funsec mailing list archives
Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 30 Dec 2005 00:17:31 +1300
Blue Boar to me:
And that benefits who most?
Anyone who doesn't want to be dependent on someone else for their AV needs.
And these people writing their own malware scanners and analysing hundreds upon hundreds of samples a week to keep their scanners up to date (if you're doing true generics and heuristics properly you don't need samples at all) are who?
Look, I'll come out and say it. The AV companies have an ivory tower attitude; they think they can decide who deserves to know something and who doesn't. If I don't have a "legitimate" need, if I won't agree to keep secrets, then I'm not deserving.
Dude -- don't confuse who someone works for with who someone is. If you think AV _companies_ control sample sharing in the AV industry you have very little grasp on how things really work. That's not to say that the occasional company does not have very strict policies about who gets to decide what is shared with whom, even within the industry, but in general the relationships are person to person, for the simple reason that people can trust other people (or not) but a person cannot trust a "company" and a company, being inanimate, has no such thing as a sense of trust.
Those of us who have grown up in a world of full disclosure when dealing with vulnerabilities and exploits are never going to buy into that. That attitude carries over into the malware world. Malware IS different, but it's close enough that we are going to see it the same as any other "dangerous information." I don't think you guys in your bucket are ever going to agree with us over here in our bucket.
Unless we buy your bucket and you want to keep working... 8-)
I don't wish to discourage discussion, but I think there is a basic doctrinal difference that we aren't going to get past.
For sure, and I agree that the difference is essentially doctrinal, but when it comes to self-replicating malware there is a significant hard-core in the AV domain that will not budge and that may raise a huge problem (in terms of continuing relationships with those in AV) for those outside AV that find simplistic schemes such as Val's acceptable.
Yes, I have a basic attitude problem about being left out of the loop if I wish to play. It's a big part of the issue, so let me be open about that.
I've been in the "vetted" category before. ...
Do you mind me asking where and when? Was it in AV or some other security niche?
I used to work at SecurityFocus, which was at best quasi-AV. We published analysis reports, IDS signatures, instructions for manual detection & removal, etc... I was one of the guys who did a lot of the malware analysis. They are Symantec now, but this was prior to that. I was provided samples by McAfee, Symantec, Kaspersky, Trend, and probably a few others I can't recall.
Were those samples provided on a personal basis from someone who happened to be a McAfee/Symantec/Trend/etc employee, or as the result of an "official" company-to-company type approach? The latter is quite different from the former and may be associated with explicit NDAs, publicity stipulations and so on... But that's _not_ the trusted relationship model that is widely fostered among AV professionals.
I have also been provided samples since I left, and no longer had even that tenuous grasp on officialdom. ...
The professionally preferred, trusted relationship model has nothing to do with company affiliation (well, beyond that you may approach someone you have an association with who happens to work at company X because you know from some publicity or whatever that they have seen whatever). It transcends employment relationships -- even ignores them -- and the word "official" has very little, if any, significance. Yes, it means that you, the working security professional have to make connections, get known to others within your specialty field and establish a good trust relationship with them, but that's much better than being at the whim of some crack-head employer or corporate head office legalista.
... These are more recent and more on the sly, so that I don't care to name names. ...
That's OK, no names needed. Those folk presumably have some degree of trust _in you_, at least sufficient to entrust samples of whatever based on their evaluation of the risk presented. If I knew you professionally I may well do the same thing too, and if a few of the folk I already really trust in such matters said "he's a good guy" I would extend my trust in their judgement.
... That is based on (I assume) part my reputation, and part the fact that the AV guys aren't always as stringent as they claim to be, when dealing in private. ...
You are, I think, confusing "official" with "trust relationship" activity. Companies publicly (tend to) talk about the former, but those working in the industry tend to work on the latter basis. Once you understand that _and_ work on developing the right kinds of relationships, you would better understand how we actually do things and that the above is not at all "odd" (or even inconsistent, unless you are one of the corporate legal eagles -- even many of the management types who may be seen publicly spouting the "official company line" type position know that to varying degrees their staff actually work by that other model and _need_ to; some of them have learnt it from keen personal experience).
... In those cases, the usual restriction I'm given is to share as I please, but to not name sources.
That is commonly the basis of such relationships -- we don't want to be part of someone else's publicity, as they (usually) do not want to be part of ours. Newcomers (usually newcomer _companies_) looking for PR usually don't get this at all and wonder why no-one will share samples from them when they "require" credit in any publicity, web description material, etc for supplying the sample. (The "ego" value of being approached by someone working for a big competitor because you happened to be the first to find something brings out the skiddie in some, who completely miss that they have not seen _any_ of the 138 _other_ new malwares processed in that competitor's labs that day and that they would not, themselves, accept a reciprocal credit requirement should they want samples of any of those things from that competitor...)
So, as a vetted guy I could get the samples, but it was with strings attached, or with delays. For example, if I emailed someone at an AV company, the response would be typically... stall... stall... ok, our sig file update is now released, sure you can have a sample!
Well, sometimes the person you need to talk to is literally incommunicado while working on something new. Isolated analysis setups in some company labs mean pretty much totally (networkologically) isolated. (In such cases it helps to have multiple connections so you can ask someone else who is not working the same thing and may be in and out of the lab and thus likely to see their Email sooner...) Further, individual trust relationships may bypass some of the "official" "we'll send samples to others when we ship detection" rules (though the samples may come with "please don't do PR until.." requests and such, which are understandable, and when your focus is ensuring your customer's protection, shouldn't greatly upset anything).
Regards,
Nick FitzGerald
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!], (continued)
- Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!] Joe Jaroch (Tera Innovations, Inc.) (Dec 29)
- RE: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Randy Abrams (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!] Aviram Jenik (Dec 29)
- Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!] Drsolly (Dec 29)
- RE: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Randy Abrams (Dec 28)
- RE: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Randy Abrams (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Blue Boar (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Gadi Evron (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Nick FitzGerald (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Blue Boar (Dec 28)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Nick FitzGerald (Dec 29)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Drsolly (Dec 29)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Gadi Evron (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] James Kehl (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Drsolly (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Nick FitzGerald (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Drsolly (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Gadi Evron (Dec 30)
- Re: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Drsolly (Dec 29)
- RE: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Gadi Evron (Dec 28)
- RE: Re: Malware sharing? People are full of shit [was: Getyour computer viruses here!] Randy Abrams (Dec 28)