Introducing the “Malware Conference for Global Evil (and Mass Effect 2)”

Posted by in Analysis on Sep 2, 2010

So I’ve been thinking more about Malcon (OH NOES you’re probably saying).  Anyway, after I posted the thing the other day about Malcon, Kurt Wismer counter-argued on his blog that my logic was flawed.  That could be.

Out of respect for Kurt’s well-reasoned disagreement, I won’t try to do a TLDR synopsis here (go read it if you want the full background) other than to focus in on one point that he alludes to.  I’m still trying to get to the root of how (or if) this thing (Malcon) is different from Blackhat – and why one would be OK in our community and the other not (since there are quite a few folks who feel that way).  So what Kurt said that was a starting point for me on my musings this morning was this one:

…blackhat/defcon are about more than just the race to zero or the blue pill. the blackhat/defcon conference pair focus on a wide variety of security issues, many of which not only deserve to be highlighted but also contribute to the betterment of the security condition… by way of contrast (since ed’s argument compares blackhat/defcon to malcon simply by substituting one for the other in his logical framework above), malcon focuses explicitly and exclusively on the advancement of malware creation which is (in general) incapable of providing the same contribution to the security condition.

Like I said, this is just one of Kurt’s points and not intended to represent everything he said – or even most of it.  But it got me thinking more about why people have a problem with Malcon but not with other conferences. In other words, why someone would object to a conference like this one but not to something like Blackhat, HOPE, or toorcon.

Kurt alludes to Blackhat forwarding the security condition and Malcon detracting from it, so one is good and the other not.  I don’t know…  We have no way to measure the security benefit of Blackhat.  We posit that it moves security forward, but does it really?  Put aside the fact that we have no evidence about Blackhat, say for the sake of argument that it does make security better. Does Malcon detract from it?  Again, it hasn’t happened yet, so anything we say is speculation.  I personally doubt it, but maybe.  The point is – we can’t know which conferences forward security and which don’t.  Doesn’t it depend on circumstance?  Is a malware author passing out drunk at RSA better for forwarding the security industry? Is a junior AV researcher learning how to analyze malware at Malcon setting it back?  Not sure I buy it that it’s either all one way or all the other.

And we know the objection can’t be based on content.  Put aside the fact that (again) the conference hasn’t happened yet (so we could find out that it’s really a Mass Effect fan con in disguise for all we know – like “Rickrolling” but for malware.)

The only real “meat” about what’s going on there comes from the cursory overview of the sessions, which are vague.   The sessions as stated are:

  • Reverse Engineering Walkthrough
  • Introduction to WIN32 Programming
  • Introduction to Reverse Engineering
  • Malware “Concept” Introduction
  • Coding a Malware
  • Malware Analysis

So, with the exception of the penultimate module (“Coding a Malware”), this looks like it could be any day’s agenda from the development track at an RSA conference. For the coding a malware part, I’d bet that percentage-wise it’s probably about the same time spent on that as the Sonoma State University class where they author malware.

So to accept that Malcon detracts from the security community, based solely on the content you would have to also accept that Sonoma State does.

Maybe you do. Maybe you believe that Sonoma State is evil. Even taking that off the table, there’s still a spectrum here. On the one side, you have security conferences that have nothing to do with malware (like Cardtech or RSA).  On the other you have conferences that provide varying degrees of information that could be of use to a malware author (Defcon, toorcon, pumpcon, summercon, etc.).  If it’s based on content, that means there’s a magic percentage of where it goes from “OK” to “evil”.  And we know it’s less than 16% (the percentage of Malcon dealing with malware authorship).

But I don’t think any of that is true.  What I think is really more likely is that the objection is not about the content, or the impact to the industry, or anything else.  I think it’s about the fact that it’s called “Malcon” and (to a lesser extent) the fact that people think it’s somehow forwarding the malware writing community.  I posit that if you took any conference (say our hypothetical Mass Effect fan con cited earlier) and named it something like “Malware Writers’ Conference for Global Evil” and marketed it with a picture of a virus giving a raspberry… Well, you’d get static from somebody (really guys?  the virus picture?)

As far as intent goes, I also think people think this is a conference somehow intending to forward the malware author community.  Who would want that?  Their actual intent isn’t really that, by the way.  Their stated goal is, “…to help the Security Industry… so that they can build better and secure code, as well as work towards mitigating potential new attack vectors.”
