Wednesday, December 29, 2004

viruses and disclosure

let me make this perfectly clear - i do not support the indiscriminate sharing of viral materials...

you should not share viruses, source code, etc. with people you don't know you can trust (both competence and ethics-wise) and you should not ask for such materials from people you have no reason to expect trust from...

the argument for not sharing materials with people you don't know you can trust should be obvious... they might do something bad or stupid with the materials you give them... the argument against asking is that it legitimizes the sharing of materials in situations where it deserves no legitimacy...

there are some misguided notions that the full disclosure policy that works so well for vulnerabilities would be equally well applied to viruses... let's examine that more closely...

a vulnerability, ultimately, is a mistake... whether it's a mistake in the design or in the implementation doesn't matter, it's a mistake that in an ideal world could have been avoided and in the real world can (hopefully) be fixed... full disclosure of vulnerabilities benefits us in a variety of ways...
  1. first and foremost it places pressure on the people/organization responsible to fix the problem in a more timely manner than they may have otherwise been inclined to do.
  2. it helps us learn more about the mistake so that in the future we might better avoid it or similar mistakes.
  3. it helps us identify when a program or system no longer meets our expectations of trustworthiness if/when an unacceptable number of vulnerabilities are uncovered or not enough is done to rectify them.


viruses, on the other hand, are not mistakes nor do they depend on mistakes (though some particular viruses may depend on particular vulnerabilities)... the ability to support viral infection is inherent to ALL general purpose computing platforms... it cannot be fixed or avoided - and since it cannot be fixed or avoided, it cannot be used as a discriminating factor when judging the quality of the platform or organization (the fact that windows has more viruses than linux has more to do with the number of windows users there are and the nature of those users than with the fact that windows is garbage)... none of the benefits we receive from full disclosure of vulnerabilities are achievable in the virus realm... what is achievable is
  1. a state where it is easier for people learning to write and spread viruses to get their hands on examples.
  2. a state where it is easier for people who wish to use existing viruses as weapons of vengeance to get their hands on viruses.
  3. a state where it is easier for novices to get their hands on samples even though they don't have sufficient competence with viruses to deal with them safely.


as such, sharing viruses with people you don't know you can trust cannot be considered to be responsible handling of viral materials and is to be discouraged... instead, one should only share such materials with people one knows one can trust (who in turn do the same - leading to a 'web of trust') and only request such materials from those who you can reasonably expect will trust you...

Monday, November 29, 2004

vx'er crackdown

Police raided another virus writer
Benny, Ratter questioned

looks like law enforcement is starting to get more serious (and capable) about getting their hands on virus writers... i said this kind of thing was coming, years ago, but do the vx'ers listen to me? no...

well ok, maybe some of them did... but obviously not enough...

there should be billboards with pictures of stern looking cops and captions that read "write viruses? that's fine. let 'em out and you're mine."...

and i'm not even suggesting that the vx'ers referenced in those articles actually let anything out - but obviously someone has been doing so, and that endangers the whole 'scene'...

Thursday, August 12, 2004

100% protection? we know what that means!

page: MessageLabs Services: Virus Protection - FAQs

excerpt: "MessageLabs offer all new customers 100% guaranteed protection on all known and unknown viruses (in applicable countries). If we do let a virus infect any of our customers, they will be refunded a month's premium."

can you spot the snake-oil?

"100% guaranteed protection on all known and unknown viruses" sort of flies in the face of the 2 decade old realization that detecting all possible viruses is reducible to the halting problem and therefore is not possible....

but wait, it gets better!

page: MessageLabs

excerpt: "The only solution in the world to provide complete 100% protection against all known and unknown virus, trojan and other malware threats, even during critical 'zero-hour' outbreaks before anti-virus signatures are available."

it's not just viruses that they guarantee 100% detection of, it's basically all malware, including trojans... somehow, the difficulty the rest of the known universe has with context sensitivity of trojan classification just isn't a problem for them...

i think they must have licensed dr. solly's perfect.bat technology - you know the batch file that says everything is a virus and thus has a 100% detection rate (the 100% false positive rate is just an unfortunate side effect)...

where does the industry dig up these snake-oil marketers? haven't they learned their lesson yet?

as always, folks - vote with your wallet... when companies go bad the only thing left that they will understand is market pressure...

Thursday, July 29, 2004

Fight Virus With Virus - microsoft folks display once again that they just don't get it

ok, technically it's slate, not microsoft... but microsoft *owns* slate, so...

Fight Virus With Virus - That's the only way to stop MyDoom. By Paul Boutin

this is such a dead horse these days that i don't know if i should even bother with a rebuttal except to point the reader to Are "Good" Computer Viruses Still A Bad Idea? and then answer - of course they are!...

people who think anti-virus viruses are a good idea either don't have the background to know what they're talking about or haven't thought things through...

Wednesday, July 21, 2004

this public roasting is long overdue

check out
Billgates

and
Fewster.1781

notice anything amiss? no? well you should...

both of these are examples of anti-virus companies FAILING to comply with a long standing naming standard that (among other things) states that viruses must not be named after real people unless you know for sure the virus was written by them.... rod fewster is an anti-virus professional and did not write the virus named after him - i dare say bill gates didn't write any virus named billgates either...

both of these examples are quite old, but they don't predate the naming convention of which i speak... further, it doesn't take a rocket scientist to figure out what's wrong with letting viruses be named after real people...

not only are these companies showing a distinct lack of concern for the reputations of these people, they're also showing a distinct lack of concern for the public at large... naming standards are made for good reasons, not the least of which being reducing confusion and making it easier for people with virus problems to find information on the virus they have...

and it's not like virus names don't get changed - they do, quite regularly, it's the only way to coordinate a common name used across multiple products... but those 2 examples have been sitting around for nearly a decade now... where's the effort to make your life easier? where's the concern for the customer? certainly doesn't look like it's anywhere near these 2 companies right now...

(thanks to art kopp for digging up these examples...)

Monday, July 19, 2004

IDG News Service gets it wrong

it's a short article, give it a read..

InfoWorld: First Windows CE virus emerges: July 19, 2004: By : APPLICATION_DEVELOPMENT : SECURITY

notice right at the beginning how it says the new WinCE virus was designed to demonstrate security holes in the WinCE operating system? this is a subtle point, one that far too many people fail to grasp, but the ability of viruses to infect a platform has nothing to do with security holes in that platform... virus infectability is a 'feature' of all general purpose computing platforms... *all of them*... you can't create a general purpose computing platform that isn't susceptible to viruses...

therefore you cannot (as the article's author does) infer security holes in an OS simply because the system is vulnerable to viral infection... it's a shame mass media doesn't have a better grasp on what they're talking about when they're talking about viruses... this one article is being picked up by a number of tech related news sites, spreading this rubbish far and wide...

Sunday, July 18, 2004

all anti-virus products fail

if you haven't figured this out yet (and apparently most folks haven't) there is no such thing as a perfect anti-virus product... they all fail to stop a virus at one time or another either because the virus is too new, or it spread in ways that the anti-virus couldn't do anything about (network share enumeration, exploits, etc), or a host of other reasons...

for years now i've seen people 'discover' the lack of perfection in their anti-virus and the overwhelming response to this is to jump ship and try a different product... the assumption is that because their anti-virus didn't protect them there must be something wrong with it and they should try and find a better one...

the reality is that no matter what product you use, or even how many you use, your anti-virus product will fail at some point... the fact that it failed to prevent an incident (or 2 or 4 or however many it failed to prevent) does not necessarily mean there's anything wrong with the product - it could be that there's something wrong with the user...

the security of a system is only as strong as its weakest link and most of the time that link is the computer operator - either s/he takes unnecessary risks, or s/he doesn't keep the anti-virus up to date, or s/he doesn't take any other safe-hex measures, etc... there's only so much these products can do to protect someone from themselves...

i'll be blunt - the knee-jerk reaction to blame the anti-virus for failing to prevent a virus incident needs to change... users need to start asking themselves if there was something they could have done to prevent the incident - some security precaution they could have taken, some policy they could have put in place... the anti-virus should not be the sole defence against malware, it should be one of many and it should be the one that acts when all other measures fail to prevent the incident...

and what other measures are those?
  1. the use of a firewall
  2. the closing of network shares and unnecessary ports
  3. keeping up to date with security patches and the migration away from the most often targeted applications (to minimize the impact of patch maintenance failure)
  4. minimizing the amount of outside active content (applications, word documents, excel spreadsheets, etc) that are introduced into the system
  5. turning off unnecessary active content support in your browser
  6. not accepting attachments from strangers
  7. not accepting attachments from legitimate contacts until after verifying that they intended to send it and what it is
  8. the use of strong passwords
  9. the scanning of all incoming material, preferably after a suitable 'cool down' period so that its novelty doesn't play a part in avoiding detection of any malware that may be present


even after all that, you can still expect a virus/worm/malware incident once in a while... no security is perfect, that's just something we have to learn to accept and plan for (i.e. make sure you have a plan for disaster recovery)...

Friday, June 25, 2004

terminology proposal

i hear a lot about people's machines becoming infected with spyware or infected with trojans or infected with adware or ...

i'm sorry, since when are these things considered infectious? if i connect to a network that has a spyware infected machine on it, is my computer going to become infected? how about if i share disks/programs/word documents/etc with such a machine? no, of course not...

VIRUSES infect, not spyware or adware or whatever... i realize people need a way to indicate that very bad software has been installed on their system but let's not confuse the issue by using terms that already have a different meaning in this field, let's try a new word shall we?

we could use "contaminate"... 'my machine became contaminated with spyware'...

but maybe "contaminate" is too fancy (thus "afflict" is also out of the question) or maybe just not pejorative enough... then the answer is simple - the word we want is "poison"... 'my machine has been poisoned with spyware'... that conveys that something noxious has gotten onto the system and it is quite pejorative...

Wednesday, June 23, 2004

false authority syndrome finds its way to The Register

in reference to the following article:
Beastie Boys CD installs virus | The Register

the author of this article is Thomas C. Greene... consider the byline:

[quote]
Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.

[/quote]

there seems to be every reason to take his word as gospel, doesn't there... one problem, the article he wrote for The Register indicates that he clearly has no idea what viruses, worms, or trojan horse programs (3 major classes of malware) are...

the DRM software installed by the new Beastie Boys album is not a virus for 2 reasons... most importantly, it does not self-replicate - it does not make copies of itself, copies aren't placed on your existing music CDs, the installer does not (as far as i can tell) get placed on any new CD-Rs you happen to burn - the most fundamental requirement for classifying something as a virus is that that something has to self-replicate (this has been true ever since the invention of computer viruses by Fred Cohen in 1983, and you can refer to his numerous works on the subject if you don't believe me)... second, it does not infect any host program - by which i mean that it does not attach itself to any program in such a way that when an attempt is made to execute the host program the DRM software gets executed as well as or instead of the host program... infection of host programs is generally regarded as a requirement for calling a self-replicating program a virus instead of a worm (another kind of self-replicating malware) or something else...

so it's not a virus because it doesn't self-replicate and it doesn't infect host programs...

Mr. Greene makes further errors in his justification of calling it a virus rather than a worm... there is an argument (that is not particularly well thought out) that says that viruses require user intervention and worms do not - however that argument is meant to be applied to the way the virus or worm gets executed, not how it gets copied (as Mr. Greene seems to think)... clearly, as the DRM software autoexecutes, the DRM software in question better suits the classification of worm under this (dubious) argument...

what the DRM software in question actually is, is the payload of a trojan horse - a trojan horse being something that advertises itself as performing some desirable function but does something bad in addition to or instead of that desirable function... even a passing familiarity with the field of malware should have made this readily apparent to Mr. Greene....

the legal implications are pretty much the same, though... that much he got right...

Tuesday, June 22, 2004

and now for a lesson in spotting snake oil

take a look at

CyberScrub AntiVirus 1.0 - FAQ

specifically the paragraph:

[quote]
Does CyberScrub AntiVirus have all the “bells and whistles” of other products?
No, those in most cases are just efforts to try to stand out from a field of very similar products. CyberScrub AntiVirus is designed to “install and forget”, providing a secure environment from viruses, worms, Trojans and more. All major features are included: you can have CAV run in the background providing constant protect or you have the ability to scan selected files, folders or drives upon demand.

[/quote]

did you notice the words "install and forget"? they were so helpful they even put it in quotes to help it stand out... anti-virus software (theirs included) is not some kind of magical security dust that you can sprinkle on your computer and have it protect you without any further effort on your part... they cannot actually deliver on the promise of an anti-virus that's so good all you need to do is "install and forget", no one can... further, by promoting the idea that they can do so they are creating a false sense of security in their customers... in spite of the fact that they are offering a good anti-virus scanning engine, they are contributing to the virus problem instead of being part of the solution by these types of actions...

review question 1: what is it called when a salesman makes impossible claims?
answer: "snake oil"

then there's this paragraph:

[quote]
Can I use several antiviral programs at the same time?
If you are talking about Scanners then YES, you can first check a file with one of them, then with another. As for Monitors (resident online scanners) you should be warned that two or more active resident Monitors working simultaneously can cause conflicts. In most cases this leads to the false positives or unstable working. So it is not recommended to use two Monitors at the same time.
[/quote]

now this is a subtle point, i know, but a resident scanner and an online scanner are two completely different things... a resident scanner is one that stays resident in memory for as long as your computer is on, scanning things on your computer as you access them, trying to protect you from triggering an infection... an online scanner is one that runs in the context of your browser and just does a scan of your entire system and then quits when it is done... there's no such thing as a "resident online scanner"... mixing up terms like this makes me think they don't know what they're talking about - how about you?

review question 2: who throws technical terms together without regard for meaning in order to confuse the audience with credible sounding babble, thereby creating the illusion that they know far more about the subject than the audience?
answer: snake oil salesmen

but wait, there's more!

check out this thread that google has kindly archived for posterity (cyberscrub thread) - you'll find the cyberscrub folks pretending to be satisfied cyberscrub customers! those wacky cyberscrub people...

Thursday, June 17, 2004

let's play the name game

ok i'll preface this by saying this was sparked by a debate currently going on in alt.comp.virus.source.code...

if you don't know already, anti-virus companies generally do not call a virus by the name the virus' author gave it... they rename the virus... that renaming results in something you may have seen before - different companies issuing virus alerts for a particular virus with different names...

there are those that say it makes no sense to do this... they say it's stupid, it pisses off the virus writers and it creates confusion among end users...

however, there are some important points to realize:
  1. not all viruses are named by their author, so these clearly require naming by the anti-virus vendor...

  2. not all author supplied names are unique (for a variety of reasons) and so such viruses clearly need to be renamed to avoid confusing them with previous viruses that have the same author supplied name...

  3. some author supplied names refer to people, places, companies or brands and the anti-virus companies really don't want to be issuing alerts for the george bush virus or the corn flakes virus - it puts them in a difficult legal position...

  4. some author supplied names have political, religious, or obscene references in them, and that's also something anti-virus companies don't want to put into virus alerts for similar reasons...

so clearly some viruses have to be renamed... but do all of them have to be renamed?

it's been suggested that you could simply use your best judgment to tell if the author supplied name was suitable or not - maybe even use a search engine since obviously a person isn't going to see the significance of many references from far off lands... the thing is, a search engine isn't perfect in that regard either... more importantly, though, a search engine is bound to turn up some kind of reference (whether the virus author intended it or not) for all sorts of possible names so in practice the anti-virus researchers would probably find themselves renaming most viruses anyways... and should it really be the anti-virus company's job to go to the trouble of verifying the suitability of the name provided by the author? is that really the most productive use of their time and your money? i don't think so...

there is a valid complaint, however... sometimes the renaming process gets personal, the renamer chooses a name specifically to piss off the virus author (some have even bragged about doing this)... that is unprofessional and companies should not tolerate that kind of behaviour from their employees - they shouldn't be picking fights with virus writers, they should be doing their best to avoid contributing to any of the virus writers' possible motives for writing viruses...

there is another valid complaint... not all the companies seem to rename a given virus to the same new name, and this certainly does cause confusion... to a certain extent it's understandable - if 2 researchers in different companies are trying to decide on a new name for a virus at about the same time (give or take a couple of days) then they're bound to decide on different names... hopefully those names get changed later to be more consistent, and i'd certainly like to see that happen as fast as possible (i'd like to see anti-virus companies making a visible effort to minimize the confusion associated with this sort of thing)... sometimes the names don't get changed at all, though, and for the end user that is simply not acceptable... if you find your anti-virus vendor doing that, vote with your wallet, make your feelings heard where they'll feel it the most...

"Certified virus free" = snake oil

have you seen that message appended to emails or newsgroup postings that says it's "certified virus free"? did you believe it?

well, it's snake oil... just as sure as claims of 100% protection from all past, present, and future viruses would also be snake oil...

think about what it means - it's basically guaranteeing that there are no viruses present... ignoring the fact that you can't prove a negative, in order to say with certainty that there are no viruses present the scanner would have to be able to find all viruses in the first place and that's just impossible... detecting all viruses is reducible to the halting problem, an intractable problem in computer science, and this has been known for nearly 20 years...
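the "detecting all viruses reduces to the halting problem" point (made here and in the MessageLabs post above) is Fred Cohen's diagonal argument, and it's short enough to work through in runnable form... this is an added illustration, not part of the original post: "programs" are modelled as zero-argument callables that return True when they replicate, "detectors" are functions that inspect a program and say whether it's a virus, and every detector and signature here is a constructed stand-in, not a real scanner or real malware...

```python
"""Cohen's diagonal argument against a perfect virus detector, in Python.

Model (constructed for illustration):
  - a Program is a zero-argument callable; it returns True if it
    "replicated" when run and False if it behaved benignly;
  - a Detector is any function that looks at a Program object and
    returns True if it judges that program to be a virus.
"""

import hashlib
from typing import Callable

Program = Callable[[], bool]
Detector = Callable[[Program], bool]


def build_contrarian(detector: Detector) -> Program:
    """Build the program Cohen's proof constructs against a given detector.

    The program asks the detector about itself and then does the opposite:
    flagged as a virus -> behave benignly; judged clean -> replicate.
    Whatever the detector answers about this program is therefore wrong.
    """
    def contrarian() -> bool:
        verdict = detector(contrarian)  # "do you think i am a virus?"
        return not verdict              # replicate exactly when not flagged
    return contrarian


def detector_is_wrong_on_contrarian(detector: Detector) -> bool:
    """True when the detector misclassifies the program built against it."""
    program = build_contrarian(detector)
    return detector(program) != program()


# --- candidate "perfect" detectors (all constructed examples) ---

def always_clean(_: Program) -> bool:
    return False


def always_virus(_: Program) -> bool:
    return True  # the perfect.bat strategy: flag everything


def signature_scanner(program: Program) -> bool:
    """Flag programs whose bytecode matches a known-bad digest."""
    known_bad = {"0" * 64}  # constructed placeholder signature database
    digest = hashlib.sha256(program.__code__.co_code).hexdigest()
    return digest in known_bad


def name_heuristic(program: Program) -> bool:
    """Flag programs whose name looks suspicious (a toy heuristic)."""
    return any(word in program.__name__.lower() for word in ("virus", "worm"))


def all_candidates_fail() -> bool:
    """Every static detector above is fooled by its own contrarian."""
    candidates = (always_clean, always_virus, signature_scanner, name_heuristic)
    return all(detector_is_wrong_on_contrarian(d) for d in candidates)


def run_and_observe(program: Program) -> bool:
    """'Just run it and watch': decide by executing the program."""
    return program()


def run_and_observe_never_decides() -> bool:
    """The dynamic strategy doesn't even reach a verdict on its contrarian.

    Running the program calls the detector, which runs the program, which
    calls the detector... this is where the halting problem shows up.
    """
    program = build_contrarian(run_and_observe)
    try:
        run_and_observe(program)
    except RecursionError:
        return True
    return False
```

the static detectors each give a confidently wrong answer, and the dynamic one never finishes; no choice of detector escapes the construction, which is the whole point...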

so that message you see getting attached to emails and newsgroup postings (whether your own or someone else's) is false advertising... the company behind it is lying to you... however good the product may be, it is not capable of making the determination that message implies and the company behind it should know better...

now you might be thinking "but kurt, it's just a little white lie to help boost sales. it's harmless."... but it is not harmless, it creates a false sense of security... infected emails can and have been sent out with such messages on them - in fact a virus or worm can easily put that message at the end of emails it sends out and there would be no way to tell it from an authentic 'certification'...

i'm tempted to be moderate; to suggest, as others have, simply turning that feature off... but i'm not really known for giving in to temptation - the feature is dangerous, it promotes falsehoods that contribute to over-reliance on anti-virus technology instead of practicing broader secure computing habits (safe-hex)... the only thing i can suggest is dumping such a product in favour of one that is more intellectually honest - at least until the company changes its ways (market pressure, after all, is what really promotes change in the industry)...

ta da!

well, i pretty much knew this was coming... i knew i was going to create an anti-virus blog, i just didn't know when...

the time is now apparently...

criticisms, explanations, wishlists, and assorted rants to follow soon...