<!DOCTYPE html>
<html lang="en"><head>
<script src="quarto_files/clipboard/clipboard.min.js"></script>
<script src="quarto_files/quarto-html/tabby.min.js"></script>
<script src="quarto_files/quarto-html/popper.min.js"></script>
<script src="quarto_files/quarto-html/tippy.umd.min.js"></script>
<link href="quarto_files/quarto-html/tippy.css" rel="stylesheet">
<link href="quarto_files/quarto-html/light-border.css" rel="stylesheet">
<link href="quarto_files/quarto-html/quarto-html.min.css" rel="stylesheet" data-mode="light">
<link href="quarto_files/quarto-html/quarto-syntax-highlighting-dark.css" rel="stylesheet" id="quarto-text-highlighting-styles"><meta charset="utf-8">
<meta name="generator" content="quarto-1.5.56">
<title>Rootkits</title>
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui">
<link rel="stylesheet" href="quarto_files/revealjs/dist/reset.css">
<link rel="stylesheet" href="quarto_files/revealjs/dist/reveal.css">
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
div.columns{display: flex; gap: min(4vw, 1.5em);}
div.column{flex: auto; overflow-x: auto;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
ul.task-list li input[type="checkbox"] {
width: 0.8em;
margin: 0 0.8em 0.2em -1em; /* quarto-specific, see https://github.com/quarto-dev/quarto-cli/issues/4556 */
vertical-align: middle;
}
</style>
<link rel="stylesheet" href="quarto_files/revealjs/dist/theme/quarto.css">
<link rel="stylesheet" href="ics.css">
<link href="quarto_files/revealjs/plugin/quarto-line-highlight/line-highlight.css" rel="stylesheet">
<link href="quarto_files/revealjs/plugin/reveal-menu/menu.css" rel="stylesheet">
<link href="quarto_files/revealjs/plugin/reveal-menu/quarto-menu.css" rel="stylesheet">
<link href="quarto_files/revealjs/plugin/reveal-chalkboard/font-awesome/css/all.css" rel="stylesheet">
<link href="quarto_files/revealjs/plugin/reveal-chalkboard/style.css" rel="stylesheet">
<link href="quarto_files/revealjs/plugin/quarto-support/footer.css" rel="stylesheet">
<style type="text/css">
.callout {
margin-top: 1em;
margin-bottom: 1em;
border-radius: .25rem;
}
.callout.callout-style-simple {
padding: 0em 0.5em;
border-left: solid #acacac .3rem;
border-right: solid 1px silver;
border-top: solid 1px silver;
border-bottom: solid 1px silver;
display: flex;
}
.callout.callout-style-default {
border-left: solid #acacac .3rem;
border-right: solid 1px silver;
border-top: solid 1px silver;
border-bottom: solid 1px silver;
}
.callout .callout-body-container {
flex-grow: 1;
}
.callout.callout-style-simple .callout-body {
font-size: 1rem;
font-weight: 400;
}
.callout.callout-style-default .callout-body {
font-size: 0.9rem;
font-weight: 400;
}
.callout.callout-titled.callout-style-simple .callout-body {
margin-top: 0.2em;
}
.callout:not(.callout-titled) .callout-body {
display: flex;
}
.callout:not(.no-icon).callout-titled.callout-style-simple .callout-content {
padding-left: 1.6em;
}
.callout.callout-titled .callout-header {
padding-top: 0.2em;
margin-bottom: -0.2em;
}
.callout.callout-titled .callout-title p {
margin-top: 0.5em;
margin-bottom: 0.5em;
}
.callout.callout-titled.callout-style-simple .callout-content p {
margin-top: 0;
}
.callout.callout-titled.callout-style-default .callout-content p {
margin-top: 0.7em;
}
.callout.callout-style-simple div.callout-title {
border-bottom: none;
font-size: .9rem;
font-weight: 600;
opacity: 75%;
}
.callout.callout-style-default div.callout-title {
border-bottom: none;
font-weight: 600;
opacity: 85%;
font-size: 0.9rem;
padding-left: 0.5em;
padding-right: 0.5em;
}
.callout.callout-style-default div.callout-content {
padding-left: 0.5em;
padding-right: 0.5em;
}
.callout.callout-style-simple .callout-icon::before {
height: 1rem;
width: 1rem;
display: inline-block;
content: "";
background-repeat: no-repeat;
background-size: 1rem 1rem;
}
.callout.callout-style-default .callout-icon::before {
height: 0.9rem;
width: 0.9rem;
display: inline-block;
content: "";
background-repeat: no-repeat;
background-size: 0.9rem 0.9rem;
}
.callout-title {
display: flex
}
.callout-icon::before {
margin-top: 1rem;
padding-right: .5rem;
}
.callout.no-icon::before {
display: none !important;
}
.callout.callout-titled .callout-body > .callout-content > :last-child {
padding-bottom: 0.5rem;
margin-bottom: 0;
}
