Re: [Full-Disclosure] National Database of Variants with Fixes-non-vendor specific

From: Rainer Duffner (rainer_at_ultra-secure.de)
Date: 08/11/04

    To: John Hall <j.hall@f5.com>
    Date: Wed, 11 Aug 2004 23:55:40 +0200
    
    

    On Wed, 2004-08-11 at 22:03, John Hall wrote:

    > No, seriously, I wouldn't put it past our current administration
    > and the tinfoil hat wearers at the FBI (yes, they got theirs too)
    > or worse, the jackboot wearers at the FBI (and elsewhere at the fed),
    > to fantasize about pushing such a dictum upon the US AV vendors (not
    > even crediting that a significant portion of the AV market is held
    > by non-US vendors), but realistically, it seems unlikely they'd be
    > successful in such an approach.

    Just take the airline passenger screening as an example.
    Even European airlines have to comply with rules and regulations that
    clearly violate European Data Protection Standards (and laws !!!).
    But what happens? Nothing, everybody silently complies, because in the
    end, people just want to fly and airlines want to give passengers that
    warm fuzzy feeling about security...
    (And the US threatened to terminate all landing permissions for all
    airlines that wouldn't comply. Most (almost all actually) caved in.)

    I'd like some members of the European Commission who voted in favor of
    this approach to be given a full body cavity search in a US airport because
    they ticked "no pork" on their menu card for the flight (and really only
    wanted to say that they are vegetarians and started an argument with
    customs about this fact) ....
    Then perhaps they'd know how dangerous this whole thing is.

    Ahem. Back on topic:
    Such an approach would be very successful, because probably nobody can
    ignore the US AV market.
    No comply = no sale. It's as simple as that (I guess).

    > Going even further off-topic (par for the course for FD), does
    > anyone have any ideas how they might create such a trojan (there
    > seems to be no mention of self-replication in any of the articles)
    > that could be recognized and ignored by AV software, but prevent
    > others from using the same methodology to shield their malware?

    Easy. Just make it part of the operating system kernel (i.e. Windows).
    It's probably more of a root-kit than a trojan.
    If it's done well enough (and I trust certain 3-letter-acronym-bodies of
    the US administration to be able to do that _very_ well) AV-products
    wouldn't even be able to detect it even if they wanted to.

    So persuading some shitty AV-vendors not to detect a kernel trojan that
    probably uses an API that came with the OS anyway seems pretty simple.

    The signature format of all AV products (except ClamAV) is closed
    anyway - the sigs are probably even encrypted for added security.

    It's just like normal wiretapping: everybody (every telco) does it, and
    nobody likes to talk about it, because it would be bad for business
    and scare off customers.

    That's also why I don't trust AV products for more than detecting Joe
    Scriptkiddy's self-made virus of yesterday (and even that they do just
    barely).

    Anyway, the discussion is really pretty pointless, I admit, because
    nobody can prove either side. People like me will attribute the fact
    that no one has found such a beast (Magic Lantern) in the wild to the
    fact that it's really well hidden, whereas other people ("Occam's razor",
    anybody?) will simply point out that it doesn't exist.

    cheers,
    Raine
    PS: Jesus, they even have a Wikipedia entry for that:
    http://en.wikipedia.org/wiki/Tinfoil_hat

    -- 
    ===================================================
    ~     Rainer Duffner - rainer@ultra-secure.de     ~
    ~           Freising - Munich - Germany           ~
    ~    Unix - Linux - BSD - OpenSource - Security   ~
    ~  http://www.ultra-secure.de/~rainer/pubkey.pgp  ~
    ===================================================
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
