New Developments From Microsoft Research
prostoalex writes "Information Week magazine runs a brief report from Microsoft Research, showcasing some of the new technologies the company's research division is working on. Among them — a rootkit that eliminates other rootkits, a firewall that blocks the traffic exploiting published vulnerabilities, a system for catching lost e-mail, a honeypot targeted at discovering zero-day exploits, and some anti-phishing applications."
Who says Microsoft is dying eh? I mean, man, with great ideas like that, how could they ever?
How we know is more important than what we know.
> a rootkit that eliminates other rootkits
Well, there goes kernel stability.
I'm really not sure I want a future Norton RootKit Protector installing itself, bugs and all, into my kernel.
It really is good to see that Microsoft is trying to do some good things. I mean they ARE the huge company that they are, so it really is good to see that they are trying to do things better. However, a rootkit to change a rootkit does not sound like a good idea... But a firewall like they are talking about does seem pretty interesting. I hope to see good stuff come out. As a Windows user, this is good news for me.
Yay, I have a sig.
a rootkit that eliminates other rootkits
Yes, but what about rootkits that eliminate rootkits that eliminate other rootkits? Muhahaha
How the fuck does email get "lost"? How could that happen? Even a server crash should not cause that.
Why not, instead, spend the time and money finding the real problem in your email system and fixing that? I handle about 1,500 in-bound messages a day. By their calculations, I should be losing 15 or so, every day. Yet that does not seem to be happening.
What do they mean by 'rootkit that eliminates other rootkits'? Do they even know what a rootkit is?
From TFA, 'GhostBuster' seems to be a reincarnation of Sysinternals' RootkitDetector (can't say it wasn't expected, since they were bought by Microsoft)
And I thought the kernel was the thing which eliminated all the rootkits.
Banu
Install your OS, drivers, patches and apps all at once. Back it up via dd in Linux, or use Norton Ghost.
IMO that trumps the "rootkit" solution.
--- Grow a pair, liberals... stop letting the Republicans bully you!
I'm not a computer security engineer, but Shield sounds an awful lot like Snort... am I wrong?
They've put out quite a few interesting experimental languages for the .NET platform.
In particular f# (ocaml with .NETified classes) looks pretty cool.
Can anyone in the know comment on how doing research for a company like microsoft compares to doing CS research at a university? I'd imagine the pay would be somewhat better, but are there other tradeoffs like reduced freedom?
Microsoft is re-inventing "intrusion detection" and "packet analysis". Save yourself some stress and deploy Snort today.
http://www.snort.org/
> a rootkit that eliminates other rootkits
:P
So being evil installing rootkits is not enough?
One rootkit to rule them all!
Turfer? What's that? Also, FUCK, here goes my karma for an off-topic post. -_-
Yay, I have a sig.
If you fix the problem of "lost" emails, then why run a system to find and alert people to email that is not lost any more?
If your system is unreliable, adding complexity usually does not make it more reliable. You need to fix the problem at the lowest level possible.
Since this is Microsoft, they're probably referring to Exchange/Outlook. Exchange is mostly database driven now. If you're losing messages in your database, having someone re-send them is NOT the approach you want to take.
You have what is known as "database corruption" and that does NOT spontaneously solve itself. You have a serious problem.
...but it doesn't mention research on how they will help Novell kill itself... :(
Yes, that was how it was designed.
And how will Microsoft know that
Isn't there already a protocol for receiving notification when the recipient receives the message? But no one uses it because it would just make the spammers' lives too easy.
I keep all our email logs. I can tell you exactly what messages were sent and whether the receiving machine accepted it and when. If there's a problem beyond that point, it is either the server (fix the server) or the admin (why is the admin deleting email) or the user claiming that "I never got it".
Again, since I keep the logs of every transaction, I don't see that "I never got it" very often.
You can't solve the problem of malicious rootkits by fighting it with other rootkits. There is always going to be someone smarter out there that will defeat it. The solution will involve finding the root cause of people creating rootkits. Why do people release these types of malware in the first place?
Boeing cuts reliability and safety funding while Boeing Research announces the availability of individual passenger parachute systems. You can pay Boeing an extra $5 per flight to enable your seat's advanced parachute and fire suppression system. So when the plane falls apart in mid-air or crashes and burns, you survive to fly another day.
Yippee-fucking-do.
...Bob v2.0 for Vista !! ;)
We miss Bob !
Please, Melinda, think about it !
-- Rastignac was here.
I think he means an astroturfer - http://catb.org/jargon/html/A/astroturfing.html, specifically definition 2.
And for those who don't like to click on links, astroturfing in this sense basically means that the poster is being paid by Microsoft to appear to be 'an ordinary joe', in an attempt to create the appearance of popular low-level support.
Like a political party activist writing letters to newspapers, pretending to be the public.
If this were really happening, what would you think?
Every time I visit Slashdot there seems to be an article about Microsoft and Windows/Vista; not sure if it is bad timing on my part.
http://en.wikipedia.org/wiki/Law_of_Attraction Law of Attraction: how to attract everything you desire in your life using this Universal Law. All I'm saying is that Microsoft products are something I really do not want to attract into anyone's life. Can we have a website function to remove Microsoft articles from our viewing please, e.g. use this checkbox to filter Microsoft articles...
I hope (not really) this research goes better than the trillion dollars they invested in MSN Search only to lose even more market share...
A turfer is a short name for a person who lays down astro turf. Astroturfing is laying fake grass, or fake comments for PR purposes.
I thought he was struggling to say something positive about a mediocre to bad press release, indicating someone with alternate motives, like an astroturfer, or just a Microsoft fanboy maybe.
From what I know of Microsoft Research, it is a patent fishing net so that in the future they can sell/control technologies. Basically covering future turf, so that they can control cash flows and maybe make some money on top of it selling the patents. Control in such a way that if some fooling company developing their product would have some nice feature that partly infringes on the patent, then Microsoft can hurt the company and tell it what to do. And tech is developed far enough to have an idea for a patent, and then dropped. Sort of like slugs sliming up the IP territory.
I might be wrong, it's been a while.
We couldn't root their root of our rootkit. Don't you just hate that?
The whole anti-virus, anti-phishing, anti-zero-day exploits is getting out of hand. You can't fix a PEBKAC with layer upon layer of kludges.
There appears to be no legitimate purpose to such research.
1. A rootkit that eliminates other rootkits can probably also be eliminated, so this research does not really solve a problem.
2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.
3. If you can write a rootkit, eliminating other rootkits does not appear to be that large of a challenge in the first place.
4. If you want to eliminate a rootkit, reinstalling the OS seems like a better idea.
5. There are countless illicit uses of such software.
Are they developing this rootkit in an effort to develop new security for their OS? I don't get it.
Invisible processes battling each other for CPU, RAM, disk space and Internet bandwidth resources. And all I want to do is send some resumes, check the news and email and browse some sites. Ubuntu just got a much larger partition. Screw this crap, seriously.
I would advocate to any *NIX sysadmin here: CHECK OUT usenix.org and www.sage.org. They put out some of the best *NIX shows and programs out there - REALLY!!!! I say this because one of their sponsors is Microsoft Research. Don't get me wrong, I generally don't like the MS approach to doing things, but I will definitely say that there are those within MS who know things. Happy Adminning, Unsung_Admin
If this is microsoft innovation, it's not very innovative. All these 'technologies' are basically extra layers of software to fix the bugs in the first layers ... be it security (phishing stuff, adaptive firewalls, etc etc) or losing emails ... which should not happen anyway and we already have basically the same technique they're developing in the mail protocol, namely confirming a received email.
---
"The chances of a demonic possession spreading are remote -- relax."
I was more speaking from a layman point of view: figuring that if you could have 2 systems to stop e-mails being lost which don't interfere with each other then you double your fun, so to speak.
:)
If what you say is true and it might make the problem worse, then I can see where you're coming from
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Lemme get this straight. A company is working on a rootkit for their own OS. Now, it could be me, but if I didn't sleep through OS programming, as the maker of the OS I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?
Not to mention that Vista was trumpeted as the most secure, un-hackable system ever. How do you install a rootkit on it? I thought it was impossible (spare your corrections, I know it is possible no matter what. I just want to get an answer from the guys that keep telling me it is impossible to rootkit Vista).
So we're now at the "who gets deeper into the system" war. Because one thing is a given, 3 days after the MS rootkit to destroy other rootkits, the rootkit to destroy the MS rootkit is rolling out. Then it's a month 'til patchday and... you know the drill, we already live it.
There is no technical solution to social problems. As long as people are dumb enough to click everything offered to them while they're running on admin or root privileges, those things will exist and they will work. Now, with Vista finally trying to run on low privileges, the social engineering part will become bigger to get the user to grant more privileges when necessary for the bug to survive, but since pretty much EVERY program will need those for installation, people will hand out those privileges like freebies, because it's customary that a new program needs them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
>>>"a rootkit that eliminates other rootkits"
The one rootkit to rule them all!!
I knew they were up to something.
Syllable 0.62 is here at last!!!
All of these ideas they are supposedly coming up with are rip-offs of existing technologies. I mean, come on, rootkits that remove other rootkits? Finding lost email? Fuck, none of this stuff is even remotely interesting in how it works or what it does. PR spin is all it's good for.
If you mod me down, I will become more powerful than you can imagine....
Seriously, anti-phishing applications? Is that really necessary? How about a JPEG desktop background that says "THINK DAMN IT!!!" I think that might prevent most if not all problems with malware.
That's nothing, I hear Google invested one Gillion dollars.
Sounds like good old fashioned down and dirty engineering/development to me.
I know they're also doing research work at Microsoft research, but this sure ain't it.
Microsoft Research is developing technology for finding rootkits by using their own deceptive behavior against them. Known as GhostBuster, it relies on analyzing and comparing system information at both a high level--from a Win32 API, for example--and a low level--such as the raw disk information. Any difference in the two views--for example, the low-level view indicating a file not present in the high-level view--makes a compelling case that a rootkit is trying to hide.
Simply not true!
I mean, since it is the exact description of how RootkitRevealer works, I suppose (I'm sure) that it is the same product. For those who do not know, Microsoft acquired Sysinternals (maker of RootkitRevealer) a few months ago.
Apple iProduct. No matter what it is, you'll buy it!
So, would this Microsoft research project violate some Super DMCA laws? For example, in Illinois, we have Public Act 92-728, which is the Illinois Super DMCA. This act was responsible for "killing" the LaBrea Tarpit software package.
Since IANAL, I will quote the writeup from the LaBrea website:
My hovercraft is full of eels. All your base are belong to us. And he had made a trumpet of his arse.
The "classic" honeypot is pretty much dead. Nobody uses a 0day against a random machine anymore. At the very least, one tries to avoid certain IPs and IP Ranges that are known to host pots. Whether MS wants to believe it or not, those lists exist. One of my pots has been discovered a while ago and on that machine, I've never had any detections since, except a few scriptkids that don't count.
Even "detecting" pots that simulate a user's behaviour and actively look for forged sites and such are losing their usefulness, since a lot of distributors have already started hardening their attacks against aggressive farming. Or they require you to go through very detailed steps that a bot cannot reproduce. I've recently had my first captcha-protected exploit (it was a porn site, and what user wouldn't solve a captcha to get his pic when he surfed there just for that in the first place?).
Forget honeypots. Unless you put a human behind that VM it's running on. Automated pots are becoming less and less useful with attackers becoming more and more aware of them. Especially you can dump any kind of "honeypot kit", they are known and their quirks are tested painstakingly before an attack takes place.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm waiting for Microsoft Research to come up with an elegant component architecture that encourages code reuse, reliability and portability with a simple interface that allows even novice users to write simple programs, and where the focus is on data in human readable format with simple input and output formats, and where everything is considered a tool, and there's lots and lots of them.
Oh, wait ...
Seriously, can someone point to something tangible and put into use that's come out of Microsoft Research? The only thing that comes to my mind is netscan, which, while interesting, is put to use only by usenet trolls. For all their billions, and their talent, we should be trembling in anticipation of The Next Big Thing. What we do see, on the other hand, shows up on Slashdot for the audience to have fun with.
Simple: automatically generate new rootkits to download on every Windows machine every 24 hours, using an exploit generator to generate the different rootkits, or just pay hackers to create the rootkit while selling the subscription for the anti-rootkit rootkit.
I can see where this is going.
Can we boot to the rootkit and eliminate the layers of bloatware like IE and Outlook? Something like the old DDT shell in ITS - the debugger was the shell, eliminating the overhead of a shell. If we could boot to the rootkit, and just run the applications we needed, a lot of the overhead of Windows could probably be eliminated. All those things in the task list you have no idea what they are, like NMSSvc.exe, and the registry...
When developing something like this (ie. the covert rootkit eliminator), why do people always broadcast it as loudly and as far as they possibly can? Wouldn't keeping it super-top-secret be more effective at stopping rootkits?
Ghostbuster was described, tested, and PUBLISHED first. After Ghostbuster got /.ed the first time, Sysinternals came out with Rootkit Revealer in less than a week (the Sysinternals guys are GOOD, and Microsoft wasn't releasing Ghostbuster due to internal political issues.) The big difference: Ghostbuster does a high/low scan with low being a "reboot to trusted media". Rootkit Revealer just uses two different APIs to do the high/low scan, as the Sysinternals guys are part of the very few people who truly understand the registry and Windows file system.
Note that Ghostbuster, by requiring a reboot, is more intrusive but harder to fool. Rootkit Revealer on the other hand, can be fooled by a sophisticated rootkit which works at the very low level, yet does not require rebooting, which allows it to work without taking the system down.
Test your net with Netalyzr
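The quoted TFA paragraph above ("Any difference in the two views ... makes a compelling case that a rootkit is trying to hide") and the post explaining the high/low scan describe one technique: cross-view diffing. The following is an added illustration of that idea, not code from Microsoft Research or Sysinternals. It builds a small sample tree, enumerates it once "raw" and once through a simulated hooked API that drops any name starting with a constructed prefix, and reports the entries the API view is missing. A real tool reads on-disk structures (or scans from trusted boot media) for the low-level view; here both views come from os.walk for the sake of a runnable demo.

```python
"""Cross-view diff, an added illustration of the GhostBuster/RootkitRevealer idea.

A rootkit that hides files hooks the high-level enumeration API so certain
names never come back, but the low-level structures (raw disk, or a scan from
trusted boot media) still contain them. Listing the tree both ways and diffing
the results exposes whatever is being hidden. The hiding rule and the sample
tree below are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path

HIDDEN_PREFIX = "$sys$"   # constructed: the stand-in "rootkit" hides names starting with this


def low_level_view(root):
    """Raw enumeration: every entry under root, nothing filtered."""
    names = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            names.add(os.path.relpath(os.path.join(dirpath, n), root))
    return names


def high_level_view(root):
    """API view as a hooked enumeration would return it: hidden entries are
    dropped and hidden directories are never descended into."""
    names = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # pruning dirnames in place stops os.walk from descending, like a hooked FindNextFile
        dirnames[:] = [d for d in dirnames if not d.startswith(HIDDEN_PREFIX)]
        visible = dirnames + [f for f in filenames if not f.startswith(HIDDEN_PREFIX)]
        for n in visible:
            names.add(os.path.relpath(os.path.join(dirpath, n), root))
    return names


def cross_view_diff(high, low):
    """Entries present at the low level but absent from the API view."""
    return sorted(low - high)


def build_sample_tree(root):
    """Constructed sample: one ordinary file and one hidden directory with a payload."""
    Path(root, "notes.txt").write_text("ordinary file\n")
    hidden = Path(root, HIDDEN_PREFIX + "drv")
    hidden.mkdir()
    Path(hidden, "payload.sys").write_text("constructed sample, not a real driver\n")


def scan(root):
    """Run both enumerations over root and return what the API view hides."""
    return cross_view_diff(high_level_view(root), low_level_view(root))


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for entry in demo():
        print("hidden from the API view:", entry)
```

The diff is only as trustworthy as the low-level view: if the hook sits below whatever the "raw" reader uses (the point the post makes about Rootkit Revealer versus a reboot to trusted media), both views lie the same way and the diff is empty.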
Singularity is a Microsoft Research project started in 2003 to build a highly-dependable operating system in which the kernel, device driver, and applications are all written in managed code. The lowest-level x86 interrupt dispatch code is written in assembly language and C. Once this code has done its job, it calls the kernel, whose runtime and garbage collector are written in C# and run in unsafe mode. The hardware abstraction layer is written in C++ and runs in safe mode. There is also some C code to handle debugging. The computer's BIOS is only called during the 16-bit real-mode bootstrap stage; once in 32-bit mode, Singularity never calls the BIOS again, but rather calls device drivers written in C#. During installation, CIL opcodes of the C# kernel are compiled into x86 opcodes using the Bartok research project. Bartok is an optimizing compiler written in C# for translating CIL into x86.
The Microsoft Singularity page... with a completely crippled module system (no functors) and a crippled object system (no structural subtyping) no less. F# is very little more than a bearable syntax for .NET, i.e. it's a PR exercise which only really shows how limited the .NET runtime is.
- that cracked me up: one rootkit to bring delete them all, and in the darkness bind them
Read radical news here
this is microsoft innovation in action... coming up with tech to fix the symptoms instead of actually fixing the problem...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
"a rootkit that eliminates other rootkits"
Make an OS that can't be rootkitted.
"a firewall that blocks the traffic exploiting published vulnerabilities"
Sounds like an application level firewall.
"a system for catching lost e-mail"
Make an email system that doesn't lose emails.
"a honeypot targeted at discovering zero-day exploits"
Make an OS that fails safe in the presence of zero-day exploits.
"some anti-phishing applications"
Make an online identity system that can't be phished.
davecb5620@gmail.com
I'm sad that Microsoft Research is just playing catch-up with Microsoft Windows :*(
(In TFS it's all about security. Crucial but boring.)
Why does this not sound like research?
Stephan
http://stephan.sugarmotor.org
One rootkit to rule them all, one rootkit to find them. One rootkit to bring them all and in the kernel bind them.
It's interesting that Microsoft seems to be mostly focused on reactive security measures rather than proactive ones. It's true that they are adding some proactive security to Vista, like making some services run with lower privileges than they had in the past but, still, most of the stuff they are talking about has to do with identifying a threat and then blocking it.
Will Microsoft still be a viable competitor in the future? I mean, if this is all they're working on right now...
On a different note, did any of you realise that not a single computer is being advertised as having Vista installed? It was released already, no?
"Free software" is a matter of liberty, not price.
Oooooh, I developed something like that in my spare time in 1998 when I worked at the Netherlands' biggest telco helping them build services on top of their internet backbone. A database which contained information on known vulnerabilities, exploitable versions of software, exploit traffic, locally installed software, network traffic (from monitoring agents), network architecture and the relevant QoS and security policies. All the information was used to produce router/firewall scripts, upgrade warnings (for locally installed, exploitable software), intrusion warnings according to security policies, violations of the security policies (eg. telnet open on *nix, etc.), performance warnings etc. The information was regularly updated from agents on all local machines. It never got deployed as far as I know but still...
I guess I'm not the only one who made something like this either. It is, well, sort of obvious given the common use of computers and software to automate recurring tasks (eg. configuring firewalls for blocking vulnerabilities). In 'my' case the firewalls/routers could be configured to block traffic only to systems which had exploitable versions installed.
Nice that Microsoft Labs does something similar but it is not really worthy of the term 'research' IMnsHO, more application development.
--frank[at]unternet.org
The security holes that allow exploits, spam robots and email loss (due to robot spam flood), are all due to bugs and wrongly designed software.
I thought research would be new ideas, rather than workarounds for design flaws.
>a user's Web browser would identify passwords and other sensitive information when keyed into HTML forms on Web pages. When those passwords are input into a new site, that incident would be reported to a server. If the server detects an unusual number of logons to the new site, it could send out a signal that the site should be investigated for a phishing scam.
Why compromise people's surfing privacy to get a delayed warning that you should start an investigation of a phishing site that will be gone in a few days?
Why not
o Cache, on the client, a list of triples of hashed passwords (please salt them this time), public keys of the sites the passwords go to, and expiration dates of the public keys.
o For each use of a password in the browser, extract the public key of the destination site and if (key != storedkey(hash(password)) && !expired(storedkey(hash(password)))) { block_transaction(); alertuserandofferoverride(); }
Optional: report the incident to a server at some place that has a good working relationship with law enforcement in Romania
Optional: have a backup check that suppresses the alert if the destination is in the same class C to allow for server farms but catch redirects to weird phishy countries. Just a heuristic.
Add a wrinkle for the case of people using the same password on multiple sites. It still works, the phishing site won't be in the list of sites that go with the given password.
Which is no more than what ssh has been doing for, how many years now?
Maybe I should write a browser plugin as a publicity giveaway.
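The scheme proposed in the post above (cache a salted password hash with the destination site's key and expiry, block when the same password heads for an unknown key, and tolerate one password used on several sites) as an added example; this is not the poster's plugin or any shipped product. Site keys, passwords, and dates are constructed; a real plugin would take the key from the TLS certificate, and the class-C heuristic and the reporting step are left out.

```python
"""Password-to-site binding, an added example of the scheme proposed above.

The browser keeps, for each password it has seen, a salted hash plus the
fingerprints (and expiry dates) of the site keys that password has been sent
to. On the next submission the destination's key is compared with the stored
ones; an unknown key, while an unexpired binding exists, blocks the post and
prompts the user. Everything below is constructed for the demo.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


def fingerprint(site_public_key: bytes) -> str:
    """Stand-in for a certificate/public-key fingerprint."""
    return hashlib.sha256(site_public_key).hexdigest()


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so the cache never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordSiteCache:
    def __init__(self, now=datetime.now):
        self._now = now
        # each entry: {"salt": bytes, "hash": bytes, "sites": {fingerprint: expiry}}
        self._entries = []

    def _find(self, password):
        # per-entry salts mean we cannot index by hash; the list is small, so scan it
        for entry in self._entries:
            if hmac.compare_digest(entry["hash"], password_hash(password, entry["salt"])):
                return entry
        return None

    def remember(self, password, site_public_key, expires=None):
        """Bind the password to this site's key (called after the user approves)."""
        expires = expires or self._now() + timedelta(days=365)
        entry = self._find(password)
        if entry is None:
            salt = os.urandom(16)
            entry = {"salt": salt, "hash": password_hash(password, salt), "sites": {}}
            self._entries.append(entry)
        entry["sites"][fingerprint(site_public_key)] = expires

    def check(self, password, site_public_key):
        """Decide what to do with a form post: 'new', 'ok', 'expired' or 'block'."""
        entry = self._find(password)
        if entry is None:
            return "new"        # first time this password is used anywhere
        fp = fingerprint(site_public_key)
        if fp in entry["sites"]:
            return "ok"         # same password, a site it has gone to before
        if all(exp < self._now() for exp in entry["sites"].values()):
            return "expired"    # every known binding lapsed; let through and re-learn
        return "block"          # known password headed to an unknown key: alert, offer override


def demo():
    """Constructed walk-through: a bank, a second legitimate site, and a look-alike."""
    cache = PasswordSiteCache()
    bank_key, mail_key, lookalike_key = b"bank-key", b"mail-key", b"lookalike-key"
    cache.remember("correct horse battery", bank_key)
    cache.remember("correct horse battery", mail_key)   # reused password, second site
    cache.remember("old secret", bank_key, expires=datetime.now() - timedelta(days=1))
    return {
        "bank": cache.check("correct horse battery", bank_key),
        "mail": cache.check("correct horse battery", mail_key),
        "lookalike": cache.check("correct horse battery", lookalike_key),
        "unseen": cache.check("never used before", bank_key),
        "lapsed": cache.check("old secret", lookalike_key),
    }


if __name__ == "__main__":
    for site, verdict in demo().items():
        print(f"{site}: {verdict}")
```

The reused-password case works the way the post says: the look-alike's key is simply not among the keys bound to that password, so it is blocked even though two legitimate sites share the password. The privacy property is that nothing leaves the client unless the optional reporting step is taken, and the cache holds only salted hashes.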
So with API support that doesn't fully know how to utilize ADS, they are going to try and detect MY rootkit that is hiding in streams... yeah right.
"You've got Lost mail!"
It seems that no matter what MS does, they can't win!
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Oh, okay. Thanks. I wish that Microsoft would pay me. Fuck, my dad's on strike with Goodyear right now so I could really use the money. Hear that, Microsoft? I can be bought... For the right price!
Yay, I have a sig.
I thought Microsoft Research was a couple guys in a room with a Mac and a spiral notebook....
*LOL* That happened at a place I once worked for; their solution was simply to migrate people over to a new Exchange server. Eventually we regained the ability to access data on the old Exchange server, but we were never able to combine the accounts which was a real hassle.
A few weeks ago the boss came by and asked about using Exchange (we're a mostly UNIX shop running Sendmail) and rather than berating the product simply asked him if he liked receiving his email. If you're running Exchange you will have a major outage at some point.
The worst that's ever happened on our Sendmail servers is that some application starts nailing a box with debug email, the load spikes, mail processing slows and the spool possibly fills causing new messages to be rejected. Eventually some admin comes along and fixes the issue (typically by changing the app's email alias to /dev/null for a while) and the messages that were originally rejected are resubmitted.
Is this obvious or non-obvious? I got tired of running tripwire on my home computers for the time it takes to scan through the umpteen hundreds of thousands of files I have (backing up work I do). Even a bare system still takes a while. Not having to generate signatures would be nice, in some ways.
But, for the same security reasons for running a live boot CD, file comparison of the basic OS files is neat, too. But, eventually someone might figure a way around this, too.
I wonder if we'll have to sign an agreement so we don't get sued for using this technique...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
How about Microsoft finally documenting the various system calls for its IEEE 1394 driver stack? They have steadfastly refused to release docs of any type regarding its 61883.sys driver. So not only is there not source code, there's no interface definition either. And no samples. People have been wanting documentation on 61883 out of MS for over 4 years now. Nada. The MSDN library is as lame as ever when it comes to 61883 and the 1394 stack.
Innovate, schminnovate. I want to see them support what they've already got.
They are working on a bugfix release?
Furthermore, I consider that Microsoft must be destroyed.
I'm not surprised that MS Research had noticed the problem and *begun* working on it.
Then, being faster & nimbler, Mark R. actually wrote his program. Now, MS has acquired the rights to it, which should make their research go a lot faster.
Unless I'm mistaken, the article didn't portray Ghostbuster itself as a rootkit.
1. Float an idea
2. Get ground down in implementation
3. Buy someone else's
4. Profit!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
MSR *had an implementation* before Russinovich heard about it. Furthermore, their implementation at the time was more complete (except for the detection arms race I mention in a couple other posts) than RootkitRevealer is even now.
There's plenty to bash MS for. You don't have to make up crap.
...I can do on my Linux box??? I don't understand why this is "innovation"?