Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

[Guest]

Linux driver problems? No 3G support? What year does she live in, 2002? I'm writing this stuff over a 3G connection which seems to be running fine and was far more easier to set up than it was in Windows XP. All I had to do was to select my modem model from a list as well as my ISP and there it was.

Sure, there are some vendors who don't support Linux at all, especially with WLAN cards, but my experience with Linux device support has been impressive. No search for driver CDs or whatnots, just plug it in and it works like magic!

 

[BillLake]

I found the article insightful. I think the Security by Isolation is key also. I do find that Joanna Rutkowska perspective enlightening. I use all OS's in specific reasoning. In place of her red machine, I have substitued a Live OS CD based system. This prevents any persistant attacks unless they can hack the hardware. I use VM to run most of my other daily task and a dual boot MacBook Pro with OS X and Vista to do my "important" work. It does create some difficulty in your daily life but you get used to it very quickly. The hardest part is not getting confused as to what your working on. I think her idea of a very thin hypervisor is great, then an OS that just creates the GUI environment you desire and then that individual app. This seperation would be awesome and mitigate lots of the issue we see today.

 

[dangerous_23]

could TOMS do a howto on creating a setup using VMs to enhance one's security? - what firewall, network settings, (e.g. what type of host interface in VM manager) and what browser settings etc, would you use for a typical home network with an adsl modem with built in lan and wireless.

 

[Guest]

The "security by obscurity" using heterogeneous systems is itself a pretty significant security risk. You only wish to compromise a single system to access the central data. Attacking all systems simultaneously with a random attack vector is more likely to find that one of those many heterogeneous systems is going to be vulnerable to it, and then you're in.

You can't harm the other systems, but you have the data, which is all that you want.

 

[Guest]

"... all those systems use those big monolithic kernels which host all those third-party developed drivers"

I would like to know what thinks of the GNU Hurd in this respect. Is is more secure?

 

[Guest]

A bit interesting article, with some serious inaccuracies. Anyway, it's always worth to look on the other side of the coin:

http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html
http://blogs.zdnet.com/security/?p=340

And more.

 

[moschops]

If I'd read all the comments first I might not have bothered to read the article, however I'm glad I did. Happy to see Tom's including some more in depth topics with people who know what they are talking about. Sure the interview style with chat and desire to add introductory material doesn't do the subject justice, but I did appreciate it. As for some people not understanding it - well there are plenty of Tom's Guide in depth articles on processors, memory technology and such that contain a lot of material I'm sure 95% of readers have no clue about so what's the bid deal.

As for the comments about whether she is hot or not, geez guys (and yes, it is guys making all those comments), GTFU (grow the f**k up) and find some other website to get your kicks over.

 

[000001]

While you were asking for security advice from the, 'expert'

$ uname -a
Linux heze.lunarpages.com 2.6.9-78.0.22.ELsmp #1 SMP Thu Apr 30 19:14:39 EDT
2009 i686 i686 i386 GNU/Linux
$ grep invisi /etc/passwd
invisi6:x:32181:32182::/home/invisi6:/usr/local/cpanel/bin/noshell
$ host invisiblethingslab.com
invisiblethingslab.com has address 216.97.235.20
$ /sbin/ifconfig | grep 216.97.235.20 | head -n 1
inet addr:216.97.235.20 Bcast:216.97.235.255 Mask:255.255.255.0

[DIR] WysiwygPro/ 10-May-2006 04:07 -
[TXT] about.html 18-Jul-2008 04:02 3k
[TXT] blog.html 07-May-2006 13:34 2k
[DIR] bluepillproject/ 13-Oct-2008 20:23 -
[DIR] cgi-bin/ 27-Aug-2005 02:10 -
[TXT] code.html 18-Jul-2008 04:03 6k
[TXT] contact.html 18-Jul-2008 04:03 2k
[TXT] events.html 18-Jul-2008 04:11 23k
[DIR] gallery/ 17-May-2006 02:36 -
[DIR] images/ 18-Jul-2008 04:03 -
[TXT] index.html 18-Jul-2008 04:02 5k
[DIR] invisiblethingslab/ 17-Jul-2009 07:41 -
[DIR] itl_ftp/ 26-Nov-2008 11:52 -
[TXT] joanna.asc 12-Feb-2008 12:57 4k
[TXT] newsarchive.html 10-May-2006 10:10 8k
[TXT] papers.html 18-Jul-2008 04:03 18k
[DIR] papers/ 04-Jan-2009 13:50 -
[DIR] priv/ 12-Aug-2007 07:11 -
[DIR] pub/ 05-Feb-2008 07:32 -
[TXT] robots.txt 04-Mar-2008 07:27 1k
[TXT] speaking.html 18-Jul-2008 04:06 5k
[TXT] style.css 18-Jul-2008 04:03 4k
[DIR] tools/ 04-Mar-2008 07:29 -

 

[Guest]

Saw and listened to her at BlackHat this year. She is wicked smart. The real deal, no doubt. Excellent interview.

Little advice to the interviewer; your Jedi mind tricks won't work on her. You picked the wrong person to try to showcase you cyber security skillz.

