[FDE] Data protection strategies, FDE and file/folder
Allen
netsecurity at sound-by-design.com
Sat Jul 21 04:33:54 MDT 2007
Curt Wilson wrote:
[snip]
> Sure, you can load some things without being admin. However, from what I
> understand most malware in the wild still assumes admin.
[snip]
> I don't imagine it will be that way long though.
[snip]
> I guess there is no good way around this....
The question I have for you is: How do we know how the bleeding
edge of malware is constructed?
The reason I posit this question is because it seems to me that
awareness of malware in the wild only occurs when it is either
badly constructed and it gives itself away, like the Morris worm,
or it actually causes detected harm of some sort that we actually
attribute to the correct cause.
To give an example, I'll use one from medicine. How many years
and how many quack "cures" was it from the first thought that
ulcers could be bacterially induced until it was an accepted
fact? The first hint was published by a family doctor in JAMA in
1954 and ignored for 40+ years. Finally in 1998 researchers
proved that Helicobacter pylori was the root cause of 80+% of all
ulcers. *Then* somebody noticed the original research.
How much effort and wasted money could have been saved if the
first real clue, which was merely a suggestion that it merited
further investigation, had been followed up on?
I think we are in the same position with regard to malware. So my
view is that just because we have only seen malware with a given
assumption does not mean that malware based on alternative
assumptions does not exist. It may be that we do not have the
proper view or diagnostic tools to hand to see it.
You are correct that the conversation might be drifting away from
FDE, but I don't see that as bad in this case. It is much like
the problems I run into all the time where the positive business
case is the only one presented. Then everyone is surprised when
it is discovered that the solution fails because corner cases
were not thought about in order to choose or create the correct
solution.
My sense is that FDE needs to be looked at from all the various
vectors, even imaginary ones, where it might be compromised and
see if it can be constructed in such a way as to meet the
mentally constructed possible threat vectors. If we don't
analyze all the potential threats and see how to overcome them we
*will* be caught between a rock and a hard place sooner or later.
But then, I have been *known* to be *wrong* on occasion.
Best,
Allen