Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Controversial Security Paper Nixed From Black Hat 144

coondoggie writes us with a link to the Network World site, as he tends to do. Today he offers an article discussing the cancellation of a presentation which would have undermined chip-based security on PCs. Scheduled during the Black Hat USA 2007 event, the event's briefing promised to break the Trusted Computing Group's module, as well as Vista's Bitlocker. Live demos were to be included. The presenters pulled the event, and have no interest in discussing the subject any more. "[Presenters Nitin and Vipin Kumar's] promised exploit would be a chink in the armor of hardware-based system integrity that [trusted platform module] (TPM) is designed to ensure. TPM is also a key component of Trusted Computing Group's architecture for network access control (NAC). TPM would create a unique value or hash of all the steps of a computer's boot sequence that would represent the particular state of that machine, according to Steve Hanna, co-chair of TCG's NAC effort."
This discussion has been archived. No new comments can be posted.

Controversial Security Paper Nixed From Black Hat

Comments Filter:
  • Reason for pull? (Score:4, Interesting)

    by gravos ( 912628 ) on Friday June 29, 2007 @09:23AM (#19688665) Homepage
    So, did they pull because they had a problem with the demos at the last minute, or is there a more sinister conspiracy-type explanation for this retraction?
    • Re:Reason for pull? (Score:5, Interesting)

      by Baron_Yam ( 643147 ) on Friday June 29, 2007 @09:28AM (#19688717)
      I would definitely be very interested to find out if it is a case of the presenters discovering they hadn't really done what they claimed, or if they folded under threat of litigation.

      This is interesting enough geek news that I expect some tech journalist somewhere will follow up on it.
      • DMCA anyone? (Score:5, Insightful)

        by TheSciBoy ( 1050166 ) on Friday June 29, 2007 @09:57AM (#19689113)

        My guess is that they could not go to the US from fear of being arrested for breaking the DMCA/some other law. I for sure wouldn't go to the US under any circumstances with information on how to defeat any kind of security.

        Security by obscurity still seems to be the mantra.

        • Maybe instead of finishing their presentation at the last minute, they went to white castle [imdb.com].
        • by Anonymous Coward
          Every security system in existance has a vulnerability, wether its the passwords, the keys, or the algorithms involved. Every security system in existance is only secure while this information is unknown, therefore every security system in existance is essentially 'security through obscurity'.

          The term 'security by obscurity' has it's place, but it seems like another phrase in a growing list that Slashbots just seem to latch onto whenever they feel like karma whoring (like 'DMCA invocation').
          • Every security system in existance has a vulnerability, wether its the passwords, the keys, or the algorithms involved. Every security system in existance is only secure while this information is unknown, therefore every security system in existance is essentially 'security through obscurity'.

            Close. The "security through obscurity" mantra is about how much knowledge is required to defeat a system. Knowing the algorithms involved shouldn't be enough. One should have direct access to the system's key(s).

            The issue isn't that there's a piece of secret knowledge that unlocks the system. That's a given - passwords, cryptographic keys, etc. are referred to as "secrets" and have nothing to do with the "obscurity" part of the mantra. The issue is whether enough study of a system or general knowledg

          • Re: (Score:3, Informative)

            by ajs318 ( 655362 )
            The point is that with something like public-key encryption using an Open Source algorithm, the only thing that has to be kept secret, and does not even have to be shared with the other party, is the decryption key. And you can prove that (if you've studied enough maths). You are in total charge of the only thing that needs to be kept secret for your communications to be secure.

            Whereas, with something like Skype -- which uses a closed-source implementation of christ-knows-what algorithm and handles its
        • Re: (Score:3, Insightful)

          by dpilot ( 134227 )
          So you're really saying rather than "security by obscurity", how about "security by threat of Gitmo"?
        • Security by obscurity still seems to be the mantra.

          Security by ignorance is the mantra.

