funsec mailing list archives

Re: DefCon 'Race to Zero'


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 25 Apr 2008 22:17:17 -0500 (CDT)

On Sat, 26 Apr 2008, Paul Ferguson wrote:

This is about creating new malware as a contest to slip by
AV scanners.

Yes, sounds like a very interesting contest for reversing skills.

Considering bad guys have that [manipulation] nailed down, I don't see any 
reason why good guys can't learn and use it. Security is about knowing how 
attacks work, and reversing isn't just about attacks; it is crucial to 
defense.

Quit your whining Ferg, last thing we need is for some bleeding hearts 
from the AV industry (some of them very close friends of mine) to say 
reversing is black hat if not done by them.

Think they won't? They already bitch about protection software being 
evil, as naturally it is built just to make their lives harder.

I was in that world, and I still very much am deep in the AV world, that 
does not mean I am willing to accept all these antiquated concepts as 
written in stone. If I did I wouldn't have broken the anti virus 
industry's iron fist on being the only ones who can see or study samples.

I rather oppose this silliness now. They can call reversers black hats, 
but I can call them bleeding heart idiots, or more likely money mongering 
dolts stuck in cultural stagnation.

This is not an attack against AV software or AV-ers, it is an attack 
against the military secrecy culture with no "expiration" date of 
"publicity".

        Gadi.


What does that prove? Nothing, really. If people rely
solely on an AV scanner for protection, they are sorely
misguided.

AV is only a tool. To assume it is anything more than that is
disingenuous. Everyone knows that criminals have set up their
own private "VirusTotal-like" scanner portals to test whether or
not they can slip a new binary down the Botnet C&C pipeline.

I call this what it is: "infotainment". It really accomplished
nothing more than that.

This won't be decided here, or in the court of public opinion,
either.

When you look at the fact that, in the past week alone,
more than ~600,000 websites have been compromised to harbor malicious
iFrames or JavaScript in this whole process -- to infect unwitting
consumers in an ongoing effort to rob them blind -- the problem is
much, much larger than trying to bypass virus scanners.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIEpuuq1pz9mNUZTMRAh9AAJ4iv4Ngl8hJRI/LDu4FAK2EDqUEiwCg7pDd
R9oiEylc6lKQTIp5lye0izI=
=P34S
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
