funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 29 Dec 2005 14:16:23 +1300

Blue Boar to Randy Abrams:

Success or failure needs to be compared against the alternative. I haven't
seen the argument that these files can't be shared in a more secure manner
with a 99.9% success rate. If you trade 99.9 for 99 with no good reason,
then it is a failure to realize a better result. Complete failure? No.

I thought the implied benefit was pretty self-evident; more people with 
access means better, quicker, more complete analysis.  

And that benefits who most?

Often it most benefits the less-than-clueful-but-still-worrying malware 
writers.  Recall that these days these are NOT skiddies trying to get a 
"worst mass-mailing virus ever" headline, but folk making dirty money 
writing nasty, dirty code for the scum of the earth that are the spam 
lords, spyware and adware pushers, etc.  These guys only need a small 
advantage for a few days to greatly enhance the return they make for 
the scummy work.  Laying bare the details of some clever new malware 
trick in an openly accessible way as this site does (will?) means that 
the bad guys can drink from that trough, make our lives tougher, and, 
WORSE, make the lives of those the better analysis this site is 
supposed to (eventually) make better (i.e. the security vendors', aka 
"our", customers) MUCH WORSE.

...  You don't have to 
trust the AV companies, wait for them, etc...  You don't have to agree 
that that will happen, but I see that as the motivation.

History is littered with failures made of the best intentions...

I've been in the "vetted" category before.  ...

Do you mind me asking where and when?

Was it in AV or some other security niche?

...  And still, I would have to 
wait for responses, be at a competitive disadvantage (I was asking 
competitors for samples), have to agree to or negotiate a bunch of 
sharing rules, couldn't re-publish some of my work, couldn't get a lot 
of critique of my disassembly, and so on...

And I'm sure this still happens, but my experience is that the rest of 
security _outside of AV_ is MUCH worse at this than AV, despite Gadi's 
recent tanty to the contrary...

One might argue that Val's site is of greater benefit to the non-AV 
people, ...

And I do argue that -- in fact, that it is of most value to malware 
authors is the greater of my two main concerns (the other being that it 
will inevitably distribute some amount of self-replicating code).

... and I suspect that is part of the motivation.

So you think Val _wants_ to help the bad guys?   8-)

Honestly, I think that is an inevitable consequence of a cluelessly 
simplistic approach to trying to fix what is a really difficult 
problem.  It is an entirely foreseeable outcome if enough clue and 
experience is applied, but apparently neither are available in 
sufficient quantities to Val, so I think it is an unexpected outcome 
from his/her perspective.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

