in Q1 '04?
34. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 10:07 · Score: 0
  
  You have misunderstood what rootkits are, it seems. A less bloated kernel would probably be even easier to write rootkits for. The rootkit is not the exploit. The rootkit is what you install once the exploit has been used.
35. Re:Fat bloated kernels by Krach42 · 2005-08-16 10:09 · Score: 2, Insightful
  
  I'll take this one on. Let's start with minimal microkernel, then build ontop of that an OpenBSD like subsystem. (just because it has the resources that I'm aware of, and will be using.)
  
  Now, all the absolutely vital system components that could be used for the exploitation of the system for a rootkit. Mark those system immutable.
  
  Now, the hacker needs physical access, and single user mode to hijack your system. I'd call that as secure as you can get.
  
  Now, granted... like you said, this is the end of the exploit. If they had sufficient eploits to get physical access and single user mode, well then, I suppose they *could* install a root kit.
  
  But how many script kiddies do you let into your house?
  
  --
  
  I am unamerican, and proud of it!
36. Re:Fat bloated kernels by Thuktun · 2005-08-16 10:39 · Score: 2, Insightful
  
  You can make a rootkit for any OS, even a minimal microkernel, unless your OS runs out of ROM or there's similiar hardware level measures in place. A rootkit is the end result of an exploit, not an exploit itself - the tricky part is getting sufficent access to install a rootkit.
  
  Depends on whether you're talking a remote or local rootkit, doesn't it? All bets are off when you can tweak the machine directly, but an OS can be secured sufficiently to not run any code from the outside.
37. Re:Fat bloated kernels by dotgain · 2005-08-16 11:13 · Score: 1
  
  I think 10% is a pretty conservative estimate. Say you're ray-tracing, being very cpu-bound and not very io-bound. You'll still get few context switches because drivers for IO aren't being called very often. If you do something heavy on the disks, like `find /', you'll probably use more CPU due to lots of context switches, but still leave plenty of idle time due to always waiting on the disk. So in either of those (admittedly specific) situations, I don't believe we'll notice any penalty.
  In addition, maybe processors of the future will have new instructions for things like context switches and interrupt handling. Hell, they may already, I've seen more sparc asm than x86.
38. Re:Fat bloated kernels by coyote-san · 2005-08-16 11:27 · Score: 1
  
  If you want to get pedantic the architecture of the chips have also changed significantly and your criticism is equally malinformed.
  
  What improvement is due to the reduced number of clock cycles required for each operation?
  
  What improvement is due to the addition of an extremely high speed L1 cache? The L2 cache?
  
  What improvement is due to multicore optimizations?
  
  What improvements are due to improved software algorithms?
  
  We tend to forget the last point since it seems most of our work is reinventing the same wheel, but there are a lot of applications where there's been a greater impact from improved algorithms than there's been from improved hardware.
  
  --
  For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
39. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 11:34 · Score: 0
  
  As a general idea that is good, but in practice, any exploitable code is just that: Exploitable code. I don't see how microkernels are going to improve that. Esp. given that the Xbox has 3 bugs in 512 bytes of security-driven boot code that made it ineffective.
  
  As long as humans are involved programming will always be iterative and evolving. In both circumstances an inability to completley envision every possible use for your code will stop you. Micro or Monilith.
40. Re:Fat bloated kernels by witte · 2005-08-16 11:57 · Score: 1
  
  >I think the present 4Ghz machines can hangle a %10 slowdown at the expense of say, %80, improved security.
  
  You are of course right, but Ati/Nvidia sells performance, not security.
41. Re:Fat bloated kernels by boelthorn · 2005-08-16 12:06 · Score: 1
  
  You might want to check out DROPS, the Dresden Real-Time Operating System at http://os.inf.tu-dresden.de/ . With some coding you can use Linux device drivers, but they are separated into their own L4/Fiasco task (L4 is a second generation microkernel family). Thus a device driver may crash, but only parts of the system using it are affected. And as every task may have its own address space it is quite resilient against various security problems.
  
  Another very promising project is L4/Hurd (http://www.gnu.org/software/hurd/hurd-l4.html), which will eventually produce a modern UNIX-like operating system for which it will be a joy to write drivers, filesystems, you name it. :)
42. Re:Fat bloated kernels by boelthorn · 2005-08-16 12:12 · Score: 1
  
  L4 microkernels show that context switches can be made quite fast. L4Linux is almost on par with "normal" Linux. One of the problems is that current CPUs are not designed for ultra-fast context-switches, some do even require a full cache flush. We will see what the future brings...
43. Re:Fat bloated kernels by boelthorn · 2005-08-16 12:17 · Score: 1
  
  It is more like 5% speed loss, if you call this "loss".
44. Re:Fat bloated kernels by pegr · 2005-08-16 12:47 · Score: 2, Funny
  
  You can make a rootkit for any OS, even a minimal microkernel, unless your OS runs out of ROM or there's similiar hardware level measures in place.
  
  That's it, I'm breaking out my Commodore 64!
45. Re:Fat bloated kernels by zymano · 2005-08-16 12:58 · Score: 1
  
  That sounds nice but you know the saying ........
  
  KISS = Keep It Simple Stupid.
  
  Less can be better in the kernel because it can be scrutinized better.
  
  But your right also. If every 30 million lines or more linux kernel can be eyeballed for overflows then that would work i suppose. It's just hard to do.
46. Re:Fat bloated kernels by pVoid · 2005-08-16 13:00 · Score: 1
  
  These guys, in this book, are talking about local rootkits (layered device drivers etc).
  Anyone who says their OS is secure from local rootkits is a fool. Mind you, this is different from saying that you can allow users to use your system, but as soon as you allow a user to run *his* code on your system, all bets are off regarding infalibility.
  This is not to say that there can never be an OS that's invulnerable to local root exploits. It's just that it's highly unlikely today.
47. Re:Fat bloated kernels by Anonymous Coward · 2005-08-16 13:06 · Score: 0
  
  This is all fine and dandy in theory...
  It works well in practice too. Real systems have been built and fielded based on these principles, and you continue to refer to them as if they only exist in the lab.
48. Re:Fat bloated kernels by ozmanjusri · 2005-08-16 14:11 · Score: 1
  
  You can make a rootkit for any OS, even a minimal microkernel, unless your OS runs out of ROM
  
  This is part of the real answer to most of these security issues. Design an OS with a clear separation of OS, application and data spaces.
  
  Make the OS space entirely ROM, and only updateable through a replacement ROM (DVD or similar cheap media), application space hardware locked to read only by default, but unlockable with a removable USB crypto key for installs. Make the data spaces RW, but include some form of versioning in the FS to protect the user from accidents.
  
  Obviously, some applications need to autostart, so there needs to be a single, simple, clearly visible (to the user), autostart list in the data space. Likewise, config settings are also data, and need to be stored in non-geek human readable form in the data space. The emphasis must be on simple, readable config settings. It's the machine's job to read human data, not a human's job to read machine data.
  
  If you remove the places in the operating system where malware can make itself invisible, you remove the malware.
  
  --
  "I've got more toys than Teruhisa Kitahara."
49. Re:Fat bloated kernels by kneeless · 2005-08-16 15:48 · Score: 1
  
  You should've read Phrack #63. They had an article on hiding processes. It uses the same functions that the Linux kernel uses to destroy processes to hide them. Unless OpenBSD doesn't kill processes somehow, there's something there. The only saving grace to it is the security levels, which are in Linux 2.6 now.
  
  --
  Bran muffins and whiskey.
50. Re:Fat bloated kernels by billsoxs · 2005-08-16 16:00 · Score: 2, Interesting
  
  I'll take this one on. Let's start with minimal microkernel, then build ontop of that an OpenBSD like subsystem. (just because it has the resources that I'm aware of, and will be using.)
  Now, all the absolutely vital system components that could be used for the exploitation of the system for a rootkit. Mark those system immutable.
  Wouldn't this also stop auto updates and similar? Of course provided that your code is perfect the first time there would be no need - but as a previous post pointed out - we is human and we makes mistakes
  
  --
  This message was brought to you by "Lack of Sleep."
51. Re:Fat bloated kernels by billsoxs · 2005-08-16 16:23 · Score: 1
  
  I can run 10Ghz over a copper wire, WHOA that is fast.
  To the GP post, This is what you call an antenna. It radiates power all over the place. I have forgotten where the frequency is but some place up there the resistance becomes 'large' (in a relative sense) and Cu is not a real good metal for moving power. This is why most waveguide sections are Ag coated and not Cu. (I'll have to try to remember to get my UG students to do the calculations next time I teach the class.)
  
  --
  This message was brought to you by "Lack of Sleep."
52. Re:Fat bloated kernels by billsoxs · 2005-08-16 16:38 · Score: 1
  
  You mean the way they've doubled since the 3.4GHz was released in Q1 '04?
  I was going to reply but it was not worth it.
  
  --
  This message was brought to you by "Lack of Sleep."
53. Re:Fat bloated kernels by Anonymous Coward · 2005-08-17 04:15 · Score: 0
  
  I call bullshit. Show one--just one--that provably doesn't suffer from the issues that GP brings up.
54. Re:Fat bloated kernels by Inthewire · 2005-08-18 14:10 · Score: 0
  
  The problem with pulling things out of your ass is that people tend to ignore those things while backing away from the fetid layer of shit coating those things.
  BR /.
  
  --
  
  Writers imply. Readers infer.
55. Re:Fat bloated kernels by Anonymous Coward · 2005-08-22 22:19 · Score: 0
  
  I would have figured that by now the lessons of Mach & friends would ring loud and clear... sure, it looks great on paper, but oh, what's that? System calls take 4 times as long? FUCK THAT!
  
  The parent is ignorant of the facts. There are general purpose microkernels with lower system call latency than Linux, WinXP, or FreeBSD.
  Judging all microkernels by chosing Mach as representative is like judging all MS OSes by chosing DOS 1.0 as representative.
  Mach was the first successful microkernel. It was designed in 1984, before anyone knew much at all about microkernels.
  L4 has lower system call latency and faster inter-process communication than Linux, FreeBSD, or WinXP. With fewer than 20 system calls to optimize, it doesn't take a lot of work to optimize system calls.
  QNX, VxWorks, and BeOS all are very responsive microkernel OSes that are somewhat in general useage. Cisco's IOS-XR is based on QNX's microkenel. There's a non-trivial probability that you're utilizing a high performance microkernel to browse Slashdot through VxWorks, IOS-XR, or QNX in a DSL/Coble Modem, router, or satellite.
  I don't have numbers off hand for the performance of UNICOS on Chorus as compared to UNICOS on bare metal, but I doubt Cray would have shipped it if it ran sluggishly. If anyone needs to maintain a reputation for fast OSes, it's Cray.
  Browse some of the papers at L4Ka.org. Even a quick-and-dirty port of Linux to run in userspace on L4 (with an explicit goal of minimizing changes to Linux) shows only a 5% to 10% performance penalty for running Linux on L4. Furthermore, Linux on L4 performs much better than mkLinux even when Linux is running inside Mach's address space (as in Mach being used as a monolithic kernel).
  In short, Mach is a dog.
  If system call latency is the metric, then whichever OS the parent used to post is also a dog.
56. Re:Fat bloated kernels by Anonymous Coward · 2005-08-23 02:02 · Score: 0
  
  Andrew Tanenbaum, I presume? Well, if the Linux kernel was designed this way, then Linus would have the same problems the HURD team has. And Windows NT's kernel is a microkernel.
  
