WEBVTT - What is a rootkit? 0:00:00.280 --> 0:00:02.840 Brought to you by the reinvented two thousand twelve camera. 0:00:03.160 --> 0:00:08.920 It's ready. Are you get in touch with technology? With 0:00:09.039 --> 0:00:17.800 tech Stuff from how stuff works dot com. Hello again, everyone, 0:00:17.840 --> 0:00:20.520 and welcome to tech Stuff. My name is Chris Poulette. 0:00:20.600 --> 0:00:23.000 I'm an editor at how stuff Works dot com. And 0:00:23.040 --> 0:00:24.919 as usual, the person sitting across to me at this 0:00:25.000 --> 0:00:28.000 table while we do this thing as senior writer Jonathan Strickland. 0:00:28.120 --> 0:00:31.440 The world isn't run by weapons anymore, or energy or money. 0:00:31.680 --> 0:00:34.560 It's run by little ones and zeros, little bits of data. 0:00:34.920 --> 0:00:40.240 It's all just electrons. Today, we're going to start off 0:00:40.240 --> 0:00:45.080 with a little Facebook feedback. This comes from j B 0:00:45.240 --> 0:00:47.159 and j B says, Hey, guys, I just heard you 0:00:47.159 --> 0:00:50.000 mentioned something called a root kit or something like that 0:00:50.080 --> 0:00:53.160 on the back end of your podcast on piracy. I'd 0:00:53.159 --> 0:00:55.640 really love to hear all about all the nasty little 0:00:55.680 --> 0:00:59.960 digital bacteria and viry floating around on the web, perculating 0:01:00.040 --> 0:01:02.480 in the minds of hackers like the mouth of a 0:01:02.560 --> 0:01:06.960 Komodo dragon. Thanks for the greatly entertaining and interesting podcast. 0:01:07.040 --> 0:01:12.640 Cheers and happy holidays. Wow that's a greatly entertaining Yeah. 0:01:12.680 --> 0:01:16.520 I have to point out jb um komodo dragon's mouth 0:01:16.760 --> 0:01:21.200 actually don't percolate. I heard they're cleaner than humans mouth. 0:01:22.160 --> 0:01:23.959 I'm sorry, I think you have another animal. I'm pretty 0:01:23.959 --> 0:01:26.320 sure if a komodo dragon bites me, the bacteria would 0:01:26.360 --> 0:01:29.119 be worse than than your general human I'm not saying 0:01:29.120 --> 0:01:31.120 that there aren't humans out there who could give a 0:01:31.160 --> 0:01:33.600 komodo dragon a run for the money in the bacteria department. 0:01:33.640 --> 0:01:36.959 But how about we get this back on track. Okay, 0:01:37.000 --> 0:01:39.319 so we're gonna talk about root kits now. We've already 0:01:39.319 --> 0:01:43.839 talked about various kinds of worms and viruses in previous episodes, 0:01:43.880 --> 0:01:47.760 but we never really got into root kits. Um And Uh, 0:01:47.840 --> 0:01:51.240 it's interesting because a root kit on its own by itself, 0:01:51.280 --> 0:01:53.400 I mean, really, you could say this about just about anything, right, 0:01:53.400 --> 0:02:00.800 But it's just a tool. It's not necessarily m malicious. 0:02:01.400 --> 0:02:03.920 It doesn't have to be malicious, but I think it's 0:02:03.960 --> 0:02:09.360 probably more than not used as a tool to take 0:02:09.440 --> 0:02:14.440 control of a computer or infect it so thoroughly with 0:02:14.560 --> 0:02:20.600 some kind of malware that it is virtually, if not completely, undetectable. Right, 0:02:20.720 --> 0:02:22.880 let's let's let's try and break this down a bit 0:02:22.919 --> 0:02:27.120 so root kit if you want to be perfectly technical 0:02:27.160 --> 0:02:30.200 about the the definition. A root kit on its own 0:02:30.240 --> 0:02:34.320 does not take control of a computer. Know what it 0:02:34.360 --> 0:02:37.840 does is it allows you to maintain control over a 0:02:37.840 --> 0:02:40.920 computer you've already compromised, but you do it in a 0:02:40.919 --> 0:02:45.919 way that gets shielded from the victims computer. Well, not 0:02:46.400 --> 0:02:50.200 the original the first root kits weren't necessarily that great 0:02:50.280 --> 0:02:54.040 at shielding themselves. But well we can get into that. 0:02:54.080 --> 0:02:56.280 I mean just but yeah, keep going. Okay, So, so 0:02:56.440 --> 0:03:00.680 rooting is kind of going back to Unix terminology. Yeah, 0:03:00.680 --> 0:03:04.000 I mean, hackers of all stripes, good and