Monday, August 06, 2007

Revoking Atsiv's digital certificate: has Microsoft become the "Software Police"?

Besides the obvious :-), why would anyone call Microsoft the "Software Police"? Well, there was a clever and useful utility called Atsiv, by LinchpinLabs, which got around the 64-bit Vista restriction on loading unsigned drivers into the kernel.

This is new behavior for Microsoft OSes: on 64-bit Vista the kernel will only load driver code that carries a digital signature chaining to a root Microsoft trusts (Kernel Mode Code Signing, or KMCS). The only sanctioned exceptions are a boot-time F8 option that disables enforcement for a single boot and a test-signing mode (bcdedit /set testsigning on) meant for driver development. The theory was that this would stop rootkits from proliferating.

Atsiv got around this with a driver that was itself properly signed (with a VeriSign code-signing certificate issued to Linchpin Labs). Once that signed driver was in the kernel, it loaded other, unsigned driver images into kernel memory itself rather than through the normal driver loader, so the code-integrity check at load time was never applied to them. In other words, the tool itself was signed, and it did the loading.

Now, although Microsoft and Symantec claim this is rootkit behavior, I can see some valid uses for this ... for example, testing code before signing it ... signing is not cheap and you don't want to do it unless you need to.

On rootkit.com, one of the developers of Atsiv gave his argument for the tool:

One of the restrictions under Vista is enforced driver signing. Driver signing doesn’t prevent malware, it just prohibits freedom to choose, which on a general purpose operating system is simply not acceptable.

A signed file uniquely identifies the company that developed that file but when companies can be created and registered in jurisdictions known for protecting the privacy of company founders and directors you have to ask what does driver signing actually represent? Signed drivers can be signed by an arbitrary legally registered company. Absent any control over what the driver actually is or does, this provides no real additional security, other than removing author anonymity. So do the new Vista “features” improve system security or only impose limitations?

And that's a good question. At any rate, by working with Verisign, Microsoft had the digital certificate for Atsiv revoked (noted here on the Windows Vista Security blog). Not only that, they added a detection signature for it to Windows Defender ... so now it's malware, right? One detail worth knowing: the kernel's load-time signature check does not consult a certificate revocation list, so the revocation on its own does not stop an already-distributed copy of the signed driver from loading; that is one reason a malware signature was needed as well.
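As an added example (not code from the original post or from LinchpinLabs), here is the check a practitioner would want after reading the two points above: which registered drivers on a 64-bit Vista or later box carry a valid Authenticode signature, who signed them, and whether the signer's certificate has since been revoked, which is the online lookup the kernel's load-time check skips. It also flags the two bcdedit switches that weaken KMCS. The function names are mine; it needs an elevated PowerShell 2.0 or later and network access for the CRL/OCSP lookup.

```powershell
# Added example (not part of the original post): audit the drivers registered
# on a Windows box, verify each file's Authenticode signature, and run an
# online revocation check on the signer certificate. Requires an elevated
# PowerShell 2.0 or later; network access is needed for the CRL/OCSP lookup.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports NT-style paths (\SystemRoot\..., \??\C:\...,
    # or a bare system32\drivers\...); map them to Win32 paths.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\system32\')
    return $p
}

function Test-CertRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with an online CRL/OCSP lookup. This is the step the
    # kernel's load-time KMCS check does not perform, so a driver signed with a
    # since-revoked certificate still loads until something else blocks it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built   = $chain.Build($Cert)
    $revoked = $chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    }
    if ($revoked) { return 'Revoked' }
    if (-not $built) {
        return 'ChainError: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    return 'OK'
}

function Get-KmcsPolicyState {
    # bcdedit prints an option only when it is set; absence means the default,
    # i.e. enforcement on. Both switches weaken KMCS and are worth flagging.
    $bcd = & bcdedit /enum '{current}' 2>$null
    return @{
        TestSigning       = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
        NoIntegrityChecks = [bool]($bcd | Select-String -Pattern '^nointegritychecks\s+Yes' -Quiet)
    }
}

function Get-DriverSignatureReport {
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        $drv  = $_
        $path = Resolve-DriverPath $drv.PathName
        $row  = New-Object PSObject -Property @{
            Name = $drv.Name; State = $drv.State; Path = $path
            Signature = 'FileNotFound'; Signer = ''; Revocation = ''
        }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            # Catalog-signed inbox drivers have no embedded signature; older
            # PowerShell reports them as NotSigned, newer versions resolve the
            # catalog. NotSigned on a third-party driver is the finding to chase.
            $row.Signature = $sig.Status.ToString()
            if ($sig.SignerCertificate) {
                $row.Signer     = $sig.SignerCertificate.Subject
                $row.Revocation = Test-CertRevocation $sig.SignerCertificate
            }
        }
        $row
    }
}

$policy = Get-KmcsPolicyState
"testsigning enabled: $($policy.TestSigning); nointegritychecks enabled: $($policy.NoIntegrityChecks)"
Get-DriverSignatureReport |
    Sort-Object Signature, Name |
    Format-Table Name, State, Signature, Revocation, Signer -AutoSize
```

Read the report bottom-up: a running third-party driver whose Signature is NotSigned or HashMismatch, or whose Revocation column says Revoked, is exactly the case this post is about; a Revoked signer that is nonetheless loaded shows in practice that the revocation alone did not keep the code out of the kernel.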

Comments on the blog post seemed to indicate most users were behind LinchpinLabs and critical of Microsoft and Verisign. For example, in this comment, Ben says "It would appear that Microsoft's aim is to ensure that people's personal computers do what Microsoft wants them to do rather than necessarily what the owner wants them to do."

In this comment, Peter says "This sets a VERY bad precedent. As you said, 'the defense-in-depth measures provided by KMCS worked as expected.' So the KMCS system worked as designed, but you just didn't like what the driver did, so you had it removed and revoked."

Personally, I feel this utility had valid uses, and I'm definitely uncomfortable with the fact the certificates can be revoked at any time. What about you readers? What do you think?

1 comment:

Anonymous said...

I would agree that it is a fair practice to revoke certificates for fraudulent or malicious applications.

However, what I do not agree with is Microsoft's self-interest policy. I believe the user should decide whether to run applications and what level of "security" we want on our computers. By far, Windows Defender is the most annoying "security" application I've seen, and it doesn't even live up to its name.

Despite the continuous attempts from Microsoft to maintain control, year after year it has been proven that Microsoft does a really lousy job at security, as Windows is by far the operating system with the most security breaches on Earth.