Rootkits Head for Your BIOS
Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).
Where are such tools? If I knew such things existed, I would have experimented in "bricking" some of my machines YEARS ago.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Good thing my Pentium machine is running on a motherboard so old you can't flash the BIOS... I, for one, welcome our new BIOS-munging rootkit overlords.
"This is platform independent," Heasman said. "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."
:-)
Perhaps he meant, "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on... Mac OS X."?
What about EFI?
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
They should just make the motherboard have a physical switch on it that stops your BIOS from getting written to. For the number of times I've had to flash my BIOS, it'd be a small price to pay to have to open my computer, just to have the peace of mind that some virus wasn't overwriting my BIOS. If it was a software setting, then there would be a way around it, but if there was a physical switch that disconnected the write lines, then it would probably be pretty hard for a hacker to get around that.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
It worked for floppy disks. I want a little hardware switch that cuts the write lines at the BIOS.
Is there an easy way to disable BIOS writes? A jumper or some such? The sort of person who would be upgrading their BIOS could reasonably be expected to move one jumper.
I have always wondered why viruses didn't do this before-- virus rewriting tools are all over the place waiting to be bundled up with a worm for internet delivery.
In other words, anything this guy says or does is in my mind suspect .... he writes rootkits and other forms of "attacking software", so for all we know this asshole is getting ready to post example code to the net. It wouldn't be the first time.
I've just switched to Macs after 17 years of PC ownership* (Dos, then Windows, then Linux). Boy, am I feeling smug right at this moment.
* I first typed 'ownershit' by mistake - Thinking about it, this might actually be a more accurate word to describe the joys of being a PC user.
"It is going to be about one month before malware comes out to take advantage of this," said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. "This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in."
Maybe add a physical unit that you need to move by hand in order to change the BIOS or Flash memory.
Or, if you suspect your computer has already been compromised, an online/flash drive/external detection tool (independent of the OS and all software) can be run to find out if your computer has been infected. (It works for the Microsoft Security guys.)
The tool would have to check the computer's flash, BIOS, and currently running programs and notify you if it is being blocked/disabled/changed...and then fix the problem or tell you what to do to fix it.
He who knows best knows how little he knows. - Thomas Jefferson
I'm wondering at the possibility this has been done before and not detected because no one looks there?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
It is going to be about one month before malware comes out to take advantage of this.
That's an extremely specific prediction. I think we know who they should look at first when these rootkits show up...
Developers: We can use your help.
I played around with BIOS programming a while in college; after I successfully bricked a computer I got a new motherboard with dual BIOS. This may need to be something incorporated more, so your computer can recover when some malware bricks it. We all know that virus code does exactly what they want it to do; I bet more problems occur from inept virus writers than from actual viruses in the BIOS.
There are two contradicting principles here.
Many home users want that second kind of functionality. Partly because they don't want to bother with the details, partly because they are mentally challenged. They really like to be able to update the computer's BIOS as easily as visiting a web site or running any kind of program. Unfortunately, this is what they get. And so do we.
I'm glad people in the mainstream are beginning to notice this. I saw proof of concept BIOS trojan code as early as '99. It honestly changed my view of the internet, law enforcement, and all of society. While everyone else is busy labelling each other "Paranoid conspiracy theorist" I've been sitting back thinking, "You dumbass. He's probably right." In all reality the NSA doesn't need wiretaps. If they really wanted you they'd have MS serve up a specially crafted banner ad when you check your Hotmail.
Real malware doesn't let itself be known. It sits in the background to aid the people watching you.
fast as fast can be. you'll never catch me.
Just make damn sure that there are no (huge) bugs in the BIOS and burn it to a chip that can't be flashed. I admit that this is perfect for _everyone_ but I'd bet that 99% of computers never have the BIOS flashed, so why make it writeable at all. The people that might want to flash their BIOS are probably also the sort of people that would pay a little more for a flashable version. Assuming you want a fairly generic BIOS that will work for a number of machine configurations, make one with a tiny bit of writable memory that _just_ stores settings (e.g. non-executable). I imagine this sort of arrangement would be cost effective for tier one manufacturers.
I used to have a better sig but it broke.
and you people thought trolls were 3vi1...using any variety of sun boxen running debian is a sick combination...doubt these rootkits will be manipulating openboot image ...even so, sun motherboards have a write enable/disable for the obp....
Way way back in the summer of 1994 we used to have viruses that would write themselves to the boot sector of our hard drives, and some of them would even overwrite our BIOS. I wouldn't expect you to know about it, since it happened so long ago, but those were tough times. Some PC manufacturers would even put antivirus detection software in their BIOS to detect and prevent these BIOS viruses. Sometimes it worked. Other times your system was hosed!
Grandad Admin.
In all seriousness, I am surprised at the lack of malicious viruses today. In yesteryears, viruses wiped out data, wiped out file allocation tables, wiped out BIOSes, wiped out PCs. In comparison, today's "malware" seems rather tame or even benign.
"This is platform independent," Heasman said. "We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Windows."
Can't you password protect your BIOS from being accessed? Or does that have nothing to do with overwriting it? Someone more knowledgeable give me a clue.
If the board uses one of the larger DIP style EEPROM BIOS chips, wouldn't it be simple to identify the write lines (from the manufacturer's data sheet)? You could then pull the chip, and 'flag' the associated pins (bend them out, so they no longer enter the socket) and re-insert the chip.
A little tricky maybe, but better than nothing for now..
There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
Sounds like something MS should implement into Vista. It sure wouldn't make it any worse!
And long live to the assholes that keep proposing it as a sane method to keep things secure.
IANAL but write like a drunk one.
I gave up compiling ACPI support into my kernel a while ago. On a machine that doesn't get suspended/hibernated, it seemed to provide no appreciable benefit other than automatically shutting the system down when I pressed the power button, and I can live without that. Now it looks as if my ACPI-less kernel also has the happy side-effect of protecting me from a potential exploit. Nice.
-Stephen
I'm sure my BIOS has some built-in protection to stop itself being overwritten by a virus. I'll have to double check now when I get home.
In the not too distant future, next Sunday A.D.
I can't wait until one of these is widespread AND badly written. Once several thousand computers stop booting and are potentially ruined (umm... you need a new motherboard... this is not covered under warranty). God help whoever wrote and distributed it. He will hang.
Watched my good friend do this about two years ago. Don't forget your network attached Axis cameras can be used as staging places too.
Since my BIOS sucks and is broken anyway (horribly wrong IRQ routing table, references to nonexistent variables in the battery status), I override the whole DSDT with my own AML code and just ignore what the BIOS says.
Of course this is on FreeBSD. Linux has the capability to override the BIOS's ACPI code as well. Unfortunately Windows doesn't -- or more accurately only the checked (debug) builds of Windows do. I can change the annoying S4 behavior of my laptop, but my friend who runs Windows on the same model is stuck with it...
This posting is clearly spreading it. This is part of a calculated attempt to fear computer users into accepting Trusted Platform Modules which currently exist as UFOs on the new Intel iMacs. When I say UFOs I mean Undocumented Functioning Object. It's installed on my motherboard. It's true that the TCG has made much of the documentation about their modus operandi and even Apple has some OLD documentation about this, the real agenda here is spreading Fear, Uncertainty, and Doubt about their platforms in their current implementations and ease our transition into the TPM future.
It's not difficult to see that these mechanisms could potentially be part of a much larger agenda. You see it happening all around you: RFID, Ubiquitous Surveillance, Presidentially Endorsed Wiretapping, etc. The controls on your movements are getting tighter and tighter. It's not paranoia, it's paying attention. Connect the dots is an easy game; even children can do it.
The most damning aspect of this technology is the lack of transparency required by the implementor, in that they can (at their discretion) use closed source to track users, enforce DRM restrictions where previous 'fair use' and other uses were traditionally allowed. The real question is, even for shareholders, how much is too much? Is the quest for maximizing profit hobbling our society?
Don't look to the skies for UFOs, look on your motherboard, and demand answers for undocumented ICs
if I claimed I was emperor just because some watery tart lobbed a scimitar at me they'd put me away!
Let me ask an obvious question - on a Linux box is root access required in order to write to the BIOS? If so that is some protection.
No comment re windows boxes.
On the bright side, Sony Vaio owners don't need to worry. Their BIOS comes pre-hacked, so there's no room for more malware!
"Live Free or Die." Don't like it? Then keep out of the USA
"Just make damn sure that there are no (huge) bugs in the bios and burn it to a chip that can't be flashed."
There are some MB's that come with a back-up BIOS for such an occasion.
"Assuming you want a fairly generic BIOS that will work for a number of machine configurations make one with a tiny bit of writable memory that _just_ stores settings (e.g. non-executable)."
Most BIOS'es have default settings already.
...by scaring people into upgrading to newer DRM'd systems?
It makes me wonder.
If McAfee can cry wolf to get Mac users to subscribe, then I wouldn't be surprised if Hoglund accepted pay to write something like this.
Shouldn't operating system be able to block BIOS updates?
I have a great follow-on idea: How about writing a perfect OS, so patches are never needed?
Seriously, even your cellphone is complex enough to need bugfixes via firmware updates. Better testing would be nice, but until then, I'd prefer fixable bugs over unfixable ones.
However, nothing sucks worse than having a bug that you know can be fixed, and a manufacturer who's abandoned the product line. That's the argument for open firmware, where the users can support their own devices long after the commercial incentive to do so has dried up.
People who put a big "Upgradable firmware to support future features!" on the box, then fail to add support for *anything* after the product hits shelves, should be the subject of vicious consumer protection lawsuits. (IOMega HipZip and your "phantom vorbis firmware", I'm looking at you!)
"The average non-technical home user shouldn't be messing around with the BIOS in the first place."
Yes. Leave that to the computing "priesthood" to do that. We know what's best for you.
Seriously, the BIOS as a point of contention (future or otherwise) doesn't have to be. Some MB's for example have a "safe mode" where, if the BIOS gets messed up, it can be easily fixed. No need to call the local geek, and have him do some "voodoo" to your machine, then charge out the nose for it.
On a platform designed to Trusted Computing Group standards, this type of BIOS hack would be a lot harder to pull off. It's not all about using the TPM for DRM to stop music piracy ... there are legitimate security concerns like this that cause companies & business to look at security standards.
All this talk of rootkits, but little about BIOS viruses.
I have a scary scenario for y'all.
A virus that spreads over networks, stays quiet until a certain date/time GMT and then BOOM wipes the BIOS of hundreds of thousands of Windows boxes around the world in one fell swoop.
Can you spell "Black Screen of Death"?
Does anyone remember the Chernobyl virus? It worked on a good number of BIOSes, even though it was poorly written. Imagine if someone took the time to do it right.
"Love of fame is the last thing even the wise give up." - Tacitus (55 - 120 AD)
It is another thing entirely to break a system, to gain control of it, patch it so that it continues to run without a watchful user ever noticing that anything has changed, while gaining complete control of the entire system.
This is what today's malware strives for, and what tomorrow's malware will accomplish.
Luke: "I'm not afraid."
Yoda: "You will be."
Is it not possible to create a dongle of some sort that comes with the motherboard that prevents the BIOS from being flashed unless it is present? I know it adds a level of complexity and the common - oh damn I've lost the darn dongle - issues but couldn't it prevent this type of root kit from getting installed? It seems that BIOS is too important to be left open like that...
This is just a bunch of worthless FUD. Programs have been able to write to the BIOS flash ROM for years now. It's not by any means a new concept. What suddenly makes next month the date that all of these thousands of BIOS-infecting rootkits are going to be released?
And what, exactly, would a rootkit or virus want with the BIOS? Does a BIOS even have enough "extra room" to accommodate either? How about platform-independent versions? That's just an idiotic claim if I've ever seen one.
Just sounds to me like this John Heasman is your average "computer security expert" trying to stir up issues and catch some rays in the media spotlight thanks to some worthless but impressive-sounding (to idiots) premise. He needs to go back and finish his MCSE so he can do something useful with his life.
At least the ones in the T and G series either don't have jumpers, or they are shipped with the jumpers set to enable. I have had to flash my BIOS a few times on different models and opening the case would have been a real hassle.
Early computers came with "Mask ROM", which couldn't be reprogrammed, and were only inexpensive if manufactured in large quantities, but they were ABSOLUTELY proof against software manipulation. As a compromise, I'd like to get a "simple" PROM technology into the BIOS socket. These are programmable ONCE (like a CD-R), and COULD be made such that after being burned that once, never can they have anything added to it (the way a CD-R can be blocked for further recording into blank areas). Maybe I should be a little more specific. Suppose a new empty PROM has every bit set to '1'. Burning the PROM constitutes permanently changing certain bits to '0'. If not "closed", then malware could do an additional burn and change some of the '1's that you wanted to keep into more '0's, thereby trashing the BIOS. Yes, I know that this overall notion is inconvenient when you want to update the BIOS (you need a brand new blank PROM, every time). I'll accept that as the price to keep malware out of my BIOS, thank you!
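The burn-once PROM semantics in the comment above can be modelled directly: a blank device is all 1 bits, a burn can only clear bits to 0, and a device that is never "closed" keeps accepting burns. The script below is an added illustration, not code from the article or from any vendor; the `OneTimeProm` class, the `close()` method and the `SAMPLE_IMAGE` bytes are constructed for the example.

```python
"""Toy model of the 'burn once, then close' BIOS PROM described above."""
import hashlib

# Constructed sample firmware image; it stands in for a real BIOS.
SAMPLE_IMAGE = bytes([0xEA, 0x5B, 0xE0, 0x00, 0xF0]) + b"SAMPLE-BIOS-v1"


class OneTimeProm:
    """A blank device is all 1s; a burn can only clear bits to 0 (hypothetical model)."""

    def __init__(self, size):
        self.cells = bytearray(b"\xff" * size)
        self.closed = False

    def burn(self, offset, data):
        if self.closed:
            raise PermissionError("device closed: no further burns accepted")
        for i, byte in enumerate(data):
            # Bitwise AND models the physics: a burn clears bits, it never sets them.
            self.cells[offset + i] &= byte

    def close(self):
        """Permanently refuse further burns (the 'close' step the comment asks for)."""
        self.closed = True

    def digest(self):
        return hashlib.sha256(bytes(self.cells)).hexdigest()


def program(prom, image):
    """Burn the vendor image and return its digest for later verification."""
    prom.burn(0, image)
    return prom.digest()


def bits_cannot_be_set():
    """Once a byte is burned to 0x00, even a 'burn' of 0xFF leaves it at 0x00."""
    prom = OneTimeProm(1)
    prom.burn(0, b"\x00")
    prom.burn(0, b"\xff")
    return prom.cells[0]


def scenario(close_after_programming):
    """Program the image, optionally close the device, then let hostile code try one more burn.

    Returns (burn_rejected, image_still_intact).
    """
    prom = OneTimeProm(len(SAMPLE_IMAGE))
    expected = program(prom, SAMPLE_IMAGE)
    if close_after_programming:
        prom.close()
    try:
        prom.burn(0, b"\x00" * 4)  # hostile extra burn: clears the first four bytes
        rejected = False
    except PermissionError:
        rejected = True
    return rejected, prom.digest() == expected


if __name__ == "__main__":
    print("unclosed PROM:", scenario(False))  # burn accepted, image corrupted
    print("closed PROM:  ", scenario(True))   # burn rejected, image intact
```

The digest comparison is what a recovery or inspection tool would do to confirm the stored image still matches what the vendor shipped; the model makes clear that without the "close" step the only thing protecting the image is the absence of anyone willing to clear more bits.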
"We can write a backdoor for Windows that will elevate privilege, and turn around and use the code on Linux."
Problem is, we have to actually exploit and infiltrate the system itself to be able to access the BIOS. Of course, having root access to a system, one can compromise the system's firmware, given that the BIOS is not write-protected. Similar virii existed in the '80's, but IIRC they would simply nuke the BIOS to prevent the system from booting without a hard flash (or replacing the CMOS).
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
Even if there was a switch, it would be enabled by default. :(
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Okay, so first they say
Yet, an insider attacker could flash their laptop before they leave a company and then use the rootkit, which would survive reinstallation of the operating system. The insider could then gain access to the corporate network at a later time.
And then they say in the paragraph after
Because the amount of memory that could be used by an attacker in the BIOS firmware is small, it is unlikely that an entire rootkit will be stored in the motherboard's memory. Instead, only specific functions and bootstrap code would likely be hidden there.
So... how will the virus survive after a format? It bootstraps code on the hard drive.. which... just got formatted... excellent plan!
Plus, what's the virus gonna do, turn off my PC?
This is way outside my area of understanding. Could someone briefly explain what a BIOS rootkit could actually do if it was installed?
Naively, I would have thought that an OS rootkit would already have access to my files, along with the full resources of the OS. What additional damage could a BIOS rootkit do? Would it have access to anything other than disk files? Could it, for example, send data out (i.e. my credit card #) over a network connection, or does the BIOS need extra help to access that stuff?
They are all AMD boards (I don't use Intel, no flame, just a personal choice), so maybe the motherboard chipsets have something to do with them putting BIOS jumpers on board.
I will take this chance to ask you about AMD motherboards. Could you recommend me a decent mobo manufacturer/model for AMD? I am looking towards building an AMD64 machine but I really do not know which mobo to buy. I have always thought ASUS is good, although I have only used it for Intel. I would like to know about 2 kinds of motherboards: first one without anything integrated (or with the least integrated components possible), just USB, FireWire (if possible) and RAID (0+1), SATA and 4 GB of memory.
On the other hand, an AMD motherboard with a decent video chip (nothing fancy, just for displaying X) and a sound chip (that can play OK .6 Ogg) would be fine.
It would be okay if both of them had plenty (5?) PCI-E (this is the standard now, no?) slots, as from what I have seen almost all mobos come with only 2 or 3 nowadays.
p.s. sorry for the offtopic post, it is just not easy to find people that know about PC's out of slashdot (and I do not have time to browse on other forums). anyway, got the karma
Ubuntu is an African word meaning 'I can't configure Debian'
"If you want to mess with your computers internals that's fine by me, but don't go crying that IT'S TOO HARD!!! Get the expertise, it's freely available on teh intarweb, and do a proper job. If you can't do it, that proves that it's a valuable skill and you should pay someone else to do it for you."
But the present method DOES a "proper job". Why make things difficult so you can have a job?
"(I know, responding to an AC is a sign of madness, like talking to trees)"
And arrogance is the precursor to your job being downsized, buggy-whipped, and outsourced.
I know my memory has faded, but didn't 'dark avenger' erase the flash on some HD's, and 'CIH' do this to flash based PC BIOSes?
/me hugs his atari ST
Even if they didn't, this never was that hard to do by accident. Ever power-cycle a PS/2 while it was updating? Good chance you had to send it back to IBM.
Let's hear it for modern technology.
---- Booth was a patriot ----
No one wants to hang Bill Gates, though he has done what you worry about. Fines and jail, yes, hanging no.
Friends don't help friends install M$ junk.
"...do not pass goal, do not collect $200."
that would be "do not pass Go, do not collect $200.", a reference to the game Monopoly.
From what I've seen lately with people "brickifying" their iMacs... isn't it incredibly simple to do this with the latest EFI spec? As simple as dropping a rootme.efi file onto a hard drive and rebooting. Fortunately you have to use sudo to enable those EFI modules, won't be so pretty when Windows starts using it though.
Cwm, fjord-bank glyphs vext quiz
1992 - NEC puts a flash-disable jumper on their 386SX motherboards (defaults to block)
1995 - Korean student kills BIOS chips with CIH virus
1996 - Korean Army (his new employer) basically says boys-will-be-boys
2000 - Phoenix Technologies* BIOS drops visible files on desktops of fresh Windows installs.
2001 - Slashdot users discuss this for a few days and it goes away for 5 years.
* (Phoenixnet for Award BIOS 1999)
The suggestion here seems to be that code could be installed into the ACPI routines, assuming the author could figure out how to do that and how to reflash the BIOS within Windows. Since most, if not all, BIOS'es are compressed, it would be an incredible feat (and unique to a platform) to accomplish such a thing even if it were technically possible (highly unlikely). Ignoring that, ACPI code can't do JACK SHIT! This is a complete joke---a scam designed to make a select few "experts" money, much like the Y2K "catastrophe". Appalling FUD from shameless liars is all this is.
Their EFI modules are gonna be toast just like that last article said could happen. Huh, BIOS? Oh shit......
"Are you sure you want to execute NAKED BRITNEY.JPG.exe?"
YYYYEEEEEEEEEEEEEEEEEEEEEEESSSS!!!!!
cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
My amiga 1000 was totally destroyed by a virus which got into the pram in 1988. No way to get it out that I ever found.
...you probably don't need to be flashing the damned thing.
Well, in TV Land, it's always true. Notice how the bad guys always "destroys" a computer by blasting the monitors with a shotgun (or a .44, or whatever), while generally leaving the box under it intact? I guess computers in TV/Movie land are useless if they can't output the gratuitous graphics and sounds. And of course, if it's on TV, it must be true!
-- "This world is a comedy to those who think, a tragedy to those who feel."
Let's not forget that the newer Intel Pentium processors, and the AMD equivalents, support downloadable microcode. This means it is theoretically possible to create a virus that runs within a single processor instruction. Ok, granted that's a stretch more in line with something seen on the sci-fi channel, but the capability is there to compromise a system.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Do other portions of motherboard flash typically get used for any configuration data in addition to holding BIOS or similar functionality? If so, it'd be difficult to prevent writes without also preventing changes to the configuration data. Disabling writes would seem simple otherwise, even with no jumper provided. It shouldn't be hard to identify the write-enable pin and force the state of it (taking care not to run excessive current through whatever drives it).
I've wondered if similar potential security problems might be hidden in the flash memory present on many hard drives. It would seem simple in theory for a drive to lie about its actual size, leaving space for hidden code or data logging on disk. It also seems possible that a drive could allow hiding code or data inside of the "bad blocks" space. Perhaps data could be hidden between the end of a file and the end of the allocated block it resides in. Do disk drivers zero that space? There is also the issue of modifications to existing code or adding something in the free space of the drive flash.
I also don't understand what the potential is for hostile modifications to the disk driver.
If there aren't ways of ensuring such things are clean code, are there at least simple ways of comparing critical code/files with some reference state?
For instance in OS X, is there a command line tool that could give an MD5 sum of drivers, other critical files, and contents of flash?
On Mac OS X, I haven't seen disk utilities that allow such things as picking from several drivers, or wiping/retesting bad-blocks etc. Are there Unix tools that can be run from the terminal to do such things?
To what extent are disk tools themselves a security threat? I vaguely recall reading about an OS X defragmenter called iDefrag that phoned home with a bunch of user data if it detected a known compromised serial number. While the author may have felt such behavior was justified, it seems like such a utility could be easily made to call somewhere else with user data instead.
If a vendor (like Sony) would hide a rootkit on an audio CD, what assurance do any of us have that there isn't something just as bad hidden in the firmware of an optical drive or motherboard when it ships? Talk about closed source... who gets to examine the code in the hardware?
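The "compare critical files with some reference state" idea raised in the comment above is a file-integrity baseline: hash each file once on a known-good system, keep the list somewhere the running OS cannot rewrite, and diff against a fresh hash pass later. The script below is an added example, not something from the article, from Apple, or from any product it mentions; it uses SHA-256 rather than the MD5 the comment asks about, and the `drivers/` directory with `disk.bin`, `net.bin` and `extra.bin` is a constructed stand-in for real driver or firmware files.

```python
"""File-integrity baseline: hash critical files, store the list, compare later."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large drivers or firmware dumps need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: two 'driver' files; later one is modified and one is added."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp) / "drivers"
        drivers.mkdir()
        (drivers / "disk.bin").write_bytes(b"constructed disk driver v1")
        (drivers / "net.bin").write_bytes(b"constructed net driver v1")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(drivers), baseline_path)

        # Something alters one driver and drops an unknown file beside it.
        (drivers / "disk.bin").write_bytes(b"constructed disk driver v1 + patch")
        (drivers / "extra.bin").write_bytes(b"constructed unknown file")

        return compare(load_baseline(baseline_path), build_baseline(drivers))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where it lives: a rootkit with root can rewrite a baseline stored on the same disk, which is why the earlier comment about running the check from media independent of the installed OS matters. The same diff logic applies to a dump of the firmware image if the platform lets you read it back.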
And there should be a third read only chip containing the original bios, which could somehow be loaded in the case of an emergency/mistake. BIOS chips can't really be that expensive, so putting extra security measures in place to not get your system hosed are important.
Gigabyte have had this for a few years now. They call it Dual Bios.
I'm thinking it would probably be a good idea to contact the supplier or motherboard (or BIOS) manufacturer specifying your wish for a "spare" BIOS chip, so as to at least have one clean chip "offline," just in case something should happen to the one being on-line.
-After all, if they truly are inexpensive, and the supplier is cool about peddling loose chips, then why not say "thank you; may I have another," and get crackin'?
If the new BIOS'es haven't physically changed their form-factor from "good 'ol pinlegs of the past," and the ROM-size is >/= the "modern" one's, maybe it'd be a good sparetime activity to flash some of those chips that you have lying around in your old computers, so as to have multiple offline backups of "whatever turns her on"..
A horse can't be sick, you know, even if he wants to.
Got a question about your sig. You say it's not a MacBook Pro? Then why does Apple call it that?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
The Mac BIOS can only be written if a paper clip is pushed into the hole in front.
ALL Macs have that safety feature. It is used often (every few years) to put in new firmware from Apple to fix Apple mistakes that affect booting from FireWire and such. But unless it (the flashrom write enable) is depressed at startup NO SOFTWARE can hack your flashrom. It has to be pressed during startup, and a confirmation beep exists on many Macs to let you know the button functioned.
The flashrom is user safe too!!! It has two copies, two checksums for them, and a THIRD mini image that can be used to load both the others in case both of THEM are corrupt (power out during flash).
Apple is smart. This has been the case since the first iMac ever and all Macs that allow flashing of firmware.
PC designers are not as secure and safe as Apple. You are wrong.
The Mac 'BIOS' (a huge amount of code written in an Open Firmware protocol using a Forth interpreter) can only be written if a paper clip is pushed into the hole in front at bootup.
ALL Macs have that safety feature. It is used often (every few years) to put in new firmware from Apple to fix Apple mistakes that affect booting from FireWire and such. But unless it (the flashrom write enable) is depressed at startup NO SOFTWARE can hack your flashrom. It has to be pressed during startup, and a confirmation beep exists on many Macs to let you know the button functioned.
The flashrom is user safe too!!! It has two copies, two checksums for them, and a THIRD mini image that can be used to load both the others in case both of THEM are corrupt (power out during flash).
Apple is smart. This has been the case since the first iMac ever and all Macs that allow flashing of firmware.
I do admit that a Mac can be HOSED so that it cannot boot by altering non-executable data in flashram, but in theory COMMAND-OPTION-P-R will reset the bits back to safe factory defaults. Also drivers that load from the hard drives BEFORE the OS could be hijacked (but not on my Macs... too long to explain).
PC designers are not as secure and safe as Apple. People here are wrong. Mac users can rightfully be smug. They are immune from remote exploits for a wide range of ENGINEERING reasons as well. (At least 10 good reasons, too lengthy to be listed here.)
I fear FUTURE x86 Macs (not current x86 models) may slowly devolve into Windows bootable machines, perhaps even lacking the FIRMWARE protection button... but that is because Apple has very little talent in the building.... despite billions in the bank. Apple is a culture of dead wood and mediocrity engineers.
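The two-copies-plus-recovery layout described in the comment above (and the "dual BIOS" boards mentioned earlier in the thread) comes down to one boot-time rule: try each slot in order and run the first one whose checksum verifies. The script below is an added model of that rule, not Apple's or any board vendor's code; the `FWIM` header, the slot names and the "constructed firmware" payloads are invented for the example.

```python
"""Model of a firmware store with primary, backup and recovery slots, each self-checking."""
import hashlib
import struct

MAGIC = b"FWIM"            # constructed header tag for this model
HEADER_LEN = 4 + 4 + 32    # magic, payload length, SHA-256 of payload


def make_image(payload):
    """Wrap a payload with a header so a reader can verify it before trusting it."""
    return MAGIC + struct.pack(">I", len(payload)) + hashlib.sha256(payload).digest() + payload


def verify_image(blob):
    """Return the payload if header and checksum hold, else None."""
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        return None
    (length,) = struct.unpack(">I", blob[4:8])
    payload = blob[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length or hashlib.sha256(payload).digest() != blob[8:HEADER_LEN]:
        return None
    return payload


def select_boot_image(slots):
    """Boot from the first slot whose image verifies; slots are tried in the given order."""
    for name, blob in slots:
        payload = verify_image(blob)
        if payload is not None:
            return name, payload
    raise RuntimeError("no valid firmware image in any slot")


def interrupted_write(new_blob, bytes_written):
    """Power loss mid-flash: the slot holds a prefix of the new image, the rest is erased (0xFF)."""
    return new_blob[:bytes_written] + b"\xff" * (len(new_blob) - bytes_written)


# Constructed sample images.
OLD = make_image(b"constructed firmware v1")
NEW = make_image(b"constructed firmware v2")
RECOVERY = make_image(b"constructed minimal recovery loader")


def boot_slot(primary, backup):
    """Which slot boots, given whatever the primary and backup slots currently hold."""
    return select_boot_image([("primary", primary), ("backup", backup), ("recovery", RECOVERY)])[0]


if __name__ == "__main__":
    print("clean update:          ", boot_slot(NEW, OLD))
    print("power lost on primary: ", boot_slot(interrupted_write(NEW, 20), OLD))
    print("power lost on both:    ", boot_slot(interrupted_write(NEW, 20), interrupted_write(NEW, 5)))
```

A plain checksum catches the accidental damage the comment worries about (power out during flash) and random bit flips, but not a deliberate rewrite that recomputes the hash; keeping malicious images out is the job of the hardware write-enable the same comment describes, or of a signature check with a key the running software cannot replace.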
Joe Fourpack would flash the bios. All he would need is an e-mail instructing him that if he updates his computer by flipping this bios switch thingy and then clicking OK, he will be able to play the attached new pr0n file.
Note that Joe Fourpack is two short of a sixpack.
The price of freedom is eternal litigation.
Mine does.
This sounds rather like a 'nanobots may steal your car' type story but hey.
is to run my warez on a non-networked machine.
So go ahead and put whatever kind of asskit you want on my 'net machine.
It's a Pentium 3 throw-away!
No Brainer.
Pass it on!
I had to say this, but rootkits are going to blow up in Microsoft's face. Hopefully it will force them to implement better user account security. In the meantime my clients are having to hire me at an increased rate and I'm learning a lot, but at the same time I feel for people that don't have any understanding of the power third parties have over home computers.
I think it's called TCPA?
It's just not Sony doing it, though.
Hoglund makes money off letting people cheat in WoW. This damages the enjoyability of the game for many people, making him in my mind what is commonly called an "asshat".
... what it did/does do is hash various bits of data including open window titles then send the hashes to Blizzard for checking against a database of known bad signatures (ie cheating apps).
You may have a reasonable point. This use is in contravention of the EULA. However, they run the Warden on ALL computers because they cannot know which ones belong to cheaters ahead of time. As I will show, this seriously compromises the security and privacy of anyone running WoW.
Furthermore, I for one adamantly refuse to play any such game on principle. I will not submit to this sort of digital strip search for any reason. There are plenty of games which do not require this sort of draconian intrusion onto one's computer.
The Warden doesn't "spy" on you, that's a ridiculous assertion
You say "doesn't." That verb is in the present tense. The Warden is code downloaded from WoW whose content can be changed at any time. ANY TIME. Please let that sink in. That makes it a trojan with a remotely downloaded payload. Although they can change that, of course. Granted, they do disclose that there may be some vague code doing something in the EULA. Kinda sorta. Assuming it hasn't changed to contradict the EULA since the EULA was written. And we all know how the EULA defense worked for Sony. The only difference here is that the code is required to play the game at all and that we don't actually know exactly what information it sends out (although, as I'll show below, we can get a pretty good idea thanks to a side channel attack).
As for "only sends back hashes" you do NOT know that. If you'd even bothered to read the whole description, you'd see that it sends back encrypted packets. So yes, it does root through all open windows, all processes in memory, etc. and it does hash them, but you have NO way of knowing what's in those packets. They can send the contents of any section of memory out with the hashes. They can throw the hashes away and send only content. Hell, someone on the very forum linked to described several megabytes of bandwidth getting used up by this over a few seconds. That's pretty clearly inconsistent with sending only the hashed information back.
Worse, even with the "only hashes" line of reasoning, it checked all the email addresses of his friends, etc. If they can ban you merely for *communicating* with the wrong folks, dammit, that's a problem.
it does not send personally identifiable information back to Blizzard
The information sent back is personally identifiable in that it's linked to your WoW account, which is linked to a credit card, which had better be linked back to the account holder. How do you think they ban people if they cannot identify them? Do you not think that they'll not know which account to cancel if a given credit card is maxed?
Please explain to me how you could possibly think otherwise. You cannot add that together and say it's "not personally identifiable" without utterly distorting the meaning of that phrase. Even if you try to justify that by saying that mom & dad are the ones actually paying for your account, it's pretty trivial to trace it back to you, in the end, and it's certainly identifiable.
Ever since this sordid incident, Hoglund has been a dirty name to me and many others familiar with it, and I don't trust him at all.
[...]
Like I said, it wouldn't surprise me a bit if he released code showing how to hack the BIOS, just like he teaches people how to write rootkits despite them having (as far as I'm aware) no legitimate uses.
That's a completely illogical line of reasoning. It's kinda like saying "I don't like you, so I'll assume that you'll do something criminal." Moreover, giving out information on ho
And maybe we wouldn't detect it even if we looked. The only reliable way to check for a kernel rootkit is to boot a clean kernel (e.g. from a CDROM). Now how do you boot a clean BIOS? Today they are all flash-based rather than socket-mounted.
Will we ever hear of microcode rootkits (stuff that alters the semantics of CPU instructions)? Are microcode updates persistent?
AC
> also a blackhat who enjoys developing cheats for World of Warcraft.
So cheating in a computer game makes you a blackhead nowadays? I'm getting old.
k2r
In cisco routers there is a chip with the hardcoded default IOS that ships with the router, it's essentially the failsafe.
So if you get a corrupt IOS image flashed to the eeprom, or somehow get compromised, running a certain command will allow you to boot using the failsafe.
This is what mobo manufacturers and OEMs should do: create a bootrom that is unflashable, for a safe and secure bios, and can be reverted to when you hold certain keys on system boot (or a jumper); otherwise, it boots to the eeprom with the flashable bios.
This eeprom can be flashed with updates, but if it gets compromised, you can boot via the original, the OS or a special bootdisk can be loaded, and you can flash the eeprom again with the latest update to clear out any tampering.
Of course they don't like these kinds of features, as a toasted mobo = more money for them, as a user will have to buy a new mobo. Hence why you only see nice features like these in enterprise grade hardware, where hardcore failure means the company has to spend several thousand or several million on a new server. During this time can be make or break time for manufacturers, as the company may eye better or newer solutions that may be less, or just better, which can take away a good sized business account. Your average consumer, when it comes to computers, is more willing to just go out and buy something expensive rather than sit down and see how it could be fixed; they want it done fast and now, no matter the cost. Not true in all cases, but when I've handled computer repair jobs, if the repair job is gonna take too much time, they'd rather just get a whole new machine.
The bios savior? See http://www.ioss.com.tw/web/English/RD1BIOSSavior.html
[Now, I'm off to lift my le... Um, visit... at another place.]
On the downside, that would probably be done as a jumper, and it can be quite difficult to find what the jumpers are on older hardware... which most often needs the BIOS update.
A backup BIOS might be another practical weapon. I think there are a few models on the market that use that as a feature. The main chip is the commonly-used flash BIOS so prevalent these days; but there is also a true ROM chip, with the original factory 1.0 BIOS on it. The BIOS flash utility lets you flash the BIOS from the backup, or you can boot with a particular jumper set to do it. (Yeah, still that jumper problem.) While not protecting against a BIOS flash, it does make it easier to restore if you accidentally mistake an MP3 of William Shatner's "Mr. Tambourine Man".
//Information does not want to be free; it wants to breed.