funsec mailing list archives

Re: Re: summary of the "sharing samples" thread from my view-point


From: Pierre Vandevenne <pierre () datarescue com>
Date: Sun, 1 Jan 2006 01:13:33 +0100

Good Afternoon,

NF> Seriously, I want (in fact, need) to know the answer to this.

The issue isn't black or white. If it were, we wouldn't have been
discussing it since dawn.

The current vetting systems for malware sharing are a bit like
freemasons clubs. There are real obstacles, and I am not talking about
technical ones, for competent newcomers to enter the field. And I am
not talking individuals either. Some significant companies have been
excluded from those clubs for one reason or another. (and I am not
talking about mine, in our case the situation is simple: if the new
sample is problematic from an analysis point of view, we get it and
are asked to fix things in a hurry; if the new sample isn't
problematic, we'll never hear about it and won't care.) It works a bit
like political parties, friends, lobbyists and all that kind of
stuff.

I once had the hobby of analyzing viruses. One day, I analyzed a
significant one and understood, by sheer luck, one peculiar, until
then unseen, activation routine. I believe you independently
understood it as well, if I remember the mail exchanges we had then...
(no need to name anything, the point isn't there)

The funny thing is that some big names of the industry had initially
missed or misunderstood the routine. After reading a couple of bogus
analyses on the web, I fired off a few e-mails. Responses from industry
pundits ranged from "we'll investigate" to "Pierre, don't try to play
with those things, you might hurt yourself". Quite funny, coming from
people who, in some cases, were actually going to hurt themselves a
few days later...

That's when it occurred to me that a lot of talented newcomers, except
the ones that followed rules such as formally applying for an a-v job
with a member company, would have major trouble contributing usefully.

Current "good guys" systems are a bit inadequate: it can't be denied,
no matter how hard it is attempted. But I agree with you that the
equivalent of a VX board isn't an adequate response.

-- 
Best regards,
Pierre                            mailto:pierre () datarescue com
  

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
