Black Hat Showdown a No Down.
An eagerly awaited security showdown at this year's Black Hat Briefings in Las Vegas, between the developers of the Blue Pill hypervisor rootkit and a team that claims it can reliably detect it, is no more.
In establishing the ground rules for the face-off, the Blue Pill developers requested a fee of $384,000 USD as compensation for the time and resources used to develop the technology and bring it to a commercial stage of completion.
Nobody is claiming that the Blue Pill team should not be compensated for their efforts, but the amount they have requested is enough to throw cold water on the concept of a showdown at this year's Black Hat conference in Las Vegas.
Is this the market rate for complete control of a brand new rootkit? Or is it indicative of the hidden costs that software development and security research really bring to a company? The quoted market rate of $200 per hour might be within a reasonable bracket, but applying it for the length of time that the rootkit has been in development is generally being interpreted as unfair. Suggestions have been put forward that it may be worth closer to 15-20% of what they have asked for, but with trades for information like this it will always be worth what someone is willing to pay.
Other suggestions have been that it should be handled like a proper wager (where better to do it than Vegas), with each side fronting up their bet, and winner takes all.
The showdown may not be a complete write-off, however. The team that was lined up to detect the rootkit will still present an outline at the Black Hat Briefings of the technology and guiding principles that allow detection of these hardware-level rootkits.
After news of the initial challenge grabbed the attention of a lot of people, the subsequent cancellation has led to some interesting ideas about how to still achieve some sort of outcome and test the claims of both parties.
One of the most prominent concepts put forward so far is a good-faith bet: the detecting team places its tool online and allows arbitrary third-party use and testing of it, to see whether it complies with the initial guidelines of the test, and the Blue Pill team tests against it internally (that particular report would have to be accepted on good faith for accuracy).
While not the same as a public head-to-head test, this still allows most of the aims to be achieved, including the most stringent limitation placed on the detection tool (it must not significantly degrade the user experience).
1 July 2007