          If someone points out a flaw in your security (whether it be a computer, or a bank, or a firebase) logic dictates that you should hear them out at the very least. If indeed you have problem, thank them and then FIX IT, because they are doing you a favor. What seems to be happening nowadays is the exact opposite. Those who are exposing security issues are intimidated into self-censorship and their knowledge ignored.
      • Re: (Score:2, Informative)

        by luckysam ( 1122059 )
        There is no conspriracy... The presenters' visa to enter USA has been under FBI name check for over a year ...
      • This is interesting enough geek news that I expect some tech journalist somewhere will follow up on it.
        I heard Brian Krebs is already on the case.
    • FTA:

      A spokesman for the conference was unable to offer more information. "At their request, they are no longer presenting. That is all the info I have," said the spokesman, Nico Sell, in an e-mail.
      (emphasis mine)
    • by j0nkatz ( 315168 ) <anon@memph i s g e e k .com> on Friday June 29, 2007 @09:38AM (#19688849) Homepage
      Who cares???

      It's iPhone Day!!!
    • by PoliTech ( 998983 ) on Friday June 29, 2007 @10:13AM (#19689291) Homepage Journal
      As for why they cancelled the presentation, last year Cisco sued Black Hat conference organizers after a security researcher demonstrated a method for running unauthorized code on a Cisco router. That, or there was a deal made.

      My question is why would anyone place their information security "Trust" in MS BitLocker, or Indochinese hardware (TPM chips) that likely already contain built in backdoors for John Law, and corporate drones?

      Open Source Full disk encryption is fast and free, open source Firewalls and process restricting software are available for those who just can't resist getting infected with the latest malware. Most Open Source security software developers are likely NOT under the control of Big Brother in any form, be it corporate drones or big government fascists.

      So while I'm a little disappointed that the Back Hatters decided to forgo the presentation of cracking TPM, since it was never trustworthy or secure to start with, and since anyone serious about security would never use such a faux security scheme at the outset, cracking TPM and "Trusted Computing" was only a curiosity anyway.

      The "Trusted Computing Initiative" is simply a way to provide vendors "Plausible Deniability" and to limit liability for allowing exposed data, nothing more.

      • by computational super ( 740265 ) on Friday June 29, 2007 @10:53AM (#19689747)
        As for why they cancelled the presentation, last year Cisco sued Black Hat conference organizers after a security researcher demonstrated a method for running unauthorized code on a Cisco router.

        And still there are people, even here on Slashdot, who insist that anonymous speech is not a precondition for free speech.

      • My question is why would anyone place their information security "Trust" in MS BitLocker, or Indochinese hardware (TPM chips) that likely already contain built in backdoors for John Law, and corporate drones?

        Open Source Full disk encryption is fast and free


        And why would you trust it any more than MS or Cisco or others? Using "Open source" as an equivalent of "cryptographically impregnable" is a dangerous misconception. A serious company selling security solutions has a compelling interest to ensure t
        • And why would you trust it any more than MS or Cisco or others?

          You do make some very good points, but because the Full Disk encryption software is not a chip soldered to my Motherboard. If the encryption software I choose is full of holes, I can then replace it with a certified paid product or another open source product.

          The issue here is that the "security" offered by MS and TPM isn't all that secure to start with, and you can't get rid of it whether you want it on there or not ... at least not without

        • by WNight ( 23683 ) *
          But what financial incentive does a company have to make your encryption secure? Maybe a little if they're 1) good and 2) dedicated. Bruce Schneier has a rep worth keeping.

          Microsoft on the other hand? Even MS-bashing aside, they have a horrible reputation for security even still. They offer no guarantees of correctness and no warranties (expressly) in the case of failure, even known problems.

