Joanna’s Shocking Confession: There Exists Some Amount Of Money For Which I Would Agree To See BluePill Detected By Lawson, Ferrie, Dai Zovi and Ptacek.
Joanna will accept our challenge, provided that:
We provide her with 5 laptops, to make a random guess only about 3% (1 in 32) likely to win the bet.
Our tests don’t crash or halt the machine.
Our tests don’t peg the CPU for more than 1 second.
We open-source our tools (and she’ll open-source her rootkit).
We arrange to have her paid $384,000.
Our response:
Sure.
Wokay.
Irie! (hat tip: Ryan Naraine)
Yept.
Why would we pay you $384,000 to buy a rootkit we already know we can detect?
Here’s what’s going to happen:
We’re going to get up on stage
for free
at Black Hat
for free
and explain how our detection techniques work
for free
and show our code
for free
whether or not you accept our challenge.
and
If, by some stroke of luck, you manage to get Blue Pill 2.x to the point where you’re confident it actually works…
our challenge stands.
You don’t even have to pay us for it!
[Update: 7/5]
Dave Aitel, regarding SysCan ‘07:
Today at lunch:
1300 Singapore time
Title of Talk: Detecting BluePill
Speaker: Edgar Barbosa (COSEINC)
45 Comments so far
Why be so arrogant? Thanks to Rutkowska’s work you have been able to achieve your research. She doesn’t want you to pay her for the development but more for the time lost to develop. Which is rather different imho.
Or is this a way for Matasano to make some advertisement? In all cases this is childlike and doesn’t benefit the security field.
Getting up on stage for free at Black Hat? What happened to speaker honorariums?
But the $384000 is an interesting thought. I guess it’s true that rootkits (like 0days) only have a monetary value while they remain unreleased. Once they are used at least once, chances are the victim or anyone in between got them for free.
So the real question might be: How do you sell something that loses so much value once you can no longer prove that you are the only one possessing it?
FX: That’s a good point. But our slide deck and stuff will be available online for free. I suppose if you wanted to hold us to it, we’d webcast a second talk. For free!
Kttmm: I’m not sure what not wanting to pay $384,000 to another security company has to do with being arrogant. We just wanted to pit our detection techniques against her rootkit.
You said ‘Why would we pay you $384,000 to buy a rootkit we already know we can detect?’.
If you read the post of Joanna she said
‘We believe that we would need about 6 months full-time work by 2 people to turn it into such a commercial grade creature that would win the contest described above. We’re ready to do this, but we expect that *somebody* compensate us for the time spent on this work. We would expect an industry standard fee for this work, which we estimate to be $200 USD per hour per person.’
I read *somebody* not *you*. It could be Symantec, Kaspersky or Microsoft or any company interested… She just wants to compensate the time spent on developing the rootkit which is not “business work”, and doesn’t bring in money.
If you are really so sure to win I don’t even see why you want to challenge. Otherwise her proposition seems fair because the time spent on the development is time lost for her business.
What is arrogant is the tone of the post, the title and the fact that you oppose “for free” with the sum she asked as if she was just greedy.
How strange that her work on BluePill should be compensated at “her standard bill rate”, but ours should be pro bono. I have an alternative suggestion: we’ll do our detection work for free, and she’ll do hers for free. We’ll take a leap of faith and do our detection work for free without waiting for her to confirm.
By the way, my read on “untenably large amount of money” as a condition for the challenge isn’t “greed”. It’s something else.
An idle calculation: to earn 416,000 USD (approx 307,500 EUR right now), Holy Father would have had to sell only about 615 licenses (@ 500 EUR/license) for Hacker Defender - an eminently detectable rootkit by today’s standards.
Not that I’m suggesting you’d have to compete with the earning potential of such unscrupulous business, since none of the parties involved are about to turn to that business model.
If Joanna should win such a challenge, then we’d be in the interesting situation of having a rootkit in the wild, complete with source, that is entirely undetectable by present techniques - which could put anyone following Holy Father’s business model out of business rather quickly…
I like the cash demand, it makes it look like she accepted your challenge all while never having to show the goods. If bluepill is undetectable (as she claimed) you would never need to make a new version for the challenge… she is admitting that she was “overstating” its capabilities.
Hmm.. I think Kttmm has this pegged rather well. If I received a challenge like that (assuming I have anywhere near Joanna’s skill, which I don’t) asking me to “prove a negative” as it were, and I knew it would take a significant time to complete it to my satisfaction, I’d ask for money too.
Just because she asked for money first doesn’t make her request bad. You guys are perfectly within your rights to ask someone to pay you for your time too.
I don’t see any cowardice, greed, or conspiracy theories here. She knows the work that needs to be done to meet/beat your challenge; she knows about how much time it will take; she’s not willing to eat ramen noodles for 6 months just to show up your hubris.
Just one quick point. I came to your BLOG after reading your response on /. I thought I would like to check out your response, since you made such an elegant and mature comment on /.
What a surprise I got when I read your response. Do you feel you have to SHAME Joanna into doing this little project with you? Then why the snobbish attitude? You seemed like a pretty decent fellow over on /., I think if I were you, I would re-read my BLOG and tone it down just a bit.