  The HURD's problem isn't that it's a microkernel. The HURD's problem is they want every advanced feature in the book, from release 1.0. For instance, they want transparent checkpointing, and some kind of "market" system where processes bid for RAM.
  There are plenty of microkernel OSes out there in the marketplace. QNX and VxWorks are pretty common for embedded applications. You can run some flavors of QNX as an x86 desktop *NIX. Cisco's IOS-XR is based on QNX's microkernel. Don't forget that BeOS was a decent operating system, much more responsive than the mainstream monolithic OSes of its day.
  NT's kernel is less of a microkernel than Linux. Linux at least runs a good portion of the graphics subsystem in the userspace X11 server. Since NT 4.0, even the GDI has been merged with the NT kernel. There are efforts on both the MS and Linux fronts to make nice clean APIs for userspace drivers, but these APIs aren't mature yet.
Shameless plug by republican+gourd · 2005-08-16 06:52 · Score: 3, Interesting

Since its vaguely on topic, and I'd like feedback if I can get it, here is some shameless whoring for a Free rootkit detection program I wrote:

Heres the URL

This is a multithreaded script that establishes socket connections between the threads and tries to pass a keyphrase between them. The assumption is that even if windows is compromised, a successfull TCP connection will indicate that the port is really not in use, regardless of what netstat says. Unless a rootkit is slick enough to make multiple programs share a port regardless of SO_REUSEADDR, this should catch it. The drawback, unfortunately, is that it can take a significant amount of time to scan 65,000 odd ports in this manner. Anyway, its GPL, so have at it.
1. Re:Shameless plug by Dunbal · 2005-08-16 07:56 · Score: 1
  
  OMFG I downloaded your program and ran it and npW my b0xrz i5 t3h pWnd u b4sTa6E Lo1!!!
  
  I am kidding, of course ;)
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:Shameless plug by svkal · 2005-08-16 09:11 · Score: 1
  
  Quite clever, and as far as I can see it'd work well at the moment.
  
  Theoretically, though, I suppose it could be bypassed by secretly remapping the ports actually used when attempting either to listen on a 'bad' port, or to connect to a 'bad' port on localhost. If this technique were to go into widespread use, that possibility might go from theoretical to practical. You could presumably make the technique more secure very simply by using two entirely different scripts instead of multithreading, allowing the user to run the "caller" from another machine. (Even if that machine too were compromised, the rootkit couldn't remap outgoing connections because it has no way of knowing whether the remote host has had the rootkit applied or not.)
  
  Going into the less practical ways of defeating your scanning method; it assumes that the port used is constant. If, as you say, it takes a fair bit of time to do the scan, it is theoretically possible to have a chance of escaping it by periodically having the connection/open port hop around in the port numbers, still remaining accessible to the outside by using a deterministic algorithm based on time or some such input that is relatively predictable from the outside. This won't ever give the illicit connection more than a chance at dodging the scan, however, and the idea has other significant problems, so I'll wager it's not really a consideration of great importance.
  
  Another thing to consider is that the rootkit, having hidden the 'real' netstat functionality, might still have access to it. If it does, a sufficiently advanced rootkit could detect a scan - not having to be as indiscreet about the matter as your program - and shut all network functionality down for a moment as the scan passes it.
  
  Writing generic tools to detect rootkits on the systems that they are running on is certainly an interesting problem. In principle, the rootkit has all the advantages, in effect preparing a virtual machine to deceive your program. The fact that the computer might be on a network, however, changes things slightly in your favour: the rootkit now has to operate correctly vis-a-vis the legitimate network, while hiding the illegitimate activity, and in certain circumstances, that might be nearly impossible. Your task in writing a network-based rootkit detector, then, would be to alter the 'legitimate' network patterns to make the existence of an illegitimate network as hard as possible.
  
  (The ideal state, I suppose, would be to have the legitimate network suddenly expect all 2^16 ports to operate correctly at once, but this is impossible due to technical limitations.)
  
  Note: I might have said something silly in the above, given that I'm not a security expert in any way. Sorry if I did. Just consider it random thoughts on the matter from a complete amateur. (Also, I confess I didn't read the entire source of your script - it might have addressed some of these issues already.)
3. Re:Shameless plug by Anonymous Coward · 2005-08-16 10:00 · Score: 0
  
  I think that could be easily defeated by installing an LSP (layered service provider) in between your program[s] and the TCP/IP stack.
  
  The layered service provider could intercept any calls to bind() on the port being used by the rootkit, and pass that info along to the process with the socket listening on that port [rootkit owned]. It would then return a successful bind msg to the process calling bind().
  
  When a new connection comes in, the socket buffers around 10 bytes of data, checking for the rootkit "HELLO" signature - if absent, it forwards the connection to the application that tried to bind that port. If present, it processes as it normally would.
4. Re:Shameless plug by republican+gourd · 2005-08-16 10:02 · Score: 2, Informative
  
  This could be largely incoherent, its been a long day:
  
  Regarding the "hop around the port numbers" tactic, depending on how much hopping they do, this would actually make them more findable. One of the major issues I ran into writing this script in originally was what happens to a socket set once the connection is dropped. The TCP/IP stack doesn't actually remove the connection, it sits around in a waiting-for-death state (I have forgotten the actual technical name at the moment) until it has been idle for the timeframe of twice the maximum time to live. The technical reason for this is that it is conceivable that some errant packet may go all the way out by 1 ttl unit, and then wander back by 1 other ttl unit, and until it is no longer possible that any packets will make it home, the stack holds onto that port rather than reassigning it a new connection.
  
  The fun part here is if my scanner scanned numerically, and the OS also is assigning outgoing ports numerically, what you end up with is a mess of everybody stomping on themselves in order (crashing on 1000, then 1001, then 1002... etc) for hundreds and hundreds of ports.
  
  What a port-hopper would run into a situation where his *old* connection, even if he had given it up, would still show up on the scanner as 'in use' for something on the order of an entire minute after the connection was dropped. A substantial amount of port hopping would (after some mathematically calculatable limit) actually make you more easily detectable.
  
  Regarding the client/server version, that wouldn't alleviate my biggest concern: a patched network stack that does an inspect/pass on of interesting packets. If the rootkit is capable of saying "hey, thats mine!" and holding packets that it knows are intended for it and simply passes on all other packets to the "real" port, it wouldn't need to worry about whether or not the machines talking to it were rootkitted or not. They could concievably simply use the Evil Bit for that determination.
  
  I don't think our local script kiddies are going to be that clever though. The way I figure it, if we can force the kiddies to push deeper into the kernel to avoid detection, the harder it will be for their tricks to be version independent and the better off we'll be.
5. Re:Shameless plug by Anonymous Coward · 2005-08-16 10:08 · Score: 0
  
  Might be interesting to try and install a *second* LSP at the top of the stack for the express purpose of comparing notes with the eventual recipient port. Depending on how LSPs were chained (could I reliably put a new one on the outermost edge, despite a rootkit?) this could alleviate that concern. I may have to play with that idea a bit.
6. Re:Shameless plug by svkal · 2005-08-16 10:30 · Score: 1
  
  Hm, I had momentarily forgotten about the "near-death" state(its name eludes me too at the moment). That would certainly eliminate the benefits gained by port-hopping almost entirely, and put a serious dent in any capability to react to a detected scan. If we're picky, though: I don't know too much about TCP/IP implementation, but wouldn't it be possible for an intricate rootkit to patch the stack to actually remove the connection when the rootkit requests it? (It's not as if the rootkit would care about technical reliability in such a case.)
  
  Regarding the client/server version, that wouldn't alleviate my biggest concern: a patched network stack that does an inspect/pass on of interesting packets. If the rootkit is capable of saying "hey, thats mine!" and holding packets that it knows are intended for it and simply passes on all other packets to the "real" port, it wouldn't need to worry about whether or not the machines talking to it were rootkitted or not. They could concievably simply use the Evil Bit for that determination.
  
  Hm, I don't really understand this. If we assume that the rootkit can recognise its own packets(which I agree should be trivial) and trick a listener into believing that it is the sole listener on a port which it is actually sharing with the "evil" connection - both of which seem required for the concept you're describing - wouldn't that fool the combined client/server just as efficiently? The entire scheme seems to hinge upon the assumption that a "listener" can't be tricked into believing that it is alone on a port when it's actually not.
  
  I do agree that actual rootkits are probably not going to be as clever as this - it's certainly easier to talk about this stuff than implement it.
7. Re:Shameless plug by republican+gourd · 2005-08-16 10:48 · Score: 1
  
  > wouldn't that fool the combined client/server just
  > as efficiently?
  >
  
  Yep. That was the point I was trying to make (badly)... there really isn't any point in making it client/server because it would be defeated with the same trick, the client/server complexity wouldn't buy you anything.
8. Re:Shameless plug by Krunch · 2005-08-16 13:03 · Score: 1
  
  Good idea but I think it could be somewhat easily defeated by portknocking. The rootkit would never really listen on any port until it receive some special ICMP packets or something.
  
  --
  No GNU has been Hurd during the making of this comment.
The need for ROM kernels by G4from128k · 2005-08-16 06:53 · Score: 5, Interesting

The core problem with detecting a rootkit is that the detection software would seem to need to run inside the infected codespace. Unless the detector is 100% self-contained (e.g., involves NO calls to OS API during the detection process) the detector is itself detectable and defeatable by a skilled rootkit. Since invoking any software on a running system means calling APIs of that system (to read the executable, spawn a new process, etc.) and those APIs are not trustworthy on a rooted system, detection seems like a tricky problem.

The solution is either to boot the detector from its own media (inconvenient if you want to scan your system for rootkits on any regular basis) or to create a ROM core to the OS that is totally incorruptible. To be safe, this core needs to be not patchable or modifiable by any software running outside the ROM.

The point is that no computer can trust code fragments stored of writable media. The only way to really secure a system is with hardware (i.e., functionality embedded in a chip) or ROM-based software.

Moving to ROM isn't without its challenges. The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch. But maybe the core of an OS should be this way -- based on very well-written code that does not need patching.

--
Two wrongs don't make a right, but three lefts do.
1. Re:The need for ROM kernels by Animats · 2005-08-16 07:11 · Score: 5, Insightful
  
  A secure microkernel is quite possible, but, as Ballmer once said, "If we stopped adding features to Windows, it would become a commodity, like a BIOS. And Microsoft is not in the BIOS businees".
2. Re:The need for ROM kernels by coolsva · 2005-08-16 07:20 · Score: 1
  
  Read recently that in the XBox, there is some 512 bytes of code in the ROM (well hidden) that can authenticate the boot code, this way Im sure a future version of Windows can be sure that it is started without any rootkit exploits (ROM boot code refuses to execute exploited OS)
3. Re:The need for ROM kernels by Bastian · 2005-08-16 07:48 · Score: 1
  
  I fail to see the connection.
  
  I grew up with my mommy telling me that an operating system and a kernel are two different things.
  
  If Microsoft thinks that they need to alter the Windows kernel every time they add a feature to the OS, I think I see why they have so many quality control problems.
4. Re:The need for ROM kernels by Dunbal · 2005-08-16 07:52 · Score: 1
  
  But maybe the core of an OS should be this way -- based on very well-written code that does not need patching.
  