 

[z3r0_f4ct0r]

I'm curious to know how Mac OS X implements security by isolation. It has no os level virtualization like FreeBSD with Jails, Solaris with Zones and Linux with VServer.

Apple has hired Ivan Krstic who has created bitfrost (based on Linux VServer) for OLPC but as of yet Mac OS X has no equivalent "Jails" mechanism.

A Jails mechanism would greatly improve security by isolation and with a lot less overhead on resources.

Thoughts?

 

[Guest]

I think she missed a phrack article about SMM: "---[ 3.1.1 - Cache-originated overwrites" when she says she discovered a vulnerability in the caching handling.

Also, I think she forgot to mention that Bluepill was created by a company, called Coseinc and together with other developers (so, she have not created Bluepill, she was a member of the team who did).

Probably she also forgot to say that when somebody sent her an email saying about SMM to be more powerful than virtualization she answered: "This is not research for me."

Also, she forgot to mention that a lot of people created kernel protections much before she ever talked about that, actually she used lots of concepts from StMichael (www.sf.net/projects/stjude) in 'her' solution for Windows.

Completely fake. She has good technical skills, but she is much better in Marketing than in reality.

 

[Guest]

I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed.

MY THOUGHTS EXACTLY AND THATS WHEN I SKIPPED TO THE COMMENTS
SO GLAD PEOPLE STILL THINK OUT THERE IN NEVER NEVER LAND!

 

[Guest]

besides... wtf does a mac user know about security

HAHA SEE I CAN MAKE UNINFORMED STATEMENTS TOO..

seriously tho.. they dont.. they suck
PC+LINUX=whybotherwithaslackintosh

 

[Guest]

"lot's of backslapping and i'm so smart"

+1

this person gets paid gobs of money to say that the way intel/mac/ms wanna go at it is the only way. but even with her jibberjabber/talking-up-her-sleeve whenever the interviewer suggested a variety of operating systems/hardware being useful, she still mentioned how several important and now useful-to-the-megacapitalisas strategies were being used by various linux operating systems 10 YEARS AGO.

she and those yobs love rolling around in the trough together. i'm going to give them as little of my money as possible to fart thru.

 

[chrysalis]

She talks some good stuff but she was way off when the interviewer tried to get her to understand the redundant setup a hospital may have, he was sayinf ia hospital used multiple operating systems, hardware types etc. so as to not have the same software/hardware setup everywhere then if a vulnerability was disovered they could simply turn them off or at least take off-line the affected equipment, she seemed to get confused and consider this as "security by obscurity" when it is not. It is in affect covering all basis allowing a hospital to keep functioning in the event of such a problem. Security by obscurity is doing things like hiding the version number or even faking the version number, moving the port number of a service etc. Basically hiding a problem instead of fixing it. She is very correct in that "security by obscurity" is very little against someone who wants to extract information from your systems but she is incorrect in labeling what he was saying as "security by obscurity".

 

[Device Unknown]

[citation][nom]000001[/nom]While you were asking for security advice from the, 'expert'$ uname -aLinux heze.lunarpages.com 2.6.9-78.0.22.ELsmp #1 SMP Thu Apr 30 19:14:39 EDT 2009 i686 i686 i386 GNU/Linux$ grep invisi /etc/passwdinvisi6:x:32181:32182:home/invisi6usr/local/cpanel/bin/noshell$ host invisiblethingslab.cominvisiblethingslab.com has address 216.97.235.20$ /sbin/ifconfig | grep 216.97.235.20 | head -n 1 inet addr:216.97.235.20 Bcast:216.97.235.255 Mask:255.255.255.0[DIR] WysiwygPro/ 10-May-2006 04:07 - [TXT] about.html 18-Jul-2008 04:02 3k [TXT] blog.html 07-May-2006 13:34 2k [DIR] bluepillproject/ 13-Oct-2008 20:23 - [DIR] cgi-bin/ 27-Aug-2005 02:10 - [TXT] code.html 18-Jul-2008 04:03 6k [TXT] contact.html 18-Jul-2008 04:03 2k [TXT] events.html 18-Jul-2008 04:11 23k [DIR] gallery/ 17-May-2006 02:36 - [DIR] images/ 18-Jul-2008 04:03 - [TXT] index.html 18-Jul-2008 04:02 5k [DIR] invisiblethingslab/ 17-Jul-2009 07:41 - [DIR] itl_ftp/ 26-Nov-2008 11:52 - [TXT] joanna.asc 12-Feb-2008 12:57 4k [TXT] newsarchive.html 10-May-2006 10:10 8k [TXT] papers.html 18-Jul-2008 04:03 18k [DIR] papers/ 04-Jan-2009 13:50 - [DIR] priv/ 12-Aug-2007 07:11 - [DIR] pub/ 05-Feb-2008 07:32 - [TXT] robots.txt 04-Mar-2008 07:27 1k [TXT] speaking.html 18-Jul-2008 04:06 5k [TXT] style.css 18-Jul-2008 04:03 4k [DIR] tools/ 04-Mar-2008 07:29 -[/citation]

Ok, this was hilarious. Guessing mot many understand what you did here, which makes it funnier.