Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]

[Nick FitzGerald <nick () virus-l demon co uk>]

Blue Boar to Gadi:

> > Then let us agree most Bad Guys won't bother with it as they have better
> > surces?
>
> I think to be completely fair, there will someday be at least one Bad 
> Guy for whom the site in question will be the most reliable source of 
> the desired malware.  ...

Yep -- the less-than-competent-but-able-to-learn-enough-to-be-more-
concerningly-effective/dangerous/nasty/etc

Note that this option is _greatly exacerbated_ because this site plans 
not only making samples available (which, alone, don't terribly much 
help the tragically inept), but also making _detailed analysis_ openly 
available, and it's the added value of that analysis, presumably mostly 
done by MUCH better minds than the quasi-clueless bad guys of the sort 
mentioned above, that is really of value to the less clueful of the bad 
guys.  The really clever bad guys don't need our help (and often could 
teach most of us a thing or two) but fortunately they are relatively 
rare.  The near-clueless-but-still-worringly-dangerous bad guys will 
_LOVE_ this site and the _intended_ benefits of improved analysis, etc, 
etc will more than equally accrue to such miscreants, compared to the 
malware analysts the site's creators hope to attract.

> ...  I'm not saying he's a smart or successful bad guy, 
> just that he has bad intentions and wants some particular piece of 
> malware for nefarious purposes.

Or, more importantly, wants to find some cunning trick to beat some 
otherwise effective control commonly deployed in his intended victim 
base.  The smart bad guys that worked out how to circumvent all the new 
anti-anti-antivirus mechanisms in the new JamScan scanner or all the 
anti-anti-JamWall software firewall will keep that info to themselves 
(it's a competitive advantage to them, after all, and we are now 
talking about a largely commercialized malware scene), but if some 
smart RE posts all the gory details in their analysis at this site, the 
"dumb" bad guys will also, _very quickly_ be compromising their victims 
using those tricks.

Anyone who contributes analysis to this site will thus be _helping_ the 
largely-gormless-but-still-potentially-dangerous bad guys (who, today, 
are still somewhat in the majority I think).

> Does that constitute failure?  I don't think it does.  If the userbase 
> is 99% people researching anti-malware, and 1% bad guys, I call that 
> success.  if it were reversed, 1% researchers and 99% bad guys, then I 
> would say it was a failure, and should be shut down.

I disagree.  The actual "improvement" in anti-whatever deployed on end-
user systems that this site provides will be somewhere between 
negligible and none.  That will be at the cost of slight, but more than 
enough to be worrying "improvement" in the code of the bad guys.  That 
certainly is NOT a desirable trade-off (well, unless you actually are 
one of the bad guys...).

> Not a failure in the sense that he has no legal basis nor right to do 
> so, (IMNSHO) but in the practical sense that it is effectively doing 
> more harm than good.

But it _is_ likely to do more harm than good, as I just explained...

> You can also factor in a percentage of stupid people if you like, those 
> with the proper intentions, but lack the skill or care, and infect 
> themselves and others.  Many consider them as bad or worse than Bad Guys.

8-)

Hey, I'm quite certain that if we take all the guns off everyone so the 
stupid people stop shooting themselves in the feet, the stupid people 
will then just find other ways of accidentally maiming themselves.  As 
someone once said (or, if not, they should have), the trouble with 
making something idiot-proof is that evolution is continually refining 
our idiots...

> To lump a lot of the (current and ex) AV guys into one small bucket, it

And why not -- we like it in here!   8-)
 
> has been my experience that they consider the one bumbling bad guy or 
> incompetent good guy to constitute a total failure.  AV guys, feel free 
> to defend yourselves against my mischaracterization, if appropriate.  To 
> pick on someone in particular, I've seen Nick take some very extreme 
> positions on this kind of thing, for example.

My extreme position here, specifically _relative to self-replicating 
code_ (aka "viruses"), is that "we" (I'll perhaps inappropriately speak 
as if for the whole of traditional AV here) have always taken the 
position that to act responsibly we MUST first ensure we do no further 
harm.  Boiled-down, a part of that means making self-replicating code 
available to anyone who is not equally responsible is _totally 
unacceptable_ behaviour.  When it comes to non-replicating code you 
could, with some support from me and others, but probably not all of 
traditional AV, argue that such restrictions on sample sharing not only 
can, but perhaps even should, be eased somewhat.

This (slightly) more liberal position still causes trouble for the site 
under discussion however, for as it is now it makes no distinction 
between non-replicating and self-replicating samples.  But, if in an 
effort to assuage those of us (and here I do not just mean AV -- many 
other security professionals outside AV take a similar stand on this) 
with very strong views on the uncontrolled sharing of viral material, 
it did make that distinction, it runs into the paradox of removing its 
raison d'etre, as to determine whether submitted samples were viral or 
not, would require "someone very trustworthy" to (near-)fully analyse 
the samples and Val would end up with the same dilemma s/he has 
acknowledged ignoring in the current design...

> In short, I think Val should continue, and we all see what happens.

I strongly hope s/he doesn't...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.