  It doesn't even need to be "very well written". Look at BIOS code, for example. It doesn't exactly have a reputation as the most elegant and efficient code in the world. It just has to WORK, and be unmodifiable.
  
  I am not a programmer - I mean I used to dabble in programming years ago way back when. Did some assembler, some pascal, and some C/C++. I am way out of date though.
  
  --
  Seven puppies were harmed during the making of this post.
5. Re:The need for ROM kernels by elgatozorbas · 2005-08-16 08:24 · Score: 1
  
  Moving to ROM isn't without its challenges. The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch.
  
  Not neccesarily, the ROM can also be implemented like flash ram, which can be write-protected by a (hardware) jumper. If you need to patch you remove the jumper and write. I am not saying this would be fast, but it is feasible.
6. Re:The need for ROM kernels by Jarnis · 2005-08-16 08:52 · Score: 1
  
  And even THAT got 0wned. Witness modchips...
  
  MS and their cronies have a solution already lined up. It's called 'trusted computing'. As an additional bonus, it will make sure that the user won't be able to do anything MS and their cronies don't want you to do on your computer.
  
  All in the name of security, of course.
  
  Freedom or security, which one you want? :)
7. Re:The need for ROM kernels by Jarnis · 2005-08-16 08:59 · Score: 1
  
  BIOS?
  
  Unmodifiable?
  
  Umm... I modified mine last week. By running a windows application (WinFlash).
  
  Sure, I think it requires admin rights, but it sure modified the BIOS.
  
  It's not a longshot to make a piece of malware that knows how to flash, say, the 20-30 most common motherboards and 0wn them via BIOS. I think the only reason it hasn't been done so far is because today's OSes hardly use BIOS for anything. Tho I guess you could make BIOS to load haxx0red version of, say, NTLDR and via that compromise everything silently.
8. Re:The need for ROM kernels by Dunbal · 2005-08-16 09:21 · Score: 1
  
  Yeah ok. I'm a dinosaur. Way back when, BIOS was not on EPROM chips and you couldn't flash it. You had to buy a new chip for $100.
  
  My point remains though. BIOS is not like the best or fastest code in the world. It just does the job.
  
  --
  Seven puppies were harmed during the making of this post.
9. Re:The need for ROM kernels by Anonymous Coward · 2005-08-16 09:55 · Score: 0
  
  "The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch."
  Why not use a flash rom OS, and an MD5 checked restorable system from external media. I am sure that Microsoft has considered this but a bullet proof OS is not in the cards in Redmond. The reason Microsoft does not do exactly this is that they can make more money by constantly making the user upgrade the core.
  I believe that they know that if they ever do make a core that is bullit proof then they will hit a sales peak and then have no room for growth. Having a chip based OS will finally happen, but not as long as Gates and Co have complete control of the industry.
  Funny.. to post this I was forced to decode the word despot, which seems strangely appropriate.
10. Re:The need for ROM kernels by fbg111 · 2005-08-16 10:30 · Score: 1
  
  Of course, they can still add new features to new versions of a ROM-based Windows kernel, just not retroactively. New boxen would still get the new features, just not old boxen. A compromise, but possibly worth it for the security gains. Bit of a red herring, his comment...
  
  --
  Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
11. Re:The need for ROM kernels by Tim+C · 2005-08-16 10:37 · Score: 1
  
  Yes, and that job is to initialise the hardware, load the OS bootloader, then get the hell out of the way. It's far, far simpler than a kernel, and does far less.
  
  --
  It's official. Most of you are morons.
12. Re:The need for ROM kernels by LegendLength · 2005-08-16 15:22 · Score: 1
  
  Without trying to sound rude, you are missing the parent's point. Microsoft don't want to keep a standard and static kernel because it would then become a commodity. This is also the reason why the kernel has such an 'interesting' design in the first place IMO.
13. Re:The need for ROM kernels by LegendLength · 2005-08-16 15:25 · Score: 1
  
  And even THAT got 0wned. Witness modchips..
  I don't think users will have to worry about downloading an infected mod chip!
14. Re:The need for ROM kernels by Animats · 2005-08-16 18:18 · Score: 1
  
  Right. It's quite possible to build a system, such as QNX, where there's a small microkernel that changes very little. All it really does is manage memory, timers, interprocess communication, and CPU dispatching. It can be placed in ROM if desired, and in embedded systems, it often is.
  Everything else, including drivers, file systems, and networking, is a user program. This doesn't limit extensibility. USB and FireWire support were added without kernel changes. (Hardware drivers do need some privileges, but they really are user programs. You can kill them without a reboot and start another copy. I've written and debugged drivers without rebooting.) Even hardware drivers work through the standard POSIX API; there's no special "driver mode".
  If Microsoft designed a system that modular, removing, say, Internet Exploder or Media and DRM Player would be trivial. Microsoft needs a tangled system to lock in users. Ballmer has admitted this.
15. Re:The need for ROM kernels by tengwar · 2005-08-19 23:00 · Score: 1
  
  Moving to ROM isn't without its challenges. The writers of the code will actually need to be very good at their jobs because they won't be able to fix the problem later with a simple patch. But maybe the core of an OS should be this way -- based on very well-written code that does not need patching.
  
  Not necessarily. In the GSM world, it's possible to update phones and SIMs securely (in the sense that only the operator can do it) using OTA ("over the air") provisioning. This involves having the device check the incoming message for a valid sequence number, and some form of shared secret is used (I think this probably uses the GSM Ki mechanism rather than public key). If the message is not duly authenticated, the upgrade is discarded. This would have some down-sides for general purpose computers, since the owner would have to trust the equivalent of the network operator, but it is possible in principle.
It will never happen. by WindBourne · 2005-08-16 06:56 · Score: 1

Instead, when you buy the book, the FBI/DOJ will be studying who you are. Use cash.

--
I prefer the "u" in honour as it seems to be missing these days.
And with it I can hack the gibson in 3 seconds ... by PalmKiller · 2005-08-16 06:57 · Score: 2, Funny

oh nevermind
Rootkit Revealer by IHawkMike · 2005-08-16 06:58 · Score: 1

You can get a great tool for detecting rootkits as well as a nice little explanation of them here.
No Obligatory Snipery? by sadomikeyism · 2005-08-16 06:59 · Score: 3, Funny

Where is the "I for one welcome our rootkit overlords"? Or the "ALL YOUR ROOT ARE BELONG TO US"?

--
"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
1. Re:No Obligatory Snipery? by Anonymous Coward · 2005-08-16 07:47 · Score: 0
  
  I, for one, welcome our rootkit overlords.
2. Re:No Obligatory Snipery? by Anonymous Coward · 2005-08-16 08:08 · Score: 0
  
  I it's for Windows, shouldn't it be called an administratorkit?
3. Re:No Obligatory Snipery? by wpmegee · 2005-08-16 08:18 · Score: 1
  
  Bow before me, for I am root.
4. Re:No Obligatory Snipery? by sadomikeyism · 2005-08-16 08:45 · Score: 1
  
  "Getch yer stinkin' rootkit offa me, you damned dirty hacker!"
  
  --
  "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
Rootkit revealer by markh1967 · 2005-08-16 07:01 · Score: 4, Informative

If you run Windows and want to check if your system has a rootkit installed try running Rootkit revealer.
It scans all files and registry entries at a high and low level then compares the two to see which files and registry entries were hidden to the high level scan.

--
Input error. Replace user and press any key to continue.
1. Re:Rootkit Revealer by IHawkMike · 2005-08-16 07:03 · Score: 1
  
  The L got left off the URL. Sorry. Try again
2. Re:Rootkit Revealer by Marc2k · 2005-08-16 08:26 · Score: 1
  
  I've found some of the SysInternals tools absolutely vital to running (much less debugging or cleaning virus remnants) a Windows system, I literally couldn't live without ProcessXP.
  
  --
  --- What
3. Re:Rootkit revealer by sadomikeyism · 2005-08-16 09:35 · Score: 1
  
  I want to say this has been helpful this afternoon. Ran this while McAfee was freshly updated and some apparently dormant viruses popped up like rats fleeing a sinking ship. I've now deleted the non-McAfee and non-MS files it detected... the rootkits are typically hidden temp files. Deleting one's temp directories (then creating new ones) cleans them out quite well. Good reccomendation...
  
  --
  "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
predictions? by dioscaido · 2005-08-16 07:03 · Score: 2, Insightful

How many readers won't know what a root kit is, and declare 'ha, see! windowze is insecure, glad I run [alternate]'? :}
1. Re:predictions? by Anonymous Coward · 2005-08-16 08:05 · Score: 0
  
  I think just you so far.
2. Re:predictions? by taniwha · 2005-08-16 09:11 · Score: 1
  
  there's a reason they're called 'root' kits and it has NOTHING to do with windoze - first caught one of these on my home sun box back in the early 90s - however you using this as an excuse to trash people should be modded 'flamebait'
Re:Great! (not) by jurt1235 · 2005-08-16 07:04 · Score: 3, Insightful

If you are running MS windows, is it then really your computer? Look good at the licensing, it might reveal some things in the really small print......

Ok, you got moderated as a troll, this should really score good!

--

My wife's sketchblog Blob[p]: Gastrono-me
Why are you reviewing this book? by slavemowgli · 2005-08-16 07:05 · Score: 0, Troll

I'm not a Windows kernel programmer, so I don't feel qualified to comment on the correctness of the code.

Um... then why are you reviewing this book? Shouldn't you be at least somewhat familiar with the topic it covers? Saying that you didn't find any errors or omissions is akin to someone like me reviewing a book on - say - how to do brain surgery and concluding that it's good because I couldn't find any downsides.

When you don't know anything about the topic in question, then it's not surprising that you don't find anything that's wrong with the book. But it also means that your review is, basically, worthless.

--
quidquid latine dictum sit altum videtur.
1. Re:Why are you reviewing this book? by LurkerXXX · 2005-08-16 07:23 · Score: 1
  
  Jose is a security guru. That's why he's qualified to review a book on security. He's very familiar with the topic. Most of the same security rules can be applied to many different systems.
2. Re:Why are you reviewing this book? by Dunbal · 2005-08-16 07:27 · Score: 1
  
  Ahh brain surgery.
  
  Let me enlighten you to the "Law of Neurosurgery".
  
  33% of the patients stay the same or improve
  33% of the patients get worse
  33% of the patients die
  
  The "brain surgeon" is one of the most sued professionals around, through no fault of his/her own. 'Tis the nature of the beast. You had better hope that you never need brain surgery ;)
  
  --
  Seven puppies were harmed during the making of this post.
3. Re:Why are you reviewing this book? by slavemowgli · 2005-08-16 11:28 · Score: 2, Interesting
  
  Oh, I sure do. I once briefly worked in a clinic for neurosurgery once (this was a summer job during school; I wasn't actually involved with the medical side of things in any way) - it was rather scary at times.
  
  We also a considerable amount of accident victims, too, though, and in the case of those, I think that even a 33% chance to improve isn't so bad, because otherwise, they'd have a 100% chance of dying.
  
