Well, your argument is the same as quite a few other people. My question though is, “why is it wrong… period?” Is it because that malware could get into the wrong hands? If so, who decides who the right hands are. Is it wrong because only AV companies are allowed to create malware? Who says? Do they have to get a special license or something? Not currently.

My issue is this: I don’t trust Symantec (or McAfee or Sophos) to say who can or who can’t write (or test) malware. So when they say that they are more qualified to do this than Consumer Reports or the University of Calgary (Google for “Dr. John Aycock” to see how that went down), I question who died and made them king of the forest.

-E

I came across an article today about John Aycock and his new spyware class at the University of Calgary. Dr. Aycock is of the opinion that students learn better how to protect against spyware by first understanding how spyware works – and what better w…

perhaps, but bungee jumping doesn’t do anything for the litter argument, does it…

In other words, “lalalala”.”

since my argument about why distribution is wrong regardless of how easy it already is to find malware consisted of more than just that one statement, i guess the above is your own way of saying “lalalala”…

i suppose i could have been more obvious and said 2 wrongs don’t make a right, or if everyone else jumped off a bridge would you do it too, but i chose to go with the litter analogy…

In other words, “lalalala”.

it’s easy enough to find garbage on the ground, that doesn’t mean it’s ok to add to it… the reason it’s bad is that it makes you part of the problem rather than part of the solution…

“”100% snake-oil” Having read Fred’s paper, I understand what you’re saying, but hueristics could be a lot more effective than they are now.”

that depends entirely on how you define effective… historically, dialing up the heuristic sensitivity does catch more things but it also increases the false alarm rate… the 2 most likely reactions to which are needless fear (when they don’t understand what false alarms are) or unwarranted confidence (when they do understand what false alarms are and assume the alarm is false because they’re too lazy to do what’s necessarty to resolve the ambiguity for each and every alert issued by the product)…

“Further, that’s not the marketing message any of these companies are sending.”

isn’t it? are the products not referred to as ‘solutions’ in spite of the fact that they don’t actually ‘solve’ the problem? do they not claim to protect the user just as you’re asking them to actually do in spite of the fact that they’re really just tools that can help the user protect him/herself?

“technical constraints on a priori algorithmic detection…” Sure. Taking in ~5 billion a year, they could invent some new methods.

[sarcasm]
yeah, sure, because throwing money at a problem is all that should be needed to solve it…
[/sarcasm]

the virus problem and the broader malware problem are not purely technological problems and they cannot be solved by technological means…

“that something could be considered a bad thing doesn’t make it a bad thing.”

do you think manufacturing new hazards needlessly is not a bad thing? if so i would be forced to acknowledge that we are likely never going to agree because our values are just too different…

@ed
“I don’t agree that signatures are the only way to do malware protection;”

you’re absolutely right, it’s not… signatures are just one possible method… it has it’s strengths and it’s weaknesses, as do all methods… ideally it should be used in conjunction with other methods that are able to complement it, ones that can be strong where it is weak…

“Hypothetically, you could build a product around preventing malware symptoms rather than scanning for known patterns/strings… For example, if you wanted to prevent malware from overwriting the file system, you could use a read-only file system – you don’t have to analyze the malware at all to enforce the constraint.”

i think in more general terms what you’re getting at is called behaviour blocking… it too has it’s strengths, but it also has it’s weaknesses and one of those weaknesses is that it allows the malware to run… if you can detect the malware before it gets control (as known malware scanning is able to do for known malware) then there is no opportunity for the malware to detect/disable/attack/bypass the protective mechanism… behaviour-based protection is fundamentally unable to stop malware before the malware is run because the malware’s behaviour only comes into play after it gains control… behaviour-based systems can be useful, but i wouldn’t use them in isolation – like known malware scanning, they’re best combined with other techniques (in fact, known malware scanning and behaviour based systems can do a lot to complement each other)…

i prefer to look at addressing malware by breaking it down into 3 parts – prevention, detection of preventative failures, and recovery from preventative failures… known malware scanning is quite good at prevention of known malware (and since the vast majority of malware happens to fall under that category, that makes known malware scanning pretty effective)… known malware scanning is essentially a blacklist technique but there are also whitelist techniques which are also good for prevention… i would classify behaviour based methods as detection of preventative failures (since they allow the malware to run)… behaviour blockers and change detectors and a number of other techniques fall into this category… backups, general purpose disinfectors (those usually found in known malware scanners), and dedicated malware removal tools (usually one-offs) are of course examples of methods that are meant to address recovery…

“What makes this “OK” is the fact that there is oversight over who has the authority to distribute say, anthrax. Not just any old lab can create new strains and none of those labs can release new pathogens into the wild – ever. As a consequence of this oversight, there are no questions about who can or can’t do this kind of work.”

actually there are still questions (surely you’ve heard people ask why does the military need to make new diseases, or ask whether it’s ethical, etc.), it’s just that the presence of that oversight makes most people feel more at ease about the whole thing… so long as it’s an authority figure and not just some guy somewhere most will assume it’ll be ok (and usually they’re right)…

“Whatever the reason, this debate will continue until there are some rules in place – formal rules – governing how this happens.”

and there’s the rub – to govern this implies involvment of the government… in reality there is no one, no group capable of exercising this kind of authority… it’s similar to trying to make local laws apply to the entire internet… it doesn’t work… maybe a country could put rules in place that affect testing organizations within that country, but there are testing organizations in multiple countries, and some people carry out their own tests as individuals which makes them nearly impossible to govern…

In terms of whether or not to create malware, if we use the physical world as an analogy, there are plenty of labs that create new microbes: and some of those labs actually traffic in, manipulate, and share pathogens amongst each other. What makes this “OK” is the fact that there is oversight over who has the authority to distribute say, anthrax. Not just any old lab can create new strains and none of those labs can release new pathogens into the wild – ever. As a consequence of this oversight, there are no questions about who can or can’t do this kind of work. We don’t have that type of control with malware. Why not? Maybe because the consequences aren’t as huge… Maybe because it’s a younger science… Whatever the reason, this debate will continue until there are some rules in place – formal rules – governing how this happens.

Again, just my humble opinion.

“and what makes you think it was or is a closed community?” My attempts to participate in it; their continued and persistent insistance that distributing samples is bad and irresponsible, despite the reality that I get samples every morning in email.

“100% snake-oil” Having read Fred’s paper, I understand what you’re saying, but hueristics could be a lot more effective than they are now. Further, that’s not the marketing message any of these companies are sending.

“technical constraints on a priori algorithmic detection…” Sure. Taking in ~5 billion a year, they could invent some new methods.

“because manufacturing new hazards needlessly couldn’t possibly be considered a bad thing…”

that something could be considered a bad thing doesn’t make it a bad thing. given toolkits for construction, and given that they were responsible in how they constructed and tested, the industry’s abject horror of “something could go wrong” is childish.

What went wrong is that consumer reports tested AV products in a way that those products are tested every day, and found them wanting. Now, if their methods are flawed (and they are) then we ought to be seeing innovation in methodologies, and sometimes that requires some tipping over of apple carts.