funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 30 Dec 2005 00:17:31 +1300

Blue Boar to me:

> > And that benefits who most?
> 
> Anyone who doesn't want to be dependent on someone else for their AV needs.

And these people writing their own malware scanners and analysing 
hundreds upon hundreds of samples a week to keep their scanners up to 
date (if you're doing true generics and heuristics properly you don't 
need samples at all) are who?

> Look, I'll come out and say it.
> 
> The AV companies have an ivory tower attitude; they think they can 
> decide who deserves to know something and who doesn't.  If I don't have 
> a "legitimate" need, if I won't agree to keep secrets, then I'm not 
> deserving.

Dude -- don't confuse who someone works for with who someone is.  If 
you think AV _companies_ control sample sharing in the AV industry you 
have very little grasp on how things really work.  That's not to say 
that the occasional company does not have very strict policies about 
who gets to decide what is shared with whom, even within the industry, 
but in general the relationships are person to person, for the simple 
reason that people can trust other people (or not) but a person cannot 
trust a "company" and a company, being inanimate, has no such thing as 
a sense of trust.

> Those of us who have grown up in a world of full disclosure when dealing 
> with vulnerabilities and exploits are never going to buy into that. 
> That attitude carries over into the malware world.  Malware IS 
> different, but it's close enough that we are going to see it the same as 
> any other "dangerous information."
> 
> I don't think you guys in your bucket are ever going to agree with us 
> over here in our bucket.

Unless we buy your bucket and you want to keep working...   8-)

> I don't wish to discourage discussion, but I think there is a basic 
> doctrinal difference that we aren't going to get past.

For sure, and I agree that the difference is essentially doctrinal, but 
when it comes to self-replicating malware there is a significant hard-
core in the AV domain that will not budge and that may raise a huge 
problem (in terms of continuing relationships with those in AV) for 
those outside AV that find simplistic schemes such as Val's acceptable.

> Yes, I have a basic attitude problem about being left out of the loop if 
> I wish to play.  It's a big part of the issue, so let me be open about that.
> 
> I've been in the "vetted" category before.  ...

Do you mind me asking where and when?

Was it in AV or some other security niche?

> I used to work at SecurityFocus, which was at best quasi-AV.  We 
> published analysis reports, IDS signatures, instructions for manual 
> detection & removal, etc...  I was one of the guys who did a lot of the 
> malware analysis.  They are Symantec now, but this was prior to that.
> 
> I was provided samples by McAfee, Symantec, Kaspersky, Trend, and 
> probably a few others I can't recall.

Were those samples provided on a personal basis from someone who 
happened to be a McAfee/Symantec/Trend/etc employee, or as the result 
of an "official" company-to-company type approach?  The latter is quite 
different from the former and may be associated with explicit NDAs, 
publicity stipulations and so on...  But that's _not_ the trusted 
relationship model that is widely fostered among AV professionals.

> I have also been provided samples since I left, and no longer had even 
> that tenuous grasp on officialdom.  ...

The professionally preferred, trusted relationship model has nothing to 
do with company affiliation (well, beyond that you may approach someone 
you have an association with who happens to work at company X because 
you know from some publicity or whatever that they have seen whatever). 
It transcends employment relationships -- even ignores them -- and the 
word "official" has very little, if any, significance.  Yes, it means 
that you, the working security professional have to make connections, 
get known to others within your specialty field and establish a good 
trust relationship with them, but that's much better than being at the 
whim of some crack-head employer or corporate head office legalista.

> ...  These are more recent and more on 
> the sly, so that I don't care to name names.  ...

That's OK, no names needed.  Those folk presumably have some degree of 
trust _in you_, at least sufficient to entrust samples of whatever 
based on their evaluation of the risk presented.  If I knew you 
professionally I may well do the same thing too, and if a few of the 
folk I already really trust in such matters said "he's a good guy" I 
would extend my trust in their judgement.

> ...  That is based on (I 
> assume) part my reputation, and part the fact that the AV guys aren't 
> always as stringent as they claim to be, when dealing in private.  ...

You are, I think, confusing "official" with "trust relationship" 
activity.  Companies publicly (tend to) talk about the former, but 
those working in the industry tend to work on the latter basis.  Once 
you understand that _and_ work on developing the right kinds of 
relationships, you would better understand how we actually do things 
and that the above is not at all "odd" (or even inconsistent, unless 
you are one of the corporate legal eagles -- even many of the 
management types who may be seen publicly spouting the "official 
company line" type position know that to varying degrees their staff 
actually work by that other model and _need_ to; some of them have 
learnt it from keen personal experience).

> ...  In 
> those cases, the usual restriction I'm given is to share as I please, 
> but to not name sources.

That is commonly the basis of such relationships -- we don't want to be 
part of someone else's publicity, as they (usually) do not want to be 
part of ours.  Newcomers (usually newcomer _companies_) looking for PR 
usually don't get this at all and wonder why no-one will share samples 
from them when they "require" credit in any publicity, web description 
material, etc for supplying the sample.  (The "ego" value of being 
approached by someone working for a big competitor because you happened 
to be the first to find something brings out the skiddie in some, who 
completely miss that they have not seen _any_ of the 138 _other_ new 
malwares processed in that competitor's labs that day and that they 
would not, themselves, accept a reciprocal credit requirement should 
they want samples of any of those things from that competitor...)

> So, as a vetted guy I could get the samples, but it was with strings 
> attached, or with delays.  For example, if I emailed someone at an AV 
> company, the response would be typically... stall... stall... ok, our 
> sig file update is now released, sure you can have a sample!

Well, sometimes the person you need to talk to is literally 
incommunicado while working on something new.  Isolated analysis setups 
in some company labs mean pretty much totally (networkologically) 
isolated.  (In such cases it helps to have multiple connections so you 
can ask someone else who is not working the same thing and may be in 
and out of the lab and thus likely to see their Email sooner...)  
Further, individual trust relationships may bypass some of the 
"official" "we'll send samples to others when we ship detection" rules 
(though the samples may come with "please don't do PR until.." requests 
and such, which are understandable, and when your focus is ensuring 
your customer's protection, shouldn't greatly upset anything).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.