  --
  quidquid latine dictum sit altum videtur.
Linux is NOT UNIX! by Anonymous Coward · 2005-08-16 07:05 · Score: 1, Interesting

Linux isn't the only kernel, *cough* (UNIX Clone) that has or can have rootkits, other UNIX(tm) variants too - including FreeBSD and somewhat possible on OpenBSD; but Linux being the most common for such in-securities by clueless admins running clueless windows-like/wannabe Linux distros. Odd that they call this a 'rootkit' for MS Windows though, doesn't make sense as there is no 'root' user by default in MS Windows.
-Linux, for those who hate MS.
-*BSD, for those who love UNIX.
1. Re:Linux is NOT UNIX! by Anonymous Coward · 2005-08-16 07:52 · Score: 0
  
  No, GNU's not UNIX.
2. Re:Linux is NOT UNIX! by Krach42 · 2005-08-16 10:33 · Score: 1
  
  I will say for a fact that OpenBSD has rootkits available for it.
  
  Most assuredly, because I've actually had one installed by a cracker on my OpenBSD box.
  
  The one remote exploit in OpenBSD's default install and I get bit by it... AFTER having patched 5 other machines against it.
  
  --
  
  I am unamerican, and proud of it!
A pundit comment by Anonymous Coward · 2005-08-16 07:06 · Score: 0

Lasers don't focus, they naturally produce a beam of light in which all the photons are travelling in approximately the same direction.

just fyi.
She wasn't impressed with my 3.5" floppy, either by spun · 2005-08-16 07:06 · Score: 1

She said I couldn't root her box because my hard drive was too small and I didn't have enough RAM. Then she said that all her ports were closed unless I had a fat pipe. Chicks these days, they want top of the line hardware, let me tell you.

--
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Aw... Windows is growing up... [sniff] by bersl2 · 2005-08-16 07:11 · Score: 1

I have been waiting for the day that Windows rootkits will start compromising the various detection utilities as well, such that the only way to remove the kits is to run read-only from a trusted environment. Then they will all discover how deep the rabbit hole goes. Or something like that.

This is not a troll, because I think that is a sign of forthcoming higher maturity.
Dupe by wardle · 2005-08-16 07:12 · Score: 1

see this article!
Is this a response to that "Ask Slashdot" article?
P.S. This is a joke.
Re: by Anonymous Coward · 2005-08-16 07:16 · Score: 0

Use sparingly, please. The effect just isn't the same when you beat it to death like that.
legal by Khashishi · 2005-08-16 07:17 · Score: 1

Is this book legal?
1. Re:legal by egypt_jimbob · 2005-08-16 08:32 · Score: 1
  
  Amendment I
  
  Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
  
  --
  I am a leaf on the wind. Watch how I soar.
2. Re:legal by grozzie2 · 2005-08-16 09:07 · Score: 1
  
  Depends on what country you are in, but, for most countries, yes. There are moves afoot to change that in some of them these days.
  In it's current form, probably nothing wrong with that book in the usa today. But, change the title to "the terrorist guide to computer compromise", with no change of the contents, and it'll surely earn you a one way ticket to a beachfront resort in cuba...
3. Re:legal by Khashishi · 2005-08-17 06:33 · Score: 1
  
  Oh I thought the bill of rights got repealed. Maybe I was mistaken.
Sample chapter here by Karamchand · 2005-08-16 07:17 · Score: 1

Try before you buy and check out the book's sample chapter, Leave No Trace now!
ROM Microkernels, but they won't help by jfengel · 2005-08-16 07:18 · Score: 1

There is a middle path, where perhaps the ROM can be modified only with very particular acknowledgement from the user. Say, the mod has to be burned onto a CD and booted, and before overwriting itself the existing ROM asks, "Are you 100% sure you got this from a reliable source?" It could even check the Net to check the signature, if it had sufficient IP stack built in.

This works best with microkernel architecture, which lets out Linux and Windows but OS X could conceivably go there. (And Windows actually could do it as well, since it is built around a kind of overblown microkernel.)

But still, the protected kernel isn't really the problem. You can't really hard-code detection software into it because there are always new rootkits that would require mods to the protected kernel. I just showed that it could be done, but it would be deliberately awkward, and so there's plenty of time for a new flaw to be exploited.

It would make it easier to clean the infection off your system without reinstalling, but if you're wiping out everything above the microkernel, you're effectively reinstalling anyway. During a regular reinstall, the BIOS acts as the micro-microkernel. So it's all the same.
1. Re:ROM Microkernels, but they won't help by G4from128k · 2005-08-16 07:47 · Score: 1
  
  There is a middle path, where perhaps the ROM can be modified only with very particular acknowledgement from the user. Say, the mod has to be burned onto a CD and booted, and before overwriting itself the existing ROM asks, "Are you 100% sure you got this from a reliable source?" It could even check the Net to check the signature, if it had sufficient IP stack built in.
  
  How can the ROM know that it got a valid user response (or that the user even saw the ROM's request) unless 100% of the UI is in ROM? All the rootkit needs to do is fake the user's acknowledgment or subvert the user into saying yes to something seemingly innocuous. To create a truely secure system, some part of it must be 100% secure from social engineering.
  
  This works best with microkernel architecture, which lets out Linux and Windows but OS X could conceivably go there. (And Windows actually could do it as well, since it is built around a kind of overblown microkernel.)
  
  Either a microkernal or a compact bootstrap OS could do the job.
  
  But still, the protected kernel isn't really the problem. You can't really hard-code detection software into it because there are always new rootkits that would require mods to the protected kernel. I just showed that it could be done, but it would be deliberately awkward, and so there's plenty of time for a new flaw to be exploited.
  
  Although new rootkits can emerge, they all share a key characteristic of modifying the OS in some way. The ROM detector does not need to know about the latest "Rootd00dWormoxor.Z" infection, it only needs to be able to detect that key routines of the OS (in RAM or on media) have been compromised. Your suggestion of signature checking is an excellent one and should suffice to detect the presence of a rootkit. Once alerted, the user would reboot their machine from a more up-to-date secured-media OS copy and work to clean the infection.
  
  It would make it easier to clean the infection off your system without reinstalling, but if you're wiping out everything above the microkernel, you're effectively reinstalling anyway. During a regular reinstall, the BIOS acts as the micro-microkernel. So it's all the same.
  
  Yes, the BIOS could serve as the micro-microkernel if it were in ROM, not Flash memory as seems to be the current fashion. Flash makes the BIOS vulnerable to rootkit corruption. A truly secure system would not be modifiable in any way (other than replacing the ROM chip).
  
  --
  Two wrongs don't make a right, but three lefts do.
2. Re:ROM Microkernels, but they won't help by jfengel · 2005-08-16 09:05 · Score: 1
  
  How can the ROM know that it got a valid user response (or that the user even saw the ROM's request) unless 100% of the UI is in ROM?
  
  I was proposing a limited UI that could ask the question without any help from the rest of the OS. Basically, what happens in BIOS today on Intel architectures: there's enough for a text-based UI right on the chip.
  
  Or do it the way some routers do, with a web-based UI, again right on the chip. That would enable remote upgrades. Authentication would be tricky, but not impossible.
3. Re:ROM Microkernels, but they won't help by G4from128k · 2005-08-16 09:40 · Score: 1
  
  I was proposing a limited UI that could ask the question without any help from the rest of the OS. Basically, what happens in BIOS today on Intel architectures: there's enough for a text-based UI right on the chip.
  
  OK, I see that as a possibility -- the first Macintoshes managed to stuff a GUI into a few hundred kB. But I fear it would still be only safe during a hard reboot as a rootkit could easily fake screens of BIOS UI, and ask the user to do something that exposes the password for changing the microkernel ("Danger, virus detected." "Clean"/"Ignore"...... "Please enter admin password"). To be safe, the unrootable software needs to have its own private, direct access to the I/O channels (or contain read-only code for the core APIs for the UI).
  
  Or do it the way some routers do, with a web-based UI, again right on the chip. That would enable remote upgrades. Authentication would be tricky, but not impossible.
  
  Good point! I'm willing to be proven wrong, but I'm very skeptical of anything network-based as the rootkit could easily be a man-in-the-middle. Unless the ROM implements its own secure networking stack it could never be sure that the incoming or outgoing packets weren't being tampered with by the rootkit. The threat is the a rootkit could inject its own packets asking to modify the microkernel or replace valid microkernel modification packets with rooted ones.
  
  It's a real tinfoil hat situation. The only way to securely modify the microkernel is to ensure that every connection in the modification process is unmodifiable by a rootkit.
  
  --
  Two wrongs don't make a right, but three lefts do.
4. Re:ROM Microkernels, but they won't help by drsmithy · 2005-08-16 11:54 · Score: 1
  
  This works best with microkernel architecture, which lets out Linux and Windows but OS X could conceivably go there. (And Windows actually could do it as well, since it is built around a kind of overblown microkernel.)
  Unfortunately, OS X is about as much a "microkernel" as Windows NT is. Which is to say it was sort of a microkernel a long time ago, but practical requirements have long since moved most things into kernel space.
Does This Violate The DRMCA? by Cheirdal · 2005-08-16 07:22 · Score: 1

I would think books that specifically tell how to bypass security in proprietary commercial applications would be a violation of the Digital Rights Millenium Copyright act.
1. Re:Does This Violate The DRMCA? by Anonymous Coward · 2005-08-16 07:34 · Score: 0
  
  You're all a joke, from your writing in "leet case" to acting like a script kiddy.
2. Re:Does This Violate The DRMCA? by Cheirdal · 2005-08-16 07:38 · Score: 1
  
  Nice insightful comment there, skippy.
3. Re:Does This Violate The DRMCA? by Dachannien · 2005-08-16 07:47 · Score: 1
  
  You mean the Digital Millennium Copyright Act, or DMCA? The DMCRA is something else altogether, and the "DRMCA" doesn't even exist.
  
  In response to the question you tried to ask, though, no. Bypassing security is not a DMCA violation. The DMCA forbids bypassing schemes that restrict access to copyrighted works.
4. Re:Does This Violate The DRMCA? by BillyBlaze · 2005-08-16 08:08 · Score: 1
  
  I would think that any law that outlaws a book would be a violation of the First Ammendment of the US Constitution.
5. Re:Does This Violate The DRMCA? by Cheirdal · 2005-08-16 08:53 · Score: 1
  
  Thanks. Good answer. I feel like its deja vu. Someone may have explained this same thing too me a few months ago on here and I forgot.
original sin by Anonymous Coward · 2005-08-16 07:25 · Score: 0

"If a Mac hacker was as motivated as any PC hacker, could a rootkit like hacker defender be installed just as easily on a Mac?"
Unlike PC users, Mac users aren't evil, soulless bastards, so they would never do anything as low-down as write a rootkit.
She said my rootkit must be stealth by Anonymous Coward · 2005-08-16 07:26 · Score: 0

Because she couldn't even tell when I had it installed in her box. I don't no respect. No respect at all, I tell ya.
Re:31337 by Anonymous Coward · 2005-08-16 07:28 · Score: 0

One book you'd find handy is a grammar one...
Excellent: I will use AJAX to deploy my rootkits by veganopolis · 2005-08-16 07:32 · Score: 0

All of the pieces are coming into place. The world will crumble before me. With this book, and the power of AJAX I will rule!

But seriously, so when is MS going to sue these guys and the DOD target these enemy combatants???

lol, well, I wouldn't be surprised. Did I tell you about this guy that I read about recently? He was arrested for swinging a knife in front of his father. So he went to jail for a year because he was convicted for "terrorist threats". THE DUDE WAS DRUNK...

