Things which will NOT destroy the Earth:.... * Detonating all the nuclear weapons ever created simultaneously, either all at one location or strategically placed around the globe. This will irradiate pretty much the entire globe and kill an awful lot of people, animals and plants, but will actually destroy very little of the planet itself.
Sheesh, don't you watch C-Span? You send a few personal internets through the tubes, and the enormous amounts of material will get in line and be delayed.
No it is not. US law apparently says that you can be guilty of an offense without ever going there
Yeah, that's true. I guess I should have said that should be the difference. I think it's absurd that someone can be charged for something they did that was legal when and where they did it.
It's the US trying to enforce its laws within their borders.
In case you didn't notice, the site's based outside of the US, which means the crime's not being committed within the US.
The only wrinkle in this case is that it is my understanding they committed the offense while not in the US.
The only wrinkle?! That's the difference between not committing a crime and committing one!
The Exxon-Valdez oil spill trial is still ongoing, and that happened in 1989.
Man, and I just used my last mod points too...
There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-privileged instruction that reveals information about memory mappings (here).
That only would detect VMWare-style virtualization; to the best of my knowledge, the hardware virtualization that's now in chips (VT and whatever AMD calls theirs) should eliminate this possibility and force you to go with timing tests.
Wrong. If I control the CPU as kernel level, I can do anything I want.
That's true.
The OS is too untrustworthy after you hook it on a network (in Windows case especially).
Windows is no more vulnerable once you've got a kernel hook than Unix/Linux/whatever is. If anything, Linux is more vulnerable because figuring out the appropriate places to hook in Windows is a lot harder without source.
("Security through obscurity" is a bad idea -- but obscurity can be a layer and be helpful as long as you design and implement the rest of the system as if the obscurity wasn't there.)
(The increased vulnerability of Windows comes from the fact that it's easier to inject your code. The above only applies once you have a suitable kernel of your code running in ring 0.)
What does Kernel Level mean to you?
It means you're running in ring 0, privileged mode, CPL 0, whatever you want to call it. It means you can *theoretically* do anything.
I'm just saying that I don't think there are any non-VM rootkits that hide themselves so thoroughly that they can't be detected, because doing so is a difficult problem because there's way more that you have to trap if you want to be completely hidden than it initially seems. Like ALL I/O requests.
Or rather, does Microsoft allow you to do extensive reprogramming? I know of extensive Linux kernel, GLibc, and usermode program backdooring. You hit one, and there's still all the others. Essentially, if you have no reference system to verify good data/files, you're screwed.
Again, in theory, yes. In practice, now, there's still a lot you can do.
Assuming you'd actually store data in the registry if you're using a backdoor. That just strikes me as friggin stupid.
It really isn't; it's a perfectly legit method of ensuring that your rootkit is loaded if you can deal with the low-level/high-level scan thing or don't care if it's detectable with that method.
I'd store my data across the whole system in stupid stuff like user settings, whitespace on text and html files, files near commonly executed programs, and other various random places. And the backdoor would be hidden in plain sight, but in no recognizable form. It should take no more than 50 KB to start a backdoor, and the rest loaded from a distributed amount of places that the backdoor would have access to... local machines and the internet.
That's fine.
Remember, my point is that if you have detectable information on the disk (e.g. something you could find with a signature-based scan), you MUST be able to vet all I/O requests to the disk. That means requests through the file APIs, requests for specific blocks sent to devices, and I/O requests that might be issued from other drivers. (For instance, you have to be prepared for detection software to load its own device driver and issue I/O requests itself.) Of course, if you can intercept all I/O instructions then the first two come free. Your rootkit must then be able to mutate the data that's returned so that it hides its presence but is still sane. This very well may mean that you have to understand NTFS and FAT, though it's possible that you could get all needed information from existing kernel data structures.
I don't think such a rootkit is known to exist right now, and I don't think we'll see one. It's now easier to drop the OS into a virtual machine and have a VM-based rootkit. (Though I'm somewhat skeptical about a sudden loss of speed tipping people off, it should be possible in theory to make this undetectable to software running in the guest OS.)
Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received.
If that's ALL you hide, then you'll be found by all of these tools.
You ALSO have to mess with low-level I/O requests; if an application can say "I want block #17" you need to be able to mutate the returned data if it's a directory block or something like that. On Windows if you have detectable information in the registry, you also need to intercept all requests to the registry hives (either by file name or block number) and mutate the information in them to hide your data.
If you can analyze the volume directly (and be sure of the integrity), you CAN'T hide data on it.
If you have to run a "checking program" on a corrupted system, what makes you think you'll get good results? I keep drilling this point, but all you do is give dumb comments.
I don't think there's a rootkit now that has the sophistication to hide from all the above avenues of detection.
There's no reason why they MUST work, but for now they do a decent job.
Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean every time.
But if you don't hide files, you leave yourself as open to signature-based detection as viruses are, so your typical virus scan should pick it up. Even if you can obfuscate yourself well enough to hide from signature-based scans, if you alter system files like userinit or explorer, you are vulnerable to tripwire-like systems.
So if you want to protect against that but remain persistent, you're back to hiding files or file data, which means you have to address the low-level/high-level type scan that these tools do.
If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot...
There's no fundamental reason why they couldn't intercept the I/O requests from your native app and return false but consistent data there.
It's just very difficult to do, which is why rootkits try to skirt detection based on the Strider: Ghostbuster method (do a low-level scan of the on-disk filesystem data structures, compare to the results from the FindNextFile API; do a low-level parse of the registry hives, compare to the registry APIs; etc.) by UNHIDING the hidden/changed data from the rootkit detector rather than hiding from the low-level scans.
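The cross-view comparison described in the comment above (low-level parse of the on-disk structures versus the FindNextFile / registry API view, in the Strider GhostBuster style) is easy to show in code. The following is an added example and is not code from any poster on this page or from the GhostBuster project; the file names, the rootkit scenarios and all "file contents" are constructed sample data, and the two views are represented as plain dictionaries rather than a real NTFS or hive parser.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One object as reported by a given vantage point: a file or a registry value."""
    name: str
    size: int
    sha256: str


def entry(name: str, content: bytes) -> Entry:
    """Build an Entry from constructed content bytes (the hash stands in for the data)."""
    return Entry(name, len(content), hashlib.sha256(content).hexdigest())


View = Dict[str, Entry]


def cross_view_diff(high_level: View, low_level: View) -> Dict[str, List[str]]:
    """Compare the API view (what FindNextFile or the registry APIs report) against
    an independently obtained low-level view (a parse of the on-disk structures).

    hidden  : on disk but missing from the API view (the rootkit filters listings)
    phantom : in the API view but not on disk (an inconsistent lie, also suspicious)
    mutated : present in both with a different size or hash (a patched file whose
              original bytes are served back through the file API)
    """
    high_names, low_names = set(high_level), set(low_level)
    return {
        "hidden": sorted(low_names - high_names),
        "phantom": sorted(high_names - low_names),
        "mutated": sorted(n for n in high_names & low_names
                          if high_level[n] != low_level[n]),
    }


def is_suspicious(report: Dict[str, List[str]]) -> bool:
    """Any discrepancy between the two views means one of them is lying."""
    return any(report.values())


# ---- constructed sample data (not real file contents) ----------------------
CLEAN_SYSTEM32: View = {
    "explorer.exe": entry("explorer.exe", b"MZ explorer (constructed)"),
    "userinit.exe": entry("userinit.exe", b"MZ userinit (constructed)"),
    "notepad.exe": entry("notepad.exe", b"MZ notepad (constructed)"),
}


def views_crude_rootkit() -> Tuple[View, View]:
    """A rootkit that hooks only the file APIs: it hides its driver file and serves
    the original userinit.exe bytes, but raw block reads still see the truth."""
    low = dict(CLEAN_SYSTEM32)
    low["rk_loader.sys"] = entry("rk_loader.sys", b"constructed driver bytes")
    low["userinit.exe"] = entry("userinit.exe", b"MZ userinit (constructed) + patch")
    high = dict(CLEAN_SYSTEM32)  # the lie: nothing added, nothing changed
    return high, low


def views_consistent_rootkit() -> Tuple[View, View]:
    """A rootkit that also intercepts the low-level reads, or that 'unhides' itself
    when it recognises the scanner, tells both vantage points the same story, so
    the diff is empty. This is the limit the thread is arguing about."""
    _, truth = views_crude_rootkit()
    return dict(truth), dict(truth)


def views_registry_autostart() -> Tuple[View, View]:
    """Same comparison applied to an autostart key: values enumerated through the
    registry API versus values parsed from the hive file on disk."""
    low = {"Userinit": entry("Userinit", b"userinit.exe,"),
           "rk": entry("rk", b"rk_loader.exe")}
    high = {"Userinit": entry("Userinit", b"userinit.exe,")}
    return high, low


def scan(make_views: Callable[[], Tuple[View, View]]) -> Dict[str, List[str]]:
    high, low = make_views()
    return cross_view_diff(high, low)


if __name__ == "__main__":
    for label, maker in [("crude", views_crude_rootkit),
                         ("consistent", views_consistent_rootkit),
                         ("registry", views_registry_autostart)]:
        report = scan(maker)
        print(f"{label}: suspicious={is_suspicious(report)} {report}")
```

The value of the method rests entirely on the low-level view being gathered through a path the rootkit does not control (its own driver issuing block reads, or an offline read of the volume); when both views are filtered by the same hook, as in the "consistent" case, the scan returns clean and tells you nothing.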
If you're running on an infected system, you can't be guaranteed to find anything.
How to Destroy the Earth
In all seriousness, though, if this has Kirk and Spock at the Academy, it is 100% guaranteed to feature a scene in which Kirk rigs the Kobayashi Maru simulator. ...I can't tell if that would be really cool or destroy the mysticism of it.
It might be naivety on his part, but I can't really say that it's his fault because the studios' accounting practices should be (if they are not) illegal. Wikipedia says he won his case, so I guess the courts agreed.
The BBC article I read also is not fully clear; it's possible that his contract was in place a long time ago.
I cannot imagine ever thinking $250 million is not enough FOR MY OWN bank account. It would be different if I owned a company but still that is more money than the GDP of some countries. Good god.
What if he wanted to start a company?
Or finance his own movie? Become the next Lucas. (Though hopefully without the decline into sucktitude.)
Or what if he's just concerned about the principle of the thing and is tired of seeing the studios screw the actual artists out of money through "questionable" accounting that produces values like Spiderman making no profit. (Stan Lee said he wasn't paid anything until he sued Marvel despite the movie grossing over $800m worldwide, having a production budget of under $140 million, and a contract that said he was to be paid 10% of profits.)
Interesting. I would guess then that they're treating selling fake drugs the same as selling the real thing (instead of a grade or so below as the generic inchoate crime section generally specifies); any idea if this is true?
They are uploading *FAKE* torrents. As in not real ones. As in they aren't uploading the copyrighted content.
Um, where did you read that? Or are you making it up?
There's a specific law against dealing fake drugs, though.
...if they're the copyright holders, I have to believe that they're authorizing you to have it by distributing it like that
Are you sure about that? I can't speak to the federal system of laws, but at least in states that model their criminal codes after the Model Penal Code, there's no specific "attempted blah" crimes, but just an overall "a person commits an attempt when, with intent to commit a specific crime, he does any act which constitutes a substantial step toward the commission of that crime" clause in the general section of the code. For instance, here's PA's, here's New York's, and here's Virginia's. (VA doesn't define attempt, but they have a generic attempt section.)
Now, the federal code is more twisted than the MPC, so it may explicitly define attempts. Anyone know?
(Of course, copyright infringement of the sort we're talking about here is more or less not a criminal matter so this doesn't really apply.)
They aren't authorizing you to have it because they aren't distributing it. They're distributing random data.
WTF is a social offense?
Copyright infringement is at least a civil offense, and sometimes a criminal offense too.
It could be that the standards are different in different places. I bet a 3.5 at CMU means rather more than a 3.5 at, say, my undergrad alma mater for example.
Actually this post is wrong: the recent use of "iPhone" dates back over a year. There's a Linksys iPhone that was available as early as November 2005. (Linksys is owned by Cisco.)
It still could have been named with a thought to creating a conflict with a potential Apple name, but that's at least no longer obviously the case.
...it's a very recent product
Actually I take that back... there's a Linksys iPhone that was available as early as November 2005.
That's why Ford slapped the "Cobra" name on the recent Mustang--if they didn't the trademark could conceivably be used by another car builder with impunity.
Sort of how Cisco slapped the "iPhone" name onto their, well, iPhone about a month ago. No doubt it was to increase pressure and get more money from Apple, but I think they're legally in the clear in terms of having an enforceable trademark.
Cisco can hardly argue damages; they have no "iPhone" product from which Apple is causing confusion.
Besides this you mean. (Which, granted, may have been created with the intent of trying to squeeze some money out of Apple as it's a very recent product.)