bad, uh 0:03:04.400 --> 0:03:07.639 frequently referred to the root user, the person who has 0:03:07.639 --> 0:03:11.000 all the administrative rights to the machine right the fewest, 0:03:11.160 --> 0:03:14.840 the fewest restrictions are placed upon the root user. So 0:03:15.000 --> 0:03:16.880 fear me for I am root. Yeah. You can think 0:03:16.880 --> 0:03:20.280 of you can think of different um uh levels of user. 0:03:20.320 --> 0:03:22.520 You know, you've got your your general user, You've got 0:03:22.520 --> 0:03:26.160 your administrator, who usually has greater access than you know, 0:03:26.240 --> 0:03:28.919 your regular user. And then you've got the root user, 0:03:28.960 --> 0:03:32.560 which is usually like a system administrator, who might even 0:03:32.720 --> 0:03:35.640 be able to access things that the administrator can't access. 0:03:36.000 --> 0:03:39.040 It's one of my friends, purposefully with this in mind, 0:03:39.200 --> 0:03:43.640 named his computer all evil. Oh, it's the root of 0:03:43.680 --> 0:03:46.880 all evil. Yes, got you. I thought that was the 0:03:46.960 --> 0:03:49.680 love of money. But at any rate, is apparently this 0:03:49.720 --> 0:03:54.839 person and his or watched out. Um, so yeah, it's 0:03:55.040 --> 0:03:58.560 it's uh too. To root a computer is to get 0:03:58.600 --> 0:04:01.120 that level of access. And you can even do that, 0:04:01.200 --> 0:04:03.800 not just by you know, stealing a password or hacking 0:04:03.800 --> 0:04:07.920 a password or whatever. You can infect a system level 0:04:08.040 --> 0:04:12.480 operation and get system level access to a machine. Now, 0:04:12.480 --> 0:04:15.640 system level access and root access are more or less 0:04:15.680 --> 0:04:18.480 the same thing, but a system there are hackers who 0:04:18.480 --> 0:04:20.440 will tell you system level access is the way to 0:04:20.440 --> 0:04:24.680 go because this is where there are practically no restrictions whatsoever, 0:04:24.960 --> 0:04:27.080 and you can do anything to the core of that 0:04:27.160 --> 0:04:30.520 machine that you want. That's really the goal of the 0:04:30.600 --> 0:04:32.640 root kits is to get control of the core of 0:04:32.640 --> 0:04:35.680 the machine and then to hold onto that as long 0:04:35.720 --> 0:04:39.680 as possible. And while the early root kits didn't necessarily 0:04:39.760 --> 0:04:43.800 shield uh the the invasion from prying eyes so that 0:04:43.839 --> 0:04:48.320 the victim would remain unaware, since then that's pretty much 0:04:48.360 --> 0:04:49.920 the way to go because if you want to have 0:04:50.120 --> 0:04:53.359 if you want to maintain control, it's best if the 0:04:53.440 --> 0:04:57.400 victim never even knows that there, that they are a victim. Right. 0:04:58.760 --> 0:05:01.719 In doing some research, A consulted one of my favorite 0:05:02.160 --> 0:05:08.040 UH tech research sites, tech target UM and the first 0:05:08.240 --> 0:05:11.880 root kits started showing up on networks in the early 0:05:14.160 --> 0:05:17.720 UM and at that point we weren't talking about, you know, 0:05:18.120 --> 0:05:21.000 rooting Windows or Mac machines. They were looking at Sun 0:05:21.040 --> 0:05:26.840 and Linux based operating systems. UM. But now, of course UM, 0:05:27.160 --> 0:05:29.520 things have changed some wide and you could find root 0:05:29.600 --> 0:05:33.719 kits for pretty much every operating system. UM. I've never 0:05:33.760 --> 0:05:37.800 really heard of one for Mac os, but with its 0:05:37.880 --> 0:05:40.960 roots in BSD, I wouldn't be a bit surprised. I 0:05:41.000 --> 0:05:43.520 did come across one while I was researching. So, I mean, 0:05:43.600 --> 0:05:48.279 the concept itself is platform agnostic. It doesn't matter what 0:05:48.400 --> 0:05:50.960 platform we're talking about ways to break into a system 0:05:51.000 --> 0:05:54.440 and get that level of access, that deep level of access. 