.callout.callout-titled .callout-icon::before {
margin-top: .5rem;
padding-right: .5rem;
}
.callout:not(.callout-titled) .callout-icon::before {
margin-top: 1rem;
padding-right: .5rem;
}
/* Callout Types */
div.callout-note {
border-left-color: #4582ec !important;
}
div.callout-note .callout-icon::before {
background-image: url('data:image/png;base64,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');
}
div.callout-note.callout-style-default .callout-title {
background-color: #dae6fb
}
div.callout-important {
border-left-color: #d9534f !important;
}
div.callout-important .callout-icon::before {
background-image: url('data:image/png;base64,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');
}
div.callout-important.callout-style-default .callout-title {
background-color: #f7dddc
}
div.callout-warning {
border-left-color: #f0ad4e !important;
}
div.callout-warning .callout-icon::before {
background-image: url('data:image/png;base64,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');
}
div.callout-warning.callout-style-default .callout-title {
background-color: #fcefdc
}
div.callout-tip {
border-left-color: #02b875 !important;
}
div.callout-tip .callout-icon::before {
background-image: url('data:image/png;base64,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');
}
div.callout-tip.callout-style-default .callout-title {
background-color: #ccf1e3
}
div.callout-caution {
border-left-color: #fd7e14 !important;
}
div.callout-caution .callout-icon::before {
background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAIKADAAQAAAABAAAAIAAAAACshmLzAAACV0lEQVRYCdVWzWoUQRCuqp2ICBLJXgITZL1EfQDBW/bkzUMUD7klD+ATSHBEfAIfQO+iXsWDxJsHL96EHAwhgzlkg8nBg25XWb0zIb0zs9muYYWkoKeru+vn664fBqElyZNuyh167NXJ8Ut8McjbmEraKHkd7uAnAFku+VWdb3reSmRV8PKSLfZ0Gjn3a6Xlcq9YGb6tADjn+lUfTXtVmaZ1KwBIvFI11rRXlWlatwIAAv2asaa9mlB9wwygiDX26qaw1yYPzFXg2N1GgG0FMF8Oj+VIx7E/03lHx8UhvYyNZLN7BwSPgekXXLribw7w5/c8EF+DBK5idvDVYtEEwMeYefjjLAdEyQ3M9nfOkgnPTEkYU+sxMq0BxNR6jExrAI31H1rzvLEfRIdgcv1XEdj6QTQAS2wtstEALLG1yEZ3QhH6oDX7ExBSFEkFINXH98NTrme5IOaaA7kIfiu2L8A3qhH9zRbukdCqdsA98TdElyeMe5BI8Rs2xHRIsoTSSVFfCFCWGPn9XHb4cdobRIWABNf0add9jakDjQJpJ1bTXOJXnnRXHRf+dNL1ZV1MBRCXhMbaHqGI1JkKIL7+i8uffuP6wVQAzO7+qVEbF6NbS0LJureYcWXUUhH66nLR5rYmva+2tjRFtojkM2aD76HEGAD3tPtKM309FJg5j/K682ywcWJ3PASCcycH/22u+Bh7Aa0ehM2Fu4z0SAE81HF9RkB21c5bEn4Dzw+/qNOyXr3DCTQDMBOdhi4nAgiFDGCinIa2owCEChUwD8qzd03PG+qdW/4fDzjUMcE1ZpIAAAAASUVORK5CYII=');
}
div.callout-caution.callout-style-default .callout-title {
background-color: #ffe5d0
}
</style>
<style type="text/css">
.reveal div.sourceCode {
margin: 0;
overflow: auto;
}
.reveal div.hanging-indent {
margin-left: 1em;
text-indent: -1em;
}
.reveal .slide:not(.center) {
height: 100%;
}
.reveal .slide.scrollable {
overflow-y: auto;
}
.reveal .footnotes {
height: 100%;
overflow-y: auto;
}
.reveal .slide .absolute {
position: absolute;
display: block;
}
.reveal .footnotes ol {
counter-reset: ol;
list-style-type: none;
margin-left: 0;
}
.reveal .footnotes ol li:before {
counter-increment: ol;
content: counter(ol) ". ";
}
.reveal .footnotes ol li > p:first-child {
display: inline-block;
}
.reveal .slide ul,
.reveal .slide ol {
margin-bottom: 0.5em;
}
.reveal .slide ul li,
.reveal .slide ol li {
margin-top: 0.4em;
margin-bottom: 0.2em;
}
.reveal .slide ul[role="tablist"] li {
margin-bottom: 0;
}
.reveal .slide ul li > *:first-child,
.reveal .slide ol li > *:first-child {
margin-block-start: 0;
}
.reveal .slide ul li > *:last-child,
.reveal .slide ol li > *:last-child {
margin-block-end: 0;
}
.reveal .slide .columns:nth-child(3) {
margin-block-start: 0.8em;
}
.reveal blockquote {
box-shadow: none;
}
.reveal .tippy-content>* {
margin-top: 0.2em;
margin-bottom: 0.7em;
}
.reveal .tippy-content>*:last-child {
margin-bottom: 0.2em;
}
.reveal .slide > img.stretch.quarto-figure-center,
.reveal .slide > img.r-stretch.quarto-figure-center {
display: block;
margin-left: auto;
margin-right: auto;
}
.reveal .slide > img.stretch.quarto-figure-left,
.reveal .slide > img.r-stretch.quarto-figure-left {
display: block;
margin-left: 0;
margin-right: auto;
}
.reveal .slide > img.stretch.quarto-figure-right,
.reveal .slide > img.r-stretch.quarto-figure-right {
display: block;
margin-left: auto;
margin-right: 0;
}
</style>
</head>
<body class="quarto-dark">
<div class="reveal">
