RE: Re: Malware sharing? People are full of shit [was:Getyour computer viruses here!]

["Randy Abrams" <abrams () eset com>]

OK, how about using this list. There is already a degree of vetting. 

Technical suggestions? If you don't have the resources to cool the reactor
then atomic power plants are a really bad idea :)

Seriously, I don't think there are 60k people who need to be vetted. I think
that a distribution network of trusted individuals works pretty well. There
are probably people who are not on this list, who are qualified to handle
malware, who have need, and who have good intent that also know people on
this list. Let people develop a trust relationship and obtain the samples
that way.

There are damned good doctors with a legitimate need for morphine. There are
people who have the knowledge to administer Morphine for good purposes and
competently, but they don't have access to it. They have to go through the
hoops to get legitimate access. There are criminals who deal morphine. Is
the fact that someone who might do good is denied access to morphine and bad
guys have access a reason to legalize it. I can think of other reasons to
legalize it, but not that one.

I don't know of a current technology to automate the vetting, and so I think
it is best to restrict access until that problem is solved. I commend you
for your intent, but I think your current proposed implementation should be
placed on hold pending viable safety mods, rather than sweeping up after the
spill.

Cheers,

Randy

> -----Original Message-----
> From: funsec-bounces () linuxbox org 
> [mailto:funsec-bounces () linuxbox org] On Behalf Of val smith
> Sent: Wednesday, December 28, 2005 3:46 PM
> To: funsec () linuxbox org
> Subject: Re: [funsec] Re: Malware sharing? People are full of 
> shit [was:Getyour computer viruses here!]
>
> Just a note, all the log information is published on the site 
> for all to see :)
>
> How about moving this conversation in a more positive 
> direction if your're all willing?
>
> Can anyone make technical suggestions about how to make this 
> process more secure? Manual vetting won't work, because as of 
> right now I am only one person and I have to decide do i 
> spend my time doing:
>
> - web development
> - malware analysis
> - or vetting 60,000 people I do not know?
>
> Personally I prefer the malware analysis choice.
>
> If there are some nifty technical solutions to ensuring the 
> malware is only available to "qualified" (who makes that 
> determination or how?) researchers  Id love to hear them. For 
> example E-Bay has an interesting feedback system to help 
> buyers and sellers gain more confidence. Could something like 
> that be implemented here ? (im not sure how) what other ideas 
> are there ?
>
> I want to hear ways to make this better. "Stop doing it" 
> doesn't qualify. But you are all smart people.  help me 
> improve this idea if you can. 
>
> Incidentally Drsolly you say "its not my job to change your 
> mind, its your job"
>
> However my opinion is that if you really care about this 
> issue, and disagree with me, and you want me to stop, it IS 
> your job to discuss with me what you want if you hope to 
> acheive anything. Otherwise it can be viewed as simply trolling?
>
> V.
>
> On 12/28/05, Drsolly <drsollyp () drsolly com> wrote:
>
>       > I can further give a metaphore that will say 
> researchers anthrax is bad,
>       > for if there is no anthrax, having it is a risk b itself
>       
>       How about someone sets up a web site for people 
> interested in anthrax, so 
>       that people can upload and download samples?
>       
>       > contradiciting analogies can be given for days, and 
> we all pick our
>       > favorite. Fact is it is not very easy for researchers 
> to get data, and
>       > fact is that branding of people outside the inner 
> circle as blackhats if 
>       > they don't conform to what suits the inner circle 
> best is wrong.
>       >
>       > Further, even if I do agree sharing of samples should 
> be done securely and
>       > in a vetted enviroment, today it is as ridiculous as 
> telling people not to 
>       > watch porn.
>       
>       No, it's as ridiculous as telling people not to rob 
> banks. Sure, some
>       banks will still get robbed, but that doesn't make it right.
>       
>       > So, being a moral example is great, but does it do 
> any of us any good 
>       > where it is proven things get on when you keep that 
> stand while if yo
>       > changed it, maybe you could influence those you now 
> call blackhats, and
>       > see they may even be... wow, good guys?
>       
>       With this web site, I don't see any attempt to 
> determine who is blackhat 
>       and who isn't, let alone any attempt to influence the blackhats.
>       
>       > Finally, this guy believes in it. He is going to do 
> it. Help him or name
>       > him a blackhat, but helping him might get things 
> "safe" while not killing 
>       > his ideas all together.
>       
>       I am helping him. I'm explaining why it's ethically 
> wrong to run an
>       unvetted VX, and about the legal hot water he could 
> find himself in.
>       
>       > As an example, if some people in the AV industry 
> HELPED the good people at 
>       > ClamAV who had o learn all by themselves without 
> years of traditions,
>       > ideas and knowledge, instead of just critisizing, 
> Clam would have gottemn
>       > where it is today a lot sooner, and even far further 
> than that. 
>       
>       I don't know about the ClamAV issue. What did they need 
> to learn that they
>       needed help for?
>       
>       > My suggestion to this guy is do his thing, follow his 
> conscience, and let
>       > history prove him right or wrong. 
>       
>       You can't just say "let history prove". Because we'll 
> never know how
>       many blackhats got malware from his Virus Exchange and 
> spread it around.
>       
>       > It is harmful not to share openly. It is harmful not 
> to keep high moral 
>       > standards, but in this case, where did they come from?
>       
>       The moral standards in this case come from where they 
> always come from -
>       they come from your own understanding of right and wrong.
>       
>       > Why was it initially BAD to share samples? Do these 
> reasons still stand 
>       > oday?
>       
>       It was intially bad for a number of reasons.
>       
>       1) The easiest way to make a "new" virus, is to make a 
> small modification
>       to an old one such that current detectors no longer 
> recognise it. 
>       
>       2) A lot of people, at the time (and maybe even now) 
> were suggesting that
>       the AV people were encouraging the spread of viruses 
> (and maybe even
>       writing new ones). A VX certainly does encourage the 
> spread of viruses. 
>       
>       3) There are computer crime laws that make it illegal 
> to distribute
>       malicious software without the victim's consent. And 
> there's "criminal
>       negligence" laws that make it illegal to distribute 
> something that you 
>       *know* can be used to cause harm, without any vetting 
> of the recipient. It
>       is, for example, illegal to sell knives, alcohol or 
> tobacco to children -
>       the vetting in that case is age-based.
>       
>       I don't think that any of those three reasons have changed. 
>       
>       So, here's a question for anyone who is involved in 
> maintaining an ftp (or
>       other distribution method) of malware. Would you be 
> willing to publish the
>       access details and allow anyone at all to download from 
> it? If not, why 
>       not?
>       
>       
>       _______________________________________________
>       Fun and Misc security discussion for OT posts.
>       https://linuxbox.org/cgi-bin/mailman/listinfo/funsec 
>       Note: funsec is a public and open mailing list.
>       

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.