Comments on The Invisible Things Lab's blog: We're ready for the Ptacek's challenge!

Anonymous, 2008-02-19 10:15 (+01:00):

«Each of them could be in a state 0 or 1 (i.e. infected or not).»

vs

«each machine as either being infected (1) or not (0).»

— inconsistency.

Niclas Lindgren, 2007-08-05 20:16 (+02:00):

Hello,

I know this is a late comment so it might not even be seen, but wouldn't it be fair also to have at least 2 of those machines (or a certain percentage of the runs if you just use one machine) sometimes run a normal VMM (legit), like VPC and VMWare (preferably a not so popular one as well, that you disclose on that day only)?

I don't know if Vista has the VMM bit enabled by default, I believe Windows 2003 R2 does, but you would still want another kind of hypervisor in there to add some challenge, no?

So that the detection tool not only has to detect a VMM, because that would likely not be a challenge especially if they provide controlled hardware, but really has to detect bluepill in particular.

Maybe I am missing something obvious and all this isn't really adding to the challenge, I usually do =)

I would also require 2 runs (of 5 machines) or 10 runs with one machine without a single false detection; 3% is still quite likely, people do win the lottery =)

Also, even though Thomas added that 1 or 5 machines doesn't matter, and given that he is the detector and not the cheater (thus assuming he is more honest), it might not matter. But if you want to cheat then having them networked and identical surely adds possibilities =)

Sure it doesn't have anything to do with the statistical validity, but it surely adds to the detector's available statistical/heuristic methods it can use =).

Especially if you control the hardware.

I am probably off base, but still that's my little nickel,
Niclas

[DevNull], 2007-07-10 16:52 (+02:00):

So... It's supposed to include this "BluePill detector" with the OS?

LocoDelAssembly, 2007-07-09 20:54 (+02:00):

Joanna, I also agree with the post above about the CPU usage and time constraints; it is really few, and if the detector searches for the blue pill on an on-demand basis I think the user shouldn't get disturbed, after all he/she requested the scanning, so say, 10 seconds shouldn't matter at all. I agree however if the scanning is active; in such case it shouldn't waste almost all the CPU time just for testing.

devnull, remember that it is supposed that you don't know beforehand that you are infected, so crashing the system to perform this task is not acceptable in any way (even if it crashes due to a vulnerability in blue pill, because there could be another non-malware driver with the same or similar buggy code).

Anonymous, 2007-07-05 16:16 (+02:00):

The requirement of not consuming 90% of CPU for more than 1 second because it would be disturbing to the user isn't consistent with the resource demands of any traditional anti-malware (or general applications for that matter). I think what you really mean is that it would be disturbing to bluepill ;-)

[DevNull], 2007-07-04 14:59 (+02:00):

Joanna,

I think that if I had a threat like that on my PC, I would not bother about my machine crashing sometimes in the whole checking process and using all the processor as long as the detection tool detects it. Fair price to pay for removing a bicho like that!

Regards.

Anonymous, 2007-07-03 19:19 (+02:00):

To be honest, even if they do detect it, the test environment is much friendlier than the real world. Thus their techniques must be based on something "solid" as opposed to timing and the like, because that will be worthless outside the lab and they might as well lose. I have spoken with a source who knows their stuff; this is the real deal. They have said that upon release of the source code it will almost certainly be the cause of significant security problems. Nice job on the *ware and thanks for the inspiration.

Anonymous, 2007-07-03 16:27 (+02:00):

Oh-oh-oh... Some specimens of womenfolk drive me mad. "Never tell never"...

Dear Joanna,

I understand that you need some money and reputation. Everybody needs that.
But remember that there exists some critical mass of crazy ideas, after which your image will be destroyed.

My suggestion to you: do smth. real instead of populism.

Best regards,
not your fan

Anonymous, 2007-07-02 08:24 (+02:00):

Well, Joanna, you empower conditions for the contest... But all your (and your team's, of course) additional requirements are "one-sided", don't you think?
For "fair play" I suggest establishing some prize for Ptacek's team in case of successful detection of "blue pill" (they also will do some work, won't they?).
Are you ready for a fair contest with equivalent requirements and benefits, Joanna?

Anonymous, 2007-06-30 22:04 (+02:00):

This is neo.

Dear Joanna, stay strong, I believe you.

You will be the winner because you try to be the best and nothing more!

The Reason You Exist

Thomas Ptacek, 2007-06-30 17:24 (+02:00):

We're not comparing between the two machines. If Joanna wants to use 1 machine, that's fine. If she wants to use 5, that's fine. The number of machines in the challenge needn't have anything to do with its statistical validity.

Anonymous, 2007-06-30 13:20 (+02:00):

Well KTMM, sounds like they have a detector that they think will work against a rootkit which Joanna has previously said was 100% undetectable. They're enjoying the fact that this is no longer being claimed, for sure, but this industry isn't known for polite handshakes and pleasantly amicable discussions over cups of tea.

In other news, developers in Poland get paid a lot of money.

Anonymous, 2007-06-29 23:20 (+02:00):

Joanna, I suggest you demand fewer, not more, systems. If they are so confident that they can detect the presence of the rootkit, let them do so in a vacuum. That is, only one machine will be used. At the beginning of the contest, you flip a coin: heads, install rootkit; tails, drink coffee for an hour. At the end of the hour, they run their code and declare the machine infected or rootkit free.
My reasoning is this: very few people in the "real world" have access to two identical systems during a rootkit infection crisis to compare behavior. If they insist on more than one system, then make certain that they have *different* processors, *varying* memory speeds, *varying* disk drives, so that no system-to-system comparisons can be reasonably made.

Anonymous, 2007-06-29 11:29 (+02:00):

The reactions on the side of Matasano Chargen are pathetic (http://www.matasano.com/log/897/joannas-shocking-confession-there-exists-some-amount-of-money-for-which-i-would-agree-to-see-bluepill-detected-by-lawson-ferrie-dai-zovi-and-ptacek/).

It's like they are trying to get promotion on your name. We don't all feel like in a movie, we all feel like in a stupid tabloid.

Keep the good vibes.

Joanna Rutkowska, 2007-06-29 00:12 (+02:00):

From what I know the Black Hat Vegas 2007 doesn't mark the end of the world, so I don't see any problem with having this done at some other conference (maybe even BH) in 2008...

Anyway, thank you for clearing this up -- now we all feel like in a good Hollywood movie ;)

Jordan, 2007-06-29 00:06 (+02:00):

So Joanna, if you think it'll take 12 man (or woman) months to get to the point of winning such a contest, is it safe to say you don't think it's going to happen? I suppose definitely not in time for BH.

Joanna Rutkowska, 2007-06-28 22:58 (+02:00):

Nothing has changed on our end -- we're still ready for the challenge! We would love to take part, actually.

Anonymous, 2007-06-28 21:06 (+02:00):

Nate has responded to your conditions, lady; the world awaits with bated breath to see what happens next. You can see his post at:

http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/

Unknown, 2007-06-28 20:54 (+02:00):

I've posted my response here: http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/. Let's try to make this happen.