I mean come on, haven't we all got drunk and swung a knife in front of our fathers and threatened to... oh wait... must focus on AJAX rootkits!
In the finest tradition of Slashdot whining, by Knights+who+say+'INT · 2005-08-16 07:33 · Score: 1

What is with the constant irritating use of "In the finest tradition of"?

In any case, good to see long articles. Slashdot should have more of them.
It works - unless you encrypt the filesystem by arete · 2005-08-16 07:35 · Score: 2, Informative

If you encrypt the Windows Filesystem then there is no trivial way to get the data without the decryption key. This is breakable given time, etc. depending on how strong the encryption is.

It also makes it a royal pain to recover if certain things go wrong.

If you DIDN'T encrypt the filesystem then it is absolutely trivial to change the admin password, to put the disk in another machine, to boot linux and read the HD... etc. Because the data is completely insecure.

This is COMPLETELY THE SAME on Linux. You can boot any normal linux install from a boot disk and reset the root password. Actually in Linux you don't even usually need a disk, you just need to enter init=bash in LILO (depending on LILO/Linux settings; this can certainly be turned off)

Security means not giving people physical access, or at a minimum restricting the boot sequence to only be harddrive, locking the CPU, locking the BIOS and locking the boot loader. This is true in any OS.

--
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Woohoo!!! by eno2001 · 2005-08-16 07:36 · Score: 1, Funny

I just got the winning bid on a Cray MP-X computer! I've wanted one of these since I was in high school back in 1988. It runs some old Unix variant called UniCOS, but considering the clock speed and RAM, I'm pretty sure it shouldn't be too hard to get Windows XP 64-bit running on it. That's one thing that always makes me laugh is how people are always buying the "latest and greatest" Pentium crap when it would be more cost effective to get a Univac, VAX or PDP-11 and just set up some x86 emulation on it to run Windows at blazing speeds.

I'm a Windows hacker and I know how to do all kinds of leet things with WIndows that would amaze the experts. In fact, I have a few tricks up my sleeve that even Bill Gates doesn't know about. But getting a Cray to run Windows is going to be one of my best feats ever. I prepped my home office for the possibility of getting a Cray about a year ago and cleared away a little space and got a grounded 110 vac outlet installed (my house doesn't have grounded outlets except for this one).

One of my oldest friends who knew me back in high school used to argue that if he could set up a cluster of five or ten Amigas, he'd outperfomr the Crays. Now I can finally get him to see the truth. My Cray running Windows XP is gonna smoke his thirty node Amiga cluster. It just goes to show you that Intel is a bunch of liars. Every time they've raised the clock speed on their procs, they've dropped the amount of bits that can be processed by the proc so things improve in an incremental way. Whereas, Seymore Cray got it right the first time when he chose massively parallel computing over serial prosessing. With Windows XP's SMP support it should be able to take full advantage of the Cray's parallel architecture. Just wait until I get Halo running on this beast!

--
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
1. Re:Woohoo!!! by MadMorf · 2005-08-16 09:05 · Score: 1
  
  I'm a Windows hacker and I know how to do all kinds of leet things with WIndows that would amaze the experts...With Windows XP's SMP support it should be able to take full advantage of the Cray's parallel architecture. Just wait until I get Halo running on this beast!
  
  God I hope this is a joke...
  
  --
  Goofy, Geeky Gifts and More!
2. Re:Woohoo!!! by Orrin+Bloquy · 2005-08-16 09:14 · Score: 1
  
  And then it's gonna be the BEST PROM EVER!
  
  --
  "Made up/misattributed quote that makes me look smart. I am on /. and I must look smart."
3. Re:Woohoo!!! by navyjeff · 2005-08-16 09:48 · Score: 1
  
  He's gone mad with power!
Obligatory 'Monkey Island' quotes by Anonymous Coward · 2005-08-16 07:38 · Score: 0

And then ye must drink grog with us. GROG! GROG! GROG! ... and we're getting dangerously low on grog.
Re: Is it easy to get rooted for Macs? by chota · 2005-08-16 07:39 · Score: 5, Informative
Well, it's not really an Apples-to-Apples comparison, of course. But to answer your question, No, it could not be installed "just as easily." However, once installed, it might be "just as difficult" to remove or detect. :)

Two main points:
1. It all comes down to default user permissions. On Windows (by default), everyone is an admin, so, with one wrong click, and you really can bring your system to its knees. With OSX, users are just users by default, and you have to authenticate to install something potentially nasty. I've observed that the actual *authentication* (typing in a super-user password, different from your own) is enought to get a user sit back and think "Gee, maybe I shouldn't do this." Contrast this with the Windows equivalent of a popup with 2 buttons, "Run" and "Don't Run." People condition themselves to click the "Run" button automatically. This is because of the inherent differences in the OS.
  - Windows has a legacy of having its users being administrators; therefore, the vast majority of Windows apps assume that they can write files and registry entries willy-nilly. (If you don't think it's that bad of a problem, talk to a knowledgable and responsible Windows network admin, trying to secure a general-access lab that MUST have Adobe and Macromedia apps on it -- it's a nightmare, I tell you)!
  - Mac OSX, in contrast, since it didn't have a "legacy" (i.e., it was architected from the ground up, and purposefully did NOT include backward-compatibility), all apps written for OSX simply must be written to the security spec, or they simply won't work. Additionally, with 10.4, Apple has proven that they care more about security and logic in the OS than backward compatibility (whether you think that's good or bad, it's there) -- witness the extreme breakage of pretty much every non-Apple OSX network utility.
2. OSX has Single User Mode . There is no Windows equivilent. Safe mode is a laughable comparison. With OSX's Single User Mode, you can pretty darn easily clean up our theoretical infected machine.
3. Third point that doesn't really count: Although I hate to stereotype; Apple users are generally smarter than Windows users. There, I said it.
Disclaimer: I am a Windows network admin (and MCSE:2003 certified), but I lead a double life where I use and administer a small network of Macs.
More misspellings by foobar_fred · 2005-08-16 07:41 · Score: 1

Misspellings til the cows come home

A group of people out there, let's call them 'elite hacker d00ds,' are able to skillfully craft Windows rootkits that evade almost any known detection system.

Shouldn't that be '1337 h4x0/2 d00dz'??? FOR THE LOVE OF GOD, STOP THE MADNESS!!

--
feh.
Re: Okay, Okay, Okay, but... by Anonymous Coward · 2005-08-16 07:45 · Score: 0

Have you ever tried to drink a Greg? Grog is much easier on the mouth and throat! -- Posted Anonymously by a coward.
Kernels can all have rootkits. by DaedalusHKX · 2005-08-16 07:53 · Score: 1

That being said, windows is just notorious for crappy code in name of ease of use (which they achieve to some extent or other but with too much tradeoff and too much cpu hunger).

I have run both BSD and Linux in various flavors. I eventually settled on Debian and Gentoo. Gentoo for home and office use and Debian OR Gentoo for servers. If I need a rock solid monster server, then its probably gentoo or bsd.

Going onto security...

Rootkits have always been a threat to admininstrators everywhere, but in windows, even spyware can autoinstall various programs, and it takes a lot of work and authorization from microshit to actually change anything in the OS without violating the EULA.

Going on from there...

In any of the OSS *nixes *nuxes or *bsd's you're free to modify or change how the system works. Nobody will sue you or void your warranty. You're also free to learn how to code to standards that microsoft later revises and creates their own incompatible and buggy versions around.

This may sound like a troll but think closely, and you'll see I'm right. It isn't the fact that an OS can have rootkits... its that in windows, almost anything can install a rootkit without antivirus or spyware proggies to stop it (and most windows IDS are clunky at best and expensive for most small shops to own or operate.)

Last of all, think about it. Everyone talks about "securing your windoze box". WHY?!?! If an average user has to go through ALL that work (in their perspective) after they paid 300 bucks for that POS, then why not download linux or buy a batch of cds from cheapbytes. Same amount of work, better results, safer system (relatively) and linux will not fall apart if you disable system services. And you don't have to waste 20 minutes on the phone if you want to reinstall the system or pay MORE just to install it on another system. It helps if you make a donation to your preferred project

--
" What luck for rulers that men do not think" - Adolf Hitler
1. Re:Kernels can all have rootkits. by drsmithy · 2005-08-16 13:52 · Score: 1
  
  Rootkits have always been a threat to admininstrators everywhere, but in windows, even spyware can autoinstall various programs, and it takes a lot of work and authorization from microshit to actually change anything in the OS without violating the EULA.
  What are you trying to change - that you're supposed to be able to change - that you think you need special authorisation from Microsoft to do so ?
  This may sound like a troll but think closely, and you'll see I'm right. It isn't the fact that an OS can have rootkits... its that in windows, almost anything can install a rootkit without antivirus or spyware proggies to stop it [...]
  Simply not running as Administrator stops 99% of malware in its tracks (just like on any other multiuser OS).
2. Re:Kernels can all have rootkits. by DaedalusHKX · 2005-08-16 14:17 · Score: 1
  
  Exactly, how many REGULAR home users can do this?
  
  Windows is primarily sold on its "merits" as being easy to use. Most home users and more than half of the business users I ever dealt with had to be hand held through plugging in their printers to the back of the machine and checking outlet power...
  
  These are not people who would even understand not running as admin (especially when a new piece of software comes in and they need to use it tomorrow but can't afford another $200.00 to $300.00 bill to have a tech come out for 2 or 3 hours. (1 hour of work waiting for app to install and patches to come down, some driving each way, which also gets billed to them. And don't forget the extra 2 hours to practice with them and make sure they know WTF they are doing... (nevermind watching them go insane when they have to install apps as admin, but end up reverting to userland for everything else... wait till you see their frustration (after which they'll argue that the bill isn't right, because you made things harder, etc)
  
  How then, is this any "easier" than linux or bsd?
  
  Oh, and are you familiar with Shatter Attacks ? (I believe in more educated computing environments (i.e. non windows) they are called Privilege Escalation Attacks. I seem to recall that Microsoft claimed to have fixed theirs (especially the one from the winlogon process), but to this day, even a guest account on their graphical console can be used to subvert restrictions by the most trivial virus programs out there... I can't write one but I know at least 3 coders who can (but won't, that's a different story).. I happen to live with one of them, the only issue being that he's sworn never to write a line of code for M$ ever again. What about hard core hackers who know the innards of windows and its sourcecode far more than my recently graduated roomie and his friends?
  
  Anyways, a lot of what you say sounds like you get your training and education from the MCSE camp, where almost everything works on paper and supposedly works in real life too. I was an MCSE, before I shelved that crap, trust me, even IF M$ was the best coding group ever, the users they cater to, are still the stupidest bunch ever... there is no practical way to teach them safe computing practices and have them adhere to them. They will do what is easiest and most convenient.
  