          An independent coder on the other hand is at least protecting his files...
        • And why would you trust it any more than MS or Cisco or others? Using "Open source" as an equivalent of "cryptographically impregnable" is a dangerous misconception. A serious company selling security solutions has a compelling interest to ensure the correctness and robustness of their solution; an anonymous coder doesn't really, even assuming he's a bona fide developer trying to provide a good solution, and not some russian hacker really curious about your credit card number.

          See, I've worked for and wit
    • by WED Fan ( 911325 ) <akahige@trashmaCOUGARil.net minus cat> on Friday June 29, 2007 @10:46AM (#19689651) Homepage Journal

      Or, perhaps, like in science, they discovered a flaw in their own methodology that rendered the presentation pointless. It does happen. How many times has someone yelled eureka, only to have some genius say, "Uh, Bob, you still have the machine plugged into the grid, it's not under its own power"?

      • Re: (Score:3, Insightful)

        by Blue Stone ( 582566 )
        >"Or, perhaps, like in science, they discovered a flaw in their own methodology that rendered the presentation pointless. It does happen

        Then why did they not just say that?

  • If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine. Don't shoot the messenger.
    • by AP2k ( 991160 ) on Friday June 29, 2007 @09:37AM (#19688837)
      ...Or kick him down a well.
    • Re: (Score:3, Insightful)

      If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine. Don't shoot the messenger.


      Agreed. Another possibility is that one of them discovered a flaw with their method. Eleventh-hour bugs right before demos are the most evil ones of all.
      • by BunnyClaws ( 753889 ) on Friday June 29, 2007 @09:52AM (#19689045) Homepage

        Agreed. Another possibility is that one of them discovered a flaw with their method. Eleventh-hour bugs right before demos are the most evil ones of all.

        Ding! Ding! Ding! This more than likely is the case. What is more likely to happen? These guys getting silenced and quietly removing their presentation or these guys figuring out they were wrong and quietly removing their presentation. If there was a threat from the company there would have been a leak about the reason for pulling the plug on the presentation. More than likely the presenter discovered a flaw and quietly pulled the plug.

        • Re: (Score:3, Interesting)

          by TheSHAD0W ( 258774 )
          "The demonstration would include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System (which has TPM + BitLocker enabled)," the abstract said.

          If they were able to do that, most likely they had what they said they had. I'm betting they were threatened with a lawsuit or a criminal complaint.
        • What is more likely to happen?

          I think what's more likely to happen is parties with a business interest in these technologies paying the presenters off to lay low for a time. If I had found a security flaw, and was offered, say $10,000 to shut my mouth about it, I'd do it. It's going to come out anyway, but the delay might be worth millions of dollars... Especially if they manage to find a fix in that time.

          • Re: (Score:3, Interesting)

            by geekoid ( 135745 )
            YOu would need to put 3 more zeros on that to shut me up, minimum.
            Because when it gets found out, I would not be trusted in the future.
            • by Overzeetop ( 214511 ) on Friday June 29, 2007 @11:43AM (#19690449) Journal
              How about -$100,000 and possible jail time? Not an unusual price for a criminal investigation, say, for a DMCA violation. These guys really do play hardball, and if you're lawyer agrees with their lawyers, you'd have to have quite a set to go to a public forum where the authorities are waiting for you to finish your talk so they can take you downtown, along with your presentation as proof to turn over to the DA.

              Not saying it's right...but there are both carrots and sticks, and I have no doubt they are both used.
              • by jZnat ( 793348 ) *
                If your lawyer agrees with their lawyers, you might have found an awful lawyer! He/she could probably be disbarred for not working for their client to the best of their ability (the lawyer oath and whatnot)...
              • "your" = belonging to you
                "you're" = you are

        • by _Sprocket_ ( 42527 ) on Friday June 29, 2007 @10:56AM (#19689801)

          What is more likely to happen? These guys getting silenced and quietly removing their presentation or these guys figuring out they were wrong and quietly removing their presentation.


