
Natsios Young Architects


23 October 2010


CLSID Shitlist Series Beyond - Response

A sends:

Re: http://cryptome.org/0002/clsid-beyond.htm

I just read that article and I'm forced to note that it is a bit misleading. The author pretends that, by taking snapshots, one can return the system into a preliminary state under which we can assure some "innocence" on its part. That's not correct. First, because nearly all systems have hooks/calls established a priori which can be used to put things back in place. Second, most systems are inherently vulnerable at their "installed from fresh" phase, and this becomes more critical the older the systems become. 

I have met several cases where attacks were successful during the installation of new machines. There was one that occurred even before the system proceeded to unpack and install the new software. And this incident is some 10 years old. Yes, this was mostly related to a Linux system, but things are not better on Windows. There, it takes some minutes more and things could go pretty bad. But it is worthless to consider which OS is weaker. In fact, some years ago, there were security watchlists which counted how many minutes it took to break into several OSes "installed from fresh".

So, if you want to be really sure you don't have any trouble, install from fresh under an isolated environment. And take good care to install all necessary stuff to protect the machine before you take that "golden snapshot".

But don't think the "golden snapshot" is the absolute panacea you were waiting for. If snapshots don't return partitions and/or the whole system into that same clean state from "fresh install", then you may have some bigger trouble ahead. In fact there are a few avenues to go back in, especially if your snapshots/restores are made on a live machine. In one case, a downloader was inserted right into one of the "untouchable" files Windows has. A nearly incredible thing, as that file cannot be changed while Windows is running. And no matter the attempts to return "all" the system to its "original" state, things always ended with the same malware running again.

But there is a bigger problem with snapshots: anyone has to take into account that returning systems to their "age of innocence" is not an option for many.

Anyway, the only right way to secure a computer system is the one described by some military many years ago: unplug it, pick it up, drop it into a deep mineshaft, cover it with concrete and shoot the team who accomplished the mission.

Not so right anyway... You also have to pick up your revolver and shoot yourself. Then the information will be in total security.

Nearly... In fact there is nothing universal here. For information to be Information, it has to flow always.