Drivers of the IT-security industry
The IT-security industry seems to be driven by two main factors:
- prestige
- money
While this makes sense for companies, from private researchers one would expect nobler reasons, like the simple desire to learn and share knowledge. For some researchers this might be the case, but there are not too many of them. One unfortunate example from the recent past is the Stoned bootkit, which was presented at Black Hat 2009 in Las Vegas.
The author claims that his bootkit breaks TrueCrypt. Strong words. When looking at the project in detail, one finds that the main concept of bootkits is not new. In fact, the theory has been well known for several years, and many projects have already implemented this concept.
The basic idea of a bootkit is similar to that of a rootkit. A bootkit is malicious software which gets written to the master boot record (MBR) of a computer. But when is an attacker able to write to the MBR of a victim's computer? Basically, there are two possibilities:
- The attacker has physical access to the machine
- The attacker has administrator privileges on the machine
In both cases, the game is simply over. An attacker who has either physical access or administrator privileges is no attacker anymore. He then owns the computer. Everything which happens from this point on is not of relevance anymore. Also, no software can help in such a case. The machine must be reinstalled.
Since the Stoned bootkit lives in the MBR, the author implicitly assumes the victim's computer to be already compromised. Otherwise, the bootkit simply cannot reach the MBR. Of course, this does not break TrueCrypt in any way. Not even approximately. How can TrueCrypt ever defend a computer which has already been compromised? How can any software do this? The answer is: it's not possible. Security software is meant to defend healthy machines which are not compromised. As expected, the TrueCrypt developers correctly identified the Stoned bootkit attack as bogus.
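To make the MBR discussion concrete, here is an added example (not code from the original post, from the Stoned project, or from TrueCrypt) that parses a 512-byte MBR image and compares its boot-code region and partition table against a baseline recorded from a trusted installation. It assumes the conventional MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature); the sample images are constructed placeholders and do not reproduce any real boot code.

```python
# Added example (not part of the original post): parse a 512-byte MBR image
# and compare its boot-code region against a known-good fingerprint.
# Assumed layout: 446 bytes of boot code, four 16-byte partition entries,
# and the 0x55AA boot signature at offset 510.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into a boot-code fingerprint and its partition entries."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY_FMT, image, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    boot_code = image[:BOOT_CODE_LEN]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions}


def check_mbr(image: bytes, baseline: dict) -> dict:
    """Compare a freshly read MBR against a baseline recorded from a trusted install."""
    current = parse_mbr(image)
    return {
        "boot_code_intact": current["boot_code_sha256"] == baseline["boot_code_sha256"],
        "partition_table_intact": current["partitions"] == baseline["partitions"],
    }


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image for the demonstration below."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY_FMT, buf,
                         PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sample data: a placeholder boot sector with one NTFS-type partition.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90constructed-sample-boot-code",
                      [(0x80, 0x07, 2048, 204800)])

# Constructed "tampered" copy: bytes in the boot-code region changed, partition table untouched.
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xE9\x00\x01"
TAMPERED_MBR = bytes(_tampered)

# What an administrator would record right after a trusted installation.
BASELINE = parse_mbr(CLEAN_MBR)


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Reading a real MBR means reading the first 512 bytes of the disk device, which itself requires administrator rights, and the baseline is only worth anything if it was recorded while the machine was still healthy. That is exactly the post's point: once an attacker has physical access or administrator privileges, a check run on that machine can be undermined as well, so the comparison belongs to machines that are not yet compromised.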
The author of the bootkit did not just draw wrong and misleading conclusions, he also flamed the TrueCrypt developers in a pretty rude way – despite the fact that the TrueCrypt developers had explained the situation to him in a simple and polite way.
This example perfectly illustrates the "prestige" factor which is intrinsic to the IT-security industry. The shameless self-portrayal of many individuals harms the whole security industry. Unaware people who stumble across one of the many badly researched articles about the Stoned bootkit might get the impression that TrueCrypt suffers from a design flaw – which obviously is not the case.
Finally, the destruction of things will never require the same level of skill as the creation of things. Everybody is able to destroy a house. You just need a hammer and can start smashing the house wherever you want. But only some people have the skill to build a house. You need knowledge, experience and adequate material. The same applies to software development. Breaking software will never be as difficult and challenging as developing software. Unfortunately, inexperienced developers like the author of the Stoned bootkit often receive much more approval than the people who actually deserve it: the TrueCrypt developers, who have been doing a very good job for many years.