          While I definitely agree that its very plausible the researchers simply discovered that they goofed, I would also note that there is historical precedent [slashdot.org] for other motivations.
      • by jimpop ( 27817 ) *
        Another, another possibility is that they previously signed an NDA (possibly having even sold the exploit for $$) and are now contractually prevented from further discussion.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      The problem is that there are still people who believe in the concept of "security through obscurity", which can be undermined quite easily by pointing out the big gaping holes hidden under a few fluffy buzz-words, and if a messenger shows up trying to tell people about it, the owner of those holes will attempt to discourage them through any means available, including "shooting the messenger".
      It's very possible that the whole thing was called off because they didn't want to get treated like
    • Don't shoot the messenger.

      Not only that, but the messengers shouldn't give up so easily. They have a responsibility to disclose their findings instead of letting people rely on insecure solutions, or letting them fall victim to losing control of what their PC can/can't do.
    • Re: (Score:2, Troll)

      benhocking "If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine."

      The TPM is designed to prevent the hardware owner from having access to at least one of the digital keys within it, and thereby to prevent the hardware owner from having control over software running in the "trusted", walled-off mode. It is therefore a DRM chip, not a "security" chip.

      "Secure" in the sense you are using is from the key-holders' point of view, lik
      • I was wondering how long it was going to take someone to work some totally non sequitur U.S.-bashing into a technical discussion ... and there you went and did it!
      • In case it wasn't clear, I did not write the summary nor the article that the summary references. I was just pointing out that, regardless of how one feels about DRM or TPM and what is being secured against, the concept that a presentation could undermine security implies a security based on obscurity, which is no security at all.
    • I would just solve the whole presentation problem (assuming that the chip is not secure) by responding to litigation by responding with "False Adversiting"
  • by WalterGR ( 106787 ) on Friday June 29, 2007 @09:29AM (#19688725) Homepage

    coondoggie writes us with a link to the Network World site, as he tends to do.

    (emphasis mine.) Interesting. First time for such meta-commentary by a slashdot editor? I don't think we ever saw the same for one of Roland Piquepaille's many submissions...

    • by Aoreias ( 721149 )
      coondoggie's profile website in is networkworld.com Roland's links to his blogs are rarely if ever the primary source for the submission, but rather a 'for more information...'
  • by denis-The-menace ( 471988 ) on Friday June 29, 2007 @09:29AM (#19688733)
    Now crackers will have an advantage and the rest of us will be blind-sided.

    I don't like the whole [trusted platform module] (TPM) because we consumers are are not trusted in the whole scheme.

    But for the few us techies that get this P.O.S. "security" system foisted upon them by their clueless/soldout management, wouldn't be nice to be able to explain why the hacker(s) got through the night before?
    • Its not really about consumers. The customers that this system sells to are people who have computers that they let other people use, such as companies or governments. This offers them protection against stupid/disgruntled employees. You will note in the article, the attack is targeted at controlled network access, such as protected networks that you find in say, a bank.

      If you see this stuff in your commercial home system, it is mostly because, having spent the money to develop this technology for big c
      • PC hardware companies have one customer: Microsoft.

        They have to sell their hardware to Microsoft. Oh, sure Microsoft doesn't pay for it directly-- they get consumers (both free citizens and corporations) to do that for them. However, the hardware companies must please Microsoft if they hope to be able to sell their hardware.

        If Microsoft feels they are beset by an upstart operating system, one that does not have the financial or political clout to become "trusted," they may very well demand their suppliers p
      • You are mistaken, because you think Microsoft's customer is the end-user or even the corporate buyer but it isn't. Microsoft's customer here is the RIAA and the MPAA and their constituents, and you're just an ATM machine to them.
        • by ajs318 ( 655362 )
          Would that be one of those ATM machines where you type in your PIN number, then?

