The whole, well-documented Sony DRM (rootkit) fiasco motivated me to better understand rootkits; so, I picked up Rootkits: Subverting the Windows Kernel. As defined by authors Greg Hoglund and James Butler: “A rootkit is a set of programs and code that allows a permanent and undetectable presence on a computer.” In and of themselves, rootkits are not inherently bad; they are just technology. It’s their use that can be questionable, illegal or legitimate.

Sony’s Thomas Hesse is quoted in InformationWeek as saying: “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Rootkits gives you clear answers and should reinforce in your mind how disingenuous this attempted downplay by Sony really is.

Reading this text reminded me of a previous job where I had to write an NDIS/TDI packet driver for a previous generation of IPTV and video on demand (VOD) set-top boxes. Seeing IRPs, IOCTLs, Blue Screens of Death and the details of user-mode and kernel-mode development reminded me of learning device driver development under Jamie Hanrahan and leveraging the resources of OSR.

Here are some more of the impressions this read produced in me:

  • Rootkits can easily be seen as a book of special-category patterns. Its build-from-the-bottom-up approach is effective in this regard (i.e., composing more complex patterns from smaller, simpler ones).
  • Where type safety and scripting languages are concerned, ease of use applies generally (i.e., ease of malicious use as well as ease of expected, legitimate use). So, when adding scripting support to software, be careful that a backdoor is not created at the same time.
  • “Hiding in plain sight” techniques like steganography deserve better understanding.
  • Perhaps stating the obvious: “As long as there are people, people will want to spy on other people. This means that rootkits will always have a place in our technology. Backdoor programs and technology subversions are timeless!”
  • Perhaps stating the obvious again: Ring Zero (kernel-mode) rootkit privileges > Ring Three (user-mode) administrative program privileges.
  • With knowledge comes power, and with power comes responsibility. The greater the power, the greater the responsibility, both for the author and for the consumer.
  • Accepting responsibility means staying ever vigilant, never relaxing and constantly evolving. There is a healthy paranoia where security preparedness is concerned.
  • Clearly, the power of observation and correlation applies when studying rootkits.

In closing, the following quote from Rootkits causes me to think, in an inverse line of thought, about ECM, content analytics and consequential/healthy information re-architecture: “The best way to counter forensics is with stealth: If no attack is suspected, then no forensics are likely to be applied to the system.” Once you have content under management, how do you know anything more about that content (e.g., its value, its accessibility, its currency, its half-life, etc.)?