<div class="slides">
<section id="title-slide" class="quarto-title-block center">
<h1 class="title">CS 3710</h1>
<h2 class="subtitle">Introduction to Cybersecurity</h2>
<p class="titlep"> </p>
<div class="titlesmall"><p>
<a href="http://www.cs.virginia.edu/~asb">Aaron Bloomfield</a> ([email protected])<br>
<a href="http://github.com/aaronbloomfield/ccc">@github</a> | <a href="index.html">↑</a> | <a href="?print-pdf"><img class="print" width="20" src="../slides/images/print-icon.svg" style="top:0px;vertical-align:middle;background-color:transparent"></a>
</p></div>
<p class="titlep"> </p>
<h2 class="subtitle">Rootkits</h2>
</section><section id="TOC">
<nav role="doc-toc">
<h2 id="toc-title">Contents</h2>
<ul>
<li><a href="#/rootkits" id="/toc-rootkits">Rootkits</a></li>
<li><a href="#/sony-fiasco-description" id="/toc-sony-fiasco-description">Sony Fiasco: description</a></li>
<li><a href="#/sony-fiasco-aftermath" id="/toc-sony-fiasco-aftermath">Sony Fiasco: aftermath</a></li>
</ul>
</nav>
</section>
<section>
<section id="rootkits" class="title-slide slide level1 center">
<h1>Rootkits</h1>
</section>
<section id="rootkits-and-the-sony-fiasco" class="slide level2">
<h2>Rootkits and the Sony Fiasco</h2>
<ul>
<li>A 2005 attempt by Sony/BMG Music to implement a copy protection scheme on audio CDs has generated interest in rootkits</li>
<li>We will study rootkits in general and then use the Sony debacle as a case study</li>
<li><a href="https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal">Wikipedia article</a></li>
</ul>
</section>
<section id="rootkits-1" class="slide level2">
<h2>Rootkits</h2>
<ul>
<li>A <em>rootkit</em> is an exploit that permits an attacker to execute commands with root privileges
<ul>
<li>i.e. as root on Linux or as Administrator on Windows</li>
<li>It does this <em>while hiding the activity to avoid detection</em> by system administrators</li>
</ul></li>
<li>To hide from a system administrator on a Unix system, the attacker would want to suppress displays of attacker processes, attacker files, attacker logins, etc.</li>
</ul>
</section>
<section id="rootkits-2" class="slide level2">
<h2>Rootkits</h2>
<ul>
<li>To do this, <em>several</em> utilities (e.g. ps, ls, users) would need to be replaced with versions that will hide files, logins, and processes
<ul>
<li>Hence, this is a <em>kit</em> (collection) of <em>Trojan Horse</em> utility programs</li>
<li>Not a virus; almost all rootkits do not try to replicate; their purpose is to control a single system</li>
</ul></li>
</ul>
</section>
<section id="rootkit-varieties" class="slide level2">
<h2>Rootkit Varieties</h2>
<ul>
<li>Because a rootkit can hide files and processes, there is great variety to rootkit attacks:
<ul>
<li>Hiding backdoors, keyloggers, spam, or DoS (denial-of-service) programs</li>
<li>Allowing zombie use of the computer</li>
<li>Hiding a program that copies chat sessions out, relaying private info back to the attacker</li>
</ul></li>
<li>All of these, and more, have occurred with rootkit attacks, e.g. the <a href="http://www.rootkit.com/board_project_fused.php?did=proj12">FU rootkit</a></li>
</ul>
</section>
<section id="kernel-level-rootkits" class="slide level2">
<h2>Kernel Level Rootkits</h2>
<ul>
<li>A kernel level rootkit adds to, or modifies, the OS kernel code to patch or hook system calls, so that the Trojan Horse version hides info about the attacker
<ul>
<li>Often done in Linux with a Loadable Kernel Module</li>
<li>Windows equivalent is usually a loadable device driver</li>
</ul></li>
</ul>
</section>
<section id="application-level-rootkits" class="slide level2">
<h2>Application Level Rootkits</h2>
<ul>
<li>Application level rootkits patch or replace a significant application with a Trojan Horse version
<ul>
<li>Easier than kernel level to do; also easier to detect</li>
</ul></li>
</ul>
</section>
<section id="detecting-rootkits" class="slide level2">
<h2>Detecting Rootkits</h2>
<ul>
<li>Major problem: The OS is not trustworthy during the scanning process, if there is a kernel mode rootkit present</li>
<li>Most reliable solution: Shut down the system and scan the hard drive from an external connection, with the installed (possibly compromised) OS not running</li>
<li>How often do users want to do this???