0:05:54.600 --> 0:05:58.600 And when you're really talking about things like the you're 0:05:58.600 --> 0:06:01.599 talking about things that are are integral to the way 0:06:01.600 --> 0:06:05.479 the computer operates, and in a way, there's it's gonna 0:06:05.520 --> 0:06:08.600 be really difficult to ever prevent root kits from happening 0:06:08.720 --> 0:06:12.200 or or rooting a computer from happening, UM, just because 0:06:12.520 --> 0:06:14.920 as long as you understand how the computer works, you 0:06:15.000 --> 0:06:17.200 have to be able to get to that that core 0:06:17.240 --> 0:06:19.080 of the computer. I mean if you if you weren't, 0:06:19.400 --> 0:06:21.680 then these applications that you build on top of the 0:06:21.720 --> 0:06:24.200 computer would never work because they have to refer back 0:06:24.240 --> 0:06:27.799 to the core to get things like instructions and um 0:06:28.000 --> 0:06:30.479 and what. We can talk a little bit about the 0:06:30.560 --> 0:06:34.160 sort of stuff that that the core does. When I'm 0:06:34.160 --> 0:06:35.920 talking about the core, I'm really I'm talking about the 0:06:35.960 --> 0:06:39.800 kernel of the operating system. Yeah, or talking the very 0:06:39.800 --> 0:06:41.560 I mean the kernel. If you think about a kernel 0:06:41.640 --> 0:06:45.760 of corn or seed. That's really what we're talking about, 0:06:45.839 --> 0:06:50.120 is the the core of the operating It's it's really 0:06:50.120 --> 0:06:52.360 a foundation that everything else is built upon. So this 0:06:52.400 --> 0:06:55.160 is kind of getting to the point of an operating 0:06:55.200 --> 0:06:59.680 system that interacts with the hardware on a machine. So 0:06:59.800 --> 0:07:03.080 this is the This is the layer of programming of 0:07:03.200 --> 0:07:08.479 coding that allows the hardware and the software to work 0:07:08.520 --> 0:07:11.680 with one another. Without this, the hardware wouldn't be able 0:07:11.640 --> 0:07:13.480 to software wouldn't be able to interact with the hardware 0:07:13.520 --> 0:07:16.280 at all. It would just be you know, gobbledygook. So 0:07:16.840 --> 0:07:19.360 the sort of stuff that the colonel does, UM, it's 0:07:19.400 --> 0:07:23.360 in charge of process management. So we've talked a little 0:07:23.400 --> 0:07:26.720 bit about clock cycles. If you use working clock cycles, 0:07:26.720 --> 0:07:29.640 they have a certain number of clock cycles per second. Well, 0:07:29.920 --> 0:07:33.640 something has to assign those cycles to the various applications 0:07:33.640 --> 0:07:36.920 that are running on that machine. That's the colonel's job. 0:07:38.000 --> 0:07:39.720 And colonel, by the way, we're spelling it k E 0:07:40.040 --> 0:07:42.640 R in E L. We're not talking about Mr Sanders. 0:07:43.080 --> 0:07:45.480 So you know it's gonna say, you know, if the 0:07:45.520 --> 0:07:47.360 colonel does a good enough job ed it, it could 0:07:47.480 --> 0:07:52.080 it could receive our promotion. Yeah. And if otherwise, it's 0:07:52.160 --> 0:07:54.800 just fingerlicking good yes. But then if you then you 0:07:54.920 --> 0:07:57.040 end up with the possibility of a general fault in 0:07:57.080 --> 0:08:01.560 which case and then that's a major disaster. But I 0:08:01.600 --> 0:08:08.400 think that's better to kept private. Uh ouch. So anyway, 0:08:08.400 --> 0:08:12.520 we're gonna leave behind the horrible military puns military computing puns, 0:08:12.520 --> 0:08:17.280 which is anyway, So you've got the process management, where 0:08:17.280 --> 0:08:21.160 the kernel is deciding which which processes are getting, how 0:08:21.240 --> 0:08:24.600 many clock cycles per second? Um. Then you also have 0:08:24.640 --> 0:08:28.720 things like file access. The kernels in charge of ultimately 0:08:29.040 --> 0:08:35.239 how how programs access files and how the files are organized, 0:08:35.520 --> 0:08:38.280 and it has to provide sort of a consistent logical 0:08:38.360 --> 0:08:42.239 interface for file systems. It's also in charge of security 0:08:42.280 --> 0:08:45.040 to some point. It's it's in charge of administering permission 0:08:45.040 --> 0:08:49.160 between the processes and memory allocation, so it's also in 0:08:49.240 --> 0:08:53.200 charge of memory UM. With these