          I seem to recall that they have their electronics on a single PCB board.
  • Trusted Computing is one security measure I'd like to see broken.
    • Just virtualize it.
      • Re: (Score:3, Informative)

        by Anonymous Coward
        The whole point of the design, almost the whole reason for having the hardware in the first place, is that you can't virtualize it. Neither a VM nor a computer without the chip can impersonate a computer with the chip, because they don't have the signed crypto keys which are (supposedly unextractably) embedded in the chip. It doesn't help if your VM is running inside a TC computer, because the TC device won't see the computer as running trusted software (it'll see the hypervisor, which will NOT be trusted u
        • by ajs318 ( 655362 )
          Except that there is no way for software to determine whether or not it is running in a virtualised environment. (If there was, that would indicate your virtualisation is not being done right.) Your virtual environment just has to listen for the challenges and send the correct responses. And you can know, by examining the software which is running within the virtualised environment, exactly what response it is expecting.
          • Re: (Score:3, Informative)

            Except that there is no way for software to determine whether or not it is running in a virtualised environment. (If there was, that would indicate your virtualisation is not being done right.) Your virtual environment just has to listen for the challenges and send the correct responses. And you can know, by examining the software which is running within the virtualised environment, exactly what response it is expecting.

            You misunderstand the way the TPM works. TPM chip computes a running checksum of a num

            • by ajs318 ( 655362 )
              Whatever happens, the software is looking for a particular response from the TPM chip -- even if it asserts the "challenge" indirectly by address-knocking or something. You can determine from the software what it's looking for, and feed it the right things.

              To all intents and purposes, TPM is just a password embedded into the motherboard. All you have to do is examine the hash function and the expected value, and then you can create something that hashes to the same thing. The hash function probably won
              • by Hizonner ( 38491 )

                That would be true if it were local software that was doing the checks. The idea of the TPM is that you can use it to prove to a remote computer, not under your control, that your machine is running "blessed" software. The bank can verify that you're running an OS it's comfortable with. An online DRM system can refuse to hand over the key to decrypt media unless you prove your computer is "uncompromised" (and therefore won't make a copy of either the key or the media). You can virtualize your end, but you

                • by ajs318 ( 655362 )
                  If the checking is being done remotely, then your computer must be sending properly-formed packets down the network -- because properly-formed packets are the only thing you can send over the network. That kind of nullifies the address-knocking scheme (it doesn't matter what language the Natives speak amongst themselves, if it has to be translated into English before the messenger can deliver it to their Chief far away). There's still a chink in the armour.

                  TPM is beatable. I'd even go so far as to say
                  • If the checking is being done remotely, then your computer must be sending properly-formed packets down the network -- because properly-formed packets are the only thing you can send over the network. That kind of nullifies the address-knocking scheme (it doesn't matter what language the Natives speak amongst themselves, if it has to be translated into English before the messenger can deliver it to their Chief far away). There's still a chink in the armour.

                    You keep forgetting that each packet is encrypted

              • by BLKMGK ( 34057 )
                Suggest further reading on the subject....

                Yes, the software is expecting certain kinds of responses blah blah and you can modify the software to accept other inputs as valid. Except that the software is signed and verified at bootup by the TPM. TPM is a chain of trust sort of thing with the root of that trust buried in a chip filled with crypto and digital signatures. Many (damn near all actually) of the suggestions posted here so far violate that chain of trust and will be spotted by the TPM and a flag thr
  • by packetmon ( 977047 ) on Friday June 29, 2007 @09:34AM (#19688795) Homepage
    Yanked why? ... Maybe because security experts have already exposed *stolen/old/re-hashed concepts* [seclists.org] and they didn't want to be embarrassed...
  • by MMC Monster ( 602931 ) on Friday June 29, 2007 @09:34AM (#19688797)
    ...that there is more money just selling the presentation to the highest bidder. Then present it a year later.

    Correct me if I am wrong, but if someone adds something like this to a remote execution virus, they can install a virtual machine underneath Windows (any version) and have access to all data, including encrypted volumes?