<ul>
<li>Need scanners similar to antivirus scanners</li>
</ul></li>
</ul>
</section>
<section id="stealth-detection" class="slide level2">
<h2>Stealth Detection</h2>
<ul>
<li>To bypass a (potentially) compromised OS, AV software will directly call the BIOS to access the disk and compare what it finds with what the OS reports</li>
<li>If the results differ, then the <em>stealth detector</em> raises the alarm and tries to find the malware</li>
</ul>
</section>
<section id="stealth-detection-continued" class="slide level2">
<h2>Stealth Detection continued</h2>
<ul>
<li>An existing stealth detector in an AV scanner can be modified to find a stealthy rootkit</li>
<li>The stealth detector lists directory contents, file sizes, etc., in system directories, using two means:
<ul>
<li>Normal OS calls</li>
<li>Direct BIOS calls</li>
</ul></li>
<li>If the two results differ, it is likely that a rootkit is on the system, hiding some files</li>
</ul>
</section>
<section id="rootkit-countermeasures" class="slide level2">
<h2>Rootkit Countermeasures</h2>
<ul>
<li>Simple rootkit counter-measure: when a rootkit detects a scanner’s presence, it stops hiding things
<ul>
<li>Scanner process names are well known and can be detected</li>
<li>If they stop hiding files, then the stealth detector does not sense anything wrong</li>
<li>When the stealth detector process ends, the rootkit starts hiding files again</li>
</ul></li>
</ul>
</section>
<section id="rootkit-countermeasures-1" class="slide level2">
<h2>Rootkit Countermeasures</h2>
<ul>
<li>Defeating the countermeasures:
<ul>
<li>An integrity database keeps a list of system directory files gathered at system installation
<ul>
<li>Then check BIOS and OS listings of the system directories against the DB to find new files</li>
</ul></li>
<li>Just before running, the stealth detector executable is renamed to a random name (e.g. gT54xZc7.exe) to evade detection by the rootkit
<ul>
<li>The rootkit will continue to operate, and the listings from the OS and BIOS will differ</li>
</ul></li>
</ul></li>
</ul>
</section>
<section id="removing-a-rootkit" class="slide level2">
<h2>Removing a Rootkit</h2>
<ul>
<li>The rootkit has replaced, patched, or hooked kernel code, interrupts, device drivers, and/or system services and their registry entries
<ul>
<li>System is unreliable, yet system operations are needed to remove files, etc.</li>
</ul></li>
<li>Extremely difficult to remove a rootkit without damaging the system
<ul>
<li>Hooked or patched service might be totally absent after removal</li>
</ul></li>
<li>Standard approach: Save valuable data files, then reformat the disk and reinstall the OS. Ouch!</li>
</ul>
</section>
<section id="removing-a-rootkit-continued" class="slide level2">
<h2>Removing a Rootkit continued</h2>
<ul>
<li>There are rootkit detectors that have their own file system drivers for NTFS, FAT32, FAT16, etc., and can perform disinfection without using the usual system calls
<ul>
<li>e.g. <a href="http://www.rootkitdetector.com/">RkDetector</a></li>
</ul></li>
<li>Integrity database identifies files to remove, and infected files that need to be restored to prevent re-infection</li>
</ul>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
</section></section>
<section>
<section id="sony-fiasco-description" class="title-slide slide level1 center">
<h1>Sony Fiasco: description</h1>
</section>
<section id="the-sony-cd-fiasco-of-2005" class="slide level2">
<h2>The Sony CD Fiasco of 2005</h2>
<ul>
<li>In late October 2005, Mark Russinovich (operator of the SysInternals blog) tested the latest version of RootkitRevealer (RKR)
<ul>
<li>Russinovich practiced very safe computing, and even wrote an article on detecting rootkits for the June, 2005, edition of Windows IT Pro</li>
</ul></li>
<li>Much to his surprise, RKR revealed a large number of hidden system files on his PC, an obvious symptom of a rootkit infection <!-- - His [blog entry](http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx) --></li>
<li>His <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442">blog entry</a></li>
</ul>
</section>
<section id="what-rkr-revealed" class="slide level2">
<h2>What RKR revealed</h2>
<p>(from Mark Russinovich’s <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442">blog entry</a>)</p>
<div style="zoom:125%">
<p><img data-src="images/rootkits/120874iADC4E49896E0D0DA.webp" alt="RootkitRevealer output listing hidden files whose names start with $sys$"></p>
</div>
<p>Note that these files were hidden (last column) and many started with <code>$sys$</code></p>
</section>
<section id="sony-cd-fiasco-continued" class="slide level2">
<h2>Sony CD Fiasco continued</h2>
<ul>
<li>To confirm that he had detected a rootkit, Russinovich analyzed the system with his own tool, LiveKd (Live Kernel Debugger)</li>
<li>LiveKd detected that the system services table (a table of function pointers) had function pointers patched into it that were obviously not in the address range of the kernel
<ul>
<li>See 2nd screen shot in his <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442">blog entry</a> (next slide)</li>
</ul></li>
<li>Disassembling one of these functions showed it was from the aries.sys device driver, which was one of the hidden files detected by RKR</li>
</ul>
</section>
<section id="what-rkr-revealed-1" class="slide level2">
<h2>What RKR revealed</h2>
<p>(from Mark Russinovich’s <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442">blog entry</a>)</p>
<div style="zoom:150%">
<p><img data-src="images/rootkits/120875i356D5B86892D50CA.webp" alt="LiveKd dump of the system services table with the patched function pointers circled"></p>
</div>
<p>The circled function pointers are clearly different than the others</p>
</section>
<section id="sony-cd-fiasco-continued-1" class="slide level2">
<h2>Sony CD Fiasco continued</h2>
<ul>
<li>While the directory was hidden, once he knew of its existence from RKR, he could open a command prompt window and change directory (CD command) directly into it</li>
<li>Sure enough, there were the rootkit device drivers and other files:</li>
</ul>
<div style="zoom:150%">
<p><img data-src="images/rootkits/120877iF162AA11C8819F51.webp" alt="Command prompt listing of the hidden directory showing the rootkit device drivers and other files"></p>
