OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Dailydave] Blue Pill (abusing AMD's virtualization to write rootkits)

From: Dave Aitel (daveimmunityinc.com)
Date: Thu Jun 29 2006 - 03:41:01 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just got back from inhaling the sands of the Sahara desert for a bit
(mmm, gritty). I noticed that people are finally banging back at MS
for their weird "responsible disclosure is an industry standard"
fallacy. The only person Microsoft managed to convince of this was,
oddly enough, Jeniffer Granick. I have to assume that's because she's
tight with Chris Wysopal, who's now, I would imagine, at Veracode
chewing through VC funds. The terms in Microsoft advisories that HDM
rankled at always annoyed me too - largely because they were a
massively huge monopoly picking publicly on people who are, for the
most part, 15 years old independent researchers. It's unseemly and
unworthy of a company that wants to do business with the world as a
trusted partner to act that way. In a similar vein Thomas Ptacek wrote
on his company's weblog that "*Microsoft could buy a year of the
entire vulnerability research community for less than $80MM
<http://www.matasano.com/log/231/vulnerability-research-in-numbers/>,
even at premium rates.* That?s less than the cost of a mediocre
security startup."

In response, I can only think of one of Daniel Keys Moran's
conversations in "The Last Dancer" (roughly paraphrased here from memory):

Obodi: Who hires the best hackers?
Michelle: No one hires the best hackers.
Obodi: We hired you.
Michelle: I work for you because I believe in your cause. Otherwise
you couldn't _afford_ me.

This is one of the benefits of being non-VC funded. Immunity is quite
literally not for sale.

VM Based rootkits are hot right now. Joanna mentions a few things in
this article about her new VM-based rootkit. I know Dino is also
talking about similar things soon (at BlackHat)?

http://www.eweek.com/article2/0,1895,1983037,00.asp

I guess it's a permanent thing that a new operating system comes out
with new security features and people point out that those features
don't, in any sense of the word, work.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEo5IcB8JNm+PA+iURAq4vAKC5PRuFOsOCvOGMk6xQn+K2acE72QCg5+bP
g0FkrmW9oilP1l0X8QThgyY=
=nTX/
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave