Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm posting
here...

Can anyone tell me if Vista will include any security features designed to
thwart rootkits, or are we still looking at third party software for such
malware? The news I've read about the rootkit software on certain Sony music
CDs (and how it's already been used to get past some online game's cheat
controls, etc.) caught my eye.

I'm aware of the reduced user privs feature...Just hope it works right!

Thanks,
Sir Tim

Re: Windows Vista and Rootkits by Miha

Miha
Fri Nov 04 15:19:17 CST 2005

Hi,

If I am administrator (or root) on the computer (it actually doesn't matter
what operating system, since none of the operating systems are immune to
this) I will always be able to install a rootkit on the computer... Even if
you install a 3rd party tool, there is nothing stopping a person with
administrator access from shutting down this 3rd party tool (like e.g.
antivirus or "anti-rootkit" tool).

--
Mike
Microsoft MVP - Windows Security

"Sir Timbit" <sir_timbit@hotmail.com> wrote in message
news:OU%23IdgW4FHA.3136@TK2MSFTNGP09.phx.gbl...
> Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm
> posting here...
>
> Can anyone tell me if Vista will include any security features designed to
> thwart rootkits, or are we still looking at third party software for such
> malware? The news I've read about the rootkit software on certain Sony
> music CDs (and how it's already been used to get past some online game's
> cheat controls, etc.) caught my eye.
>
> I'm aware of the reduced user privs feature...Just hope it works right!
>
> Thanks,
> Sir Tim
>



Re: Windows Vista and Rootkits by Roger

Roger
Fri Nov 04 16:48:14 CST 2005

Vista will introduce some new technologies that assist in
addressing the problem (which is currently existent in any
OS BTW). However, until we see the fruits from the much
more radical rearchitecting happening in the trusted computing
initiative I doubt that we will see a final, total solution.
The situation is basically this. An OS has to keep track of
things, and have access methods allowing it to use that
tracking. So, as long as ways can be found to "work around"
or maybe I should say "work through" those access methods
for a set of critical tracked item types, then rootkitting systems
is a possibility. If you see, it is sort of a chicken and egg issue.
The system has to track. The only thing it has to track with is
itself. So what it uses to track is right there, potentially
preemptible.
Let me just put it this way. This is a hard problem that has been
around for decades. But, be assured, some of the best minds
are trying to craft undefeatable resolutions.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Sir Timbit" <sir_timbit@hotmail.com> wrote in message
news:OU%23IdgW4FHA.3136@TK2MSFTNGP09.phx.gbl...
> Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm
> posting here...
>
> Can anyone tell me if Vista will include any security features designed to
> thwart rootkits, or are we still looking at third party software for such
> malware? The news I've read about the rootkit software on certain Sony
> music CDs (and how it's already been used to get past some online game's
> cheat controls, etc.) caught my eye.
>
> I'm aware of the reduced user privs feature...Just hope it works right!
>
> Thanks,
> Sir Tim
>



Re: Windows Vista and Rootkits by Karl

Karl
Fri Nov 04 19:29:32 CST 2005

The point of rootkits is that they fool the operating system, so the point
is you can't really trust the operating system [e.g. Windows]. MS has tools
and research that are already helping customers with rootkits today, but
they're separate from the OS, and maybe always will be. I think it's proper
for MS to concentrate within Windows on preventing rootkits rather than
trying to detect them from within the OS. Also, Windows is intended to work
for everyone by default and be extensible for people who want to customize.
This usually means that you're always best off choosing your favorite third
party security tools, no matter what OS you use, because everyone has
different needs, preferences, technical skill and tolerance for the effort
it takes to configure those tools. Tools you choose and install [whether
from a third party or optional tools from www.microsoft.com/downloads]
become your responsibility, whereas tools that are bundled with the OS
become a liability for Microsoft if they become a nuisance.


"Sir Timbit" <sir_timbit@hotmail.com> wrote in message
news:OU%23IdgW4FHA.3136@TK2MSFTNGP09.phx.gbl...
> Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm
> posting here...
>
> Can anyone tell me if Vista will include any security features designed to
> thwart rootkits, or are we still looking at third party software for such
> malware? The news I've read about the rootkit software on certain Sony
> music CDs (and how it's already been used to get past some online game's
> cheat controls, etc.) caught my eye.
>
> I'm aware of the reduced user privs feature...Just hope it works right!
>
> Thanks,
> Sir Tim
>
>



Re: Windows Vista and Rootkits by Imhotep

Imhotep
Sat Nov 05 12:17:51 CST 2005

Sir Timbit wrote:

> Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm
> posting here...
>
> Can anyone tell me if Vista will include any security features designed to
> thwart rootkits, or are we still looking at third party software for such
> malware? The news I've read about the rootkit software on certain Sony
> music CDs (and how it's already been used to get past some online game's
> cheat controls, etc.) caught my eye.
>
> I'm aware of the reduced user privs feature...Just hope it works right!
>
> Thanks,
> Sir Tim


There are things you CAN do to make it more difficult. First and foremost,
and I do not care what anyone says, do NOT give yourself and other users
local admin/root privs. Think of it like this: rootkits NEED privs to
install themselves. If you do not have them, but are tricked into executing
something, the rootkit install will fail (you do not have sufficient
privs to install software)...this formula is the same for all OSes (Linux,
BSD, UNIX, Apple and Windows).

Unfortunately, with the exception of Windows, these OSes do not require you
to have local root privs to run software. Windows has brought some bad
habits to the PC world, as well as most software companies, by writing
software that expects you, the local user, to have admin privs, thus making
rootkits, spyware, trojans and general crapware very easy to install.

Take the UNIX best practice approach: Remove ALL users from the root/admin
group...

Imhotep

Re: Windows Vista and Rootkits by Imhotep

Imhotep
Sat Nov 05 12:22:22 CST 2005

Miha Pihler [MVP] wrote:

> Hi,
>
> If I am administrator (or root) on the computer (it actually doesn't
> matter what operating system, since none of the operating systems are
> immune to this) I will always be able to install a rootkit on the
> computer... Even if you install a 3rd party tool, there is nothing stopping
> a person with administrator access from shutting down this 3rd party tool
> (like e.g. antivirus or "anti-rootkit" tool).
>

Yup. The problem is this. If you want to detect the most sophisticated
rootkit, you need to pull the disk and analyze it using another machine.
Running any rootkit detector on an infected machine is quite dangerous
because you can never be 100% sure that you are not infected.

In short: pull the disk, mount the disk as a data disk. Then run a rootkit
analyzer....

Imhotep
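Imhotep's pull-the-disk method, and the cheaper on-host pass Karl suggests later in the thread, are both instances of cross-view detection: enumerate the volume once through the view the rootkit controls and once through a view it does not, then diff the two listings. The block below is an added example written for this page, not code from any poster. The volume contents, the two rootkit models and the detector are constructed; the hide rule copies the widely reported behaviour of the Sony XCP rootkit, which hid any name beginning with `$sys$`.

```python
"""Cross-view rootkit detection (constructed example for this thread).

A rootkit that hooks the file-enumeration API hides entries from every tool
that asks the running OS.  Listing the same volume from a view the rootkit
does not control and diffing the two listings exposes what was hidden.
"""

HIDE_PREFIX = "$sys$"  # mimics the Sony XCP hide rule; contents below are made up

# Constructed volume: path -> contents.  The "$sys$" entries stand in for a
# rootkit's own driver, its configuration directory and a cheat payload.
VOLUME = {
    "/Windows/System32/ntoskrnl.exe": b"kernel image",
    "/Windows/System32/drivers/$sys$drv.sys": b"rootkit driver",
    "/Windows/System32/$sys$cfg/settings.ini": b"rootkit config",
    "/Program Files/Game/anticheat.dll": b"anti-cheat module",
    "/Users/tim/$sys$cheat.exe": b"cheat hidden from anti-cheat",
}

# Two rootkit models.  A user-mode kit hooks the documented enumeration API
# only; a kernel-mode kit also filters raw volume reads on the infected host.
USER_MODE_KIT = {"hooks_api": True, "hooks_raw": False}
KERNEL_KIT = {"hooks_api": True, "hooks_raw": True}
NO_KIT = {"hooks_api": False, "hooks_raw": False}


def is_hidden(path):
    """The kit's filter: any path component starting with HIDE_PREFIX."""
    return any(part.startswith(HIDE_PREFIX) for part in path.split("/"))


def enumerate_via_api(volume, kit):
    """What every tool on the infected machine gets from the OS API."""
    return {p: c for p, c in volume.items()
            if not (kit["hooks_api"] and is_hidden(p))}


def enumerate_raw_on_host(volume, kit):
    """A detector's own raw parse of the volume, still on the infected host.
    Cheap, but a kernel-mode kit that filters sector reads defeats it."""
    return {p: c for p, c in volume.items()
            if not (kit["hooks_raw"] and is_hidden(p))}


def enumerate_offline(volume):
    """Disk pulled and mounted as a data disk on a clean machine: the kit's
    code never runs, so nothing is filtered."""
    return dict(volume)


def cross_view(untrusted, trusted):
    """Paths the trusted view has that the untrusted view lacks."""
    return sorted(set(trusted) - set(untrusted))


def detect(volume, kit, offline):
    """Run cross-view detection.  offline=False is the cheap first pass
    (API view vs raw read on the same host); offline=True is the
    pull-the-disk method (API view recorded on the host vs clean mount)."""
    api_view = enumerate_via_api(volume, kit)
    if offline:
        trusted = enumerate_offline(volume)
    else:
        trusted = enumerate_raw_on_host(volume, kit)
    return cross_view(api_view, trusted)


if __name__ == "__main__":
    for name, kit in (("user-mode kit", USER_MODE_KIT), ("kernel-mode kit", KERNEL_KIT)):
        print(f"{name}: live cross-view  -> {detect(VOLUME, kit, offline=False)}")
        print(f"{name}: offline analysis -> {detect(VOLUME, kit, offline=True)}")
```

The live pass (API view against the detector's own raw parse on the same host, the approach Sysinternals' RootkitRevealer took) catches the user-mode kit at no cost, which is the case for trying the easy method first. The kernel-mode kit filters both views and the diff comes back empty: a false negative that nothing running on that host can distinguish from a clean result, which is the case for not trusting the infected OS. Only the offline mount, where the kit's code never executes, separates the two.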

Re: Windows Vista and Rootkits by Imhotep

Imhotep
Sat Nov 05 12:50:32 CST 2005

Roger Abell [MVP] wrote:

> Vista will introduce some new technologies that assist in
> addressing the problem (which is currently existant in any
> OS BTW).

> However, until we see the fruits from the much
> more radical rearchitecting happening in the trusted computing
> initiative I doubt that we will see a final, total solution.

Trusted computing, in my opinion, will make things worse. I do not trust any
institution to tell me what "software" is safe or what I can install or not
install...after all, Sony's software would have undoubtedly been listed as
"safe". To make matters worse, would some of the 3rd party rootkit
analyzers (open source) have even worked? So called "Trusted Computing" is
nothing more than Microsoft's DRM...to protect their markets and not their
users' right of fair use.

"Trusted Computing" is nothing more than an attempt by big corporations to
control what software and from whom you will be able to install and use.
The ultimate goal will be to migrate to a "pay-per-use" system. Now with
"trusted computing" they (ie Microsoft and software companies) can now
enforce this marketing strategy...however, it is being marketed as a "huge
security advantage" to the masses. haha you are about to be suckered like
you have never been before...and it is going to be quite painful...

MS Zombie trolls need not reply.

Imhotep


> The situation is basically this. An OS has to keep track of
> things, and have access methods allowing it to use that
> tracking. So, as long as ways can be found to "work around"
> or maybe I should say "work through" those access methods
> for a set of critical tracked item types, then rootkitting systems
> is a possibility. If you see, it is sort of a chicken and egg issue.
> The system has to track. The only thing it has to track with is
> itself. So what it uses to track is right there, potentially
> preemptible.
> Let me just put it this way. This is a hard problem that has been
> around for decades. But, be assured, some of the best minds
> are trying to craft undefeatable resolutions.


Re: Windows Vista and Rootkits by S

S
Sat Nov 05 21:04:20 CST 2005


"Imhotep" <Imhotep@nospam.net> wrote in message
news:wrGdnQ_h-MZkY_HenZ2dnUVZ_tqdnZ2d@adelphia.com...

> Trusted computing, in my opinion will make things worse.

As in: we'll see more rootkits?

> "Trusted Computing" is nothing more than an attempt at big corporations to
> control what software and from whom you will be able to install and use.
> The ultimate goal will be to migrate to a "pay-per-use" system.

Nope. The user will always have choice of which operating system and what
software packages they would install. I'm not even sure that the new
technology will allow software companies to make sure their software is paid
for. Integrity of the code will be enforced, is all.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



Re: Windows Vista and Rootkits by Alun

Alun
Sat Nov 05 22:11:14 CST 2005

Imhotep wrote:
> Trusted computing, in my opinion, will make things worse. I do not trust
> any institution to tell me what "software" is safe or what I can install
> or not install...after all, Sony's software would have undoubtedly been
> listed as "safe". To make matters worse, would some of the 3rd party
> rootkit analyzers (open source) have even worked? So called "Trusted
> Computing" is nothing more than Microsoft's DRM...to protect their
> markets and not their users' right of fair use.

Okay, so you've spent a lot of time, apparently, reading the hysteria. Have
you read or listened to any of the technical presentations on what NGSCB
(Next-Generation Secure Computing Base, which is what you appear to be
talking about) is going to do? Not that I expect you to have done so, given
many of your previous comments. [Even about the Sony DRM thing, where we
happen to agree]

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.



Re: Windows Vista and Rootkits by Roger

Roger
Sun Nov 06 02:06:52 CST 2005

Perhaps we do not understand the same capability set
as what will be delivered as outcrop from the effort.

"Imhotep" <Imhotep@nospam.net> wrote in message
news:wrGdnQ_h-MZkY_HenZ2dnUVZ_tqdnZ2d@adelphia.com...
> Roger Abell [MVP] wrote:
>
>> Vista will introduce some new technologies that assist in
>> addressing the problem (which is currently existant in any
>> OS BTW).
>
>> However, until we see the fruits from the much
>> more radical rearchitecting happening in the trusted computing
>> initiative I doubt that we will see a final, total solution.
>
> Trusted computing, in my opinion, will make things worse. I do not trust
> any institution to tell me what "software" is safe or what I can install
> or not install...after all, Sony's software would have undoubtedly been
> listed as "safe". To make matters worse, would some of the 3rd party
> rootkit analyzers (open source) have even worked? So called "Trusted
> Computing" is nothing more than Microsoft's DRM...to protect their markets
> and not their users' right of fair use.
>
> "Trusted Computing" is nothing more than an attempt by big corporations to
> control what software and from whom you will be able to install and use.
> The ultimate goal will be to migrate to a "pay-per-use" system. Now with
> "trusted computing" they (ie Microsoft and software companies) can now
> enforce this marketing strategy...however, it is being marketed as a "huge
> security advantage" to the masses. haha you are about to be suckered like
> you have never been before...and it is going to be quite painful...
>
> MS Zombie trolls need not reply.
>
> Imhotep
>
>
>> The situation is basically this. An OS has to keep track of
>> things, and have access methods allowing it to use that
>> tracking. So, as long as ways can be found to "work around"
>> or maybe I should say "work through" those access methods
>> for a set of critical tracked item types, then rootkitting systems
>> is a possibility. If you see, it is sort of a chicken and egg issue.
>> The system has to track. The only thing it has to track with is
>> itself. So what it uses to track is right there, potentially
>> preemptible.
>> Let me just put it this way. This is a hard problem that has been
>> around for decades. But, be assured, some of the best minds
>> are trying to craft undefeatable resolutions.
>



Re: Windows Vista and Rootkits by Roger

Roger
Sun Nov 06 02:20:40 CST 2005

again, you show a slanted view of history here . . .
> Unfortunately, with the exception of Windows, these OSes do not require
> you to have local root privs to run software. Windows has brought some bad
> habits to the PC world, as well as most software companies, by writing
> software that expects you, the local user, to have admin privs.
The reality is that this is a legacy of IBM DOS, and other early
"personal" operating systems. Windows, in the non-NT, evolved
DOS family did nothing to change this. Windows in the NT line
however has with each release attempted to "push", albeit too
gently for me, the software industry (MS app divisions included)
into using a model that supports containment. Things are still not
there, but if you look you will see it has been a lot like how the
government deals with people. Take a little ground, wait, take
a little more, again wait, . . . With regrets, I much understand
how MS cannot dictate to the independent software industry
that they must write code that meets full containability needs as
to where it lives, where it persists state, where it writes temps,
what APIs it expects to be able to use, etc. - at least not all at
once and not without some sort of ground-swell of consumer
support to encourage the ISVs to comply. Doing so would be
seen as dictatorial, impeding the ISVs from marketing what they
have in hand and requiring expense on their part to be able to
run on the platform, etc.. All matter that lawyers could love.
The issue has not been what MS would like. It is what is in
any realistic way possible in moving ISVs from the old world
of DOS legacy personal OSs to real OSs. On the other hand,
MS has not made it so that you, I, or anyone else cannot make
our installs behave as we wish - provided we are happy not
running the poorly crafted software of these ISVs.


"Imhotep" <Imhotep@nospam.net> wrote in message
news:ssGdnZMDDNDIavHenZ2dnUVZ_smdnZ2d@adelphia.com...
> Sir Timbit wrote:
>
>> Hi all, I couldn't find a newsgroup specific to Vista listed, so I'm
>> posting here...
>>
>> Can anyone tell me if Vista will include any security features designed
>> to thwart rootkits, or are we still looking at third party software for
>> such malware? The news I've read about the rootkit software on certain
>> Sony music CDs (and how it's already been used to get past some online
>> game's cheat controls, etc.) caught my eye.
>>
>> I'm aware of the reduced user privs feature...Just hope it works right!
>>
>> Thanks,
>> Sir Tim
>
>
> There are things you CAN do to make it more difficult. First and foremost,
> and I do not care what anyone says, do NOT give yourself and other users
> local admin/root privs. Think of it like this: rootkits NEED privs to
> install themselves. If you do not have them, but are tricked into
> executing something, the rootkit install will fail (you do not have
> sufficient privs to install software)...this formula is the same for all
> OSes (Linux, BSD, UNIX, Apple and Windows).
>
> Unfortunately, with the exception of Windows, these OSes do not require
> you to have local root privs to run software. Windows has brought some bad
> habits to the PC world, as well as most software companies, by writing
> software that expects you, the local user, to have admin privs, thus
> making rootkits, spyware, trojans and general crapware very easy to
> install.
>
> Take the UNIX best practice approach: Remove ALL users from the root/admin
> group...
>
> Imhotep



Re: Windows Vista and Rootkits by S

S
Sun Nov 06 04:01:11 CST 2005

G'day:

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:O9N9Tsq4FHA.3976@TK2MSFTNGP15.phx.gbl...

> The reality is that this is a legacy of IBM DOS, and other early
> "personal" operating systems. Windows, in the non-NT, evolved
> DOS family did nothing to change this. Windows in the NT line
> however has with each release attempted to "push", albeit too
> gently for me, the software industry (MS app divisions included)
> into using a model that supports containment. Things are still not
> there, but if you look you will see it has been a lot like how the
> government deals with people. Take a little ground, wait, take
> a little more, again wait, . . . With regrets, I much understand
> how MS cannot dictate to the independent software industry
> that they must write code that meets full containability needs as
> to where it lives, where it persists state, where it writes temps,
> what APIs it expects to be able to use, etc. - at least not all at
> once and not without some sort of ground-swell of consumer
> support to encourage the ISVs to comply. Doing so would be
> seen as dictatorial, impeding the ISVs from marketing what they
> have in hand and requiring expense on their part to be able to
> run on the platform, etc.. All matter that lawyers could love.
> The issue has not been what MS would like. It is what is in
> any realistic way possible in moving ISVs from the old world
> of DOS legacy personal OSs to real OSs. On the other hand,
> MS has not made it so that you, I, or anyone else cannot make
> our installs behave as we wish - provided we are happy not
> running the poorly crafted software of these ISVs.


How very true.

Vendors still often ask for elevated privilege for their software without
providing good justification. The most recent example that I came across is
IBM WebSphere MQ on Windows. The same happens in the case of other operating
systems, often resulting in vulnerable installations. You will be amazed how
much some rely on security through obscurity.


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



Re: Windows Vista and Rootkits by Karl

Karl
Sun Nov 06 08:30:04 CST 2005


"Imhotep" <Imhotep@nospam.net> wrote in message
news:ssGdnZIDDNDDZfHenZ2dnUVZ_smdnZ2d@adelphia.com...

> Yup. The problem is this. If you want to detect the most sophisticated
> rootkit, you need to pull the disk and analyze it using another machine.
> Running any rootkit detector on an infected machine is quite dangerous
> because you can never be 100% sure that you are not infected.
>
> In short: pull the disk, mount the disk as a data disk. Then run a rootkit
> analyzer....

Well, note that that's necessary sometimes, not always. There is benefit in
trying the easiest method first, even if it isn't 100% reliable. Especially
when you're talking thousands of computers infected across a network,
pulling all the hard drives may not be affordable.




Re: Windows Vista and Rootkits by Alun

Alun
Sun Nov 06 17:19:28 CST 2005

S. Pidgorny <MVP> wrote:
> Vendors still often ask for elevated privilege for their software without
> providing good justification. The most recent example that I came across
> is IBM WebSphere MQ on Windows. The same happens in the case of other
> operating systems, often resulting in vulnerable installations. You will
> be amazed how much some rely on security through obscurity.

My favourite example is still Quickbooks. Why on earth should I need to be
an administrator, just so that I can add (and occasionally multiply) some
numbers? At one point, Intuit, the makers of Quickbooks, even asserted that
this was deliberate, that you'd want someone trustworthy running your
accounting software, and that this could only be achieved by requiring
administrator access.

Microsoft has been asking, since the mid-90s, in various white-papers, that
developers of 32-bit applications should limit the requirement for
administrator access to only those tools that really need it. Granted, some
of their own applications and tools don't follow that suggestion, but while
Microsoft has been steadily removing the administrator-only requirement from
their own software, third-party vendors are often far more stubborn.

Call up your favourite vendor today, and ask them when you can get a version
of their software that runs successfully under a restricted user account.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.



Re: Windows Vista and Rootkits by Mark

Mark
Mon Nov 07 00:42:52 CST 2005

"Alun Jones" <alun@texis.invalid> wrote in message
news:-OydnVaM7IEdEvPenZ2dnUVZ_sqdnZ2d@comcast.com...
> S. Pidgorny <MVP> wrote:
>> Vendors still often ask for elevated privilege for their software without
>> providing good justification. The most recent example that I came across
>> is IBM WebSphere MQ on Windows. The same happens in the case of other
>> operating systems, often resulting in vulnerable installations. You will
>> be amazed how much some rely on security through obscurity.

I thought the next Windows Server had disabled all unsigned kernel table
patching?

--
- Mark Randall
http://zetech.swehli.com

"Those people that think they know everything are a great annoyance to those
of us who do"
Isaac Asimov



Re: Windows Vista and Rootkits by Roger

Roger
Mon Nov 07 01:30:35 CST 2005

"Alun Jones" <alun@texis.invalid> wrote in message
news:-OydnVaM7IEdEvPenZ2dnUVZ_sqdnZ2d@comcast.com...
> S. Pidgorny <MVP> wrote:
>> Vendors still often ask elevated privilege for their software without
>> providing good justification.
> My favourite example is still Quickbooks. Why on earth should I need to
> be an administrator, just so that I can add (and occasionally multiply)
> some numbers? At one point, Intuit, the makers of Quickbooks, even
> asserted that this was deliberate, that you'd want someone trustworthy
> running your accounting software, and that this could only be achieved by
> requiring administrator access.
>

I have been aware of the Quickbooks dissatisfaction for years (going
on 5 now) and of the unmoving stance of Intuit, but I had missed that
explanation/claim - which is good as I may not have yet stopped laughing
!!!

--
ra



Re: Windows Vista and Rootkits by Alun

Alun
Mon Nov 07 13:55:24 CST 2005

Roger Abell [MVP] wrote:
> "Alun Jones" <alun@texis.invalid> wrote in message
> news:-OydnVaM7IEdEvPenZ2dnUVZ_sqdnZ2d@comcast.com...
>> S. Pidgorny <MVP> wrote:
>>> Vendors still often ask elevated privilege for their software without
>>> providing good justification.
>> My favourite example is still Quickbooks. Why on earth should I need to
>> be an administrator, just so that I can add (and occasionally multiply)
>> some numbers? At one point, Intuit, the makers of Quickbooks, even
>> asserted that this was deliberate, that you'd want someone trustworthy
>> running your accounting software, and that this could only be achieved by
>> requiring administrator access.
>>
>
> I have been aware of the Quickbooks dissatisfaction for years (going
> on 5 now) and of the unmoving stance of Intuit, but I had missed that
> explaination/claim - which is good as I may not have yet stopped laughing
> !!!

I kid you not - amusingly enough, it's a story they told to Microsoft
Research. Read the whole story at:

ftp://ftp.research.microsoft.com/pub/tr/TR-2005-15.doc

Oh, but on a second reading, I realise it's TurboTax, not QuickBooks, that
is being discussed.

"a publicly available transcript of a discussion with an Intuit customer
service representative suggests that requiring Admin privileges was a quick
fix solution to data privacy concerns. Because Admins already have complete
control of the system, leaking information about other users through the
application does not represent an increased exposure of private data if the
user viewing the information is already an Admin"

Lovely, yes?


Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.



Re: Windows Vista and Rootkits by Imhotep

Imhotep
Mon Nov 07 19:29:17 CST 2005

Roger Abell [MVP] wrote:

> Perhaps we do not understand the same capability set
> as what will be delivered as outcrop from the effort.
>
> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:wrGdnQ_h-MZkY_HenZ2dnUVZ_tqdnZ2d@adelphia.com...
>> Roger Abell [MVP] wrote:
>>
>>> Vista will introduce some new technologies that assist in
>>> addressing the problem (which is currently existant in any
>>> OS BTW).
>>
>>> However, until we see the fruits from the much
>>> more radical rearchitecting happening in the trusted computing
>>> initiative I doubt that we will see a final, total solution.
>>
>> Trusted computing, in my opinion, will make things worse. I do not trust
>> any institution to tell me what "software" is safe or what I can install
>> or not install...after all, Sony's software would have undoubtedly been
>> listed as "safe". To make matters worse, would some of the 3rd party
>> rootkit analyzers (open source) have even worked? So called "Trusted
>> Computing" is nothing more than Microsoft's DRM...to protect their
>> markets and not their users' right of fair use.
>>
>> "Trusted Computing" is nothing more than an attempt by big corporations
>> to control what software and from whom you will be able to install and
>> use. The ultimate goal will be to migrate to a "pay-per-use" system. Now
>> with "trusted computing" they (ie Microsoft and software companies) can
>> now enforce this marketing strategy...however, it is being marketed as a
>> "huge security advantage" to the masses. haha you are about to be
>> suckered like you have never been before...and it is going to be quite
>> painful...
>>
>> MS Zombie trolls need not reply.
>>
>> Imhotep
>>
>>
>>> The situation is basically this. An OS has to keep track of
>>> things, and have access methods allowing it to use that
>>> tracking. So, as long as ways can be found to "work around"
>>> or maybe I should say "work through" those access methods
>>> for a set of critical tracked item types, then rootkitting systems
>>> is a possibility. If you see, it is sort of a chicken and egg issue.
>>> The system has to track. The only thing it has to track with is
>>> itself. So what it uses to track is right there, potentially
>>> preemptible.
>>> Let me just put it this way. This is a hard problem that has been
>>> around for decades. But, be assured, some of the best minds
>>> are trying to craft undefeatable resolutions.
>>


I am sorry Roger, I have read your posts and you seem to be an intelligent
guy. However, we will have to agree to disagree on this. "Trusted
Computing" is a scam....my comments are above.

Imhotep

Re: Windows Vista and Rootkits by Imhotep

Imhotep
Mon Nov 07 19:31:36 CST 2005

S. Pidgorny wrote:

>
> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:wrGdnQ_h-MZkY_HenZ2dnUVZ_tqdnZ2d@adelphia.com...
>
>> Trusted computing, in my opinion will make things worse.
>
> As in: we'll see more rootkits?
>
>> "Trusted Computing" is nothing more than an attempt at big corporations
>> to control what software and from whom you will be able to install and
>> use. The ultimate goal will be to migrate to a "pay-per-use" system.
>
> Nope. The user will always have choice of which operating system and what
> software packages they would install. I'm not even sure that the new
> technology will allow software companies to make sure their software is
> paid for. Integrity of the code will be enforced, is all.
>
>

Who will choose what code is "valid"? Would Sony's rootkit code not be
included in the list? Ask yourself that.

Imhotep

Re: Windows Vista and Rootkits by Imhotep

Imhotep
Mon Nov 07 19:55:03 CST 2005

Alun Jones wrote:

> NGSCB
> (


...a half step away from Palladium. MS is using the same old technique of
"prodding the cattle" by small steps....nothing more.

Imhotep

Re: Windows Vista and Rootkits by S

S
Tue Nov 08 02:27:20 CST 2005

"Imhotep" <Imhotep@nospam.net> wrote in message
news:bumdnYcV9qVlYvLenZ2dnUVZ_vmdnZ2d@adelphia.com...
> S. Pidgorny wrote:
>

>> Nope. The user will always have choice of which operating system and what
>> software packages they would install. I'm not even sure that the new
>> technology will allow software companies to make sure their software is
>> paid for. Integrity of the code will be enforced, is all.
>>
>>
>
> Who will choose what code is "valid"? Would Sony's rootkit code not be
> included in the list? Ask yourself that.

Whoever has created the code will sign it. Then the user will approve the
installation by accepting code from that vendor, after which the code can
actually execute. New process and memory management techniques will prevent
in-memory process manipulation, and you can bind a particular binary to your
system by using cryptography implemented in hardware. Yes, you can run your
favourite open-source software. No, the Sony rootkit wouldn't install or run.

Linus Torvalds once gave a good perspective on DRM:

http://marc.theaimsgroup.com/?l=linux-kernel&m=105115686114064

So an NGSCB-compatible Linux kernel will be there (Novell and RedHat will
make sure). Universal DRM support in Linux and BSD will be there. NGSCB is
exactly about what we do with the digital signature in the software and
documents.

And you will always have an option not to use the TPM. In the end I suspect
it will be outlawed in communist countries, so you'll have choice of solution
providers.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
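The "bind a particular binary to your system by using cryptography implemented in hardware" step in Svyatoslav's post is what the TPM calls sealing: a secret is locked to a measured platform state and released only when the same state is present again. The block below is an added example written for this page; it is not code from the thread and it is not NGSCB's actual design. The TPM is a software stand-in with toy HMAC-based sealing so that it runs on the standard library alone, and the boot chains are constructed. What it shows is the part the hardware actually decides: not which code is "valid", only whether the state that booted is the state the owner sealed to.

```python
"""Measured boot and TPM-style sealing (constructed example for this thread).

Each boot component is measured into a PCR (pcr = H(pcr || H(component))),
and a secret sealed to the clean PCR value is released only when the same
value is produced again.  A rootkit driver or a patched kernel in the chain
changes the PCR, so the secret stays locked.  ToyTpm is a software stand-in
for the chip; real TPM sealing uses the chip's own keys and policies.
"""
import hashlib
import hmac
import os
from typing import Optional

PCR_SIZE = 32


def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)).  The register can only be
    extended, never set, so the final value commits to the whole chain and
    to the order in which it loaded."""
    return hashlib.sha256(pcr + measure(component)).digest()


def measure_chain(components) -> bytes:
    pcr = bytes(PCR_SIZE)
    for c in components:
        pcr = extend(pcr, c)
    return pcr


class SealError(Exception):
    """Platform state does not match the state the secret was sealed to."""


class ToyTpm:
    """Software stand-in for the hardware.  The root key never leaves the
    object; software can only ask it to seal or unseal against a PCR value."""

    def __init__(self, root_key: Optional[bytes] = None):
        self._root = root_key or os.urandom(32)

    def _policy_key(self, pcr: bytes) -> bytes:
        # Key derived from the chip's root key and the platform state.
        return hmac.new(self._root, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        """Bind a secret (at most 32 bytes) to the given PCR value."""
        if len(secret) > 32:
            raise ValueError("toy sealing handles at most 32 bytes")
        key = self._policy_key(pcr)
        pad = hmac.new(key, b"enc", hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(key, b"tag|" + ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob: bytes, pcr: bytes) -> bytes:
        """Release the secret only if the current PCR equals the sealed one."""
        ct, tag = blob[:-32], blob[-32:]
        key = self._policy_key(pcr)
        expected = hmac.new(key, b"tag|" + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise SealError("platform state does not match the sealed policy")
        pad = hmac.new(key, b"enc", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, pad))


# Constructed boot chains; each string stands for a measured image.
CLEAN_BOOT = [b"firmware", b"bootloader", b"kernel", b"drivers: disk, net"]
ROOTKIT_DRIVER_BOOT = [b"firmware", b"bootloader", b"kernel",
                       b"drivers: disk, net, $sys$drv"]
PATCHED_KERNEL_BOOT = [b"firmware", b"bootloader", b"kernel (SSDT patched)",
                       b"drivers: disk, net"]


def try_unseal(tpm: ToyTpm, blob: bytes, chain) -> Optional[bytes]:
    """Boot the given chain and attempt to unseal; None means the TPM refused."""
    try:
        return tpm.unseal(blob, measure_chain(chain))
    except SealError:
        return None


if __name__ == "__main__":
    tpm = ToyTpm()
    disk_key = os.urandom(16)
    blob = tpm.seal(disk_key, measure_chain(CLEAN_BOOT))
    for name, chain in (("clean", CLEAN_BOOT),
                        ("rootkit driver", ROOTKIT_DRIVER_BOOT),
                        ("patched kernel", PATCHED_KERNEL_BOOT)):
        got = try_unseal(tpm, blob, chain)
        print(f"{name:15s}: {'unsealed' if got == disk_key else 'refused'}")
```

On Imhotep's question, in this model a vendor driver the owner has accepted simply becomes part of the expected measurement the next time the secret is sealed; the chip never consults a list of approved vendors, and whether to accept a vendor's signature is a policy decision above it. What the chip does guarantee is that anything that enters the boot chain after sealing, such as a rootkit driver or a kernel patch, changes the PCR and keeps the secret locked until the owner re-seals. The check only covers state measured before the OS runs; a kit loaded later, or an in-memory patch, is outside what it sees.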




Re: Windows Vista and Rootkits by Imhotep

Imhotep
Tue Nov 08 23:16:04 CST 2005

Karl Levinson, mvp wrote:

>
> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:ssGdnZIDDNDDZfHenZ2dnUVZ_smdnZ2d@adelphia.com...
>
>> Yup. The problem is this. If you want to detect the most sophisticated
>> rootkit, you need to pull the disk and analyze it using another machine.
>> Running any rootkit detector on an infected machine is quite dangerous
>> because you can never be 100% sure that you are not infected.
>>
>> In short pull the disk, mount the disk as a data disk. Then run a rootkit
>> analyzer....
>
> Well, note that that's necessary sometimes, not always. There is benefit
> in trying the easiest method first, even if it isn't 100% reliable.
> Especially when you're talking thousands of computers infected across a
> network, pulling all the hard drives may not be affordable.

True. It is a costly adventure. However, when dealing with 'kits you can
*not* trust the OS at all. The only real way you can trust the scan is by
pulling the disk...if you don't you can never be sure that you are getting
accurate results....

Imhotep

Re: Windows Vista and Rootkits by Roger

Roger
Sat Nov 12 12:26:19 CST 2005


"Imhotep" <Imhotep@nospam.net> wrote in message
news:bumdnYQV9qXwYvLenZ2dnUVZ_vmdnZ2d@adelphia.com...
> Roger Abell [MVP] wrote:
>
>> Perhaps we do not understand the same capability set
>> as what will be delivered as outcrop from the effort.
>>
>> "Imhotep" <Imhotep@nospam.net> wrote >
> I am sorry Roger, I have read your posts and you seem to be an intelligent
> guy. However, we will have to agree to disagree on this. "Trusted
> Computing" is a scam....my comments are above.
>
I think we have both been around this industry long enough to
know that there is no perfect solution to most things. I would
prefer to see the big names investing in investigating ways to
provide for a guaranteed, trustable computing platform than
not. That the issue is outstanding as to who is trusting, and
who is trusted, and what limits the ability to do any trusting
or distrusting is a statement about our society, or rather of
its delegation of critical decisions to government, to industry,
to . . . than it is of the technical aspects of what is being
developed. Anyway, until we see the different flavors of this
as it eventually comes about we are just sending smoke signals.
--
ra



Re: Windows Vista and Rootkits by Karl

Karl
Sun Nov 13 00:06:56 CST 2005


"Imhotep" <Imhotep@nospam.net> wrote in message
news:bumdnYQV9qXwYvLenZ2dnUVZ_vmdnZ2d@adelphia.com...

> >> Trusted computing, in my opinion will make things worse. I do not trust
> >> any institution to tell me what "software" is safe or what I can install
> >> or not install.
> >> "Trusted Computing" is nothing more than an attempt by big corporations
> >> to control what software and from whom you will be able to install and
> >> use. The ultimate goal will be to migrate to a "pay-per-use" system.

I'm as distrustful of DRM as you. However:

Trusted computing, as you probably know, is not a Microsoft / Intel thing.
Linux etc. have the concept as well. Regardless of what one thinks about
DRM, it clearly is a lot more than just DRM. Trusted computing includes
encryption, execution prevention, etc., things that aren't exactly related
to DRM or software use fees. As the administrator of your home computer or
corporate network, trusted computing would give you the ability to control
what programs and malware try to run on your system, and potentially
control what other users and systems worldwide can do with the documents and
programs you make available to others.

Software companies already have the ability more or less to charge you per
use, most notably anti-virus companies that "lease" you their software on a
yearly basis, so DRM isn't really doing much in that regard but enforce the
existing EULAs you've already accepted. Being a near-monopoly, if Microsoft
wanted to raise its rates or change its software licensing model for Windows
and Office, it would have already done so.

http://en.wikipedia.org/wiki/Trusted_computing
http://en.wikipedia.org/wiki/NGSCB
http://en.wikipedia.org/wiki/Trusted_platform_module




Re: Windows Vista and Rootkits by S

S
Sun Nov 13 01:30:35 CST 2005

Hi Roger:

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OQ0xYa75FHA.1096@TK2MSFTNGP10.phx.gbl...
>
> I think we have both been around this industry long enough to
> know that there is no perfect solution to most things.

I wonder why you think Imhotep is an industry veteran like yourself. In my
experience those retranslating Slashdot to other forums, adding yet another
layer of anti-Microsoft and socialist rhetoric, are most often
lumpenproletariat without a real job, much experience, knowledge or even
aspiration to have those.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



Re: Windows Vista and Rootkits by Frank

Frank
Sun Nov 13 09:28:13 CST 2005

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:e6mfsQC6FHA.884@TK2MSFTNGP14.phx.gbl
> Hi Roger:
>
> I wonder why you think Imhotep is an industry veteran like yourself.
> In my experience those retranslating Slashdot to other forums, adding
> yet another layer of anti-Microsoft and socialist rhetoric, are most
> often lumpenproletariat without real job, much experience, knowledge
> or even aspiration to have those.

Yes.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/