Bob, thank you, but I don’t think “blog” and “shame” are acronyms.
“romandas”, this doesn’t seem complicated to me. She has a rootkit, which she has made claims about. We have a detection tool. We claim that our detection tool will detect her rootkit. It would be asinine for us to make that claim without offering her a chance to disprove it. She has that chance now.
Note that we don’t ask for anything from her if we win. She’s owed this challenge, because we’re (loudly) asserting her approach to hiding rootkits won’t work.
Kttmm: we’re going to get up on stage and claim that our research will detect Blue Pill now and will detect Blue Pill 6 months from now. If we didn’t offer Joanna a chance to argue that claim, we’d be unfair. Joanna is being offered full access to our detection work in order to verify it.
Joanna does not have to accept our challenge — and, indeed, she does not appear to be planning on doing so — but any assertions she makes about the quality of our work (at least vis a vis Blue Pill) do suffer from her unwillingness to back them up.
Joanna has never made Blue Pill available to arbitrary researchers of any stripe. Because our team has actually produced a hardware-virtualized rootkit of our own, and because we are admirers of Joanna’s work, we of course take her at her word. But let’s be clear: we’re being far more open about our project than Joanna has been or plans to be about Blue Pill.
This might sound old fashioned…but why not just turn this into a wager instead of a prepaid job? Winner takes all.
Both of you are obviously pretty fervent that you win the challenge…so, from your P.O.V.s, it’d be pretty good odds.
Just a thought.
Because a wager would give Joanna something to lose. We just want to know whether we’re right about being able to detect virtualized rootkits; the “you keep the hardware” part of the challenge is just us being playful.
Thomas, really looking forward to it. Is there any idea of talking about subversion of trusted computing modules vis-a-vis virtual rootkits? Basically, shimming the app layer, simulating talking to a TPM, to fake it out (go above, not below).
Best, Hal
So it’s just because you want to be proven correct (sort of a childish but base human desire) or in your words “we just want to know whether we’re right”. If you are so adamant that your code will detect Blue Pill-esque rootkits why do you need whats-her-face to show blue pill just use whatever rootkit you tested your code on (which we can infer from your statements must be similar to Blue Pill) for the Black Hat presentation. Tit.
In the last days, I keep reading all the stuff about this “challenge”, and as far as I can see all this lost the main scope. It had started as a “let’s prove our concepts”, and at the end, Joanna raised the stake unfairly when she asked for the money. In my opinion, if she wants some money, it would be more fair to say “I give you 416.000 USD if you detect the “viagra”, if not, you give me 416.000 USD.”
Anyhow, we already have two parties. One that supports Joanna and one that doesn’t. This is okay, but the money is spoiling all the fun we were programmed for.
Knuth, can you explain to me why you don’t want to know if Blue Pill is detectable?
Knuth:
Joanna Rutkowska says she has an undetectable rootkit. Thomas and his team detecting another rootkit similar to blue pill would prove that their detector could detect rootkits, but it wouldn’t test Joanna Rutkowska’s claim that Blue Pill is an undetectable rootkit.
Ptacek == the Gruber of security blags
Is that an insult or a compliment?
(Because you know the best insults — or compliments — always leave you wondering)
I think a lot of people are mistaking their playfulness for hubris.
TP,
“I don’t think “blog” and “shame” are acronyms.”
I thought they were synonyms.
Anyways looking forward to seeing how this one plays out.
It’s totally an insult, but you, of all people, would take it as a compliment.
h0nk, do you have anything at all to say about virtualized malware? I’m really interested in what you have to say. Here’s what I said, several months ago: http://www.matasano.com/log/680/detecting-virtualized-rootkits/.
Do you have anything to say about anti-aliasing? I’m really interested in what you have to say. Here’s what John Gruber said about anti-aliasing several years ago: http://daringfireball.net/2003/03/antiantialiasing.
John Gruber has something in the neighborhood of 19 billion times more readers than I do, which likely puts the unit of measurement between his readership and yours into AU’s. Did you know people — normal people — actually wear t-shirts with his blog logo on it? And that’s, like, all he does! I’m pretty impressed.
So yeah, a bit tricky for me to figure out what you meant by “the Gruber of security blags”. I thought you might have meant, “among the best ever”. I liked your xkcd joke, though. I thought it was witty. And I think you’re witty. Which is why I’m waiting for what you think about virtualized malware. Or anti-aliasing. Your call!
Ptacek you’re coward!!!
I personally appreciate the work Ptacek, et al, are doing. I actually think this type of challenge is extremely beneficial to the security community. There has been a growing trend among security conferences to allow a small group of security researchers to make sensational claims without releasing the code to back up those claims. As a result, people are simply left speculating. This same group of researchers are constantly seeking the press attention but are unwilling to accept the responsibility for their actions or their words.
In her blog, JoANna has mentioned that the previous version of BluePill is owned by COSEINC. She has also implied that the previous version is far more mature than the current version. Ptacek: If Thomas Lim is willing, would you be willing to open up the challenge to the previous version of BluePill as well? This would also allow us to have a BluePill Bakeoff!!
