Windows Secure Boot to abolish rootkits ...duh

RayLopez99

Why did I not hear about this month old news from you security experts
when we had a rootkit discussion a few weeks ago? Rafter? Dave?
Because you did not know about it? What else don't you not know?

RL

http://www.zdnet.com/blog/bott/why-...o-make-windows-8-less-secure/4100?tag=nl.e539

Summary: Windows 8 isn’t even in beta yet, and already the FUD is
flying fast and furious. A small group of activists are whipping up
controversy over the UEFI secure boot feature even as they admit the
feature is “valuable and worthwhile.” Here’s the real story.

The FUD is flying fast and furious over Windows 8, and the OS isn’t
even in beta yet.

The Free Software Foundation (FSF) is organizing a petition-signing
campaign over Microsoft’s announced support for the secure boot
feature in next-generation PCs that use Unified Extensible Firmware
Interface (UEFI) as a replacement for the conventional PC BIOS. My
ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to
sign the petition with a bit of deliberately inflammatory language,
calling it “UEFI caging.”

The crux of their argument is that Microsoft is deliberately requiring
a change in next-generation hardware that will make it impossible to
wipe off a Windows installation and install Linux. They are wrong, and
their effort to whip up public fury is misguided at best and cynical
at worst.

Allow me to illustrate by turning the argument around in an equally
cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that
Microsoft disable a key security feature planned for Windows 8 so that
malware authors can continue to infect those PCs and drive their
owners to alternate operating systems.

Oh, wait. Now that I think about it, that’s actually pretty close to
the truth.

Here’s the reality. Malware authors are getting more creative and more
vicious. A rootkit that can infect key operating system files can hide
itself so thoroughly that it is virtually impossible to detect. The
TDL4 rootkit is probably the best known and most deadly of the bunch.
It can patch the Windows Boot Configuration Database, overwrite key
system modules, and disable driver signing requirements, just for
starters. It is a nightmare to clean up.

The secure boot feature pulls the rug out from under this rootkit and
everything like it. Those key boot files that the rootkit tampers with
are digitally signed. With Secure Boot enabled, any modification to
those files is detected at startup by the UEFI code-signing check, and
the system stops in its tracks. Rootkit foiled, user protected,
recovery possible.
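How the check in the quoted article's last paragraph plays out, as an added example that is not code from the article, from Microsoft or from any firmware. The boot images, the hash entries and the revocation below are constructed for the illustration, and the toy uses the hash-entry form of the UEFI `db` variable rather than Authenticode signatures so that it runs with only the Python standard library:

```python
"""Simulation of the UEFI Secure Boot allow/deny decision.

Added illustration, not code from the ZDNet article or from any firmware.
Image bytes, db/dbx contents and the revoked loader are all constructed.

A real UEFI implementation executes a boot-time PE image only if it carries
an Authenticode signature chaining to a certificate in 'db', or if its
SHA-256 appears as a hash entry in 'db', and rejects anything whose hash or
signer is listed in 'dbx' (the forbidden list).  Firmware checks the boot
manager, which then checks the OS loader the same way.  This toy keeps only
the hash-entry path.
"""
import hashlib


class SecureBootViolation(Exception):
    """Where real firmware halts with a 'Secure Boot Violation' screen."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the signed boot chain a bootkit patches.
CLEAN_BOOTMGR = b"bootmgfw.efi (constructed sample bytes, v1)"
CLEAN_WINLOAD = b"winload.efi  (constructed sample bytes, v1)"
OLD_WINLOAD = b"winload.efi  (constructed sample bytes, v0, later revoked)"

# Allow list and forbidden list as the firmware would hold them.  The old
# loader is still in db (it was once legitimately trusted) but has since
# been added to dbx, which is how a trusted-but-bad image gets blocked.
DB = {sha256_hex(CLEAN_BOOTMGR), sha256_hex(CLEAN_WINLOAD), sha256_hex(OLD_WINLOAD)}
DBX = {sha256_hex(OLD_WINLOAD)}


def verify_image(name: str, image: bytes, db=DB, dbx=DBX) -> str:
    """Return the image hash if it may execute, otherwise raise."""
    h = sha256_hex(image)
    if h in dbx:  # revocation is checked before the allow list
        raise SecureBootViolation(f"{name}: hash is on dbx (revoked)")
    if h not in db:
        raise SecureBootViolation(f"{name}: hash not in db, refusing to execute")
    return h


def boot(chain: list[tuple[str, bytes]]) -> list[str]:
    """Verify each stage in order; the first failure stops the boot."""
    return [verify_image(name, image) for name, image in chain]


def try_boot(chain: list[tuple[str, bytes]]) -> tuple[bool, object]:
    """(True, verified hashes) or (False, reason the firmware stopped)."""
    try:
        return True, boot(chain)
    except SecureBootViolation as exc:
        return False, str(exc)


def bootkit_patch(image: bytes) -> bytes:
    """Flip one bit of the last byte: the smallest change a bootkit could make."""
    return image[:-1] + bytes([image[-1] ^ 0x01])


CLEAN_CHAIN = [("bootmgfw.efi", CLEAN_BOOTMGR), ("winload.efi", CLEAN_WINLOAD)]
TAMPERED_CHAIN = [("bootmgfw.efi", CLEAN_BOOTMGR), ("winload.efi", bootkit_patch(CLEAN_WINLOAD))]
REVOKED_CHAIN = [("bootmgfw.efi", CLEAN_BOOTMGR), ("winload.efi", OLD_WINLOAD)]

if __name__ == "__main__":
    for label, chain in [("clean", CLEAN_CHAIN), ("tampered", TAMPERED_CHAIN), ("revoked", REVOKED_CHAIN)]:
        print(label, try_boot(chain))
```

Two practitioner points the toy makes visible: a single flipped bit anywhere in a checked image is enough to stop the boot, and revocation (`dbx`) is a separate list from trust (`db`), so a once-valid image can be blocked without re-signing everything else. What the check does not cover is the firmware doing the checking; that is the root of trust, and a question raised later in this thread.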
 

G. Morgan

RayLopez99 said:
What else don't you not know?

“There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say we know there are
some things we do not know. But there are also unknown unknowns – the
ones we don't know we don't know.”

—Former United States Secretary of Defense Donald Rumsfeld
--

"I don't like to discriminate against terrorists based on nationality.
If you declare war on the United States and you want to kill us,
We're going to kill you first, period."

October 19, 2011 - Ali Soufan (Colbert Report)
 

David H. Lipman

From: "Wolf K said:
There are also unknown knowns: things we know, but don't realise we know, because we
misconstrue the problem. Happens a lot more often than you might think. Mr Rumsfeld was
a frequent victim of this type of obliviousness.

When you get a chance, read the memo "Rumsfeld Rules". ;-)
 

Man-wai Chang

The Free Software Foundation (FSF) is organizing a petition-signing
campaign over Microsoft’s announced support for the secure boot
feature in next-generation PCs that use Unified Extensible Firmware
Interface (UEFI) as a replacement for the conventional PC BIOS. My
ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to
sign the petition with a bit of deliberately inflammatory language,
calling it “UEFI caging.”

Is UEFI BIOS really so reliable and secure once flashed? ;)
 

Man-wai Chang

The secure boot feature pulls the rug out from under this rootkit and
everything like it. Those key boot files that the rootkit tampers with
are digitally signed. With Secure Boot enabled, any modification to
those files is detected at startup by the UEFI code-signing check, and
the system stops in its tracks. Rootkit foiled, user protected,
recovery possible.

We should respect people who wish to bet their lives on Window$, BUT, we
should also respect people who know how to dual-boot multiple operating
systems! There are programs that wanna be cross-platformed.

Anyway, it's just a disk. Swap it and everything should be fine. :)
 

FromTheRafters

RayLopez99 said:
Why did I not hear about this month old news from you security experts
when we had a rootkit discussion a few weeks ago? Rafter? Dave?
Because you did not know about it? What else don't you not know?

I don't know lots of things, but this wasn't one of them. It falls under
my mention of the TPM's other uses and the issues some people have with
those other uses.
 

RayLopez99

On the example, the X is a "known unknown": that is, I know there's
something I don't know, but (of course) I don't know what it is.  A lot
of  "journalists" made fun of Rumsfeld's characterisation, because they
never took logic in high school. It was a unit in my senior English classes
for over 20 years. It's simple really, much simpler than finite algebra. ;-)

Wolf K.

Well cretin if you really took a logic class you'd know that the
choice of what to put in your truth table when you have two negatives
is arbitrary. Thus the classic Greek riddle: "All Cretians are liars;
I am a Cretian". So is he lying or not? Could be either one; depends
on how you set up your truth table, no pun intended.

RL
 

RayLopez99

I don't know lots of things, but this wasn't one of them. It falls under
my mention of the TPM's other uses and the issues some people have with
those other uses.

OK sounds reasonable albeit a bit CYA. Any opinions on whether UEFI
is a good foil to rootkits welcome. Let's assume that the door to the
user's computer is secured with a nice lock so a bad guy cannot
"flash" another BIOS onto the user's motherboard.

RL
 

FromTheRafters

RayLopez99 said:
Well cretin if you really took a logic class you'd know that the
choice of what to put in your truth table when you have two negatives
is arbitrary. Thus the classic Greek riddle: "All Cretians are liars;
I am a Cretian". So is he lying or not?

There's not enough data to come to a logical conclusion.

If the statement "All Cretians are liars" is assumed to be true, it
doesn't necessarily mean that they *always* lie. The second statement
may or may not be a lie, but it is not affected by the first statement's
being taken as true in any event.

It's different if a cretian declares himself to be lying when he states
he is lying, and there's no truth-table for that recursive function.
 

FromTheRafters

RayLopez99 said:
OK sounds reasonable albeit a bit CYA.

Be that as it may, my point then and now is that having measured
(hashed) the earliest code, you will need to have the data that you
compare it to, in storage that is accessible by the program doing the
comparing. You measure the code, compare the measurement to the stored
equivalent, and release a key to allow you to take the next step.

All this, even before you have access to disk.

Unfortunately, use of the TPM goes beyond that early boot axis integrity
checking aspect - extending into OS and "Application"
integrity/licensing DRM crap and possible tagging.
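The measure-compare-release sequence described in the post above, as an added example. It is not code from the thread and it does not talk to a real TPM; the boot component bytes and the "sealed" volume key are constructed here, and the PCR arithmetic is the standard extend rule, modelled in Python so it runs offline:

```python
"""Toy model of TPM measured boot: hash each early boot component into a
PCR, then release a key only if the accumulated measurement equals the
value recorded when the chain was known-good.

Added example, not code from the thread; no real TPM is involved.  The
components and the sealed key are constructed.

A real TPM zeroes its PCRs at power-on and only permits
    PCR = SHA-256(PCR || SHA-256(component))
so the final value depends on every component and on their order, and
cannot be set to a chosen value from software.  A blob sealed against a PCR
value is unsealed only when the live PCR matches, so the reference data
travels with the sealed object rather than living on a disk the early boot
code cannot yet read.
"""
import hashlib
import hmac
from typing import Optional

PCR_SIZE = 32


def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: the only write operation a PCR supports."""
    return hashlib.sha256(pcr + measure(component)).digest()


def measured_boot(components: list[bytes]) -> bytes:
    pcr = bytes(PCR_SIZE)  # zeroed at reset
    for c in components:
        pcr = extend(pcr, c)
    return pcr


class SealedKey:
    """A secret plus the PCR value it was sealed against (policy: PCR equality)."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self.expected_pcr = expected_pcr

    def unseal(self, live_pcr: bytes) -> Optional[bytes]:
        # constant-time comparison so the check itself leaks nothing about the PCR
        if not hmac.compare_digest(live_pcr, self.expected_pcr):
            return None
        return self._secret


# Constructed early boot components, in the order they run.
FIRMWARE = b"platform firmware image (constructed)"
BOOTMGR = b"bootmgfw.efi (constructed)"
OSLOADER = b"winload.efi (constructed)"
GOOD_CHAIN = [FIRMWARE, BOOTMGR, OSLOADER]

# Constructed volume key, sealed once while the chain was known-good.
VOLUME_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
SEALED = SealedKey(VOLUME_KEY, measured_boot(GOOD_CHAIN))


def attempt_unseal(components: list[bytes], sealed: SealedKey = SEALED) -> Optional[bytes]:
    """Measure the given chain and try to recover the key.

    Measured boot never stops the machine; a changed chain simply leaves the
    key sealed, which is what a disk-encryption loader turns into a recovery
    prompt instead of a normal boot."""
    return sealed.unseal(measured_boot(components))


def patched(component: bytes) -> bytes:
    return component + b"\x90"  # any change at all, here one appended byte


if __name__ == "__main__":
    print("good chain  ->", attempt_unseal(GOOD_CHAIN) is not None)
    print("patched mgr ->", attempt_unseal([FIRMWARE, patched(BOOTMGR), OSLOADER]) is not None)
    print("reordered   ->", attempt_unseal([BOOTMGR, FIRMWARE, OSLOADER]) is not None)
```

The contrast with Secure Boot is the point: Secure Boot refuses to run an unsigned or modified image, while measured boot runs whatever is there and only withholds the key, which is why the two are complementary and why the TPM is not needed for the signature check but is needed for the sealed-key step.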
 

idbeholda

Why did I not hear about this month old news from you security experts
when we had a rootkit discussion a few weeks ago? Rafter? Dave?
Because you did not know about it?  What else don't you not know?

RL

http://www.zdnet.com/blog/bott/why-do-linux-fanatics-want-to-make-win...

Summary: Windows 8 isn’t even in beta yet, and already the FUD is
flying fast and furious. A small group of activists are whipping up
controversy over the UEFI secure boot feature even as they admit the
feature is “valuable and worthwhile.” Here’s the real story.

The FUD is flying fast and furious over Windows 8, and the OS isn’t
even in beta yet.

The Free Software Foundation (FSF) is organizing a petition-signing
campaign over Microsoft’s announced support for the secure boot
feature in next-generation PCs that use Unified Extensible Firmware
Interface (UEFI) as a replacement for the conventional PC BIOS. My
ZDNet colleague Steven J. Vaughan-Nichols is urging his readers to
sign the petition with a bit of deliberately inflammatory language,
calling it “UEFI caging.”

The crux of their argument is that Microsoft is deliberately requiring
a change in next-generation hardware that will make it impossible to
wipe off a Windows installation and install Linux. They are wrong, and
their effort to whip up public fury is misguided at best and cynical
at worst.

Allow me to illustrate by turning the argument around in an equally
cynical way, with an equally inflammatory rhetorical flourish:

People who make their living in the Linux ecosystem are demanding that
Microsoft disable a key security feature planned for Windows 8 so that
malware authors can continue to infect those PCs and drive their
owners to alternate operating systems.

Oh, wait. Now that I think about it, that’s actually pretty close to
the truth.

Here’s the reality. Malware authors are getting more creative and more
vicious. A rootkit that can infect key operating system files can hide
itself so thoroughly that it is virtually impossible to detect. The
TDL4 rootkit is probably the best known and most deadly of the bunch.
It can patch the Windows Boot Configuration Database, overwrite key
system modules, and disable driver signing requirements, just for
starters. It is a nightmare to clean up.

The secure boot feature pulls the rug out from under this rootkit and
everything like it. Those key boot files that the rootkit tampers with
are digitally signed. With Secure Boot enabled, any modification to
those files is detected at startup by the UEFI code-signing check, and
the system stops in its tracks. Rootkit foiled, user protected,
recovery possible.

We have two alleged claims facing off.

http://arstechnica.com/business/news/2011/11/security-researcher-defeats-windows-8-secure-boot.ars

Given windows previous track record of security, plus the "technology"
used to "secure" a bootup procedure, I've got my bets placed on
Kleissner. I'm not trying to be a negative nancy, but statistical
probability is clearly in his favor.
 

RayLopez99

Oh, I see Ray took the time to answer my post. Pity he didn't spend some
time _before_ answering to make sure he understood what a logic matrix is.

Oh well, I guess he's happy rooting around under the straw.

Wolf K.

A logic matrix is the same as a Truth Table, true or false?

Sooo-wee! Enjoy your time in the mud.

RL
 

RayLopez99

http://arstechnica.com/business/news/2011/11/security-researcher-defe...

Given windows previous track record of security, plus the "technology"
used to "secure" a bootup procedure, I've got my bets placed on
Kleissner.  I'm not trying to be a negative nancy, but statistical
probability is clearly in his favor.

Nope. Thanks for the link, but you bought into the PR generated by
the cybercriminal Kleissner.

From the comments section... see below.

RL

..and of course the exploit depends on having physical access to the
machine, which makes it more of a sensationalist headline than
anything else. Physical access to the machine always means security is
compromised, regardless of how you go about doing it. The root
methodology for compromise has exactly NOTHING to do with Windows 8 or
secure boot, except for the fact that he's latching onto a PR storm in
a bottle and ratcheting up his name in the process. Ars has nicely
complied by using a sensationalist headline without further details to
make it seem more legit. Congrats.
 