  --
  " What luck for rulers that men do not think" - Adolf Hitler
3. Re:Kernels can all have rootkits. by ryanr · 2005-08-16 18:13 · Score: 1
  
  Why would not being Administrator be a significant barrier for malware?
4. Re:Kernels can all have rootkits. by drsmithy · 2005-08-17 13:23 · Score: 1
  
  Exactly, how many REGULAR home users can do this?
  You're missing my point. You said "its that in windows, almost anything can install a rootkit without antivirus or spyware proggies to stop it". This is not correct.
  How then, is this any "easier" than linux or bsd?
  OS X handles this situation best, although the simple fact is 90% of people will quite happily type in their password whenever prompted for it, making this sort of "protection" pretty weak.
  Oh, and are you familiar with Shatter Attacks ?
  Yes. It's a local privilege escalation attack that exploits applications that aren't properly written.
  [...] but to this day, even a guest account on their graphical console can be used to subvert restrictions by the most trivial virus programs out there [...]
  Funny how none of them do - I've yet to see a piece of malware that running as a non-Admin didn't stop.
  What about hard core hackers who know the innards of windows and its sourcecode far more than my recently graduated roomie and his friends?
  Then the situation is no different on Windows than it is on any other OS.
  Anyways, a lot of what you say sounds like you get your training and education from the MCSE camp [...]
  Not that it's relevant, but 90% of my "training and education" is from the coal face as a unix admin.
  They will do what is easiest and most convenient.
  This is precisely why 90% of "security problems" are the end user's fault and why _any_ platform with the prevalence of Windows would have similar issues.
5. Re:Kernels can all have rootkits. by drsmithy · 2005-08-17 13:29 · Score: 1
  
  Why would not being Administrator be a significant barrier for malware?
  Strictly speaking it's not, as most malware doesn't really need higher privileges to do most of the things it does. However, a great deal of the stuff around today fails as soon as it can't write to parts of the registry and filesystem it expects to be able to.
6. Re:Kernels can all have rootkits. by ryanr · 2005-08-17 17:16 · Score: 1
  
  True. But I'm starting to see a significant amount of the binaries that I analyze check to see if they are admin, and do different things based on that, and/or install themselves to multiple "startup" registry locations, including at least one HKCU.
  
  If Windows culture were such that everyone switched to using a non-admin account, the malware is fully ready to adapt.
  
  In fact, if I understood correctly, some of the MS05-039 worms this week are in essense using a local priv escalation. On XP & Win2K3 boxes, you can't get to the named pipe over the anonymous connection. However, one it's running on the box... you can use the loopback interface, and you are authenticated, and can attach the named pipe.
Re:Sounds like you've got the problem solved... by Anonymous Coward · 2005-08-16 07:57 · Score: 0

Get to work implimenting it then Skippy!
Yes, but... by dhasenan · 2005-08-16 08:01 · Score: 1

Yes, but it's only if they explicitly request a specific record. Libraries don't like serving this type of information.
:D by Gentlewhisper · 2005-08-16 08:01 · Score: 1

Addison.Wesley.Professional.Rootkits.Subverting.th e.Windows.Kernel.Jul.2005.eBook-DDU.chm

--
Online backup with Mozy, sounds like Ozzie, but more!
as if someone cares(i mean the subject line) by sbeashwar · 2005-08-16 08:03 · Score: 0

A decent personal firewall like Kerio, will just expose all those foolish things that Windows tried to do without your knowledge. A properly configure personal firewall is good enough. After all nobody intends to use it for anything but entertainment. I haven't found a player as good as PowerDVD on linux once that happends I will make the switch for ever.
Ugh. by Sheepdot · 2005-08-16 08:04 · Score: 5, Informative

I hate it when non-technical posts get rated as informative. First off, as others here have misstated, rootkits are essentially malicious drivers or kernel-level backdoors. They are *not* exploits, not bugs, and not driver cracks. Rootkits are essentially malware that runs at a higher level than most malware, with the intention of using API-hooking to misreport filesystem, process, and network status. The expertise required to make them is generally several orders higher than DDOS zombies or botnets. Though ironically, that same kind of malware is almost always installed and then subsequently hidden by the rootkit after one is installed.

I only felt it necessary to mention this because of those individuals who seem to think rootkits themselves are exploits to get escalated privileges. While some rootkits get installed via "shatter attacks" and other priviledge escalation exploits, they themselves aren't doing any exploiting.
1. Re:Ugh. by speck · 2005-08-16 09:33 · Score: 1
  
  Rootkits are essentially malware that runs at a higher level than most malware, with the intention of using API-hooking to misreport filesystem, process, and network status.
  
  Don't you mean lower-level? In the sense of device drivers being lower-level than, say, the application layer, where spyware and similar processes would more commonly reside? (I'm not trying to nitpick here, I'm genuiney curious.)
2. Re:Ugh. by Sheepdot · 2005-08-18 04:09 · Score: 1
  
  You are correct, I did mean lower-level.
brass ring, not halo by Anonymous Coward · 2005-08-16 08:06 · Score: 0

I retract my previous statement.
yes and no by hummassa · 2005-08-16 08:07 · Score: 1

IIRC, the Windows encrypted filesystem keeps the key together with the data, still needing that the key passphrase is somewhat strong.
There are Linux encrypted filesystems that permit you to keep your key in another media (like an USB drive or a floppy or a cd-rom).

--
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
1. Re:yes and no by amliebsch · 2005-08-16 08:24 · Score: 1
  
  There are Linux encrypted filesystems that permit you to keep your key in another media (like an USB drive or a floppy or a cd-rom).
  Windows too.
  
  --
  If you don't know where you are going, you will wind up somewhere else.
Re:Great! (not) by Anonymous Coward · 2005-08-16 08:08 · Score: 0

...there would have never been a need for firefox.

Awg! Heresy! <tears at clothes and eyes> You got modded down for that. Talking about no need for Firefox, even hypothetically, here on /. is like walking into a fundie church and standing up and saying maybe there is no god.
Re: Is it easy to get rooted for Macs? by Anonymous Coward · 2005-08-16 08:10 · Score: 0

On Windows (by default), everyone is an admin
Um, not true.
5 seconds? by Anonymous Coward · 2005-08-16 08:15 · Score: 0

She probably slapped you cause you'd be done in 5 seconds...
External devices? by Marc2k · 2005-08-16 08:20 · Score: 1

The solution is either to boot the detector from its own media (inconvenient if you want to scan your system for rootkits on any regular basis).

That's not necessarily the case. Initially when I thought about it, I was thinking "Hm, a USB dongle would be a great device for that, just boot to the dongle periodically, and have it scan the drives." Of course, that would only really prevent rootkits in home computers [possibly], because you're absolutely right, no one in their right mind is going to hire some dude to go around to all the workstations after hours and clean out machines with a physical device. But what about a network device? Something that could sit on a local area network (and obviously never, ever touch the outside world), and remotely scan workstations. It wouldn't necessarily need to be read-only (though it could be), you'd just have to have lots of protections in place (i.e. using quarantined memory spaces or even devices, so that scanning a cleverly infected machine couldn't trick the scanner into infecting other machines on the localnet).

--
--- What
1. Re:External devices? by cnettel · 2005-08-16 08:58 · Score: 1
  
  How do you intend to perform the remote scanning? LAN boot?
  On the other hand, even booting from its own media isn't any panacea if you even distrust the BIOS.
leave kit by shallow+monkey · 2005-08-16 08:30 · Score: 1

What windows actually needs is a good leavekit, showing people how to leave MS behind forever.
Don't Beat Detection, Change It! by Anonymous Coward · 2005-08-16 08:32 · Score: 0

Just change the detection system to display an error saying "An illegal operation has occurred" and users will blissfully ignore the detection system as if nothing unusual had happened.
subverting the Windows kernel? by cahiha · 2005-08-16 08:38 · Score: 0, Troll

What's the fun in that? Even assuming that the Windows kernel developers know what they are doing in terms of security (debatable), the Windows kernel just hasn't been designed to withstand these kinds of attack.
1. Re:subverting the Windows kernel? by cnettel · 2005-08-16 09:08 · Score: 1
  
  No, it allows the user to load unsigned code in kernel space! Those bastards...
2. Re:subverting the Windows kernel? by Anonymous Coward · 2005-08-16 09:20 · Score: 0
  
  So do Linux and Macintosh kernels, and we'd be cursing if they didn't.
Rootkits and you by hexed_2050 · 2005-08-16 08:38 · Score: 1

I always considered Windows XP a rootkit itself.

--
Valkyrie is about to die! Wizard needs food -- badly!
Re: Is it easy to get rooted for Macs? by Anonymous Coward · 2005-08-16 08:44 · Score: 0

have you ever had a girlfriend long enough to get to the nasty part of the month?
Yes, rootkits are now in Malware by ErikTheRed · 2005-08-16 08:45 · Score: 4, Interesting

I found an interesting pop-up generating piece of malware several weeks ago that appeared to use rootkit-type techniques to hide itself. It was invisible from the process lists (including the nicer command line ones) and the filesystem. I was able to track it down and delete it (unfortunately, the machine was several hundred miles away and I was working on it remotely, otherwise I would have booted off a CD and made a copy of the little bugger), but it was a royal pain in the ass to do.

For the interested (some of the details might be slightly off because I've consumed a lot of booze between then and now, but the overall gist is correct), I found the malware by using SysInternals RegMon to find the process ID that kept replacing the registry entries that loaded it. That Process ID couldn't be killed by any of the tools I could find (because they check to see if the pid is valid before trying to terminate it, and it had stealthed itself to the point where the ID appeared to be invalid ... grrr). So I used ProcMon to kill any threads associated with the pid - the process was invisible, but you could still find the threads by which libraries they were using and kill them there (use the search command). Once the threads were killed, I could overwrite the loader file (you couldn't read it, copy it, list it, etc., but it would give you an error if you tried to overwrite it while the threads were running).

--

Help save the critically endangered Blue Iguana
1. Re:Yes, rootkits are now in Malware by value_added · 2005-08-16 11:36 · Score: 4, Interesting
  
  Your post reminds me of something I read on the NTBugTraq mailing list. I don't have a link so I'll quote it below.
  CWS, CoolWebSearch, is a particularly nasty incarnation of ad-ware. CWS is widely discussed on the web, but it's poorly understood and procedures to remove it are often lengthy, cumbersome and ineffective. ... The shield-DLL installs itself to the following registry value in NT4-type systems:
  
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
  
  Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based application running within the current logon session." IOW, any ad-ware found here runs concurrently with _every_ program launched. It is truly astonishing that such a registry location exists.
  
  Here's what the CWS shield-DLL manages to do:
  
  1. It prevents almost all registry editors from displaying it as an AppInit_Dlls value. This list includes, but is not limited to: Regedit.exe (even if renamed), Regedt32.exe, Reg.exe, Autoruns, HijackThis, and, my favorite (because I wrote it), the "Silent Runners.vbs" script. The _only_ program known to display it, for unknown reasons, is the freeware Registrar Lite 2.0, available here: http://www.resplendence.com/reglite/
  
  2. It prevents all GUI and command line tools from listing it or deleting it. This list includes, but is not limited to: Windows Explorer, DIR, ATTRIB, CACLS, and DEL.
  
  3. The .DLL file has eccentric security permissions (SYNCHRONIZE and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed from memory, an Admin must reset security to delete the file.
  
  4. It has a unique name on every system it infects.
  
  5. It ensures that a BHO starts up with IE at every boot.
  
  6. If the BHO is deleted, it restores the BHO under a new name at the next boot.
  I'm sure you'd agree it's interesting reading. The conclusions one can draw are numerous, but I can't resist the comment that every time the folks at at Systernals decide to write a program, Microsoft should feel embarrassed.
Slashdot doesn't give a flying fuck what you write by Anonymous Coward · 2005-08-16 08:57 · Score: 0

You can write any old shit you please. No God damned censorship here, fuck no. You could call someone a Jesus-sodomizing, ball-licking, cunt-faced piece of monkey jizz and no one would care. That's fucking great, don't you think?
Re: Is it easy to get rooted for Macs? by linuxfanatic1024 · 2005-08-16 09:07 · Score: 3, Informative

Not true? Yes it is. Windows XP sets up one admin account for the user, and it doesn't encourage using an unprivileged account. In fact, most Windows users think that it is best to use the admin account all the time (because of the reasons I just mentioned and also the fact that so many USER APPLICATIONS need administrative privileges (like games) when they really shouldn't need these privileges.

