funsec mailing list archives
Re: McAfee really DOES write new Malware! Wholey Moley!
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 30 Sep 2009 21:47:02 -0400
On Wed, Sep 30, 2009 at 01:18:15PM -0400, Blanchard_Michael () emc com wrote:
> True, but to study the enemy you must study HIS tactics and HIS maneuvers. Not create brand new ones and study them. You must study existing malware, pull it apart, debug it, decompile it, see what makes it tick. Then extrapolate and try to predict the "bad guy's" next move based upon his past behavior.
>
> How can we study what the real bad guys are if we create something completely different than what the bad guys would ever think of?
I think there are two problems with this reasoning. Let me tackle the second paragraph first.

The bad guys are resourceful, well-funded, diligent, and very smart. (We're not stupid, and they've been kicking our asses for years.) There's no value in speculating what they have or haven't thought of, first, because there's no way to really know, and second, because they've already demonstrated a LOT of ingenuity -- certainly far more than we have. I think it's pointless to worry that we might give them new ideas: they're already producing those in great profusion, as we can tell just from the few samples that come to our attention.

Now as to the first paragraph, I disagree there as well. One of the reasons why the security "industry" is a miserable failure (nod to Marcus Ranum) is our collective failure of imagination. We don't train people to think like attackers, and we do train them to deal with the attacks that we already know about. This Is Not Working. We need to train people to be ingenious, devious bastards (and bastardettes) because only then will they have the kind of mindset that's necessary to defend against the attacks we *don't* already know about.

Yes, this approach carries risks: we might wind up teaching the bad guys something they don't already know. We see a few of the people we've trained decide to switch sides. All possible. But IMHO it's still way better than what we're doing now.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.