Windows Secure Boot to abolish rootkits ...duh


Why did I not hear about this month old news from you security experts
when we had a rootkit discussion a few weeks ago? Rafter? Dave?
Because you did not know about it?  What else don't you not know?

RL

http://www.zdnet.com/blog/bott/why-do-linux-fanatics-want-to-make-windows-8-less-secure/4100?tag=nl.e539

Summary: Windows 8 isn't even in beta yet, and already the FUD is
flying fast and furious. A small group of activists are whipping up
controversy over the UEFI secure boot feature even as they admit the
feature is "valuable and worthwhile." Here's the real story.

The FUD is flying fast and furious over Windows 8, and the OS isn't
even in beta yet.

The Free Software Foundation (FSF) is organizing a petition-signing
campaign over Microsoft's announced support for the secure boot
feature in next-generation PCs that use Unified Extensible Firmware
Interface (UEFI) as a replacement for the conventional PC BIOS. My
ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to
sign the petition with a bit of deliberately inflammatory language,
calling it "UEFI caging."

The crux of their argument is that Microsoft is deliberately requiring
a change in next-generation hardware that will make it impossible to
wipe off a Windows installation and install Linux. They are wrong, and
their effort to whip up public fury is misguided at best and cynical
at worst.

Allow me to illustrate by turning the argument around in an equally
cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that
Microsoft disable a key security feature planned for Windows 8 so that
malware authors can continue to infect those PCs and drive their
owners to alternate operating systems.

Oh, wait. Now that I think about it, that's actually pretty close to
the truth.

Here's the reality. Malware authors are getting more creative and more
vicious. A rootkit that can infect key operating system files can hide
itself so thoroughly that it is virtually impossible to detect. The
TDL4 rootkit is probably the best known and most deadly of the bunch.
It can patch the Windows Boot Configuration Database, overwrite key
system modules, and disable driver signing requirements, just for
starters. It is a nightmare to clean up.

The secure boot feature pulls the rug out from under this rootkit and
everything like it. Those key boot files that the rootkit tampers with
are digitally signed. With Secure Boot enabled, any modification to
those files is detected at startup by the UEFI code-signing check, and
the system stops in its tracks. Rootkit foiled, user protected,
recovery possible.

Re: Windows Secure Boot to abolish rootkits ...duh

RayLopez99 wrote:


“There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are
some things we do not know. But there are also unknown unknowns – the
ones we don't know we don't know.”

—Former United States Secretary of Defense Donald Rumsfeld
--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan  (Colbert Report)



Re: Windows Secure Boot to abolish rootkits ...duh

On 25/11/2011 10:45 AM, G. Morgan wrote:


There are also unknown knowns: things we know, but don't realise we
know, because we misconstrue the problem. Happens a lot more often than
you might think. Mr Rumsfeld was a frequent victim of this type of
obliviousness.

Have a good day,
Wolf K.


Re: Windows Secure Boot to abolish rootkits ...duh



When you get a chance, read the memo "Rumsfeld Rules".  ;-)



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Windows Secure Boot to abolish rootkits ...duh

On Fri, 25 Nov 2011 11:50:23 -0500, "David H. Lipman"


Now my head hurts!

George.

Re: Windows Secure Boot to abolish rootkits ...duh

On 25/11/2011 11:55 AM, George wrote:

It's just a logic matrix:

               I Know     I Don't know
            +----------+--------------+
Known       |          |              |
            +----------+--------------+
Unknown     |    X     |              |
            +----------+--------------+

On the example, the X is a "known unknown": that is, I know there's
something I don't know, but (of course) I don't know what it is.  A lot
of "journalists" made fun of Rumsfeld's characterisation, because they
never took logic in high school. It was a unit in my senior English classes
for over 20 years. It's simple really, much simpler than finite algebra.
;-)

Wolf K.


Re: Windows Secure Boot to abolish rootkits ...duh



Well cretin if you really took a logic class you'd know that the
choice of what to put in your truth table when you have two negatives
is arbitrary.  Thus the classic Greek riddle: "All Cretians are liars;
I am a Cretian".  So is he lying or not?  Could be either one; depends
on how you set up your truth table, no pun intended.

RL

Re: Windows Secure Boot to abolish rootkits ...duh

RayLopez99 wrote:

There's not enough data to come to a logical conclusion.

If the statement "All Cretians are liars" is assumed to be true, it
doesn't necessarily mean that they *always* lie. The second statement
may or may not be a lie, but it is not affected by the first statement's
being taken as true in any event.

It's different if a cretian declares himself to be lying when he states
he is lying, and there's no truth-table for that recursive function.

Re: Windows Secure Boot to abolish rootkits ...duh

On 26/11/2011 7:34 PM, FromTheRafters wrote:

Oh, I see Ray took the time to answer my post. Pity he didn't spend some
time _before_ answering to make sure he understood what a logic matrix is.

Oh well, I guess he's happy rooting around under the straw.

Wolf K.

Re: Windows Secure Boot to abolish rootkits ...duh



A logic matrix is the same as a Truth Table, true or false?

Sooo-wee!  Enjoy your time in the mud.

RL

Re: Windows Secure Boot to abolish rootkits ...duh


Is UEFI BIOS really so reliable and secured once flashed? ;)

Re: Windows Secure Boot to abolish rootkits ...duh


We should respect people who wish to bet their lives on Window$, BUT, we
should also respect people who know how to dual-boot multiple operating
systems! There are programs that wanna be cross-platformed.

Anyway, it's just a disk. Swap it and everything should be fine. :)

Re: Windows Secure Boot to abolish rootkits ...duh

RayLopez99 wrote:

I don't know lots of things, but this wasn't one of them. It falls under
my mention of the TPM's other uses and the issues some people have with
those other uses.

Re: Windows Secure Boot to abolish rootkits ...duh


OK sounds reasonable albeit a bit CYA.  Any opinions on whether UEFI
is a good foil to rootkits welcome.  Let's assume that the door to the
user's computer is secured with a nice lock so a bad guy cannot
"flash" another BIOS onto the user's motherboard.

RL

Re: Windows Secure Boot to abolish rootkits ...duh

RayLopez99 wrote:

Be that as it may, my point then and now is that having measured
(hashed) the earliest code, you will need to have the data that you
compare it to, in storage that is accessible by the program doing the
comparing. You measure the code, compare the measurement to the stored
equivalent, and release a key to allow you to take the next step.

All this, even before you have access to disk.

Unfortunately, use of the TPM goes beyond that early boot axis integrity
checking aspect - extending into OS and "Application"
integrity/licensing DRM crap and possible tagging.
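The article's description of Secure Boot (firmware refuses to run a boot file whose signature check fails, and the machine stops) and FromTheRafters' description of measuring the earliest code, comparing the measurement to a stored value and releasing a key are two different mechanisms, and the thread tends to run them together. The Python below is an added illustration, not code from this thread, from Microsoft or from the UEFI specification: it models the UEFI authorized/forbidden databases (db/dbx) as raw image hashes only (real databases also hold X.509 certificates, which this model omits), collapses the TPM into one PCR register, and uses constructed byte strings for the boot images and the unlock key.

```python
import hashlib
import hmac

# Constructed sample boot images standing in for the signed files the article
# mentions (boot manager, OS loader). They are not real binaries.
GOOD_BOOTLOADER = b"bootmgfw.efi (constructed sample image)"
TAMPERED_BOOTLOADER = GOOD_BOOTLOADER + b" + bootkit patch (constructed)"
GOOD_OSLOADER = b"winload.efi (constructed sample image)"


def digest(data: bytes) -> bytes:
    """SHA-256 of one boot component."""
    return hashlib.sha256(data).digest()


# --- Secure Boot: an authorization policy the firmware enforces -----------
# Assumption: db/dbx entries are image hashes (the certificate form is omitted).
DB = {digest(GOOD_BOOTLOADER), digest(GOOD_OSLOADER)}   # authorized images
DBX = set()                                             # revoked images


def secure_boot_allows(image: bytes, db=DB, dbx=DBX) -> bool:
    """Firmware-side decision: a revoked hash loses even if it is also in db."""
    h = digest(image)
    if h in dbx:
        return False
    return h in db


# --- Measured boot: record what ran, then decide what to release ----------
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). Order-sensitive, one-way."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(images) -> bytes:
    """Extend a single (simplified) PCR with each component in boot order."""
    pcr = PCR_INIT
    for img in images:
        pcr = pcr_extend(pcr, digest(img))
    return pcr


# The stored comparison value FromTheRafters refers to: it must be reachable by
# the comparing code before any disk access, so it is embedded here.
EXPECTED_PCR = measure_chain([GOOD_BOOTLOADER, GOOD_OSLOADER])
SEALED_KEY = b"constructed-disk-unlock-key"   # constructed, not a real key


def release_key(actual_pcr: bytes):
    """Unseal the key only if the measurement matches; None otherwise."""
    if hmac.compare_digest(actual_pcr, EXPECTED_PCR):
        return SEALED_KEY
    return None


def simulate_boot(images, db=DB, dbx=DBX) -> dict:
    """Run both mechanisms over an ordered list of boot components."""
    for img in images:
        if not secure_boot_allows(img, db, dbx):
            # Verified boot halts at the first unauthorized image.
            return {"halted_at": img, "key": None}
    # Measured boot never halts: it only determines whether the key is released.
    return {"halted_at": None, "key": release_key(measure_chain(images))}


if __name__ == "__main__":
    print(simulate_boot([GOOD_BOOTLOADER, GOOD_OSLOADER]))
    print(simulate_boot([TAMPERED_BOOTLOADER, GOOD_OSLOADER]))
    # Revocation: an image that is still in db is blocked once its hash is in dbx.
    print(simulate_boot([GOOD_BOOTLOADER, GOOD_OSLOADER],
                        dbx={digest(GOOD_BOOTLOADER)}))
```

The two halves fail differently: the Secure Boot policy stops the boot at the first unauthorized image, which is the "system stops in its tracks" behaviour in the article, whereas the measured chain lets a modified loader run but produces a different PCR value, so the sealed key is simply never released. The same patched loader therefore trips both checks, and swapping the component order changes the PCR even when every component is individually authorized.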

Re: Windows Secure Boot to abolish rootkits ...duh


We have two alleged claims facing off.

http://arstechnica.com/business/news/2011/11/security-researcher-defeats-windows-8-secure-boot.ars

Given windows previous track record of security, plus the "technology"
used to "secure" a bootup procedure, I've got my bets placed on
Kleissner.  I'm not trying to be a negative nancy, but statistical
probability is clearly in his favor.

Re: Windows Secure Boot to abolish rootkits ...duh



Nope.  Thanks for the link, but you bought into the PR generated by
the cybercriminal Kleissner.

From the comments section... see below.

RL

...and of course the exploit depends on having physical access to the
machine, which makes it more of a sensationalist headline than
anything else. Physical access to the machine always means security is
compromised, regardless of how you go about doing it. The root
methodology for compromise has exactly NOTHING to do with Windows 8 or
secure boot, except for the fact that he's latching onto a PR storm in
a bottle and ratcheting up his name in the process. Ars has nicely
complied by using a sensationalist headline without further details to
make it seem more legit. Congrats.