elements, if you fiddle 0:08:53.320 --> 0:08:56.640 with these elements at all, then you can create an 0:08:56.720 --> 0:09:01.439 environment where you can run secret process is and it 0:09:01.520 --> 0:09:04.720 doesn't appear to the user at all. Yeah, I think 0:09:05.040 --> 0:09:07.520 I think it would be safe to say, I mean, 0:09:07.520 --> 0:09:09.600 based on my understanding of this, that we're talking about 0:09:09.640 --> 0:09:14.080 stuff that's sort of in between the operating system, almost 0:09:14.320 --> 0:09:17.240 like the layer the operating system that you see and 0:09:17.280 --> 0:09:20.400 the computer itself. So it's it's basically buried under anything 0:09:20.400 --> 0:09:22.760 that you're going to be able to to see visually. 0:09:22.760 --> 0:09:24.120 You can't go in there and go, wait a minute, 0:09:24.160 --> 0:09:27.880 what's that program? UM, which may be talking about a 0:09:27.880 --> 0:09:30.800 deeper level than that. Yeah, Now, I mean I was 0:09:30.840 --> 0:09:33.720 reading up on it at a Computer World and Paul 0:09:33.800 --> 0:09:37.600 Roberts said that for early root kits, what you would 0:09:37.600 --> 0:09:39.560 be able to do is look at the way the 0:09:39.600 --> 0:09:44.240 computer is using memory, UM, whether there are any communications 0:09:44.280 --> 0:09:49.000 going on back and forth between the computer and a 0:09:49.080 --> 0:09:53.480 network of you know whatever kind UM. Basically those are 0:09:53.559 --> 0:09:55.960 clues to tell you that something is going on. If 0:09:56.000 --> 0:09:58.960 you can't attribute those processes to something that is already 0:09:59.000 --> 0:10:02.880 running on that machine, there may be a root kit installed. 0:10:02.960 --> 0:10:07.320 And that's one way that for earlier root kits, um 0:10:07.400 --> 0:10:10.400 you would be able to tell that something strange was 0:10:10.440 --> 0:10:13.280 going on. Right, Yeah, These these levels of root kits 0:10:13.280 --> 0:10:16.520 we would probably call user level. Yeah, so your user 0:10:16.600 --> 0:10:19.480 level root kit is existing on top of the operating system. 0:10:19.480 --> 0:10:23.640 It's actually kind of running like an additional application, right Like, 0:10:23.720 --> 0:10:26.559 So it's so you might be running maybe three applications 0:10:26.559 --> 0:10:29.800 on your computer, and this would be a fourth mysterious application, 0:10:30.360 --> 0:10:32.880 um where if you if you were careful enough and 0:10:32.880 --> 0:10:34.960 looked around, you would be able to see evidence of 0:10:35.000 --> 0:10:37.760 it running, and therefore you would know that possibly something 0:10:37.840 --> 0:10:42.600 was wrong. So user level user um level root kits 0:10:42.640 --> 0:10:47.760 are not the most um secure for the hacker. Right now, 0:10:47.880 --> 0:10:50.000 there's a chance the hacker will be found out, or 0:10:50.040 --> 0:10:52.360 at least the hackers work will be found out. Right, 0:10:52.400 --> 0:10:54.920 and of course he or she whomever it was that 0:10:54.920 --> 0:10:58.080 that put it in place, you know, the point is 0:10:58.120 --> 0:11:00.480 to keep it on there as long as possible. So 0:11:00.480 --> 0:11:03.400 they got more ingenious with ways to find to hide 0:11:03.400 --> 0:11:07.080 it machine. And and then we're getting into kernel level 0:11:07.440 --> 0:11:09.760 root kits, and these are the nasty ones. This is 0:11:09.800 --> 0:11:12.800 insidious stuff here, because you're talking about messing with the 0:11:12.920 --> 0:11:15.960 very core of the computer. And it's kind of like 0:11:16.320 --> 0:11:19.360 if you could imagine someone being able to invade your 0:11:19.400 --> 0:11:21.679 mind and change your way of thinking in such a 0:11:21.720 --> 0:11:24.000 way that you couldn't tell that there was someone messing 0:11:24.040 --> 0:11:26.199 with you. I mean, it's it's it's that kind of 0:11:26.320 --> 0:11:31.400 level of of sneakiness. Yeah. Roberts's article said that the 0:11:31.440 --> 0:11:36.040 more modern kernel level root kits can basically go in 0:11:36.080 --> 0:11:41.080 and erase their tracks. They shut down any sign of 0:11:41.760 --> 0:11:43.640 whatever it is that they're doing in there. They can 0:11:43.760 --> 0:11:48.080 encrypt communication between the computer and the network so that 0:11:48.920 --> 0:11:50.679 even if you could tell what's going on, you couldn't. 0:11:50.720 --> 0:11:53.240 You can't tell what's going on, right, Yeah, it'll it'll 0:11:53.240 --> 0:11:56.319 do stuff like essentially, it'll it'll fiddle with the memory 0:11:56.440 --> 0:11:59.000 so that it looks like it's not using any memory. 