    Nah... I'm just paranoid.
  • by Seraphim_72 ( 622457 ) on Friday June 29, 2007 @09:37AM (#19688823)

    ...more of a dark gray hat then.
  • Give it time (Score:2, Insightful)

    by gen0c1de ( 977481 )
    Maybe they are putting it on the back burner, not releasing the information and giving it time to get to the point that once they do release it there will be a much bigger effect. As it is now TPM isn't wide spread yet so give it a bit of time and then break it.
    • Three possibilities:

      * Didn't actually work like they said

      * Wanted to make some cash-ola on the "sploit"

      Big Corporate Illuminati paid them off.

      * Found dead after listening Cowboy Neal drone on and on and on and on...

      Your choice.

  • Scheduled during the Black Hat USA 2007 event, the event's briefing promised to break the Trusted Computing Group's module, as well as Vista's Bitlocker. Live demos were to be included. The presenters pulled the event, and have no interest in discussing the subject any more.

    Maybe because it never existed?

    1.Announce you're going to present how to break Vista / TCM
    2.Collect $$$$ from registrations
    3.Claim the presentation is "cancelled"
    4.Profit!

    • by geekoid ( 135745 )
      Look at the history of the people who where going to present it.

      I would give the benefit of the doubt to them.

  • by I)_MaLaClYpSe_(I ( 447961 ) on Friday June 29, 2007 @10:01AM (#19689163)
    Nitin and Vipin Kumar are the creators of VBootkit [nvlabs.in] and they were covered previously on Slashdot here: VBootkit Bypasses Vista's Code Signing [slashdot.org].
  • I don't know how likely it is, but since no one has mentioned it I figured I would. Maybe they were simply offered a big pile of cash to keep quiet, and never speak of it again??
  • What takes fewer assumptions: To assume that MS or some other bigwhig of the TPA crowd sent them some Ahnulds with an "...or else" message, or to assume that they found out that either their presentation is flawed or that their findings aren't so new at all? Or maybe they want to up the hype (after all, they do have a security consulting company)?

    Seriously. Keep the conspiracy low.
    • by Darby ( 84953 )
      What takes fewer assumptions: To assume that MS or some other bigwhig of the TPA crowd sent them some Ahnulds with an "...or else" message, or to assume that they found out that either their presentation is flawed or that their findings aren't so new at all?

      You're going to slit your throat holding your razor backwards like that.

      The first obviously takes fewer assumptions. MS and various other companies have demonstrated repeatedly that that is *exactly* how they do business on a regular basis. So the only a
      • Either takes assumptions to come to the desired (i.e. existing) effect. The question is, who has to lose more from disclosing the basic reason for their withdrawal, and how likely is it to happen.

        Assumption: MS using legal muscle or threats to quench information about faulty TPA.
        Effect of exposure: MS getting flak from the community. Ok, doesn't faze them as we know. MS getting flak from the content providers relying on TPA. Would hurt them seriously more.
        Risk of exposure: High, a lot of people would actual
        • by Darby ( 84953 )

          Personally, I go with the third assumption. It makes the most sense.


          No, it really doesn't.
          The first choice you listed takes no real assumptions at all. We *know* that that is *exactly* what MS does in these situations, hence not only is it perfectly reasonable to assume they'd keep doing what they always do, it is the default assumption when dealing with them about anything.

          Now, it's perfectly possible that the third choice is actually correct, but you will never get there using the information available pl
  • Presenters Nitin and Vipin Kumar's presentation...

    Wasn't there some movie about this? Nitin and Kumar go to Black Hat, or some such?

  • Because we all know that hiding your head in the sand is a sound means of securing systems.
  • by fahrbot-bot ( 874524 ) on Friday June 29, 2007 @02:18PM (#19692713)
    Remember: TPM is there so the vendors can trust the PC, not the consumers (hardware owners) - who are, as far as the vendors are concerned, untrustworthy...

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...