Sunday, March 20, 2011

the covenant is broken

one month ago i published a blog post excoriating mcafee for being involved with a firm that creates and sells malware. for one month i've been waiting - not for a reaction to my own post, but a parallel reaction from the industry to the revelation that mcafee was involved with malware creators. i have been underwhelmed by the response (or lack thereof), and somewhat overwhelmed by the implications.

take a moment to let the AV industry's silence on this matter sink in. what does it mean? does it mean that they can't say anything because they've all got similar skeletons in their closet? or does it mean they're just not interested in capitalizing on that sort of thing anymore?

you see, for a long time there's been a persistent rumour that AV vendors don't just partner with malware writing companies, they hire malware writers outright. the AV vendors, of course, claim that that doesn't happen - they claim to have a policy against hiring malware writers and they say not to just take their word for it because their competition would take advantage of such ethical lapses if they were ever to occur.

they weren't just blowing hot air, either. making an example of an anti-malware company that hired a virus writer has happened in the past (thank you f-secure), so we know that such self-correcting controls have previously been in place. we were supposed to trust AV companies because they were financially motivated to do the right thing. every company had something to lose if they misbehaved and every other company had something to gain if they caught someone misbehaving.

but now the revelation that mcafee works with a malware writing company comes along and nobody has anything to say. well, to be specific, no company has anything to say (since i know there are individuals who felt strongly about this but may not have been able to speak for their employers). it was the job, the duty, of every member company in the anti-malware industry to act as a watchdog for the industry in case things like this happened, and you all failed. each and every one. one month later is too late to strike - the opportunity has passed - the iron is no longer hot.

the industry was supposed to be policing itself, but that no longer seems to be happening. without that, all we have is their word that they should be trusted, but those are just words. nothing but sweet, sweet words that turn into bitter orange wax in my ears (to quote futurama's philip j. fry). without action it means nothing.

the industry's accountability is gone. we can't honestly believe they're still policing themselves now. they used to adhere to and enforce the anti-malware community's standard of ethical behaviour. it's important to draw a distinction between the anti-malware community and the anti-malware industry at this point. although there has always been significant overlap, there have also always been those who were part of one set but not the other. obviously i'm not in the anti-malware industry, and i can think of a number of people who were members of the community long before they became part of the industry. on the other side, do you think HR is staffed by anti-malware community members? the legal department? upper management may have a few here or there, but for the most part they're just ordinary business folks. increasingly, the anti-malware industry is representing business interests instead of the values and ideals of the anti-malware community. the community's influence in the industry has been gradually waning up to this point, where there's no one left who can realistically hold them accountable for violations of the community's standard of ethical behaviour.

they can still be held accountable on technical grounds, i suppose, but for how long? anti-malware testing was in a bad state for a while - AMTSO has been helping to elevate the quality of testing, but does the anti-malware industry (which is increasingly losing touch with the anti-malware community) have too much influence over the goings-on there? ideally the inclusion of both the anti-malware industry and the anti-malware testing industry should create a balance. the testing industry has an understandable bias towards the more practicable approaches to testing (they have limited resources, after all) and a strong motivation to not appear to be going too easy on the vendors. the vendors, on the other hand, have insights into the inner workings of their products which are sometimes necessary to understand and eliminate certain sources of testing bias, and a strong motivation to perform well on tests. this should create a balance that forces both sides to take harder but ultimately superior paths. as the industry moves away from ethical accountability in favour of business concerns, it stands to reason that they may start to move away from embracing technical accountability as well - and realizing their input in AMTSO feeds back into a system that enables technical accountability, they may try to game the system for their own ends.

this highlights yet another problem. not only does the industry itself become suspect, so does everything it touches. it's not just accountability that's gone, it's credibility as well, and that lack of credibility can be toxic to others.

when the anti-malware industry no longer represents the values and ideals of the anti-malware community, when the bottom line takes priority over everything else, the result is bad for everyone. it's bad for the users because they will eventually have little left but to choose between crappy products in pretty boxes. it's bad for the anti-malware community within the industry because their jobs will cease to be fulfilling and they will be increasingly disturbed by the actions of their employers. it's even bad for the anti-malware community outside the industry simply because of association and the failure of most people to recognize any distinction between the industry and community. this isn't something that happens overnight. this isn't something that started one month ago. it's been going on for a while and you community members in the industry are all frogs in a pot that is being slowly brought to a boil.

i don't know how to correct this. i don't even know if it can be corrected (damage has already been done, and you can't always go back to the way things were). i don't pretend to have those kinds of answers. if i had to guess, i would guess that turning the industry around and getting back on course would take as much influence as the community can muster. full recovery may not be possible, but is not trying really an option? an alternative may be to restore accountability through external sources, but given the particulars in play (a company that sells malware to a nation state), that would involve scrutiny from other nation states and being investigated by scores of foreign nations on an ongoing basis doesn't sound appealing.

there can be no credibility without accountability and there can be no accountability without consequences. that house of cards depends on consequences and as near as i can tell there have been none.