0:11:59.000 --> 0:12:03.800 It'll fiddle with um the kernel's ability to manage processes 0:12:03.800 --> 0:12:06.440 so it looks like there are no additional processes running. 0:12:06.840 --> 0:12:10.000 It's when you're again, when you have access to that 0:12:10.160 --> 0:12:13.440 level of the operating system, you can really manipulate it. 0:12:13.480 --> 0:12:16.240 In such a way that no one can tell that 0:12:16.440 --> 0:12:19.320 that there's something hinky going on, and and that encryption 0:12:19.400 --> 0:12:22.200 is a really tricky part two, because there are files 0:12:22.240 --> 0:12:24.640 associated with these root kits. I mean, the way this 0:12:24.679 --> 0:12:26.640 works is the hacker first has to get access to 0:12:26.720 --> 0:12:29.319 your machine, right and either they're going to do that 0:12:29.440 --> 0:12:33.559 by using social engineering and fulling you into into revealing 0:12:33.559 --> 0:12:36.079 your password, or they're going to the hacket. They're going 0:12:36.160 --> 0:12:38.800 to brute force it where they just guess it the 0:12:38.800 --> 0:12:41.520 password until it works. Once they have access to your 0:12:41.520 --> 0:12:44.440 machine and they install these files, they have to have 0:12:44.480 --> 0:12:46.320 it disguised in such a way so that you you 0:12:46.400 --> 0:12:49.800 don't just uncover it immediately and say, oh, well, here's 0:12:49.800 --> 0:12:51.720 the problem. There these files on my machine that don't 0:12:51.760 --> 0:12:55.040 belong here. By encrypting it, they've they've given it kind 0:12:55.040 --> 0:12:58.600 of a disguise. And they've also been known to layer 0:12:58.880 --> 0:13:04.199 traffic on traffic from another legitimate program going through an 0:13:04.200 --> 0:13:07.199 open port that is available for that program to access. 0:13:07.240 --> 0:13:11.679 So basically any communication is hidden along with sort of 0:13:11.720 --> 0:13:14.560 like putting something in the prison mail and in the 0:13:14.760 --> 0:13:18.400 laundry to smuggle it outside. It's it's hiding it in 0:13:18.559 --> 0:13:21.640 something else that's legitimately supposed to be there, and that 0:13:21.760 --> 0:13:25.000 makes it extremely hard to detect. Yeah, and you may 0:13:25.040 --> 0:13:28.319 wonder like, well, how how can you get kernel access 0:13:28.440 --> 0:13:32.160 to you know? But one of the ways is UM 0:13:32.400 --> 0:13:37.240 using device drivers. Device drivers, Yes, because these device drivers, 0:13:37.280 --> 0:13:39.959 these are the this is what allows again your computer 0:13:40.040 --> 0:13:42.079 to interact with devices that you hooked up to it. 0:13:42.160 --> 0:13:46.160 So like a printer driver for example, UM, you can 0:13:46.280 --> 0:13:49.559 you can infect a or you can create a device 0:13:49.640 --> 0:13:52.360 driver that is actually a root kit. And by the 0:13:52.480 --> 0:13:55.280 very nature of the drivers, they have to have access 0:13:55.320 --> 0:13:57.960 to the kernel in order for them to work. So 0:13:58.120 --> 0:14:00.760 your computer just says, oh, well, this is a legitimate, 0:14:01.280 --> 0:14:03.960 you know, piece of code here that I need to incorporate, 0:14:04.480 --> 0:14:08.240 and in reality, it's this root kit that's hiding the 0:14:08.280 --> 0:14:12.400 activity of the hacker. UM, we haven't really I'm sorry 0:14:12.480 --> 0:14:13.839 you were about to say something to go ahead, but 0:14:14.400 --> 0:14:16.960 we haven't really talked about why anyone would install a 