User:Pnm/Rootkit peer review

Based on the December 10 version of the article.

While several sections of the article are well-referenced, others don't cite enough sources:
 * Installation and cloaking
 * Detection (and each subsection except Alternative trusted medium)
 * Public availability

Many sections contain examples of original research, synthesis, or attributions not backed up by the cited sources (Sony rootkit scandal, Installation and cloaking, Detection, Removal, and Public availability):
 * "The public-relations fallout for Sony BMG was compared by one analyst to the 1982 Chicago Tylenol murders." Not in source. The source describes the seriousness of the incident, not the public-relations fallout. (I've heard the Tylenol case cited as an example of excellent crisis communications, and the Wikipedia article states J&J was widely praised for how it handled the incident.)
 * "The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors." Dubious, unsupported by the source, and contradicts statements in Rootkit and the statement, "rootkits can serve a variety of ends" (from the lead). The source is about a single rootkit – name it instead of implying it's typical. (Is it typical? If that's a verifiable claim, find a good source and keep it in!)
 * "Given the stealth nature of rootkits, there are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media." Synthesis. The sources support that "some believe the only reliable way..." but neither source credits "the stealth nature of rootkits."
 * "Most of the rootkits available on the Internet are constructed as an exploit or academic "proof of concept" to demonstrate varying methods of hiding things within a computer system and taking unauthorized control of it." The statement is not supported by the source. It says "some," not "most", includes the phrase "for now," and its tone further implies serious qualifications to the statement.

The article has two neutrality problems:
 * The paragraph on the Sony rootkit scandal obscures what it's trying to say in order to sound NPOV. It should be rewritten to be more direct, less detailed, and more objective. Amazingly it buries the link to the main article Sony BMG CD copy protection scandal near the end of the paragraph, yet links to Sony BMG eight times. The reference to the 1982 Chicago Tylenol murders has a referencing problem (explained above).
 * The article gives undue emphasis to beneficial rootkits. The lead sentence does so by omitting "unauthorized." The last sentence of the lead paragraph says rootkits have "negative connotations" (using connotation implies merely subjective negativity). (The primary use of rootkits is gaining and preserving unauthorized access to a computer system.)

The caption on the illustration of security rings is confusing. After reading ring (computer security) I'm still confused. Is it possible to show the hypervisor ring (Ring -1) in such a diagram? (Also, I think the image at ring (computer security) is better.)

The article could be improved by applying the MOS:
 * Wikilinks: The link to type polymorphism is irrelevant, should be polymorphic code, I think. Linking to exploit (computer security) using the words "security vulnerabilities" is confusing. Link to profiling (computer programming) is irrelevant.
 * Peacock: "The best and most reliable method"
 * Wordy prose: "Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms." "It is not uncommon to see a compromised system in which a sophisticated, publicly-available rootkit hides the presence of unsophisticated worms or attack tools that appear to have been written by inexperienced programmers." "System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to install. Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware. Once these measures are in place, routine monitoring is required."
 * Section structure could be improved. Gaining access should probably be separated from cloaking. Cloaking shouldn't be re-discussed under Detection. Types is not descriptive – how about "Mechanics of operation" or "How rootkits work". "Sony rootkit scandal" could easily be a section.
 * Copyediting: "Uses" section could be organized and copyedited to be clearer and more helpful (to start, separate the few helpful uses to differentiate them). "Installation and cloaking" section could benefit from copyediting. "Difference-based" contains a very long sentence. "User mode" contains a long quote from Symantec that should be paraphrased instead.
 * See also links Hacker con and SANS Institute don't appear to be relevant. Host-based intrusion detection system ought to be mentioned in the body of the article (perhaps instead).
 * Capitalization of Avast! Antivirus.

The article could be improved by providing more context for its factual statements:
 * Lead: Why are rootkits so important? (Along these lines: A typical attack on a computer system uses a rootkit. Rootkits are effective because they're difficult to detect.)
 * History: The first paragraph of the history section needs better context. (It's an aside on the technology of rootkits' predecessors. It succeeds Ken Thompson chronologically, so it also feels out of order.)
 * History: Ken Thompson's lecture on transitive trust is quite relevant but needs to be placed in context better. The paragraph also contains a lot of analysis which is likely original research. The talk should be put in context more, and analyzed less.
 * Continuity throughout: The article covers rootkits in personal computing and in multi-user systems with "administrators", but seems to switch back and forth instead of adequately bridging these two contexts.