It is interesting to me that people are attacking Ptacek, et al, for giving JoANna the opportunity to prove her claims. I didn’t notice the same people complaining when JoANna was attacking the hardware acquisition researchers. She claimed in her blog, in her BlackHat presentation, and in the press that three different research groups were unwilling to give her access to their PCI card implementations. When she contacted these groups did she tell them that she was attempting to subvirt their systems? Did she give them the opportunity to verify her claims in an unbiased evaluation?
If you are going to get up on stage and criticize others or make sensational claims, you better make sure that your shit don’t stink! Researchers need to decide if they are willing to put up or shut up!
what up with the marketing circus? can’t you both just do your presentations in a way that lets the audience derive their own conclusions instead of trying to spoon feed those covering the event in a media-whoring frenzy? what’s next? the month of the ridiculously useless security challenges? Blah, I miss the Scriptors of Doom but I never thought I would miss the cDc “shows”
Ivan: come on. Explain to me how we give a talk about how well we can detect Blue Pill if Joanna won’t make Blue Pill available to researchers.
I could throw some hypothesis but I’d rather wait for the show. What I criticize is the whole “challenge” charade tho. it is just tech media (and blog) fodder, whether you detect Bluepill or not (either current or the uber-developed one) would not *prove* anything. Or maybe you’re all just having fun…
ohh btw, i haven’t seen Vitriol’s code either… where is it?
We haven’t made any claims about Vitriol; in fact, in the very first talk we gave about it, we allocated a good chunk of the talk to how we COULD detect it.
Other researchers outside of Matasano have seen Vitriol. You are also welcome to see it. We’d be willing to entertain requests from other researchers if there was something productive they wanted to do with it. We’re unlikely to publish weaponized malware; these aren’t vulnerabilities that people need to patch.
you said weaponized! aha! frankly i have nothing productive to do with either Vitriol or BluePill so I’ll admit my previous blog comment was purely rhetorical but I still fail to see why anybody (except maybe you and Joanna) should care about the proposed challenge
People should care about the proposed challenge because it’s a data point in the rootkit vs rootkit detection space. This is, you know, important, so that people can properly allocate resources.
As to the specifics of the rules and structure, well, I’m just enjoying the show!
@Jeremiah: Agreed, hopefully the presentations will indeed be good data points for some analysis but the challenge itself is not. Incidentally, here’s what Steven Lipner said back in 1975 with regards to the “VM confinement problem” in the context of Bell-LaPadula’s model:
Closing the covert channels seems at a minimum very difficult, and may very well be impossible in a system where physical resources are shared. Ad hoc measures can probably be of value here
This came out as his conclusion of the attempt to address the theoretical impossibility of effective VM isolation due to covert channels that Butler Lampson pointed out in a short paper in Communications of the ACM in 1973.
Why can’t you just run the detection on the older BluePill which JoANna claims to be better than the present dev version?
JoANna: if you are reading this blog to see what is happening, why can’t you arrange for the previous prod BluePill to be put to the test? At least people who paid for it would know that it was money well spent.
@ivan: I don’t see how the competition could have no value. We have here what are claimed to be two best-of-breed VM rootkit systems, one rootkit, and one detector. But we don’t actually get to see either of them (unless Ferrie, Dai Zovi and Ptacek release theirs, but I’m under the impression that BluePill won’t be released). So, we’ve got approaches and high-level overviews, but we don’t actually get to see how they stack up.
Many security decisions are tradeoffs made based on the state of the art. How long should my encryption keys be? How much do I need to worry about network security vs application security? How much effort should vendors put into detection of virtualized rootkits vs conventional ones? If Lawson, Ferrie, Dai Zovi and Ptacek are correct, then that last question has a fairly easy answer. If they just stand up there and make unsubstantiated claims, then we really don’t know.
P.S. Lawson, Ferrie, Dai Zovi and Ptacek, please come up with a snappy name for your detector, so I don’t have to copy-paste your names every time I want to refer to it. “kthxbai”
I call “Ruby Slippers”.
From Daily Dave:
http://lists.immunitysec.com/pipermail/dailydave/2007-July/004446.html
Oops, I should have added:
Today at lunch:
1300 Singapore time
Title of Talk: Detecting BluePill
Speaker: Edgar Barbosa (COSEINC)
who the fuck makes $200 an hour
Joanna made a claim so loud that Blue Pill is invisible. This has gained her reputation and money. Now come Thomas and gang; they found that they can detect any hardware virtualization.
They posted the challenge. Joanna said it is a “funny” challenge. Ok, why is it funny? Then she asks for money @ 200$/hr. Ok, is that not greed? 350K is not greed? Ok, maybe it isn’t. But if she needs 350K to make her rootkit undetectable, then why the F did she claim it is undetectable right now? First make it undetectable and then claim.
She is good at communication and I would give her that. Due to her communication she sounds more genuine or less arrogant. But I don’t think she is that genuine. If she truly were, she would accept the challenge and test it. If her rootkit is detectable then she should openly accept that bluepill is not invisible and come back when she makes it fully invisible.