Friday, June 09, 2006

can joe barr's opinion of the malware industry be trusted?

well, joe barr is at it again... i've blogged about joe once before, and whereas the previous article i wrote about seemed to be a simple case of false authority syndrome, this new one, about whether the anti-malware industry can be trusted, looks like a more deliberate smear campaign...

when he's not throwing out non sequiturs like what happened to dan geer, formerly of @stake (which isn't really part of the anti-malware industry), he's dressing up other non sequiturs to look like they're actually relevant... for example:
US-Cert knows about the problem of the super-inflated malware numbers in their summary,
except that cert doesn't count malware, they count vulnerabilities - ergo what cert is or isn't doing, and what they do or don't know, has no bearing on whether the anti-malware industry can be trusted...

then there's innuendo about timing things specifically to make OSX look bad:
The SANS Institute, -- a name which sounds all officious and possibly not profit oriented, but which is owned by the mysterious but definitely for-profit Escal Institute of Technology -- recently did an unusual update to its Top 20 list of vulnerabilities.

They issued their "update" in order to trumpet the assertion that Apple OS X is now just as exposed and vulnerable to malware as Windows. The timing of the release of this unusual "update" is suspicious, coming as it did on the eve of the new advertising campaign by Apple which plays up the fact that Apple is pretty much immune to the types of malware infestations that plague Windows. Previous updates to this list have usually come in the fall: November, 2005; October, 2004; October, 2003; and October, 2002.
what mr. barr fails to acknowledge, however, is that there's a 3rd event in this coincidence - namely the dramatic change in the security landscape of OSX around the same time... 2 viruses and a spate of serious vulnerabilities... issuing a report to inform people of the new state of things was a responsible thing for SANS to do...

there's some crazy re-interpreting of that same report, too:
The SANS Institute announcement seemed to be designed to destroy -- or at least bring into question -- the idea that Apple OS X is more secure than Windows. In a document sent to members of the press prior to the teleconference, the SANS Institute wrote:

During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available. In this case, Safari users who just browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof alternative to Windows is in tatters. As attackers are increasingly turning their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in the future.
now, how exactly can the report destroy or bring into question the idea that OSX is more secure than windows when his own quote of the report explicitly says that OSX is still safer than windows? and what about his later jab (by way of quoting a 3rd party) at the supposed claim that OSX's security reputation is in tatters? the quote clearly shows that the report said OSX's reputation for being bullet-proof was in tatters - which it is... it can't be considered bullet-proof anymore, because it's been proven that it's not totally immune to threats...

the real meat of the article doesn't come until the section entitled "From Russia with malice", however... joe barr clearly has a venomous contempt for kaspersky labs, he goes on and on about supposed wrong-doings, such as:
Kaspersky Lab, a Russian Internet security company which operates around the globe, including here in the USA, has been spreading FUD about malware targeting Linux for years. I've cited this example from 2001 before, but here it is again, and it still appears on their Web site. Hey, maybe the SANS Institute used it as a template for their anti-Apple effort. I quote:

Predictions regarding a world epidemic of Linux-viruses have come true in the first quarter of 2001. The latest incidents caused by the Ramen Internet-worm and its numerous modifications, as well as the multi-platform virus Pelf (Lindose) and other Linux-targeted malicious code, have proved that this operating system, (previously considered as the most protected software), has fallen victim to computer viruses.
while one would probably not consider ramen going into the wild to be comparable to the windows worm epidemics like blaster or sasser, compared with other linux malware it was a very big deal... as for pelf, cross-platform infectors have long been considered the means by which self-replicating linux malware would become really widespread, and pelf was an indication that such infectors were coming...

of course, since he was chronicling all the perceived misdeeds of kaspersky, he had to include 'the case of the non-viral virus' that i de-debunked previously, but then he goes on to describe his disbelief over their linux malware report, which showed there were 91 viruses for the linux platform:
I asked Kaspersky Lab if they had any documentation to back up that claim. Jennifer Jewett, a public relations person representing Kaspersky, told me "the documentation citing the viruses is included in the Encyclopedia on Kaspersky's Viruslist site:"

I searched the encyclopedia for Linux viruses and came up with an astounding 972 hits. But just the barest hint of an analysis of those hits reveal that the number would break an industrial-strength bogusity-meter.
strangely, when i did a search for linux viruses on that site, i got 92 hits, not 972... just one more than was indicated in the report - most without actual descriptions, but at least they include the aliases that other products use so that one can corroborate their existence... is he incapable of using a search engine or just so biased against kaspersky that he can't manage due diligence? he knew the result set shouldn't have been anywhere near that big, he should have refined his search to narrow it down to just viruses (972 would have been the list of all linux malware, not just viruses, though the number now stands at 976 and will probably change again as time wears on)...

his final bit of evidence against kaspersky came from the recently noted intended macro virus that caused the confusion i wrote about earlier:
After this story was submitted, and the week following another black-eye for Microsoft security in the form of malevolent macros in MS Word, Kaspersky Lab issued another headline-grabbing but bogus alert for a proof-of-concept of the same type of attack on MS Word's largest competitor. Was the timing once more just a coincidence? I don't think so.
since the existence of the malware was independently confirmed, and since kaspersky labs didn't create it themselves, the timing was entirely out of their hands... it gets discovered when it gets discovered... should they have kept the first openoffice malware a secret? would it really have served the public to sit on the fact that openoffice is now being targeted by at least one malware writer? somehow that doesn't seem likely...

joe barr concludes that the anti-malware industry cannot be trusted, and he attributes all these misdeeds to a desire for more money - so what should we attribute joe barr's misdeeds (ie. his FUD) to?