funsec mailing list archives

Re: McAfee really DOES write new Malware! Wholey Moley!


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 30 Sep 2009 21:47:02 -0400

On Wed, Sep 30, 2009 at 01:18:15PM -0400, Blanchard_Michael () emc com wrote:
   True, but to study the enemy you must study HIS tactics and HIS
maneuvers.  Not create brand new ones and study them.  You must study
existing malware, pull it apart, debug it, decompile it, see what makes
it tick.  Then extrapolate and try to predict the "bad guy's" next move
based upon his past behavior.

  How can we study what the real bad guys are if we create something
completely different than what the bad guys would ever think of?

I think there are two problems with this reasoning.  Let me tackle
the second paragraph first.

The bad guys are resourceful, well-funded, diligent, and very smart.
(We're not stupid, and they've been kicking our asses for years.)
There's no value in speculating what they have or haven't thought of,
first, because there's no way to really know, and second, because 
they've already demonstrated a LOT of ingenuity -- certainly far more
than we have.  I think it's pointless to worry that we might give them
new ideas: they're already producing those in great profusion, as we can
tell just from the few samples that come to our attention.

Now as to the first paragraph, I disagree there as well.  One of
the reasons why the security "industry" is a miserable failure (nod
to Marcus Ranum) is our collective failure of imagination.  We don't
train people to think like attackers, and we do train them to deal with
the attacks that we already know about.  This Is Not Working.  We need
to train people to be ingenious, devious bastards (and bastardettes)
because only then will they have the kind of mindset that's necessary
to defend against the attacks we *don't* already know about.

Yes, this approach carries risks: we might wind up teaching the bad
guys something they don't already know.  We see a few of the people
we've trained decide to switch sides.  All possible.  But IMHO it's
still way better than what we're doing now.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.