</div>
</section>
<section id="sony-cd-fiasco-continued-2" class="slide level2">
<h2>Sony CD Fiasco continued</h2>
<ul>
<li>Using IDA Pro to disassemble the entire driver, Russinovich discovered that it hooked enough system services to hide “every file, directory, Registry key or process whose name begins with <code>$sys$</code>”</li>
<li>To confirm, he made a copy of notepad.exe called <code>$sys$notepad.exe</code>, and it disappeared from view!</li>
</ul>
</section>
<section id="sony-cd-fiasco-continued-3" class="slide level2">
<h2>Sony CD Fiasco continued</h2>
<ul>
<li>Russinovich also detected unsafe race conditions in the rootkit device driver</li>
<li>After renaming the driver, he rebooted and the rootkit was no longer active
<ul>
<li>All files were visible</li>
<li>A string dumping tool revealed that the files were part of a product called “Essential System Tools” from a company called “First 4 Internet”</li>
</ul></li>
</ul>
</section>
<section id="sony-fiasco-the-plot-thickens" class="slide level2">
<h2>Sony Fiasco: The Plot Thickens</h2>
<ul>
<li>The First 4 Internet web site had nothing about “Essential System Tools” or aries.sys, but revealed that the company developed Digital Rights Management (DRM) software, including a copy protection application called XCP</li>
<li>Google revealed that the company had DRM contracts with several major audio CD companies, including Sony/BMG Music</li>
</ul>
</section>
<section id="sony-fiasco-the-plot-thickens-1" class="slide level2">
<h2>Sony Fiasco: The Plot Thickens</h2>
<ul>
<li>Russinovich recalled having just recently bought and played a Sony/BMG CD (ironically, entitled <em>Get Right with the Man</em>) that required you to install its media player in order to play it on a PC <img data-src="https://m.media-amazon.com/images/I/81GEYZrDJBL._SS500_.jpg" alt="Cover of the Sony/BMG CD Get Right with the Man"></li>
</ul>
</section>
<section id="sony-fiasco-the-plot-thickens-2" class="slide level2">
<h2>Sony Fiasco: The Plot Thickens</h2>
<ul>
<li>When he played the CD again, there was an increase in CPU usage by process <code>$sys$DRMServer.exe</code></li>
<li>The Services tab of Process Explorer identified the app as “Plug and Play Device Manager,” which is an obvious attempt to mislead the user into thinking that this is a core Windows service, which it is not:</li>
</ul>
<div style="zoom:150%">
<p><img data-src="images/rootkits/120882iB7E2EE5C2ABE9DA1.webp" alt="Process Explorer Services tab showing the $sys$DRMServer.exe service labelled “Plug and Play Device Manager”"></p>
</div>
</section>
<section id="sony-fiasco-the-plot-thickens-3" class="slide level2">
<h2>Sony Fiasco: The Plot Thickens</h2>
<ul>
<li>Russinovich found no means to uninstall the rootkit
<ul>
<li>And no mention in the EULA (End User License Agreement) that software that could not be uninstalled was going to be installed on his system</li>
<li>So he removed the files and their associated registry keys manually and rebooted</li>
</ul></li>
</ul>
</section>
<section id="sony-rootkit-cant-uninstall" class="slide level2">
<h2>Sony Rootkit: Can’t Uninstall</h2>
<ul>
<li>Manual removal led to a major problem, as is often the case with rootkits:
<ul>
<li>The CD drive had now disappeared from the system’s view</li>
</ul></li>
<li>Windows permits a form of device driver chaining called device filtering, and XCP had installed a device filter called Crater.sys (another ironic name) that had cratered his system by tunneling into the device driver chain for the CD drive</li>
</ul>
</section>
<section id="sony-rootkit-cant-uninstall-1" class="slide level2">
<h2>Sony Rootkit: Can’t Uninstall</h2>
<ul>
<li>When he tried to delete the registry entries that accomplish the chaining, he got an “access denied” error</li>
<li>Luckily, he was expert enough to work around that and delete the chained drivers for both the CD drive and the IDE channel for the CD drive (Cor.sys)</li>
</ul>
</section>
<section id="sony-rootkit-problems" class="slide level2">
<h2>Sony Rootkit Problems</h2>
<ul>
<li>User is not told the software will be installed and cannot be uninstalled</li>
<li>A user who is notified by a rootkit detector that there are hidden files, and who then deletes those files, will lose the use of the CD drive and probably not know what to do about it</li>
</ul>
</section>
<section id="sony-rootkit-problems-1" class="slide level2">
<h2>Sony Rootkit Problems</h2>
<ul>
<li>A legal problem: Philips owns the trademark to the “CD” symbol, and forbids its use on any disc that is not a pure audio CD</li>
<li>Any intruder could now install files whose names begin with <code>$sys$</code> and piggyback onto the XCP rootkit, getting their files hidden for free!</li>
</ul>
</section>
<section id="the-fiasco-hits-the-fan" class="slide level2">
<h2>The Fiasco Hits the Fan</h2>
<ul>
<li>The October 31, 2005 <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/sony-rootkits-and-digital-rights-management-gone-too-far/ba-p/723442">blog entry</a> led to major media coverage</li>
<li>Sony at first said that the EULA warned about the software, and that the EULA told how to uninstall it
<ul>
<li>Later admitted this was not true, started providing uninstall instructions</li>
</ul></li>
<li>Business Week article revealed Sony was warned on October 4 (!) by F-Secure, an AV vendor</li>
</ul>
</section>
<section id="the-fiasco-hits-the-fan-1" class="slide level2">
<h2>The Fiasco Hits the Fan</h2>
<p>Classic quote:</p>
<blockquote>
<p>Most people don’t even know what a rootkit is, so why should they care about it?</p>
</blockquote>
<p>by Thomas Hesse, President, Global Digital Business, Sony/BMG</p>
</section>
<section id="the-sony-patch" class="slide level2">
<h2>The Sony Patch</h2>
<ul>
<li>Sony got First 4 Internet to provide a patch to update the rootkit</li>
<li>The 3.5MB “patch” included a whole new version of the DRM software</li>
<li>Immediately after installing it, Russinovich noticed a new entry called MediaJam in the Add/Remove Programs list:</li>
</ul>
<div style="zoom:150%">
<p><img data-src="images/rootkits/120890i6BD0152633D058EB.webp" alt="Add/Remove Programs list showing the new MediaJam entry"></p>