0:14:17.040 --> 0:14:20.400 root kit. UM. There are a lot of different reasons 0:14:20.400 --> 0:14:22.360 that hackers might want to do it. One is if 0:14:22.400 --> 0:14:26.600 a hacker is is essentially a spam farm. If a 0:14:26.640 --> 0:14:31.680 hacker is making money by sending spam out to various recipients, 0:14:32.680 --> 0:14:34.880 they they don't want to send spam out from their 0:14:34.880 --> 0:14:37.360 own machine because if you do that, then you can 0:14:37.400 --> 0:14:40.880 be tracked down and caught. Now, we talked about and 0:14:40.920 --> 0:14:43.040 there's another reason to we We talked about this on 0:14:43.080 --> 0:14:48.520 a on a podcast a long time ago. UM distributed computing. 0:14:49.320 --> 0:14:54.520 The the using distributing computing to spread out processors are 0:14:54.560 --> 0:14:58.360 spread out a task among multiple processors. Now there's only 0:14:58.400 --> 0:15:03.080 so much one computer could do. Now the hacker could 0:15:03.920 --> 0:15:07.600 buy a lot of computers and have them all send 0:15:07.640 --> 0:15:11.120 out spam, or they could write a piece of software 0:15:11.360 --> 0:15:15.240 that other people could put on their computers, either willingly 0:15:15.360 --> 0:15:19.320 or if you can manage it unwillingly very sneakily. Um. 0:15:19.520 --> 0:15:21.960 And uh, you know, have all these people do it 0:15:22.000 --> 0:15:26.760 for you. Um. And that's that's the tricky part. But 0:15:26.840 --> 0:15:28.640 that's that's one of the reasons why they would do it, 0:15:28.720 --> 0:15:31.640 is to spread out that work over multiple computers without 0:15:31.720 --> 0:15:34.280 having to work over the money for lots of computers. 0:15:34.280 --> 0:15:36.480 It also makes you more detectable if all the traffic 0:15:36.560 --> 0:15:39.640 is coming from you. Yeah, so uh yeah, you can 0:15:39.800 --> 0:15:42.400 create an exploit to give you the access to the computer. 0:15:42.480 --> 0:15:44.880 And that exploit is is the that's that's kind of 0:15:44.880 --> 0:15:48.520 like kicking the door in the root kit part is like, uh, 0:15:48.680 --> 0:15:50.480 setting it all up so it looks like the door 0:15:50.560 --> 0:15:53.800 was never kicked in. You've erased you know, you've removed 0:15:53.840 --> 0:15:56.760 all your fingerprints, but you're still hiding in the house. Um. 0:15:56.800 --> 0:15:59.160 It also allows you to do things like spy on 0:15:59.360 --> 0:16:02.600 the person machine or all the traffic that goes through 0:16:02.640 --> 0:16:04.680 that machine. If it's the case of like a web server, 0:16:05.040 --> 0:16:07.080 that's true, they could be they could be looking at 0:16:07.120 --> 0:16:09.760 your passwords, they could be recording your key strokes. They 0:16:09.760 --> 0:16:11.760 could be packett sniffing to find out what kind of 0:16:11.840 --> 0:16:16.280 data you are sending across networks. Yeah, so that's of 0:16:16.280 --> 0:16:20.200 course a very dangerous thing if it's uh, if it's 0:16:20.320 --> 0:16:23.240 a machine that's in charge of passing along secure data, 0:16:23.800 --> 0:16:26.400 like you know, any kind of government machine or even 0:16:26.440 --> 0:16:28.800 a corporate machine, even personal machines. Really, I mean, when 0:16:28.800 --> 0:16:31.280 you get down to it, you don't want some unknown 0:16:31.320 --> 0:16:36.360 party to have access to all your information. Now should 0:16:36.400 --> 0:16:39.840 we should we mention a particular root kit? Are you 0:16:39.840 --> 0:16:43.680 thinking stucks net? I wasn't thinking stucks net, But actually 0:16:43.720 --> 0:16:46.280 I didn't know that stucks net was a root kit. 0:16:46.400 --> 0:16:49.200 I heard it referred to as something else. There's a 0:16:49.280 --> 0:16:51.680 root kit element to it, but refer to yours and 0:16:51.680 --> 0:16:54.280 then I'll talk about stucks net UM. Okay, Well, the 0:16:54.280 --> 0:16:57.480 one I was going to talk about is x cp UM. 0:16:57.720 --> 0:16:59.840 This is something that actually I think this is the 0:16:59.840 --> 0:17:02.560 one that we were referring to before. It's the one 0:17:02.600 --> 0:17:08.199 that security expert Mark Rassinovich of sis Internals found. He 0:17:08.240 --> 0:17:13.119 had popped to Sony Music CD into his computer and uh, 0:17:13.680 --> 0:17:17.119 now the memories coming back, yes, and it had a 0:17:17.119 --> 0:17:21.679 piece of copy protection. Again, you know, this is not 0:17:21.800 --> 0:17:25.520 something where Sony was trying to hack on into people's computers. 