funsec mailing list archives

RE: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: "Randy Abrams" <abrams () eset com>
Date: Wed, 28 Dec 2005 14:12:07 -0800

 

-----Original Message-----
From: funsec-bounces () linuxbox org 
[mailto:funsec-bounces () linuxbox org] On Behalf Of Blue Boar
Sent: Wednesday, December 28, 2005 1:11 PM
To: Gadi Evron
Cc: funsec () linuxbox org
Subject: Re: [funsec] Re: Malware sharing? People are full of 
shit [was: Get your computer viruses here!]

Gadi Evron wrote:
Then let us agree most Bad Guys won't bother with it as they have better
sources?

I think to be completely fair, there will someday be at least 
one Bad Guy for whom the site in question will be the most 
reliable source of the desired malware.  I'm not saying he's 
a smart or successful bad guy, just that he has bad 
intentions and wants some particular piece of malware for 
nefarious purposes.

Does that constitute failure?  I don't think it does.  If the 
userbase is 99% people researching anti-malware, and 1% bad 
guys, I call that success.  If it were reversed, 1% 
researchers and 99% bad guys, then I would say it was a 
failure, and should be shut down.

Success or failure needs to be compared against the alternative. I haven't
seen the argument that these files can't be shared in a more secure manner
with a 99.9% success rate. If you trade 99.9 for 99 with no good reason,
then it is a failure to realize a better result. Complete failure? No.

Not a failure in the sense that he has no legal basis nor 
right to do so, (IMNSHO) but in the practical sense that it 
is effectively doing more harm than good.

But perhaps it is doing more harm than good given the alternative of vetting
people.


You can also factor in a percentage of stupid people if you 
like, those with the proper intentions, but who lack the skill or 
care, and infect themselves and others.  Many consider them 
as bad or worse than Bad Guys.

Yeah, there is also the angle of protecting people from themselves, as well
as protecting others from their ignorance. For non-replicating malware you
might have a bit of an argument that the incompetent can learn from their
errors, but with replicating malware the incompetent inflict their errors on
others. Even with non-replicating malware the result may be that information
on a shared computer is inappropriately compromised for another user.

To lump a lot of the (current and ex) AV guys into one small 
bucket, it has been my experience that they consider the one 
bumbling bad guy or incompetent good guy to constitute a 
total failure.  AV guys, feel free to defend yourselves 
against my mischaracterization, if appropriate.  To pick on 
someone in particular, I've seen Nick take some very extreme 
positions on this kind of thing, for example.

I've been working with AV for about 8 years or so now, so I'll respond from
an AV point of view. There are definitely AV radicals who accept nothing
less than perfection, except in the performance of AV products :) I'm not
one of those. I do think that there are good reasons to limit access to some
things. I think for malware it is a more responsible and socially
considerate thing to make attempts to ensure that you only provide access to
people you have reason to believe will not abuse the code. I don't think
there is absolute failure or success, but that only 1 in 99 do bad things in
an open system where you might have a record of 1 in 999 or better does
recommend that latter system. 

I'm just not seeing where people intelligent enough to research these things
are not able to find resources and build a trust relationship.


In short, I think Val should continue, and we all see what happens.

                                      BB

I think providing unvetted access is unwarranted.

Cheers,

Randy

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
