nosystem said:
Wow. That's a point. So basically if there is/can be a "good" rootkit there is probably nothing that can be done, except installing a new system.
If a rootkit has infected the BIOS, it will recover itself even after a fresh installation from a trusted CD.
Infected code in the BIOS controls access to the hard drive and usually drops some shit into the boot record, which later uses the OS API to access some external sites, grab the actual rootkit and infect the new, fresh system. (Simplified workflow)
That was Microsoft's point in requiring hardware makers to use cryptographically signed "UEFI secure boot" if they want to use Windows 8 with their products.
(While the idea of cryptographically signed "UEFI secure boot" is a good one, it may push out of business operating systems that don't have the power Microsoft has and can't supply hashes for "UEFI secure boot" to all motherboard production plants.)
There is work that ensures the originality of a non-modified operating system by employing UEFI to protect the OS at the early boot stage (thanks to Matthew Garrett and others who picked this up), but it isn't finished yet.
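Added here as an example that is not part of anyone's post in this thread: a small Python checker for the boot record mentioned above. It parses a 512-byte MBR (the layout is the standard one; the sample bytes, the partition entry and the tampered copy are constructed for the demo) and compares the hash of the boot code against a baseline recorded right after a clean install, so a modified boot record is noticed instead of silently reloading whatever it points at.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code that gets patched
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True if the boot code still hashes to the baseline taken after a clean install."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256

def make_sample_mbr() -> bytes:
    """Constructed sample: a stub boot code and one active FreeBSD (0xA5) slice at LBA 63."""
    boot_code = b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * (BOOT_CODE_LEN - 5)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x01\x00", 0xA5,
                        b"\xfe\xff\xff", 63, 2_000_000)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"

CLEAN_MBR = make_sample_mbr()
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed tampered copy: three bytes of boot code overwritten with a jump
TAMPERED_MBR = CLEAN_MBR[:0x10] + b"\xe9\x00\x01" + CLEAN_MBR[0x13:]

if __name__ == "__main__":
    print("clean matches baseline:", boot_code_matches(CLEAN_MBR, BASELINE))      # True
    print("tampered matches baseline:", boot_code_matches(TAMPERED_MBR, BASELINE))  # False
```

On a real FreeBSD box the 512 bytes would come from something like `dd if=/dev/ada0 bs=512 count=1`, and the baseline hash belongs off the machine, since firmware that controls access to the disk can also lie about what the disk contains.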
nosystem said:
I have to read more about rootkits and maybe start playing around writing one to understand that better. Any recommendations (books, other resources) about that?
"FreeBSD Device Drivers: A Guide for the Intrepid" ISBN-10: 1593272049 ISBN-13: 978-1593272043
"Designing BSD Rootkits: An Introduction to Kernel Hacking" ISBN-10: 1593271425 ISBN-13: 978-1593271428
nosystem said:
Ok, you can't be 100% sure but most rootkits wouldn't survive the process, right?
I haven't seen a rootkit for FreeBSD that employs cooperation with an infected BIOS, but that doesn't mean it doesn't exist, because such parasites already exist for Windows and Linux.
nosystem said:
So the whole point is trust.
If you don't have access to equipment that allows analyzing hardware and a crew who understand how to use such equipment, then yes, inspecting hardware isn't a task for us regular individuals.
nosystem said:
Will the datacenter sell me infected software and/or hardware?
I doubt that. Datacenters are a pretty competitive market and their managers are looking for any possible way to cut expenses.
So, for a regular datacenter, embedding additional software is an additional financial burden.
Most problems may come with outsourced personnel that may be running datacenters, and there the probability that something is going on behind the scenes is higher.
If you are in colocation with your own box, then IMHO it is a much more trustworthy solution.
nosystem said:
So the only way would probably be to get some hardware that I feel like I can trust, inspect it, then set up a clean FreeBSD system myself, go with my own car to the datacenter, put the server in its rack, and pray that nothing happens.
I once saw with my own eyes, in colocation, a box that was literally wrapped with a chain that prevented opening the box.
While that is a "good" overprotection, I think that a simple seal and a simple lock on a box may help to stop datacenter personnel and curious colocation neighbors from climbing inside the box.
A private cage is also a good choice if you are going to keep very sensitive data and can afford its price.
Most datacenters are SAS 70 certified, so that is already a good level of trust.
nosystem said:
If the whole file-system is encrypted though, it might be harder to set up a software rootkit
If you use standard encryption, it will require you to supply the password on every reboot, which will require you to buy some KVM-over-IP box to be able to do that.
Anyway, I think KVM over IP is a "must have" for colocation; just check with the datacenter whether they allow additional "on top small boxes".
Many datacenters provide a free "power strip" (that allows switching a box off/on in case it becomes completely unresponsive), but some offer it at additional cost or don't provide it at all, so check that too.