0:17:25.560 --> 0:17:29.080 But uh, that's effectively what they did. Do you know, 0:17:29.200 --> 0:17:31.399 it wasn't their intent. Yeah, they weren't trying to do 0:17:31.440 --> 0:17:35.520 anything nefarious, unless you consider protecting their intellectual what they 0:17:35.520 --> 0:17:40.000 considered their intellectual property, as nefarious, and some people do. UM. 0:17:40.040 --> 0:17:43.480 But uh, basically what he discovered, you know, being a 0:17:43.520 --> 0:17:45.399 security expert, he knew what he was looking for in 0:17:45.480 --> 0:17:48.160 terms of this. He discovered this root kit had been 0:17:48.160 --> 0:17:51.800 installed by a music CD. Now, there were dozens of 0:17:52.119 --> 0:17:57.080 CDs that Sony released with this UM, including Celine, Dion, Disks, 0:17:57.200 --> 0:18:01.639 Neil Diamond, Um, all kinds of other people. Uh, you 0:18:01.760 --> 0:18:05.600 just described half my music collection. Ricky Martin, there's the 0:18:05.600 --> 0:18:08.080 other I was looking for for great big names, but 0:18:08.320 --> 0:18:12.840 labels like Epic Columbia, UM, Epic Legacy, Columbia Legacy, and 0:18:12.880 --> 0:18:14.520 there were there were lots more. I just got that 0:18:14.560 --> 0:18:18.240 list actually from from the e f F, the Electronic 0:18:18.280 --> 0:18:23.800 Frontier Foundation. Yes, that's only a partial list. Um, so yeah, 0:18:23.840 --> 0:18:26.119 I mean they had basically there there there were tailtell 0:18:26.160 --> 0:18:28.800 signs in the outside packaging it says, uh, this is 0:18:28.840 --> 0:18:32.600 compatible with these different computers. Um, you know, why would 0:18:32.640 --> 0:18:34.840 a music CD need to have that on there? Well, 0:18:34.880 --> 0:18:38.320 it turns out the root kit is compatible with that. Now, 0:18:38.359 --> 0:18:41.040 if you play this on a Mac running Mac os ten, 0:18:41.800 --> 0:18:44.120 you can see the root kit file. But the root 0:18:44.200 --> 0:18:46.520 kit file does not work on a Mac. It's it's 0:18:46.640 --> 0:18:49.400 engineering for Windows PCs. That's a good point. Yeah. Root 0:18:49.480 --> 0:18:52.600 kits tend to work with specific uperating systems or specific 0:18:52.720 --> 0:18:56.280 families of operating systems. When you hear about Windows, root 0:18:56.359 --> 0:18:59.679 kits usually will only work on certain like you know, 0:18:59.800 --> 0:19:04.400 like Windows XP and a few other versions of Windows. 0:19:04.400 --> 0:19:05.879 But it won't work on all of them because not 0:19:05.920 --> 0:19:08.600 all of them are based on that same uh, that 0:19:08.720 --> 0:19:12.920 same code. Yeah, but In this case, Sony was basically 0:19:12.920 --> 0:19:16.520 trying to get access to the user's computer to protect 0:19:16.840 --> 0:19:20.280 the copies from being made of the music. Now it 0:19:20.320 --> 0:19:24.119 could actually sniff what stuff like what sites you visited 0:19:24.200 --> 0:19:26.600 and how you and what kind of files you were sending. 0:19:26.640 --> 0:19:29.320 So if you were theoretically trying to share the music 0:19:29.359 --> 0:19:32.600 across the network, it could detect that people had a 0:19:32.600 --> 0:19:34.840 problem with this. Yes, lots of people had a big 0:19:34.840 --> 0:19:37.640 problem with this, and corporate sponsored group kids are not 0:19:37.680 --> 0:19:42.159 good Sony. Uh, I think was was pretty embarrassed by 0:19:42.160 --> 0:19:46.320 the whole thing. They eventually, uh you know, discontinued this practice. 