Re: No Defense Against Windows Rootkits?
From: Imhotep (Imhotep_at_nospam.net)
Date: 09/29/05
- Next message: Imhotep: "RealPlayer and Helix Player in Linux security scare"
- Previous message: Imhotep: "Re: No Defense Against Windows Rootkits?"
- In reply to: nemo_outis: "Re: No Defense Against Windows Rootkits?"
- Next in thread: nemo_outis: "Re: No Defense Against Windows Rootkits?"
- Reply: nemo_outis: "Re: No Defense Against Windows Rootkits?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 Sep 2005 01:00:51 -0400
<snip>
>
> Perhaps I misread your post - did you not frame the central question in
> terms of Windows being closed-source?
>
> But, no, I see I did NOT misread your post - that is indeed how you
> framed the question. And the point of my response was that framing the
> problem that way is unhelpful - a red herring, in fact. Open- or closed-
> source has very little to do with the problem of rootkits - or with
> solutions.
Do you generally quote yourself? Neither do I. That was the introduction of
the story where I first came across the article...hence the quotes.
"Spyware bad guys (and also phishing people) started using rootkits
technology to stay hidden in a system. The problem is that at the moment
the technology to defend a Windows system from these things is very poor.
In fact antivirus companies have just started adding basic anti-rootkits
technology. So the problem is serious, and well outlined by this question:
Is the closed source code of Windows preventing us from actively defending
our systems?"
Although, I do believe in the merit of open source and open standards over
proprietary source and standards...
> In fact, rootkits are common on many of the open-source *nices (and have
> "migrated" to closed-source Windows only relatively recently). The
> *nices are where rootkits first came to prominence, emphasizing my point
> that open- or closed-source is hardly the central aspect.
No idea how this topic became an open source vs. proprietary source
discussion...
Yes, rootkits first hit Unixes about 10 years ago when Windows 95 was just
new...now they are being used against Windows. Now, using *that* as a
justification for "...emphasizing my point that open- or closed-source is
hardly the central aspect" is weak at best.
> So what part of my point did you find confusing or unclear?
I understand your point; I just don't agree with it. There are many more
things to consider when comparing open standards/open source to proprietary
source/proprietary standards than just the history of rootkits...
>
>
> Incidentally, FWIW means "for what it's worth." I would have expected
> an old-timer to be familiar with acronyms and buzzwords, but, if not, let
> me refer you to, for instance:
Nah, I am not a member of the acronym fad group. I'll just spell it out,
thank you.
> http://kb.iu.edu/data/adkc.html
>
>
>
>>> Unix or Windows rootkits operate at the level of binaries. Where the
>>> binaries come from (open- or closed-source) is immaterial.
>>
>> Ah...ok...again not sure what that has to do with the article or what
>> point you are trying to make...
>
>
> Again, my point is that open- or closed-source is not the key aspect. A
> rootkit compromises the OS at the executable binaries level and NOT at
> the source-code level.
All binaries are "born" from source :-)
>
>
>
>
>>> Regards,
>>>
>>> PS Full HD OTFE encryption provides a large measure of protection
>>> (although not complete protection) against rootkits and other
>>> malware.
>>
>> Another is *not* running user's accounts with any privileges...which
>> is one of the easiest (well, if you use UNIX/Linux/BSD) things you can
>> do.
>>
>>> PPS The only complete protection (passing over hardware tampering
>>> such as compromised BIOSs) is something like hash-checking essential
>>> files after booting from a known-good CD.
>>
>> Sure but that would be a real pain-in-the-ass to do every time you
>> boot. Also, if you do not reboot frequently that measure becomes
>> useless (i.e. you need to reboot with a CD with the saved file hashes to
>> detect a break-in after the fact)
>
>
> There are a number of protections that can be applied against rootkits:
> before, during, or after the fact.
>
> Windows, whatever its other deficiencies, has rich and sophisticated
> permissions, policies, and control mechanisms - every bit the match of
> the *nices. While I concede unhesitatingly that most users don't use
> them and often run naked in admin mode, that is not an inherent flaw of
> the OS.
Honestly, I will take FreeBSD over MS whatever every time.
One of the more serious problems with Windows was how it, and third party
software, did not address non privileged users very well. This has resulted
in people running their accounts with local admin privs. Would you surf the
Internet logged in as admin? Why would you surf the web in *your*
account with admin privs since, really, they are the same account with
respect to system privileges....
The other problem with Microsoft is, frankly, they are too busy with other
projects to really make quality software. They are too busy, trying to
maintain too many markets and have become reliant on the attitude of "what
else are you going to run on your desktop?" This arrogance has caused them
to lose touch with their customers' needs.
> Next: If you do not have constant control and custody of the machine,
> there is a significant risk that someone can manually install a rootkit,
> no matter what permission mechanisms the OS invokes when running. Full
> OTFE HD encryption is a significant protection against this major class
> of risk any time the system is not running! The alternative is
> validating everything from known-good sources before each boot (or just
> taking your chances, I suppose).
>
> Regards,
Im
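The "hash-checking essential files after booting from a known-good CD" approach debated above, as an added worked example that is not part of the original post or of either poster's code: build a baseline of SHA-256 digests for a set of essential files, keep that baseline off the suspect disk (on the boot CD/USB), and after booting from the known-good media compare the live files against it. The directory names, file contents and the simulated compromise are constructed for the demo; the point it adds to the thread is that the check must report new files as well as changed and deleted ones, since a rootkit driver dropped into a trusted directory is as telling as a patched binary, and that the comparison is only trustworthy when neither the hashing tool nor the baseline lives on the disk being examined.

```python
"""
Offline file-integrity check: baseline SHA-256 digests of essential files,
store the baseline off the suspect disk, and compare the live tree against
it after booting from known-good media.

Added illustration, not code from the original thread. The sample file tree,
its contents and the simulated compromise are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB pieces so large binaries need not fit in RAM


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped: hashing a link's target would let an attacker
    point a 'trusted' name at an arbitrary file and still match."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a saved baseline and return the
    modified, missing and added files. 'added' matters for rootkits too:
    a new driver in a trusted directory is as suspicious as a changed one."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # In real use dest is on the boot CD/USB, never on the disk being checked:
    # a rootkit that can hide files can also rewrite a baseline it can reach.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small 'system' tree, then simulate a
    rootkit patching one library, deleting a driver and dropping a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers").mkdir(parents=True)
        (root / "ntoskrnl.exe").write_bytes(b"known-good kernel image (constructed)")
        (root / "ntdll.dll").write_bytes(b"known-good ntdll (constructed)")
        (root / "drivers" / "disk.sys").write_bytes(b"known-good disk driver (constructed)")

        baseline_file = Path(tmp) / "baseline.json"  # stands in for the CD/USB copy
        save_baseline(build_baseline(root), baseline_file)

        # Simulated compromise of the running system
        (root / "ntdll.dll").write_bytes(b"patched ntdll hiding processes (constructed)")
        (root / "drivers" / "disk.sys").unlink()
        (root / "drivers" / "hidden.sys").write_bytes(b"rootkit driver (constructed)")

        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it from a live CD against the mounted (not booted) system volume with the baseline on the same read-only media; run against the booted system instead, and a kernel-level rootkit can simply feed the hashing tool the original bytes.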