funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 28 Dec 2005 18:30:16 -0800

Nick FitzGerald wrote:
> And that benefits who most?

Anyone who doesn't want to be dependent on someone else for their AV needs.

Look, I'll come out and say it.

The AV companies have an ivory tower attitude; they think they can decide who deserves to know something and who doesn't. If I don't have a "legitimate" need, if I won't agree to keep secrets, then I'm not deserving.

Those of us who have grown up in a world of full disclosure when dealing with vulnerabilities and exploits are never going to buy into that. That attitude carries over into the malware world. Malware IS different, but it's close enough that we are going to see it the same as any other "dangerous information."

I don't think you guys in your bucket are ever going to agree with us over here in our bucket.

I don't wish to discourage discussion, but I think there is a basic doctrinal difference that we aren't going to get past.

Yes, I have a basic attitude problem about being left out of the loop if I wish to play. It's a big part of the issue, so let me be open about that.

>> I've been in the "vetted" category before.  ...
>
> Do you mind me asking where and when?
>
> Was it in AV or some other security niche?

I used to work at SecurityFocus, which was at best quasi-AV. We published analysis reports, IDS signatures, instructions for manual detection & removal, etc... I was one of the guys who did a lot of the malware analysis. They are Symantec now, but this was prior to that.

I was provided samples by McAfee, Symantec, Kaspersky, Trend, and probably a few others I can't recall.

I have also been provided samples since I left, and no longer had even that tenuous grasp on officialdom. These are more recent and more on the sly, so that I don't care to name names. That is based on (I assume) part my reputation, and part the fact that the AV guys aren't always as stringent as they claim to be, when dealing in private. In those cases, the usual restriction I'm given is to share as I please, but to not name sources.

And of course now, via neighboring mailing lists, I have access to far more samples than I could possibly use, since I don't do this all day for a living now. If I enter into a non-sharing agreement, I honor it. Any lists that you and I share membership to, Nick, I consider to be under a default no-share rule. On those, I ask permission. But if there are no strings attached, I'm generally liberal about resharing.

So, as a vetted guy I could get the samples, but it was with strings attached, or with delays. For example, if I emailed someone at an AV company, the response would be typically... stall... stall... ok, our sig file update is now released, sure you can have a sample!


                                                BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