--
Microsoft-free since March 28, 2004
www.hxdef.org by Dante · 2005-08-16 09:14 · Score: 1

This might be a site worth looking into.

www.hxdef.org

Don't go there with IE

--
"think of it as evolution in action"
Runs at a higher level? by Tetravus · 2005-08-16 09:30 · Score: 1

So device drivers are high level programs now, eh?

Perhaps I will need that HC11 assembly I learned in school after all. ;-)
1. Re:Runs at a higher level? by Anonymous Coward · 2005-08-17 03:15 · Score: 0
  
  I think he meant a higher privilege level.
2. Re:Runs at a higher level? by Sheepdot · 2005-08-18 04:12 · Score: 1
  
  Sorry, I meant higher privileges, but lower implementation-level.
Re:And with it I can hack the gibson in 3 seconds by Courtney+Gibson · 2005-08-16 09:43 · Score: 1

Careful... I've been to Soviet Russia. ;-)
Apple should patent root-kitting WinXP by WillAffleckUW · 2005-08-16 09:46 · Score: 1

turnabout's fair play for MSFT patenting the iPod ...

--
-- Tigger warning: This post may contain tiggers! --
1. Re:Apple should patent root-kitting WinXP by DaveCBio · 2005-08-16 12:53 · Score: 1
  
  What does that have to do with anything? Or is this just another dogpile anti-MS quip? If you want to make some informed comment on the problems with Windows security then go for it, but talk about a red herring. Also, if you want to go down that road how would you feel if it was Apple enforcing a patent (as they have in the past)?
Re: Is it easy to get rooted for Macs? by Anonymous Coward · 2005-08-16 10:16 · Score: 0

but I lead a double life where I use and administer a small network of Macs

so you're living on the down-low?

ha ha ha ha ha ha ha
Stop calling script-kiddies hackers! by Anonymous Coward · 2005-08-16 10:16 · Score: 0

(Deprecated) A malicious meddler who tries to discover sensitive information by poking around. Hence "password hacker", "network hacker". The correct term is cracker.

Get a clue people! Script-kiddies are no experts people! And it doesn't take a rocket scientist to exploit Windows either.
what's the problem? by Anonymous Coward · 2005-08-16 11:08 · Score: 0

you can just recompile your widnows kernel to ensure is not rootkited.
oh, can't you?
1. Re:what's the problem? by Anonymous Coward · 2005-08-16 15:50 · Score: 0
  
  Nope. Windows comes fully assembled and finished. You don't have to finish putting it together just to get it functional, thank god.
You're right, because.. by Anonymous Coward · 2005-08-16 11:15 · Score: 0

they won't know what to do with boobies.
Darwin? by misleb · 2005-08-16 11:18 · Score: 1

Darwin is a good example of a modern microkernel OS and it has terrible disk I/O because of all the extra overhead of having a microkernel. Why would we want to cripple all OS's like that? Or did Apple do something that made Darwin particularly slow? Most exploits are user land anyway. What would be the point?

-matthew

--
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
1. Re:Darwin? by Anonymous Coward · 2005-08-22 23:50 · Score: 0
  
  Darwin is a good example of a modern microkernel OS and it has terrible disk I/O because of all the extra overhead of having a microkernel.
  
  Modern? Microkernel? Bzzt. Wrong on both counts. Thanks for playng!
  Repeat after me: OS X and Darwin run on top of Xnu, a monolithic kernel based on the Mach microkernel, which was designed in 1984. It's NeXT's microkernel based on OSF Mach, merged with NeXT's BSD personality that used to run in userspace. The ancient OSF Mach microkernel, the drivers, the BSD personality, and nearly all of the memory management run in the kernel's address space in privileged mode (PPC)/ring 0 (x86). Xnu is a monolithic kernel based on a microkernel based on a monolithic kernel. Don't let the file name mach_kernel fool you. There's a lot more inside Xnu than OSF Mach 3.0.
  It's a great example of cutting edge technology from 1988 that got starved for development money in a dying company until the company was bought out in 1997. Think about it. NeXT more or less had OS X in 1988. Apple replaced Display Postscript with Display PDF and made things prettier, but the low-level stuff stayed pretty much unchanged.
  If you want an example of a modern microkernel, talk to Wind River, Cisco, QNX, or the BeOS/Zeta people. L4 is also a modern microkernel, but I'm not aware of any commercial products that use an L4 microkernel.
  I suspect that Cisco's IOS-XR (based on the QNX microkernel) will give the poster's OS of choice a run for its I/O money.
How much root could a rootkit root... by Anonymous Coward · 2005-08-16 11:21 · Score: 0

Hey, I thought Windows was the rootkit.

(Just upholding Slashdot tradition).
Re: Is it easy to get rooted for Macs? by E-Mind · 2005-08-16 11:27 · Score: 0, Offtopic

A guy was driving his car and got a call from his wife warning him about a radio news report of a dumbass that was driving in the opposite direction against traffic on the same road he was on. So the guy replied - 1 dumbass? I saw 50 already... Moral of the story - if everyone sais that Apple is overpriced - Guess what? It is. And as much as you would like to think so, buying overpriced goods is never smart.
Your OSX rootkit isn't a rootkit... by TheLittleJetson · 2005-08-16 11:31 · Score: 1

Where are the programs I compile to get root? Rootkit is a ready-to-go deployable root-getting suite.

What you have is a ~9 month old document showing some items of concern. Rootkit is not the same as "this system has some SUID root binaries on it..."
1. Re:Your OSX rootkit isn't a rootkit... by LurkerXXX · 2005-08-16 12:58 · Score: 1
  
  Sorry, I was googling fast.
  Here is the description of a real working rootkit.
  Start compiling.
Re: Is it easy to get rooted for Macs? by paranoidgeek · 2005-08-16 11:45 · Score: 1

The statement is true and it isnt true.

It is true that by default users are admins. It is also true that XP Home cant set NTFS perms. And it is very true that almost all PC companies set the default user to an admin ( for compatiblity reasons ).

However XP can have limited users and if you look at M$'s site long enough you can find that "Users are recomended to run as a limited user".

And the end of the day *nobody* i know uses a limited account.

--
Lima India November Uniform X-ray
One way around this by Anonymous Coward · 2005-08-16 11:51 · Score: 0

Instead of having the rootkit listening on a port, have the rootkit periodically try to communicate out. Then it doesn't need to bind any port, and will be missed by your scan.

A practical example of this are the IRC bot networks that are so popular in DDoS attacks. All of the bots connect to an IRC channel, and will do whatever they're told to do over IRC. (This is great for DDoS because the botmaster doesn't need to keep track of which machines are compromised, or even go and try to individually connect to them.)
1. Re:One way around this by Anonymous Coward · 2005-08-16 11:58 · Score: 0
  
  Unless they call out, get their instructions, and then *disconnect* again, it will be caught. There is no difference really between incoming and outgoing ports.
MCSE looks at bookshelf at Barnes & Noble by Anonymous Coward · 2005-08-16 12:17 · Score: 0

& spots:

1. Rootkits: Subverting the Windows Kernel

2. How to convince your CIO to go for that new 8-way Dell to run your file server for 30 people.

(you guess which book he/she will go for)
BeOS, baby!! by Anonymous Coward · 2005-08-16 12:21 · Score: 0

Which OS were you talking about? I could swear the ones you might name have hacking books written about them too.

It's not nice to swear, 'specially when you're wrong. Two words:

BeOS, baby!!!!!!!!!!!!!!!!!!!
I stand corrected. by hummassa · 2005-08-16 12:24 · Score: 1

Thanks.

--
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
I have a Palladium prediction by TheNarrator · 2005-08-16 12:39 · Score: 3, Interesting

I think when the Palladium platform is released, it will eventually be hacked or otherwise subverted by rootkit hackers. The rootkits will use the DRM restrictions of Palladium to prevent any tool from removing the rootkit. People who's computers get infected by these Palladium rootkits will be forced to throw entire computers out.
1. Re:I have a Palladium prediction by ryanr · 2005-08-16 12:48 · Score: 2, Interesting
  
  I've not heard of any proposal for nonvolitile storage for Palladium. So worst case, you'd have to reformat your hard drive and reinstall. Or are you being sarcastic?
  
  To address part of your point though, I DO believe that it will be possible for someone to find a hole inthe Palladium software, and install a rootkit on the "Secure" side. If they do it right, then you might have to reformat to get rid of it.
2. Re:I have a Palladium prediction by SilverspurG · 2005-08-16 15:36 · Score: 1
  
  The rootkits will use the DRM restrictions of Palladium to prevent any tool from removing the rootkit.
  That's enormously insightful. You're at least 5 years ahead of everyone else.
  
  I applaud you.
  
  --
  fast as fast can be. you'll never catch me.
3. Re:I have a Palladium prediction by UnapprovedThought · 2005-08-16 19:07 · Score: 1
  I've not heard of any proposal for nonvolitile storage for Palladium
  
  A TPM (trusted platform module) to be included on all computers and peripherals to be sold from now on (let me know if you find an exception...), whether onchip or as an external chip, has the following capabilities:
  
  Tamper-resistant secure key storage
  
  Key management
  
  Random number generation
  
  Key generation
  
  Boot process hashing
  
  The storage part sounds pretty nonvolatile to me...
4. Re:I have a Palladium prediction by ryanr · 2005-08-16 19:18 · Score: 1
  
  In the hardware examples I've been told about, this is a factory-set set of keys burned into the crypto processing chipset. One of the proposed features of a Palladium-like system is nonrepudiation. I.e. if they are trying to tie a piece of DRM music to only one machine, they don't want me swapping my keys about.
  
  So no, that wouldn't be a place that a piece of rootkit would move into.
5. Re:I have a Palladium prediction by UnapprovedThought · 2005-08-17 21:49 · Score: 1
  
  if they are trying to tie a piece of DRM music to only one machine, they don't want me swapping my keys about.
  Minor correction: It's their keys they don't want you swapping about. Technically, the EULA should state what they are currently claiming as their property, though it isn't always clear, because they often advertise media as if you could "own" it by paying some amount, but even with those the fine print insists that you only own a license to use it.
  Putting a rootkit, or a rootkit-enabler key onto a TPM protected computer would be more difficult, but if anyone could put it on there it would be an official vendor under the guise of some legitimate-sounding "remote maintenance" type of deal, which, if something goes wrong, could end up collecting more information about you than they let on during the EULA acceptance phase. How much information about you was given out, however, could be perfectly hidden away from your prying eyes, even though the data itself may reside on your "own" computer.
  As bad as current rootkits are, it has always been possible to recover from them without waiting on hold on a support hotline, or without having to repurchase all of your existing licenses, simply by reinstalling.
Linux does this well. MS's approach is broken. by Nailer · 2005-08-16 14:11 · Score: 1

What do you think Microsoft is going to do about it? If someone has system access there isn't anything to be done about them moving in with a rootkit.

What I'd like MS to do about it is make detection easier. I.e., record the checksum of every file installed by Windows and third party software, provide a way of backing up that checksum info, and a way to check the contents of the hard disk against the backed up check sums from a rescue CD.