</div>
<p>(from his <a href="https://techcommunity.microsoft.com/t5/windows-blog-archive/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home/ba-p/723452">second blog entry</a>) <!-- (from his [second blog entry](http://blogs.technet.com/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx)) --></p>
</section>
<section id="the-sony-patch-continued" class="slide level2">
<h2>The Sony Patch continued</h2>
<ul>
<li>MediaJam was a heretofore unused name</li>
<li>Clicking on it to uninstall it produced an error! Another uninstallable package!</li>
<li>The patch just provides the ability to unload the device driver, restoring the system to its normal state
<ul>
<li>However, unloading the driver when it is about to execute could crash the system, due to a race condition in the driver’s design</li>
</ul></li>
</ul>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
</section></section>
<section>
<section id="sony-fiasco-aftermath" class="title-slide slide level1 center">
<h1>Sony Fiasco: aftermath</h1>
</section>
<section id="privacy-issues" class="slide level2">
<h2>Privacy Issues</h2>
<ul>
<li>Sony denied that the software caused any security or privacy violations</li>
<li>However, network activity sniffers detected the software connecting to Sony servers and transmitting the unique serial ID number of the CD</li>
<li>Analysis shows that the communication with sonymusic.com just checks for updates to album art, song titles, etc.
<ul>
<li>Still, this was denied by Sony until it was proven, is not mentioned in the EULA, and is not configurable</li>
</ul></li>
</ul>
</section>
<section id="security-exploits" class="slide level2">
<h2>Security Exploits</h2>
<ul>
<li>As predicted, the hiding of all files beginning with <code>$sys$</code> was a vulnerability waiting to be exploited, and it has now been exploited by <a href="http://news.bbc.co.uk/2/hi/technology/4427606.stm">at least three viruses</a>
<ul>
<li>Security firm Sophos reported that spam emails, subject “Photo Approval Deadline,” were using the <code>$sys$</code> prefix to install the <a href="https://www.zdnet.com/article/trojan-horses-targeting-sony-drm-rootkit-found/">Stinx-E Trojan Horse</a> (backdoor software)</li>
</ul></li>
</ul>
</section>
<section id="security-exploits-continued" class="slide level2">
<h2>Security Exploits continued</h2>
<ul>
<li>The World of Warcraft online multiplayer game has an anti-cheating system that scans running processes for cheats
<ul>
<li>Cheat processes are now being created with the <code>$sys$</code> prefix, escaping detection for any cheater who first buys a Sony CD and plays it on their PC (thereby installing the rootkit that hides them)</li>
<li><a href="http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/">Article from The Register</a></li>
</ul></li>
</ul>
</section>
<section id="security-exploits-continued-1" class="slide level2">
<h2>Security Exploits continued</h2>
<ul>
<li>Anti-virus software vendors were reluctant to target the DRM software at first, perhaps because Sony might sue them</li>
<li>After the exploits were reported, they all began to update their scanners to disable or remove the Sony/BMG rootkit</li>
<li><a href="https://www.cnet.com/news/microsoft-will-wipe-sonys-rootkit/">CNET article</a></li>
</ul>
</section>
<section id="sony-cd-not-on-pcs" class="slide level2">
<h2>Sony CD: Not on PCs</h2>
<ul>
<li>What if you play the Sony/BMG CD on a stereo, car stereo, portable player, etc., and not on a PC?</li>
<li>The trick to the implementation is that Sony made the first CD track (outer edge) a data track containing a loader to load the DRM software from the innermost tracks</li>
</ul>
</section>
<section id="sony-cd-not-on-pcs-continued" class="slide level2">
<h2>Sony CD: Not on PCs continued</h2>
<ul>
<li>If you load a copied CD onto your PC, it will not have the Sony media player installed (with the encrypted IDs for your system) and will examine the outer track to see what kind of CD it is</li>
<li>The CD will look like a data CD and will endlessly spin around reading the data track</li>
<li>In your car stereo, the data track will just be ignored and the player will skip to the audio track … or will it?</li>
</ul>
</section>
<section id="sony-cd-not-on-pcs-continued-1" class="slide level2">
<h2>Sony CD: Not on PCs continued</h2>
<ul>
<li>Some car and portable players have the ability to play various mixed format CDs, with song title data etc. mixed with audio</li>
<li>There have been reports of failures to play the CDs by some portable and car CD players</li>
</ul>
</section>
<section id="bypassing-the-protection" class="slide level2">
<h2>Bypassing the Protection</h2>
<ul>
<li>Users who understand the implementation have already reported that they can disable the entire DRM scheme by using a Sharpie marker to cover the outer track
<ul>
<li><del><a href="http://articles.techrepublic.com/5100-1009-5985845-2.html">Article from Tech Register</a></del></li>
</ul></li>
<li>According to the DMCA, any technology used to bypass copy protection is illegal!</li>
<li>A little Scotch tape that just covers some of the outer track also makes the PC treat it as a pure audio CD</li>
</ul>
</section>
<section id="sony-fiasco-the-aftermath" class="slide level2">
<h2>Sony Fiasco: The Aftermath</h2>
<ul>
<li><a href="http://news.bbc.co.uk/1/hi/technology/4424254.stm">Sony sued</a>: in California (class action suit), by Texas attorney general, another class action suit expected in New York</li>
<li><a href="https://netmix.com/sony-drm-forces-recall-of-cds/">Sony DRM Forces Recall of CD’s</a></li>
<li><a href="http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html">Security Expert Bruce Schneier summarizes the case and the disturbing implications</a></li>
<li><a href="https://www.computerworld.com/article/2821897/settlement-ends-sony-rootkit-case.html">Settlement ends Sony rootkit case</a></li>
</ul>
</section>
<section id="sony-fiasco-final-ironies" class="slide level2">
<h2>Sony Fiasco: Final Ironies</h2>
<ul>
<li>Hackers disassembled and reverse engineered the rootkit code
<ul>
<li>It was GPL software and is therefore being used in violation of copyright law</li>
</ul></li>
<li>The author of the stolen code?
