Is a rootkit malware or not?

  • SVITAC
  • Legendary citizen
  • Joined: 28 Apr 2003
  • Posts: 5919
  • Location: Beograd

Before you continue reading... answer the question for yourself ;)


http://www.rootkit.com/newsread.php?newsid=504

Quote: Rootkits are under attack in the press and it’s very important for the rootkit community to stand up for their technology. A rootkit is no more malware than netcat, yet both will be flagged as such by a virus scanner. Rootkits, like netcat (netcat: a very useful network administrators tool), are just a software technology. It’s how technology is used that gives intention (btw, this is a very old old argument that predates the transistor). It is important for the rootkit community to discuss legitimate uses for rootkits, else we may face contrived legislation or otherwise bad marks that thwart continued open development.


Rootkits are about hiding data. There are legitimate reasons to hide data both personally and in the enterprise. Many people are implying that rootkits are inherently deceptive. Deceptive is a strong word, too strong. Deception is an intent, not a technology. A rootkit hiding data is no more deceptive than a software program using a packer to prevent static reverse engineering. Hiding one’s code in the packed binary is not deception, it’s protection. Hiding does not imply deception. More importantly, it does not imply maliciousness.

Rootkits would be unnecessary if the operating system already had reliable data hiding features. Current operating system security controls, such as the “hidden” property on a file, are easily defeated. Overall, the operating system does not supply the required architecture enabling us to hide data. And, moreover, we don’t trust the operating system to be secure. From a security perspective, the operating system has failed us time and again. As usual, we have to take measures of control based on security through obscurity (which, debatedly, is the most effective kind of security - supposedly secure non-obscure systems have been exploited ad nauseam).

Rootkits are largely security through obscurity. A rootkit is only as good as the secret tricks employed. One argument against rootkits has been that they can be turned against you. In some cases, if discovered, a rootkit can be used to hide an attacker’s malicious data. But this implies somehow that you aren’t able to detect your own obscurities being used against you. If you develop a rootkit for use in your enterprise, chances are very slim that an attacker could hijack your rootkit without being detected. And, most attackers would never do this anyway. Attackers will arrive with their own obscure tricks and their own rootkits.

Are rootkits dangerous to a system? Some people argue that rootkits may contain vulnerabilities that expose your system to attack. But, a rootkit is just software. All software exposes a system to exploitation, rootkit or not. There is nothing special about rootkit software that makes it more prone to vulnerabilities or a better target for software exploitation. A rootkit is just like any other application written in C/C++ using standard libraries and inherits the same software problems. Rootkits are no more dangerous to a system than any of the tens of thousands of printer drivers running at ring 0 and not signed by Microsoft.

Ethically, are rootkits just a bad idea? Technology aside, the ethical question is the one that gets people most emotional. Fortunately, the ethical question of workplace monitoring is muted. The fact is that a corporation can monitor any computer within the enterprise at any time for any reason. If a corporation wants to use rootkit technology to track insider threats, monitor employees, or control compartmented digital information, they have a right (and in some cases, even a duty) to do so.

The ethical question of DRM is much more hotly debated. I already wrote a statement about Sony’s use of DRM ( see http://www.rootkit.com/newsread.php?newsid=403 ) which garnered me many hate mails. But, after exploring this issue last year (after the Warden debacle) I discovered that the law is on the side of DRM. Rootkit technology has a place for software and data protection, and to implement DRM in software requires tamper-proofing, period. No tamper-proofing means no DRM.

The ethical question tends to orbit the idea of “user control”. Some people argue that because rootkits thwart user control, they are unethical. But there is a very simple answer to this: if a rootkit can be removed from a system (by authorized personnel) with no long lasting repercussion upon the system then user-control is maintained. Of course, the employee might not agree, but they are not the user in this case. The administrators of the network are the legitimate users and they never lose control.

In general, the ethical question about rootkits boils down to simple user-consent, contracts, and license agreements. If someone doesn’t want your rootkit with the rest of your software, then they don’t have to install your software. If they uninstall your software, uninstall ALL of your software, rootkit included – it’s a software package in totality. If an employee wants the job, they accept the contract. User consent is given in all these cases and the ethical question is moot.

In one ridiculous case in recent press, someone compared rootkits to network worms! How many times does it need to be said that rootkits are not viruses or worms? A self-propagating program pays no heed to license agreements, EULAs, or user-consent in any way. If you’re afraid of being cut by the knife, then don’t play in the kitchen. Rootkits are a powerful technology with many legitimate and sought-after applications for data security. Casting rootkits as malware is both naïve, and damaging to an otherwise healthy community of developers and scientists. The rootkit community contributes a wealth of information and capabilities for those of us who protect networks and data. Rootkits are as good as you want them to be.


-Greg Hoglund