0:19:46.680 --> 0:19:49.439 They did apologize for it as well. Yeah, yeah, it was. 0:19:49.560 --> 0:19:52.280 It was a pretty uh, pretty serious deal there for 0:19:52.320 --> 0:19:55.600 a little while, and I think it's safe to say that, 0:19:56.320 --> 0:20:02.320 you know, people were weary of doing things that way. Now, Um, 0:20:02.760 --> 0:20:04.560 I totally lost my train of thought. Well, I can 0:20:04.560 --> 0:20:06.560 pick it up with stuck snet if you like. Yeah, 0:20:06.600 --> 0:20:08.520 I mean it's it's but it's just seems to me 0:20:08.640 --> 0:20:11.040 kind of heavy handed that they would have gone to 0:20:11.160 --> 0:20:13.960 that much trouble to to do to install that level 0:20:14.000 --> 0:20:16.439 it was. It was definitely going above and beyond the 0:20:16.440 --> 0:20:21.760 call of duty to protect your music. Yeah, so stucks 0:20:21.800 --> 0:20:24.320 net is this, Uh. I remember what I was gonna say, 0:20:24.680 --> 0:20:26.520 Go ahead, Oh if you wanted to do If you 0:20:26.560 --> 0:20:28.760 wanted to do this, to disable the root kid, all 0:20:28.760 --> 0:20:30.679 you had to do was turn off auto run, but 0:20:30.720 --> 0:20:33.560 then the CD would not play in your computer. So 0:20:33.600 --> 0:20:36.520 what you ended up having to do was to basically 0:20:36.600 --> 0:20:39.520 to rip the CD and listen to it that way 0:20:39.600 --> 0:20:41.760 to avoid having the root kit installed. That was the 0:20:41.760 --> 0:20:45.120 part of strip the music from the CD. Well you're not. 0:20:45.240 --> 0:20:47.159 That's music still on the CD, but you had to 0:20:47.160 --> 0:20:49.000 copy it essentially onto your computer to be able to 0:20:49.000 --> 0:20:52.439 listen to it, which is probably exactly what they were 0:20:52.440 --> 0:20:54.600 trying to prevent you from me the first place. So 0:20:54.800 --> 0:20:56.720 not only did they not prevent people from doing it, 0:20:56.760 --> 0:21:00.240 but they also infected all these computers with various of 0:21:00.240 --> 0:21:04.560 a root kit fantastic stuck yes, which I can finally 0:21:04.560 --> 0:21:07.520 talk about this um now, stucks net is a pretty 0:21:07.640 --> 0:21:11.800 nasty uh thing that's going around, a malware that's going around. 0:21:12.080 --> 0:21:14.080 This is pretty current as if when we're recording this, 0:21:14.200 --> 0:21:16.040 it it just sort of popped out in the I 0:21:16.040 --> 0:21:21.160 would say fall and it Uh. It targets Windows systems 0:21:21.200 --> 0:21:25.399 and it's looking for industrial control systems and not just 0:21:25.480 --> 0:21:30.520 any industrial control systems. Yeah, they there's a lot of 0:21:30.520 --> 0:21:33.159 people refer to them as scatter systems s C A, 0:21:33.240 --> 0:21:37.360 d A. Which really that's not that's not entirely accurate, 0:21:37.480 --> 0:21:40.720 but it's fair enough to call it that. It's we're 0:21:40.720 --> 0:21:45.080 talking about program programmable logic controllers UM that are those 0:21:45.119 --> 0:21:49.720 are like a computers essentially that can be programmed from 0:21:49.760 --> 0:21:55.120 a Windows system and they are running industrial processes. So 0:21:55.440 --> 0:21:57.800 this is the sort of stuff you might find in 0:21:58.080 --> 0:22:02.240 a plant or a factory or like a massive utility 0:22:02.440 --> 0:22:06.160 might have these kind of machines in them. Yes, so 0:22:06.280 --> 0:22:08.400 you might think, well, why would you want to infect these? Well, 0:22:08.640 --> 0:22:11.720 theoretically you could infect them and then cause the machinery 0:22:11.800 --> 0:22:13.600 to behave in such a way that it would destroy 0:22:13.640 --> 0:22:17.840 itself or it cause damage to UH an entire area. 0:22:18.000 --> 0:22:21.080 You could you know, shut off region's water supply, bring 0:22:21.160 --> 0:22:25.240 down a power grid. You could cause you could theoretically, 0:22:25.320 --> 0:22:28.200 if you set machines to a particular setting, you could 0:22:28.200 --> 0:22:33.480 cause um, a factory to catch fire or a nuclear 0:22:33.520 --> 0:22:36.399 power plant to you know that could you could have 0:22:36.440 --> 0:22:39.800 a little meltdown, you could, um, you could turn off 0:22:39.960 --> 0:22:45.000