<ul>
<li>“DVD Jon” Johansen, the Norwegian infamous for writing the “DeCSS” code that cracked the copy protection software once used on DVDs</li>
<li><a href="https://yro.slashdot.org/story/05/11/17/1350209/dvd-jons-code-in-sony-rootkit">Slashdot article</a></li>
<li>He was prosecuted but acquitted in the DeCSS case</li>
</ul></li>
<li>Fun aside: <a href="https://www.cs.cmu.edu/~dst/DeCSS/Gallery/index.html">Gallery of CSS Descramblers</a></li>
</ul>
<div class="quarto-auto-generated-content">
<p><img src="images/quarto.png" class="slide-logo" alt=""></p>
<div class="footer footer-default">
<p><a href="https://aaronbloomfield.github.io/ics" class="uri">https://aaronbloomfield.github.io/ics</a></p>
</div>
</div>
</section></section>
</div>
</div>
<script>
// Stash the global AMD `define` (if any) and clear it before the reveal.js
// bundles below are loaded; the script that follows the plugin list puts it
// back. Presumably this keeps AMD-aware bundles from registering themselves
// as modules instead of attaching to window — confirm against the Quarto
// reveal.js template.
window.backupDefine = window.define; window.define = undefined;</script>
<script src="quarto_files/revealjs/dist/reveal.js"></script>
<!-- reveal.js plugins -->
<script src="quarto_files/revealjs/plugin/quarto-line-highlight/line-highlight.js"></script>
<script src="quarto_files/revealjs/plugin/pdf-export/pdfexport.js"></script>
<script src="quarto_files/revealjs/plugin/reveal-menu/menu.js"></script>
<script src="quarto_files/revealjs/plugin/reveal-menu/quarto-menu.js"></script>
<script src="quarto_files/revealjs/plugin/reveal-chalkboard/plugin.js"></script>
<script src="quarto_files/revealjs/plugin/quarto-support/support.js"></script>
<script src="quarto_files/revealjs/plugin/notes/notes.js"></script>
<script src="quarto_files/revealjs/plugin/search/search.js"></script>
<script src="quarto_files/revealjs/plugin/zoom/zoom.js"></script>
<script src="quarto_files/revealjs/plugin/math/math.js"></script>
<script>
// Restore the AMD `define` that was stashed before the reveal.js bundles
// loaded, and drop the temporary backup slot.
window.define = window.backupDefine; window.backupDefine = undefined;</script>
<script>
// Full list of configuration options available at:
// https://revealjs.com/config/
// reveal.js initialisation for this deck. The file appears to be generated
// by Quarto (see the quarto_files/ script paths above), so option changes
// belong in the source document rather than in this output. Review notes on
// the security-relevant options are given inline below.
Reveal.initialize({
'controlsAuto': false,
'previewLinksAuto': true,
'pdfSeparateFragments': false,
'autoAnimateEasing': "ease",
'autoAnimateDuration': 1,
'autoAnimateUnmatched': true,
// The "Tools" entry is raw HTML that the reveal-menu plugin injects into the
// DOM. Its items are `href="#"` anchors driven by inline `onclick` handlers,
// so serving this deck under a Content-Security-Policy that forbids inline
// event handlers would break that menu; any CSP rollout needs to account
// for it (or the menu needs to bind its handlers from script instead).
