Website: http://www.matasano.com/log
Original page: http://www.matasano.com/log/897/joannas-shocking-confession-there-exists-some-amount-of-money-for-which-i-would-agree-to-see-bluepill-detected-by-lawson-ferrie-dai-zovi-and-ptacek/
Or is this a way for Matasano to make some advertisement? In all cases this is childlike and doesn't benefit the security field.
But the $384000 is an interesting thought. I guess it's true that rootkits (like 0days) only have a monetary value while not being unreleased. Once they are used at least once, chances are the victim or anyone in between got them for free.
So the real question might be: How do you sell something that loses so much value once you can no longer prove that you are the only one possessing it?
If you read the post of Joanna she said
'We believe that we would need about 6 months full-time work by 2 people to turn it into such a commercial grade creature that would win the contest described above. We're ready to do this, but we expect that *somebody* compensate us for the time spent on this work. We would expect an industry standard fee for this work, which we estimate to be $200 USD per hour per person.'
I read *somebody* not *you*. It could be Symantec, Kaspersky or Microsoft or any company interested... She just wants to compensate the time spent on developing the rootkit which is not "business work", and doesn't bring in money.
If you are really so sure to win I don't even see why you want to challenge. Otherwise her proposition seems fair because the time passed on the development is time lost for her business.
What is arrogant is the tune of the post, the title and the fact that you oppose "for free" with the sum she asked as if she was just greedy.
Not that I'm suggesting you'd have to compete with the earning potential of such unscrupulous business, since none of the parties involved are about to turn to that business model.
If Joanna should win such a challenge, then we'd be in the interesting situation of having a rootkit in the wild, complete with source, that is entirely undetectable by present techniques - which could put anyone following Holy Father's business model out of business rather quickly...
Just because she asked for money first doesn't make her request bad. You guys are perfectly within your rights to ask someone to pay you for your time too.
I don't see any cowardice, greed, or conspiracy theories here. She knows the work that needs to be done to meet/beat your challenge; she knows about how much time it will take; she's not willing to eat ramen noodles for 6 months just to show up your hubris.
What a surprise I got when I read your response. Do you feel you have to SHAME Joanna into doing this little project with you? Then why the snobbish attitude? You seemed like a pretty decent fellow over on /., I think if I were you, I would re-read my BLOG and tone it down just a bit.
Note that we don't ask for anything from her if we win. She's owed this challenge, because we're (loudly) asserting her approach to hiding rootkits won't work.
Joanna does not have to accept our challenge --- and, indeed, she does not appear to be planning on doing so --- but any assertions she makes about the quality of our work (at least vis a vis Blue Pill) do suffer from her unwillingness to back them up.
Joanna has never made Blue Pill available to arbitrary researchers of any stripe. Because our team has actually produced a hardware-virtualized rootkit of our own, and because we are admirers of Joanna's work, we of course take her at her word. But let's be clear: we're being far more open about our project than Joanna has been or plans to be about Blue Pill.
Both of you are obviously pretty fervent that you win the challenge...so, from your P.O.V.s, it'd be pretty good odds.
Just a thought.
Best, Hal
Anyhow, we already have two parties. One that supports Joanna and one that doesn't. This is okay, but the money is spoiling all the fun we were programmed to.
Joanna Rutkowska says she has an undetectable rootkit. Thomas and his team detecting another rootkit similar to blue pill would prove that their detector could detect rootkits, but it wouldn't test Joanna Rutkowska's claim that Blue Pill is an undetectable rootkit.
"I don’t think “blog” and “shame” are acronyms."
I thought they were synonyms.
Anyways looking forward to seeing how this one plays out.
Do you have anything to say about anti-aliasing? I'm really interested in what you have to say. Here's what John Gruber said about anti-aliasing several years ago: http://daringfireball.net/2003/03/antiantialiasing.
John Gruber has something in the neighborhood of 19 billion times more readers than I do, which likely puts the unit of measurement between his readership and yours into AU's. Did you know people --- normal people --- actually wear t-shirts with his blog logo on it? And that's, like, all he does! I'm pretty impressed.
So yeah, a bit tricky for me to figure out what you meant by "the Gruber of security blags". I thought you might have meant, "among the best ever". I liked your xkcd joke, though. I thought it was witty. And I think you're witty. Which is why I'm waiting for what you think about virtualized malware. Or anti-aliasing. Your call!
In her blog, JoANna has mentioned that the previous version of BluePill is owned by COSEINC. She has also implied that the previous version is far more mature than the current version. Ptacek: If Thomas Lim is willing, would you be willing to open up the challenge to the previous version of BluePill as well? This would also allow us to have a BluePill Bakeoff!!
It is interesting to me that people are attacking Ptacek, et al, for giving JoANna the opportunity to prove her claims. I didn't notice the same people complaining when JoANna was attacking the hardware acquisition researchers. She claimed in her blog, in her BlackHat presentation, and in the press that three different research groups were unwilling to give her access to their PCI card implementations. When she contacted these groups did she tell them that she was attempting to subvert their systems? Did she give them the opportunity to verify her claims in an unbiased evaluation?
If you are going to get up on stage and criticize others or make sensational claims, you better make sure that your shit don't stink! Researchers need to decide if they are willing to put up or shut up!
Other researchers outside of Matasano have seen Vitriol. You are also welcome to see it. We'd be willing to entertain requests from other researchers if there was something productive they wanted to do with it. We're unlikely to publish weaponized malware; these aren't vulnerabilities that people need to patch.
As to the specifics of the rules and structure, well, I'm just enjoying the show!
Closing the covert channels seems at a minimum very difficult, and may very well be impossible in a system where physical resources are shared. Ad hoc measures can probably be of value here
This came out as his conclusion of the attempt to address the theoretical impossibility of effective VM isolation due to covert channels that Butler Lampson pointed out in a short paper in Communications of the ACM in 1973.
JoANna: if you are reading this blog to see what is happening, why can't you arrange for the previous prod BluePill to be put to the test? At least people who paid for it would know that it was money well spent.
Many security decisions are tradeoffs made based on the state of the art. How long should my encryption keys be? How much do I need to worry about network security vs application security? How much effort should vendors put into detection of virtualized rootkits vs conventional ones? If Lawson, Ferrie, Dai Zovi and Ptacek are correct, then that last question has a fairly easy answer. If they just stand up there and make unsubstantiated claims, then we really don't know.
P.S. Lawson, Ferrie, Dai Zovi and Ptacek, please come up with a snappy name for your detector, so I don't have to copy-paste your names every time I want to refer to it. "kthxbai"
http://lists.immunitysec.com/pipermail/dailydave/2007-July/004446.html
Today at lunch:
1300 Singapore time
Title of Talk: Detecting BluePill
Speaker: Edgar Barbosa (COSEINC)
They posted the challenge. Joanna said it is a "funny" challenge. Ok why is it funny? Then she asks for money @ 200$/hr. Ok is that not greed? 350K is not greed? Ok maybe it isn't. But if she needs 350K to make her rootkit undetectable, then why the F she claimed it is undetectable right now. First make it undetectable and then claim.
She is good in communication and I would give her that. Due to her communication she sounds more genuine or less arrogant. But I don't think she is that genuine. If she was truly, she would accept the challenge and test it. If her rootkit is detectable then she should openly accept that bluepill is not invisible and come back when she makes it fully invisible.