Full Disclosure mailing list archives
Re: Re: Help put a stop to incompetent computer forensics
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 11 Aug 2005 23:39:00 +1200
Jason Coombs to Donald J. Ankney:
Your definition is just a subset of the standard, broader one.
Indeed, that is the case. Had Jason spent a few seconds looking into the real history of the use of the word, its current "expert use" and its slippery, moving from year to year, "common" usage, he would have recognized his pathetic attempts to justify his position for precisely what they are. Apparently that is too much like hard work for this self-styled top member of the computer forensics expert opinion witness industry though, so the rest of us are apparently expected (by that uber-elite class which Jason puts himself so high and mightily atop) to take Jason's word for things: just because ill-educated, lazy, common use has changed, the experts should too...
When a word causes widespread misunderstanding such that you simply can't use it to communicate ideas clearly, the old meaning becomes archaic. ...
Utter twaddle. It is now, and has been almost since there was a "computer antivirus industry", the case that any-, and every-, thing "bad" that happens to a computer is labelled as a "virus" by the great unwashed. Fortunately, communication among computer professionals has largely resisted adopting this sloppy usage, and "virus" still has a fairly specific, fairly well and widely accepted technical meaning, at least within the community of computer security professionals. Such is also still the case with the word "Trojan", so if Jason is out of touch with that meaning, what does that tell us about Jason's reputed superior computer security expertise? If it's sadly lacking on an important terminological issue, what else has he missed out on? The computer security meaning of "Trojan" as something along the lines of "a bad program disguised or passed-off as something good, desirable or at least harmless" is still the usage of intelligent, informed computer security folk in my extensive experience. Sure, within some contexts some of those same folk will drop into a usage something more like that of the vulgar, uneducated masses (many of whom use "Trojan" and "virus" AND "hacker" totally interchangeably), but that is usually obvious to other informed, intelligent and experienced professionals from contextual (linguistic, situational, etc) cues.
... I think that's what has happened with Trojan. ...
No -- it has happened to very many commonly used comp-sec terms that have been "overused" by too many of the less-well-informed in the media and thence by the general public. As I said above, it is now widespread and common to find "ordinary folk" who use two or more of "hacker", "Trojan" and "virus" _interchangeably_. However, not only does that mean we (comp-sec professionals) SHOULD NOT adopt such slack usage, at least when communicating within our professional circles, it means we should RESIST IT. Taking what are, at the technical level of our expertise, inherently and importantly different concepts for which there are terms with well-established meanings and uses and smooshing them all together simply because what we know and understand as different concepts, and represent by those different words, is "too arcane", or "too deep", or "too detailed", or "too technical", or whatever, for the everyday communications of "the people in the street" is the ultimate intellectual slackness. It is not snobbish to remain intellectually precise and to treasure meaningfully distinct conceptual notions, though it can seem thus if one always insists on trying to enforce those distinctions at a conversational level where they are irrelevant or unimportant. So, if you're talking to Joe and Jane Bloggs, use "trojan" in a loose, slack, folksy way that they will "understand", but if you're going to stick your head up in a mailing list like this and boldly, and clearly very ignorantly given the last 20+ years usage of the term by this constituency and its founders, state that black is white, expect to have the top of your head knocked off and what has previously passed for your intellect pecked to pieces...
... Proof of this can be found in the list of malware that anti-Trojan software is designed to detect ...
That's a f*cking joke, right? Give me a break, puhlease! If this is an example of the kind of argument you make in those trials you play "expert opinion witness" in, I must assume they are real laugh-a-minute affairs to any real experts present...
... -- without double-checking this, just from memory, I'm going to say that the list of malware detected by the typical anti-Trojan software product is limited to malware that meets my definition and does not include the broader definition. ...
Many (most, probably all now, and for quite some time) of these products also detect some examples of many other pieces and types of (static-binary and/or other "characteristically odd" detection, e.g. by distinctive registry entry) malware, including many viruses. So, perhaps on this basis we _should_ conflate "virus" and "Trojan"?? Hmmmmm...
... That causes a real problem, in practice, since if the anti-Trojan doesn't stop spyware then how can spyware be a Trojan?
Had you considered it may be because your so-called "anti-Trojan" is NOT actually anti-Trojan? D'oh! Grab a brain for a few moments and consider some MORE history you are obviously lacking... So-called "anti-Trojan" software was _initially_ developed to detect what are more specifically known as "remote access Trojans" (or RATs, sometimes also called "remote access trapdoors", "remote control Trojans" and so on). (The motivation for this was that RATs were running rampant via chat network distribution, especially IRC, and mainly were not being detected by AV, whose developers were largely not interested in such malware at the time.) The particular community that used and developed most of this software adopted the use of the term "Trojan" as a shortcut for "remote access Trojan" (and possibly because it was largely ignorant of the much larger and broader history of "all Trojanic software") simply because the main kinds of trojans they happened to see, and thus were interested in, were RATs.
From the most vaguely purist of positions, that was wrong and lazy, and eventually calling themselves "anti-Trojan" to specifically distinguish these products from anti_virus_ products was clearly a marketing move. With marketing generally being renowned for its abject lack of care for precision and accuracy, I doubt any intellectual discussion of the meaning of the term is likely to be much interested, far less swayed, by the opinions of mere marketeers... In short, your argument that the rest of us should adopt their (and apparently also your) wrong and lazy usage of "Trojan" is symptomatic of why that usage ever gained any currency in the first place...

(It's also somewhat of a circular argument to claim that the self-servingly and incorrectly named "anti-Trojan" software only detects RAT-like Trojans so therefore "Trojan" means "RAT", but that should be obvious even to Jason by now...)

I put it to you "mister computer forensics expert opinion" that you are not only doing the word a dis-service, but your own reputed expertise, experience and relevant (historical) knowledge of this whole sub-field of computer security is now showing as more than slightly lacking... I have close to 20 years "professional interest" in these matters and, to a person, the very many educated and informed academic and industry commentators I have seen and heard discuss this have never defined "Trojan" as you claim it must now be used "because that is the 'common' usage". Perhaps that means you hang with too many "too common" folk and would better hone your skills and understanding by moving in more intellectually high-brow circles?

Whatever, just take a bit of a reality check on this one -- you are clearly wrong given the weight (and vehemence) of reaction to your posts, so stop the verbal m@sturbation and get on with something useful, eh?

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/