'menu': {"side":"left","useTextContentForMissingTitles":true,"markers":false,"loadIcons":false,"custom":[{"title":"Tools","icon":"<i class=\"fas fa-gear\"></i>","content":"<ul class=\"slide-menu-items\">\n<li class=\"slide-tool-item active\" data-item=\"0\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.fullscreen(event)\"><kbd>f</kbd> Fullscreen</a></li>\n<li class=\"slide-tool-item\" data-item=\"1\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.speakerMode(event)\"><kbd>s</kbd> Speaker View</a></li>\n<li class=\"slide-tool-item\" data-item=\"2\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.overview(event)\"><kbd>o</kbd> Slide Overview</a></li>\n<li class=\"slide-tool-item\" data-item=\"3\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.togglePdfExport(event)\"><kbd>e</kbd> PDF Export Mode</a></li>\n<li class=\"slide-tool-item\" data-item=\"4\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.toggleChalkboard(event)\"><kbd>b</kbd> Toggle Chalkboard</a></li>\n<li class=\"slide-tool-item\" data-item=\"5\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.toggleNotesCanvas(event)\"><kbd>c</kbd> Toggle Notes Canvas</a></li>\n<li class=\"slide-tool-item\" data-item=\"6\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.downloadDrawings(event)\"><kbd>d</kbd> Download Drawings</a></li>\n<li class=\"slide-tool-item\" data-item=\"7\"><a href=\"#\" onclick=\"RevealMenuToolHandlers.keyboardHelp(event)\"><kbd>?</kbd> Keyboard Help</a></li>\n</ul>"}],"openButton":true},
'chalkboard': {"buttons":true},
'smaller': false,
// Display controls in the bottom right corner
controls: false,
// Help the user learn the controls by providing hints, for example by
// bouncing the down arrow when they first encounter a vertical slide
controlsTutorial: false,
// Determines where controls appear, "edges" or "bottom-right"
controlsLayout: 'edges',
// Visibility rule for backwards navigation arrows; "faded", "hidden"
// or "visible"
controlsBackArrows: 'faded',
// Display a presentation progress bar
progress: true,
// Display the page number of the current slide
slideNumber: 'h.v',
// 'all', 'print', or 'speaker'
showSlideNumber: 'all',
// Add the current slide number to the URL hash so that reloading the
// page/copying the URL will return you to the same slide
hash: true,
// Start with 1 for the hash rather than 0
hashOneBasedIndex: false,
// Flags if we should monitor the hash and change slides accordingly
respondToHashChanges: true,
// Push each slide change to the browser history
history: true,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Disables the default reveal.js slide layout (scaling and centering)
// so that you can use custom CSS layout
disableLayout: false,
// Vertical centering of slides
center: false,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// see https://revealjs.com/vertical-slides/#navigation-mode
navigationMode: 'default',
// Randomizes the order of slides each time the presentation loads
shuffle: false,
// Turns fragments on and off globally
fragments: true,
// Flags whether to include the current fragment in the URL,
// so that reloading brings you to the same fragment position
fragmentInURL: false,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Flags if we should show a help overlay when the questionmark
// key is pressed
help: true,
// Flags if it should be possible to pause the presentation (blackout)
pause: true,
// Flags if speaker notes should be visible to all viewers
showNotes: false,
// Global override for autoplaying embedded media (null/true/false)
autoPlayMedia: null,
// Global override for preloading lazy-loaded iframes (null/true/false)
preloadIframes: null,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Use this method for navigation when auto-sliding
autoSlideMethod: null,
// Specify the average time in seconds that you think you will spend
// presenting each slide. This is used to show a pacing timer in the
// speaker view
defaultTiming: null,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// The display mode that will be used to show slides
display: 'block',
// Hide cursor if inactive
hideInactiveCursor: true,
// Time before the cursor is hidden (in ms)
hideCursorTime: 5000,
// Opens links in an iframe preview overlay
// (false here: external links in the slides open as ordinary navigations
// rather than being framed inside the deck)
previewLinks: false,
// Transition style (none/fade/slide/convex/concave/zoom)
transition: 'none',
// Transition speed (default/fast/slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds
// (none/fade/slide/convex/concave/zoom)
backgroundTransition: 'none',
// Number of slides away from the current that are visible
viewDistance: 3,
// Number of slides away from the current that are visible on mobile
// devices. It is advisable to set this to a lower number than
// viewDistance in order to save resources.
mobileViewDistance: 2,
// The "normal" size of the presentation, aspect ratio will be preserved
// when the presentation is scaled to fit different resolutions. Can be
// specified using percentage units.
width: 1050,
height: 700,
// Factor of the display size that should remain empty around the content
margin: 0.1,
// MathJax is fetched at presentation time from a third-party CDN by the
// RevealMath plugin. Nothing in this config carries a subresource-integrity
// value for that script, so the deck trusts the CDN origin to serve it
// unmodified; hosting MathJax locally under quarto_files/ would remove the
// runtime dependency. The pinned 2.7.0 release is from the MathJax 2 line —
// confirm it is the version the rest of the toolchain expects before
// changing it.
math: {
mathjax: 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.0/MathJax.js',
config: 'TeX-AMS_HTML-full',
tex2jax: {
inlineMath: [['\\(','\\)']],
displayMath: [['\\[','\\]']],
balanceBraces: true,
processEscapes: false,
processRefs: true,
processEnvironments: true,
preview: 'TeX',
// Elements whose text is never handed to the TeX scanner; keeps literal
// `$`/`\(` sequences inside code samples (e.g. `$sys$`) from being typeset
skipTags: ['script','noscript','style','textarea','pre','code'],
ignoreClass: 'tex2jax_ignore',
processClass: 'tex2jax_process'
},
},
// reveal.js plugins
plugins: [QuartoLineHighlight, PdfExport, RevealMenu, RevealChalkboard, QuartoSupport,
RevealMath,
RevealNotes,
RevealSearch,
RevealZoom
]
});
</script>
<script id="quarto-html-after-body" type="application/javascript">
window.document.addEventListener("DOMContentLoaded", function (event) {
const toggleBodyColorMode = (bsSheetEl) => {
const mode = bsSheetEl.getAttribute("data-mode");
const bodyEl = window.document.querySelector("body");
if (mode === "dark") {
bodyEl.classList.add("quarto-dark");