Ie, just like Linux does.

MS current approach is to run a tool on the cracked system and hope it reports bad checksum,s then boot of a CD and check again to see if they're different. This provides no security whatsoever, as the inital app that runs on the system could be made to report whatever checksum it wants.
1. Re:Linux does this well. MS's approach is broken. by ryanr · 2005-08-16 14:16 · Score: 1
  
  You've got checksums for every single temp file on your Linux box, and all the slack space too? Impressive. :)
2. Re:Linux does this well. MS's approach is broken. by Nailer · 2005-08-17 11:13 · Score: 1
  
  Someone can install root kits without modifying binaries or libraries? Impressive too :).
3. Re:Linux does this well. MS's approach is broken. by ryanr · 2005-08-17 11:18 · Score: 1
  
  Sure thing. Never heard of boot sector viruses?
4. Re:Linux does this well. MS's approach is broken. by Nailer · 2005-08-17 12:43 · Score: 1
  
  How does that app, say a trojaned copy of grub stage 1, install itself to the bootsector?
  
  With a binary.
5. Re:Linux does this well. MS's approach is broken. by ryanr · 2005-08-17 17:10 · Score: 1
  
  With a binary
  
  Or from memory. Or from a binary, which is then erased. Or from a 'text' file that is really shellcode designed to only use ASCII characters. What's your point?
  
  There are tons of places hide rootkit code on the hard drive that do not fall under the category of binary files that you can check with tripwire.
  
  Whatever code runs first on boot gets to own the box.
6. Re:Linux does this well. MS's approach is broken. by Nailer · 2005-08-18 11:39 · Score: 1
  
  From memory: we're talking about root kits here, not buffer overflows. There are things like NX and memory randomization and safe programming to take care of that.
  
  Or from a binary: How did this binary get onto the system? Did someone download it, check its signature, and it was OK? How does this binary, which is then erased, constitute a root kit? All its done is left something in the MBR, and deleted itself so you can't tell what installed it. How does it perform the tasks necessary to cover activity and maintain access once root is achieved? Again, this doesn't sound like a root kit.
  
  If you can think of a way to maintain access from the point of having something installed merely in the MBR, and nothing left on the filesystem, I'm actually quite interested. Enlighten me (seriously - I'm not really into crappy Slashdot arguments, if you have some knowledge I don't have I'd be happy to hear it).
7. Re:Linux does this well. MS's approach is broken. by ryanr · 2005-08-18 13:07 · Score: 2, Insightful
  
  You've asked about three things:
  
  -How does one install a rootkit on a running box, while minimizing traces left behind
  -How do you leave your rootkit code on the machine such that booting it off of secure media and checking hashes of a class of files won't detect any changes
  -How do you maintain control over the machine from early in the boot process. Note that this isn't the only was to hide, depending on exactly what is checked in question two.
  
  How to get on the box in the first place is the easiest step. It's done all day, every day. Buffer overflows are not a solved problem. Buffer overflows are not the only way to break into a box. Your questions about binary signatures, hashes etc... at this point do not matter. You have nothing checking binaries on the fly. Or I can do my work using binaries with a perfectly valid signature, or binaries that already exist on the system. Or I can do everything in RAM. I believe all the popular exploit frameworks have options that work straight out of RAM. I know Metasploit does. I can install the rootkit into the live kernel by modifying kernel RAM. That was done several years ago.
  
  Question two: So, describe your file checking process to me. I believe you may have been originally talking about the RPM hash checking. That only covers a portion of your files. What about config files, your mail spool, your temp files, your documents, your log files, your profile files, and on and on. There are all these places code could be hidden. And then there is slack space, unused sectors, unpartitioned space, etc... Hiding isn't a problem.
  
  The third question is really the only hard one. There are simple cases, like DOS. Bootsector viruses are 20+ years old on DOS. Here's how I'd do one for Linux, conceptually. I wouldn't want to actually tackle this, mind you...
  
  Every operating system that wants to boot from a hard drive on a PC has to go through a particular process. After the BIOS is done, you sector 0, and start running it. Sector 0 knows enough to get to a several sectors, which know a little about a filesystem, which know how to find an OS-specific file, which switches the machine into real mode, and can load a disk driver, or a kernel, and so on.
  
  So, I would substitute a part of the boot sector or the next chain of sectors in the process. Instead of loading the next piece that gets us to the real grub, I load my modified grub, which I have hidden on the disk. My modified grub loads my modified kernel, which I have hidden on the disk. From there, I can use the rest of the real filesystem.
  
  The trick is, if you boot from a CD and inspect the filesystem, you find the original grub and kernel files. If you try to check things once Linux is up, my modified kernel is feeding you a version of reality that matches what you expect. I.e. if you check grub and the kernel file from the running Linux, it hands over copies of the original files for you to inspect.
8. Re:Linux does this well. MS's approach is broken. by Nailer · 2005-08-18 14:27 · Score: 1
  
  Question two: So, describe your file checking process to me. I believe you may have been originally talking about the RPM hash checking. That only covers a portion of your files.
  
  All the libaries and binaries and config files. As for non-executable stuff, like mail spools, documents, temp files, etc, it would indeed be possible to sneak exploit code into maliciously crafted mail messages, documents etc. But it seems Unix platforms in general seem to suffer from this problem less than Windows, mainly due to not using MSHTML.DLL.
  
  Scripts I expect to be either installed from packages or created or at least read by the local admin, but I might be a little too hopeful there.
  
  So, I would substitute a part of the boot sector or the next chain of sectors in the process. Instead of loading the next piece that gets us to the real grub, I load my modified grub, which I have hidden on the disk. My modified grub loads my modified kernel, which I have hidden on the disk. From there, I can use the rest of the real filesystem.
  
  The trick is, if you boot from a CD and inspect the filesystem, you find the original grub and kernel files. If you try to check things once Linux is up, my modified kernel is feeding you a version of reality that matches what you expect. I.e. if you check grub and the kernel file from the running Linux, it hands over copies of the original files for you to inspect.
  
  Damn good point.
  
  Thanks for an informative post.
9. Re:Linux does this well. MS's approach is broken. by ryanr · 2005-08-18 14:43 · Score: 1
  
  Well, thanks for listening instead of just disagreeing. That's unusual around here. :)
Actually, no, my thinking is bad. by Nailer · 2005-08-16 14:15 · Score: 1

MS approach works fine. Even if the initial check reports lies, checksumming the disk from the CD will report the real checksum. If they're different, the system is trojaned. If they're the same, but they're not the right checksums, the system is trojaned. Only of the checksums are the same and match the original files is the system OK.

Sorry, their approach is fine, I stand corrected.

However, it only works for MS apps and isn't a part of the OS, an area where Linux packages still have a significant advantage.
Beat rootkits. by Spit · 2005-08-16 14:48 · Score: 1

Compile all of the drivers yor system needs into the kernal and turn off module loading, ala OpenBSD.

--
POKE 36879,8
Re: Is it easy to get rooted for Macs? by BlueHands · 2005-08-16 15:36 · Score: 1

just so you know, i found it funny.....

--
I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
3 is the new 2! by BlueHands · 2005-08-16 16:08 · Score: 1

You must be right - Your post proves it! your two main points become 3!! No windoze user could be that smart.

Firstly, your third point is less then useless as a point. Even if true, which is highly doubtful, it doesn't speak to the usability of the OS. I am certain that Solaris users are generally smarter then OSX users, does that mean it is better?

Secondly, while you might love that OSX has no legacy issues that advantage does come at a price - choice of hardware and software. You might be able to find all of your needs meet but then again some people have windows installed for years without ever getting an infection of any sort. To each his own.

As for single user mode, unless the OS is booting from a ROM, you still have the same problem: trying to fix an infected system within an infected system. Yes it maybe more powerful then safe mode and yes there maybe not be a current exploit that is still active even in single user mode but that is just a matter of time.

The fact is that mac's, just like firefox, don't offer an effective platform for infection. If/when macs have more then 30% of the market, thats when OSX will truly begin to deal with virus, worms and the like. It might be harder, even alot harder then windows boxes, it will happen and likely spread fast and hard (at first) when the first ones hit because arrogance will ensure that OSX admins aren't ready for it.

--
I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
Re: Is it easy to get rooted for Macs? by Anonymous Coward · 2005-08-16 16:31 · Score: 0

"and MCSE:2003 certified" ... whooooo .. we are so impressed. Managed to fluke a kiddy-style multiple choice quiz did you (as well as forking out your surplus dollars into Billy-boy's pocket)?
Don't worry, we're all safe by Daytona89 · 2005-08-16 17:07 · Score: 1

...After all, we press Ctrl-Alt-Del before logging in, which protects our password! What more could we possibly need?
In Soviet Russia by subtropolis · 2005-08-16 17:18 · Score: 1

Windows® kernel subverts you!!

--
"Our interests are to see if we can't scale it up to something more exciting," he said.
Re:Great! (not) by jurt1235 · 2005-08-16 19:17 · Score: 1

Ok, I do not get it clearly. I was clearly not being nice to the moderators in my previous post (I was sort of asking for troll), but apparently your message is still considerd flamebait & troll + some insightful, and mine as insightful when it really was total c**p.

--

My wife's sketchblog Blob[p]: Gastrono-me
its what people will buy by rednuhter · 2005-08-17 00:16 · Score: 1

offer the asverage consumer two computers for the same price, one slow but secure and the other noticably faster and booting windows or opening outlook and they will (unfortunately) choose the later.
I for one, run a dual screen machine quite happily on an AMD 1.2Ghz machine but then linux lets me do that and securely.

--
ERR 411[Max number of witty sigs reached]
1. Re:its what people will buy by lgw · 2005-08-17 03:44 · Score: 1
  
  Agreed, but it takes a *large* performance difference to be noticable to the average user, which is why people will happily buy higher-MHz-but-slower machines. However, for average users outside of some gaming, the CPU is almost never the bottleneck, so you could double the CPU time for every operation without it being noticable. Geeks obsessed with framerate in some game might notice, but that's a different story.
  
  It's routine in business software development now to select compiler options that reduce performance significantly in hopes of catching buffer overruns and resource leaks. Heck, if a 20% overhead were really a concern, Java never would have become popular! If you're I/O bound, it just doesn't matter.
  
  I can remember when Linux was lightweight - 32 floppies IIRC. :) Now if I want to install on a 2 GB partition, I have to find someone more knowledgable than myself to safely remove the crap I don't need. But that's a different issue entirely.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
Re: Is it easy to get rooted for Macs? by rthille · 2005-08-17 17:47 · Score: 1

Mostly correct, but Single User Mode won't help you get rid of a smart rootkit. A smart rootkit will include a filesystem shim so you can't find any of the files that make up the rootkit. also, executing things like /bin/bash might run a different program than just reading /bin/bash (for checking checksums).
Basically, once you're root in unix you're god. The kernel can be replaced and from there the game is over. Only way to deal with it is to boot from known-good media.

--
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Security policy ? :-P by Anonymous Coward · 2005-08-20 09:57 · Score: 0

HURD people are trying to move to L4 microkernel, because MACH is unrepairably bad designed.
And one of the design flows is implementing security inside kernel :-D
what about condoms ? by Anonymous Coward · 2005-08-20 10:25 · Score: 0

physical access using condom - is it secure enough ?