Full Disclosure mailing list archives
Re: National Database of Variants with Fixes-non-vendor specific
From: Rainer Duffner <rainer () ultra-secure de>
Date: Wed, 11 Aug 2004 23:55:40 +0200
On Wed, 2004-08-11 at 22:03, John Hall wrote:
> No, seriously, I wouldn't put it past our current administration and the tinfoil hat wearers at the FBI (yes, they got theirs too) or worse, the jackboot wearers at the FBI (and elsewhere at the fed), to fantasize about pushing such a dictum upon the US AV vendors (not even crediting that a significant portion of the AV market is held by non-US vendors), but realistically, it seems unlikely they'd be successful in such an approach.
Just take the airline passenger screening as an example. Even European airlines have to comply with rules and regulations that clearly violate European data protection standards (and laws!!!). But what happens? Nothing, everybody silently complies, because in the end, people just want to fly and airlines want to give passengers that warm fuzzy feeling about security... (And the US threatened to terminate all landing permissions for all airlines that wouldn't comply. Most (almost all, actually) caved in.) I'd like some members of the European Commission who voted in favor of this approach to be given a full body cavity search in a US airport because they ticked "no pork" on their menu card for the flight (and really only wanted to say that they are vegetarians, and started an argument with customs about this fact)... Then perhaps they'd know how dangerous this whole thing is. Ahem.

Back on topic: Such an approach would be very successful, because probably nobody can ignore the US AV market. No comply = no sale. It's as simple as that (I guess).
> Going even further off-topic (par for the course for FD), does anyone have any ideas how they might create such a trojan (there seems to be no mention of self-replication in any of the articles) that could be recognized and ignored by AV software, but prevent others from using the same methodology to shield their malware?
Easy. Just make it part of the operating system kernel (i.e. Windows). It's probably more of a rootkit than a trojan. If it's done well enough (and I trust certain 3-letter-acronym bodies of the US administration to be able to do that _very_ well), AV products wouldn't even be able to detect it even if they wanted to. So persuading some shitty AV vendors not to detect a kernel trojan that probably uses an API that came with the OS anyway seems pretty simple. The signature format of all AV products (except ClamAV) is closed anyway - the sigs are probably even encrypted for added security.

It's just like normal wiretapping: everybody (every telco) does it, and nobody likes to talk about it, because it would be bad for business and scare off customers. That's also why I don't trust AV products for more than detecting Joe Scriptkiddy's self-made virus of yesterday (and even that they do just barely).

Anyway, the discussion is really pretty pointless, I admit, because nobody can prove either side. People like me will attribute the fact that no one has found such a beast (Magic Lantern) in the wild to the fact that it's really well hidden, whereas other people ("Occam's razor", anybody?) will simply point out that it doesn't exist.

cheers,
Rainer

PS: Jesus, they even have a Wikipedia entry for that: http://en.wikipedia.org/wiki/Tinfoil_hat

--
===================================================
~ Rainer Duffner - rainer () ultra-secure de ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================